| Introduction |
| Critical systems are found in an increasing variety of application fields and industries like electronics, control, aeronautics, health equipment, etc. Most of them are embedded systems, controlling devices that may risk lives or damage assets, hence termed safety-critical systems. These applications generally involve concurrency and control aspects, as well as real-time requirements that challenge the development process. Building such applications requires advanced tools and techniques in order to support reliable and economically feasible development and verification processes. |
| Computer Aided Verification techniques, and particularly Modelchecking, constitute a promising approach that deals with these kinds of systems. These techniques have originally and mainly been applied to the automatic verification of circuits and protocols but their use is being extended to software intensive systems (e.g.[BCP+01], [AFM+02]). Moreover, formal models are being explored as a means to perform testing [JCTG96] and monitoring [HR01] of applications. |
| Providing user-friendly means for the description of formal requirements plays an important role in this technology transfer agenda (e.g. [DAC99, HM02]). A remarkable example is the pattern-based approach and catalogue of verification properties defined in [DAC99], which bridges the gap between natural language and verification logics, and also suggests that a large number of formal properties stated in practice fall into a small set of categories. |
| When developing VTS, our scenario-based notation, we focused on expressing real-time requirements in a visual and friendly fashion, avoiding the use of formal logics such as TCTL [ACD93], and the explicit use of observers, which may become in practice an overwhelming and error-prone task, even for practitioners trained in the use of formal methods. |
| The need for visual and simple formalisms (instead of powerful but often cumbersome logics) when dealing with event-based requirements has been pointed out in several works (e.g. [SHE01, HM02]). Specifying the whole expected behavior of a system, even in an abstract form, is usually a difficult task. We believe that the use of (partial) scenarios is a key strategy in dealing with the problem of expressing event-based properties. In particular, our approach consists in graphically describing those generic scenarios of the analyzed model which violate the requirements. A VTS scenario is basically an annotated partial order of relevant events which can be regarded as a pattern, in the sense that it denotes a (possibly infinite) set of matching executions. |
| VTS is meant to existentially predicate on scenarios. That is, it is used to state a simple but yet relevant family of questions of the form "Is there a potential run of the system that can match this generic scenario?". These questions are closely related to the concept of anti-scenario or forbidden scenario (e.g. [HM02, UKM02]) as we use them to express infringements of safety or progress requirements. These questions turn out to be decidable, and we have developed a tool to edit scenarios and model check them over timed automata models of the system under analysis. |