# Sequence-Based Specification

Tom Swain tomswain@comcast.net

# Specification Objectives

#### Completeness

a response is defined for every stimulus history

#### Consistency

each stimulus history maps to only one response

#### Correctness

the specification is explicitly traceable to the requirements

# How Can We Ensure Correct Operation of Critical Software?

- Testing?
  - A sampling process
  - As complexity increases, a sufficient sample becomes impractical
- Peer Review of Documentation/Code?
  - Often subjective
  - Labor intensive
  - No objective criteria for sufficiency

# The Only Practical Alternative: Rigorous Specification and Design

#### Basic Premise

A <u>software program</u> is a rule for computing a <u>mathematical function</u> that maps <u>all</u> possible stimulus histories to <u>all</u> possible responses

#### Approach

- Derive mathematically <u>rigorous specification</u>
   and design from requirements
- Prove critical design properties using basic mathematics of software

# Problem: How Do We Produce the Formal Specification?



# Security Alarm Example



# Security Alarm Requirements



#### Requirements

- Individual requirements tagged for traceability.
- Initial requirements assumed to be incomplete, inconsistent, and possibly incorrect.
- Enumeration is a systematic process for discovering omissions and ambiguities.
- Domain experts review clarified requirements for correctness.

# Rigorous Specification Process

- Establish <u>system boundary</u>.
- Define human/software/hardware interfaces.
- Itemize <u>stimuli</u>.
- Itemize responses.
- Perform <u>enumeration</u>.
- Perform <u>canonical sequence analysis</u>.
- Generate <u>state machine specification</u>.
- Transform to <u>formal notation</u> (e.g., ACL2).

#### System Boundary and Interfaces



# Level of Detail to Specify

#### Necessary Detail Test

A behavioral detail is necessary to the spec if it affects interface development or long-run system behavior.

#### Detail to be Deferred

Specific algorithm used for internal calculation.

#### Necessary Detail

Changes to default settings.

#### **Definitions**

- Stimulus an event resulting in information flow from the outside to the inside of the system boundary
- Response information flow from inside to outside the system boundary

### Security Alarm Stimuli



# Security Alarm Responses



#### **Enumeration Overview**

- Define response to all possible stimulus sequences by considering them in order of length.
- Continue until all sequences of a given length are illegal or equivalent to previous sequences.
- Identify canonical sequences.

#### **Enumeration Mechanics**

- For each sequence of length n, do the following:
  - If illegal, mark it illegal and do not extend further.
  - Document correct response based on requirements.
  - If no requirement found, create derived requirement.
  - Record requirements trace.
  - Check for equivalence with previous sequences.
- Extend only those sequences that are not illegal or equivalent.

# Important Definitions

- A sequence is
  - illegal by definition if it is impossible for the system to observe it or for the environment to generate it
  - illegal by design if it violates the system definition

#### More Important Definitions

#### A sequence is

- equivalent to another sequence if their responses to any future stimulus sequences are identical
- <u>reduced</u> if it has been declared equivalent to a previous sequence
- <u>canonical</u> if it is legal and unreduced when enumeration is complete

#### **Abstract Stimulus**

- Single stimulus representing multiple events.
- Examples:
  - Menu selection, toolbar button, and keyboard accelerator that initiate the same function.
  - Numeric input mapped into ranges (e.g., normal, critical, invalid).

#### Sequence Abstraction

- Arrival of a stimulus with certain historical conditions in effect.
- Uses-Examples:
  - Temporal Semantics Replace individual clock pulses with every n<sup>th</sup> pulse.
  - Interface Details Combine multiple keystrokes/mouse clicks into a single selection stimulus.
  - Function Isolation Separate specification of largely independent interfaces or subsystems.

