Lightweight Formal Methods

Alcoa is a tool for analyzing object models. It has a range of uses. At one end, it can act as a support tool for object model diagrams, checking for consistency of multiplicities and generating sample snapshots. At the other end, it embodies a lightweight formal method in which subtle properties of behaviour can be investigated. Alcoa's input language, Alloy, is a new notation based on Z. Its development was motivated by the need for a notation that is more closely tailored to object models (in the style of UML), and more amenable to automatic analysis. Like Z, Alloy supports the description of systems whose state involves complex relational structure. State and behavioural properties are described declaratively, by conjoining constraints. This makes it possible to develop and analyze a model incrementally, with Alcoa investigating the consequences of whatever constraints are given. Alcoa works by translating constraints to boolean formulas, and then applying state-of-the-art SAT solvers. It can analyze billions of states in seconds.

This paper looks at the independent verification and validation (IV&V) of NASA's Space Shuttle Day of Launch 1-Load Update (DoLILU) project. IV&V is defined. The system's development life cycle is explained. Data collection and analysis are described. DoLILU Issue Tracking Reports (DITRs) authored by IV&V personnel are analyzed to determine the effectiveness of IV&V in finding errors before the code, testing, and integration phase of the software development life cycle. The study's findings are reported along with the limitations of the study and planned future research.

In order to develop trustworthy distributed systems, verification techniques and formal methods, including lightweight and practical approaches, have been employed to certify the design or implementation of security protocols. Lightweight formal methods offer a more accessible alternative to traditional fully formalised techniques by focusing on simplified models and tool support, making them more applicable in practical settings. The technical advantages of formal verification over manual testing are increasingly recognised in the cybersecurity community. However, applying formal methods, even in their more practical forms, outside highly specialised research settings remains challenging. For practitioners, formal modelling and verification are often too complex and unfamiliar to be used routinely. In this paper, we present an Eclipse Integrated Development Environment for the design, verification, and implementation of security protocols and evaluate its effectiveness, including feedback from users in educational settings. It offers user-friendly assistance in the formalisation process as part of a Model-Driven Development approach. This IDE centres around the Alice & Bob (AnB) notation, the AnBx Compiler and Code Generator, the OFMC model checker, and the ProVerif cryptographic protocol verifier. For the evaluation, we identify the six most prominent limiting factors for formal method adoption, based on relevant literature in this field, and we consider the IDE’s effectiveness against those criteria. Additionally, we conducted a structured survey to collect feedback from university students who have used the toolkit for their projects. The findings demonstrate that this contribution is valuable as a workflow aid and helps users grasp essential cybersecurity concepts, even for those with limited knowledge of formal methods or cryptography. Crucially, users reported that the IDE has been an important component to complete their projects and that they would use again in the future, given the opportunity.

In order to develop trustworthy distributed systems, verification techniques and formal methods, including lightweight and practical approaches, have been employed to certify the design or implementation of security protocols. Lightweight formal methods offer a more accessible alternative to traditional fully formalised techniques by focusing on simplified models and tool support, making them more applicable in practical settings. The technical advantages of formal verification over manual testing are increasingly recognised in the cybersecurity community. However, applying formal methods, even in their more practical forms, outside highly specialised research settings remains challenging. For practitioners, formal modelling and verification are often too complex and unfamiliar to be used routinely. In this paper, we present an Eclipse Integrated Development Environment for the design, verification, and implementation of security protocols and evaluate its effectiveness, including feedback from users in educational settings. It offers user-friendly assistance in the formalisation process as part of a Model-Driven Development approach. This IDE centres around the Alice & Bob (AnB) notation, the AnBx Compiler and Code Generator, the OFMC model checker, and the ProVerif cryptographic protocol verifier. We surveyed master-level students on their knowledge prior to completing their projects, and noticed considerable misconceptions. After project completion, we asked them to report on their experience with our IDE. Our findings demonstrate that this contribution is valuable as a workflow aid and helps users grasp essential cybersecurity concepts, even for those with limited knowledge of formal methods or cryptography. Crucially, users reported that the IDE has been an important component to complete their projects, that they would use again in the future, given the opportunity.

