## Completeness and consistency in hierarchical state-based requirements (1996)


Venue: IEEE Transactions on Software Engineering

Citations: 105 (15 self)

### BibTeX

```bibtex
@ARTICLE{Heimdahl96completenessand,
  author  = {Mats P. E. Heimdahl and Nancy G. Leveson},
  title   = {Completeness and consistency in hierarchical state-based requirements},
  journal = {IEEE Transactions on Software Engineering},
  year    = {1996},
  pages   = {363--377}
}
```


### Abstract

This paper describes methods for automatically analyzing formal, state-based requirements specifications for some aspects of completeness and consistency. The approach uses a low-level functional formalism, simplifying the analysis process. State-space explosion problems are eliminated by applying the analysis at a high level of abstraction; i.e., instead of generating a reachability graph for analysis, the analysis is performed directly on the model. The method scales up to large systems by decomposing the specification into smaller, analyzable parts and then using functional composition rules to ensure that verified properties hold for the entire specification. The analysis algorithms and tools have been validated on TCAS II, a complex, airborne, collision-avoidance system required on all commercial aircraft with more than 30 passengers that fly in U.S. airspace.

Index Terms: Completeness, methods.

### Citations

2930 | Graph-based algorithms for Boolean function manipulation - Bryant - 1986 |

Citation Context: ...tables and requiring costly logical AND and OR operations on the transitions (satisfiability of boolean functions is known to be an NP problem). Our analysis tools use Binary Decision Diagrams (BDDs) [3] for the manipulation of the conditions. BDDs are data structures used to represent boolean functions in a canonical form. Initially, our main concern was the performance of the AND and OR operations ...

2123 | Statecharts: A Visual Formalism for Complex Systems - Harel - 1987 |

Citation Context: ...ew of the RSML Notation RSML is a state-based requirements specification language suitable for the specification of reactive systems. RSML includes several features developed by Harel for Statecharts [9, 10]: superstates, AND decomposition, broadcast communication, and conditional connectives. [Figure 1: A Basic State Machine] In addition, RSML has some unique syntactic and semantic features that...

1179 | Automatic Verification of Finite-State Concurrent Systems using Temporal Logic Specifications - Clarke, Emerson, et al. - 1986 |

Citation Context: ...y graph and, therefore, quickly runs into a state-space explosion problem. Model checking: Model checking is conceptually simple and is applicable in a wide variety of languages and application areas [1, 6, 7]. Early work in model checking also relied on a global reachability graph. Consequently, the approach suffered from state-space explosion problems. Newer approaches relying on a symbolic representation...

587 | Safeware: System Safety and Computers - Leveson - 1995 |

Citation Context: ...ments stage have been shown to be more difficult and more expensive to correct than errors introduced later in the lifecycle, and they are more likely than implementation errors to be safety critical [24, 25]. Therefore, it is important to provide methods and techniques to eliminate requirements-related errors as early as possible. To provide analysis procedures to find errors in specifications, it is fir...

536 | STATEMATE Semantics of Statecharts - Harel, Naamad - 1996 |

Citation Context: ...ew of the RSML Notation RSML is a state-based requirements specification language suitable for the specification of reactive systems. RSML includes several features developed by Harel for Statecharts [9, 10]: superstates, AND decomposition, broadcast communication, and conditional connectives. [Figure 1: A Basic State Machine] In addition, RSML has some unique syntactic and semantic features that...

323 | Symbolic model checking: 10^20 states and beyond - Burch, Clarke, et al. - 1990 |

Citation Context: ...proach suffered from state-space explosion problems. Newer approaches relying on a symbolic representation of the state space can significantly improve the performance of the model checking approach [5]. Symbolic model checking has been applied to large models [5, 4], but only for systems with simple, repetitive elements---such as those commonly found in hardware applications. The time and space com...

307 | On the development of reactive systems - Harel, Pnueli - 1989 |

Citation Context: ...r the system in which it is embedded. This type of software is often reactive in that it must react or respond to environmental conditions as reflected in the inputs arriving at the software boundary [11]. A robust system will detect and respond appropriately to violations of assumptions about the system environment (such as unexpected inputs). Robustness with respect to a state-machine description im...

222 | Symbolic model checking for sequential circuit verification - Burch, Clarke, et al. - 1994 |

213 | Requirements Specification for Process Control Systems - Leveson, Heimdahl, et al. |

Citation Context: ...achine Language). RSML was developed by the Irvine Safety Research Group using a real aircraft collision-avoidance system called TCAS II (Traffic alert and Collision Avoidance System II) as a testbed [23]. This paper defines the formal semantics of RSML and describes an automated approach to analyzing an RSML specification for two qualities: (1) completeness with respect to a set of criteria related t...

