Results 1 - 10 of 33
Requirements Specification for Process-Control Systems, 1994
Cited by 202 (29 self)
This paper describes an approach to writing requirements specifications for process-control systems, a specification language that supports this approach, and an example application of the approach and the language on an industrial aircraft collision avoidance system (TCAS II). The example specification demonstrates (1) the practicality of writing a formal requirements specification for a complex process-control system and (2) the feasibility of building a formal model of a system using a specification language that is readable and reviewable by applications experts who are not computer scientists or mathematicians. Some lessons learned in the process of this work, which are applicable both to forward and reverse engineering, are also presented.
Automated Consistency Checking of Requirements Specifications, 1996
Cited by 197 (30 self)
This paper describes a formal analysis technique, called consistency checking, for automatic detection of errors, such as type errors, nondeterminism, missing cases, and circular definitions, in requirements specifications. The technique is designed to analyze requirements specifications expressed in the SCR (Software Cost Reduction) tabular notation. As background, the SCR approach to specifying requirements is reviewed. To provide a formal semantics for the SCR notation and a foundation for consistency checking, a formal requirements model is introduced; the model represents a software system as a finite state automaton, which produces externally visible outputs in response to changes in monitored environmental quantities. Results are presented of two experiments which evaluated the utility and scalability of our technique for consistency checking in a real-world avionics application. The role of consistency checking during the requirements phase of software development is discussed.
Comparing Detection Methods For Software Requirements Inspections: A Replicated Experiment, 1995
Cited by 138 (20 self)
Software requirements specifications (SRS) are often validated manually. One such process is inspection, in which several reviewers independently analyze all or part of the specification and search for faults. These faults are then collected at a meeting of the reviewers and author(s). Usually, reviewers use Ad Hoc or Checklist methods to uncover faults. These methods force all reviewers to rely on nonsystematic techniques to search for a wide variety of faults. We hypothesize that a Scenario-based method, in which each reviewer uses different, systematic techniques to search for different, specific classes of faults, will have a significantly higher success rate. We evaluated this hypothesis using a 3 × 2^4 partial factorial, randomized experimental design. Forty-eight graduate students in computer science participated in the experiment. They were assembled into sixteen three-person teams. Each team inspected two SRS using some combination of Ad Hoc, Checklist or Scenario meth...
State-Based Model Checking of Event-Driven System Requirements. IEEE Transactions on Software Engineering, 1993
Cited by 128 (7 self)
In this paper, we demonstrate how model checking can be used to verify safety properties for event-driven systems. SCR tabular requirements describe required system behavior in a format that is intuitive, easy to read, and scalable to large systems (e.g., the software requirements for the A7 aircraft). Model checking of temporal logics has been established as a sound technique for verifying properties of hardware systems. We have developed an automated technique for formalizing the semiformal SCR requirements and for transforming the resultant formal specification onto a finite structure that a model checker can analyze. This technique was effective in uncovering violations of system invariants in both an automobile cruise control system and a water-level monitoring system.
Index Terms: formal specification, formal verification, model checking, requirements analysis, software requirements, temporal logic.
Functional Documents for Computer Systems. Science of Computer Programming, 1995
Cited by 110 (6 self)
Although software documentation standards often go into great detail about the format of documents, describing such details as paragraph numbering and section headings, they fail to give precise descriptions of the information to be contained in the documents. This paper does the opposite; it defines the contents of documents without specifying their format or the notation to be used in them. We describe documents such as the "System Requirements Document", the "System Design Document", the "Software Requirements Document", the "Software Behaviour Specification", the "Module Interface Specification", and the "Module Internal Design Document" as representations of one or more mathematical relations. By describing those relations, we specify what information should be contained in each document.
1 Introduction. Engineers are expected to make disciplined use of science, mathematics and technology to build useful products. Those who construct computer systems are clearly Enginee...
