From System Requirements to Software Requirements in the Four-Variable Model Electronic Communications of the EASST Volume 66 (2013) Proceedings of the Automated Verification of Critical Systems (AVoCS 2013) From System Requirements to Software Requirements in the Four-Variable Model Lucian M. Patcas, Mark Lawford and Tom Maibaum 15 pages Guest Editors: Steve Schneider, Helen Treharne Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST From System Requirements to Software Requirements in the Four-Variable Model Lucian M. Patcas1, Mark Lawford2 and Tom Maibaum3 1patcaslm@mcmaster.ca, 2lawford@mcmaster.ca, 3maibaum@mcmaster.ca Department of Computing and Software, McMaster University, Canada Abstract: The four-variable model of software-controlled embedded systems origi- nally proposed by Parnas and Madey has been used successfully in the development of safety-critical applications in various industries. The model does not explicitly specify the software requirements, but rather bounds them by specifying the system requirements and the input and output hardware interfaces of the system. The soft- ware engineers are left with the problem of how to construct software that satisfies the system requirements and hardware interfacing constraints. After formalizing the properties of acceptable system and software implementations using the demonic calculus of relations, we provide (i) a necessary and sufficient condition for the existence of an acceptable software implementation and (ii) a mathematical charac- terization of the software requirements in terms of their weakest specification. Keywords: safety-critical, requirements, four-variable model, specification and re- finement, demonic calculus of relations, verified system development 1 Introduction Many safety-critical systems monitor and control physical processes. Such systems typically are embedded systems that have sensors, actuators, and a controller. Based on the measured values of the physical quantities of interest obtained from the sensors, the controller commands the ac- tuators with the purpose of maintaining certain properties in the physical process. The controller usually has a software implementation that runs on a digital computer. The four-variable model proposed by Parnas and Madey [PM95] (Figure 1) helps to clarify the behaviour of, and the boundaries between, the physical process, sensors, actuators, and control software. The model was used as early as 1978 as part of the Software Cost Reduction (SCR) program of the Naval Research Laboratory for specifying the flight software of the U.S. Navy’s A-7 aircraft [VS90]. The ideas from SCR were later integrated in the Consortium Requirements Engineering (CoRE) methodology, which was used for specifying the avionics system of the C-130J aircraft in the 1980s [FFK+94]. Another significant example of a successful use of the four-variable model is the redesign of the software in the shutdown system of the Darlington nuclear power plant in On- tario, Canada in the 1990s [LMFM00, WL03, WL06]. More recently, in 2009, the four-variable model was used extensively in the Requirements Engineering Handbook [LM09], put together at the request of the Federal Aviation Administration in the United States. In the four-variable model (Figure 1), REQ models the system requirements. At the system requirements level, a system is seen as a black-box that relates physical quantities measured by 1 / 15 Volume 66 (2013) mailto:patcaslm@mcmaster.ca mailto:lawford@mcmaster.ca mailto:maibaum@mcmaster.ca From System Requirements to Software Requirements in the Four-Variable Model M C I O NAT REQ IN SOF OU T Figure 1: The four-variable model. the system, called monitored variables, to physical quantities controlled by the system, called controlled variables. For example, monitored variables might be the pressure and temperature inside a nuclear reactor while controlled variables might be visual and audible alarms, as well as the trip signal that initiates a reactor shutdown; whenever the temperature or pressure reach abnormal values, the alarms go off and the shutdown procedure is initiated. The sets of the possible values of the monitored and controlled variables are denoted by M and C, respectively. If tolerances are allowed on the system requirements, then REQ will be a relation, as opposed to a function, because there will be values in M for which more than one value in C will be acceptable. The environmental constraints on the system are described by the relation NAT (from “nature”), which restricts the possible values of the monitored and controlled variables. An environmental constraint might be the maximum rate of climb of an aircraft in the case of an avionics system, for instance. As an extreme example, if everything was possibile in the physical environment, then NAT would be the universal relation between M and C. The possible system designs are modelled by a sequential composition of IN, SOF, and OUT. Here, IN models the input hardware interface (sensors and analog-to-digital converters) and relates values of monitored variables to values of input variables in the software. The input vari- ables model the information about the environment that is available to the software. For example, IN might model a pressure sensor that converts temperature values to analog voltages; these volt- ages