Deriving tabular event-based specifications from goal-oriented requirements models

Goal-oriented methods are increasingly popular for elaborating software requirements. They offer systematic support for incrementally building intentional, structural and operational models of the software and its environment. They also provide various techniques for early analysis, notably, to manage conflicting goals or to anticipate abnormal environment behaviours that prevent goals from being achieved. On the other hand, tabular event-based methods are well-established for specifying operational requirements for control software. They provide sophisticated techniques and tools for late analysis of software behaviour models through simulation, model checking or table exhaustiveness checks. The paper proposes to take the best out of these two worlds to engineer requirements for control software. It presents a technique for deriving event-based specifications, written in the SCR tabular language, from operational specifications built according to the KAOS goal-oriented method. The technique consists of a series of transformation steps each of which resolves semantic, structural or syntactic differences between the KAOS source language and the SCR target language. Some of these steps need human intervention and illustrate the kind of semantic subtleties that need to be taken into account when integrating multiple formalisms. As a result of our technique SCR specifiers may use upstream goal-based processes à la KAOS for the incremental elaboration, early analysis, organization and documentation of their tables, while KAOS modelers may use downstream tables à la SCR for later analysis of the behaviour models derived from goal specifications.     

A service creation environment based on scenarios

Scenarios are often constructed for illustrating example runs through reactive system. Scenarios that describe possible interactions between a system and its environment are widely used in requirement engineering, as a means for users to communicate their functional requirements. Various software development methods use scenarios to define user requirements, but often lack tool support. Existing tools are graphical editors rather than tool support for design. This paper presents a service creation environment for elicitation, integration, verification and validation of scenarios. A semi-formal language is defined for user oriented scenario representation, and a prototype tool implementing an algorithm that integrates them for formal specification generation. This specification is then used to automatically find and report inconsistencies in the scenarios.     

A formal approach to scenario integration

The scenario technique is an interesting approach for eliciting requirements. A formal approach to scenario generation has made it even more attractive. The next logical step is to integrate several scenarios into one single, consistent, specification. In this work, a mixed approach, involving formal and informal steps is proposed for performing this task. The system's formal specification is expressed as a finite state machine. The specifications of two interacting scenarios are integrated in a procedure involving formal and informal steps. Then several algorithms based on the properties of the model, are applied to detect three classes of errors: mistakes made by the analyst during the informal steps of the integration, inconsistencies between the scenarios, and incompleteness of both scenarios. Each algorithm detects the corresponding specification errors and in addition, suggests the corrections to apply. The formal techniques applied in this work could be the basis of a CASE tool for scenario‐based requirements engineering.     

航空机载嵌入式控制软件需求建模的形式化工程方法

嵌入式控制软件是现代航空飞行器的核心部件之一。构建软件需求的形式化规约精确地刻画人们对软件期望的功能和运行场景,是确保此类安全攸关软件质量的根本途径。在工业界,形式化需求建模的大规模应用尽管有成功的案例,但仍面临众多的困难。其根本性难点在于缺少一种系统化的工程方法来引导工业界软件实践者,从原始需求开始最终完成形式化需求规约,并能确认该规约真实、充分地反映了人们对软件期望的功能。针对上述挑战,提出了一种面向机载控制软件需求建模的形式化工程方法ACSDL-MV,以形式化方法为理论基础,结合软件需求工程的基本原理,引导工程人员从原始需求出发以演化式的过程逐步完成需求规约的构建;定制了航空控制软件的形式化描述语言ACSDL,用以构建形式化规约;为了确认软件需求规约准确、充分地描述了人们对软件期望的功能,该方法给出了基于图形的静态审查和基于模型的动态模拟技术。在航空发动机公司中的实验结果表明,该方法相比传统方法探测到了更多的潜在错误。     

Modelling Fine-Grained Access Control Policies in Grids

This paper presents an abstract specification of an enforcement mechanism of usage control for Grids, and verifies formally that such mechanism enforces UCON policies. Our technique is based on KAOS, a goal-oriented requirements engineering methodology with a formal LTL-based language and semantics. KAOS is used in a bottom-up form. We abstract the specification of the enforcement mechanism from current implementations of usage control for Grids. The result of this process is agent and operation models that describe the main components and operations of the enforcement mechanism. KAOS is used in top-down form by applying goal-refinement in order to refine UCON policies. The result of this process is a goal-refinement tree, which shows how a goal (policy) can be decomposed into sub-goals. Verification that a policy can be enforced is then equivalent to prove that a goal can be implemented by the enforcement mechanism represented by the agent and operation models.     

