| Heitmeyer, C., J. Kirby, Jr., B. Labaw, M. Archer, and R. Bharadwaj, Using abstraction and model checking to detect safety violations in requirements specifications, IEEE Transactions on Software Engineering 24 (1998), 927--948. |
....not Overridden Normal, High true false SafetyInjection Off On Table 4. Condition table for controlled variable SafetyInjection i.e. if the water pressure falls below Low and Block is On and Reset is Off, then Safety Injection is Off in the next state. This property has been proved in [12]. 3 Automatic Model Driven Animation In this section, we tackle automatic model driven animation for SCR specifications. Figure 1 shows the process of generation and animation of critical scenarios. Animation goals, each representing a critical system behavior to animate, are systematically ....
....Model checking applies only to finite models. Therefore, our method works for SCR specifications having variables with finite domains. However, this limitation does not preclude the application of our approach to models with infinite domains, thanks to abstraction techniques as described in [12]. Moreover, since model checkers perform exhaustive state space (possibly symbolic) exploration, they fail when the state space becomes too big and intractable. This problem is known as the state explosion problem and represents the major limitation in using model checkers. Note, however, that we use ....
C. Heitmeyer, J. Kirby, Jr., B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Transactions on Software Engineering, 24(11):927--948, Nov. 1998.
....conditions. In this case, they are called conditioned events. For example, in Table 1 the mode transition defined in the second row is caused by the occurrence of conditioned event F(Ignited) whose condition is that Running is false. Different semantics have been used for conditioned events [11], all of which are expressible in our Event Calculus approach. In this case study, we have adopted the following interpretation. An event T(C) conditional on D means that C is false in the current mode and is changed to true in the new mode, while D is true in the current mode and stays ....
.... [8] to more formal techniques such as model checking, theorem proving [6] and other logic based approaches (e.g. [20, 27, 28]). Most techniques based on model checking facilitate automated analysis of requirements specifications and generation of counterexamples when errors are detected [2, 4, 11]. However, in contrast to our approach they presuppose complete descriptions of the initial state(s) of the system to compute successor states. Moreover, they need to apply abstraction techniques to reduce the size of the state space, and can only handle finite state systems. For example, in the ....
[Article contains additional citation context not shown here]
Heitmeyer, C. L., et al. (1998). Using Abstraction and Model Checking to Detect Safety Violations in Requirements Specifications. IEEE Transactions on Software Engineering, 24(11): 927-947.
....the original specification. In a complete abstraction properties of the original specification are also properties of the reduced specification. Completeness avoids false negatives. That is, all errors in the original specification will be found in the abstract specification. Heitmeyer, et al. [15] formalize an abstraction which removes irrelevant variables. Briefly, to check that some property q holds for a specification, one may remove variables and inputs which do not occur in or contribute to q. Another abstraction removes monitored or input variables which only contribute directly to ....
Constance Heitmeyer, James Kirby, Jr., Bruce Labaw, Myla Archer, and Ramesh Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Transactions on Software Engineering, 24(11):927-948, November 1998.
....systems, distributed systems, reactive systems, embedded systems, protocols. In such cases model checking can be a very effective way to detect errors in the earlier phases of the design cycle, thus meeting the formal methods goals of reducing time to market and increasing design quality, e.g. see [37, 36, 1, 16, 5, 4, 8, 31, 11, 35]. 1 This research has been partially supported by MURST project TOSCA 2 Area Informatica, Università di L'Aquila, Coppito 67100, L'Aquila, Italy 3 Dip. di Scienze dell'Informazione, Università di Roma "La Sapienza", Via Salaria 113, 00198 Roma, Italy 4 ....
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Software Engineering, 24(11), Nov. 1998.
....the search depth required was reduced to 10 percent of the initial value, but they do not involve abstraction away from the original model. On the contrary, if anything, they could be said to reduce the level of abstraction. Unlike other abstraction methods (see for example [9], [20] and [23]) our techniques are simple, and merely involve making simple checks that unnecessary states have not been unintentionally introduced. We believe that these kinds of state space explosions are not uncommon. All SPIN users should be aware that they may be introducing spurious states when coding ....
Constance L. Heitmeyer, James Kirby, Jr., Bruce Labaw, Myla Archer, and Ramesh Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Transactions on Software Engineering, 24(11), November 1998.
....the search depth required was reduced to 10 percent of the initial value, but they do not involve abstraction away from the original model. On the contrary, if anything, they could be said to reduce the level of abstraction. Unlike other abstraction methods (see for example [6], [11] and [13]) our techniques are simple, and merely involve making simple checks that unnecessary states have not been unintentionally introduced. We believe that these kinds of state space explosions are not uncommon. All SPIN users should be aware that they may be introducing spurious states when coding ....