are then converted via an A/D converter to integer values stored in a register accesible to the software. The output hardware interface (digital-to-analog converters and actuators) is modelled by OUT, which relates values of the output variables of the software to values of controlled vari- ables. An output variable might be, for instance, a boolean variable set by the software with the understanding that the value true indicates that a reactor shutdown should occur and the value false indicates the opposite. The sets of the possible values of the input and output variables are denoted by I and O, respectively. To account for the inaccuracies introduced by the hardware interfaces, IN and OUT are in general relations and not functions. For example, assume that IN models an A/D converter that converts analog voltages in the range 0–5V with an accuracy of ±0.5V; then, for an actual monitored voltage of 2.5V, the value of the corresponding input variable in the software can be any of the digital representations that correspond to 2V, 2.5V, and 3V, hence IN is a relation and not a function. Relating values of input variables to values of out- put variables is SOF, which models the control software. If we want to capture all the possible implementations of the control software, then SOF will typically have to be a relation. The relations NAT and REQ are described by domain experts. The system designers allo- cate the system requirements between hardware and software, and describe IN and OUT. The software engineers must determine SOF and verify whether it meets the constraints imposed by NAT, REQ, IN, and OUT. Considering that changes in the specifications of the system require- ments and hardware interfaces arise often in the early stages of system development, the task Proc. AVoCS 2013 2 / 15 ECEASST of determining SOF is repetitive and, thus, even more demanding. An important question for software engineers to ask themselves before investing resources to develop and verify a detailed implementation is whether an acceptable software implementation exists at all given the system requirements and hardware interfaces as currently specified. A positive answer to this question would allow the software engineers to proceed with a software design having the confidence that their efforts are not destined to fail from the start. In the case of a negative answer, the next step would be to determine what needs to be changed in REQ, IN, or OUT in order for a software implementation to be possible. Another question to consider is what are the software requirements? The four-variable model does not explicitly specify the software requirements, but rather bounds them by specifying the system requirements and the input and output hardware interfaces of the system. Extracting the software requirements from these specifications is “often an exercise in frustration” [MT01] and an automated method would be a significant advantage. Moreover, a mathematical characteri- zation of the software requirements would offer a sound starting point for the software design process. 1.1 Related work Methods for asserting the existence of a software implementation in the four-variable model have not received much attention in the literature. Of the few examples, Lawford et al. [LMFM00] give, without proof, a necessary condition for the existence of SOF in a functional variant of the four-variable model. In the context of real-time systems, Hu et al. [HLW09] address in a functional four-variable model the ability of a software implementation to meet continuous-time requirements, such as the detection of physical events that have been enabled for a predefined amount of time; necessary and sufficient existence conditions for SOF are given for different as- sumptions made about the access of the software to the time of the environment. In this paper we address the need for existence conditions of a software implementation in the general, relational case of the four-variable model. The relational case is more realistic as it can model hardware inaccuracies and tolerances on requirements. Techniques for deriving the software requirements from the specifications of the system re- quirements and input/output hardware interfaces in the four-variable model are mentioned in [BH00, HT00, MT01, WL06]. These techniques are variations of the same idea of manually de- composing SOF into three subrelations that model the input device drivers, output device drivers, and, respectively, the system functionality required by REQ; the latter subrelation of SOF closely resembles REQ and is regarded as the software requirements. In this paper, we do not decom- pose SOF and present a method for “calculating” the weakest (i.e, least restrictive) specification of SOF that still satisfies the constraints imposed by NAT, REQ, IN, and OUT. We regard this weakest specification of SOF as the software requirements specification. Gunter et al. [GGJZ00] pointed out that the system and software acceptability conditions given in Parnas and Madey [PM95] are too weak and allow undesirable system and software specifi- cations, in particular specifications that are inconsistent with the physical environment. We fix the acceptability conditions by giving a new semantics for the four-variable model based on the demonic calculus of relations [DMN97, Kah03]. In