Formalization and Validation of Safety-Critical Requirements

Authors: Alessandro Cimatti, Marco Roveri, Angelo Susi, Stefano Tonetta (FBK-irst, Trento, Italy)

To appear in EPTCS. © A. Cimatti, M. Roveri, A. Susi, S. Tonetta. This work is licensed under the Creative Commons Attribution License.

Formalization and Validation of Safety-Critical Requirements*

Alessandro Cimatti, FBK-irst, Trento, Italy, cimatti@fbk.eu
Marco Roveri, FBK-irst, Trento, Italy, roveri@fbk.eu
Angelo Susi, FBK-irst, Trento, Italy, susi@fbk.eu
Stefano Tonetta, FBK-irst, Trento, Italy, tonettas@fbk.eu

* A. Cimatti, M. Roveri, and A. Susi have been partly supported by the European Railway Agency under the project EuRailCheck, service contract ERA/2007/ERTMS/02. S. Tonetta has been supported by the Provincia Autonoma di Trento (project ANACONDA).

Abstract. The validation of requirements is a fundamental step in the development process of safety-critical systems. In safety-critical applications such as aerospace, avionics and railways, the use of formal methods is of paramount importance both for requirements and for design validation. Nevertheless, while for the verification of the design many formal techniques have been conceived and applied, the research on formal methods for requirements validation is not yet mature. The main obstacles are that, on the one hand, the correctness of requirements is not formally defined; on the other hand, the formalization and the validation of the requirements usually demand a strong involvement of domain experts. We report on a methodology and a series of techniques that we developed for the formalization and validation of high-level requirements for safety-critical applications. The main ingredients are a very expressive formal language and automatic satisfiability procedures. The language combines first-order, temporal, and hybrid logic. The satisfiability procedures are based on model checking and satisfiability modulo theory. We applied this technology within an industrial project to the validation of railways requirements.

1 Introduction

Formal methods are widely used in the development process of safety-critical systems. The application of formal verification techniques relies on the formalization of the system's design into a mathematical language. Several formal languages are available according to the different aspects that are relevant to the verification, and many design tools can automatically formalize the design into one of these languages. The verification techniques typically trade off the automation of the analysis with the expressiveness of the specification language. State-of-the-art approaches mix model checking and theorem proving in order to tackle the verification of infinite-state systems with a sufficient level of automation.

Another important aspect of the development process is the correctness of the requirements. Very often bugs in the late phases are caused by some flaws in the requirements specification. These are difficult to detect and have a huge impact on the cost of fixing the bug. Nevertheless, formal methods for requirements validation are not yet mature. In particular there is no precise definition of correct requirements.

The most relevant solution has been proposed in the context of the property-based approach to design, where the development process starts from listing a set of formal properties, rather than defining an abstract-level model. The requirements validation is performed with a series of checks that improve the confidence in the correctness of the requirements. These checks consist of verifying that the requirements do not contain contradictions and that they are neither too strict, forbidding desired behaviors, nor too weak, allowing undesired behaviors. This process relies on the availability of a sufficiently expressive logic so that properties as well as desired and undesired behaviors can be formalized into formulas. The approach considers a one-to-one mapping between the properties and the logical formulas. This allows for traceability of the formalization and the validation results, and for incremental and modular approaches to the validation.

In the context of safety-critical applications, the choice of the language used to formalize the requirements is still an open issue, requiring a delicate balance between expressiveness, decidability, and complexity of inference. The difficulty in finding a suitable trade-off lies in the fact that the requirements for many real-world applications involve several dimensions. On the one side, the objects having an active role in the target application may have complex structure and mutual relationships, whose modeling may require the use of rich data types. On the other side, static constraints over their attributes must be complemented with constraints on their temporal evolution.

One of the main obstacles in applying this approach at the industrial level is that requirements are often written in a natural language, so that domain knowledge is necessary both to formalize them and to define which behaviors are desirable and which are not during the validation process. Since domain experts are typically not advanced users of formal methods, they must be provided with a rich but friendly language for the formal specification and an automatic but scalable engine for the formal verification.

In this paper, we report on a methodology and a series of techniques that we developed for the formalization and validation of high-level requirements for safety-critical applications. The methodology is based on a three-phase approach that goes from the informal analysis of the requirements to their formalization and validation [CRST08a]. The methodology relies on two main ingredients: a very expressive formal language and automatic satisfiability procedures. The language combines first-order, temporal, and hybrid logic [CRST08b, CRST09, CRT09]. The satisfiability procedures are based on model checking and satisfiability modulo theory. We applied this technology within an industrial project to the validation of railways requirements. The tool [CCM+09] integrates, within a commercial environment, techniques for requirements management and model-based design, and advanced techniques for formal validation with the model checker NuSMV [CCGR00].

The rest of the paper is organized as follows: in Section 2, we outline the proposed methodology, giving details on the chosen language in Section 2.1 and on the validation procedure in Section 2.2; in Section 3, we describe the project where the methodology was applied; in Section 4, we review the related work, and in Section 5, we conclude.

2 A methodology for the formalization and validation of requirements

Our methodology has been presented in [CRST08a]. It consists of three main steps:

• Informal analysis. The first activity in the methodology is the informal analysis of the set of requirements. In this phase, first the requirement fragments are identified and categorized on the basis of their characteristics. Then, they are structured according to their dependencies.

• Formalization. The second phase consists of the formalization of each categorized requirement fragment identified in the informal analysis by specifying the corresponding formal counterpart. The link between informal and formal is used for requirements traceability of the formalization against the informal textual requirements, and to select directly from the textual requirements document a categorized requirement fragment to validate.

• Formal validation. The third phase aims at improving the quality of the requirements and increasing the confidence that the categorized requirement fragment and its corresponding formalized counterpart meet the design intent. It consists of the definition of a series of validation problems and the analysis of the results given by an automatic validation check. The problems include three main types of checks, namely checking logical consistency, scenario compatibility, and property entailment:

  – Logical consistency, to formally verify the absence of logical contradictions in the considered formalized requirement fragments. It is indeed possible that two formalized requirement fragments mandate mutually incompatible behaviors. Note that this check does not require any domain knowledge.

  – Scenario compatibility, to verify whether a scenario is admitted given the constraints imposed by the considered formalized requirement fragments. Intuitively, the check for scenario compatibility can be seen as a form of simulation guided by a set of constraints. The check for scenario compatibility can be reduced to the problem of checking the consistency of the set of considered formalized requirement fragments with the constraint describing the scenario.

  – Property entailment, to verify whether an expected property is implied by the considered formalized requirement fragments. This check is similar in spirit to model checking, where a property is checked against a model. Here the considered set of formalized requirement fragments plays the role of the model against which the property must be verified. Property checking can be reduced to the problem of checking the consistency of the considered formalized requirement fragments with the negation of the property.

  If one of the checks reveals a problem, two causes are possible: the first one is that the formalization is not correct due to an improper use of the formal language or to an ambiguity of the informal specification; the second possibility is that there is a flaw in the informal specification that needs to be corrected. An inspection of the diagnostic information can be carried out in order to discriminate between the two possibilities and take the most appropriate corrective action. In fact, the above checks not only produce a yes/no answer, but they can also provide the domain expert with diagnostic information, mainly in the form of:

  – Traces. When consistency and scenario checking succeed, it is possible to produce a trace witnessing the consistency, i.e. satisfying all the constraints in the considered formalized requirement fragments. Similarly, when a property check fails the tool provides a trace witnessing the violation of the property by the formalized requirement fragments.

  – Unsatisfiable core. If the specification is inconsistent or the scenario is incompatible, no behavior can be associated to the considered formalized requirement fragments; in these cases, the tool can also generate diagnostic information in the form of a minimal inconsistent subset. This information can be given to the domain expert, to support the identification and the fix of the flaw.

2.1 A property specification language for safety-critical applications

The success of the methodology relies on the availability of a specification language which is expressive enough to represent the requirements of safety-critical applications, and simple enough to be used by domain experts and analyzed with automatic techniques. In order to specify requirements in the context of safety-critical applications we adopt a fragment of first-order temporal logic. The first-order component allows one to specify constraints on objects, their relationships, and their attributes, which typically have rich data types. The temporal component allows one to specify constraints on the temporal evolution of the possible configurations. We enriched the logic with constructs able to specify hybrid aspects of the objects' attributes, such as derivatives of the continuous variables and instantaneous changes of the discrete variables. The logical formulas are consequently interpreted over hybrid traces, where continuous evolutions alternate with discrete changes. Finally, the logic has been designed in order to be suitable for an automatic analysis with model checking techniques.

As described in [CRST09], we use a class diagram to define the classes of objects specified by the requirements, their relationships and their attributes. The class diagram basically defines the signature of the first-order temporal logic. The functional symbols that represent the attributes and the relationships of the objects are flexible, in the sense that their interpretation changes at different time points. Quantifiers are allowed to range over the objects of a class, and can be intermixed with the temporal operators. The basic atoms of the logic are arithmetic predicates over the attributes and relationships of objects. As described in [CRT09], the "next" operator can be used to refer to the value of a variable after a discrete change, while the "der" operator can be used to refer to the first derivative of continuous variables during a continuous evolution.

The temporal structure of the logic encompasses the classical linear-time temporal operators combined with regular expressions. This combination is well established in the context of digital circuits and forms the core of standard languages such as the Property Specification Language (PSL) [EF06]. Along the lines of PSL, we also provide a number of syntactic sugar constructs which increase the usability of the language by the domain experts. This includes natural language expressions that substitute the temporal operators, the quantifiers, and most of the mathematical symbols.

2.2 Model checking techniques for requirements validation

The validation process of the proposed methodology relies on a series of satisfiability checks: consistency checking is performed by solving the satisfiability problem of the conjunction of the formalized requirements; the check that the requirements are not too strict is performed by checking whether the conjunction of the requirements and the scenario's formulas is satisfiable; finally, the check that the requirements are not too weak is performed by checking whether the conjunction of the requirements and the negation of the property is unsatisfiable.

Unfortunately, the satisfiability problem of the chosen language is undecidable. The undecidability comes independently from the combination of temporal and first-order logics, from the combination of uninterpreted functions and quantifiers, and from the hybrid component of the logic. Nevertheless, we want to keep such expressiveness in order to faithfully represent the informal requirements in the formal language. Thus, we rely on automatic albeit incomplete satisfiability procedures.

First, we fix a number of objects per class so that it is possible to reduce the formula to an equi-satisfiable one free of quantifiers and functional symbols [CRST09]. As described in [CRST08b], we can automatically find a bound on the number of objects for classes under certain restrictions. Second, we translate the resulting quantifier-free hybrid formula into an equi-satisfiable formula in the classical temporal logic over discrete traces. In this case, we exploit the linearity of the constraints over the derivatives to guarantee the existence of a piecewise-linear solution and to encode the continuity of the continuous variables into quantifier-free constraints. Third, we compile the resulting formula into a Fair Transition System (FTS) [MP92], whose accepted language is not empty iff the formula is satisfiable. For the compilation we rely on the works described in [CRT08, CRST08b]. We apply infinite-state model checking techniques to verify the language emptiness of the resulting fair transition system. In particular, we used Bounded Model Checking (BMC) [BCCZ99], particularly effective in solving the satisfiable cases and producing short models, and Counterexample-Guided Abstraction Refinement (CEGAR) [CGJ+00], more oriented to proving the unsatisfiable cases.

The language non-emptiness check for the FTS is performed by looking for a lasso-shaped trace of length up to a given bound. We encode this trace into an SMT formula using a standard BMC encoding and we submit it to a suitable SMT solver. This procedure is incomplete from two points of view: first, we are performing BMC limiting the number of different transitions in the trace; second, unlike the Boolean case, we cannot guarantee that if there is no lasso-shaped trace, there does not exist an infinite trace satisfying the model (since a real variable may be forced to increase forever). Nevertheless, we find the procedure extremely efficient in the framework of requirements validation.

In order to prove the emptiness of the FTS, we use predicate abstraction. We adopt a CEGAR loop, where the abstraction generation and refinement are completely automated. The loop consists of four phases: 1) abstraction, where the abstract system is built according to a given set of predicates; the abstract state space is computed by passing an ALLSAT problem to the SMT solver; 2) verification, where the non-emptiness of the language of the abstract system is checked; if the language is empty, it can be concluded that the concrete system also has an empty language; otherwise, an infinite trace is produced; the abstract system is finite, so that we can use classical model checking techniques; 3) simulation: if the verification produces a trace, the simulation checks whether it is realistic by simulating it on the concrete system; if the trace can be simulated in the concrete system, it is reported as a real witness of the satisfiability of the formula; the trace is simulated by checking the satisfiability of an SMT problem; 4) refinement: if the simulation cannot find a concrete trace corresponding to the abstract one, the refinement discovers new predicates that, once added to the abstraction, are sufficient to rule out the unrealistic path; this step is also solved with an SMT solver.
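The three checks of Section 2 and the bounded search for lasso-shaped traces of Section 2.2, as an added example that is not code from the paper or from the EuRailCheck tool: the script below enumerates lasso-shaped traces explicitly instead of encoding them into SMT, evaluates LTL-style formulas over them, reduces consistency, scenario compatibility and property entailment to that search, and derives a minimal inconsistent subset by deletion. The signature (speed and movement authority over {0, 1, 2}), the requirement fragments R1 to R5, the scenario and the two properties are constructed for the example and are not taken from the ETCS specification.

```python
from itertools import product

# Constructed toy signature for this example (not the ETCS model): a state is a pair
# (speed, authority), both over {0, 1, 2}.  A lasso-shaped trace is a tuple of states
# `tr` plus a loop-back index `loop`: after tr[-1] the trace continues at tr[loop].
DOMAIN = range(3)

def succ(tr, loop, i):
    """Position that follows i in the infinite unfolding of the lasso."""
    return i + 1 if i + 1 < len(tr) else loop

def positions_from(tr, loop, i):
    """Every position visited from i onwards: the rest of the prefix plus the whole loop."""
    return set(range(i, len(tr))) | set(range(loop, len(tr)))

# Atoms read attributes at position i; speed_next reads the value after the discrete
# step, playing the role of the "next" operator of Section 2.1.
def speed(tr, loop, i): return tr[i][0]
def auth(tr, loop, i): return tr[i][1]
def speed_next(tr, loop, i): return tr[succ(tr, loop, i)][0]

# LTL-style combinators over lasso traces; each builds a predicate (tr, loop, i) -> bool.
def atom(f): return lambda tr, l, i: bool(f(tr, l, i))
def implies(a, b): return lambda tr, l, i: (not a(tr, l, i)) or b(tr, l, i)
def X(p): return lambda tr, l, i: p(tr, l, succ(tr, l, i))  # next
def F(p): return lambda tr, l, i: any(p(tr, l, j) for j in positions_from(tr, l, i))  # eventually
def G(p): return lambda tr, l, i: all(p(tr, l, j) for j in positions_from(tr, l, i))  # globally

def spd_gt_auth(t, l, i): return speed(t, l, i) > auth(t, l, i)
def no_auth(t, l, i): return auth(t, l, i) == 0
def stopped(t, l, i): return speed(t, l, i) == 0

# Constructed requirement fragments, each a formula evaluated at position 0.
REQS = {
    "R1 overspeed is braked at the next step":
        G(implies(atom(spd_gt_auth), atom(lambda t, l, i: speed_next(t, l, i) < speed(t, l, i)))),
    "R2 no authority implies eventually stopped": G(implies(atom(no_auth), F(atom(stopped)))),
    "R3 speed changes by at most one per step":
        G(atom(lambda t, l, i: abs(speed_next(t, l, i) - speed(t, l, i)) <= 1)),
}

def find_lasso(formulas, bound):
    """Bounded search by explicit enumeration (standing in for the paper's BMC-to-SMT
    encoding): a (trace, loop) pair of length <= bound satisfying every formula at
    position 0, or None.  None only means 'no lasso up to the bound'."""
    states = list(product(DOMAIN, DOMAIN))
    for n in range(1, bound + 1):
        for tr in product(states, repeat=n):
            for loop in range(n):
                if all(f(tr, loop, 0) for f in formulas):
                    return tr, loop
    return None

def check_consistency(reqs, bound=3):
    """Witness trace if the conjunction of the requirements is satisfiable, else None."""
    return find_lasso(list(reqs.values()), bound)

def check_scenario(reqs, scenario, bound=3):
    """Witness trace if the scenario is compatible with the requirements, else None."""
    return find_lasso(list(reqs.values()) + [scenario], bound)

def check_property(reqs, prop, bound=3):
    """Trace satisfying the requirements and the negated property (a counterexample),
    or None if no such lasso exists up to the bound."""
    return find_lasso(list(reqs.values()) + [lambda t, l, i: not prop(t, l, i)], bound)

def minimal_inconsistent_subset(reqs, bound=3):
    """Deletion-based unsatisfiable core: drop a requirement whenever the remaining set
    is still inconsistent up to the bound.  Returns [] for a consistent set."""
    if check_consistency(reqs, bound) is not None:
        return []
    core = dict(reqs)
    for name in list(reqs):
        trial = {k: v for k, v in core.items() if k != name}
        if find_lasso(list(trial.values()), bound) is None:
            core = trial
    return sorted(core)

# Validation problems for the example.
SCENARIO = F(atom(lambda t, l, i: speed(t, l, i) == 2))  # the train reaches full speed
P_STRICT = G(implies(atom(no_auth), X(atom(stopped))))   # stopped one step after losing authority
P_WEAK = G(implies(atom(spd_gt_auth),                    # an overspeed is eventually resolved
                   F(atom(lambda t, l, i: speed(t, l, i) <= auth(t, l, i)))))
CONFLICTING = dict(REQS, **{
    "R4 the train never stops": G(atom(lambda t, l, i: speed(t, l, i) >= 1)),
    "R5 authority is eventually withdrawn": F(atom(no_auth)),
})

if __name__ == "__main__":
    print("consistency witness:", check_consistency(REQS))
    print("scenario witness:", check_scenario(REQS, SCENARIO))
    print("P_STRICT counterexample:", check_property(REQS, P_STRICT))
    print("P_WEAK counterexample:", check_property(REQS, P_WEAK))
    print("minimal inconsistent subset:", minimal_inconsistent_subset(CONFLICTING))
```

Running the script yields a witness for consistency and for the scenario, a counterexample trace for P_STRICT, no counterexample up to the bound for P_WEAK (R1 forces the speed to strictly decrease while above the authority, which no loop can sustain), and the core R2, R4, R5, with R1 and R3 dropped as irrelevant to the contradiction.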
3 The ETCS project

The European Train Control System (ETCS) is a project supported by the European Union aiming at the implementation of a common train control system in all European countries to allow the uninterrupted movement of trains across the borders. ETCS is based on the implementation on board of a set of safety-critical functions of speed and distance supervision and of information to the driver. Such functions rely on data transmitted by track-side installations through two communication channels: fixed spot transmission devices, called balises, and continuous, bidirectional data transmission through radio according to the GSM standard. ETCS is already installed in important railway lines in different European countries (like Spain, Italy, The Netherlands, Switzerland) and installations are in progress in other countries, such as Sweden, UK, France, Belgium and also non-European railways such as China, India, Turkey, Arabia, South Korea, Algeria and Mexico.

Since 2005, the European Railway Agency (ERA) has been responsible for managing the evolution of the ETCS specifications (change control management), ensuring their consistency, and guaranteeing the backwards compatibility of new versions with the old ones. In 2007, ERA issued a call to tender for the development of a methodology complemented by a set of support tools, for the formalization and validation of the ETCS specifications. The activity poses many hard problems. First, the ETCS documents are written in natural language, and may thus contain a high degree of ambiguity. Second, the ETCS specifications are still in progress, and receive contributions by many people with different culture and background. Third, the ETCS comprises a huge set of documents, and comes with severe issues of scalability.

The EuRailCheck project originated from the successful response to the call to tender by the consortium composed by "Registro Italiano Navale (RINA)", a railway certifying body, "Fondazione Bruno Kessler - irst", a research center, and "Dr. Graband and Partners", a railway consultancy company. Within the project, we developed a support tool, covering the various phases of the described methodology, based on the integration of algorithmic formal verification techniques within traditional design tools. Moreover, a realistic subset of the specification was formalized and validated applying the developed methodology and tools. The results of the project were then further exploited and validated by domain experts external to the consortium. The evaluation was carried out in the form of a workshop, followed by hands-on training courses. These events were attended by experts from manufacturing and railways companies, who provided positive feedback on the applicability in the large of the methodology.

3.1 Tool support

The EuRailCheck supporting tool, which has been designed and developed within the project, considered several user and technical requirements such as ease of use, and openness. The technological basis was identified in two tools provided by IBM: the RequisitePro suite was used as a front end for the management of the ETCS informal requirements; and the Rational Software Architect (RSA) was used for the management of the formalization of the ETCS requirements into UML class diagrams and temporal constraints. RSA was chosen for its openness in the manipulation of UML specifications, and its customizability thanks to the embedded Eclipse platform it is built upon. RSA worked as a gluing platform, and all the modules were developed as plug-ins for RSA. The main functionalities include RequisitePro custom tagging, annotation of UML diagrams with constraints (syntax checking, completion), support for the instantiation to finite domains, and control of the validation procedure. Moreover, relying on the API provided by RequisitePro and on the Eclipse platform, we also developed the traceability links among the informal requirements classified in RequisitePro and their formal counterpart inside RSA. The verification back-end is based on an extended version of the NuSMV/CEGAR [CCGR00] model checker, able to deal with continuous variables, and to analyze temporally complex expressions in RELTL [EF06, CRST09, CRT09].

4 Related work

Several works have faced the problem of the formal specification and validation of requirements. Some of them focused on the problem of formalizing natural language specifications, others focused on the formal specification languages to be used in such a task, and others proposed a methodological approach to the requirements representation and validation.

On the first side, works such as [FGR+94] and [AG06] aim at automatically extracting from a natural language description a formal model to be analyzed. However, their target formal languages cannot express temporal constraints over object models. Moreover, they lack a methodology for an adequate formal analysis of the requirements.

Other works such as [GMM90, BDZ97] provided expressive formal languages to represent the requirements. Although the proposed languages have some similarities with ours, such as the adoption of first-order temporal logic, they do not allow the specification of hybrid aspects, which are necessary for safety-critical applications. These works also lack a methodology for the analysis of the formal requirements, and the verification algorithms are performed either with interactive theorem proving or with model checking restricted to propositional sub-cases.

Several formal specification languages such as Z [Spi92], B [Abr96], and OCL [OMG06] have been proposed for formal model-based specification. They are very expressive but require a deep background in order to write a correct formalization. Alloy [Jac02] is a formal language for describing structural properties of a system relying on the subset of Z [Spi92] that allows for object modeling. An Alloy specification consists of basic structures representing classes together with constraints and operations describing how the structures change dynamically. Alloy only allows the specification of attributes belonging to finite domains (no Reals or Integers). Thus, it would have been impossible to model the train position as requested by the ETCS specifications. Although Alloy supports the "next" operator ("prime" operator) to specify the temporal evolution of a given object, it does not allow properties to be expressed using LTL and regular expressions.

Among the methodological approaches, in [HJL96] a framework is proposed for the automated checking of requirement specifications expressed in Software Cost Reduction tabular notation, which aims at detecting specification problems such as type errors, missing cases, circular definitions and non-determinism. Although this work has many points related to our approach, the proposed language is not suited to formalize requirements that contain functional descriptions of the system at a high level of abstraction with temporal assumptions on the environment. Formal Tropos (FT) [SPGM05, FLM+04] and KAOS [DDMvL97, vL09] are goal-oriented software development methodologies that provide a visual modeling language that can be used to define an informal specification, allowing one to model intentional and social concepts, such as those of actor, goal, and social relationships between actors, and to annotate the diagrams with temporal constraints to characterize the valid behaviors of the model. Both FT and KAOS are limited to propositional LTL temporal constraints, and thus are not suitable for formalizing safety-critical requirements.

5 Conclusions

In this paper we described a recent research line that we are pursuing in the context of requirements validation for safety-critical applications. We developed an end-to-end methodology for the analysis of requirements, which combines informal and formal techniques. The property-based approach guarantees traceability, by allowing for a direct correspondence between the components of the informal specification and their formalized counterparts. The formal specification language mixes linear-temporal logic with first-order and hybrid components. Automatic albeit incomplete techniques based on model checking are used to check consistency, entailment of required properties, and possibility of desirable scenarios. The methodology has been applied in a project with industrial partners for the formalization and validation of railways requirements. During the project, we developed a tool that integrates, within a commercial environment for traditional requirements management and model-based design, advanced techniques for formal validation. The tool has been used and validated by potential end users external to the project's consortium.

In the future, we will pursue the following lines of activity. First, we will investigate the application of automated techniques for Natural Language Processing (e.g. automated tag extraction, discourse representation theory), in order to increase the automation of the first phase of the methodology. Second, we will explore extensions to the expressiveness of the formalism, and the related scalability issues of the verification tools.

References

[Abr96] J.-R. Abrial. The B-book: assigning programs to meanings. Cambridge University Press, 1996.
[AG06] V. Ambriola and V. Gervasi. On the Systematic Analysis of Natural Language Requirements with CIRCE. Autom. Softw. Eng., 13(1):107–167, 2006.
[BCCZ99] A. Biere, A. Cimatti, E. M. Clarke, and Y. Zhu. Symbolic Model Checking without BDDs. In TACAS, pages 193–207, 1999.
[BDZ97] Philippe Du Bois, Eric Dubois, and Jean-Marc Zeippen. On the Use of a Formal R. E. Language - The Generalized Railroad Crossing Problem. In RE, pages 128–, 1997.
[CCGR00] A. Cimatti, E. M. Clarke, F. Giunchiglia, and M. Roveri. NuSMV: A new symbolic model checker. STTT, 2(4):410–425, 2000.
[CCM+09] Roberto Cavada, Alessandro Cimatti, Alessandro Mariotti, Cristian Mattarei, Andrea Micheli, Sergio Mover, Marco Pensallorto, Marco Roveri, Angelo Susi, and Stefano Tonetta. EuRailCheck: Tool support for requirements validation. In Proceedings of the 24th IEEE/ACM International Conference on Automated Software Engineering (ASE 2009), 2009. To appear.
[CGJ+00] E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-Guided Abstraction Refinement. In CAV, pages 154–169, 2000.
[CRST08a] A. Cimatti, M. Roveri, A. Susi, and S. Tonetta. From Informal Requirements to Property-Driven Formal Validation. In FMICS, LNCS, L'Aquila, Italy, September 2008. Springer.
[CRST08b] A. Cimatti, M. Roveri, A. Susi, and S. Tonetta. Object models with temporal constraints. In SEFM, pages 249–258. IEEE Computer Society, 2008.
[CRST09] A. Cimatti, M. Roveri, A. Susi, and S. Tonetta. Formalizing requirements with object models and temporal constraints. Journal of Software and Systems Modeling (SoSyM), 2009. DOI 10.1007/s10270-009-0130-7.
[CRT08] A. Cimatti, M. Roveri, and S. Tonetta. PSL Symbolic Compilation. IEEE Trans. on CAD of Integrated Circuits and Systems, 27(10):1737–1750, 2008.
[CRT09] A. Cimatti, M. Roveri, and S. Tonetta. Requirements Validation for Hybrid Systems. In CAV 2009, LNCS, pages 188–203. Springer, 2009.
[DDMvL97] R. Darimont, E. Delor, P. Massonet, and A. van Lamsweerde. GRAIL/KAOS: an environment for goal-driven requirements engineering. In ICSE'97, pages 612–613. ACM, 1997.
[EF06] C. Eisner and D. Fisman. A Practical Introduction to PSL. Springer-Verlag, 2006.
[FGR+94] A. Fantechi, S. Gnesi, G. Ristori, M. Carenini, M. Vanocchi, and P. Moreschini. Assisting Requirement Formalization by Means of Natural Language Translation. Formal Methods in System Design, 4(3):243–263, 1994.
[FLM+04] A. Fuxman, L. Liu, J. Mylopoulos, M. Roveri, and P. Traverso. Specifying and analyzing early requirements in Tropos. Requirements Engineering, 9(2):132–150, 2004.
[GMM90] Carlo Ghezzi, Dino Mandrioli, and Angelo Morzenti. Trio: A logic language for executable specifications of real-time systems. Journal of Systems and Software, 12(2):107–123, 1990.
[HJL96] C. L. Heitmeyer, R. D. Jeffords, and B. G. Labaw. Automated consistency checking of requirements specifications. Trans. Softw. Eng. Methodol., 5(3):231–261, 1996.
[Jac02] D. Jackson. Alloy: a lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol., 11(2):256–290, 2002.
[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems, Specification. Springer, 1992.
[OMG06] OMG. Object Constraint Language: OMG available specification Version 2.0, 2006.
[SPGM05] A. Susi, A. Perini, P. Giorgini, and J. Mylopoulos. The Tropos Metamodel and its Use. Informatica, 29(4):401–408, 2005.
[Spi92] J. M. Spivey. The Z Notation: a reference manual, 2nd edition. Prentice Hall, 1992.
[vL09] Axel van Lamsweerde. Requirements Engineering: From System Goals to UML Models to Software Specifications. Wiley, 2009.