131 | State-based model checking of event-driven system requirements - Atlee, Gannon - 1993 |

Citation Context: ...y graph and, therefore, quickly runs into a state-space explosion problem. Model checking: Model checking is conceptually simple and is applicable in a wide variety of languages and application areas [1, 6, 7]. Early work in model checking also relied on a global reachability graph. Consequently, the approach suffered from state-space explosion problems. Newer approaches relying on a symbolic representation...

97 | Consistency checking of SCR-style requirements specifications - Heitmeyer, Labaw, et al. - 1995 |

Citation Context: ...rating a global reachability graph. Thus, the analysis is both conceptually simple and eliminates the problem with state-space explosion. Recently, Heitmeyer, Labaw, and Kiskis have published a paper [15] discussing some aspects of consistency and completeness in the context of SCR-style (Software Cost Reduction [16, 17]) requirements specifications. SCR is a state-based approach using an assortment o...

68 | Software requirements analysis for real-time process-control systems - Jaffe, Leveson, et al. - 1991 |

Citation Context: ... related to safety and accidents. The definition of specification completeness provided by Jaffe was subsequently formalized using a simple Mealy-machine model called RSM (Requirements State Machine) [20]. The RSM notation was developed solely as a means for formally defining our criteria, and lacks most desirable properties of a true requirements specification language. To be useful in practical appl...

61 | Completeness and Consistency Analysis of State-Based Requirements - Heimdahl, Leveson - 1995 |

Citation Context: ...gure 9: D-completeness analysis result for Auto-SL state ASL-1. 5.1.1 Spurious Error Reports: During initial experiments with our first prototype tool, spurious error reports were not a serious problem [14]. All spurious reports could be traced either to (1) a lack of type checking capability or (2) the inability of the tool to adequately include information about the structure of the state machine in t...

49 | Software Requirements for the A-7E Aircraft - Heninger - 1978 |

Citation Context: ... state-space explosion. Recently, Heitmeyer, Labaw, and Kiskis have published a paper [15] discussing some aspects of consistency and completeness in the context of SCR-style (Software Cost Reduction [16, 17]) requirements specifications. SCR is a state-based approach using an assortment of tabular notations to define state transitions (or mode transitions as they are called in SCR) and output variables. ...

46 | Targeting safety-related errors during software requirements analysis - Lutz - 1993 |

Citation Context: ...ments stage have been shown to be more difficult and more expensive to correct than errors introduced later in the lifecycle, and they are more likely than implementation errors to be safety critical [24, 25]. Therefore, it is important to provide methods and techniques to eliminate requirements-related errors as early as possible. To provide analysis procedures to find errors in specifications, it is fir...

40 | Formal verification of algorithms for critical systems - Rushby, Henke - 1993 |

Citation Context: ... static analysis techniques such as reachability analysis and model checking. Formal proof systems: Formal proof systems can be powerful tools in the verification of critical properties of algorithms [29]. Attempts have been made to extend the use of formal proofs and apply them to requirements specifications, for example, the ProCoS (Provably Correct Systems) project [27, 28]. Unfortunately, the lang...

38 | State Space Caching Revisited - Godefroid, Holzmann, et al. |

Citation Context: ...is: Modeling a system as a finite-state machine and then performing reachability analysis of the global state space has been successfully used in the analysis of communication protocol specifications [8, 18, 19]. The main problem with reachability analysis is that it relies on the generation of a global reachability graph and, therefore, quickly runs into a state-space explosion problem. Model checking: Mode...

38 | Tracing Protocols - Holzmann - 1985 |

Citation Context: ...is: Modeling a system as a finite-state machine and then performing reachability analysis of the global state space has been successfully used in the analysis of communication protocol specifications [8, 18, 19]. The main problem with reachability analysis is that it relies on the generation of a global reachability graph and, therefore, quickly runs into a state-space explosion problem. Model checking: Mode...

27 | Automated protocol validation in Argos, assertion proving and scatter searching - Holzmann - 1987 |

Citation Context: ...is: Modeling a system as a finite-state machine and then performing reachability analysis of the global state space has been successfully used in the analysis of communication protocol specifications [8, 18, 19]. The main problem with reachability analysis is that it relies on the generation of a global reachability graph and, therefore, quickly runs into a state-space explosion problem. Model checking: Mode...

