specifying software requirements for complex system:

Specifying Software Specifying Software Requirements for Complex Requirements for Complex

System:System:New Techniques and Their New Techniques and Their ApplicationApplication

Guanghui WengGuanghui Weng

About this paperAbout this paper

• Author: Kathryn L. HeningerAuthor: Kathryn L. Heninger

• Published in IEEE Transactions on Published in IEEE Transactions on software Engineering VOL. SE-6software Engineering VOL. SE-6

• January 1980January 1980

A-7 aircraftA-7 aircraft• Model Type:Model Type:

– Attack BomberAttack Bomber– Tactical FighterTactical Fighter– TrainerTrainer

• First flew in 1965First flew in 1965• Flew in 1990 Gulf WarFlew in 1990 Gulf War• Retired in 1993Retired in 1993

• One of the most One of the most successful military successful military aircraft aircraft

• greatest bargain in the greatest bargain in the weapon systemweapon system

A-7 aircraft continuedA-7 aircraft continued• New Techs used:New Techs used:

– Head-up displayHead-up display– Central navigation-weapon delivery software Central navigation-weapon delivery software

systemsystem– Many other avionics innovationsMany other avionics innovations

• CapabilityCapability– Heavy weapon loads (up to 20,000 pounds)Heavy weapon loads (up to 20,000 pounds)– Low maintenance requirements Low maintenance requirements – Superior weapon delivery accuracySuperior weapon delivery accuracy– Long range ( up to 4,250 nautical miles)Long range ( up to 4,250 nautical miles)– Low loss rate in combat (0.04%)Low loss rate in combat (0.04%)– Very low accident rate Very low accident rate

AbstractAbstract

• Purpose:Purpose:– Create a model that make the specsCreate a model that make the specs

• PrecisePrecise

• ConciseConcise

• UnambiguousUnambiguous

• Complex Complex real-timereal-time software system software system

• Example:Example:– Navy’s A-7 aircraft operation softwareNavy’s A-7 aircraft operation software

OutlineOutline

• IntroductionIntroduction• A-7 Program CharacteristicsA-7 Program Characteristics• ObjectivesObjectives• Design PrinciplesDesign Principles• Techs for Techs for

– Describing Hardware InterfaceDescribing Hardware Interface– Describing Software FunctionsDescribing Software Functions– Specifying Undesired EventsSpecifying Undesired Events– Characterizing Types of ChangeCharacterizing Types of Change

• Discussion and ConclusionDiscussion and Conclusion

IntroductioIntroductionn• Problem:Problem:

– Software is difficult to understand, change Software is difficult to understand, change and maintainand maintain

• New techniques:New techniques:– ModularityModularity– Information hidingInformation hiding– Abstract InterfaceAbstract Interface– Formal specFormal spec– Cooperating sequential processesCooperating sequential processes– Process synchronization routinesProcess synchronization routines– Resource monitorsResource monitors

• Naval Research Lab and Naval Weapons Naval Research Lab and Naval Weapons Center tried to use above techs to Center tried to use above techs to redesign and rebuilt the A-7 aircraft redesign and rebuilt the A-7 aircraft operation softwareoperation software

Why redesign?Why redesign?

• Identical to the existing programIdentical to the existing program

• Old program is hard to updateOld program is hard to update

• No spec!No spec!

• Very common in the real worldVery common in the real world– BarclaysBarclays

OutlineOutline




A-7 Program CharacteristicsA-7 Program Characteristics

• Tight memory(16K)Tight memory(16K)• Time constrainsTime constrains• 12,000 assembler instructions12,000 assembler instructions• Part of the Navigation/Weapon Delivery Part of the Navigation/Weapon Delivery

SystemSystem• InputsInputs

– SensorsSensors– CockpitsCockpits– PanelPanel

• It controls display devices and position It controls display devices and position sensorssensors

• 22 devices are connected to the computer22 devices are connected to the computer

OutlineOutline




Requirements Document Requirements Document ObjectivesObjectives

• Specify external behavior onlySpecify external behavior only– Without implying implementationWithout implying implementation

• Specify constraints on the Specify constraints on the implementationimplementation

• Be easy to changeBe easy to change• Serve as a reference toolServe as a reference tool• Record forethought about the life cycle Record forethought about the life cycle

of the systemof the system• Characterize acceptable responses to Characterize acceptable responses to

undesired eventsundesired events

OutlineOutline




Requirements Document Requirements Document Design PrinciplesDesign Principles

•State questions before State questions before trying to answer them.trying to answer them.– Timing constraints?Timing constraints?– Accuracy constraints?Accuracy constraints?– Changes expected?Changes expected?

