Auditdraw: Generating Audits the FAST Way

Auditdraw: Generating Audits the FAST Way Neeraj K. Gupta Lalita Jategaonkar Jagadeesan Eleftherios E. Koutsofios David M. Weiss January 1997 In Proceedings of the 3rd IEEE International Symposium on Requirements Engineering, January 1997. Copyright 1997 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

Auditdraw:GeneratingAuditstheFASTWay (InProceedingsoftheIEEEInternationalSymposiumonRequirementsEngineering, January1997) NeerajK.Gupta1,LalitaJategaonkarJagadeesan2,EleftheriosE.Koutsoos3 anddavidm.weiss2 Abstract Througharesearch/developmentcollaboration,we haveappliedthefastdomainengineeringprocessto theauditssoftwareinlucenttechnologies'5esstelephoneswitchingsystem.ourcollaborationhasdevelopedanapplication-orientedlanguage,toolset,and accompanyingprocessforspecifyingtherequirements andgeneratingthecodeforthe5essauditssoftware. WedescribetheFASTprocess,ourlanguage,andthe expectedbenetsofthisproject. Keywords requirementsspecication,requirementselicitation, softwarereuse,domainanalysis,domainengineering, telecommunications,application-orientedlanguages, applicationgenerators,process,softwareengineering, requirementsengineering 1Introduction Industrialsoftwareengineerscontinuallyfacethe questionofhowtoproducetheirsoftwarefaster,at lowercost,withmorefeatures.oneapproachtoansweringthisquestionistoorganizesoftwareintofamilies,identifytherequirementsforthefamily,parameterizetherequirementsforindividualfamilymembers,andtoreuseassetswithinandacrossfamilies togeneratefamilymembersrapidly[9].wedescribe hereacollaborationbetweenresearchersanddeveloperstoapplyaprocess,calledfast,thatembodies suchanapproach.ourtargetfamilywasthesetof programsthatauditthedatabaseinlucenttechnologies'5essrtelephoneswitchingsystemtoensurethat theswitchoperatesreliably.eachmemberofthefamilyisknownasanaudit.thefastprocessguided ustodevelopasetofreusableassetsthatenableusto 1IndependentConsultant,withLucentTechnologies5ESS SoftwareDevelopmentOrganization,ngupta@dt2k.com 2SoftwareProductionResearchDept.,BellLaboratories,1000E.WarrenvilleRd.,Naperville,IL60566(USA) flalita,weissg@bell-labs.com 3NetworkServicesResearchCenter,AT&TLabs{Research,600MountainAve,MurrayHill,NJ07974(USA) ek@research.att.com generatetheccodeforauditsthatiscurrentlydevelopedmanually. Inparticular,ourcollaborationhasdevelopedthe following: anapplication-orientedlanguage,calledauditdraw,designedespeciallyforspecifyingtherequirementsandgeneratingthecodeforthe5ess auditssoftware, asetoftoolstohelpauditsdevelopersuseauditdraw,and anewprocessfordevelopingauditsusingauditdraw. WeexpectthatAuditdrawanditstoolsetandprocesswillsignicantlyincreaseproductivityandsignificantlydecreasecostandintervalinauditssoftware developmentinthe5essswitch;wenote,however, thatitisnotyetinproductionuse. Section2ofthispapergivesabriefdescriptionof LucentTechnologies'5ESSswitchanditsauditssoftware,section3describestheFASTprocess,andsection4describeshowweappliedittotheauditsdomain.Section5containsourconclusions. 2LucentTechnologies'5ESSTelephoneSwitchingSystemandAudits LucentTechnologies'5ESStelephoneswitchingsystem[8]provideshighlyreliabletelecommunications services;oneofthekeyfactorsinensuringsystemintegrityandstabilityisthepresenceofreliabledata. Inparticular,audits[4]areprogramsthathelpensurefault-toleranceofrelationaldatabases.Inthe 5ESStelephoneswitchingsystem,theseprogramsperformrun-timechecksontheconsistencyofdataentities,andperformtheappropriatecorrectionsondata whenaninconsistencyisdetected.forexample,in a5essswitch,thestatusofunitsconnectedtothe switchismaintainedintheswitch'sdatabase.some unitsarearrangedinhierarchies,andunitsthatare

