what is a specification model?
when you systematically verify a model against requirements, you generate test cases for each requirement. these tests validate the model, which you can use to generate production code and build confidence that your model satisfies requirements. to create tests that satisfy your requirements, you can construct a specification model. a specification model is an executable entity that you can use to perform requirements-based testing by using simulink® design verifier™ and requirements toolbox™.
if you have a set of requirements written in natural language text, you can express them as formal requirements by using a (requirements toolbox) block. after defining the requirements in one or more blocks, the blocks and the signals become the specification model. unlike the model that you want to test, known as the design model, the specification model only specifies what to do, not how to do it.
you can use a specification model to:
validate the set of requirements in a systematic and quantitative manner.
automate requirements-based testing.
identify issues with your design model and requirements.
use specification models in requirements-based testing
to create and deploy a specification model, follow these steps:
author the requirements — write your requirements in natural language text that describes the behavior of the system under design. author them directly in the (requirements toolbox) or import them. for more information on importing requirements, see import requirements from third-party applications (requirements toolbox).
construct the specification model — design the specification model as an formal representation of the requirements by using at least one requirements table block.
link the requirements — each requirement that you create in the requirements table block creates an equivalent requirement in the requirements editor. see (requirements toolbox). link the high-level requirements to the formal requirements from the specification model.
analyze the formal requirements for completeness and consistency — identifying incomplete and inconsistent requirement sets can be difficult to do manually. the requirements table block allows you to automatically analyze the requirements for these issues. see (requirements toolbox).
generate tests for the specification model — generate at least one test per requirement that demonstrates its conformance to that requirement. for more information on generating tests, see . simulink design verifier automatically creates test objectives from the requirements defined in requirements table blocks.
interface the specification model with the design model — the specification and design models often do not use identical input and output signals. convert the test cases that you generate in step 5 by developing an interface between both models.
develop the design model — develop the design model by using the requirements. link the requirements to the design model.
verify the design and analyze the coverage — run the tests generated in step 5 on the design model and verify whether the results agree with the specification model and requirements. generate a coverage report to identify the missing coverage and refine the requirements, if required.
this flow chart illustrates this process.
construct a specification model
consider the autopilot controller model described in use specification models for requirements-based testing. in this example, you develop requirements that contain logical and temporal conditions that define outputs.
identify the specification model interface
list the input and output signals for the specification model that are related to the requirements that you want to test. ignore the signals that the requirements do not specify and that do not affect the tested outputs. in this example, the requirements specify five inputs and two outputs. the specification model input signals are:
autopilot engage switch — a switch that enables or disables the autopilot controller
heading engage switch — a switch that specifies the mode of the autopilot controller when the autopilot switch is engaged
roll reference target turn knob — a knob that feeds the desired roll angle value to the autopilot controller
heading reference turn knob — a knob that gives the set-point value for heading mode
aircraft roll angle — the current roll angle of the aircraft
the output signals are:
aileron command — the output to the aileron actuator
roll reference command — the output on the display window that indicates the set-point value for the aileron actuator
identify preconditions, postconditions, and actions for each requirement
for the requirements that you want to verify, transform the textual requirements into logical expressions that can be represented as preconditions, postconditions, and actions. you define formal requirements as a combination of preconditions, postconditions, and actions:
precondition — a condition that must be true for a specified duration before evaluating the rest of the requirement
postcondition — a condition that must be true if the associated precondition is true for the specified duration
action — a behavior that must be performed if the associated precondition is true for the specified duration
you may find that some requirements can use a postcondition or an action interchangeably, or both postconditions and actions. specify which you want to use based on the configuration of your design model.
for example consider this high level requirement that specifies the modes of the autopilot controller:
the autopilot controller mode is determined by the
following:
the autopilot controller is off when the autopilot engage switch is not engaged.
the autopilot controller is roll_hold_mode when the autopilot engage switch is engaged and the heading engage switch is not engaged.
the autopilot controller is hdg_hold_mode when the autopilot engage switch and the heading engage switch are both engaged.
you can write these requirements as these logical expressions:
requirement | precondition | action |
---|---|---|
1 | ap_engage_switch == false | mode = off |
2 | ap_engage_switch == true &&
hdg_engage_switch == false | mode = roll_hold_mode |
3 | ap_eng_switch == true && hdg_engage_switch
== true | mode = hdg_hold_mode |
repeat this process for the remaining requirements.
identify design values representations in requirements
your requirements may specify ranges of values that your design model must satisfy, or you may want to parameterize the values that you evaluate in each requirement. these values cannot always be described easily with literal values. you can use the requirements table block to represent values in the expressions as constant or parameter data. see (requirements toolbox). you can change data throughout simulation. in addition to assigning numerical values to data, the block supports other data types, such as strings, enumerations, or ranges. use the representation of values that fits your needs.
in the autopilot controller model, the requirements specify threshold values for the aircraft roll angle. this graphic illustrates the numerical and verbal equivalents of the thresholds.
create the requirements table blocks
after identifying the signal representations, values, and the expressions that you want to use in the formal requirements, write the logical expression of the precondition, postconditions, and actions in the precondition postcondition, and action columns for each requirement respectively. if your requirements have children or dependencies, you can include those relationships in the block. see (requirements toolbox).
each requirement that you create in the requirements table block creates an equivalent requirement in the requirements editor. update additional textual properties of the requirements, such as the description, in the editor. see (requirements toolbox).
in the autopilot controller model, the specification model includes two
requirements table blocks.
ap_mode_determination
defines the formal requirements for the
autopilot controller mode.
the other requirements table block,
cmd_determination
, describes the desired output of the
aileron command and the roll reference command.
final specification model
after connecting the requirements table blocks to the inputs, outputs, and each other, the final specification model is:
prepare the specification model for test generation
simulink design verifier automatically creates test objectives from the requirements defined in requirements table blocks. if you need to constrain the values of the test objectives, you can specify them either in the signal source, or by including them in the assumptions table of the block. see (requirements toolbox). to prepare the specification model for test generation, set the model coverage objectives. in the design verifier tab, in the prepare section, click test generation settings. in the configuration parameters window, expand the design verifier list and click test generation. set model coverage objectives to the option that best captures the desired coverage.
iterate through the steps
as you develop the specification model and test your design model, you typically need to update the requirements, specification model, and design model. this process is iterative. continue iterating until you reach the desired test outcomes, such desired model outputs and test coverage.
see also
(requirements toolbox)