Section 2 we introduce the demonic calcu- lus of relations and prove necessary and sufficient conditions for the existence of demonic left 3 / 15 Volume 66 (2013) From System Requirements to Software Requirements in the Four-Variable Model and right factors which will later be used to prove a necessary and sufficient condition for the existence of an acceptable software implementation. In Section 3 we formalize in the demonic calculus of relations the properties of acceptable system and software implementations, giving a stronger definition for the angelic acceptability notion proposed by Parnas and Madey [PM95]; this stronger definition explicitly rejects system behaviours that are not physically meaningful. A necessary and sufficient condition for the existence of an acceptable software implementation is given in Section 4, along with a mathematical characterization of the software requirements in terms of their weakest specification. 2 Relations A relation R from a set A to a set B is a subset of the cartesian product A×B. In other words, R is a subset of the set of all ordered pairs (a,b), where a ∈ A and b ∈ B. As customary in higher-order logic, a relation can also be viewed as a binary predicate, that is, as a function of type A → B → bool. This allows us to use currying and write R a b to denote (a,b) ∈ R, and R a ={b ∈ B | R a b} to denote the image set of a under the relation R. Some elementary operations involving a relation R ⊆ A×B are: • domain of R: dom(R) ={a ∈ A | ∃b ∈ B. R a b} • range of R: ran(R) ={b ∈ B | ∃a ∈ A. R a b} • converse of R: R` ={(b,a)∈ B×A | R a b} • complement of R: R ={(a,b)∈ A×B |¬R a b} For any two sets A and B, the relation CA,B = {(a,b) ∈ A×B | true} is the universal relation between A and B, while DA,B ={(a,b)∈ A×B | false} is the empty relation between A and B. 2.1 Angelic operators The intersection of two relations P ⊆ A×B and Q ⊆ A×B is the relation P∩Q = {(a,b) ∈ A×B | P a b ∧ Q a b}. Their union is P∪Q = {(a,b) ∈ A×B | P a b ∨ Q a b}. The relation P is contained in the relation Q, written P ⊆ Q, if and only if ∀a ∈ A. ∀b ∈ B. P a b =⇒ Q a b. Relational containment (or inclusion) is a partial order. The composition of two relations P ⊆ A×B and Q ⊆ B×C is the relation: P ., Q ={(a,c)∈ A×C | ∃b ∈ B. P a b ∧ Q b c} The precedence of the relational operators introduced so far is as follows: the unary operators ` and are evaluated first; the binary operator ., is evaluated next; and the binary operators ∩ and ∪ are evaluated last. The following subrelations of a relation P ⊆ A×B are obtained by restricting the domain or range of P to the domain or range of another relation: • the subrelation of P obtained by restricting the domain of P to the domain of a relation R ⊆ A×C is P ∣∣ dom(R) = P ∩ R ., CC,B ={(a,b)∈ A×B | R a b ∧ a ∈dom(R)} Proc. AVoCS 2013 4 / 15 ECEASST • the subrelation of P obtained by restricting the domain of P to the range of a relation R ⊆C×A is: P ∣∣ ran(R) = P ∩ R ` ., CC,B ={(a,b)∈ A×B | R a b ∧ a ∈ ran(R)} • the subrelation of P obtained by restricting the range of P to the domain of a relation Q ⊆ B×C is P ∣∣dom(Q) = P ∩CA,C ., Q` ={(a,b)∈ A×B | R a b ∧ b ∈dom(Q)} The relational composition and inclusion operations induce two residuation operations: the left and right residuals [SS93, Fra95, BKS97, Kah03]. Assuming two relations R ⊆ A×C and Q ⊆ B×C, the left residual of R by Q, denoted R/Q, is the largest solution of the inequality X ., Q ⊆ R, where X ⊆ A×B is the unknown: X ., Q ⊆ R ⇐⇒ X ⊆ R/Q The value of the left residual of R by Q is: R/Q = R ., Q` ={(a,b)∈ A×B | ∀c ∈C. Q b c =⇒ R a c}={(a,b)∈ A×B | Q b ⊆ R a} Given two relations R ⊆ A×C and P ⊆ A×B, the right residual of R by P, denoted P\R, is the largest solution of the inequality P ., X ⊆ R, where X ⊆ B×C is the unknown: P ., X ⊆ R ⇐⇒ X ⊆ P\R The value of the right residual of R by P is: P\R = P` ., R ={(b,c)∈ B×C | ∀a ∈ A. P a b =⇒ R a c}= { (b,c)∈ B×C | P`b ⊆ R`c } The precedence of / and \ is the same as the precedence of the relational composition. The residuation operations are loosely analogous to division of natural numbers and the values of the residuals are a form of quotient. The left residual R/Q can be understood as what remains on the left of R after R is “divided” by Q on the right. Dually, the right residual P\R is what remains on the right of R after “dividing” R by P on the left. Hoare and He [HH86] were among the first to advocate the importance of the relational residuals to software development. They called the left residual R/Q the weakest prespecification of program Q to achieve specification R; the right residual P\R was called the weakest postspecification of program P to achieve specification R. The relational operators introduced so far have been used in the literature to formalize so called angelic semantics. In such semantics, specifications that allow bad behaviours are acceptable as long as good behaviours are also possible. In contrast, in a demonic semantics a specification is rejected if bad behaviours are possible. When developing safety-critical systems it is always wise to plan for the worst, therefore the demonic approach is more suitable. 