Validating Requirements Determining Completeness and Correctness of Requirements

  • Slides: 46
Download presentation
Validating Requirements Determining Completeness and Correctness of Requirements Using the System Reference Model IV&V

Validating Requirements Determining Completeness and Correctness of Requirements Using the System Reference Model IV&V Workshop 16 September 2009

Overview • Validation Purpose and Definitions • A Correct and Complete SRM, and the

Overview • Validation Purpose and Definitions • A Correct and Complete SRM, and the Three Questions • SRM Correlation Mapping • Analysis of Correlation Results • Correct, Complete, Incorrect, and Incomplete Examples • Best practices, lessons learned, and challenges

IV&V’s Validation Definition • The process of evaluating artifacts to ensure that the right

IV&V’s Validation Definition • The process of evaluating artifacts to ensure that the right behaviors have been defined in the artifacts. • The right behaviors are those that adequately describe – what the system is supposed to do – what the system is not supposed to do, and – what the system is supposed to do under adverse conditions. • Validation ensures that the software system performs to the user’s needs under operational conditions. – Contains the desired capabilities to accomplish the mission goals – Does not contain unspecified limitation that impedes the capabilities

Validation Goal • To ensure that – The right behaviors have been defined •

Validation Goal • To ensure that – The right behaviors have been defined • Adequately describe – What the system is supposed to do – What the system is not supposed to do – What the system is supposed to do under adverse conditions • Correct and Complete – The requirement specifications are of high quality • Unambiguous, Consistent, and Verifiable

Correct (IVV 09 -1) • Applicable requirement(s) meet all or part of the goals

Correct (IVV 09 -1) • Applicable requirement(s) meet all or part of the goals and behaviors of the system – Note: not all requirements can be evaluated in isolation; it may require a set of requirements to be evaluated together in order to determine that a particular goal or behavior is being met). • The requirements are an accurate elaboration of the defined objectives or goals – e. g. , the use of temporal modal operators like “next”, “until”, “always”, and “eventually”, are appropriately used to reflect the desired behavior • The requirements adequately refine the higher-level requirements • Design or implementation-specific information is specified as constraints to the behaviors captured in the requirements

Complete (IVV 09 -1) • All the needed information to completely specify a desired

Complete (IVV 09 -1) • All the needed information to completely specify a desired behavior is identified (i. e. , all preconditions, postconditions, and invariants are specified for the described behavior). • Threads of behavior are represented by more than one requirement, versus one compound requirement that attempts to capture the entire thread (i. e. , that each requirement specifies only one “thing”). • The use of conjunctions (e. g. , “and”, “or”) are restricted to preconditions, postconditions, and invariants.

How? “This goal is achieved through the development and application of a system reference

How? “This goal is achieved through the development and application of a system reference model (SRM) that will include a formal specification. The SRM can then be used to show (e. g. , validate) that the right system behaviors are specified and the associated requirements are unambiguous, correct, complete, consistent, and verifiable. The SRM can also be used to validate (or develop) a test design that will demonstrate that the software products meet the specification and the operational need. ” – IVV 09 -1

The System Reference Model • Includes sets of Modeling Artifacts – – – Use

The System Reference Model • Includes sets of Modeling Artifacts – – – Use cases Activity Diagrams, Sequences Diagrams Statecharts Domain Models (Class Diagrams, Communication Diagrams) Statechart Assertions JUnit Test Cases • A concise description of the IV&V team’s understanding of the problem – Analysis tool – Communication tool • Captures expected system behaviors – 3 Questions

What’s In the SRM? Validation and Verification involves answering the following three questions: 1.

What’s In the SRM? Validation and Verification involves answering the following three questions: 1. Will the System do what it is supposed to do? 2. Will the System not do what it is not supposed to do? 3. Will the System maintain operations under adverse conditions? Note, in order to answer these questions, we must first have an independent understanding of: – What the system is supposed to do – What the system is not supposed to do – What the system is supposed to do to maintain operations under adverse conditions This information can be found within different areas of our model.

SRM Product Dependencies

SRM Product Dependencies

System Goals

System Goals

System Goals

System Goals

Constraints, Actors, and Environment

Constraints, Actors, and Environment

Text Use Cases

Text Use Cases

Use Case Example What the system is supposed to do All parts within the

Use Case Example What the system is supposed to do All parts within the Main Success Scenarios describe the actions that must take place to accomplish the goal(s). Adverse Conditions Extension Scenarios show the system should react to adverse conditions to get back on the success path or transition to safe mode.

Activity Diagram Example What the system is supposed to do All parts within the

Activity Diagram Example What the system is supposed to do All parts within the Main Success Scenarios describe the actions that must take place to accomplish the goal(s). Goal: Flight System precesses and damps nutation to point the High Gain Antenna at earth for communication and GRAV science Precondition: Engineering Instruments are calibrated <<Main Success Scenario>> <<Extension Scenarios>> Precess to Earth Point Fails Flight System Turn on IMUs Turn on Precession catalyst bed heaters Turn on X-band Transmitters ing to [turn oint] p earth Select High Gain Antenna Flight System [IMU D on or oes not t ur malfu nctio n ns] [Ca do t bed no t tu heate rn on rs ] Return Errors [not turn ing earth poin to t] Select Forward Low Gain Antenna Use Other Thrusters Turn off cat bed heaters Pulse RCS Thrusters Turn off IMU Passive Nutation Damping [thrusters do not fire] Adverse Conditions Extension Scenarios show the system should react to adverse conditions to get back on the success path or transition to safe mode.

Sequence Diagrams Example What the system is supposed to do The interactions of the

Sequence Diagrams Example What the system is supposed to do The interactions of the Sequence Diagram describe the steps involved to accomplish the goal(s). Adverse Conditions A sequence diagram can also be developed to show the system should react to adverse condition. 18

SRM Validation Scenarios What the system is NOT supposed to do This information can

SRM Validation Scenarios What the system is NOT supposed to do This information can be found in our Assertions and the Validation scenarios we create to test against them. r () o ct or () () () se or al ct rt. F Ve se te ta As r() S to ed ec at e. V im at st St t. E ed ge at ) im e( st ru t. E rt. T ge r() se to ec As e. V ) e e. V at e( ru t e. S at tim es rt. T se As at ct Ve te ta d. S t e. S at tim es e at im st t. E ge public void test. Scenario 2() { st. get. Estimated. State. Vector(); st. estimate. State. Vector(); assert. True (st. is. Success()); st. get. Estimated. State. Vector(); assert. False (st. is. Success()); }

Validation WBS (IVV 09 -1) 1. 0 Validation 1. 1 Obtain/Develop a System Reference

Validation WBS (IVV 09 -1) 1. 0 Validation 1. 1 Obtain/Develop a System Reference Model (SRM) 1. 2 Validate System Requirements 1. 3 Validate Test Design

Validate System Requirements • For each level of system decomposition, we need to determine

Validate System Requirements • For each level of system decomposition, we need to determine – Sufficiency of the requirements • Is there a corresponding requirement for every SRM behavior and Statechart assertion at that level? – Quality of the requirements • Assess the quality of each requirement that has a corresponding SRM behavior or Statechart assertion at that level – Sufficiency of the SRM • Is there any mission-critical, safety-critical requirement not covered by an SRM behavior or Statechart assertion at that level? • A “correlation map” is built to capture these relationships

Validation Possibilities Validated Requirements SRM Correct? Requirements Complete? SRM Behaviors Unambiguous, Correct, Consistent, &

Validation Possibilities Validated Requirements SRM Correct? Requirements Complete? SRM Behaviors Unambiguous, Correct, Consistent, & Verifiable Requirements SRM Correct? Requirements In Scope and Valid? Requirements

An Example Behavior Preconditions Goal Constraints Main Success Scenario – Q 1 & Q

An Example Behavior Preconditions Goal Constraints Main Success Scenario – Q 1 & Q 2 Extensions – Q 2 & Q 3 References Post-conditions

Requirement Proxies

Requirement Proxies

Requirement Proxies

Requirement Proxies

Requirement Proxies

Requirement Proxies

Requirement Proxies

Requirement Proxies

Other Analysis Tools Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Other Analysis Tools Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Requirement Data Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Requirement Data Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Parent Traces Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Parent Traces Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Child Traces Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Child Traces Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Correlation Mapping Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Correlation Mapping Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Validation Findings Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Validation Findings Subject Requirement Validation Findings Parent Requirements Correlation Mapping Child Requirements

Requirement Proxies

Requirement Proxies

Correlation Mapping & Requirement Evaluation

Correlation Mapping & Requirement Evaluation

Correlation Map

Correlation Map

Re s/Is sue s ing Fin d Ma ppi ng em ent s rem

Re s/Is sue s ing Fin d Ma ppi ng em ent s rem ent qui l El Mo de Correlation Map

Correct (IVV 09 -1) • Applicable requirement(s) meet all or part of the goals

Correct (IVV 09 -1) • Applicable requirement(s) meet all or part of the goals and behaviors of the system Coverage of Model – Note: not all requirements can be evaluated in isolation; it may require a set of requirements to be evaluated together in order to determine that a particular goal or behavior is being met). • The requirements are an accurate elaboration of the defined objectives or goals Consistency with Model – e. g. , the use of temporal modal operators like “next”, “until”, “always”, and “eventually”, are appropriately used to reflect the desired behavior • The requirements adequately refine the higher-level requirements • Design or implementation-specific information is specified as constraints to the behaviors captured in the requirements Separation of Information

Complete (IVV 09 -1) • All the needed information to completely specify a desired

