Model Checking Early Requirements Specifications in Tropos

Slides: 22
Provided by: pmlabIec


1
Model Checking Early Requirements Specifications
in Tropos
  • Presented by Chin-Yi Tsai

2
Outline
  • Introduction
  • The i* Modeling Language
  • The Formal Tropos Language
  • Formal Analysis
  • From Formal Tropos to Model Checking
  • Conclusions

3
Introduction
  • Early requirement
  • Understanding the organizational context for an
    information system
  • The goal and social dependencies of its
    stakeholders
  • Misunderstanding???
  • Formal Method
  • Formal analysis
  • Automatic
  • difficult
  • To provide a framework for the effective use of
    formal methods in the early requirements phase

4
Introduction (cont'd)
  • The gap between early requirements specification
    and formal methods.
  • A new specification language
  • Formal Tropos
  • Primitive concept of early requirements framework
  • Actor, goal, strategic dependency
  • Rich temporal analysis technique
  • Formal analysis technique
  • Model checking to allow for an automatic
    verification

Diagram labels: i*, KAOS, NuSMV
5
Introduction (cont'd)
  • T-Tool
  • Extend i* modeling language into a formal
    specification language called Formal Tropos
  • KAOS for a rich temporal specification
  • Extend an existing formal verification technique,
    model checking
  • T-Tool is built on top of NuSMV
  • NuSMV symbolic model checking

6
The i* Modeling Language
  • i* modeling language
  • For the description of early requirements
  • Understand and model social settings (actor,
    goal)

7
The Formal Tropos Language
8
Adding class layer
Classes Entity Dependencies
Attributes are associated with the instances of
actors and dependencies (e.g., a customer wants
her car to be repaired)
9
Modeling the Temporal Aspects
  • Formal Tropos places special emphasis in modeling
    the strategic aspects of the evolution of the
    dependencies
  • Operationalization?
  • The focus on the two central moments in the life
    of dependencies and entities
  • Creation
  • Fulfillment
  • Formal Tropos allows the designer
  • To specify different modalities for the
    fulfillment of the dependencies
  • To specify temporal constraints on the creation
    or fulfillment of dependencies and goals

10
Goal Modalities
11
Behavior Properties
12
Constraint Properties
Creation properties should hold at the time of
creation of a new instance of the dependency.
Fulfillment properties should hold when a
dependency is satisfied.
Invariant properties should be true throughout
the lifetime of the dependency.
  • Constraint properties determine the possible
    evolution of the object in the specification
  • Three kinds of properties
  • Creation
  • Invariant
  • Fulfillment
  • Creation and fulfillment properties may express
  • Necessary conditions
  • Sufficient conditions, or triggers
  • Necessary and sufficient conditions, or
    definitions

13
Temporal Formulas
  • Properties are specified with formulas given in a
    first-order linear-time temporal logic
  • Special predicates JustCreated(obj),
    Fulfilled(dep) identify particular moments in
    the life of the object
  • Past and future temporal operators can be used in
    the formulas

14
Formal Analysis
  • Formal Tropos allows for the following kinds of
    formal analysis
  • Consistency check
  • It aims to verify that there is at least one
    scenario of the system that respects all the
    constraints enforced by the requirement
    specification.
  • Assertion validation
  • Represent expected behavior of the system through
    assertion properties
  • Possibility check
  • There are some scenarios for the system that
    respect certain possibility properties
  • Animation
  • An effective way of communicating with the
    stakeholder
  • Gives immediate feedback

15
Assertion Validation
  • An assertion
  • Describes expected conditions for all the valid
    scenarios
  • Is used to guarantee that the specification does
    not allow for unwanted scenarios

17
Possibility Check
  • A possibility
  • Describes expected, valid scenarios of the
    specification
  • Is used to guarantee that the specification does
    not rule out any wanted execution of the system
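
Added example (not part of the original slides and not T-Tool code): the consistency check, assertion validation and possibility check from slides 14 to 17, run on one constructed dependency with creation, fulfillment and invariant constraints. It enumerates bounded traces in Python instead of using NuSMV's symbolic model checking, so "eventually" means "within the bound"; the state variables, the three constraints and all function names are assumptions.

```python
from itertools import product

# State of one constructed dependency instance: (created, fulfilled).
STATES = list(product([False, True], repeat=2))

def just_created(t, i):      # JustCreated: exists now, did not exist one step earlier
    return t[i][0] and (i == 0 or not t[i - 1][0])

def just_fulfilled(t, i):    # first step at which Fulfilled holds
    return t[i][1] and (i == 0 or not t[i - 1][1])

# Constraint properties, assumed for this example; each judges a whole trace.
def persistent(t):           # lifecycle: creation and fulfillment never revert
    return all((b[0] or not a[0]) and (b[1] or not a[1]) for a, b in zip(t, t[1:]))

def invariant(t):            # invariant: fulfilled implies created
    return all(c or not f for c, f in t)

def fulfil_after_creation(t):  # necessary condition, uses a past operator
    return all(not just_fulfilled(t, i) or (i > 0 and t[i - 1][0]) for i in range(len(t)))

SPEC = [persistent, invariant, fulfil_after_creation]

def valid_traces(constraints, bound=4):
    return [t for t in product(STATES, repeat=bound) if all(c(t) for c in constraints)]

def consistency_check(constraints, bound=4):
    return bool(valid_traces(constraints, bound))

def assertion_validation(constraints, assertion, bound=4):
    # Counterexample trace, or None when every valid trace meets the assertion.
    return next((t for t in valid_traces(constraints, bound) if not assertion(t)), None)

def possibility_check(constraints, possibility, bound=4):
    # Witness trace, or None when the constraints rule the scenario out.
    return next((t for t in valid_traces(constraints, bound) if possibility(t)), None)

def not_fulfilled_at_creation(t):
    return not any(just_created(t, i) and t[i][1] for i in range(len(t)))

def created_implies_fulfilled(t):   # too strong: nothing forces fulfillment
    return not any(c for c, _ in t) or any(f for _, f in t)

def gets_fulfilled(t):
    return any(f for _, f in t)

if __name__ == "__main__":
    print("consistent:", consistency_check(SPEC))
    print("assertion 1 counterexample:", assertion_validation(SPEC, not_fulfilled_at_creation))
    print("assertion 2 counterexample:", assertion_validation(SPEC, created_implies_fulfilled))
    print("possibility witness:", possibility_check(SPEC, gets_fulfilled))
```

A returned counterexample shows the specification admits an unwanted scenario; a missing witness shows the constraints are too tight and exclude a wanted one.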

18
The Technical Details
  • The approach consists of the following 3 steps
  • The analyst writes a Formal Tropos specification
  • T-Tool automatically translates the specification
    into an Intermediate Language
  • NuSMV performs the formal analysis on the
    Intermediate Language specification
  • The Intermediate Language
  • Small core language with clean semantics
  • Independent from the specification of Formal
    Tropos (the Intermediate Language may be applied
    to other requirements languages)
  • Independent from any particular analysis
    techniques (model checking, LTL satisfiability,
    theorem proving)

19
The Intermediate Language
  • The strategic flavor of Formal Tropos is lost
  • Focus on the dynamic aspects of the system
  • IL consists of four parts
  • Class declarations
  • Constraints
  • Assertions
  • Possibility properties

Entity, actor, dependencies
20
Conclusions
  • To define
  • Formal Tropos, a formal language for specifying
    early requirements
  • a methodology to extend the requirements with
    assertions on expected behaviors of the system
  • a prototype tool (based on NuSMV) to support the
    proposed approach

21
Future Work
  • Extend the scope of the approach
  • Later development phase
  • Goal decomposition
  • Enhance the tool
  • Better interaction with user
  • Improve the animation techniques
  • Real case studies