# **Enumeration Example**

Sequences of Lengths 1-2

| Name         | Length           | Prefix              | Action       | Responses      | Response trace       | Legal      | Equivalence     |  |
|--------------|------------------|---------------------|--------------|----------------|----------------------|------------|-----------------|--|
| ♦ B          | ★ 1              | ♦ <lambda></lambda> | ♦ B          | ♦              | ♦ D1                 | .tegai     |                 |  |
| ♦ C          | ↑ 1              | ♦ <lambda></lambda> | ♦ C          | <b>*</b>       | ◆ D1                 | <b>*</b>   | <b>*</b>        |  |
| ♦ G          | ↑ 1              |                     | <b>♦</b> G   | <b>*</b>       | ◆ D1                 | <b>*</b>   | <b>*</b>        |  |
| ♦ S          |                  |                     |              |                |                      |            |                 |  |
|              | <b>†</b> 1       | ♦ <lambda></lambda> | ♦ S          | ♦ LightOn      | <b>♦</b> 2, 3        | ♦ yes      | <b>*</b>        |  |
| ♦ T          | <b>†</b> 1       | ♦ <lambda></lambda> | ◆ T          | <b>*</b>       | ♦ D1                 | <b>*</b>   | <b>*</b>        |  |
| ♦ S.B        | <b>*</b> 2       | <b>♦</b> S          | ◆ B          | <b>*</b>       | ◆ D3                 | ♦ yes      | <b>*</b>        |  |
| ♦ S.C        | <b>♦</b> 2       | ♦ S                 | ♦ C          | <b>*</b>       | ◆ D4                 | ♦ yes      | <b>♦</b> S      |  |
| ♦ S.G        | ♦ 2              | ♦ S                 | ♦ G          | ♦ LightOn      | ◆ D5                 | ♦ yes      | <b>*</b>        |  |
| <b>♦ S.S</b> | <b>♦</b> 2       | ♦ S                 | ♦ S          | ♦ AlarmOff     | ◆ D2                 | ♦ yes      | ♦ S             |  |
| ♦ S.T        | ♦ 2              | ♦ S                 | ♦ T          | ♦ AlarmOn      | ♦ 4                  | ♦ yes      | <b>*</b>        |  |
| ♦ S.B.B      | ♦ 3              | ♦ S.B               | ◆ B          | <b>*</b>       | ◆ D3                 | ♦ yes      | ♦ S.B           |  |
| ♦ S.B.C      | → 3              | ♦ S.B               | ♦ C          | <b>*</b>       | → 7, D4              | ♦ yes      | ♦ S             |  |
| ♦ S.B.G      | → 3              | ♦ S.B               | ◆ G          | <b>*</b>       | ♦ 7                  | <b>*</b>   | <b>*</b>        |  |
| ♦ S.B.S      | → 3              | ♦ S.B               | <b>♦</b> S   | <b>*</b>       | ◆ D2                 | ♦ yes      | ♦ S.B           |  |
| ♦ S.B.T      | → 3              | ♦ S.B               | ◆ T          | ♦ AlarmOn      | <b>*</b> 4           | ♦ yes      | <b>*</b>        |  |
| ♦ S.G.B      | → 3              | ♦ S.G               | ◆ B          | <b>+</b>       | ◆ D3                 | ♦ yes      | ♦ S.B           |  |
| ♦ S.G.C      | <b>♦</b> 3       | ♦ S.G               | <b>♦</b> C   | <b>*</b>       | ♦ D4                 | ♦ yes      | <b>♦</b> S      |  |
| Requirement  | ts Interfaces St | timuli Outputs Nam  | ed Responses | Predicates Map | pings State Variable | Definition | Canonical Seque |  |
| Properties   | s 🏻              |                     |              |                |                      |            |                 |  |
| Property     |                  |                     |              |                | Value                | Value      |                 |  |
| Name         |                  |                     |              |                | E S.T.T              | © S.T.T    |                 |  |
| Length       |                  |                     |              |                | <u> </u>             |            |                 |  |