Consistency Checking of SCR-Style Requirements Specifications, 1995
Cited by 95 (8 self)
This paper describes a class of formal analysis called consistency checking that mechanically checks requirements specifications, expressed in the SCR tabular notation, for application-independent properties. Properties include domain coverage, type correctness, and determinism. As background, the SCR notation for specifying requirements is reviewed. A formal requirements model describing the meaning of the SCR notation is summarized, and consistency checks derived from the formal model are described. The results of experiments to evaluate the utility of automated consistency checking are presented. Where consistency checking of requirements fits in the software development process is discussed.
1 Introduction. A recent study of industrial application of formal methods concludes that formal methods, including those for specifying and analyzing requirements, are "beginning to be used seriously and successfully by industry ... to develop systems of significant scale and importance" [5]...
SCR*: A Toolset for Specifying and Analyzing Requirements, 1995
Cited by 75 (13 self)
A set of CASE tools is described for developing formal requirements specifications expressed in the SCR (Software Cost Reduction) tabular notation. The tools include an editor for building the specifications, a consistency checker for testing the specifications for consistency with a formal requirements model, a simulator for symbolically executing the specifications, and a verifier for checking that the specifications satisfy selected application properties. As background, the SCR method for specifying requirements is reviewed, and a formal requirements model is introduced. Examples are presented to illustrate the tools.
1 Introduction. High assurance computer systems are computer systems where compelling evidence is required that the system delivers its services in a manner that satisfies certain critical properties. Examples of high assurance systems include military command and control systems, nuclear power plants, telephone networks, medical systems (e.g., patient monitoring sys...
Tabular Representation of Relations, 1992
Cited by 51 (11 self)
Multi-dimensional mathematical expressions, called tables, have proven to be useful for documenting digital systems. This paper describes 10 classes of tables, giving their syntax and semantics. Several abbreviations that can be useful in tables are introduced. Simple examples are provided.
1 Introduction. In earlier papers [1,2], we have shown how the documentation required for the professional construction and use of computing systems can consist of descriptions of a set of mathematical relations. Those papers discuss the documents very abstractly; the contents of the documents are specified without restricting the notations or formats to be used. This paper complements the earlier papers by defining multidimensional notations (which we call tabular expressions) that have proven useful for describing the specified mathematical functions in practical applications [3, 4, 5, 6, 7, 8]. A companion paper [9] presents an interpretation of logical expressions that is designed for these...
Formalizing Space Shuttle Software Requirements. ACM Transactions on Software Engineering and Methodology, 1996
Cited by 43 (1 self)
This paper describes two case studies in which requirements for new flight-software subsystems on NASA's Space Shuttle were analyzed, one using standard formal specification techniques, the other using state exploration. These applications serve to illustrate three main theses: (1) formal methods can complement conventional requirements analysis processes effectively, (2) formal methods confer benefits regardless of how extensively they are adopted and applied, and (3) formal methods are most effective when they are judiciously tailored to the application.
1 Introduction. Although Space Shuttle flight software is generally considered exemplary among NASA software development projects, requirements analysis and quality assurance in early lifecycle phases still use products and tools dating from the late 1970s and early 1980s. As a result, these analysis and assurance activities remain largely manual exercises lacking well-defined methods or techniques. At the same time, Shuttle flight s...
A Logic-Model Semantics for SCR Software Requirements. In Proceedings of the 1996 International Symposium on Software Testing and Analysis, 1996
Cited by 34 (2 self)
This paper presents a simple logic-model semantics for Software Cost Reduction (SCR) software requirements. Such a semantics enables model-checking of native SCR requirements and obviates the need to transform the requirements for analysis. The paper also proposes modal-logic abbreviations for expressing conditioned events in temporal-logic formulae. The Symbolic Model Verifier (SMV) is used to verify that an SCR requirements specification enforces desired global requirements, expressed as formulae in the enhanced logic. The properties of a small system (an automobile cruise control system) are verified, including an invariant property that could not be verified previously. The paper concludes with a discussion of how other requirements notations for conditioned-event-driven systems could be similarly checked.