Managing conflicts in goal-driven requirements engineering

A wide range of inconsistencies can arise during requirements engineering as goals and requirements are elicited from multiple stakeholders. Resolving such inconsistencies sooner or later in the process is a necessary condition for successful development of the software implementing those requirements. The paper first reviews the main types of inconsistency that can arise during requirements elaboration, defining them in an integrated framework and exploring their interrelationships. It then concentrates on the specific case of conflicting formulations of goals and requirements among different stakeholder viewpoints or within a single viewpoint. A frequent, weaker form of conflict called divergence is introduced and studied in depth. Formal techniques and heuristics are proposed for detecting conflicts and divergences from specifications of goals/requirements and of domain properties. Various techniques are then discussed for resolving conflicts and divergences systematically by the introduction of new goals or by transforming the specifications of goals/objects toward conflict-free versions. Numerous examples are given throughout the paper to illustrate the practical relevance of the concepts and techniques presented. The latter are discussed in the framework of the KAOS methodology for goal-driven requirements engineering     

Automated Prototyping of User Interfaces Based on UML Scenarios

User interface (UI) prototyping and scenario engineering have become popular techniques. Yet, the transition from scenario to formal specifications and the generation of UI code is still ill-defined and essentially a manual task, and the two techniques lack integration in the overall requirements engineering process. In this paper, we suggest an approach for requirements engineering that generates a user interface prototype from scenarios and yields a formal specification of the application. Scenarios are acquired in the form of collaboration diagrams as defined by the Unified Modeling Language (UML), and are enriched with user interface (UI) information. These diagrams are automatically transformed into UML Statechart specifications of the UI objects involved. From the set of obtained specifications, a UI prototype is generated that is embedded in a UI builder environment for further refinement. Based on end user feedback, the collaboration diagrams and the UI prototype may be iteratively refined, and the result of the overall process is a specification consisting of the Statechart diagrams of all the objects involved, together with the generated and refined prototype of the UI. The algorithms underlying this process have been implemented and exercised on a number of examples. This research was mainly conducted at University of Montreal, where the first two authors were PhD students and the third author a full-time faculty member. Funding was provided in part by FCAR (Fonds pour la formation des chercheurs et l'aide à la recherche au Québec) and by the SPOOL project organized by CSER (Consortium Software Engineering Research) which is funded by Bell Canada, NSERC (Natural Sciences and Research Council of Canada), and NRC (National Research Council Canada).     

A first attempt to combine SysML requirements diagrams and B

This article describes a work-in-progress in the framework of a research project aiming at combining requirements engineering methods with formal methods. The main idea is to extend the SysML language with concepts of existing requirements engineering methods. In this article we present extensions to SysML with concepts from the goal model of the KAOS method and we give rules to derive a formal B specification from this goal model. The approach is then illustrated on a case study.     

Automated analysis of security-design models

We have previously proposed SecureUML, an expressive UML-based language for constructing security-design models, which are models that combine design specifications for distributed systems with specifications of their security policies. Here, we show how to automate the analysis of such models in a semantically precise and meaningful way. In our approach, models are formalized together with scenarios that represent possible run-time instances. Queries about properties of the security policy modeled are expressed as formulas in UML’s Object Constraint Language. The policy may include both declarative aspects, i.e., static access-control information such as the assignment of users and permissions to roles, and programmatic aspects, which depend on dynamic information, namely the satisfaction of authorization constraints in a given scenario. We show how such properties can be evaluated, completely automatically, in the context of the metamodel of the security-design language. We demonstrate, through examples, that this approach can be used to formalize and check non-trivial security properties. The approach has been implemented in the SecureMOVA tool and all of the examples presented have been checked using this tool.     

Converting scenarios to CSP traces with Mise en Scene for requirements-based programming

The Requirements-to-Design-to-Code (R2D2C) project of NASA’s Software Engineering Laboratory is based on inferring a formal specification expressed in Communicating Sequential Processes (CSP) from system requirements supplied in the form of CSP traces. The traces, in turn, are to be derived from scenarios, a user-friendly medium used to describe the required behavior of computer systems under development. An extensive survey of the “scenario” concept and an overview of scenario-based approaches to system engineering are presented. This work, called Mise en Scene, defines a new scenario medium (scenario notation language, SNL) suitable for control-dominated systems, coupled with a two-stage process for automatic translation of scenarios to a new trace medium (trace notation language, TNL), which encompasses CSP traces. Notes on progress toward a “smart” scenario authoring tool are provided, as well as a detailed case study. This work was originally presented at the Software Engineering Workshop (SEW-31) in March 2007. It was supported by research grants from Canada’s Natural Sciences and Engineering Research Council (NSERC).     