# Derived Requirements



#### **Enumeration Continued**

Sequences of Length 3

| Name      | Length     | Prefix  | Action     | Responses  | Response trace | Legal    | Equivalence |
|-----------|------------|---------|------------|------------|----------------|----------|-------------|
| ♦ S.G     | <b>♦ 2</b> | ♦ S     | <b>♦</b> G | ♦ LightOn  | ♦ D5           | ♦ yes    | <b>*</b>    |
| ♦ S.S     | <b>♦ 2</b> | ♦ S     | <b>♦</b> S | ◆ AlarmOff | ◆ D2           | ♦ yes    | ♦ S         |
| T 2 ♠     | <b>♣</b> 2 | A C     | . T        | AlarmOn    | <b>△</b> 1     | A vec    | A           |
| ♦ S.B.B   | <b>♦ 3</b> | ♦ S.B   | ◆ B        | <b>*</b>   | ◆ D3           | ♦ yes    | ♦ S.B       |
| ♦ S.B.C   | <b>♦</b> 3 | ♦ S.B   | <b>♦</b> C | <b>*</b>   | ♦ 7, D4        | ♦ yes    | ♦ S         |
| ♦ S.B.G   | <b>♦ 3</b> | ♦ S.B   | <b>♦ G</b> | <b>*</b>   | <b>♦</b> 7     | <b>*</b> | <b>*</b>    |
| ♦ S.B.S   | <b>♦</b> 3 | ♦ S.B   | <b>♦ S</b> | <b>*</b>   | ◆ D2           | ♦ yes    | ♦ S.B       |
| ♦ S.B.T   | <b>♦</b> 3 | ♦ S.B   | ◆ T        | ◆ AlarmOn  | <b>♦</b> 4     | ♦ yes    | <b>*</b>    |
| ♦ S.G.B   | <b>♦ 3</b> | ♦ S.G   | ◆ B        | <b>*</b>   | ◆ D3           | ♦ yes    | ♦ S.B       |
| ♦ S.G.C   | <b>♦</b> 3 | ♦ S.G   | <b>♦</b> C | <b>*</b>   | ◆ D4           | ♦ yes    | ♦ S         |
| ♦ S.G.G   | <b>♦</b> 3 | ♦ S.G   | <b>♦ G</b> | <b>*</b>   | ◆ D5           | ♦ yes    | <b>*</b>    |
| ♦ S.G.S   | <b>♦</b> 3 | ♦ S.G   | <b>♦</b> S | <b>*</b>   | ◆ D2           | ♦ yes    | ♦ S.G       |
| ♦ S.G.T   | <b>♦</b> 3 | ♦ S.G   | ◆ T        | ◆ AlarmOn  | ♦ 4, D7        | ♦ yes    | ♦ S.T       |
| ♦ S.T.B   | <b>♦</b> 3 | ♦ S.T   | ◆ B        | <b>*</b>   | ◆ D3           | ♦ yes    | ♦ S.B.T     |
| ♦ S.T.C   | <b>♦ 3</b> | ♦ S.T   | <b>♦</b> C | <b>*</b>   | ◆ D4           | ◆ yes    | ♦ S.T       |
| ♦ S.T.G   | <b>♦ 3</b> | ♦ S.T   | <b>♦ G</b> | <b>*</b>   | ◆ D5           | ♦ yes    | <b>*</b>    |
| ♦ S.T.S   | <b>♦ 3</b> | ♦ S.T   | <b>♦</b> S | <b>*</b>   | ◆ D2           | ♦ yes    | ♦ S.T       |
| ♦ S.T.T   | → 3        | ♦ S.T   | <b>♦</b> T | <b>*</b>   | ◆ D6           | ◆ yes    | ♦ S.T       |
| ◆ 2.B.1.B | <b>♦</b> 4 | ♦ 2.B.1 | ♦ B        | <b>*</b>   | ◆ D3           | ♦ yes    | ♦ S.B.1     |
| ♦ S.B.T.C | <b>♦</b> 4 | ♦ S.B.T | <b>♦</b> C | <b>*</b>   | ♦ 7, D4        | ♦ yes    | ♦ S.T       |
| ♦ S.B.T.G | ♦ 4        | ♦ S.B.T | ◆ G        | <b></b>    | ♦ 7            | <b></b>  | <b>*</b>    |

