FORMALIZING REQUIREMENTS
Hartmut Lackner, 16th July 2011, VINO'11
Jan 04, 2016
The Role of Requirements
Requirements are the building blocks for developing a software product. Detecting errors early saves costs.
Requirements can be considered as the contract between stakeholder and developer. Tests can "show" that the requirements are met.
How to formalize requirements for test generation?
Contents
Introduction to a Single Requirements Document
Possible Formalizations in UPPAAL (UML) (MS SpecExplorer)
What is this going to be? (Interactive) Modeling Session
The Requirements Document
ECU: protect a valve from freezing by killing the engine. The valve controls the gas flow from the tank to the engine.
Definitions
Temperature Sensor reads: invalid, warm, cold, too cold
Time Window: Short (3s), Long (15s)
Initial values: Time Window: Short; Temperature: invalid
Rules
1. If the temperature sensor is more than 3s (short delay) "too cold", a quick stop occurs and the engine is shut off.
2. If the temperature sensor was invalid and switches to valid again, and during the following 3s the temperature is not warm, a long delay of 15s is activated. In this state a "too cold" triggers the quick stop after 15s (long delay). (The long delay replaces the initial short delay.)
3. If the temperature is "warm", then the 3s (short delay) is valid again.
4. If the valid temperature switches to invalid, the 3s (short delay) is valid again.
5. If during the delay the valid temperature is not "too cold" for more than 0.2s, the delay timer is reset to start a new delay period.
Modeling: UPPAAL
Rule 1: If the temperature sensor is more than 3s (short delay) "too cold", a quick stop occurs and the engine is shut off.
Design Decisions: One template for each rule
Global Declarations: channels changeTemp, quickstop; clock x; int[-1,2] temp; int[3,15] delay;
[Automata templates: Temperature Sensor, Engine]
[Automaton template: Rule 1]
Rule 2: If the temperature sensor was invalid and switches to valid again, and during the following 3s the temperature is not warm, a long delay of 15s is activated. In this state a "too cold" triggers the quick stop after 15s (long delay). (The long delay replaces the initial short delay.)
Attention: clock x is reused. Bad design? This template depends on Rules 3 + 4!
Rule 3 + 4
3. If the temperature is "warm", then the 3s (short delay) is valid again.
4. If the valid temperature switches to invalid, the 3s (short delay) is valid again.
[Automata templates: Rule 3, Rule 4]
Rule 5: If during the delay the valid temperature is not "too cold" for more than 0.2s, the delay timer is reset to start a new delay period.
Local Declaration: clock y;
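Added here as an executable reading of rules 1-5 (this is not code from the slides or from the UPPAAL model): a small Python simulator of the requirements that can serve as a test oracle, with one state per clock or delay of the model. It makes two interpretation choices the slides leave open, namely that a delay change applies to an already running timer, and that deadlines at the same instant are resolved in rule order; the class and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SHORT, LONG = 3.0, 15.0   # time windows (s) from the requirements document
TOLERANCE = 0.2           # rule 5: gaps in "too cold" of up to 0.2s are ignored


@dataclass
class ValveEcu:
    temp: str = "invalid"                 # initial sensor value per the document
    delay: float = SHORT                  # initial time window: short
    cold_since: Optional[float] = None    # start of the running "too cold" timer
    left_cold_at: Optional[float] = None  # when the reading last left "too cold"
    valid_since: Optional[float] = None   # rule 2: start of the 3s "not warm" window
    stopped_at: Optional[float] = None    # time of the quick stop, if it happened

    def advance(self, now: float) -> None:
        # Fire time-triggered rules in deadline order, up to time `now`.
        while self.stopped_at is None:
            due = []  # (deadline, rule number) of every pending timer
            if self.valid_since is not None:
                due.append((self.valid_since + SHORT, 2))
            if self.left_cold_at is not None:
                due.append((self.left_cold_at + TOLERANCE, 5))
            if self.cold_since is not None:
                due.append((self.cold_since + self.delay, 1))
            due = [d for d in due if d[0] <= now]
            if not due:
                return
            t, rule = min(due)  # same instant: lower rule number wins (modeling choice)
            if rule == 1:       # "too cold" for the whole delay: quick stop
                self.stopped_at = t
            elif rule == 2:     # 3s valid without "warm": long delay replaces short
                self.delay, self.valid_since = LONG, None
            else:               # not "too cold" for more than 0.2s: timer starts over
                self.cold_since = self.left_cold_at = None

    def set_temp(self, now: float, temp: str) -> None:
        # Sensor event at time `now`; temp is "invalid", "warm", "cold" or "too cold".
        self.advance(now)
        prev, self.temp = self.temp, temp
        if prev == "invalid" and temp != "invalid":
            self.valid_since = now                   # rule 2: 3s window opens
        if temp in ("invalid", "warm"):              # rules 3 and 4: short delay again
            self.delay, self.valid_since = SHORT, None
        if temp == "too cold":
            if self.cold_since is None:
                self.cold_since = now                # rule 1: delay timer starts
            self.left_cold_at = None                 # back within 0.2s: timer keeps running
        elif self.cold_since is not None and self.left_cold_at is None:
            self.left_cold_at = now                  # rule 5: tolerance window opens
```

Feeding a sensor trace through `set_temp` and reading `stopped_at` gives the expected quick-stop time for that trace, which is what a generated test would compare against the model.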
Next Steps
Design the UML model
Is modeling "straight-forward"?
Future Work
Compare the models to the requirements
Generate tests from the models
How strong is the "fault detection capability" of each model? Mutation analysis
Thanks for your Attention!
Questions?