relatedtoeachotherbythehierarchymusthaveconsistentstatus,e.g.,ifaparentunitisoutofservice, thenallofitschildrenmusteitherbeoutofserviceor inatransientstate. Agroupofsoftwaredevelopersareresponsiblefor the5essauditssoftware.therequirementsforaudits comefromdevelopersfromothersubsystems,andare writteninenglish.theserequirementsaretypically givenafterthedatadesignforanewormodiedfeaturehasbeencompleted,andtheyspecifythedata entitiesthatneedtobeaudited,howtoaccessthose dataentities,andwhatconsistencycheckstoperform betweendierentdataentities.requirementscapture isfollowedbytheconstructionofanauditdesign,and thisdesignissubsequentlyreviewedatahighlevel designmeetingandthenalowleveldesignmeeting. Basedonthisdesign,theauditdevelopersprogram theauditinc;thisprogramisthenreviewedina formalinspection.theerrorsfoundduringthecode inspectionarecorrectedandthenthetestingprocess begins.therstphaseconsistsofunittesting,where theauditsdeveloperstesttheindividualcfunctions. Thesecondphaseconsistsofintegrationtesting,where otherdeveloperstestalloftheccodecomprisingthe newfeature{includingcodefromothersubsystems {byexecutingscenariosbasedontherequirements. ThisprocessisdepictedinFigure1. Withtheencouragementofbothresearchanddevelopmentmanagement,weformedacollaborationbetweenresearchersintheBellLabsSoftwareProductionResearchDepartmentanddevelopersinthe5ESS auditsgrouptoimprovetheauditsdevelopmentprocess.thecollaborationhasbeenapplyingthefast processtotheauditsdomain. 3TheFASTProcess TheFASTprocessassumesthatmostsoftwaredevelopmentisredevelopment,andthatsoftwareproductioncanbeorganizedaroundfamiliesofsystems toavoidmuchofthereworktypicallyinvolvedin redevelopment.1thegoaloffastistoprovideasystematicapproachtoanalyzingpotentialfamiliesand todevelopfacilitiesforecientproductionoffamily members.keytotheprocessisndingtherequirementsforthefamilyandappropriateabstractionsfor representingthem,creatingalanguageforspecifying therequirementsofindividualfamilymembers,and 1FASTisavariantofSynthesis,whichisdescribedin[2,10, 11].TheprimarydierencesarethatFASTdoesnothavea separateactivityforboundingadomain,andusesamuchmore structuredapproachfordeningafamilythandoessynthesis.inaddition,fastreliesmoreheavilyoncompiler-building technologythandoessynthesis. thentranslatingspecicationsoffamilymembersinto deliverablesoftware.putanotherway,fastisasystematicprocessforfamily-oriented,abstraction,specication,andtranslation. FASThastwosubprocesses,asshowninFigure2. Deningtherequirementsforthefamilyanddevelopingasetofreusableassetsforproducing familymembers.thissubprocessisknownasdomainengineering.wecallitsearlyphasesdomain analysis. Usingtheassetstoproducefamilymembers,primarilybygeneration.Thissubprocessisknown asapplicationengineering. Thetwosubprocessesareconnectedbyfeedback loopstoguidetheevolutionofthefamilyanditsassets. 3.1DeningtheFamilyandDeveloping thereusableassets Deningthefamilymeansidentifyingtherequirementsforpotentialfamilymembers,characterizing whattheyhaveincommon,andhowtheydier.for example,everyauditmustcheckfortheexistenceof databeforeitattemptstoaccessthevalueofthedata. Furthermore,suchacheckmustbedonewithinthe sametimesegmentaswhenthedataareaccessed.all membersofthefamilyof5essauditsmustobeythis rule.ontheotherhand,theparticulardatatobe accessed,thewayinwhichthecheckismade,andthe wayinwhichthedataareaccessedvaryoverreasonablywell-denedsets,andtherearecertaincombinationsthatarenotincludedinthefamily. Justasonemayorganizerequirementsforsingle systemsinavarietyofways,onemayorganizerequirementsforfamiliesinthesamevarietyofways.asan example,onemightusecategoriessuchasinterfacesto devices,interfacestoexternalsystems,andbehavior. Withineachcategory(orfurthersub-categories),one maydescribewhat'strueforallfamilymembers(commonalities),whatvariesamongfamilymembers(variabilities),andwhattherangeofvariabilityis.section 3.1.1describestheprocessthatweuseforeliciting suchrequirementsandtheartifactthatresults. Notethatnomatterwhetheroneprefersobjectorientedapproaches,functionalapproaches,orother approaches,onemustdecidewhatthepotentialfamilymembersare.webelievethatthisisequivalent topredictingwhatkindsofrequirementschangesare likelytooccurduringthelifetimeofthefamily,andis ofcrucialimportanceindevelopingfamilymembers.