Constance L. Heitmeyer, James Kirby, Jr., Bruce Labaw, Myla Archer, and Ramesh Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Transactions on Software Engineering, 24(11), November 1998.
....Kösters, Pagel and Winter focus on the transition from scenarios to a class model. Buhr uses scenarios for visualizing the dynamics of the object model. Other work on detecting inconsistency in requirements specifications typically deals with analyses based on a formal specification, for example [15]. Another track of related work deals with managing inconsistency in requirements specifications, which means living with inconsistency. These approaches typically require a formal specification too, and focus on managing intra model inconsistencies that arise among different stakeholder ....
Heitmeyer, C., Kirby, J., Labaw, B., Archer, M., Bharadwaj, R. (1998). Using Abstraction and Model Checking to Detect Safety Violations in Requirements Specifications. IEEE Transactions on Software Engineering 24, 11 (Nov. 1998). 927-948.
No context found.
Heitmeyer, C., J. Kirby, Jr., B. Labaw, M. Archer, and R. Bharadwaj, Using abstraction and model checking to detect safety violations in requirements specifications, IEEE Transactions on Software Engineering 24 (1998), 927--948.
No context found.
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Softw. Eng., 24(11), November 1998.
No context found.
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Softw. Eng., 24(11), Nov. 1998.
No context found.
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Softw. Eng., 24(11):927--948, Nov. 1998.
....; x 2 ; verification is the process of establishing that each SOL predicate $x_i \in X$ is an invariant of $\Sigma$. 7 SOL Agent Modules A SOL agent module describes both an agent's environment, which is usually nondeterministic, and the required agent behavior, which is usually deterministic [5, 9]. A SOL agent module describes the required relation between monitored variables, environmental quantities that the agent monitors, and controlled variables, environmental quantities that the agent controls. Additional internal variables are often introduced to make the description of the agent ....
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Transactions on Software Engineering, 24(11), November 1998.
....In recent years, model checking has emerged as a remarkably effective technique for the automated analysis of descriptions of hardware systems and communication protocols. To analyze software system descriptions, however, a direct application of model checking rarely succeeds [1, 3], since these descriptions often have huge (often infinite) state spaces which are not amenable to the finite state methods of model checking. More important, the computation of a fixpoint (the hallmark of the model checking approach) is not always needed in practice for the verification of an ....
....Also, unlike general purpose theorem provers, Salsa concentrates on a single task and gains efficiency by employing a set of optimized heuristics. The design of Salsa was motivated by the need within the SCR Toolset [4] for more automation during consistency checking and invariant checking [1, 3]. Salsa achieves complete automation of proofs by its reliance on decision procedures, i.e. algorithms that establish the logical truth or falsity of formulae of decidable sub theories, such as the fragment of arithmetic involving only integer linear constraints called Presburger arithmetic. ....
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Softw. Eng., 24(11), November 1998.
.... including an automated consistency checker to detect missing cases and other application independent errors [14], a simulator to symbolically execute the specification to ensure that it captures the user's intent [13], and a model checker to detect violations of critical application properties [3, 12]. Recently, groups at NASA and Rockwell Aviation as well as our group at NRL have used the SCR techniques to detect serious errors in requirements specifications of real world systems [7, 21, 12]. By exposing defects in the requirements specification, such techniques help the user improve the ....
.... the user's intent [13] and a model checker to detect violations of critical application properties [3, 12]. Recently, groups at NASA and Rockwell Aviation as well as our group at NRL have used the SCR techniques to detect serious errors in requirements specifications of real world systems [7, 21, 12]. By exposing defects in the requirements specification, such techniques help the user improve the specification's quality. This improved specification provides a solid foundation for the later phases of the software development process. While high quality requirements specifications are clearly ....
[Article contains additional citation context not shown here]
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Softw. Eng., 24(11), November 1998.
.... proved sufficient to prove invariant properties in a wide set of applications; see, for example, [3, 4, 2]. In addition to the proof steps shown in Figure 2, an automatic proof strategy based on these steps has been developed for proving invariant properties of automata specified in the SCR toolset [5]. This automatic strategy has been used to prove properties of a moderate sized SCR example [6]. An associated analysis strategy helped in finding a counterexample to a property that was not an invariant. The layered nature of the representation of the transition function of the TAME ....
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Softw. Eng., 24(11):927--948, Nov. 1998.
....the Naval Research Laboratory (NRL) to document the requirements of the US Navy's A-7 aircraft [2, 17]. One of the goals of SOL is to be able to directly implement specifications of high quality, such as the ones produced in SCR, in a safe and efficient manner. For illustrative SCR examples, see [5, 13, 14]. Researchers at NRL have provided a formal model for the SCR notation [5, 16] based upon which a number of tools have been developed [6, 15]. For verifying programs in SOL, our intention is to build upon one of these tools, Salsa, which is an invariant checker for state machine descriptions. ....