Business has been highlighted as a one of the critical dimensions of software product line engineering. This paper's main contribution is to increase the understanding of the influence of key business factors by showing empirically that they play an imperative role in managing a successful software product line. A quantitative survey of software organizations currently involved in the business of developing software product lines over a wide range of operations, including consumer electronics, telecommunications, avionics, and information technology, was designed to test the conceptual model and hypotheses of the study. This is the first study to demonstrate the relationships between the key business factors and software product lines. The results provide evidence that organizations in the business of software product line development have to cope with multiple key business factors to improve the overall performance of the business, in addition to their efforts in software development. The conclusions of this investigation reinforce current perceptions of the significance of key business factors in successful software product line business.

We describe Java-MaC, a prototype implementation of the Monitoring and Checking (MaC) architecture for Java programs. The MaC architecture provides assurance that the target program is running correctly with respect to a formal requirements specification by monitoring and checking the execution of the target program at run-time. MaC bridges the gap between formal verification, which ensures the correctness of a design rather than an implementation, and testing, which does not provide formal guarantees about the correctness of the system. Use of formal requirement specifications in run-time monitoring and checking is the salient aspect of the MaC architecture. MaC is a lightweight formal method solution which works as a viable complement to the current heavyweight formal methods. In addition, analysis processes of the architecture including instrumentation of the target program, monitoring, and checking are performed fully automatically without human direction, which increases the accuracy of the analysis. Another important feature of the architecture is the clear separation between monitoring implementation-dependent low-level behaviors and checking high-level behaviors, which allows the reuse of a high-level requirement specification even when the target program implementation changes. Furthermore, this separation makes the architecture modular and allows the flexibility of incorporating third party tools into the architecture. The paper presents an overview of the MaC architecture and a prototype implementation Java-MaC.

Alcoa is a tool for analyzing object models. It has a range of uses. At one end, it can act as a support tool for object model diagrams, checking for consistency of multiplicities and generating sample snapshots. At the other end, it embodies a lightweight formal method in which subtle properties of behaviour can be investigated. Alcoa's input language, Alloy, is a new notation based on Z. Its development was motivated by the need for a notation that is more closely tailored to object models (in the style of UML), and more amenable to automatic analysis. Like Z, Alloy supports the description of systems whose state involves complex relational structure. State and behavioural properties are described declaratively, by conjoining constraints. This makes it possible to develop and analyze a model incrementally, with Alcoa investigating the consequences of whatever constraints are given. Alcoa works by translating constraints to boolean formulas, and then applying state-of-the-art SAT solvers. It can analyze billions of states in seconds.

Coordination and Adaptation are two key issues when developing complex distributed systems. Coordination focuses on the interaction among software entities. Adaptation focuses on solving the problems that arise when the interacting entities do not match properly. This is the report of the third edition of the WCAT workshop, that took place in Nantes jointly with ECOOP 2006. In this third edition, the topics of interest of the participants covered a large number of fields where coordination and adaptation have an impact: models, requirements identification, interface specification, extra-functional properties, automatic generation, frameworks, middleware, and tools.

This paper describes a reusable approach using automatic use case scenario generation to specify system of systems (SoS) behaviors. The approach leverages the Monterey Phoenix (MP) language and tools which extend current methods significantly by making a larger number of SoS use case scenario variants available to SoS analysts. Having described how MP structures behavior models to accomplish this task in previous papers this paper provides model-building details and advice that takes readers through the approach so they may repeat it on a SoS of their own interest. A simplified SoS model of three systems interacting in a humanitarian assistance and disaster relief (HADR) scenario is used to demonstrate the approach. The HADR example highlights the model structure features that enable automatic SoS use case scenario generation and supporting descriptions of each part of the model are provided. The paper concludes with a summary and brief discussion of ongoing research areas that supp...

Coordination and Adaptation are two key issues when developing complex distributed systems. Coordination focuses on the interaction among software entities. Adaptation focuses on solving the problems that arise when the interacting entities do not match properly. This is the report of the third edition of the WCAT workshop, that took place in Nantes jointly with ECOOP 2006. In this third edition, the topics of interest of the participants covered a large number of fields where coordination and adaptation have an impact: models, requirements identification, interface specification, extra-functional properties, automatic generation, frameworks, middleware, and tools.

