Analyzing Consistency of Formal RequirementsThis work has been partially funded by the German Federal Ministry of Education and Research (BMBF) under research grant 01IS15031H (ASSUME).


Electronic Communications of the EASST
Volume 076 (2019)

Automated Verification of Critical Systems 2018
(AVoCS 2018)

Analyzing Consistency of Formal Requirements

Jan Steffen Becker

26 pages

Guest Editors: David Pichardie, Mihaela Sighireanu
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

Analyzing Consistency of Formal Requirements∗

Jan Steffen Becker

becker@offis.de
OFFIS – Institute for Information Technology

Oldenburg, Germany

Abstract: In the development of safety-critical embedded systems, requirements-
driven approaches are widely used. Expressing functional requirements in formal
languages enables reasoning and formal testing. This paper proposes the Simplified
Universal Pattern (SUP) as an easy to use formalism and compares it to SPS, another
commonly used specification pattern system. Consistency is an important property
of requirements that can be checked already in early design phases. However, formal
definitions of consistency are rare in literature and tent to be either too weak or
computationally too complex to be applicable to industrial systems. Therefore this
work proposes a new formal consistency notion, called partial consistency, for the
SUP that is a trade-off between exhaustiveness and complexity. Partial consistency
identifies critical cases and verifies if these cause conflicts between requirements

Keywords: Formal Methods, Requirements Engineering, Consistency Analysis,
Verification

1 Introduction

In designing safety critical embedded systems, requirements driven processes are widely used.
These processes usual start with a textual description of the system requirements, that are further
refined during the development process. For illustration purposes, imagine the design of a car’s
light system where a feature called tip-blinking is specified using the following requirements:

Req 1 If the pitman arm is moved down for less than 0.5s, left blinking shall be active for 3s.

Req 2 If the pitman arm is moved up for less than 0.5s, right blinking shall be active for 3s.

Furthermore we have normal blinking:

Req 3 If the pitman arm is moved down for at least 0.5s, left blinking shall be active until the
pitman arm leaves the down position.

Req 4 If the pitman arm is moved up for at least 0.5s, right blinking shall be active until the
pitman arm leaves the up position.

The final requirement concerns safety:

∗ This work has been partially funded by the German Federal Ministry of Education and Research (BMBF) under
research grant 01IS15031H (ASSUME).

1 / 26 Volume 076 (2019)

mailto:becker@offis.de


Analyzing Consistency of Formal Requirements

Req 5 Left and right blinking must not be active together.

State of the art tool suites for embedded systems development, such as BTC EmbeddedPlatform1,
allow generating and executing test cases directly from requirements. For this it is necessary to
formalize the textual requirements, by expressing them in a formal language that is understood
by the testing tool. This paper focuses on the formal language proposed by the the Embedded-
Platform, the Simplified Universal Pattern (SUP). Pattern languages, such as SUP, are easier to
use for engineers than temporal logics such as LTL coming from theoretical computer science.
Pattern languages provide a limited set of templates (patterns) with a fixed and well defined
semantic. For formalizing a requirement, the engineer picks a pattern and fills in the pattern
parameters with simple expressions describing states and events.

Since the requirements form the basis for designing models and test cases, it is important to
have high quality requirements. One quality indicator is consistency of requirements [25]. In-
formally, a set of requirements is consistent if it is free of contradictions. Having formalized
requirements enables reasoning about consistency of requirements. Of course, this requires a
formal definition of requirement consistency itself. This paper introduces a new formal defini-
tion called partial consistency. Partial consistency focuses on requirements expressing a trig-
ger/action relationship, where the action shall occur in response to the trigger. E.g. in Req 1
above, “the pitman arm is moved down for less than 0.5s” is the trigger and “left blinking shall
be active for 3s” is the action. Checking parial consistency consists of two parts. Firstly, the set
of requirements is divided into one set consisting of all the requirements where the action is a
response to the trigger (such in requirements Req 1 to Req 4 above) and another set containing
all the other requirements (Req 5 in the example above, which does not have a trigger). Sec-
ondly, the requirements in the first set are analyzed pairwise for critical cases where timing of
the triggers causes a conflict. Here, a conflict means that two actions have to occur at the same
time (because of the timing of the triggers), but either contradict each other or violate (together)
the requirements in the second set. In the example requirements above, Req 1 and Req 2 cause
together a violation of Req 5: If the pitman arm is moved up and down shortly in sequence,
either both right and left blinking is active at the same time, which violates Req 5, or one of
Req 1 or Req 2 is violated. Note that partial consistency does not forbid that a system variable
is affected by two actions at the same time as long both actions are satisfied. For example Req
1 and Req 3 are partially consistent although it is possible to trigger normal blinking while tip
blinking is still active.