需求模型中目标的关系及其发现方法

KAOS方法在分析系统目标时只考虑具有负面影响的冲突关系,没有提供支撑作用的判断方法。该文定义一组类似于Tropos中目标间的二元关系,扩展KAOS的目标模型语义框架,使目标间的支撑和抑制作用明朗化。构造目标关系的推理规则和推导算法,以发现模型中隐含的关系,进而分析目标模型的一致性和可行性,为需求可行性评估奠定了理论基础。     

轨道交通控制软件中基于场景的需求分析方法

针对轨道交通控制软件的形式化方法,在实际工程应用中存在形式化建模和系统级场景验证困难的问题。提出一种面向轨道交通领域的形式化建模和需求确认及验证方法。通过非形式化、半形式化到形式化规约三步演化过程,为形式化规约构建提供模板。在对需求的确认和验证中,根据形式化规范建立需求模型,导出相关图表,基于此检查领域专家关注的场景。同时制定场景描述规则,使场景可以在需求模型中正确执行。在此基础上,从特殊变量、效率、场景质量三方面对场景进行优化,更充分地验证需求的正确性。实验结果表明,对于典型车载控制软件,该方法较传统分析方法可多探测到10%的潜在缺陷,效率提升80%以上。     

Triggered Message Sequence Charts

This paper introduces triggered message sequence charts (TMSCs), a graphical, mathematically well-founded framework for capturing scenario-based system requirements of distributed systems. Like message sequence charts (MSCs), TMSCs are graphical depictions of scenarios, or exchanges of messages between processes in a distributed system. Unlike MSCs, however, TMSCs are equipped with a notion of trigger that permits requirements to be made conditional, a notion of partiality indicating that a scenario may be subsequently extended, and a notion of refinement for assessing whether or not a more detailed specification correctly elaborates on a less detailed one. The TMSC notation also includes a collection of composition operators allowing structure to be introduced into scenario specifications so that interactions among different scenarios may be studied. In the first part of this paper, TMSCs are introduced and their use in support of requirements modeling is illustrated via two extended examples. The second part develops the mathematical underpinnings of the language     

Specifying and analyzing early requirements in Tropos

We present a framework that supports the formal verification of early requirements specifications. The framework is based on Formal Tropos, a specification language that adopts primitive concepts for modeling early requirements (such as actor, goal, and strategic dependency), along with a rich temporal specification language. We show how existing formal analysis techniques, and in particular model checking, can be adapted for the automatic verification of Formal Tropos specifications. These techniques have been implemented in a tool, called the T-Tool, that maps Formal Tropos specifications into a language that can be handled by the NuSMV model checker. Finally, we evaluate our methodology on a course-exam management case study. Our experiments show that formal analysis reveals gaps and inconsistencies in early requirements specifications that are by no means trivial to discover without the help of formal analysis tools.

Reducing one class of machine learning algorithms to logical operations of plausible reasoning

The ways to transform a wide class of machine learning algorithms into processes of plausible reasoning based on known deductive and inductive rules of inference are shown. The employed approach to machine learning problems is based on the concept of a good classification (diagnostic) test for a given set of positive and negative examples. The problem of inferring all good diagnostic tests is to search for the best approximations of the given classification (partition or the partitioning) on the established set of examples. The theory of algebraic lattice is used as a mathematical language to construct algorithms of inferring good classification tests. The advantage of the algebraic lattice is that it is given both as a declarative structure, i.e., the structure for knowledge representation, and as a system of dual operations used to generate elements of this structure. In this work, algorithms of inferring good tests are decomposed into subproblems and operations that are the main rules of plausible human inductive and deductive reasoning. The process of plausible reasoning is considered as a sequence of three mental acts: implementing the rule of reasoning (inductive or deductive)with obtaining a new assertion, refining the boundaries of reasoning domain, and choosing a new rule of reasoning (deductive or inductive one).     

一个支持规约获取的形式规约语言

该文介绍了形式规约语言LFC设计的一些主要方面，并通过例子说明了LFC的一些特色。形式规约语言LFC是为支持软件形式规约的获取工作而开发的。该语言以一种新的递归函数，即定义在上下文无关语言上的递归函数为基础，以上下文无关语言为数据类型，在语言级支持规约获取。LFC语言已被用作形式规约获取系统SAQ的一部分。使用表明，LFC是一个能力强、易使用的语言，适合软件形式规约获取之用，并且适合其它一些用途。