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Softw. Eng., 24(11), November 1998.
....SCR is a formal method for specifying the required behavior of software systems. The SCR toolset provides a user friendly interface for writing requirements specifications in a tabular format and a number of analysis tools, including a consistency checker [18], a simulator [17], a model checker [16], a theorem prover [2] and an invariant generator [21, 24]. In the toolset, the specification is displayed as a collection of tables. A context free grammar is the underlying communication medium for the different tools. By applying the SCR tools, a user can develop high confidence that a ....
....a user can develop high confidence that a specification is a correct statement of the required system behavior. The SCR method has been used successfully by many organizations in industry and in government (e.g. Bell Laboratories [20], Grumman [29], Lockheed [10], the Naval Research Laboratory [16, 25], Ontario Hydro [35] and Rockwell Aviation [30]) to develop and analyze specifications of practical systems, including flight control systems [10, 30], weapons systems [16], space systems [9] and cryptographic devices [25]. Most recently, the SCR tools were used by Lockheed Martin, together with ....
[Article contains additional citation context not shown here]
Heitmeyer, C., J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj: 1998a, `Using Abstraction and Model Checking to Detect Safety Violations in Requirements Specifications'. IEEE Trans. on Softw. Eng. 24(11).
....serious, in the requirements specification of a flight guidance system [22]. Recently, NRL used the SCR tools to uncover numerous errors, including a safety violation, in a sizable contractor produced requirements specification of a weapons control panel for a safety critical U.S. military system [13]. 2.2. Modes and Mode Invariants Three kinds of tables found in most SCR specifications are mode transition tables, condition tables, and event tables. Although this paper focuses on the generation of invariants from mode tables, extending the GROUP algorithm to event tables is straightforward ....
....4.3 gives a more general, but less intuitive, formalization that also applies to nondeterministic systems and to mode tables with self transitions. The weaker formalization in Section 4.2 appears so far to be sufficient in practice. While much of the notation in this section is borrowed from [13] and [18], some definitions have been simplified. The proofs of the two theorems presented in this section appear in [19]. The correctness of our results has been checked using the PVS prover [10]. 4.1. Mode Machines as Abstract State Machines We represent a system as a state machine $\Sigma$ = ....
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. Softw. Eng., 24(11):927--948, Nov. 1998.
....Like a theorem prover, it uses decision procedures, can handle infinite state systems, and can use auxiliary lemmas to complete an analysis. The design of Salsa was motivated by the need within the SCR Toolset [23] for more automation during consistency checking [24] and invariant checking [9, 22]. Salsa achieves complete automation of proofs by its reliance on decision procedures, i.e. algorithms that establish the logical truth or falsity of formulae of decidable sub theories, such as the fragment of arithmetic involving only integer linear constraints called Presburger arithmetic. ....
....automatic generator). Fig. 1. Process for applying Salsa. Related Work. The use of SMV [28] and SPIN [25] on software specifications for consistency and invariant checking has been well documented [2, 9, 16, 22]. SCR [23] is a toolset that includes a consistency checker which uses a method based on semantic tableaux extended to handle simple constraints over the integers and reals. This tool has proved very useful in a number of practical case studies; however, the tool is unable to complete the checks ....
[Article contains additional citation context not shown here]
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer, and R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Transactions on Software Engineering, 24:927--947, November 1998.
No context found.
Heitmeyer C, Kirby J, Labaw B, Archer M, Bharadwaj R. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans Software Eng 1998; 24(11):927--948
No context found.
C. Heitmeyer. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE TSE, 24(11):927-948, Nov. 1998.
No context found.
C. Heitmeyer, J. Kirby, B. Labaw, M. Archer and R. Bharadwaj, "Using Abstraction and Model Checking to Detect Safety Violations in Requirements Specifications", IEEE Transactions on Software Engineering Vol. 24 No. 11, November 1998, 927-948
No context found.
Constance Heitmeyer, James Kirby, Jr., Bruce Labaw, Myla Archer, and Ramesh Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Transactions on Software Engineering, 24(11):927-948, November 1998.
No context found.
C. Heitmeyer, J. Kirby Jr., B. Labaw, M. Archer, R. Bharadwaj. Using abstraction and model checking to detect safety violations in requirements specifications. IEEE Trans. on Software Engineering, Volume 24, Issue 11, Nov. 1998, Page(s): 927--948.
No context found.
Heitmeyer, C. L., et al. (1998). Using Abstraction and Model Checking to Detect Safety Violations in Requirements Specifications. IEEE Transactions on Software Engineering, 24(11): 927-947.
CiteSeer.IST - Copyright Penn State and NEC