In goal-oriented requirements engineering approaches, conflict analysis has been proposed as an abstraction for risk analysis. Intuitively, given a set of expected goals to be achieved by the system-tobe, a conflict represents a subtle situation that makes goals diverge, i.e., not be satisfiable as a whole. Conflict analysis is typically driven by the identify-assess-control cycle, aimed at identifying, assessing and resolving conflicts that may obstruct the satisfaction of the expected goals. In particular, the assessment step is concerned with evaluating how likely the identified conflicts are, and how likely and severe are their consequences. So far, existing assessment approaches restrict their analysis to obstacles (conflicts that prevent the satisfaction of a single goal), and assume that certain probabilistic information on the domain is provided, that needs to be previously elicited from experienced users, statistical data or simulations. In this paper, we present a novel automated approach to assess how likely a conflict is, that applies to general conflicts (not only obstacles) without requiring probabilistic information on the domain. Intuitively, given the LTL formulation of the domain and of a set of goals to be achieved, we compute goal conflicts, and exploit string model counting techniques to estimate the likelihood of the occurrence of the corresponding conflicting situations and the severity in which these affect the satisfaction of the goals. This information can then be used to prioritize conflicts to be resolved, and suggest which goals to drive attention to for refinements.

The ability of reusing existing software has always been a major concern of Software Engineering. The reuse and integration of heterogeneous software parts is an issue for current paradigms such as Component-Based Software Development, or Coordination Models and Languages. However, a serious limitation of current approaches is that while they provide convenient ways to describe the typed signatures of software entities, they offer a quite limited support to describe their concurrent behaviour. As a consequence, when a component is going to be reused, one can only be sure that it provides the required interface, but nothing else can be inferred about the behaviour of the component with regard to the interaction protocol required by its environment. To deal with this problem, a new discipline, Software Adaptation, is emerging. Software Adaptation promotes the use of adaptors-specific computational entities guaranteeing that software components will interact in the right way not only at the signature level, but also at the protocol and semantic levels. This paper summarizes the results and conclusions of the First Workshop on Coordination and Adaptation Techniques for Software Entities (WCAT'04).

Alcoa is a tool for analyzing object models. It has a range of uses. At one end, it can act as a support tool for object model diagrams, checking for consistency of multiplicities and generating sample snapshots. At the other end, it embodies a lightweight formal method in which subtle properties of behaviour can be investigated. Alcoa's input language, Alloy, is a new notation based on Z. Its development was motivated by the need for a notation that is more closely tailored to object models (in the style of UML), and more amenable to automatic analysis. Like Z, Alloy supports the description of systems whose state involves complex relational structure. State and behavioural properties are described declaratively, by conjoining constraints. This makes it possible to develop and analyze a model incrementally, with Alcoa investigating the consequences of whatever constraints are given. Alcoa works by translating constraints to boolean formulas, and then applying state-of-the-art SAT solvers. It can analyze billions of states in seconds.

Large, complex projects face significant barriers to coordination and communication due to continuous, rapid changes during a project's lifecycle. Such changes must be tracked, analyzed, and reconciled to ensure high-quali_ in the end-product, otherwise problems may. be get lost or

The engineering of high-quality software requirements generally relies on properties and assumptions about the environment in which the software-to-be has to operate. Such properties and assumptions, referred to as environment conditions in this paper, are highly subject to change over time or from one software variant to another. As a consequence, the requirements engineered for a specific set of environment conditions may no longer be adequate, complete and consistent for another set. The paper addresses this problem through a tool-supported requirements adaptation technique. A goal-oriented requirements modelling framework is considered to make requirements' refinements and dependencies on environment conditions explicit. When environment conditions change, an adapted goal model is computed that is correct with respect to the new environment conditions. The space of possible adaptations is not fixed a priori; the required changes are expected to meet one or more environment-independent goal(s) to be satisfied in any version of the system. The adapted goal model is generated using a new counterexample-guided learning procedure that ensures the correctness of the updated goal model, and prefers more local adaptations and more similar goal models. CCS CONCEPTS • Software and its engineering → Requirements analysis; Software evolution; Model-driven software engineering.