Requirements/ High-level design Low-level design Coding Inspections Integration Testing Unit Testing Figure1:TheCurrentAuditDevelopmentProcess 3.1.1ElicitingRequirements:TheCommonalityAnalysis Weuseaprocesscalledcommonalityanalysistoelicit therequirementsforafamily.acommonalityanalysis isastructured,moderateddiscussionamongagroup ofdomainexperts.itsresultisadocument,alsocalled acommonalityanalysis[1],whosekeypartsinclude 1.Adictionaryoftermsusedindiscussingthefamily. 2.Alistofassumptionsthataretrueforallfamily members;theseassumptionsareknownascommonalitiesandarerequirementsthateverymemberofthefamilymustmeet.anexampleofa commonalityistherequirementthateveryaudit mustcheckfortheexistenceofdatabeforeitattemptstoaccessthevalueofthedataandthat thecheckmustbedonewithinthesametimesegmentastheaccess. 3.Alistofassumptionsaboutwhatcanvaryamong familymembers;theseassumptionsareknownas variabilitiesandarerequirementsthatdistinguish amongfamilymembers.thewayinwhichdata areaccessedbyanauditisavariability. 4.Alistofparametersthatdene,foreachvariability,thepossiblesetofvaluesthatitcanhaveand thetimeatwhichavaluemustbexedwhen specifyingafamilymember.thepossibledata accessmethodsusedbyauditsformthesetofvaluesforthevariabilitydescribedinthepreceding paragraph.foragivenaudit,theaccessmethodsitusesmustbedeclaredwhentheauditis specied. 5.Alistofissuesthataroseduringthecourseofthe analysisand,foreachissue,abriefdiscussionof itsresolution. Asmuchaspossible,weusestandardformsforexpressingtheterms,commonalities,variabilities,and parametersofvariation.exceptfortheparameters ofvariationthestandardformsarejuststructured prose.oneexampleiscommonalitiesthattakethe form\thereisamechanismfor..."aninstancemight be:\thereisaxedsetofmechanismsthatanauditmayuseforaccessingdata."forparametersof variationweuseatablethatincludes,asappropriate, mathematicaldescriptionsofthevaluespacesofvariabilities.wherestandardformsdonott,weusefree

Feedback (Customer needs) Marketplace Predictions Domain Engineering Define family and develop reusable assests Feedback (Production needs) Application Engineering Environment Reusable Assets Application Engineering Produce Family Members Key: Product ProcessFigure2:TheFASTProcess Applications

textfordescribingterms,commonalities,andvariabilities. Acommonalityanalysisdocumentforafamilyprovidesthebasisfordesigningaspecicationlanguage andotherreusableassetsforthefamily. Thecommonalityanalysisprocessisorganizedinto phasesthataredesignedtoelicitterms,commonalities,variabilities,andparametersofvariationbyconsensusfromagroupof5-10domainexperts.early phasesoftheprocessconcentrateongainingagreementamongthedomainexpertsontheobjectivesof theanalysisandontheboundariesofthediscussion. Theintermediatestagesoftheanalysisfocusongainingconsensusforthedenitionsofcommonly-used, importantterms,forcommonalities,andforvariabilities.laterstagesfocusonparameterizingthevariabilitiesandonreviewingtheresultsoftheanalysis forcompleteness,consistency,andreadability. Allstagesofthecommonalityanalysisareguided byamoderatorwhounderstandsthefastprocess, theroleofcommonalityanalysiswithinthefastprocess,andthedevelopmentcultureinwhichtheprocess isbeingused.moderatorshaveconsiderablediscretion inadaptingtheprocesstodierentgroups,butrarely changethestructureoftheartifact,i.e.,weareexibleaboutthestructureoftheprocess,butinexible aboutthestructureofthedocument.amoredetailed descriptionofthecommonalityanalysisprocessand artifactcanbefoundin[12]. 