The rest of the paper is organized as follows: In Section 2 the SUP notation is completely
described. It is compared to other pattern languages in Section 3 by sketching a mapping between
SUP and SPS, a popular pattern system proposed by Dwyer et. al. [10] and extended by Konrad
and Cheng [20]. In Section 4 existing definitions of consistency are presented followed by partial
consistency in Section 5. A prototype implementation is described in Section 6 and evaluated in
Section 7. The paper closes with a brief outlook on future work in Section 8.

1 https://www.btc-es.de/

AVoCS 2018 2 / 26

https://www.btc-es.de/


ECEASST

TC AC

Lmin Amin=AmaxLmax

Figure 1: SUP in the EmbeddedPlatform

2 Simplified Universal Pattern

The SUP has been designed for use in BTC EmbeddedPlatform to overcome the difficulties for
engineers to learn the syntax and semantic of a complex formal language, while providing a for-
malism that is expressive enough to formalize functional requirements for real-world embedded
systems [8, 6]. The SUP can be seen as a template for formal requirements with gaps, called
parameters, that are filled by the engineer with side-effect free expressions over the system vari-
ables. In the EmbeddedPlatform, a rich C-like expression language has been chosen. In our
prototype implementation, we have adopted this expression language but restrict ourselves to
boolean combination of linear constraints (over integer and real variables). The EmbeddedPlat-
form provides a graphical editor together with a methodology to guide the engineer through the
formalization process.

2.1 Syntax and Semantics

The SUP assumes discrete time with a fixed step size. An instance of the SUP can be seen
as some kind of state machine that consumes a trace (see Definition 1) of the system under
development and decides if the SUP instance is satisfied or violated.

This paper uses a mathematical notation of the SUP that is inspired by the graphical represen-
tation in the EmbeddedPlatform given in Figure 1. In fact it is an extension of the notation found
in [8]. We denote SUP instances by

(T SE,T C,T EE)[T min,T max]
[Lmin,Lmax]
−−−−−−→ (ASE,AC,AEE)[Amin,Amax].

An SUP instance consists of two parts, the trigger (T SE,T C,T EE)[T min,T max] and the
action (ASE,AC,AEE)[Amin,Amax]. Both trigger and action describe behavior of the system,
and the action shall occur at the same time or after the trigger. Both trigger and action have a
start and end condition (called events) and optionally a minimum and maximum duration. The
time between trigger and action is called local scope and given as an interval [Lmin,Lmax]. All
together the SUP has 15 parameters that are summarized in Table 1. The trigger exit condition,
action exit condition and the maxTime parameters are not used in this paper and therefore not
part of the above notation. Most of the parameters have a default value (third column in Table 1),
e.g. T SE = T EE = T C which allows to omit the T SE and T EE parameters in the notation (see
Section 2.2). Most time parameters may be set to infinity (last column) to indicate an open time
bound.

3 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

Parameter Abbrev. Type Default Inf
Trigger Start Event TSE Bool TC –
Trigger End Event TEE Bool TC –
Trigger Condition TC Bool true –
Trigger Exit Condition TEC Bool false –
Trigger Duration Min Tmin Time 0 3
Trigger Duration Max Tmax Time 0 3
Local Scope Min Lmin Time 0 7
Local Scope Max Lmax Time 0 3
Action Start Event ASE Bool AC –
Action End Event AEE Bool AC –
Action Condition AC Bool – –
Action Exit Condition AEC Bool false –
Action Duration Min Amin Time 0 3
Action Duration Max Amax Time 0 3
Global Scope maxTime Time ∞ 3

Table 1: SUP parameters

Besides the parameters, the semantics of an SUP instance is controlled by its interpretation,
activation mode and startup phase. There are three different interpretations for the SUP that
define the relation of trigger and action:

progress If the trigger occurs, the action must occur in response.

invariant If the trigger occurs, the action must occur in the same step.

ordering If the action occurs, the trigger must have occurred before.

One pair of trigger and action is called an observation cycle of the SUP. Because the SUP instance
is an automaton, after the trigger has been observed further occurrences of the trigger are ignored
until the action occurs. The activation mode defines whether there is one or multiple observation
cycles. There are three activation modes:

cyclic If an observation cycle is finished, a new observation cycle starts.

first After the first complete observation cycle, the SUP instance is satisfied; no second obser-
vation cycle starts.

init Same as first, but the trigger must occur at the start of the observation cycle.

The startup phase determines the start of the first observation cycle of the SUP. There are three
startup phases defined:

immediate The observation cycle starts immediately, i.e. in step 0.

after N steps The observation cycle starts in step N, where N is a parameter of type Time.