In goal-oriented requirements engineering approaches, conflict analysis has been proposed as an abstraction for risk analysis. Intuitively, given a set of expected goals to be achieved by the system-tobe, a conflict represents a subtle situation that makes goals diverge, i.e., not be satisfiable as a whole. Conflict analysis is typically driven by the identify-assess-control cycle, aimed at identifying, assessing and resolving conflicts that may obstruct the satisfaction of the expected goals. In particular, the assessment step is concerned with evaluating how likely the identified conflicts are, and how likely and severe are their consequences. So far, existing assessment approaches restrict their analysis to obstacles (conflicts that prevent the satisfaction of a single goal), and assume that certain probabilistic information on the domain is provided, that needs to be previously elicited from experienced users, statistical data or simulations. In this paper, we present a novel automated approach to assess how likely a conflict is, that applies to general conflicts (not only obstacles) without requiring probabilistic information on the domain. Intuitively, given the LTL formulation of the domain and of a set of goals to be achieved, we compute goal conflicts, and exploit string model counting techniques to estimate the likelihood of the occurrence of the corresponding conflicting situations and the severity in which these affect the satisfaction of the goals. This information can then be used to prioritize conflicts to be resolved, and suggest which goals to drive attention to for refinements. CCS CONCEPTS • Software and its engineering → Requirements analysis; Risk management; • Theory of computation → Modal and temporal logics; Regular languages;

While conceptual modeling is strongly related to the final quality of the software product [15], conceptual modeling itself remains a challenging activity. In particular, modelers must ensure that conceptual models properly formalize their intended conceptualization of a domain. This paper proposes an approach to facilitate the validation process of conceptual models defined in OntoUML by transforming these models into specifications in the logic-based language Alloy and using its analyzer to generate instances of the model and assertion counterexamples. By allowing the observation of sequences of snapshots of model instances, the dynamics of object creation, classification, association and destruction are revealed. This confronts the modeler with the implications of modeling choices and allows them to uncover mistakes or gain confidence in the quality of conceptual models.

Requirements incompleteness is often the result of unanticipated adverse conditions which prevent the software and its environment from behaving as expected. These conditions represent risks that can cause severe software failures. The identification and resolution of such risks is therefore a crucial step towards requirements completeness. Obstacle analysis is a goal-driven form of risk analysis that aims at detecting missing conditions that can obstruct goals from being satisfied in a given domain, and resolving them. This paper proposes an approach for automatically revising goals that may be under-specified or (partially) wrong to resolve obstructions in a given domain. The approach deploys a learning-based revision methodology in which obstructed goals in a goal model are iteratively revised from traces exemplifying obstruction and non-obstruction occurrences. Our revision methodology computes domain-consistent, obstruction-free revisions that are automatically propagated to other goals in the model in order to preserve the correctness of goal models whilst guaranteeing minimal change to the original model. We present the formal foundations of our learning-based approach, and show that it preserves the properties of our formal framework. We validate it against the benchmarking case study of the London Ambulance Service.

Dynamically adaptive systems (DASs) are intended to monitor the execution environment and then dynamically adapt their behavior in response to changing environmental conditions. The uncertainty of the execution environment is a major motivation for dynamic adaptation; it is impossible to know at development time all of the possible combinations of environmental conditions that will be encountered. To date, the work performed in requirements engineering for a DAS includes requirements monitoring and reasoning about the correctness of adaptations, where the DAS requirements are assumed to exist. This paper introduces a goal-based modeling approach to develop the requirements for a DAS, while explicitly factoring uncertainty into the process and resulting requirements. We introduce a variation of threat modeling to identify sources of uncertainty and demonstrate how the RELAX specification language can be used to specify more flexible requirements within a goal model to handle the uncertainty.

In goal-oriented requirements engineering approaches, conflict analysis has been proposed as an abstraction for risk analysis. Intuitively, given a set of expected goals to be achieved by the system-tobe, a conflict represents a subtle situation that makes goals diverge, i.e., not be satisfiable as a whole. Conflict analysis is typically driven by the identify-assess-control cycle, aimed at identifying, assessing and resolving conflicts that may obstruct the satisfaction of the expected goals. In particular, the assessment step is concerned with evaluating how likely the identified conflicts are, and how likely and severe are their consequences. So far, existing assessment approaches restrict their analysis to obstacles (conflicts that prevent the satisfaction of a single goal), and assume that certain probabilistic information on the domain is provided, that needs to be previously elicited from experienced users, statistical data or simulations. In this paper, we present a novel automated approach to assess how likely a conflict is, that applies to general conflicts (not only obstacles) without requiring probabilistic information on the domain. Intuitively, given the LTL formulation of the domain and of a set of goals to be achieved, we compute goal conflicts, and exploit string model counting techniques to estimate the likelihood of the occurrence of the corresponding conflicting situations and the severity in which these affect the satisfaction of the goals. This information can then be used to prioritize conflicts to be resolved, and suggest which goals to drive attention to for refinements. CCS CONCEPTS • Software and its engineering → Requirements analysis; Risk management; • Theory of computation → Modal and temporal logics; Regular languages;