•Separate concernsSeparate concerns– Divide and conquerDivide and conquer

•Be as formal as possibleBe as formal as possible

OutlineOutline• IntroductionIntroduction

• A-7 Program CharacteristicsA-7 Program Characteristics

• ObjectivesObjectives

• Design PrinciplesDesign Principles

• Techs for Techs for – Describing Hardware InterfaceDescribing Hardware Interface– Describing Software FunctionsDescribing Software Functions– Specifying Undesired EventsSpecifying Undesired Events– Characterizing Types of ChangeCharacterizing Types of Change

• DiscussionDiscussion

• ConclusionConclusion

Organization by data ItemOrganization by data Item

• Data item: for each input or output Data item: for each input or output that changes value independentlythat changes value independently– Input Data Items:Input Data Items:

•Barometric altitudeBarometric altitude

•Radar-measured distance to a ground pointRadar-measured distance to a ground point

• Inertial platform ready signalInertial platform ready signal

– Output Data Items:Output Data Items:•Coordinates Coordinates

•Rader antenna steering commandsRader antenna steering commands

•Computer failed lightsComputer failed lights

Data ItemData Item

• Designed a form to be completed Designed a form to be completed for each data itemfor each data item

• Start with the following questionStart with the following question– How to read or write these data?How to read or write these data?– How to represent the value using How to represent the value using

bit?bit?– Valid or not?Valid or not?

Symbolic Symbolic NamesNames

• Two kinds of info about data itemsTwo kinds of info about data items– Essential characteristicsEssential characteristics shared by similar shared by similar

devicedevice•Barometric altitudeBarometric altitude

– Arbitrary detailsArbitrary details changes with device changes with device•ResolutionResolution

•RepresentationRepresentation

•AccuracyAccuracy

•TimingTiming

Symbolic names for data Symbolic names for data item and valueitem and value

• Essential info must be expressed without Essential info must be expressed without referencing the arbitrary detailsreferencing the arbitrary details

• Essential info is given a mnemonic names Essential info is given a mnemonic names with different bracketswith different brackets– /input-data-item//input-data-item/– //output-data-item///output-data-item/– $nonnumeric-value$$nonnumeric-value$

• Fixed set of possible valuesFixed set of possible values– ON/OFFON/OFF

Templates for value Templates for value descriptiondescription

• Blanks to be completed for specific data Blanks to be completed for specific data itemitem

• Advantage:Advantage:– Easier to describeEasier to describe– ConsistentConsistent– Apply to the same standardApply to the same standard

• Example:Example:– Angle (?) is measured from line (?) to line (?) Angle (?) is measured from line (?) to line (?)

in the (?) direction, looking (?).in the (?) direction, looking (?).

Input data independent of Input data independent of software usesoftware use

• Refrain mentioning how the Refrain mentioning how the data is used by the software.data is used by the software.

• Avoid making any assumptions Avoid making any assumptions about the software functionabout the software function

• Define numerical values in Define numerical values in term of what they measureterm of what they measure– /RADALT//RADALT/

•Radar altimeterRadar altimeter

Example of Input Data ItemExample of Input Data Item• Input Data ItemInput Data Item: IMS Mode Switch: IMS Mode Switch• AcronymAcronym: /IMSMODE/: /IMSMODE/• HardwareHardware: Inertial Measurement Set: Inertial Measurement Set• DescriptionDescription: /IMSMODE/ indicates the position of a six-position : /IMSMODE/ indicates the position of a six-position

rotary switch on the IMS control panelrotary switch on the IMS control panelSwitch nomenclature: Switch nomenclature: OFF; GND ALIGN; NORM; INERTIAL; MAG SL; OFF; GND ALIGN; NORM; INERTIAL; MAG SL;

GRIDGRID

• Characteristics of ValuesCharacteristics of Values– Value Encoding: $Offnone$ (00000)Value Encoding: $Offnone$ (00000)

$Gndal$ (10000)$Gndal$ (10000) $Norm$ (01000)$Norm$ (01000) $Iner$$Iner$ (00100) (00100) $Grid$$Grid$ (00010) (00010) $Magsl$ (00001)$Magsl$ (00001)

• Instruction SequenceInstruction Sequence: READ 24 (Channel 0): READ 24 (Channel 0)• Data RepresentationData Representation: Bits 3-7: Bits 3-7• CommentsComments: /IMSMODE/ = $Offnone$ when the switch is between : /IMSMODE/ = $Offnone$ when the switch is between

two positionstwo positions

Output Data ItemsOutput Data Items

• Described in Terms of Effects on External Described in Terms of Effects on External HardwareHardware– //STEERAZ// & //STEEREL////STEERAZ// & //STEEREL//

• Communicate the direction to point the antenna of Communicate the direction to point the antenna of the radarthe radar

– //FPANGL////FPANGL//• Determine the climb or dive angleDetermine the climb or dive angle

• Avoid giving any meaning to an output Avoid giving any meaning to an output value that is not a characteristic of the value that is not a characteristic of the hardwarehardware

Example of Output Data Item Example of Output Data Item DescriptionDescription

• Output Data ItemOutput Data Item: Steering Error: Steering Error• AcronymAcronym: //STERROR//: //STERROR//• HardwareHardware: Attitude Direction Indicator (ADI): Attitude Direction Indicator (ADI)• DescriptionDescription: : //STEEROR// controls the position of the vertical needle on the ADI. A positive //STEEROR// controls the position of the vertical needle on the ADI. A positive

value moves the pointer to the right when looking at the display. A value of zero centers the value moves the pointer to the right when looking at the display. A value of zero centers the needle.needle.

• Characteristics of ValuesCharacteristics of Values– UnitUnit:: DegreesDegrees– RangeRange: : -2.5 to +2.5-2.5 to +2.5– AccuracyAccuracy:: .1.1– ResolutionResolution:: .00122.00122

• Instruction SequenceInstruction Sequence: WRITE 229 (Channel 7): WRITE 229 (Channel 7)Test Carry Bit = 0 for request acknowledged if not, Test Carry Bit = 0 for request acknowledged if not,

restartrestart• Data Representation:Data Representation: 11-bit two’s complement number, bit 0 and bits 3-12 11-bit two’s complement number, bit 0 and bits 3-12

scale = 512/1.25=409.6 offset =0scale = 512/1.25=409.6 offset =0output value = scale * (stand value + offset)output value = scale * (stand value + offset)

() not used (() not used ( ) 0 0 0) 0 0 00 1 2 3 4 5 6 7 8 9 10 11 12 13 14 150 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15• Timing CharacteristicsTiming Characteristics: Digital to DC voltage conversion.: Digital to DC voltage conversion.• CommentsComments: The pointer hits a mechanical stop at 2.5 degrees: The pointer hits a mechanical stop at 2.5 degrees

OutlineOutline




Organization by FunctionsOrganization by Functions

• Each function determines the values Each function determines the values for one or more output data itemsfor one or more output data items

• Each output data item is given values Each output data item is given values by exactly one functionsby exactly one functions

• Every function can be described in Every function can be described in terms of externally visible effects.terms of externally visible effects.

• Not fit all the project Not fit all the project

• Most output data items are used for Most output data items are used for only as small set of purposesonly as small set of purposes

Function typeFunction type

• Demand functionDemand function– Request by the occurrence of some eventRequest by the occurrence of some event– Computer failed lightComputer failed light

• Periodic functionPeriodic function– Performed repeatedly without requestPerformed repeatedly without request– If a periodic function need not be If a periodic function need not be

performed all the time, it should be performed all the time, it should be stopped by specific eventsstopped by specific events

– Maximum delay can be tolerated between Maximum delay can be tolerated between request and action - required repetition request and action - required repetition rates.rates.

Output values as functions of Output values as functions of conditions and eventsconditions and events

• Express requirements by giving output values as Express requirements by giving output values as functions of aircraft operating conditionsfunctions of aircraft operating conditions

• Condition is aspect of the system for a measurable Condition is aspect of the system for a measurable period of timeperiod of time– /IMSMODE/ = $Gndal$/IMSMODE/ = $Gndal$ is a is a conditioncondition that is T when the that is T when the

switch is set to the GND ALIGN positionswitch is set to the GND ALIGN position

• EventEvent occurs when condition changes T to F or F to occurs when condition changes T to F or F to TT– //LATGT70////LATGT70// should change value when the aircraft should change value when the aircraft

crosses 70 degree latitudecrosses 70 degree latitude– Events start and stop periodic functions and trigger Events start and stop periodic functions and trigger

demand functionsdemand functions– how the program detects this event is left to the how the program detects this event is left to the

implementationimplementation

Text MacrosText Macros

• Bracketed in exclamation points Bracketed in exclamation points • defined in an alphabetical dictionarydefined in an alphabetical dictionary• Abbreviations for compound conditions Abbreviations for compound conditions

that are frequently used or very detailedthat are frequently used or very detailed• Only one place in the dictionary need to Only one place in the dictionary need to

be changed if criteria changebe changed if criteria change• Example:Example:

– !Desig! Condition that is T when the pilot !Desig! Condition that is T when the pilot perform a sequence of actions that perform a sequence of actions that designates a target to computerdesignates a target to computer

EventsEvents

• @T(condition 1) denote condition 1 @T(condition 1) denote condition 1 becoming truebecoming true– @T(!ground track angle! < 30)@T(!ground track angle! < 30)

• @F(condition 2) denote condition 2 @F(condition 2) denote condition 2 becoming falsebecoming false

• @T(condition 3) WHEN (condition 4)@T(condition 3) WHEN (condition 4)– An event only occurs if condition 3 An event only occurs if condition 3

changes when condition 4 is truechanges when condition 4 is true•@T(condition 3) WHEN (condition 4)@T(condition 3) WHEN (condition 4)

ModeMode

• Organize conditions into groupsOrganize conditions into groups• Mnemonic name enclosed in asterisksMnemonic name enclosed in asterisks• Advantage:Advantage:

– Keep the function descriptions simpleKeep the function descriptions simple– If something goes wrong during flight, If something goes wrong during flight,

remember the mode instead of remember the mode instead of conditionsconditions

• Example:Example:– *DIG*: Doppler-Inertial-Gyrocompassing*DIG*: Doppler-Inertial-Gyrocompassing

Mode condition table Mode condition table ExampleExample

Mode /IMSMODE/ /ACAIRB/ !latitude! Other

*DIG* $Norm$ $Yes$ <70!IMS Up! AND !

Doppler Up!

*DI*$Norm$ OR

$Iner$$Yes$ <80

!IMS Up! AND !Doppler Up! AND !Doppler Coupled!

*I* $Iner$ X <80 !IMS Up!

*IMS fail* X X X !IMS Down!

• Navigation mode condition tableNavigation mode condition table

• X indicates that info is never appropriate for that modeX indicates that info is never appropriate for that mode

Special tables for precision and Special tables for precision and completenesscompleteness

• Condition table:Condition table: – Define some aspect of an output value that is Define some aspect of an output value that is

determined by an active mode and a condition determined by an active mode and a condition that occurs within that mode that occurs within that mode

– Periodic functionsPeriodic functions– Mutual exclusive of each rowMutual exclusive of each row

• Exactly one row should be TExactly one row should be T

• Event table:Event table: – When demand functions should be performWhen demand functions should be perform– Periodic functions start and stop pointPeriodic functions start and stop point– Each row in an event table corresponds to a Each row in an event table corresponds to a

group of modegroup of mode

Example of a conditional Example of a conditional tabletable

Mode Conditions

*DIG* *DI* *I* *Mag sl* *Grid*

Always X

*IMS fail* (NOT /IMSMODE/ = $Offnone$ /IMSMODE/ = $Offnone$

//MAGHDGH// //MAGHDGH// valuevalue

angle defined by /MAGHCOS/ angle defined by /MAGHCOS/ and /MAGHSIN/and /MAGHSIN/ 0 (North)0 (North)

• Magnetic heading (//MAGHDGH//) output valueMagnetic heading (//MAGHDGH//) output value

Example of an event tableExample of an event table

• When AUTOCAL Light Switched on/offWhen AUTOCAL Light Switched on/off

Mode Events

*Lautocal* *Sautocal*

@T (in mode) @F (In mode)

Action //AUTOCAL//:=$On$ //AUTOCAL//:=$Off$

Full demand function Full demand function exampleexample• Demand Function Name:Demand Function Name: Change scale factor Change scale factor