3.1.2ReusableAssets Thereusableassetsforafamilyconsistofalltheprocedures,tools,andartifactsneededtoproducefamily members,knowninfastasanapplicationengineeringenvironment.forexample,alanguageforspecifyingfamilymembersandatranslatorforgenerating Ccodefromaspecicationinthelanguagearetypicallyincludedintheenvironment.Thosewhousethe environmentfollowaprocessspeciedbyitsdevelopers.for5essaudits,theauditdrawlanguageandits translatorformtheinitialenvironment.asthefamilyofauditsevolves,theenvironmentwillalso,asthe translatorisenhancedandnewtoolsareaddedtothe environment. 3.2GeneratingFamilyMembers Theapplicationengineeringenvironmentisdesignedtohelpitsuserstogeneratemembersofthe familyveryrapidly.muchofitseectivenessdependsonhowaccuratelyrequirementsforpotential familymemberswerepredictedduringdomainanalysis.whenpredictionsaboutwhatfamilymembers willbeneededinthefutureareaccurate,theenvironmentwillbeveryeective.forthisreason,akey inputtothefamilydenitionprocessispredictions aboutmarketplacetrends. Keytotheenvironmentisawell-designedlanguage forspecifyingrequirements.itsusersshouldbeableto specifyparticularfamilymembersjustbyspecifying thevariationsconsideredduringthedenitionofthe family.forexample,theyshouldbeabletospecify forauditsthedatatobeaccessedbyanaudit.the languageshouldallowthemtodosoinawaynatural tothefamily,i.e.,usingtheabstractions,suchasdata itemfetch,thatareusedtodenethefamily.the environmentshouldprovidethemwithfacilitiesfor verifyingthechoicestheyhavemade,e.g.,verifying thatallvaluesforaparticulardataitemhavebeen checked. Theenvironmentembodiesboththeprocessforcreatingfamilymembersenvisionedduringthedenition ofthefamilyandthetools,procedures,andartifacts neededtocarryoutthatprocess.itsuserscreatea modelofthefamilymemberthattheywouldliketo produceandthengeneratethefamilymember.for 5ESSaudits,themodelisaspecicationexpressed inauditdraw.generationofthefamilymemberis accomplishedbysupplyingthespecicationtothe Auditdrawtranslator,whichperformscompleteness andconsistencychecksandgeneratestheappropriate code. 3.3ApplicabilityofFAST TheFASTprocessisworthapplyingwhenthecost ofdomainengineeringisrepaidbythedecreaseincost anddevelopmenttimeforfuturefamilymembers,i.e., whenthedomainengineeringcostcanbeamortized overthefamilymembersthatareproducedwiththe resultsofdomainengineering.suchrepaymentoccurs inthefollowingsituations: Whenasystemwillexistinmanyvariationsover alongperiodoftime, Whenthereisconsiderabletimeandeortbeing devotedtomakingcontinualchangestoasystem, Whentherearemanycustomersforasystem, eachofwhomwantsthesystemcustomizedfor hisorherpurposes, Whenitisimportanttoproducevariationsona systemquickly. MuchofourexperienceinapplyingFASThasbeen inlegacysystemsthatarestillindemand,where thereisareservoirofknowledgeaboutthesystem,

