Appears in Proceedings, Third IEEE International Symposium on Requirements Engineering (RE'97), January 5-8th, 1997, Annapolis, Maryland, USA.

## Formal Methods for V&V of partial specifications: An experience report

Steve Easterbrook and John Callahan {steve,callahan}@cs.wvu.edu NASA/West Virginia University Software IV&V Facility 100 University Drive Fairmont, WV 26554

## Abstract

This paper describes our work exploring the suitability of formal specification methods for independent verification and validation (IV & V) of ment teams. In section 2,  $\mathrm{IV}\&\mathrm{V}$  contractor kas less access to the development team than is ideal.

| 1 | C&C MDM acting as the bus controller               |
|---|----------------------------------------------------|
|   | Detection of transaction errors                    |
|   | in two consecutive processing frames               |
|   | errors are on selected messages                    |
|   | tlee RT's 1553 FDIR is not inleibited              |
|   | A backup BC is available                           |
| Α | The BC has been switched in the last 20 seconds    |
| Ν | The SPD card reset capability is inhibited         |
| D | The SPD card has been reset in the last 10 major   |
|   | (10  second)  frames                               |
|   | The transaction errors are from multiple RTs       |
|   | The current channel has been reset within the last |
|   | major frame                                        |

| OR                              | u<br>U |        |
|---------------------------------|--------|--------|
| $\frac{\mathrm{T}}{\mathrm{T}}$ | T      | T      |
| T<br>T                          | T      | T      |
| $\frac{\mathrm{T}}{\mathrm{T}}$ | T<br>T | T<br>T |
| <u> </u>                        | -<br>T | Ť      |
| T<br>F                          | T      | T<br>F |

T T

 $\begin{array}{c} T \\ T \\ T \\ T \\ T \\ T \\ T \end{array}$ 

T T tant in tracing problems back to the informal specifi-cation, and in convincing the development team that there really is a problem. The first step was to produce an SCR model of the specified FDIR behavior. At this stage we

| Current | Conditions              |                        |         |               |        |                    |         |         |                 |         | Next    |              |
|---------|-------------------------|------------------------|---------|---------------|--------|--------------------|---------|---------|-----------------|---------|---------|--------------|
| Mode    | errors                  | bus                    | bus     | bus           | backup | BC                 | card    | card    | errors          | channel | channel | Mode         |
|         | in two                  | swch'd                 | switch  | swch'd        | BC     | swch'd             | reset   | reset   | $\mathbf{from}$ | reset   | reset   |              |
|         | cons.                   | last                   | inhibit | $_{\rm this}$ | avail. | in last            | inhibit | last 10 | mult.           | last    | inhibit |              |
|         | $\operatorname{frames}$ | $\operatorname{frame}$ |         | frame         |        | $20  \mathrm{sec}$ |         | frames  | RTs             | frame   |         |              |
| Normal  | @T                      | -                      | -       | F             | -      | -                  | -       | -       | -               | -       | -       | switch buses |
|         | @T                      | -                      | Т       | F             | -      | -                  | -       | -       | -               | -       | F       | reset the    |
|         | @T                      | т                      | -       | F             | -      | -                  | -       | -       | -               | -       | F       | channel      |
|         | @T                      | -                      | -       | -             | -      | -                  | F       | F       | Т               | Т       | -       | reset the    |
|         | @T                      | -                      | -       | -             | -      | -                  | F       | F       | Т               | F       | Т       | card         |
|         | @T                      | Т                      | -       | -             | -      | -                  | -       | -       | F               | Т       | -       | switch RT    |
|         | @T                      | F                      | т       | -             | -      | -                  | -       | -       | $\mathbf{F}$    | т       | -       | to backup    |
|         | @T                      | т                      | -       | -             | -      | -                  | -       | -       | F               | F       | т       |              |
|         | @T                      | F                      | т       | -             | -      | -                  | -       | -       | F               | F       | т       |              |
|         | @T                      | -                      | -       | -             | Т      | F                  | Т       | -       | Т               | Т       | -       | switch BC    |
|         | @T                      | -                      | -       | -             | т      | F                  | т       | -       | Т               | F       | т       | to backup    |
|         | $^{O}T$                 | -                      | -       | -             | т      | F                  | -       | т       | т               | Т       | -       |              |
|         | @T                      | -                      | -       | -             | Т      | F                  | -       | Т       | Т               | F       | Т       |              |
|         | @T                      | -                      | -       | -             | т      | т                  | т       | -       | Т               | Т       | -       | switch       |
|         | @T                      | -                      | -       | -             | Т      | т                  | т       | -       | Т               | F       | Т       | all RTs      |
|         | @T                      | -                      | -       | -             | Т      | т                  | -       | Т       | Т               | Т       | -       |              |
|         | @T                      | -                      | -       | -             | Т      | Т                  | -       | Т       | Т               | F       | Т       |              |

Table 2: An SCR Mode transition table. Eack of the central columns represents a condition, showing whether it should be true or false; '-' means "don't care"; '@T' indicates a trigger condition for the mode transition. The four columns of table 1 correspond to the last four rows of this table. The semantics of SCR require this table to represent a function, so that the disjunction of all the rows covers all possible conditions (coverage), and the conjunction of any two rows is false (disjointness).

that it leads to, but also for the removal of ambiguities and for improved understanding. For this benefit, it is the process of formalization, rather than the end product that is important.

The fidelity problem is really a special case of a more general problem: management of consistency between partial specifications expressed in different no-tations. For instance, the AND/OR tables have a clear relationskip with the SCR mode tables, but if we make a correction to one of the AND/OR tables, it is fairly tedious to identify the corresponding cor-rection in the SCR tables. Similarly, each time the developersofisichersonchitinfoynhallsfactNTD/ODE00004B0Td[(ann)iti5999T3619000440F0H/Hachfjf997(8cafic9.1date74020Td('-')Tj11.00

the assorted partial specifications drawn from different

continuing the experiments described in this paper by examining how model checking can be used to validate the specifications.

## Acknowledgments

Our thanks are due to Chuck Neppach and Dan McCaugherty for many interesting discussions of the work presented here, and to Frank Schneider, Edward Addy, John Hinkle, George Sabolish, Todd Montgomery and Butch Neal for detailed comments on earlier drafts of this paper. This work is supported by NASA Cooperative Research Agreement NCCW-0040.

## References

- V. Basili. The experience factory and its relationskip to other improvement paradigms. In Proceedings of the 4<sup>th</sup> European Software Engineering Conference, Garmish-Partenkirchen, Germany, September 1993.
- [2] J. Callacan and T. Montgomery. An approach to verification and validation of a reliable multicast protocol. In Proceedings of the ACM International Symposium on Software Testing and Analysis (ISSTA), January 1996.
- [3] D. Craigen, S. L. Gerkart, and T. Ralston. Formal metkods reality ckeck: