FORMALIZING REQUIREMENTSHartmut Lackner, 16th July 2011, VINO‘11

The Role of Requirements

Requirements are the building blocks for developing a software product. Detecting errors early saves costs.

Requirements can be considered as the contract between stakeholder and developer. Tests can „show“ that the requirements are

met.

How to formalize requirements for test generation?

Contents

Introduction to a Single Requirements Document

Possible Formalizations in UPPAAL (UML) (MS SpecExplorer)

What is this going to be? (Interactive) Modeling Session

The Requirements Document ECU: Protect a valve to freeze, by killing the

engine. The valve controls the gas flow from the tank to the engine.

Definitions Temperature Sensor reads: invalid, warm, cold, too

cold Time Window: Short (3s), Long (15s)

Initial values Time Window: Short Temperature: invalid

Rules

If the temperature sensor is more than 3s (short delay) "too cold" a quick stop occurs and the engine is shut off.

If the temperature sensor was invalid and switches to valid again and during the following 3s the temperature is not warm a long delay of 15s is activated. In this state a "too cold" triggers the quick-stop after 15s (long delay). (Long delay replaces the initial short delay).

If the temperature is “warm" then the 3s (short delay) is valid again.

If the valid temperature switches to invalid the 3s (short delay) is valid again.

If during the delay the valid temperature is not "too cold" for more than 0.2s the delay timer is reset to start a new delay period.

Definitions Temperature Sensor reads: invalid, warm, cold, too coldTime Window: Short (3s), Long (15s)

Modeling: UPPAAL

Rule 1If the temperature sensor is more than 3s (short delay) "too cold" a quick stop occurs and the engine is shut off.

Design Decisions: One template for each rule

Global Declarations Channels: changeTemp, quickstop; clock x; int[-1,2] temp; int[3,15] delay;

Temperature Sensor Engine

Rule 1

Rule 2

Attention: Clock x is reused Bad Design? This Template is dependent on Rule 3 + 4!

If the temperature sensor was invalid and switches to valid again and during the following 3s the temperature is not warm a long delay of 15s is activated. In this state a "too cold" triggers the quick-stop after 15s (long delay). (Long delay replaces the initial short delay).

Rule 3 + 43. If the temperature is “warm" then the 3s (short delay) is valid again. 4. If the valid temperature switches to invalid the 3s (short delay) is valid again.

Rule 3 Rule 4

Rule 5

Local Declaration: clock y;

If during the delay the valid temperature is not "too cold" for more than 0.2s the delay timer is reset to start a new delay period.

Next Steps

Future Work

Design the UML model Compare the models to the requirements

Is modeling „straight-forward“? Generate tests from the models

How strong is the „fault detection capability“ for each model?

Mutation analysis

Thanks for your Attention!

Questions?