📝 Original Info
- Title: Formalization and Validation of Safety-Critical Requirements
- ArXiv ID: 1003.1741
- Date: 2012-06-28
- Authors: Alessandro Cimatti, Marco Roveri, Angelo Susi, Stefano Tonetta (FBK-irst, Trento, Italy)
📝 Abstract
The validation of requirements is a fundamental step in the development process of safety-critical systems. In safety critical applications such as aerospace, avionics and railways, the use of formal methods is of paramount importance both for requirements and for design validation. Nevertheless, while for the verification of the design, many formal techniques have been conceived and applied, the research on formal methods for requirements validation is not yet mature. The main obstacles are that, on the one hand, the correctness of requirements is not formally defined; on the other hand that the formalization and the validation of the requirements usually demands a strong involvement of domain experts. We report on a methodology and a series of techniques that we developed for the formalization and validation of high-level requirements for safety-critical applications. The main ingredients are a very expressive formal language and automatic satisfiability procedures. The language combines first-order, temporal, and hybrid logic. The satisfiability procedures are based on model checking and satisfiability modulo theory. We applied this technology within an industrial project to the validation of railways requirements.
📄 Full Content
To appear in EPTCS.
© A. Cimatti, M. Roveri, A. Susi, S. Tonetta
This work is licensed under the Creative Commons Attribution License.
Formalization and Validation of Safety-Critical Requirements∗
Alessandro Cimatti (FBK-irst, Trento, Italy), cimatti@fbk.eu
Marco Roveri (FBK-irst, Trento, Italy), roveri@fbk.eu
Angelo Susi (FBK-irst, Trento, Italy), susi@fbk.eu
Stefano Tonetta (FBK-irst, Trento, Italy), tonettas@fbk.eu
The validation of requirements is a fundamental step in the development process of safety-critical
systems. In safety critical applications such as aerospace, avionics and railways, the use of formal
methods is of paramount importance both for requirements and for design validation. Nevertheless,
while for the verification of the design, many formal techniques have been conceived and applied,
the research on formal methods for requirements validation is not yet mature. The main obstacles
are that, on the one hand, the correctness of requirements is not formally defined; on the other hand
that the formalization and the validation of the requirements usually demands a strong involvement
of domain experts.
We report on a methodology and a series of techniques that we developed for the formalization
and validation of high-level requirements for safety-critical applications. The main ingredients are
a very expressive formal language and automatic satisfiability procedures. The language combines
first-order, temporal, and hybrid logic. The satisfiability procedures are based on model checking and
satisfiability modulo theory. We applied this technology within an industrial project to the validation
of railways requirements.
1 Introduction
Formal methods are widely used in the development process of safety-critical systems. The application
of formal verification techniques relies on the formalization of the system’s design into a mathematical
language. Several formal languages are available according to the different aspects that are relevant to the
verification, and many design tools can automatically formalize the design into one of these languages.
The verification techniques typically trade off the automation of the analysis against the expressiveness of
the specification language. State-of-the-art approaches mix model checking and theorem proving in order
to tackle the verification of infinite-state systems with a sufficient level of automation.
Another important aspect of the development process is the correctness of the requirements. Very often bugs in the late phases are caused by flaws in the requirements specification. These are difficult to detect and have a huge impact on the cost of fixing the bug. Nevertheless, formal methods for requirements validation are not yet mature. In particular there is no precise definition of correct requirements.
The most relevant solution has been proposed in the context of the property-based approach to design, where the development process starts from listing a set of formal properties, rather than defining an abstract-level model. The requirements validation is performed with a series of checks that improve the confidence in the correctness of the requirements. These checks consist of verifying that the requirements do not contain contradictions and that they are neither too strict, forbidding desired behaviors, nor too weak, allowing undesired behaviors. This process relies on the availability of a sufficiently expressive logic so that properties as well as desired and undesired behaviors can be formalized into formulas.
∗A. Cimatti, M. Roveri, and A. Susi have been partly supported by the European Railway Agency under the project EuRailCheck, service contract ERA/2007/ERTMS/02. S. Tonetta has been supported by the Provincia Autonoma di Trento (project ANACONDA).
The approach considers a one-to-one mapping between the properties and the logical formulas. This
allows for traceability of the formalization and the validation results, and for incremental and modular
approaches to the validation.
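The three validation checks described above (consistency, not too strict, not too weak) can be made concrete on a small finite-state example. The following is an added illustration, not code from the paper or from the EuRailCheck project: it replaces the paper's model-checking and SMT procedures with a brute-force enumeration of bounded traces, and the train abstraction, the requirements R1-R3 and the desired/undesired behaviours are all constructed for the example. It also shows how check 2 exposes a requirement that is too strict and how a relaxed version passes.

```python
from itertools import product

# Constructed example (not from the paper): a coarse finite abstraction of a train.
SPEEDS = (0, 1, 2)   # 0 = stopped, 2 = full speed
K = 3                # bounded trace length explored by the brute-force "solver"

def all_traces(k=K):
    """Enumerate every trace of k states; a stand-in for a model checker / SMT solver."""
    states = [dict(speed=s, auth=a, brake=b)
              for s, a, b in product(SPEEDS, (True, False), (True, False))]
    return product(states, repeat=k)

def always(pred):
    """Lift a predicate over (current, next) states to 'globally' over a trace."""
    def holds(tr):
        return (all(pred(tr[i], tr[i + 1]) for i in range(len(tr) - 1))
                and pred(tr[-1], None))
    return holds

# Hypothetical requirements, one formula each (one-to-one mapping keeps traceability).
R1 = always(lambda s, n: s["auth"] or s["brake"])                  # no authority -> brake applied
R2 = always(lambda s, n: n is None or not s["brake"] or n["speed"] <= s["speed"])  # braking never accelerates
R3_STRICT = always(lambda s, n: s["speed"] == 0 or s["auth"])       # moving requires authority
R3_RELAXED = always(lambda s, n: s["auth"] or s["speed"] == 0       # without authority, speed must
                    or n is None or n["speed"] < s["speed"])        # strictly decrease each step

# Desired behaviour: the train loses authority while moving and comes to a halt.
DESIRED = lambda tr: (tr[0]["speed"] > 0 and tr[0]["auth"]
                      and not tr[1]["auth"] and tr[1]["speed"] > 0 and tr[2]["speed"] == 0)
# Undesired behaviour: moving with neither authority nor brake at some instant.
UNDESIRED = lambda tr: any(s["speed"] > 0 and not s["auth"] and not s["brake"] for s in tr)

def satisfiable(*props):
    return any(all(p(tr) for p in props) for tr in all_traces())

def consistent(reqs):                 # check 1: no contradictions
    return satisfiable(*reqs)

def not_too_strict(reqs, desired):    # check 2: desired behaviour still allowed
    return satisfiable(*reqs, desired)

def not_too_weak(reqs, undesired):    # check 3: undesired behaviour ruled out
    return not satisfiable(*reqs, undesired)

if __name__ == "__main__":
    strict, relaxed = [R1, R2, R3_STRICT], [R1, R2, R3_RELAXED]
    print("consistent:", consistent(strict))                            # True
    print("strict allows stopping:", not_too_strict(strict, DESIRED))   # False: R3 demands an instant stop
    print("relaxed allows stopping:", not_too_strict(relaxed, DESIRED)) # True
    print("relaxed forbids runaway:", not_too_weak(relaxed, UNDESIRED)) # True
```

The failed second check does not mean the requirement set is contradictory; it means R3_STRICT forbids a behaviour the domain expert wants, which is exactly the kind of flaw these checks are meant to surface before design starts.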
In the context of safety-critical applications, the choice of the language used to formalize the requirements is still an open issue, requiring a delicate balance between expressiveness, decidability, and complexity of inference. The difficulty in finding a suitable trade-off lies in the fact that the requirements for many real-world applications involve several dimensions. On the one side, the objects having an active role in the target application may have complex structure and mutual relationships, whose modeling may require the use of rich data types. On the other side, static constraints over their attributes must be complemented with constraints on their temporal evolution.
One of the main obstacles in applying this approach at the industrial level is that requirements are often written in a natural language, so that domain knowledge is necessary both to formalize them and to define which behaviors are desirable and which are not during the validatio
…(Full text truncated)…
This content is AI-processed based on ArXiv data.