Automatic Analysis of Automatic Analysis of Consistency between Consistency between

Requirements and DesignsRequirements and Designs

Jon DavisJon Davis

Andy KantAndy Kant

Article by Chechik and GannonArticle by Chechik and Gannon

IntroductionIntroduction Removing inconsistencies is an effective way to Removing inconsistencies is an effective way to

improve software quality.improve software quality. Current techniques are effective, however, they Current techniques are effective, however, they

require considerable amounts of skills and lots of require considerable amounts of skills and lots of time and investments. However, this only proves time and investments. However, this only proves true on smaller designs.true on smaller designs.

Researchers suggest a method which checks Researchers suggest a method which checks abstractions of programs.abstractions of programs.

The method discussed in the article formalize The method discussed in the article formalize specifications for making abstractions so that specifications for making abstractions so that they can be used to check the consistency of a they can be used to check the consistency of a requirement.requirement.

BackgroundBackground Current methods for checking inconsistencies are Current methods for checking inconsistencies are

theorem-proving and model-checking.theorem-proving and model-checking. The theorem-proving method requires The theorem-proving method requires

considerable skill and time investments.considerable skill and time investments. The model-checking method is limited to finite-The model-checking method is limited to finite-

state systems. Although fully automated, an state systems. Although fully automated, an increased amount of variables makes it too large increased amount of variables makes it too large to analyze.to analyze.

The method suggested in this article is a “light-The method suggested in this article is a “light-weight” formal method which achieves fully weight” formal method which achieves fully automatic verification by checking abstraction of automatic verification by checking abstraction of the system for certain properties.the system for certain properties.

Requirements NotationRequirements Notation

The light-weight method requires a formal The light-weight method requires a formal specification and language syntax.specification and language syntax.

This method makes use of a language that This method makes use of a language that is easily understood by engineers.is easily understood by engineers.

The models for this method are used to The models for this method are used to specify reactive systems.specify reactive systems.

The input language of each machine is a The input language of each machine is a set of conditioned events. A condition is a set of conditioned events. A condition is a Boolean variable.Boolean variable.

Detailed DesignDetailed Design A Program Design Language (PDL) is used A Program Design Language (PDL) is used

to specify design. This method uses a to specify design. This method uses a custom-defined PDL to reason about custom-defined PDL to reason about designs and Software Cost Reduction designs and Software Cost Reduction (SCR) requirements.(SCR) requirements.

Designs should look like real programs – Designs should look like real programs – they should specify control flow using they should specify control flow using standard programming constructs.standard programming constructs.

Designs should capture the essence of Designs should capture the essence of what the code is doing rather than details.what the code is doing rather than details.

Designs should be able to deal with Designs should be able to deal with specific conditional statements.specific conditional statements.

Design Code ExampleDesign Code Example

Analysis of DesignAnalysis of Design

Five properties are checkedFive properties are checked 1. START (If the starting state is 1. START (If the starting state is

correct)correct) 2. OLT (Only legal transitions)2. OLT (Only legal transitions) 3. ALT (All legal transitions)3. ALT (All legal transitions) 4. ENV (Environmental assumptions 4. ENV (Environmental assumptions

are preserved)are preserved) 5. REACH (All nodes are reachable)5. REACH (All nodes are reachable)

General ProcessGeneral Process

Design Flow GraphDesign Flow Graph

Finite-State MachineFinite-State Machine

ResultsResults

After completing the process of After completing the process of creating the DGM…creating the DGM…

Creating the FSM…Creating the FSM… And checking for all 5 properties…And checking for all 5 properties… Results will finally list which Results will finally list which

properties were inconsistent in the properties were inconsistent in the design and the requirements.design and the requirements.

Here is an example result table…Here is an example result table…

Results ExampleResults Example

Overview/ConclusionOverview/Conclusion Using the defined notation, SCR Using the defined notation, SCR

specifications are written and checked for specifications are written and checked for completeness.completeness.

A design is then made with the PDL and A design is then made with the PDL and automatically verified for consistency with automatically verified for consistency with the requirements.the requirements.

A real implementation is made around the A real implementation is made around the PDL statements and checked for PDL statements and checked for consistency with the design.consistency with the design.

This process helps assure that the code This process helps assure that the code implements the behavior specified in the implements the behavior specified in the requirements.requirements.