Complete (IVV 09 -1) • All the needed information to completely specify a desired behavior is identified (i. e. , all preconditions, postconditions, and invariants are specified for the described behavior). • Threads of behavior are represented by more than one requirement, versus one compound requirement that attempts to capture the entire thread (i. e. , that each requirement specifies only one “thing”). • The use of conjunctions (e. g. , “and”, “or”) are restricted to preconditions, postconditions, and invariants. Coverage of Model

Correlation Mapping & Requirement Evaluation

Correlation Mapping & Requirement Evaluation

Correlation Mapping & Requirement Evaluation

Correlation Mapping & Requirement Evaluation

Identifying Issues • L 2 Rqmnt - The Project shall generate, route, transport, store

Identifying Issues • L 2 Rqmnt - The Project shall generate, route, transport, store and execute a sequence containing any of the following types of time-tagged commands: absolute time, time relative to a sequence-external time value stored on-board, time relative to the execution of the previous command in the sequence. • L 3 Rqmnt - The sequence time tags shall be either an absolute execution time, time relative to a sequence external time value, or a time relative to the execution of the previous command or command file. • L 4 Rqmnt - The flight software shall provide the means for running onboard relative and absolute time, relative to a sequence external time value, tagged sequences.

s/Is sue s ing Fin d Requirements Ma ppi ng rem ent qui em

s/Is sue s ing Fin d Requirements Ma ppi ng rem ent qui em ent s Model Re l El Mo de Identifying Issues Findings

Lessons Learned & Best Practices

Lessons Learned & Best Practices

Challenges • • Varying levels of detail between the SRM and requirements being validated

Challenges • • Varying levels of detail between the SRM and requirements being validated What vs. How – “Requirements Model” vs. “Design Model” Terminology differences between SRM behaviors and requirements Lack of adequate tools, work instructions, product descriptions/templates – particularly MKS Artifact Mapping capability

Questions?

Questions?

Italian Community Institutional Completeness Institutional Completeness The conceptItalian Community Institutional Completeness Institutional Completeness The concept
Political correctness v Emotional correctness Understand empathize andPolitical correctness v Emotional correctness Understand empathize and
Conciseness Courtesy Clarity Completeness Consideration Concreteness Correctness SevenConciseness Courtesy Clarity Completeness Consideration Concreteness Correctness Seven
Conciseness Courtesy Clarity Completeness Consideration Concreteness Correctness SevenConciseness Courtesy Clarity Completeness Consideration Concreteness Correctness Seven
Conciseness Courtesy Clarity Completeness Consideration Concreteness Correctness SevenConciseness Courtesy Clarity Completeness Consideration Concreteness Correctness Seven
Conciseness Courtesy Clarity Completeness Consideration Concreteness Correctness SevenConciseness Courtesy Clarity Completeness Consideration Concreteness Correctness Seven
Conciseness Courtesy Clarity Completeness Consideration Concreteness Correctness SevenConciseness Courtesy Clarity Completeness Consideration Concreteness Correctness Seven
Type Correctness Type Correctness Contracts provide signature preconditionType Correctness Type Correctness Contracts provide signature precondition
Program Correctness William Groesbeck Sam Delaney Program CorrectnessProgram Correctness William Groesbeck Sam Delaney Program Correctness
Program Correctness William Groesbeck Sam Delaney Program CorrectnessProgram Correctness William Groesbeck Sam Delaney Program Correctness
CIS 720 Correctness of Sequential Programs Correctness ofCIS 720 Correctness of Sequential Programs Correctness of
Program Correctness an introduction Program Correctness How doProgram Correctness an introduction Program Correctness How do
Validating the Planning Model Concept Validating the PlanningValidating the Planning Model Concept Validating the Planning
Validating the PRIDIT method for determining hospital qualityValidating the PRIDIT method for determining hospital quality
Operationalising and Validating ESEC Information Requirements and PotentialOperationalising and Validating ESEC Information Requirements and Potential
Requirements their Consistency and Completeness RSML Formulation ofRequirements their Consistency and Completeness RSML Formulation of
NRC REQUIREMENTS FOR COMPLETENESS AND ACCURACY OF INFORMATIONNRC REQUIREMENTS FOR COMPLETENESS AND ACCURACY OF INFORMATION
Completeness Robustness and Safety in the Requirements EngineeringCompleteness Robustness and Safety in the Requirements Engineering
Completeness Robustness and Safety in the Requirements EngineeringCompleteness Robustness and Safety in the Requirements Engineering
Requirements their Consistency and Completeness RSML Formulation ofRequirements their Consistency and Completeness RSML Formulation of
Software Requirements Nonfunctional requirements 2 Requirements measures RequirementsSoftware Requirements Nonfunctional requirements 2 Requirements measures Requirements
On requirements completeness analysis method Viktoria Gingina ScientificOn requirements completeness analysis method Viktoria Gingina Scientific
Chemical Formulas and Compounds Determining Chemical Formulas DeterminingChemical Formulas and Compounds Determining Chemical Formulas Determining
CDF Requirements for RUNJob Or Determining the RequirementsCDF Requirements for RUNJob Or Determining the Requirements