Deriving real-time monitors from system requirements documentation

Abstract

<p>When designing safety- or mission-critical real-time systems, a specification of the required behaviour of the system should be produced and reviewed by domain experts. Also, after the system has been implemented, it should be thoroughly tested to ensure that it behaves correctly. This, however, can be difficult if the requirements are complex or involve strict time constraints. A monitor is a system that observes the behaviour of a target system and reports if that behaviour is consistent with the requirements. Such a monitor can be used as an oracle during testing or as a supervisor during operation. This thesis presents a technique and tool for generating software for such a monitor from a system requirements document. A system requirements documentation technique, based on [102], is presented, in which the required system behaviour is described in terms of the environmental quantities that the system is required to observe and control, which are modelled as the initial conditions and a sequence of events. The required value of all controlled quantities is specified, possibly using modes --equivalence classes of histories--to simplify the presentation. Deviations from the ideal behaviour are described using either tolerance or accuracy functions. The monitor will be affected by the limitations of the devices it uses to observe the environmental quantities, resulting in the potential for false negative or positive reports. The conditions under which these occur are discussed. The generation of monitor software from the requirements documentation for a realistic system is presented. This monitor is used to test an implementation of the system, and is able to detect errors in the behaviour that were not detected by previous testing. For this example the time required for the monitor software to evaluate the behaviour is less than the interval between events.</p>