Heitmeyer, C. L., Labaw, B., and Kiskis, D. (1995). Consistency Checking of SCR-style Requirements Specifications. Proc. of 2nd Int. Symp. on Requirements Engineering, York, 27-29.
....controlled variable) changes value. Full SCR specifications can include mode transition, event and condition tables to describe a required system behavior, assertions to define properties of the environment, and invariants to specify properties that are required to always hold in the system (see [4, 9, 10]). However, this case study concerns a simple SCR specification consisting of just a single mode transition table and a list of system invariants. Mode Transition Tables Mode classes are abstractions of the system state space with respect to monitored variables. Each mode class can be seen as a ....
Heitmeyer, C. L., Labaw, B., and Kiskis, D. (1995). Consistency Checking of SCR-style Requirements Specifications. Proc. of 2nd Int. Symp. on Requirements Engineering, York, 27-29.
....mode and is changed to true in the new mode, while D is assumed to be true in the current mode, without forcing any condition on the particular value of the variable D in the new mode. Similarly for an event F(C) conditional on D, but with C changing truth value from true to false [18]. It is easy to see that this different way of interpreting conditioned events together with the one input assumption gives, in the case of independent monitored variables, the same interpretation of conditioned events as given in Section 3.1. Our approach is also able to express this particular ....
Heitmeyer, C. L., Labaw, B., and Kiskis, D. (1995). Consistency Checking of SCR-style Requirements Specifications. Second International Symposium on Requirements Engineering, York, pp. 27-29, IEEE Publisher.
....can require significant and tedious reorganization of the formal description. Using formal specification languages facilitates the early evaluation of a software design and verification of its implementation through the use of formal reasoning techniques [5, 6, 9, 8] or static analysis techniques [10, 11, 12]. A formal specification can be rigorously manipulated to allow the designer to assess the consistency, completeness, and robustness of a design before it is implemented. Each step in the development process can be supported by mathematical proof, thus reducing the number of errors due to ....
C. L. Heitmeyer, B. L. Labaw, and D. Kiskis, "Consistency checking of SCR-style requirements specifications," in Proceedings of the International Symposium on Requirements Engineering, March 1995.
....be used to automate moderate complexity theorem proving for state machine models. 1 Introduction Requirements modeling and analysis are promising areas for applied formal methods and technology transfer. Established requirements based languages and tools, such as Statecharts Statemate [6], SCR [7], and RSML [9] have been fruitfully applied in practice and continue to attract interest. New analysis methods are frequently reported, especially ones using lightweight techniques based on finite state exploration. Less frequently mentioned, but no less important, are modeling and analysis ....
C. L. Heitmeyer, R. D. Jeffords, and B. L. Labaw. Consistency checking of SCR-style requirements specifications. ACM Transactions on Software Engineering and Methodology, 5(3):231--261, July 1996.
....criteria definable in our framework comply with subjective ratings of the significance of inconsistencies provided by designers. 7. Related Work A substantial body of research has been concerned with the problem of detecting and resolving inconsistencies between software system specifications [2,4,13,14,16,17,18,19,20] but only two strands of work [2,4] have been concerned with the diagnosis of inconsistencies. Emmerich et al. [2] have developed a framework for managing the compliance of software documentation artefacts with consistency rules which realise document representation standards. In their framework, ....
Heitmeyer, C., Labaw, B. and Kiskis D., 1995. Consistency Checking of SCR-Style Requirements Specifications, Proceedings of the 2nd Int. Symposium on Requirements Engineering, IEEE CS Press, pp. 56-63.
....effective IV&V. With this as background, the remainder of the paper focuses on the use of methods and tools within this process. We present two experiments in the use of formal specification. For these we used a combination of AND/OR tables [8] and the Software Cost Reduction (SCR) approach [9]. The first experiment involved the translation of a portion of the Fault Detection, Isolation and Recovery (FDIR) specification into a formal notation. This experiment confirmed that the natural language used in the Software Requirements Specification (SRS) documents is inherently ambiguous, and ....
....examined several tools, before selecting SCR [10]. SCR offered two important advantages. First, the notation was primarily tabular, which appeared to be an important aid to readability. Second, the tool had automated checking for properties such as coverage and disjointness of a state based model [9]. In addition, this tool did not require us to build a complete formal model of the Bus FDIR functionality in order to check these properties. 4.1 Experiment 1: Translation Our first experiment concerned the translation of requirements like that shown in Figure 1 into a formal notation. ....