The Timed Concurrent Constraint Language tccp is a declarative synchronous concurrent language, particularly suitable for modelling reactive systems. In tccp, agents communicate and synchronise through a global constraint store. It supports a notion of discrete time that allows all non-blocked agents to proceed with their execution simultaneously. In this paper, we present a modular architecture for the simulation of tccp programs. The tool comprises three main components. First, a set of basic abstract instructions able to model the tccp agent behaviour, the memory model needed to manage the active agents and the state of the store during the execution. Second, the agent interpreter that executes the instructions of the current agent iteratively and calculates the new agents to be executed at the next time instant. Finally, the constraint solver components which are the modules that deal with constraints. In this paper, we describe the implementation of these components and present...

The Timed Concurrent Constraint Language tccp is a declarative synchronous concurrent language, particularly suitable for modelling reactive systems. In tccp, agents communicate and synchronise through a global constraint store. It supports a notion of discrete time that allows all non-blocked agents to proceed with their execution simultaneously. In this paper, we present a modular architecture for the simulation of tccp programs. The tool comprises three main components. First, a set of basic abstract instructions able to model the tccp agent behaviour, the memory model needed to manage the active agents and the state of the store during the execution. Second, the agent interpreter that executes the instructions of the current agent iteratively and calculates the new agents to be executed at the next time instant. Finally, the constraint solver components which are the modules that deal with constraints. In this paper, we describe the implementation of these components and present an example of a real system modelled in tccp. The full version of this paper [4] has been published in the proceedings of the 24th International Workshop on Functional and (Constraint) Logic Programming (WFLP 2016).

While conceptual modeling is strongly related to the final quality of the software product [15], conceptual modeling itself remains a challenging activity. In particular, modelers must ensure that conceptual models properly formalize their intended conceptualization of a domain. This paper proposes an approach to facilitate the validation process of conceptual models defined in OntoUML by transforming these models into specifications in the logic-based language Alloy and using its analyzer to generate instances of the model and assertion counterexamples. By allowing the observation of sequences of snapshots of model instances, the dynamics of object creation, classification, association and destruction are revealed. This confronts the modeler with the implications of modeling choices and allows them to uncover mistakes or gain confidence in the quality of conceptual models.

— While conceptual modeling is strongly related to the final quality of the software product [15], conceptual modeling itself remains a challenging activity. In particular, modelers must ensure that conceptual models properly formalize their intended conceptualization of a domain. This paper proposes an approach to facilitate the validation process of conceptual models defined in OntoUML by transforming these models into specifications in the logic-based language Alloy and using its analyzer to generate instances of the model and assertion counter-examples. By allowing the observation of sequences of snapshots of model instances, the dynamics of object creation, classification, association and destruction are revealed. This confronts the modeler with the implications of modeling choices and allows them to uncover mistakes or gain confidence in the quality of conceptual models.

While conceptual modeling is strongly related to the final quality of the software product [15], conceptual modeling itself remains a challenging activity. In particular, modelers must ensure that conceptual models properly formalize their intended conceptualization of a domain. This paper proposes an approach to facilitate the validation process of conceptual models defined in OntoUML by transforming these models into specifications in the logic-based language Alloy and using its analyzer to generate instances of the model and assertion counterexamples. By allowing the observation of sequences of snapshots of model instances, the dynamics of object creation, classification, association and destruction are revealed. This confronts the modeler with the implications of modeling choices and allows them to uncover mistakes or gain confidence in the quality of conceptual models.