17 | Requirements capture for embedded realtime systems - Ravn, Rischel - 1991 |

Citation Context: ...cal properties of algorithms [29]. Attempts have been made to extend the use of formal proofs and apply them to requirements specifications, for example, the ProCoS (Provably Correct Systems) project [27, 28]. Unfortunately, the languages used in the theorem proving approach, such as process algebras and higher order logics, are not understandable by the non-software professionals involved in most require...

15 | What is in a step - Pnueli, Shalev - 1988 |

10 | Specifying Software for Complex Systems: New Techniques and their Application - Heninger - 1980 |

Citation Context: ... state-space explosion. Recently, Heitmeyer, Labaw, and Kiskis have published a paper [15] discussing some aspects of consistency and completeness in the context of SCR-style (Software Cost Reduction [16, 17]) requirements specifications. SCR is a state-based approach using an assortment of tabular notations to define state transitions (or mode transitions as they are called in SCR) and output variables. ...

9 | On the formal semantics of statecharts (extended abstract) - Harel, Pnueli, et al. - 1987 |

Citation Context: ...obal state, that is, the machine cannot be in state B and state C simultaneously. The restrictions governing the structure of a global state have been formally defined for Statecharts by Harel et al. [12]. These definitions are also applicable to RSML. Although the definitions are not essential for understanding the remainder of the paper, for completeness they have been included in Appendix A. The re...

5 | Using temporal logic for automatic verification of finite state systems - Clarke, Browne, et al. - 1985 |

Citation Context: ...y graph and, therefore, quickly runs into a state-space explosion problem. Model checking: Model checking is conceptually simple and is applicable in a wide variety of languages and application areas [1, 6, 7]. Early work in model checking also relied on a global reachability graph. Consequently, the approach suffered from state-space explosion problems. Newer approaches relying on a symbolic representation...

4 | Safety in Real-Time Software Requirements Specifications: A Logical Positivist Looks at Requirements Engineering - Jaffe - 1988 |

3 | Design technology assessment: The statecharts approach - Bruns, Gerhart, et al. - 1986 |

Citation Context: ... the basis for our formalization of the language and will be described in detail in Section 3. AND/OR Tables. Statecharts use predicate calculus to describe the guarding conditions on the transitions [2, 9]. Our TCAS external reviewers (including avionics engineers, component engineers, airline representatives, and pilots), however, did not find this notation natural or reviewable. Instead, we decided t...

3 | Requirements capture for computer based systems - Rischel, Ravn - 1990 |

Citation Context: ...cal properties of algorithms [29]. Attempts have been made to extend the use of formal proofs and apply them to requirements specifications, for example, the ProCoS (Provably Correct Systems) project [27, 28]. Unfortunately, the languages used in the theorem proving approach, such as process algebras and higher order logics, are not understandable by the non-software professionals involved in most require...

2 | Static Analysis of State-Based Requirements: Analysis for Completeness and Consistency - Heimdahl - 1994 |

Citation Context: ... transitions in real systems seems to be fairly limited, and this straightforward approach has been shown to be adequate to analyze a major part of a large real life system (TCAS II) for determinism [13]. In summary, the algorithms described in this paper are all quite simple. This simplicity results from, and is an advantage of, our functional definition of the semantics of RSML. Unfortunately, the ...

2 | Safety in Real-Time Software Requirements and Specifications - Jaffe - 1988 |

Citation Context: ...er or not a given set of software requirements is internally complete, i.e., closed with respect to statements and inferences that can be made on the basis of information included in the specification [21]. Emphasis is placed on aspects of requirements specification that are usually not adequately handled, including timing and robustness, and on aspects that are particularly related to safety and accid...

2 | State space caching revisited - Godefroid, Holzmann, Pirottin - 1992 |

Citation Context: ...is: Modeling a system as a finite-state machine and then performing reachability analysis of the global state space has been successfully used in the analysis of communication protocol specifications [8, 14, 15]. The main problem with reachability analysis is that it relies on the generation of a global reachability graph and, therefore, quickly runs into a state-space explosion problem. Model checking: Mode...

1 | Symbolic model checking for sequential circuit verification - Burch, Clarke, et al. - 1993 |

Citation Context: ...oaches relying on a symbolic representation of the state space can significantly improve the performance of the model checking approach [5]. Symbolic model checking has been applied to large models [5, 4], but only for systems with simple, repetitive elements---such as those commonly found in hardware applications. The time and space complexity of the symbolic approach is affected not only by the size...

1 | Design Technology Assessment: The Statecharts Approach - Bruns, Gerhart - 1986 |

1 | Using Temporal Logic for Automatic Verification of Finite State Systems - Emerson, Sistla - 1985 |

1 | Safeware: System Safety and Computers - Leveson - 1995 |