– Mode in which function requiredMode in which function required::• *Lautocal* *Sautocal* *Landaln* *SINSaln* *HUDaln*, *Airaln*

– Output data item:Output data item: //IMSSCAL// //IMSSCAL//– Function Request and Output Description:Function Request and Output Description:

• Event Table: When the scale factor is changedEvent Table: When the scale factor is changed

Mode Events

*Lautocal* *Sautocal*

@T(in mode) WHEN (//IMSSCAL// = $Coarse$

X

*HUDaln*@T(in mode) WHEN (//IMSMODE// =

$Gndal$ and (//IMSSCAL// = $Coarse$

@T(in mode) WHEN (NOT //IMSMODE// = $Gndal$

and (//IMSSCAL// = $Fine$)

*Lautocal* *SINSaln*

*Airaln*X

@T(in mode) WHEN (//IMSSCAL// = $Fine$)

Action //IMSSCAL// = $Fine$ //IMSSCAL// = $Coarse$

Completed periodic function Completed periodic function formform• Periodic function namePeriodic function name: update flight path marker coordinates: update flight path marker coordinates

– Modes in which function requiredModes in which function required::• *DIG* *DI* *I* *Mag sl* *Grid* *IMS fail*

– Output data item: //FPMAZ//, //FPMEL//– Initiation and termination events:

• Start: @T(//HUDVEL// = $On$)Start: @T(//HUDVEL// = $On$)• Stop: @T(//HUDVEL// = $Off$)Stop: @T(//HUDVEL// = $Off$)

– Output description:Output description:• The flight Path marker (FPM) symbol on the head-up display shows the direction of The flight Path marker (FPM) symbol on the head-up display shows the direction of

the aircraft velocity vector. ……the aircraft velocity vector. …… Condition table: Coordinates of the Flight Path MarkerCondition table: Coordinates of the Flight Path Marker

Mode Conditions

*DIG* *DI* X Always X

*I* /ACAIRB/ = $No$ /ACAIRB/ = $Yes$ X

*Mag sl* *Grid* /ACAIRB/ = $No$!ADC Up! And /ACAIRB/ = $Yes$

!ADC Down! And /ACAIRB/ = $Yes$

*IMS fail* /ACAIRB/ = $No$ X /ACAIRB/ = $Yes$

//MAGHDGH// value//FPMAZ// := 0

//FPMEL// := 0based on !System

velocities!//FPMAZ// := 0 //FPMEL// := /AOA/

OutlineOutline




List of undesired eventList of undesired event

• Classification schemeClassification scheme– Resource FailureResource Failure

• TemporaryTemporary• PermanentPermanent

– Incorrect input dataIncorrect input data• Detected by examining input onlyDetected by examining input only• Detected by comparison with internal dataDetected by comparison with internal data• Detected by user realizing he made a mistakeDetected by user realizing he made a mistake• Detected by user from incorrect outputDetected by user from incorrect output

– Incorrect internal dataIncorrect internal data• Detected by internal inconsistencyDetected by internal inconsistency• Detected by comparison with input dataDetected by comparison with input data• Detected by user from incorrect outputDetected by user from incorrect output

OutlineOutline




Techs for characterizing types of Techs for characterizing types of changeschanges

• Discover possible changesDiscover possible changes

• Make a feasible changes listMake a feasible changes list

• Example:Example:– Assignment of devices to channels Assignment of devices to channels – The rate of symbol movement on the display in The rate of symbol movement on the display in

response to joystick displacementresponse to joystick displacement– New sensors may be addedNew sensors may be added– More weaponsMore weapons– Self test might be required in the airSelf test might be required in the air– Cease lower priority functions to free resources for Cease lower priority functions to free resources for

higherhigher

OutlineOutline




Discussion and ConclusionDiscussion and Conclusion

• These techs are not limited to this These techs are not limited to this projectproject

• These techs helps:These techs helps:– Obtaining informationObtaining information– Controlling its complexityControlling its complexity– Avoiding with implementation detailsAvoiding with implementation details

• Plan for project systematicallyPlan for project systematically

Q & AQ & A

specifying software requirements for complex system:

Documents

software requirements

software engineering

existing programold

weapon systema

aircraft continuednew

accuracy constraints

timing constraints

maintainnew techniques