A Process for Verifying and Validating Requirements for Fault Tolerant Systems using Model Checking1

Model checking is shown to be an effective tool in validating the behavior of a fault tolerant embedded spacecrafi controllel: The case study presented here shows that by judiciously abstracting away extraneous complexity, the state space of the model could be exhaustively searched allowing critical functional requirements to be validated down to the design level. Abstracting away detail not germane to the problem of interest leaves by definition a partial specification behind. The success of this procedure shows that it is feasible to effectively validate a partial Specification with this technique. Three anomalies were found in the system. One was an error in the detailed requirements, and the other two were missing/ambiguous requirements. Because the method allows validation of partial specifications, it is also an effective approach for maintaining fidelity between a coevolving specification and an implementation. We also show that two of the three anomalies were found in the implementation, demonstrating the overall effectiveness of the process and the importance of a good software design. The research described in this paper was carried out in part by the Jet Propulsion Laboratory, California Institute of Technology, under a contract with the National Aeronautics and Space Administration, and in part by West Virginia University under NASA cooperative agreement #NCC 2-979. Reference herein to any specific commercial product, process, or service by trade, name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement by the United States Government, the Jet Propulsion Laboratory, California Institute of Technology or West Virginia University Jet Propulsion Laboratory I California Institute of Technolom, MS 125-233 Pasadena, CA 91109. Computing Sciences Research, Bell Laboratories, Lucent Technologies, Murray Hill, NJ 07974