# More Derived Requirements



#### **Enumeration Continued**

Sequences of Length 4

| Name        | Length     | Prefix    | Action     | Responses | Response trace | Legal    | Equivalence            |
|-------------|------------|-----------|------------|-----------|----------------|----------|------------------------|
| ♦ S.T.S     | <b>♦</b> 3 | ♦ S.T     | ♦ S        | <b>*</b>  | ◆ D2           | ♦ yes    | ♦ S.T                  |
| A S T T     | <b>.</b> 3 | A 5.T     | .A. T      | A         | ♣ D6           | ♣ vec    | T2 ♠                   |
| ♦ S.B.T.B   | <b>4</b>   | ♦ S.B.T   | <b>♦</b> B | <b>*</b>  | <b>♦</b> D3    | ♦ yes    | ♦ S.B.T                |
| ♦ S.B.T.C   | <b>4</b>   | ♦ S.B.T   | ◆ C        | <b>*</b>  | ◆ 7, D4        | ♦ yes    | ♦ S.T                  |
| ♦ S.B.T.G   | <b>♦ 4</b> | ♦ S.B.T   | ♦ G        | <b>*</b>  | <b>♦</b> 7     | <b>*</b> | <b>*</b>               |
| ♦ S.B.T.S   | <b>♦ 4</b> | ♦ S.B.T   | ♦ S        | <b>*</b>  | ◆ D2           | ♦ yes    | ♦ S.B.T                |
| ♦ S.B.T.T   | <b>♦ 4</b> | ♦ S.B.T   | ◆ T        | <b>*</b>  | ◆ D6           | ♦ yes    | ♦ S.B.T                |
| ♦ S.G.G.B   | <b>♦ 4</b> | ♦ S.G.G   | ◆ B        | <b>*</b>  | ◆ D3           | ♦ yes    | ♦ S.B                  |
| ♦ S.G.G.C   | <b>♦ 4</b> | ♦ S.G.G   | <b>♦ C</b> | <b>*</b>  | ◆ D4           | ♦ yes    | ♦ S                    |
| ♦ S.G.G.G   | <b>♦ 4</b> | ♦ S.G.G   | ♦ G        | <b>*</b>  | <b>♦</b> 6     | ♦ yes    | ♦ <lamb< p=""></lamb<> |
| ♦ S.G.G.S   | <b>♦ 4</b> | ♦ S.G.G   | ♦ S        | <b>*</b>  | ◆ D2           | ♦ yes    | ♦ S.G.G                |
| ♦ S.G.G.T   | <b>♦ 4</b> | ♦ S.G.G   | ◆ T        | <b>*</b>  | ◆ 4, D7        | ♦ yes    | ♦ S.T                  |
| ♦ S.T.G.B   | <b>♦ 4</b> | ♦ S.T.G   | ◆ B        | <b>*</b>  | ◆ D3           | ◆ yes    | ♦ S.B.T                |
| ♦ S.T.G.C   | ◆ 4        | ♦ S.T.G   | ♦ C        | <b>*</b>  | ◆ D4           | ♦ yes    | ♦ S.T                  |
| ♦ S.T.G.G   | <b>♦</b> 4 | ♦ S.T.G   | ♦ G        | <b>*</b>  | ◆ D5           | ♦ yes    | <b>*</b>               |
| ♦ S.T.G.S   | <b>4</b>   | ♦ S.T.G   | ♦ S        | <b>*</b>  | ◆ D2           | ♦ yes    | ♦ S.T.G                |
| ♦ S.T.G.T   | <b>♦</b> 4 | ♦ S.T.G   | ♦ T        | <b>*</b>  | ◆ D6           | ♦ yes    | ♦ S.T.G                |
| ◆ 2.1.G.G.B | <b>*</b> 5 | ♦ 5.1.G.G | ♠ B        | <b>*</b>  | ◆ D3           | ◆ yes    | ◆ 2'R'1                |
| ♦ S.T.G.G.C | <b>♦</b> 5 | ♦ S.T.G.G | ◆ C        | <b>*</b>  | ◆ D4           | ♦ yes    | ♦ S.T                  |
| ♦ S.T.G.G.G | <b>♦</b> 5 | ♦ S.T.G.G | ♦ G        | <b>*</b>  | 3, 5, 6        | ♦ yes    | ♦ <lamb< p=""></lamb<> |
| A STGGS     | <b>♦</b> 5 | A STGG    | A 5        | ٨         | ♣ D2           | A ver    | A STGG                 |

