Towards usable and relevant model checking techniques for the analysis of dependable interactive systems

Karsten Loer and Michael Harrison
BAE SYSTEMS Dependable Computing Systems Centre
Department of Computer Science, University of York
York, YO10 5DD, UK
{Karsten.Loer, Michael.Harrison}@cs.york.ac.uk

Abstract

Model checking is a formal technique for the automated analysis of system models against formal requirements. Once a suitable model and property have been specified, no further interaction by the analyst is required. However, this does not necessarily make the method user friendly, since the checker must be provided with appropriate and complex input data. Furthermore, counter-examples generated by the system are often difficult to interpret. Because of this complexity, model checking is not commonly used, and exhaustive exploration of system models based on finite state descriptions is not exploited within industrial dependable systems design. The paper describes the development of an integrated collection of tools around SMV, intended to make it more accessible to practicing software engineers and in particular those concerned with the human interface issues in complex safety critical systems.

1 Introduction

An obstacle to the take-up of formal methods is the incomprehensibility of the notations and tools that underlie them. In practice only the originators of the methods or committed (usually academic) users will accept the cost of them. Model checking, a process that involves the exhaustive analysis of finite state descriptions, appears to be a promising approach to making the benefits of formal methods more accessible to designers. The paper focusses specifically on one such tool, the SMV model checker and its derivatives [Cimatti et al., 2002].
It describes the development of an integrated system based on SMV, intended to make it more accessible to practicing engineers (a group of engineers developing human computer interfaces within the avionics industry). The integrated system includes interfaces that make information available to designers in a comprehensible form. Although model checking has usability advantages because it is a decidable approach to analysis, there are also disadvantages.

1. The initial specification of the model is expressed as a state transition diagram using notations such as SMV. These notations must be learnt and may be counter-intuitive, particularly if, as in our case, designers are human factors experts. The number of states in these models can quickly explode and techniques must be adopted to manage the number of states.

2. The notation for specifying the properties, usually modal or temporal logic, is difficult to understand and to apply. Only a subset of possible property types is available; for example, representational properties are not possible.

3. The form of the result is difficult to interpret. The answer is either true, or a trace is presented which is a counter-example. The answer true may actually mean that the property has been wrongly formulated and is therefore vacuously true. Even when false, it is difficult to make sense of the traces that arise as counter-examples. In practice, because model checking is an iterative process of property refinement, it is important to make these counter-examples as helpful as possible.

2 System models and property patterns

Models involved in the development or derivation of requirements in the avionics and automotive domains are often expressed as statecharts [Harel, 1987]. Specifications of system models are either validated by structured analysis, for example by simulation or testing, or verified by formal proof.
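To make the three difficulties listed in the introduction concrete, the following Python script is an added example (not code from the paper or from the SMV tool set). It implements a minimal explicit-state checker for invariants of the form AG p and AG (p -> q) over a small, constructed state transition model (a hypothetical autopilot mode statechart; the state names and labels are assumptions). It shows the three outcomes a practitioner has to interpret: a genuine counter-example trace rendered step by step, a property that holds and was actually exercised, and a property that is "true" only vacuously because its antecedent is never reachable.

```python
"""Added example: a toy explicit-state invariant checker, illustrating
counter-example traces and vacuous truth. Not SMV and not the paper's tool."""
from collections import deque

# Constructed model (hypothetical autopilot mode statechart).
# Each state carries a set of atomic propositions; transitions are
# nondeterministic, exactly as in a finite-state description fed to SMV.
MODEL = {
    "initial": "off",
    "transitions": {
        "off": ["armed"],
        "armed": ["engaged", "off"],
        "engaged": ["disengaging", "engaged"],
        "disengaging": ["off"],
    },
    "labels": {
        "off": set(),
        "armed": {"armed"},
        "engaged": {"engaged", "controlling"},
        # Assumed design quirk: the system still controls the aircraft while
        # disengaging, which is what the first property below detects.
        "disengaging": {"controlling"},
    },
}


def reachable_states(model):
    """Breadth-first search over the transition relation.

    Returns a dict mapping each reachable state to the shortest path (list of
    states) from the initial state, which is what a checker needs in order to
    turn a violating state into a counter-example trace."""
    init = model["initial"]
    paths = {init: [init]}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        for successor in model["transitions"][state]:
            if successor not in paths:
                paths[successor] = paths[state] + [successor]
                queue.append(successor)
    return paths


def check_invariant(model, holds):
    """Check AG holds. Returns (True, None) or (False, trace), where trace is
    the shortest path from the initial state to the first violating state."""
    for state, path in reachable_states(model).items():
        if not holds(model["labels"][state]):
            return False, path
    return True, None


def check_implication_invariant(model, antecedent, consequent):
    """Check AG (antecedent -> consequent) and flag vacuity.

    Returns (result, trace, vacuous). The property is vacuous when no
    reachable state satisfies the antecedent: the answer is 'true' but the
    property was never exercised, the misleading outcome described in the
    introduction."""
    result, trace = check_invariant(
        model, lambda labels: (not antecedent(labels)) or consequent(labels))
    exercised = any(antecedent(model["labels"][s]) for s in reachable_states(model))
    return result, trace, not exercised


def format_trace(model, trace):
    """Render a counter-example as one readable line per step, showing the
    propositions that hold in each state instead of a bare state list."""
    lines = []
    for step, state in enumerate(trace):
        props = ", ".join(sorted(model["labels"][state])) or "(none)"
        lines.append(f"step {step}: {state} [{props}]")
    return lines


if __name__ == "__main__":
    # 1. Genuine violation: controlling the aircraft implies being engaged.
    ok, trace = check_invariant(
        MODEL, lambda l: "controlling" not in l or "engaged" in l)
    print("AG (controlling -> engaged):", ok)
    if not ok:
        print("\n".join(format_trace(MODEL, trace)))
    # 2. Holds, and the antecedent was actually reached.
    print("AG (engaged -> controlling):", check_implication_invariant(
        MODEL, lambda l: "engaged" in l, lambda l: "controlling" in l))
    # 3. Vacuously true: no reachable state is labelled 'failed'.
    print("AG (failed -> off):", check_implication_invariant(
        MODEL, lambda l: "failed" in l, lambda l: "off" in l))
```

The vacuity check is deliberately the cheapest one that is useful: it only asks whether the antecedent is reachable at all. Real checkers offer stronger notions, but even this simple check would have caught the misformulated-property case the paper warns about.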