Formal Aspects of Computing, Volume 28, Issue 1, pp 45–63

Analysing sanity of requirements for avionics systems

  • Jiří Barnat
  • Petr Bauch
  • Nikola Beneš
  • Luboš Brim
  • Jan Beran
  • Tomáš Kratochvíla
Original Article


In the last decade it has become common practice to formalise software requirements to improve the clarity of users' expectations. In this work we build on the fact that functional requirements can be expressed in temporal logic, and we propose new sanity checking techniques that automatically detect flaws in a given set of requirements and suggest improvements. Specifically, we describe and experimentally evaluate approaches to consistency and redundancy checking that identify all inconsistencies and pinpoint their exact source (the smallest inconsistent set). We further report on the experience obtained from employing consistency and redundancy checking in an industrial environment. To complete the sanity checking we also describe a semi-automatic completeness evaluation that can assess the coverage of user requirements and suggest missing properties the user might have wanted to formulate. The usefulness of our completeness evaluation is demonstrated in a case study of an aeroplane control system.


Keywords: Requirement engineering, Linear temporal logic, Sanity checking





Copyright information

© British Computer Society 2015

Authors and Affiliations

  • Jiří Barnat (1)
  • Petr Bauch (1)
  • Nikola Beneš (1)
  • Luboš Brim (1)
  • Jan Beran (2)
  • Tomáš Kratochvíla (2)
  1. Faculty of Informatics, Masaryk University, Brno, Czech Republic
  2. Honeywell International, Aerospace, Advanced Technology Europe, Brno, Czech Republic