# Enumeration Completed Sequences of Length 5

| Name        | Length     | Prefix    | Action | Responses | Response trace | Legal    | Equivalence            |
|-------------|------------|-----------|--------|-----------|----------------|----------|------------------------|
| ♦ S.T.S     | <b>♦</b> 3 | ♦ S.T     | ♦ S    | <b>*</b>  | ◆ D2           | ♦ yes    | ♦ S.T                  |
| ♦ S.T.T     | → 3        | ◆ S.T     | ♦ T    | <b>*</b>  | ◆ D6           | ♦ yes    | ♦ S.T                  |
| ♦ S.B.T.B   | → 4        | ♦ S.B.T   | ◆ B    | <b>*</b>  | ◆ D3           | ♦ yes    | ♦ S.B.T                |
| ♦ S.B.T.C   | ♦ 4        | ♦ S.B.T   | ◆ C    | <b>*</b>  | → 7, D4        | ♦ yes    | ♦ S.T                  |
| ♦ S.B.T.G   | ♦ 4        | ♦ S.B.T   | ◆ G    | <b>*</b>  | <b>♦</b> 7     | <b>*</b> | <b>*</b>               |
| ♦ S.B.T.S   | <b>4</b>   | ♦ S.B.T   | ♦ S    | <b>*</b>  | ◆ D2           | ♦ yes    | ♦ S.B.T                |
| ♦ S.B.T.T   | <b>♦</b> 4 | ♦ S.B.T   | ◆ T    | <b>*</b>  | ◆ D6           | ♦ yes    | ♦ S.B.T                |
| ♦ S.G.G.B   | <b>♦</b> 4 | ♦ S.G.G   | ◆ B    | <b>*</b>  | ◆ D3           | ♦ yes    | ♦ S.B                  |
| ♦ S.G.G.C   | <b>4</b>   | ♦ S.G.G   | ◆ C    | <b>*</b>  | ◆ D4           | ♦ yes    | ♦ S                    |
| ♦ S.G.G.G   | <b>♦</b> 4 | ♦ S.G.G   | ♦ G    | <b>*</b>  | <b>♦</b> 6     | ♦ yes    | ♦ <lamb< p=""></lamb<> |
| ♦ S.G.G.S   | <b>4</b> 4 | ♦ S.G.G   | ♦ S    | <b>*</b>  | ◆ D2           | ♦ yes    | ♦ S.G.G                |
| ♦ S.G.G.T   | <b>4</b>   | ♦ S.G.G   | ◆ T    | <b>*</b>  | ♦ 4, D7        | ♦ yes    | ♦ S.T                  |
| ♦ S.T.G.B   | <b>♦</b> 4 | ♦ S.T.G   | ◆ B    | <b>*</b>  | ◆ D3           | ♦ yes    | ♦ S.B.T                |
| ♦ S.T.G.C   | <b>4</b> 4 | ◆ S.T.G   | ◆ C    | <b>*</b>  | ◆ D4           | ♦ yes    | ♦ S.T                  |
| ♦ S.T.G.G   | → 4        | ♦ S.T.G   | ♦ G    | <b>*</b>  | ♦ D5           | ♦ yes    | <b>*</b>               |
| ♦ S.T.G.S   | <b>4</b>   | ♦ S.T.G   | ♦ S    | <b>*</b>  | ◆ D2           | ♦ yes    | ♦ S.T.G                |
| ♦ S.T.G.T   | ♦ 4        | ◆ S.T.G   | ◆ T    | <b>♦</b>  | ◆ D6           | ♦ ves    | ◆ S.T.G                |
| ♦ S.T.G.G.B | <b>♦</b> 5 | ♦ S.T.G.G | ◆ B    | <b>*</b>  | ◆ D3           | ♦ yes    | ♦ S.B.T                |
| ♦ S.T.G.G.C | <b>♦</b> 5 | ♦ S.T.G.G | ♦ C    | <b>*</b>  | ◆ D4           | ♦ yes    | ♦ S.T                  |
| ♦ S.T.G.G.G | <b>♦</b> 5 | ♦ S.T.G.G | ♦ G    | <b>*</b>  | 3, 5, 6        | ♦ yes    | ♦ <lamb< p=""></lamb<> |
| ♦ S.T.G.G.S | <b>♦</b> 5 | ♦ S.T.G.G | ♦ S    | <b>*</b>  | ◆ D2           | ♦ yes    | ♦ S.T.G.G              |
| ♦ S.T.G.G.T | ♦ 5        | ♦ S.T.G.G | ♦ T    | <b></b>   | ♦ D6           | ♦ yes    | ♦ S.T.G.G              |