[Article contains additional citation context not shown here]
C. Heitmeyer, B. Labaw, and D. Kiskis. Consistency checking of SCR-style requirements specifications. In Second IEEE International Symposium on Requirements Engineering, pages 56--63, March 1995.
....own tabular versions, in order to facilitate the kinds of analysis they wished to perform. 1 Approach The four step approach was used as follows. Each individual requirement was restated as a truth table, to clarify the logic. These were then combined into a single state machine model, using SCR [22]. SCR was chosen for this study as it offered a tabular notation that corresponded well to the truth tables that the IV&V team had already adopted, and it provided tool support for checking consistency of SCR models. Consistency checking involved type checking of the SCR specification. Properties ....
C. L. Heitmeyer, B. Labaw, and D. Kiskis, "Consistency Checking of SCR-Style Requirements Specifications," presented at Second IEEE Symposium on Requirements Engineering, York, UK, 1995.
....examine overall system properties such as whether a certain property is invariant, or another is reachable without formalizing more of the underlying model of computation. Transition relations provide a way to do this, and the SCR method is a way to present such relations in a tabular manner [7]. The following is a typical SCR mode transition table (taken from Atlee and Gannon [1, Table 2]). This system, a simplified automobile cruise control, has four modes (off, inactive, cruise, and override) and the table describes the conditions under which it makes transitions from one mode to ....
....use only the standard capabilities of PVS, users can adapt and extend these customizations to suit their own needs. The generic support provided for tables and for model checking in PVS may be compared with the more specialized support provided in tools such as ORA's TableWise [8], NRL's SCR [6, 7], and Leveson and Heimdahl's consistency checker for RSML [5]. Dedicated, lightweight tools such as these are likely to be superior to a heavyweight, generic system such as PVS for their chosen purposes. Our goal in applying PVS to these problems is not to compete with specialized tools but to ....
Constance Heitmeyer, Bruce Labaw, and Daniel Kiskis. Consistency checking of SCR-style requirements specifications. In International Symposium on Requirements Engineering, York, England, March 1995. IEEE Computer Society.
....the software must be able to detect and recover from error conditions in the environment, and the software is often subject to rigorous safety and performance constraints. Languages based on hierarchical finite state machines, for example, Statecharts [5, 6, 7], SCR (Software Cost Reduction) [10, 11], and the Requirements State Machine Language (RSML) [16] are powerful modeling languages suitable for specification of software for these types of systems. The languages are relatively easy to use, allow automated verification of properties such as completeness and consistency, and support some ....
....easy to use, allow automated verification of properties such as completeness and consistency, and support some execution and dynamic evaluation [3, 4, 7, 9, 10, 11, 16]. (This work has been partially supported by NSF grants CCR 9624324 and CCR 9615088, and University of Minnesota Grant in Aid of Research 1003 521 5965.) However, methods for rigorous specification and analysis of the communication between physically distinct components in a system is currently not well supported in any of the approaches. We know that the interfaces between the software and the embedding environment is a major source of costly ....
[Article contains additional citation context not shown here]
C. L. Heitmeyer, R. Jeffords, and B. L. Labaw. Consistency checking of SCR-style requirements specifications. ACM Transactions on Software Engineering and Methodology, vol-5(3):231--261, July 1996.
....the software control is to maintain some properties in the physical process. Thus, understanding how the sensors, actuators, and process behave is essential for the development and evaluation of correct software. The importance of this systems view has been repeatedly pointed out in the literature [25, 19, 14]. To reason about this type of software controlled systems, David Parnas and Jan Madey defined what they call the four variable model (outside square of Figure 6) [25]. In this model, the monitored variables (MON) are physical quantities we measure in the system and controlled variables (CON) are ....
C. L. Heitmeyer, B. L. Labaw, and D. Kiskis. Consistency checking of SCR-style requirements specifications. In Proceedings of the Second IEEE International Symposium on Requirements Engineering, March 1995.
