Requirements Engineering, Volume 12, Issue 1, pp 41–54

Using obstacle analysis to identify contingency requirements on an unpiloted aerial vehicle

  • Robyn Lutz
  • Ann Patterson-Hine
  • Stacy Nelson
  • Chad R. Frost
  • Doron Tal
  • Robert Harris
Original Research


Abstract

This paper describes the use of Obstacle Analysis to identify anomaly-handling requirements for a safety-critical, autonomous system. The software requirements for the system evolved during operations because of an ongoing effort to increase the autonomous system's robustness; the resulting increase in autonomy also increased system complexity. This investigation used Obstacle Analysis to identify, and to reason incrementally about, new requirements for handling failures and other anomalous events. Results reported in the paper show that Obstacle Analysis complemented standard safety-analysis techniques in identifying undesirable behaviors and ways to resolve them. The step-by-step use of Obstacle Analysis identified potential side effects as well as missing monitoring and control requirements. Adding an Availability Indicator and feature-interaction patterns proved useful for analyzing obstacle resolutions. The paper discusses the consequences of these results for the adoption of Obstacle Analysis to analyze anomaly-handling requirements in evolving systems.


Keywords: Contingency requirements; Obstacle analysis; Safety-critical software; Requirements evolution; Autonomy; Anomaly handling



Acknowledgements

The research described in this paper was carried out in part at the Jet Propulsion Laboratory, California Institute of Technology, under a contract with the National Aeronautics and Space Administration, and was funded by NASA's Office of Safety and Mission Assurance Software Assurance Research Program. The first author's research is supported in part by National Science Foundation Grants 0204139, 0205588, and 0541163. The authors thank Matt Whalley and the other members of the Autonomous Rotorcraft Project team for sharing their expertise and enthusiasm. The authors thank QSI for assistance with the TEAMS toolset. The first author also thanks Martin Feather and Axel van Lamsweerde for insightful feedback on an early draft.



Copyright information

© Springer-Verlag London Limited 2006

Authors and Affiliations

  • Robyn Lutz: JPL/Caltech and Iowa State University, Ames, USA
  • Ann Patterson-Hine: Ames Research Center, Moffett Field, USA
  • Stacy Nelson: Nelson Consulting/QSS, Ames Research Center, Moffett Field, USA
  • Chad R. Frost: Ames Research Center, Moffett Field, USA
  • Doron Tal: USRA/RIACS at NASA Ames Research Center, Moffett Field, USA
  • Robert Harris: 255 Group, Inc. at Ames Research Center, Moffett Field, USA