Transactional systems have been the forte of Information Systems/Software Engineering. These systems deal with automating the functionality of systems, to provide value to the users. Initially, up to the end of the decade of the 1960s, transactional systems were simple, single-function systems. Thus, we had payroll systems that accounts people would use to compute the salary of employees and print out salary. Information Systems/Software Engineering technology graduated to multi-functional systems that looked at the computerization of relatively larger chunks of the business. Thus, it now became possible to deal with the accounts department, the human resource department, customer interface, etc. Technology to deal with such systems stabilized in the period 1960-1980. Subsequently, attention shifted to even more complex systems, the computerization of the entire enterprise, and to inter-organization information systems. The demand for engineering of ever more complex systems led to the "software crisis", a term widely used in the 1990s to describe the difficulties that industry of that time faced. A number of studies were carried out and some of the problems highlighted were systems failure/rejection by clients, inability to deliver complex and large software well. The Standish Group's "Chaos" reports [1] presented software industry's record in delivering large-sized systems using traditional development methods. The Group conducted a survey of 8380 projects carried out by 365 major American companies. The results showed that projects worth up to even $750,000 exceeded budget and time. Further, they failed to deliver the promised features more than 55% of the time. As the size of the applications grew, the success rate fell to 25% for efforts over $3 million and down to zero for projects over $10 million. Bell labs and IBM [2] found that 80% of all defects in software products lie in the requirements phase. Boehm and Papaccio [3] said that correcting requirements errors is 5 times more expensive when carried out during the design phase; the cost of correction is 10 times during implementation phase; the cost rises to 20 times for corrections done during testing and it becomes an astronomical 200 times after the system has been delivered. Evidently, such corrections result in expensive products

The Timed Concurrent Constraint Language tccp is a declarative synchronous concurrent language, particularly suitable for modelling reactive systems. In tccp, agents communicate and synchronise through a global constraint store. It supports a notion of discrete time that allows all non-blocked agents to proceed with their execution simultaneously. In this paper, we present a modular architecture for the simulation of tccp programs. The tool comprises three main components. First, a set of basic abstract instructions able to model the tccp agent behaviour, the memory model needed to manage the active agents and the state of the store during the execution. Second, the agent interpreter that executes the instructions of the current agent iteratively and calculates the new agents to be executed at the next time instant. Finally, the constraint solver components which are the modules that deal with constraints. In this paper, we describe the implementation of these components and present an example of a real system modelled in tccp. The full version of this paper [4] has been published in the proceedings of the 24th International Workshop on Functional and (Constraint) Logic Programming (WFLP 2016).

— While conceptual modeling is strongly related to the final quality of the software product [15], conceptual modeling itself remains a challenging activity. In particular, modelers must ensure that conceptual models properly formalize their intended conceptualization of a domain. This paper proposes an approach to facilitate the validation process of conceptual models defined in OntoUML by transforming these models into specifications in the logic-based language Alloy and using its analyzer to generate instances of the model and assertion counter-examples. By allowing the observation of sequences of snapshots of model instances, the dynamics of object creation, classification, association and destruction are revealed. This confronts the modeler with the implications of modeling choices and allows them to uncover mistakes or gain confidence in the quality of conceptual models.

Many small companies do requirements engineering (RE) superficially or neglect it totally. However, according to software project risk studies a cursorily done RE is one of the biggest risks for software projects. So far RE research has focused on large and complex projects that cannot be managed without proper RE practices. At the same time smaller projects have suffered from basic RE problems. To alleviate this situation we have developed a basic systematic RE method – BaSyRE – that is targeted for small projects developing administrative and business information systems. The key design rationale for BaSyRE are (1) a systematic approach to RE, (2) a ready-to-hand solution, (3) simplicity, and (4) domain specificity. The method itself consists of a requirements document template with techniques and processes for both requirements development and management. All these elements have been adapted to the specific application domain to form a simple but systematic method to be taken in ...

The Java-MaC framework is a run-time verification system for Java programs that can be used to dynamically test and enforce safety policies. This paper presents a formal model of the Java-MaC safety properties in terms of an operational seman- tics for Middleweight Java, a realistic subset of full Java. This model is intended to be used as a framework for

Alcoa is a tool for analyzing object models. It has a range of uses. At one end, it can act as a support tool for object model diagrams, checking for consistency of multiplicities and generating sample snapshots. At the other end, it embodies a lightweight formal method in which ...

In goal-oriented requirements engineering approaches, conflict analysis has been proposed as an abstraction for risk analysis. Intuitively, given a set of expected goals to be achieved by the system-tobe, a conflict represents a subtle situation that makes goals diverge, i.e., not be satisfiable as a whole. Conflict analysis is typically driven by the identify-assess-control cycle, aimed at identifying, assessing and resolving conflicts that may obstruct the satisfaction of the expected goals. In particular, the assessment step is concerned with evaluating how likely the identified conflicts are, and how likely and severe are their consequences. So far, existing assessment approaches restrict their analysis to obstacles (conflicts that prevent the satisfaction of a single goal), and assume that certain probabilistic information on the domain is provided, that needs to be previously elicited from experienced users, statistical data or simulations. In this paper, we present a novel automated approach to assess how likely a conflict is, that applies to general conflicts (not only obstacles) without requiring probabilistic information on the domain. Intuitively, given the LTL formulation of the domain and of a set of goals to be achieved, we compute goal conflicts, and exploit string model counting techniques to estimate the likelihood of the occurrence of the corresponding conflicting situations and the severity in which these affect the satisfaction of the goals. This information can then be used to prioritize conflicts to be resolved, and suggest which goals to drive attention to for refinements. CCS CONCEPTS • Software and its engineering → Requirements analysis; Risk management; • Theory of computation → Modal and temporal logics; Regular languages;