andwherechangetothesystemhasbecomeslowand costlycomparedwithmarketplacedemands.usersof FASToftenviewitasawaytogainacompetitive advantageinspeedandcost. WeusuallyapplyFASTbyseekingadomainwithin alarge,legacysystemwherethereisfrequentchange occurringatrelativelylargecost.suchadomainis oftenanisolatablesectionofthesystemwherethe changescanbeencapsulated,andwhereagroupof softwaredevelopershasresponsibilityformakingthe changes.section4describestheapplicationoffast tosuchadomainwithinthe5esssoftware.although thisisatypicalapplicationoffast,wealsobelieve itwillworkwhereverdevelopersareabletomakeinformeddecisionsaboutfamilyrequirements. 3.4OrganizingFASTApplications Inadditiontoperformingacommonalityanalysis, thefastdomainengineeringprocessincludesactivitiesfordesigningandimplementingtheapplication engineeringenvironment,andtheapplicationengineeringprocessforusingtheenvironmenttoproduce applications.adetaileddescriptionoftheseactivities isbeyondthescopeofthispaper. AsshowninFigure2.,weperformdomainengineeringandapplicationengineeringiteratively,reanalyzing,rening,andimprovingtheenvironmentas necessary.fortheearlyiterations,wegenerallyestablishacollaborationofresearchersandsoftwaredeveloperstodeveloptheinitialversion(s)oftheenvironment.forthecommonalityanalysis,themoderator isfrequentlyaresearcherteamedwith5-10domain experts.forlanguagedesignandimplementationactivities,theteamisoftencomposedofoneresearcher andtwoorthreedevelopers. Asprototypesoftheenvironmentbecomeavailable, moredevelopersareaddedtotheteamastesters. Astheenvironmentbecomesreadyforproduction,a widersetofdevelopersistrainedinitsuse,andresearcherstakeadecreasingroleinfurtherenvironment development.weexpectthatthedomainexpertswill becometheownersoftheenvironmentandcontinue itsdevelopmentbasedonthefeedbacktheygetfrom itsuseandfromforecastsofmarketplaceneeds.most ofthedomainsthatwearecurrentlyengineeringare stillintheirrstiterationofdomainengineering. Ourexperience,whichisstillverylimited,indicates thattheresourcesneededtodeveloptherstversion ofanapplicationengineeringenvironmentsuitablefor productionuseislessthanvestayearsofeort. Weconsiderthesedomainstobeintherstmajor iterationofthedomainengineering-applicationengineeringcycleshowninfigure2.wecurrentlyhave approximatelytendomainssomewhereintheirrst majoriteration. 4FASTandAudits 4.1DomainAnalysisandApplication- OrientedLanguageDevelopment Theauditssoftwaredevelopmentgroupandseveral researcherscollaboratedtoperformadomainanalysisforthe5essauditsdomain,therststepinthe FASTprocess.Thus,therequirementsdescribedin thecommonalityanalysis[1]havebeenvalidatedbya largegroupofauditsexperts. Forthelanguagedevelopmentphase,amemberof the5essauditssoftwaredevelopmentorganization visitedthesoftwareproductionresearchdepartment forapproximatelyoneyearandahalf.thisinteractionenabledaveryfruitfulandcrucialexchangeof ideasandconcernsbetweenresearchanddevelopment. Priortoourcollaboration,therehadbeenaprototypicalrule-basedlanguagedevelopedintheauditssoftwaregroup,onwhichwehavecapitalized. Basedonthedomainanalysisandthisprevious languageprototype,wedevelopedtheauditdrawlanguage[3],designedespeciallyforspecifyingtherequirementsforthe5essauditssoftware.inthecourse ofourwork,wediscoveredthatauditrequirements canbeverynaturallyrepresentedasaformofdecisiontrees,inwhichadecisioninvolvestheretrievalof adataentityfromadatabase,andthecomparisonof itsvaluetothevalueofsomeotherdata.sincesome sub-treesmaybeidentical,wehavegeneralizedthese decisiontreestodirectedacyclicgraphs.theleaves ofthesegraphsrepresentreportstobegeneratedand correctiveactionstobetaken.sincethesegraphscorrespondtoauditrequirements,thedecisions,reports, andactionsallhavepreciselyspeciedbehavior. Auditdrawisalanguageforspecifyingsuchdecision