Linking Functional Requirements and Software Verification

Hendrik Post, Carsten Sinz
University of Karlsruhe, Institute for Theoretical Computer Science, Karlsruhe, Germany
{post, sinz}@ira.uka.de

Florian Merz, Thomas Gorges, Thomas Kropf
Robert Bosch GmbH, Chassis Systems Control, Leonberg, Germany
Thomas.Gorges@de.bosch.com

Abstract

Synchronization between component requirements and implementation-centric tests remains a challenge that is usually addressed by requirements reviews with testers and traceability policies [16]. The claim of this work is that linking requirements, their scenario-based formalizations, and software verification provides a promising extension to this approach. Formalized scenarios, for example in the form of low-level assume/assert statements in C, are easier to trace to requirements than traditional test sets. For a verification engineer, they offer an opportunity to better participate in requirements changes. Changes in requirements can be more easily propagated because adapting formalized scenarios is often easier than deriving and updating a large set of test cases.

The proposed idea is evaluated in a case study encompassing over 50 functional requirements of an automotive software developed at Robert Bosch GmbH. Results indicate that requirement formalization together with formal verification leads to the discovery of implementation problems missed in a traditional testing process.

1 Introduction

The importance of linking testing and requirements, e.g., via test traceability, has been investigated in a recent case study reporting practices and experiences from Finnish organizations [16] and is supported by previous work, e.g., by Graham [10]. A tight link will likely improve the outcome of the software development process. Lindstrom [13] even claims that missed links between people or documents will lead to a flawed product.
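As an added example (not code from the paper, nor from Bosch), the following shows what a requirement-derived assume/assert scenario in C can look like, next to a stand-alone bounded check that exercises it. The component (a clamp-and-rate limiter), the requirement id REQ-A, the input bounds, and the ASSUME macro are all assumptions made for illustration; a verifier would treat the scenario inputs as nondeterministic, whereas here they are enumerated over a small grid.

```c
/* Added example, not from the paper: a hypothetical functional requirement
 * formalized as an assume/assert scenario in C. Component, requirement id
 * and input bounds are all constructed for illustration. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int16_t (*step_fn)(int16_t prev, int16_t request, int16_t max, int16_t slew);

/* Hypothetical component: clamps a request to [0, max] and then limits the
 * per-step change of the output to +/- slew. */
int16_t limiter_step_fixed(int16_t prev, int16_t request, int16_t max, int16_t slew)
{
    int16_t target = request;
    if (target < 0)   target = 0;
    if (target > max) target = max;
    int32_t delta = (int32_t)target - prev;
    if (delta > slew)  delta = slew;
    if (delta < -slew) delta = -slew;
    return (int16_t)(prev + delta);
}

/* Same component with a boundary defect: the rate limit is applied to the raw
 * request, so the output can leave [0, max] when prev is already at the edge. */
int16_t limiter_step_buggy(int16_t prev, int16_t request, int16_t max, int16_t slew)
{
    int32_t delta = (int32_t)request - prev;
    if (delta > slew)  delta = slew;
    if (delta < -slew) delta = -slew;
    return (int16_t)(prev + delta);
}

/* ASSUME restricts the scenario to the inputs the requirement talks about.
 * Under a software verifier this would constrain nondeterministic inputs; in
 * this stand-alone form an excluded input simply counts as "no violation". */
#define ASSUME(cond) do { if (!(cond)) return true; } while (0)

/* Scenario for hypothetical requirement REQ-A:
 * "For every valid configuration and every request, the output stays within
 *  [0, max] and changes by at most slew per step."
 * Returns true when the requirement holds for this input, false on violation. */
bool scenario_req_a(step_fn step, int16_t prev, int16_t request, int16_t max, int16_t slew)
{
    ASSUME(max >= 0 && max <= 100);
    ASSUME(slew >= 1 && slew <= 20);
    ASSUME(prev >= 0 && prev <= max);   /* previous output was itself in range */

    int16_t out = step(prev, request, max, slew);
    int32_t change = (int32_t)out - prev;

    /* The two assert-style checks that make up the requirement. */
    if (out < 0 || out > max)            return false;
    if (change > slew || change < -slew) return false;
    return true;
}

/* Stand-alone bounded exploration of the scenario: walk a grid over the input
 * domain and count violating inputs. A bounded model checker would explore the
 * same scenario symbolically instead of by enumeration. */
int count_violations_req_a(step_fn step)
{
    int violations = 0;
    for (int max = 0; max <= 100; max += 10)
        for (int slew = 1; slew <= 20; slew += 5)
            for (int prev = 0; prev <= 100; prev += 5)
                for (int req = -200; req <= 300; req += 7)
                    if (!scenario_req_a(step, (int16_t)prev, (int16_t)req,
                                        (int16_t)max, (int16_t)slew))
                        violations++;
    return violations;
}

int main(void)
{
    printf("fixed limiter: %d violations of REQ-A\n",
           count_violations_req_a(limiter_step_fixed));
    printf("buggy limiter: %d violations of REQ-A\n",
           count_violations_req_a(limiter_step_buggy));
    return 0;
}
```

The point of the scenario function is that it reads like the requirement sentence it formalizes: the ASSUME lines state the configuration the requirement covers, and the two checks at the end are the requirement's obligations. The defective variant passes any test that never starts at the range boundary, which is the kind of implementation problem an exhaustive or symbolic check of the same scenario surfaces.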
* This work was supported in part by the “Concept for the Future” of Karlsruhe Institute of Technology within the framework of the German Excellence Initiative.

In this work, an emerging trend in industry, employing software verification, is integrated into this scenario. Software verification is a technique to provide formal guarantees that software implementations conform to their specifications. Recently, several approaches for verification have reached a status where successful integration into the industrial software development process has been achieved [1, 5, 6, 12].

The applicability of formal methods is also reflected in formal requirements analysis. The aim of this approach is the qualitative improvement of requirement documents by directly translating them into a formal language. The goals—formally proved consistency and early defect detection—are shared between both approaches. A difference, though, is that integration of formal methods is perceived on the implementation level for verification, and on the level of documents or artifacts for requirements analysis.

If testing and requirements need to be linked, the same should hold for requirements and software verification. We therefore review and perform software verification from the perspective of checking consistency between component requirements and C implementations.

In contrast to other software verification case studies, specifications are not derived from an abstract correctness goal (e.g., termination), but from a set of dynamically changing functional requirements. Up to now, it was mainly unknown whether verification can handle the timing constraints posed by industrial development processes and how the technique can be linked to component requirements.

The case study performed by Uusitalo et al. [16] analyzed best practices and experiences for linking testing and requirements by interviewing experts.
We cannot adapt their interviewing technique in our setting because verification is not yet integrated into the industrial development process. Therefore we provide our own case study, where we formalize a set of 50 requirements, and verify that software releases conform to them using an automatic technique called