....the software control is to maintain some properties in the physical process. Thus, understanding how the sensors, actuators, and process behave is essential for the development and evaluation of correct software. The importance of this systems view has been repeatedly pointed out in the literature [47, 38, 24]. To reason about this type of software controlled systems, David Parnas and Jan Madey defined what they call the .... [Figure 5.1: Traditional feedback process control model]
C. L. Heitmeyer, B. L. Labaw, and D. Kiskis. Consistency checking of SCR-style requirements specifications. In Proceedings of the Second IEEE International Symposium on Requirements Engineering, March 1995.
....e . One notable exception is the CoRE methodology [5, 6, 7] developed by the Software Productivity Consortium. CoRE includes much useful information on how to perform requirements modeling in a semiformal specification language (similar to the formal SCR defined at the Naval Research Laboratory [12]). Even so, the structuring mechanism proposed in the CoRE guidebook is based on the physical structure of the system as well as which pieces of the system that are likely to change together these two (often conflicting) structuring mechanisms may or may not be beneficial to reuse. Furthermore, ....
....the software control is to maintain some properties in the physical process. Thus, understanding how the sensors, actuators, and process behave is essential for the development and evaluation of correct software. The importance of this systems view has been repeatedly pointed out in the literature [19, 17, 12]. To reason about this type of software controlled systems, David Parnas and Jan Madey defined what they call the four variable model (outside square of Figure 1) [19]. In this model, the monitored variables (MON) are physical quantities we measure in the system and controlled variables (CON) are ....
[Article contains additional citation context not shown here]
C. L. Heitmeyer, B. L. Labaw, and D. Kiskis. Consistency checking of SCR-style requirements specifications. In Proceedings of the Second IEEE International Symposium on Requirements Engineering, March 1995.
....functions are not interpreted; i.e. the semantics of the functions are abstracted away. Reasoning methods can generate more accurate analysis reports, but are more costly to use. If static analysis techniques are going to be used more frequently in industrial applications, they must be automated [7, 13, 19]. We want an analysis method that is automated, fast, and that generates accurate analysis reports so it is feasible to use in industrial settings. This paper specifically addresses the need for automation and speed by describing an automated process to check logical expressions for satisfiability ....
C. Heitmeyer et al. Consistency checking of SCR-style requirements specifications. In International Symposium on Requirements Engineering, March 1995.
.... To test the feasibility of model checking non-trivial specifications, we used McMillan's Symbolic Model Verifier (SMV) [6, 27] to model check the software requirements of the A-7E aircraft [1]. The A-7E requirements were written in the Software Cost Reduction (SCR) requirements notation [1, 17, 18]. The specification consists of three concurrent components, each modeling 6 to 18 modes of operation and reacting to 69 input conditions; the theoretical size of the specification's state space is 1.3×10^22 states. In addition, the A-7E This work was supported by the Natural Sciences and ....
....of a software system to be developed. This paper discusses model checking of behavioral requirements only. 2.1 SCR Behavioral Requirements The environment of the system to be developed is abstracted as a set of environmental conditions, which are predicates on environmental variables [17]. For example, a thermostat that regulates the air temperature of a room might define environmental condition SwitchIsOn to represent predicate [On/Off switch = On] and condition TooCold to represent predicate [ActualTemp (DesiredTemp − 3°C) If C is the set of environmental ....
[Article contains additional citation context not shown here]
C. Heitmeyer, B. Labaw, and D. Kiskis. "Consistency Checking of SCR-Style Requirements Specifications". In Proceedings of the 2nd IEEE International Symposium on Requirements Engineering, pages 56--65, March 1995.
....must be satisfied both immediately before and during the occurrence of a conditioned event. According to the latest operational semantics of SCR, a when condition 10 must be satisfied immediately before the occurrence of a conditioned event, but its value at the time of the event is unknown [21]. Given the above restriction on the occurrence of simultaneous events, one can infer the value of most when conditions: when conditions that are unrelated to the triggering event have the same value during the event as they had immediately before the event. However, when conditions that are ....
C. Heitmeyer, B. Labaw, and D. Kiskis. "Consistency Checking of SCR-Style Requirements Specifications". In Proceedings of RE'95 International Symposium of Requirements Engineering, March 1995.