graphs.inthegraphicalview,theprogrammerinteractivelydrawsthegraphoneitheraworkstationora PC;he/sheusesagraphicalinterfacedesignedespeciallyforauditgraphs,whichisbuiltonthegraphical layouttool\dotty"[5,6].inadditiontothegraphicalspecication,theprogrammeralsowritesasimplecompaniondeclarationsectionthatspeciesthe nameoftheauditanditsinterfaces,thedatatobe audited,andthedataaccessmethodstobeused.the graphanddeclarationsectionarethentogetherautomaticallytranslatedintosemantically-equivalentexecutablecode. AsimpleAuditdrawgraphicalspecicationisgiven infigure3.thisspecicationgivesanauditdrawrepresentationofasmallpieceofanauditinthe5ess telephoneswitchingsystem,whichcheckstheconsis-

parent.bas_state child.bas_state child.transient child.transient child.transient child.bas_state DC ACT2 ACT1 ERROR ERROR ACTIVE OOS ACTIVE OOS ACTIVE OOS NO YES YES NO NO YES Figure3:AnAuditdrawExample tencyofparentandchildcircuitsappearinginhierarchicalcircuits.specically,thestatesofaparent circuitanditschildcircuitshouldbeidentical:they shouldeitherbothbeactive(active)orbothbe outofservice(oos).ifnot,thenanerrorreportshouldbegeneratedandsomecorrectiveaction (ACT1orACT2)taken.Theonlyexceptioniswhen thechildcircuitisinatransientstate,inwhichcase anyinconsistenciesshouldbeignoredanda\don't care"(dc)reportshouldbegenerated.inoursamplespecication,theovalsrepresentthedataentities tobechecked(andtheapplicationoftheirassociated retrievalmethod)andthearcsrepresenttransitions. Anarcistraversedifthevalueofthedataentityin thesourceovalofthearcmatchesthevaluewritten onthearc;controlisthenpassedtothetargetovalof thearc.trapezoidsrepresenterrorreportstobegeneratedandboxesrepresentactionstobetaken.so, forexample,iftheparentstateisactive,thechild stateisoosandthechildisnotinatransientstate, thentheerrorreportwillbegeneratedandthe actionact1performed. Asillustratedabove,Auditdrawspecicationshave apreciselydenedsemanticsthatmodelthebehaviorofaudits.thisenablesstaticanalysis{suchas completenesscheckingandoptimization{tobeperformed.forexample,figure4depictsanoptimization oftheauditdrawgraphshowninfigure3;therst checkperformedintheoptimizedversioniswhether ornotthechildcircuitiscurrentlyinatransientstate. Ifso,thegraphisexitedimmediatelyaftergenerating adcreport. TwoviewsaresupportedbyAuditdraw:agraphicalview,describedabove,andarule-basedview.In therule-basedview,theprogrammerexplicitlywrites everymaximalpathofthegraphinatextualfor- mat.thesetwoviewsareinterchangeable:aspeci- cationwrittenintherule-basedviewcanbeautomaticallytranslatedintothegraphicalview,andviceversa.bothoftheseviewscanbeautomaticallytranslatedintosemantically-equivalentexecutablecode. 4.2CurrentStatusandFuturePlans ThecommonalityanalysisfortheAuditsdomain[1] wascompletedinmay,1994.amajorityofsoftwaredevelopersfromthe5essauditssoftwaredevelopmentgroupandseveralmembersofthesoftware ProductionResearchDepartmentparticipatedinthis analysis. Thedesignof(bothviewsof)theAuditdrawlanguage,andthedevelopmentofthegraphicaltoolset andcodegeneratorwascompletedinjuly,1995.this toolsetiscurrentlyundertrialintheauditsdevelopmentgroup.aspartofthistrial,wehavedevelopeda Auditdrawgraphspecifyinganactual5ESSsoftware audit;thisgraphconsistsof56nodesand113edges.