classes are meant to define properties of a particular entity without allowing the user to directly instantiate the entity [76]. The rationale behind using abstract classes is to introduce reusability of elements and reduce redundancy of attributes and other features. Umple supports ‘abstract’ classes by allowing the use to declare any Umple class as ‘abstract’.

This paper describes our experiences in restructuring multi-perspective requirements speci cations in order to identify and analyse inconsistencies and manage change. A partial, heterogeneous and reasonably large requirements speci cation from a NASA project was analysed and decomposed into a structure of viewpoints", where each viewpoint encapsulates partial requirements of some system components described in the speci cation. Relationships between viewpoints were identi ed which included not only the interactions explicitly stated in the requirements but also some implicit and potentially problematic inter-dependencies. The restructuring process and a rst informal analysis of the resulting relationships enabled the detection of inconsistencies and the de nition of some interesting domain-dependent consistency rules. We believe that this restructuring into viewpoints also facilitated requirements understanding through partitioning, and requirements maintenance and evolution through explicit identi cation of the inter-viewpoint relationships.

This paper describes our experiences in restructuring multi-perspective requirements specifications in order to facilitate the identification and analysis of inconsistencies and the management of change. A partial, heterogeneous and reasonably large requirements specification from a NASA project was analysed and decomposed into a structure of viewpoints, where each viewpoint encapsulates partial requirements of some system components described in the specification. Relationships between viewpoints were identified which included not only the interactions explicitly stated in the requirements but also some implicit and potentially problematic inter-dependencies. The restructuring process and a first informal analysis of the resulting relationships enabled the detection of inconsistencies and the definition of some interesting domain-dependent consistency rules. We believe that this restructuring into viewpoints also facilitated requirements understanding through partitioning, and requirements maintenance and evolution through explicit identification of the inter-viewpoint relationships.

Abstract. Goal modelling is a well known rigorous method for analysing problem rationale and developing requirements. Under the pressures typical of time-constrained projects its benefits are not accessible. This is because of the effort and time needed to create the graph and because reading the results can be difficult owing to the effects of crosscutting concerns. Here we introduce an adaptation of KAOS to meet the needs of rapid turn around and clarity. The main aim is to help the stakeholders gain an insight into the larger issues that might ...

Abstract—Scenarios are increasingly recognized as an effective means for eliciting, validating, and documenting software requirements. This paper concentrates on the use of scenarios for requirements elicitation and explores the process of inferring formal specifications of ...

Mathematically-based "formal" methods for developing software and systems have had an interesting history. Over the past twenty-five years, the subject has moved from controversies surrounding code verification, through work on data types, design methodology, refinement and "Lightweight" Formal Methods, to automated proof and model-checking technology. The panel discussion recorded here brought together four computer scientists who have been active as

One of the current problems in software systems development is the increasing complexity of analysing and guaranteeing the reliable behaviour of these systems. This project is oriented towards the development of the methods, tools and techniques necessary for supporting quality software construction, with emphasis on practical application to the industrial processes of software companies. This proposal is based on the use of lightweight formal methods in Software Engineering, i.e., the partial application of formalisms at dierent levels: language, modelling, analysis and composition. The basic idea is to subordinate general methods that support the entire development process and to enhance the real application of formal methods at certain phases of the software life cycle. In order to illustrate the feasibility of this approach, most of the project activities are within the field of component-based software development. The project is a coordinated proposal of four university teams ...

Current research in specifications is emphasizing the practical use of formal specifications in program design. One way to encourage their use in practice is to provide specification languages that are accessible to both designers and programmers. With this goal in mind, the Larch family of formal specification languages has evolved to support a two-tiered approach to writing specifications. This approach separates the specification of state transformations and programming language dependencies from the specification of underlying abstractions. Thus, each member of the Larch family has a subset derived from a programming language and another subset independent of any programming languages. We call the former interface languages, and the latter the Larch Shared Language. This paper focuses on Larch interface language specifications. Through examples, we illustrate some salient features of Larch/CLU, a Larch interface language for the programming language CLU. We give an example of writing an interface specification following the two-tiered approach and discuss in detail issues involved in writing interface specifications and their interaction with their Shared Language components.