2.2 Demonic operators We now present the demonic relational operators that will be used in the paper and prove neces- sary and sufficient conditions for the existence of demonic left and right factors. These conditions will be used in Section 4 to prove a necessary and sufficient existence condition for an accept- able software implementation in the four-variable model. Overviews of the demonic calculus of relations can be found in [DMN97, Kah03]. 5 / 15 Volume 66 (2013) From System Requirements to Software Requirements in the Four-Variable Model A relation P ⊆ A × B is a demonic refinement of a relation R ⊆ A × B, written P E R, if and only if P ∣∣ dom(R) ⊆ R and dom(R) ⊆ dom(P). The demonic refinement is a partial order. Consider the relations R = {(a1,b1),(a1,b2),(a2,b2)}, P = {(a1,b1),(a2,b2),(a3,b2),(a3,b3)}, Q = {(a1,b1),(a2,b1),(a3,b3)}, and S = {(a2,b2)}. Here, P refines R, Q does not refine R because (a2,b1) /∈ R, and S does not refine R because dom(R) * dom(P). The demonic composition of relations P ⊆ A×B and Q ⊆ B×C is defined as: P2Q = P ., Q ∩ P ., Q ., CC,C ={(a,c)∈ A×C | (a,c)∈ P ., Q ∧ P a ⊆dom(Q)} Demonic composition is the same as the angelic composition when P is univalent (i.e., a total or partial function) or when Q is a total relation. As an example, consider the following rela- tions: P ={(a1,b1),(a1,b2)} and Q ={(b1,c1)}; then P ., Q ={(a1,c1)}, whereas P2Q = DA,C. Specifications P ., Q where dead ends such as (a1,b2) are possible essentially allow potential im- plementations to get stuck and not terminate for some inputs as long as they produce expected results for some other inputs; such specifications are not suitable for safety-critical systems. As was the case with angelic composition and inclusion, demonic composition and demonic refinement induce two residuation operations. The demonic left residual of a relation R ⊆ A×C by a relation Q ⊆ B×C, denoted RIQ, is defined as the largest solution with respect to E of the inequation X 2Q E R, where X ⊆ A×B is the unknown: X 2Q E R ⇐⇒ X E RIQ A solution X, also called demonic left factor of R through Q, does not always exist. As such, the demonic left residual RIQ is not always defined. For example, if Q = DB,C and R 6= DA,C, then X 2Q = DA,C for any X ⊆ A×B, in which case X 2Q is not a demonic refinement of R and RIQ is undefined. If the demonic left residual is defined, then its value is: RIQ = R/Q ∩CA,C ., Q ` = (R/Q) ∣∣dom(Q) We now state and prove a necessary and sufficient condition for the existence of a demonic left factor and, therefore, for the definedness of the demonic left residual. Lemma 1 Given two relations R ⊆ A×C and Q ⊆ B×C, there exists a demonic left factor X ⊆ A×B such that X 2Q E R if and only if ∀a ∈dom(R).∃b ∈dom(Q). Q b ⊆ R a. Proof. If direction: (∃X. X 2Q E R) =⇒∀a ∈dom(R).∃b ∈dom(Q). Q b ⊆ R a ∃X. X 2Q E R =⇒〈by definition, if X 2Q E R admits a solution, then RIQ also is a solution〉 (RIQ) 2Q E R =⇒〈by definition of E〉 dom(R)⊆dom((RIQ) 2Q) =⇒dom(R)⊆dom(RIQ) =⇒∀a ∈dom(R).∃b ∈ B. (a,b)∈ RIQ =⇒〈by value of RIQ〉 ∀a ∈dom(R).∃b ∈dom(Q). Q b ⊆ R a Proc. AVoCS 2013 6 / 15 ECEASST Only if direction: (∀a ∈dom(R).∃b ∈dom(Q). Q b ⊆ R a) =⇒∃X. X 2Q E R ∀a ∈dom(R).∃b ∈dom(Q). Q b ⊆ R a ⇐⇒ 〈by value of R/Q & value of RIQ〉 ∀a ∈dom(R).∃b ∈dom(Q). (a,b)∈ RIQ ⇐⇒ ∀a ∈dom(R).∃b ∈ B. (a,b)∈ RIQ ∧ b ∈dom(Q) ⇐⇒ 〈by definition of 2〉 ∀a ∈dom(R).∃c ∈C. ((RIQ) 2Q) a c =⇒dom(R)⊆dom((RIQ) 2Q) (1) ((RIQ) 2Q) ∣∣ dom(R) ⊆ R ⇐⇒ ∀a ∈dom(R). ((RIQ) 2Q) a ⊆ R a ⇐⇒ 〈by unfolding ⊆〉 ∀a ∈dom(R).∀c ∈C. ((RIQ) 2Q) a c =⇒ R a c ⇐⇒ 〈by definition of 2 and .,〉 ∀a ∈dom(R).∀c ∈C. (∃b ∈dom(Q). ((RIQ)a b ∧ Q b c)) =⇒ R a c ⇐⇒ 〈by value of RIQ〉 ∀a ∈dom(R).∀c ∈C. (∃b ∈dom(Q). ((Q b c) =⇒ R a c) ∧ Q b c) =⇒ R a c ⇐⇒ 〈by modus ponens〉 ∀a ∈dom(R).∀c ∈C. R a c =⇒ R a c ⇐⇒ true (2) ∀a ∈dom(R).∃b ∈dom(Q). Q b ⊆ R a =⇒〈by (1) & (2) & definition of E〉 (RIQ) 2Q E R =⇒∃X. X 2Q E R Several conditions for the definedness of the demonic left residual can be found in the litera- ture, such as, if brought to our notation: dom(R) ⊆ dom ( (R/Q) ∣∣dom(Q)) in [DBS+95, Fra95]; and, dom(R) ⊆ dom((R/Q) ., Q) in [DMN97, Kah03]. It can be shown that these conditions are equivalent to our condition in Lemma 1. The demonic right residual of a relation R ⊆ A×C by a relation P ⊆ A×B, denoted P J R, is defined as the largest solution with respect to E of the inequation P2X E R, where X ⊆ B×C is the unknown: P2X E R ⇐⇒ X E PJR A solution X to this inequation, called a demonic right factor of R through P, does not always exists. Therefore, the demonic right residual PJR is not always defined. If PJR is defined, then 7 / 15 Volume 66 (2013) From System Requirements to Software Requirements in the Four-Variable Model a1 a2 c1 c2 b1 b2 R R/Q Q a1 a2 c1 c2 b1 b2 R RIQ Q a1 a2 c1 c2 b1 b2 R P P\R a1 a2 c1 c2 b1 b2 R P PJR Figure 2: Examples of angelic and demonic residuals. its value is: PJR = (P ∩ R ., CC,B)\R ∩ (P ∩ R ., CC,B) ` ., CA,C = ( P ∣∣ dom(R) ∖ R )∣∣∣ ran ( P ∣∣∣ dom(R) ) We now give a necessary and sufficient condition for the existence of a demonic right factor and, therefore, for the definedness of the demonic right residual. Lemma 2 Given two relations R ⊆ A×C and P ⊆ A×B, there exists a demonic right factor X ⊆ B×C such that P2X E R if and only if ∀b ∈ ran ( P ∣∣ dom(R) ) . ∃c ∈C. ( P ∣∣ dom(R) )` b ⊆ R`c and dom(R)⊆dom(P). Proof. Similar to the proof of Lemma 1. The definedness conditions for the demonic right residual presented in the literature [Fra95, DBS+95, Kah03] can all be brought to the following common form in our notation: dom(R) ⊆ dom(P) and CB,C ⊆ ( P ∣∣ dom(R) ∖ R ) ., CC,C. These conditions are stated only as sufficient, but it can be shown that they are equivalent to our condition in Lemma 2. The advantage of our conditions for the definedness of demonic left and right residuals when used by engineers is that the formulations in first-order logic give a better insight into their meaning compared to the abstract relation algebraic formulations found in the literature. Examples of angelic and demonic residuals are depicted in Figure 2. Here, if seen as speci- fications, the angelic residual R/Q allows the dead end (a1,b2) where an implementation could get stuck, whereas the demonic residual RIQ does not allow any dead ends. Moreover, both de- monic residuals in the figure are less restrictive than their angelic counterparts without breaking refinement; for example, P\R, but not P J R, asks its implementations to produce an output for b2, which is not something of interest for R. Two relations P ⊆ A×B and Q ⊆ A×B are compatible if and only if dom(P)∩dom(Q) ⊆ dom(P∩Q). The demonic refinement partial order induces a complete join-semilattice [DMN97, Kah03]. In this paper we will be using the meet operation of this semilattice, also called the de- monic intersection. The demonic intersection of two relations P⊆A×B and Q⊆A×B is defined if P and Q are compatible. If the demonic intersection of P and Q is defined, its value is: PGQ = (P∩Q) ∪ ( P ∩ Q ., CB,B ) ∪ ( P ., CB,B ∩ Q ) = (P∩Q) ∪ P ∣∣ dom(Q) ∪ Q ∣∣ dom(R) For example, let P = {(a1,b1),(a2,b1),(a2,b3)} and Q = {(a2,b2),(a2,b3),(a3,b3)}; in this case, PGQ ={(a2,b3),(a1,b1),(a3,b3)}. Proc. AVoCS 2013 8 / 15 ECEASST dom(NAT ) dom(REQ) m1 m2 c1 c2 c3 NAT REQ SY S Figure 3: Problems with acceptability conditions in [PM95]. 3 System and software acceptability What conditions must a software implementation satisfy to be acceptable? A first intuition is that an acceptable software implementation must be part of an acceptable system implementation. In this section we formalize the properties of acceptable system and software implementations. The starting point is system requirements that are consistent with the physical laws of the environ- ment. In Parnas and Madey [PM95], the system requirements REQ are feasible with respect to NAT if and only if the following conditions are both satisfied: dom(NAT )⊆dom(REQ) (3) dom(NAT ∩REQ) = dom(NAT )∩dom(REQ) (4) These conditions do not imply computability, nor that an implementation of the system require- ments is even practical. The intention of the authors was for the feasibility conditions to allow only required behaviours (as described by REQ) that are allowed by the natural environment (as described by NAT ). Condition (3) means that the system requirements should specify behaviour for all monitored values that can arise in the environment. It can be assumed that the inputs that are outside the domain of NAT will never occur. Condition (4) says that for each input in the common subset of their domains, NAT and REQ should agree on at least one output. Together, conditions (3) and (4) postulate that, for every input possible in the environment, the system re- quirements should ask the system to produce at least one output that is physically meaningful. If (3) and (4) are not satisfied, then there will be no realizable system implementation. For the rest of the paper, REQ will be assumed to be feasible unless otherwise stated. Another assumption is that the system requirements are consistent [HJL96]. Parnas and Madey [PM95] define acceptability of software using the following condition: NAT ∩ (IN ., SOF ., OU T )⊆ REQ (5) A system implementation SY S = IN ., SOF ., OU T is then acceptable if and only if it satisfies: NAT ∩ SY S ⊆ REQ (6) These acceptability conditions are, however, not strong enough. Let us consider the relations NAT, REQ, and SYS in Figure 3, where m1,m2 are values of monitored variables in the set M and c1,c2,c3 are values of controlled variables in the set C. These relations satisfy the conditions (3), (4), and (6). Therefore, according to [PM95], the system requirements REQ are feasible with respect to NAT and the system implementation SYS is acceptable although: 9 / 15 Volume 66 (2013) From System Requirements to Software Requirements in the Four-Variable Model • (m2,c3) ∈ NAT , (m2,c3) ∈ REQ, and (m2,c3) /∈ SY S. A system implementation SYS that does not deal with all the inputs in dom(NAT ) is deemed acceptable. It is mentioned elsewhere in [PM95] that dom(NAT )⊆dom(IN); this, however, does still not ensure that dom(NAT )⊆dom(IN ., SOF ., OU T ). • (m1,c2) ∈ SY S and (m1,c2) /∈ NAT . A system specification SYS that asks an implementa- tion to produce outputs not physically possible is deemed acceptable. From an engineering perspective, such systems are not realizable and it is important to reject early specifications that allow them. A similar problem with the acceptability condition in [PM95] was pointed out in Gunter et al. [GGJZ00]. In the remainder of the section, the conditions (5) and (6) will be strengthened using the demonic calculus of relations, introduced in Subsection 2.2. Condition (4) of the system require- ments feasibility is in fact equivalent to the compatibility condition (Subsection 2.2) of NAT and REQ because dom(NAT ∩ REQ) ⊆ dom(NAT )∩ dom(REQ) is a tautology. Therefore, if