DC ACT2 ACT1 ERROR ERROR child.bas_state parent.bas_state child.bas_state ACTIVE OOS OOS ACTIVE OOS ACTIVE child.transient YES NO DC Figure4:AnAuditdrawOptimizationExample TheCcodeautomaticallygeneratedfromthisgraph usingauditdrawconsistsofapproximately600lines. Sinceaformally-denedlanguageandtoolsetnow existforthegraphicalviewofauditdraw,weplanto buildonandextendthistoolsetafterthecompletion ofthetrial.inparticular,weplantodevelopatoolset fortherule-basedversionofauditdraw,aswellasa debugger,optimizer,and\auditdi"toolforcomparingthegraphs/textofdierentauditsspeciedusing Auditdraw;thislattertoolshouldbeespeciallyuseful inthemaintenanceofaudits.wealsoplantodevelop atrainingcourseforauditdraw. 4.3ExpectedBenets The5ESSauditssoftwaredevelopmentgrouphas begunatrialoftheauditdrawlanguageandtoolset. Inthistrial,several5ESSauditswillbespeciedusing Auditdraw,andtheresultingexecutablecodewillbe testedinthe5essproductionenvironments. SinceAuditdrawisahigh-levellanguagedesigned especiallyforspecifyingaudits,webelievethatauditswritteninauditdrawwillbefasterandeasierto writeandmaintain.inparticular,auditrequirements canbespecieddirectlyinauditdraw,andexecutable codecanbeautomaticallygenerated.weexpectthat thiswillsignicantlyreducecodingerrors,andthat theresultingauditswillbeofahigherquality.furthermore,automaticcodegenerationfromhigh-level specicationseliminatestheneedforseveralphases inthecurrentdevelopmentprocess:namely,thelowleveldesign,coding,codeinspectionandunittesting phases.theauditdrawprocessisshowninfigure5; thereadershouldcontrastthiswiththecurrentaudit developmentprocessshowninfigure1. Asasidebenetofthisstreamlinedprocess,weexpectthatauditswillbeavailabletoothersubsystems earlier,aidinginthedebuggingofthosesubsystems. Thus,webelievethattheAuditdrawlanguageand toolsetwillsignicantlyincreaseproductivityandsignicantlydecreasecostandintervalinauditssoftware developmentinthe5essswitch.whileauditdraw isspecictotheauditssubsystemin5ess,itisalso readilyadaptabletootherplatforms.forexample, thegeneratedcodecouldbere-targetedtoadierentlanguage.moregenerally,auditdrawisgenericto databases;namely,itcanprovidefault-tolerancefora verylargevarietyofdata.wearecurrentlyinvestigatingpossibleapplicationstootherlucenttechnologies switchingplatforms. 5Conclusions OurapplicationofFASTtotheauditsdomain shouldsignicantlyimprovetheeciencyoftheauditsdevelopmentprocess.webelievethisisaresult primarilyofthefollowingfactors:

Requirements/ High-level design Integration Testing Figure5:TheAuditdrawProcess Family-orientedviewpoint TheFASTprocessisbasedonidentifyingthe commonrequirementsforafamilyofsystems,parameterizingtherequirementsforindividualfamilymembers,andndingtheappropriateabstractionsforeasilyexpressingthecommonalitiesand variabilitiesinrequirementsamongfamilymembers.thecommonalityanalysisprocesshelpsto ensurethattheserequirementsandtheabstractionsremaincorrectandsuitablyexpressiveas thefamilyofsystemsevolves. Generationofcodefromrequirementsspecications Requirementsexpressedintheseabstractionsare automaticallytranslatedintoexecutablecode. Thisstreamlinesthedevelopmentprocessandensuresthatthesoftwaresatisestherequirements. Maintainabilityofsoftware Sincetheabstractionsforexpressingrequirementsaretailoredforaparticularfamily,inthis casethe5essauditssoftware,changesinthe requirementsareeasilyexpressedbymodicationsintherequirementsspecications.furthermore,maintainabilityofthesoftwareintheface ofchangesinrequirementsisgreatlyaidedbythe automaticgenerationofcode. Staticanalysisofrequirementsspecications