Automated Traceability Analysis
AlloyInEcore is being used to perform Automated Traceability Analysis in the tool-chain of Electronically Controlled Air Suspension (ECAS) functions.package requirementsmodel: tol= 'eu.modelwriter.examples.requirementsmodels'
{
public class Requirement [4]
{
property req: Requirement [*] {transitive, irreflexive, antisymmetric};
property refines: Requirement [*] {transitive, irreflexive, antisymmetric};
property contains: Requirement [*] {transitive, irreflexive, antisymmetric};
property conflicts: Requirement [*] {irreflexive, symmetric};
property equals: Requirement [*] {equivalence};
property partially_refines: Requirement [*] {transitive, irreflexive, antisymmetric};
attribute name: String [1];
invariant: all a, b: Requirement | (a != b) implies (a.name != b.name);
invariant: ("Daniel" + "Sarfraz" + "Emina" + "Eunsuk") in EString ;
}
public class TestCases extends Requirement{}
-- No intersection
invariant: no (req + ~req) & (refines + ~refines);
invariant: no (contains + ~contains) & (equals + ~equals);
invariant: no (conflicts + ~conflicts) & (partially_refines + ~partially_refines);
invariant: no (req + ~req + refines + ~refines) & (contains + ~contains + equals + ~equals);
invariant: no (req + ~req + refines + ~refines + contains + ~contains + equals + ~equals)
& (conflicts + ~conflicts + partially_refines + ~partially_refines);
-- Inferring new relations
invariant: req.refines in req;
invariant: req.contains in req;
invariant: req.conflicts in conflicts;
invariant: req.equals in req;
invariant: refines.req in req;
invariant: refines.contains in refines;
invariant: refines.partially_refines in partially_refines;
invariant: refines.conflicts in conflicts;
invariant: refines.equals in refines;
invariant: contains.req in req;
invariant: contains.refines in refines;
invariant: contains.partially_refines in partially_refines;
invariant: contains.conflicts in conflicts;
invariant: contains.equals in contains;
invariant: partially_refines.equals in partially_refines;
invariant: conflicts.equals in conflicts;
invariant: equals.req in req;
invariant: equals.refines in refines;
invariant: equals.contains in contains;
invariant: equals.conflicts in conflicts;
invariant: equals.partially_refines in partially_refines;
}
Axiomatization
In the following several axiom schemas are listed to formalize Traceability Theory, that is used in the Electronically Controlled Air Suspension (ECAS) System case study.Reasoning about equals relation
\begin{equation*}
\vdash \forall a, b, c \in A \mid (a,b) \in equals \wedge (b,c) \in \square \to (a,c) \in \square, \text{and}\\
\vdash \forall a, b, c \in A \mid (a,b) \in equals \wedge (c,b) \in square \to (c,a) \in \square, \text{and}\\
\vdash \forall a \in A \mid (a,a) \in equals, \\
\text{where } \square \in \{ contains , requires , refines , satisfies, conflicts \}
\end{equation*}
Reasoning about requires relation
\begin{equation*}
\vdash \forall a, b, c \in A \mid (a,b) \in \square \wedge (b,c) \in requires \to (a,c) \in requires, \text{and}\\
\vdash \forall a, b, c \in A \mid (a,b) \in requires \wedge (b,c) \in \square \to (a,c) \in requires, \\
\text{where } \square \in \{ requires, refines , contains \}
\end{equation*}
Reasoning about satisfies relation
\begin{equation*}
\vdash \forall a, b, c \in A \mid (a,b) \in \square \wedge (c,b) \in satisfies \to (c,a) \in satisfies, \text{and}\\
\vdash \forall a, b, c \in A \mid (a,b) \in \square \wedge (b,c) \in satisfies \to (a,c) \in satisfies, \\
\text{where } \square = refines
\end{equation*}
Reasoning about conflicts relation
\begin{equation*}
\vdash \forall a, b, c \in A \mid (a,b) \in \square \wedge (b,c) \in conflicts \to (a,c) \in conflicts, \text{and}\\
\vdash \forall a \in A \mid (a,a) \in conflicts, \\
\text{where } \square \in \{ requires , refines , contains \}
\end{equation*}
In the following axiom schema, transitivity is used for reasoning new traces, whereas anti-symmetry and irreflexivity are used to check consistency.
\begin{equation*}
\vdash \forall a, b, c \in A \mid (a,b) \in \square \wedge (b,c) \in \square \to (a,c) \in \square, \text{and}\\
\vdash \forall a, b \in A \mid (a,b) \in \square \wedge (b,a) \in \square \to a = b, \text{and}\\
\vdash \forall a \in A \mid (a,a) \notin \square, \\
\text{where } \square \in \; \{ contains , requires , refines , satisfies \}
\end{equation*}
Consistency of \textit{contains} Relation, which is left-unique (injective relation):
\begin{equation*}
\vdash \forall a, a', b \in A \mid (a,b) \in \square \wedge (a',b) \in \square \to a = a', \\
\text{where } \square = contains
\end{equation*}
For instance, in addition to the previously defined axioms using the following axiom schema, the system detects an inconsistency between two requirements, \(r_{60}\) and \(r_{59}\) as shown in the following Table.
\begin{equation*}
\forall a, b \in A \mid (a,b) \in \square \to (a,b) \notin \triangle \wedge (b,a) \notin \triangle, \text{where} \\
\text{for each} \; \square \in \{ requires , refines , satisfies , contains , conflicts \} \text{and}\\
(requires \; \cup \; refines \; \cup \; satisfies \; \cup \; contains \; \cup \; conflicts) \setminus \square \mapsto \triangle
\end{equation*}
Some Requirements and Code Fragments in ECAS