REQ is feasible with respect to NAT, then NAT G REQ is defined. In Figure 3, if we implement NAT G REQ = {(m1,c1),(m2,c3)} instead of REQ, then (m1,c2) will not be allowed to be part of SYS and (m2,c3) will be required to belong to SYS. That is, NAT G REQ captures only that part of the system requirements that is physically meaningful. We need to clarify at this point what it means for an implementation to satisfy a specification. As a satisfaction concept, we choose the demonic refinement of relations, also known as “total correctness” in the relation algebra literature and introduced in Subsection 2.2. The interpre- tation of the demonic refinement is twofold. First, if a specification is defined for some input, then any implementation must produce a result allowed by the specification. Second, if the spec- ification is not defined for some input, then producing arbitrary results or producing no result whatsoever are both allowed for that input. We now redefine the acceptability notion of Parnas and Madey [PM95] in the demonic calculus of relations. Definition 1 A system implementation SYS is acceptable if and only if SY S E NAT GREQ. For an acceptable system implementation SYS, the demonic refinement, demonic intersec- tion, and feasibility of system requirements ensure that dom(NAT ) ⊆ dom(NAT GREQ) ⊆ dom(REQ) ⊆ dom(SY S). Consequently, an acceptable system implementation will sense all the inputs that are possible in the environment. For these inputs, the system is asked to produce only outputs allowed by the physical environment. The inputs outside the domain of NAT, but in the domain of REQ, can be assumed to never happen under normal circumstances; these inputs can be used for specifying fault-tolerant behaviour for abnormal circumstances. Allowing arbi- trary behaviour outside the domain of REQ should present no danger as it is assumed that, for a final product, hazard analyses have been conducted and all the inputs that could lead to hazardous system behaviour have been added to the domain of REQ as additional safety requirements. In Parnas and Madey [PM95], a system implementation is given as SY S = IN ., SOF ., OU T . As seen in Subsection 2.2, the angelic composition allows dead ends between the composed rela- tions. We argue that this may allow undesirable system behaviours. For example, let us consider a relation IN that models an 8-bit resolution A/D converter such that a monitored analog voltage m = 0V is mapped to a digital value i = 0, m = 2.49V is mapped to i = 127, and m = 4.99V Proc. AVoCS 2013 10 / 15 ECEASST A D B C R P X Q RIQ PJR Figure 4: Existence of a demonic mid factor. is mapped to i = 255 (i.e., i = bm∗28/5c). The requirements ask the system to produce at the output the double of the input. Because the relation NAT says that the monitored voltages will be in the range 0–2.49V, it is decided that 8-bit unsigned integers will be used to represent the values of the output variable o = 2∗ i set by the software. If the converter has an accuracy of ±0.03V, the following situation can occur: a monitored voltage of m = 2.49V can be mapped to any of the software inputs between i = 125 (m = 2.46V) and i = 129 (m = 2.52V); in the cases when the software input i is greater than or equal to 128, the corresponding software out- put o = 2∗ i will be greater than 255 and will not fit in the 8-bit variable. In practice this means an overflow that can cause a fatal runtime error, in which case the system will not produce an expected result. At the specification level, this situation manifests itself as a dead end between SOF and OUT. Angelic composition allows such system behaviours because, even if the im- plementation fails to produce expected results when i ≥ 128, expected results will be produced when 125 ≤ i ≤ 127. Demonic composition will discard the behaviours that correspond to the system input m = 2.49V altogether since some of them (i ≥ 128) are prone to failure. Therefore, we redefine the description of a system implementation to be SY S = IN 2SOF 2OU T . Definition 2 A software implementation SOF is acceptable if and only if IN 2SOF 2OU T E NAT GREQ. 4 Existence of an acceptable software implementation In the previous section we formalized what it means for a software implementation to be accept- able, but does such a software implementation exist at all? The mathematical question we ask is, given relations NAT, REQ, IN, and OUT in the four-variable model, does a relation SOF exist such that IN 2SOF 2OU T E NAT GREQ? To reduce notational verbosity, we switch momentarily to using R to denote NAT G REQ, P for IN, Q for OUT, and X for SOF (Figure 4). We are interested in necessary and sufficient conditions for the existence of a demonic factor X such that P2X 2Q E R. Demonic composition is an associative operation [BW93]: P2 (X 2Q) = (P2X) 2Q. Associativity of 2 indicates that both diagonals AC and BD are necessary for X to exist. This suggests that the existence of the diagonals might also be a sufficient condition. As it turns out, this is not the case. By applying Lemma 2 in 4A,B,D, the necessary and sufficient condition for diagonal BD to exist is: dom(R)⊆dom(P) ∧∀b ∈ ran ( P ∣∣ dom(R) ) .∃d ∈ D. ( P ∣∣ dom(R) )` b ⊆ R`d (7) By definition, the largest relation, with respect to E, for the diagonal BD is the demonic right residual PJR. The necessary and sufficient condition for the existence of diagonal AC is obtained by applying Lemma 1 in 4A,C,D: ∀a ∈dom(R).