Theformally-denednatureofthegraphicalrepresentationmakesitpossibletoanalyzestatically theauditsrequirementsforconsistencyandcompleteness,relativetothedatathatisbeingaudited. Reuse Artifactsoftherequirementsengineeringprocess canbereusedinthefollowingways: Abstractionsholdoverlargesubsetsofaudits familymembers.inparticular,commonalitiesare re-usedinallthemembersofthefamily.forexample,every5essauditmustcheckfortheexistenceofdatabeforeitattemptstoaccessthe valueofthedata.similarly,variabilitiestypically holdacrosslargesubsetsoffamilymembers:for example,manyauditssharethesamedataaccess operations. Thelanguagetranslatorreusestheseabstractions formanyauditdesigns,sincethecommonalities andvariabilitiesarebuiltintothelanguage.for example,existencechecksandappropriatedata accessoperationsareautomaticallyinsertedinto auditdesignsduringcodegeneration. Abstractionsareoftensharedbetweenfamilies. Forexample,wefullyexpectthatmanyabstractionscommonto5ESSauditswillalsobeshared byauditsinotherswitchingplatforms.thus,auditdrawanditsprocesscanbetailoredtoavarietyoffault-tolerantdatabases. Inaddition,webelievethatthecollaborativenatureoftheFASTprojects,i.e.,researchersandsoftwaredevelopersworkingtogethertousetheFAST processtocreatereusableassets,willgreatlyimprove thechancesforsuccess.notonlydideachtypeofcollaboratorbringspecializedknowledgeneededforthe domainanalysisanddomainimplementation,butwe expectthattransferofthenewtechnologythatresultedfromthecollaborationwillbegreatlyeasedby havingthetechnologyusersbepartoftheprocess.

Acknowledgments Wethankthe5ESSAuditsgroupformanyhelpful discussionsonthisproject,andchrisrammingand CurtTuckeyformanyhelpfuldiscussionsonthelanguageandtoolset.WearegratefultoBobColby,Cy Rubald,andMaryZajacfortheirvigoroussupportof thiscollaboration,andjoepauleandericsumner,jr. fortheirvisionininitiatingit. References [1]G.Babu,M.Baron,A.Charles,J.D'Mello, D.Ebright,N.Gupta,L.Jagadeesan,S.Ozdemir, S.Patel,J.Paule,M.Phreykz,R.Trygar,and D.Weiss.Commonalityanalysisforaudits.Technicalreport,AT&TBellLaboratories,May1994. InternalDocument. [2]G.H.Jr.Campbell,S.R.Faulk,andD.M.Weiss. Introductiontosynthesis. TechnicalReport INTRO-SYNTHESIS-PROCESS-90019-N,SoftwareProductivityConsortium,1990. [3]N.K.Gupta,L.J.Jagadeesan,E.E.Koutsoos, andd.m.weiss.user'sguideforauditdraw. Technicalreport,AT&TBellLaboratories,May 1995. [4]G.Haugk,F.M.Lax,R.D.Royer,andJ.R. Williams.The5ESS(TM)switchingsystem: Maintenancecapabilities.AT&TTechnicalJournal,64(6part2):1385{1416,July-August1985. [5]E.E.KoutsoosandS.C.North.Viewinggraphs withdotty.technicalreport59113-930120- 04TM,AT&TBellLaboratories,1993. [6]E.E.KoutsoosandS.C.North.Applicationsof graphvisualization.ingraphicsinterface'94, Ban,Alberta,pages235{245,1994. [7]R.C.T.LaiandD.M.Weiss. Aformal modelofthefastprocess.technicalreport BellLabsTechnicalMemorandum,BL0112650-950707-30TM,AT&TBellLaboratories,July 1995. [8]K.E.MartersteckandA.E.Spencer.Introductiontothe5ESS(TM)switchingsystem.AT&T TechnicalJournal,64(6part2):1305{1314,July- August1985. [9]D.L.Parnas.Onthedesignanddevelopmentof programfamilies.ieeetransactionsonsoftware Engineering,SE-2:1{9,March1976. [10]Synthesisguidebook,volumei,methodologydefinition.TechnicalReportSPC-91122-MC,v. 01.00.02,SoftwareProductivityConsortium,December1991. [11]Synthesisguidebook,volumeii,casestudies. TechnicalReportSPC-91122-MC,v.01.00.02, SoftwareProductivityConsortium,December 1991. [12]D.M.Weiss.Deningfamilies:Thecommonalityanalysis.SubmittedtoIEEETransactionson SoftwareEngineering,July1996.