#### Canonical Sequence Analysis

| Name                   | State var values                                    |  |  |  |  |  |
|------------------------|-----------------------------------------------------|--|--|--|--|--|
| ♦ <lambda></lambda>    | Alarm = [ANY], Code = [ANY], Invoked = No           |  |  |  |  |  |
| ♦ S                    | ♦ Alarm = Off, Code = None, Invoked = Yes           |  |  |  |  |  |
| ♦ S.B                  | ♦ Alarm = Off, Code = Error, Invoked = Yes          |  |  |  |  |  |
| ♦ S.G                  | ♦ Alarm = Off, Code = 1_OK, Invoked = Yes           |  |  |  |  |  |
| ♦ S.T                  | ♦ Alarm = On, Code = None, Invoked = Yes            |  |  |  |  |  |
| ♦ S.B.T                | ♦ Alarm = On, Code = Error, Invoked = Yes           |  |  |  |  |  |
| ♦ S.G.G                | ♦ Alarm = Off, Code = 2_OK, Invoked = Yes           |  |  |  |  |  |
| ♦ S.T.G                | ♦ Alarm = On, Code = 1_OK, Invoked = Yes            |  |  |  |  |  |
| ♦ S.T.G.G              | ♦ Alarm = On, Code = 2_OK, Invoked = Yes            |  |  |  |  |  |
|                        |                                                     |  |  |  |  |  |
| Requirements Interface | s Stimuli Outputs Named Responses Predicates Mappir |  |  |  |  |  |
| ■ Properties ⊠         |                                                     |  |  |  |  |  |

#### Canonical Sequence Analysis

- Construct a table and list the canonical sequences in the order enumerated.
- Define one or more state variables such that each canonical sequence corresponds to a unique combination of values.

#### State Machine Spec

- Start with state variables from canonical sequence analysis.
- Invent state variables required to compute abstractions\*.
- Invent state variables required to compute abstract responses.
- Simplify state data, if possible.
- Recast stimulus/condition/response table (Black Box) to stimulus/start state/end state/response table (State Box).

\*Removal of some abstractions may be deferred to the clear box specification.

#### State Box Specification Excerpt:

#### Stimulus: G, Good Digit

| Initial State |       |         | Doononoo       | Final State  |      |         |  |
|---------------|-------|---------|----------------|--------------|------|---------|--|
| <u>Alarm</u>  | Code  | Invoked | Response       | <u>Alarm</u> | Code | Invoked |  |
| [ANY]         | [ANY] | No      | illegal        |              |      |         |  |
| Off           | None  | Yes     | <u>LightOn</u> | Off          | None | Yes     |  |
| Off           | Error | Yes     | illegal        |              |      |         |  |
| Off           | 1_0K  | Yes     | null           | Off          | 1_0K | Yes     |  |
| On            | None  | Yes     | null           | On           | None | Yes     |  |
| On            | Error | Yes     | illegal        |              |      |         |  |
| Off           | 2_0K  | Yes     | null           | Off          | 2_0K | Yes     |  |
| On            | 1_0K  | Yes     | null           | On           | 1_0K | Yes     |  |
| On            | 2_0K  | Yes     | null           | On           | 2_0K | Yes     |  |

#### Implementation

- Define high level architecture.
- Define stimulus gathering implementation.
- Define response generation implementation.
- Map state data to specific architectural components.
- Define implementation of each transition in State Box table.
- Map implementation of State Box table entries to architecture.

#### State Machine ⇒ Code



# Rigorous Specification and Software Development Process

- Automatically transform enumeration to state machine or formal spec
- Generate code and test usage model from state machine spec
- Perform formal verification based on spec
- Generate test oracle from spec

#### Overview



#### Summary and Conclusion

- Sequence-Based Specification is a method for producing consistent, complete, and traceably correct software specifications.
- The method is based on a simple sequence enumeration procedure and basic requirements analysis skills.
- The results can be freely converted to state machines and other formal representations for
  - Automatic Code Generation
  - Formal Verification via Theorem Provers
  - Test Case Generation and Results Analysis