∃c ∈dom(Q). Q c ⊆ R a (8) 11 / 15 Volume 66 (2013) From System Requirements to Software Requirements in the Four-Variable Model a1 a2 b1 c1 c2 c3 d1 d2 d3 R P X Q Figure 5: Diagonals are not sufficient for a demonic mid factor. The largest relation, with respect to E, for the diagonal AC is the demonic left residual R I Q. While conditions (7) and (8) are both necessary for X, Figure 5 provides a counterexample to the sufficiency of their conjunction. Condition (7) is satisfied because dom(R) ⊆ dom(P) and( P ∣∣ dom(R) )` b1 = {a1,a2}⊆ R `d2 = {a1,a2}. Condition (8) is also satisfied because Q c1 = {d1}⊆ R a1 ={d1,d2} and Q c3 ={d3}⊆ R a2 ={d2,d3}. However, if (b1,c1)∈ X , then a2 can be connected to d1 via P2X 2Q although (a2,d1) /∈ R; similarly, if (b1,c3)∈ X , then a1 can reach d3 via P2X 2Q although (a1,d3) /∈ R. Consequently, there is no relation X such that P2X 2Q E R, although both (7) and (8) are satisfied. It is only when (c2,d2)∈ Q that there is an X ={(b1,c2)} such that P2X 2Q E R. It can be seen in Figure 5 that d2 enjoys a special property: the amount of “confusion” at the input of R to produce d2 is at least the same as the amount of “confusion” at the input of P to produce b1, that is, ( P ∣∣ dom(R) )` b1 ={a1,a2}⊆ R `d2 ={a1,a2}. This suggests that Q reaching points similar to d2 must be part of a necessary and sufficient condition for X to exist. Lemma 3 Given three relations R ⊆ A×D, P ⊆ A×B, and Q ⊆ C ×D, there exists a de- monic factor X ⊆ B ×C such that P2X 2Q E R if and only if dom(R) ⊆ dom(P) and ∀b ∈ ran ( P ∣∣ dom(R) ) .∃c ∈dom(Q). Q c ⊆ { d ∈ D | ( P ∣∣ dom(R) )` b ⊆ R`d } . Proof. The geometrical interpretation (Figure 5) of the associativity of 2 is that it does not matter if we use the diagonal BD or the diagonal AC to arrive to the conditions for the existence of X. As such, it suffices to use the diagonal BD and show that the conditions in Lemma 3 are necessary and sufficient for X such that P2 (X 2Q) E R. ∃X. P2 (X 2Q) E R ⇐⇒〈by definition of J & Lemma 2 applied in 4A,B,D〉 (∃X. X 2Q E PJR) ∧ (7) ⇐⇒〈by Lemma 1 applied in 4B,C,D〉 ∀b ∈dom(PJR).∃c ∈dom(Q). Q c ⊆ (PJR)b ∧ (7) ⇐⇒ 〈 dom(PJR) = ran ( P ∣∣ dom(R) ) & (PJR)b = { d ∈ D | ( P ∣∣ dom(R) )` b ⊆ R`d }〉 dom(R)⊆dom(P) ∧∀b ∈ ran ( P ∣∣ dom(R) ) .∃c ∈dom(Q). Q c ⊆ { d ∈ D | ( P ∣∣ dom(R) )` b ⊆ R`d } Proc. AVoCS 2013 12 / 15 ECEASST Lemma 4 Given relations R ⊆ A×D, P ⊆ A×B, X ⊆ B×C, and Q ⊆C×D, if P2X 2Q E R, then X E PJRIQ. Proof. For any X such that P2 (X 2Q) E R we have that P2 (X 2Q) E R ⇐⇒ X 2Q E PJR ⇐⇒ X E (PJR)I Q by using the definitions of J and I, respectively. Considering that the demonic composition is associative, it is also the case that any X that satisfies (P2X) 2Q E R is also a demonic refinement of the residual P J(RIQ) and that (PJR)I Q = P J(RIQ). Therefore, we drop the parentheses and say that any solution of the inequality P2X 2Q E R, if it exists, is a demonic refinement of the residual PJRIQ. In other words, this residual is the largest solution, with respect to E, of P2X 2Q E R. At this point we are ready to present the main results of the paper. The following theorem states a necessary and sufficient condition for the existence of an acceptable software implementation in the four-variable model (Figure 1). Theorem 1 There exists an acceptable software implementation SOF if and only if for any software input i ∈ ran ( IN ∣∣ dom(NATGREQ) ) there exists a software output o ∈ dom(OU T ) such that OU T o ⊆ { c ∈C | ( IN ∣∣ dom(NATGREQ) )` i ⊆ (NAT GREQ)` c } , and dom(NAT GREQ) ⊆ dom(IN). Proof. Direct consequence of Lemma 3. Following from Definition 2 and Lemma 4, we have that any acceptable software implemen- tation, if it exists, is a demonic refinement of the residual IN J(NAT GREQ)IOU T . As a result, this residual is the least restrictive software specification, or the weakest software specification, as it leaves open most software design options. The weakest software specification describes all the possible acceptable software implementations and, in this sense, it describes the software requirements. An actual software implementation is a functional (i.e., deterministic) demonic refinement of the software requirements. 5 Conclusions A method for assessing the existence of an acceptable software implementation early in the development of a safety-critical system may save time and resources. We have addressed this need and proved a necessary and sufficient condition for the existence of an acceptable software implementation in a general, relational variant of the four-variable model in which inaccuracies of the sensing and actuating hardware as well as tolerances can be modelled. To be useful in practice, the existence check for acceptable software needs to be supported by tools. Satisfiability Modulo Theories (SMT) solving may be a fruitful direction for a completely automated check, although a point of concern is the existential quantifier that falls within the scope of the universal quantifier in our existence condition. When SMT solving does not work, verifying whether the existence condition is satisfied or not will still be possible in an interactive proof assistant. 