
Proving the shalls

Early validation of requirements through formal methods

  • Special section on The Industrialization of formal methods: A view from formal methods 2003
  • Published in: International Journal on Software Tools for Technology Transfer

Abstract

Incomplete, inaccurate, ambiguous, and volatile requirements have plagued the software industry since its inception. The convergence of model-based development and formal methods offers developers of safety-critical systems a powerful new approach to the early validation of requirements. This paper describes an exercise conducted to determine whether formal methods could be used to validate system requirements early in the lifecycle at reasonable cost. Several hundred functional and safety requirements for the mode logic of a typical flight guidance system were captured as natural language “shall” statements. A formal model of the mode logic was written in the RSMLe language and translated into the NuSMV model checker and the PVS theorem prover using translators developed as part of the project. Each “shall” statement was manually translated into a NuSMV or PVS property and proven using these tools. Numerous errors were found in both the original requirements and the RSMLe model. This demonstrates that formal models can be written for realistic systems and that formal analysis tools have matured to the point where they can be effectively used to find errors before implementation.
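As an added illustration of the workflow the abstract describes (this is a constructed toy, not the paper's RSMLe model or its NuSMV translation), the fragment below models a small lateral mode logic directly in NuSMV and encodes three "shall" statements as LTL properties. The mode names, inputs and requirement wordings are assumptions; the third property is deliberately one the checker cannot prove, showing how a counterexample points back at an ambiguous requirement (here, what "shall" means when two switches are pressed in the same step).

```smv
-- Constructed example: toy lateral mode logic of a flight guidance system.
-- Unconstrained boolean VARs are free inputs chosen nondeterministically.
MODULE main
VAR
  hdg_switch  : boolean;   -- pilot pressed the HDG switch this step
  nav_switch  : boolean;   -- pilot pressed the NAV switch this step
  nav_capture : boolean;   -- NAV capture condition holds this step
  lateral     : {ROLL, HDG, NAV_ARMED, NAV};

ASSIGN
  init(lateral) := ROLL;   -- ROLL is the basic (default) lateral mode
  next(lateral) :=
    case
      hdg_switch & lateral = HDG                          : ROLL;      -- HDG toggles off
      hdg_switch                                          : HDG;       -- HDG selected
      nav_switch & (lateral = NAV_ARMED | lateral = NAV)  : ROLL;      -- NAV toggles off
      nav_switch                                          : NAV_ARMED; -- NAV armed
      lateral = NAV_ARMED & nav_capture                   : NAV;       -- NAV captures
      TRUE                                                : lateral;   -- otherwise unchanged
    esac;

-- Shall 1: "If the HDG switch is pressed while HDG is not the active lateral
--           mode, HDG shall become the active lateral mode."  (provable)
LTLSPEC G ((hdg_switch & lateral != HDG) -> X (lateral = HDG));

-- Shall 2: "NAV shall not become the active lateral mode unless NAV was armed
--           and the capture condition holds."  (provable)
LTLSPEC G ((lateral != NAV & X (lateral = NAV)) -> (lateral = NAV_ARMED & nav_capture));

-- Shall 3: "If the NAV switch is pressed, NAV shall be armed or active."
-- Not provable: NuSMV returns a counterexample with hdg_switch and nav_switch
-- both TRUE (HDG wins the case priority), exposing that the requirement never
-- said what happens on simultaneous presses, and also ignores the toggle-off.
LTLSPEC G (nav_switch -> X (lateral = NAV_ARMED | lateral = NAV));
```

Running `NuSMV` on this file reports the first two properties true and prints a trace for the third; the fix belongs in the requirement text, not only in the model.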




Correspondence to Steven P. Miller.

Additional information

This project was partially funded by the NASA Langley Research Center under contract NCC1-01001 of the Aviation Safety Program.


About this article

Cite this article

Miller, S.P., Tribble, A.C., Whalen, M.W. et al. Proving the shalls. Int J Softw Tools Technol Transfer 8, 303–319 (2006). https://doi.org/10.1007/s10009-004-0173-6