....the documents. 5 Related Work A number of related approaches have used (semi) formal notations and partial formal modeling to analyse and validate existing informal requirements specifications [1]. For example, the work of Easterbrook et al. [4, 6] describes the use of formal methods such as SCR [12] and PVS [21] to model the same informal requirements examined in this paper. This work describes selective modeling of the most critical parts of a requirements specification, and the testing of some critical properties. As in our work, the approach does not aim to guarantee completeness and ....
Heitmeyer, C.L., Labaw, B. and Kiskis, D.: `Consistency Checking of SCR-Style Requirements Specifications'. 2nd International Symposium on Requirements Engineering (RE'95), March 1995, York, IEEE Computer Society Press, pp. 27-29.
.... on finding software design and implementation errors, much less has been accomplished in terms of validating requirements specifications beyond executing them for a few test cases or showing the consistency of a formal specification with various properties of the underlying mathematical model [HL96, HLK95]. Most of the specification errors and omissions that lead to accidents are unlikely to be found using these techniques. The testing of any complex software is necessarily very incomplete, and consistency with a mathematical model does not imply consistency with required properties of a real world ....
Heitmeyer, C., Labaw, B., and Kiskis, D. Consistency checking of SCR-style requirements specifications. Int. Symposium on Requirements Engineering, York, 1995.
....to create highly scalable analysis techniques, we have developed a low degree polynomial time approach to check low level designs against requirements, summarized in this paper. Requirements for embedded systems often describe a system as a set of concurrently executing state machines (see [2, 30, 46, 28]) which respond to events in their environment. Designs are frequently expressed in a program design language (PDL) [9] consisting of a concrete outer syntax of basic statement types and an inner syntax of comments. We define a design to be consistent with its requirements if the design's state ....
....as assumptions about the environment in which the system will operate. The specification language is precise, can be understood by engineers and software developers, and is easy to use and modify. The initial language lacked an underlying formal semantics. A number of semantics have been proposed [5, 30, 26, 54, 62], some of which became bases of tools performing consistency and completeness checks [31] and enabling simulations [21, 55] of requirements. In this section we briefly describe SCR behavioral requirements and environmental assumptions. A more formal description can be found in [31]. The SCR model ....
[Article contains additional citation context not shown here]
C. Heitmeyer, B. Labaw, and D. Kiskis. "Consistency Checking of SCR-Style Requirements Specifications". In Proceedings of RE'95 International Symposium of Requirements Engineering, March 1995.
....requirements appears in [4, 27]. This section extends the SCR SMV methodology to specify and verify timing requirements. System specification. The SCR requirements notation was developed by a research group at the U.S. Naval Research Laboratory as part of a general Software Cost Reduction project [1, 17, 18]. An SCR document specifies a software system's behavior as a finite set of concurrent, event driven, state transition machines called modeclasses. Each modeclass is composed of a set of modes (so named because they represent the system's different modes of operation) and transitions among the ....
..... A primitive event is a change in value of one environmental condition: primitive event T(A) is the event of environmental condition A becoming true, and event F(A) represents A becoming false. A conditioned event is a primitive event whose occurrence depends on the values of other conditions [17]: T(A) WHEN [B] occurs if A becomes true while B is true. More formally, the event occurs at time t if (a) A is false and B is true at time t − 1, and (b) A is true at time t. The model of time is discrete 2 . In the above event, A is called a triggering condition, and B is called a when ....
C. Heitmeyer, B. Labaw, and D. Kiskis. "Consistency Checking of SCR-Style Requirements Specifications". In Proceedings of the 2nd IEEE International Symposium on Requirements Engineering, pages 56--65, March 1995.
....two different failure recovery actions are specified. A completeness property is that every possible combination of failure conditions should have some recovery action specified for it. These properties were tested by converting the tabular representations into a formal model (in this case SCR [11]) and using a tool to test for these properties. A significant number of consistency errors were found: there were combinations of conditions for which more than one recovery action was specified. These were traced to a problem with the ordering of the requirements. The correct functioning of the ....
C. L. Heitmeyer, B. Labaw, and D. Kiskis, Consistency Checking of SCR-Style Requirements Specifications. Second IEEE Symposium on Requirements Engineering, York, UK, 1995.