13 / 15 Volume 66 (2013) From System Requirements to Software Requirements in the Four-Variable Model In this paper we also have formalized the acceptability conditions for system and software implementations using the demonic calculus of relations and fixed the angelic conditions of Par- nas and Madey [PM95]. In the process, we provided a mathematical characterization of the software requirements in terms of their weakest specification. The main advantage for having a relation algebraic characterization for the software requirements is the high potential for mecha- nization. Given the finite relations NAT, REQ, IN, and OUT, it is possible to calculate the residual IN J(NAT GREQ)I OU T by turning the relational calculus into matrix operations on the adja- cency matrices of the graphs associated with the relations [SS93]. If this proves unfeasible for very large relations, or in the case of infinite relations, reasoning about relational specifications will still be possible in an interactive proof assistant. For increased confidence in our results, we formalized and verified the mathematical develop- ment presented in this paper with the proof assistant Coq. Acknowledgements: The authors would like to thank Dave Parnas for clarifications about the four-variable model. Thanks also go to Wolfram Kahl who has always found time to answer our questions about relation algebra. Bibliography [BH00] R. Bharadwaj, C. Heitmeyer. Developing High Assurance Avionics Systems with the SCR Requirements Method. In Proceedings of the 19th Digital Avionics Systems Conference. October 2000. [BKS97] C. Brink, W. Kahl, G. Schmidt (eds.). Relational Methods in Computer Science. Advances in Computing. Springer-Verlag, 1997. [BW93] R. C. Backhouse, J. van der Woude. Demonic Operators and Monotype Factors. Mathematical Structures in Computer Science 3(4):417–433, December 1993. [DBS+95] J. Desharnais, N. Belkhiter, S. B. M. Sghaier, F. Tchier, A. Jaoua, A. Mili, N. Za- guia. Embedding a Demonic Semilattice in a Relation Algebra. Theoretical Com- puter Science 149(2):333–360, 1995. [DMN97] J. Desharnais, A. Mili, T. Nguyen. Refinement and Demonic Semantics. In [BKS97], chapter 11, pp. 166–183, 1997. [FFK+94] S. Faulk, J. Finneran, J. Kirby, S. Shash, J. Sutton. Experience Applying the CoRE Method to the Lockhead C-130J Software Requirements. In Ninth Annual Confer- ence on Computer Assurance. Gaithersburg, Maryland, June 1994. [Fra95] M. Frappier. A Relational Basis for Program Construction by Parts. PhD thesis, Computer Science Department, University of Ottawa, 1995. [GGJZ00] C. A. Gunter, E. L. Gunter, M. Jackson, P. Zave. A Reference Model fo Require- ments and Specifications. IEEE Software 17(3):37–43, May/June 2000. Proc. AVoCS 2013 14 / 15 ECEASST [HH86] C. A. R. Hoare, J. He. The Weakest Prespecification. Fundamenta Informaticae 9(1):(Part I) 51–84, (Part II) 217–252, 1986. [HJL96] C. L. Heitmeyer, R. D. Jeffords, B. G. Labaw. Automated Consistency Checking of Requirements Specifications. ACM Transactions on Software Engineering and Methodology 5(3):230–261, 1996. [HLW09] X. Hu, M. Lawford, A. Wassyng. Formal Verification of the Implementability of Timing Requirements. In Formal Methods for Industrial Critical Systems. Lecture Notes in Computer Science 5596, pp. 119–134. Springer, 2009. [HT00] M. Heimdahl, J. Thompson. Specification Based Prototyping of Control Systems. In Proceedings of the 19th IEEE Digital Avionics Systems Conference. October 2000. [Kah03] W. Kahl. Refinement and Development of Programs from Relational Specifications. Electronic Notes in Theoretical Computer Science (ENTCS) 44(3):51–93, 2003. [LM09] D. L. Lempia, S. P. Miller. Requirements Engineering Management Handbook. Technical report DOT/FAA/AR-08/32, U.S. Department of Transportation, Federal Aviation Administration, June 2009. [LMFM00] M. Lawford, J. McDougall, P. Froebel, G. Moum. Practical Application of Func- tional and Relational Methods for the Specification and Verification of Safety Crit- ical Software. In Proceedings of Algebraic Methodology and Software Technology, AMAST. Lecture Notes in Computer Science 1816, pp. 73–88. Springer, 2000. [MT01] S. P. Miller, A. C. Tribble. Extending the Four-Variable Model to Bridge the System- Software Gap. In Proceedings of the 20th IEEE Digital Avionics Systems Confer- ence. October 2001. [PM95] D. L. Parnas, J. Madey. Functional Documents for Computer Systems. Science of Computer Programming 25(1):41–61, 1995. [SS93] G. Schmidt, T. Ströhlein. Relations and Graphs: Discrete Mathematics for Com- puter Scientists. EATCS Monographs on Theoretical Computer Science. Springer- Verlag, 1993. [VS90] A. Van Schouwen. The A-7 REquirements Model: Re-examination for Real-Time Systems and an Application to Monitoring Systems. Technical report 90-276, Queens University, Ontario, Canada, 1990. [WL03] A. Wassyng, M. Lawford. Lessons Learned from a Successful Implementation of Formal Methods in an Industrial Project. In Araki et al. (eds.), FME 2003. Lecture Notes in Computer Science 2805, pp. 133–153. Springer, 2003. [WL06] A. Wassyng, M. Lawford. Software Tools for Safety-Critical Software Develop- ment. International Journal on Software Tools for Technology Transfer (STTT) 8(4– 5):337–354, August 2006. 15 / 15 Volume 66 (2013) Introduction Related work Relations Angelic operators Demonic operators System and software acceptability Existence of an acceptable software implementation Conclusions