In this paper we present the state/event-based temporal logic µUCTL which is a logic oriented towards a natural description of dynamic properties of UML models. This logic allows to specify the basic properties that a runtime system configuration should satisfy and to combine these basic predicates with logic and temporal operators which allow to take into consideration also the events performed by the system when evolving from one system configuration to another. Doubly Labelled Transition Systems are the semantic domain for µUCTL. The logic is supported by a prototypical verification environment under development at ISTI built around the "on the fly" UMC model checker. * Work partially founded by FET-IST 016004 project SENSORIA.

This paper presents, from a user point-of-view, the mechanism of cooperation between constraint domains that is currently part of the system T OY , an implementation of a constraint functional logic programming scheme. This implementation follows a cooperative goal solving calculus based on lazy narrowing. It manages the invocation of solvers for each domain, and projection operations for converting constraints into mate domains via mediatorial constraints. We implemented the cooperation among Herbrand, real arithmetic (R), finite domain (F D) and set (S) domains. We provide two mediatorial constraints: The first one relates the numeric domains FD and R, and the second one relates F D and S.

We begin by describing the Larch approach to speci cation and illustrating it with a few small examples. We then discuss LP, the Larch proof assistant, a tool that supports all the Larch languages. Our intent is to give you only a taste of these things. For a comprehensive look at Larch see 12].

One of the most important approaches to requirements engineering of the last ten years is the KAOS model. The authors introduce a profile that allows the KAOS model to be represented in the UML. The paper includes an informal presentation of the profile together with a full account of the new stereotypes and tags. They also outline an integration of requirements models with lower level design models in the UML, leading to a uniform and comprehensive specification document. A UML profile can increase the usefulness of ...

In recent years, there has been a growing interest in the use of reference conceptual models to capture information about complex and sensitive business domains (e.g., finance, healthcare, space). These models play a fundamental role in different types of critical semantic interoperability tasks. Therefore, domain experts must be able to understand and reason with their content. In other words, these models need to be cognitively tractable. This paper contributes to this goal by proposing a model clustering technique that leverages on the rich semantics of ontology-driven conceptual models (ODCM). In particular, we propose a formal notion of Relational Context to guide the automated clusterization (or modular breakdown) of conceptual models. Such Relational Contexts capture all the information needed for understanding entities "qua players of roles" in the scope of an objectified (reified) relationship (relator). The paper also presents computational support for automating the identification of Relational Contexts and this modular breakdown procedure. Finally, we report the results of an empirical study assessing the cognitive effectiveness of this approach. Keywords Ontology-driven conceptual modeling • Complexity management in conceptual modeling • Conceptual model clustering • OntoUML B Giancarlo Guizzardi

Abstract. Goal modelling is a well known rigorous method for analysing problem rationale and developing requirements. Under the pressures typical of time-constrained projects its benefits are not accessible. This is because of the effort and time needed to create the graph and because reading the results can be difficult owing to the effects of crosscutting concerns. Here we introduce an adaptation of KAOS to meet the needs of rapid turn around and clarity. The main aim is to help the stakeholders gain an insight into the larger issues that might ...

Tabular notations, in particular SCR specifications, have proved to be a useful means for formally describing complex requirements. The SCR method offers a powerful family of analysis tools, known as the SCR Toolset, but its availability is restricted by the Naval Research Laboratory of USA. This toolset applies different kinds of analysis considering the whole set of behaviours associated with a requirements specification. In this paper we present a tool for describing and analyzing SCR requirements descriptions, that complements the SCR Toolset in two aspects. First, its use is not limited by any institution, and resorts to a standard model checking tool for analysis; and second, it allows to concentrate the analysis to particular sets of behaviours (subsets of the whole specifications), that correspond to particular scenarios explicitly mentioned in the specification. We take an operational notation that allows the engineer to describe behavioural "scenarios" by means of programs, and provide a translation into Promela to perform the analysis via Spin, an efficient off-the-shelf model checker freely available. In addition, we apply the SCR method to a Pacemaker system and we use its tabular specification as a running example of this article.