....1 Introduction Precise notations have been developed to specify unambiguous requirements. The use of these notations helps to ensure that the requirements designer considers and documents all cases of appropriate system behavior. Of these notations, the Software Cost Reduction (SCR) notation [1, 10, 11], Statecharts [7] and the Requirements State Machine Language (RSML) [14] notation have received considerable attention because they have been used to specify the software requirements of large, real world applications (the A-7E aircraft, the avionics system for the Lavi fighter aircraft, and the ....
....conditioner. The input language of each machine is a set of conditioned events. A condition is a predicate on monitored variables, a primitive event is a change in the value of a condition, and a conditioned event is a primitive event whose occurrence depends on the values of other conditions [10]. Let conditions SwitchIsOn and TooCold represent the predicates [On/Off switch = On] and [RealTemp (SetTemp − 3°C) respectively. Primitive events T(SwitchIsOn) and F(SwitchIsOn) represent condition SwitchIsOn becoming true and becoming false, respectively. Conditioned event ....
[Article contains additional citation context not shown here]
C. Heitmeyer, B. Labaw, and D. Kiskis. "Consistency Checking of SCR-Style Requirements Specifications". In Proceedings of the 2nd IEEE International Symposium on Requirements Engineering, pages 56--65, March 1995.
....including design errors, inconsistent documentation, and expensive rework. Typically, a model provides an abstraction for specifying, communicating, and understanding aspects of the expected behavior of a software system. Examples of models include design patterns [4], finite state machines [5], object models [6, 7], functional descriptions [8], flow diagrams, process algebras [9], petri nets, and many other formal and informal notations. While it is possible in some cases to generate code directly from a model, most designers must develop software directly in a common programming ....
.... development of control systems and communication protocols with state-based design specifications and requirements [22]. Although we assume that a state based model exists a priori, we feel that this is not an unreasonable assumption given the proliferation of state based modeling techniques in use [5, 23, 24]. We are exploring the use of our method in conjunction with functional approaches [8] by using similar methods for expansion of test cases along branches of proof trees produced by automated theorem provers [25]. MODEL CHECKING A model checker takes a description of several concurrent, finite ....
Heitmeyer, C., B. Labaw, and D. Kiskis. Consistency checking of SCR-style Requirements Specifications. in Second IEEE International Symposium on Requirements Engineering. 1995. York, UK.
.... communities such as object-oriented development [8, 13, 16, 24, 25], human computer interaction [11], and strategic planning [10]. In the requirements engineering community, scenarios have proven effective for discovering [4, 18, 22, 23], elaborating [16, 18], refining [27], and validating [1, 7, 15] requirements. A recent study of scenario usage in industrial projects [29] highlights the increasing need for scenario management strategies. This paper proposes an integrated strategy for scenario management that formalizes similar scenario structures and attributes to guide and facilitate the ....
....management system, our strategies for episode management, similarity measures, and coverage analysis form the basis for a powerful scenario management tool. 2. 2 Support for Consistency: Glossaries The benefits associated with consistency checking in requirements specification are highlighted in [15]. Automated support for consistency checking frees analysts from a time consuming and error prone process. In four of the studies discussed in [29] project glossaries helped stakeholders establish a common understanding of scenario terms. In an industrial case study where 88 scenarios were used ....
C. Heitmeyer, B. Labaw, and D. Kiskis. Consistency Checking of SCR-Style Requirements Specifications. In 2nd Intl. Symp. on Req'ts Eng., pages 56--63, Mar. 1995.
.... triggers either transition is T(Doppler up) WHEN (d stage complete) A IISIODE = 6ndal A latitude 70 deg A latitude 80 deg A (present position entered) Disjointness errors in mode transition tables [39]. However, our algorithm is more general than the algorithm described in [39] eReference [21] describes a similar experiment in which we used an early version of the consistency checker and detected fewer errors. Although the early tool used the same algorithm, it only looked for one Disjointness error for every pair of disjunctions it analyzed. The current tool is designed to find all ....
HEITMEYER, C., LABAW, B., AND KISKIS, D. Consistency checking of SCR-style requirements specifications. In Proc., International Symposium on Requirements Engineering (Mar. 1995).
No context found.
C.L. Heitmeyer, R. Jeffords, and B.L. Labaw, "Consistency Checking of SCR-Style Requirements Specifications," ACM Trans. Software Eng. and Methodology, July 1996, pp. 231-261.