AVoCS 2018 4 / 26



ECEASST

after reaching R The observation cycle starts in step following the first occurrence of R, where
R is a condition.

The arrow notation introduced above is for the invariant and progress interpretation with startup
phase immediate and activation mode cyclic. For the ordering interpretation the right-pointing
arrow (→) in the notation is replaced with the reverse arrow (←). To denote that one of the acti-
vation modes first or init is used instead of the default cyclic activation mode, the SUP instance
is prefixed with a keyword first resp. init.

In the following, the details of the SUP semantics for the progress interpretation are described,
followed by a more detailed description of the ordering interpretation. The invariant interpre-
tation is a special case of the progress interpretation where all parameters except TC, AC and
maxTime are set to default values. Note that this is a description of the semantics implemented
in the consistency analysis prototype.

Trigger The trigger starts with the first observation of the Trigger Start Event (TSE). In ac-
tivation mode initial, the TSE must occur exactly at the end of the startup phase. The
trigger phase ends with the first observation of the trigger end event (TEE) in the inter-
val tT SE + T min ≤ tT EE ≤ tT SE + T max, where tT SE , tT EE are the time points at which the
events are observed. Between TSE and TEE, i.e. at tT SE < t < tT EE the Trigger Condition
(TC) must hold. If this interval exceeds without TEE being observed, or the TC is violated,
the observation cycle is aborted. In activation modes cyclic and first, a new activation cycle
starts by awaiting the next TSE.

Action The action consisting of Action Start Event (ASE), Action Condition (AC), Action End
Event (AEE), and Action Duration [Amin,Amax] works analogous to the trigger, except
that the observer stops with the failure signal on violation of the AC or the bounds. If
the AEE is successfully observed within the specified interval, the observation cycle ends
successfully (without emitting failure). In activation mode cyclic, a new observation cycle
is started; the TSE of the next cycle may occur together with the last cycle’s AEE.

Local Scope The Local Scope is a time interval [Lmin,Lmax] describing the time window for
the ASE, i.e. the first occurence tASE of ASE after TEE must be located in the interval
tT EE + Lmin ≤ tASE ≤ tT EE + Lmax. Otherwise, the observer emits failure and stops.

The following special cases have to be considered:

Infinite Time Bounds All time bounds except Lmin and the parameter N from the startup phase
after N steps may be set to infinity. This means the following: Setting Lmax = ∞ means
that the ASE may occur any time (but at least Lmin steps after TEE) in the future. Set-
ting Amin = ∞ means that the AC must be true forever after ASE is observed, except the
observation cycle is canceled by the AEC.

In the interpretation ordering, the local scope has only a lower bound and the upper bound is
always infinite. The above behavior is modified as follows: If the ASE occurs together with the
start of the trigger or earlier than Lmin steps after complete observation of the trigger, i.e. on
tASE < tT EE + Lmin, the observer emits failure. If the AEE occurs too early or too late or the AC
is violated, the observation does not fail but the observer waits for another ASE.

5 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

2.2 Examples

In the remaining of the paper we omit parameters with default values in the SUP notation. Inter-
vals [`,`] are abbreviated to [`]. For example p → q is a shorthand for

(p, p, p)[0,0]
[0,0]
−−→ (q,q,q)[0,0]

and p[5]→ (q,r,s)[0,∞) abbreviates

(p, p, p)[5,5]
[0,0]
−−→ (q,r,s)[0,∞).

In the following, we formalize the requirements from the introduction. We model the pitman
arm’s positions as two predicates up, down and left/right blinking as left resp. right. We use a
fixed step size of 0.1s.

Req 1 If the pitman arm is moved down for less than 0.5s, left blinking shall be active for 3s.

(down,down,¬down)[0,5]→ left[30]

Note that the trigger duration includes the step where the TEE (¬down) occurs. So in fact
a strict upper bound for the duration of down is encoded.

Req 2 Right tip blinking analogous: (up,up,¬up)[0,5]→ right[30]

Req 3 If the pitman arm is moved down for at least 0.5s, left blinking shall be active until the
pitman arm leaves the down position.

down[5]→ (left,left,¬down)[0,∞)

Req 4 Right blinking analogous: up[5]→ (right,right,¬up)[0,∞)

Req 5 Left and right blinking must not be active together.

true →¬(left∧right)

2.3 Observer Automata

In the EmbeddedPlatform, formal requirements are translated into observers. Observers monitor
executions of a system and indicate if a requirement is violated. System executions are modeled
as traces over system variables (i.e. input, output and internal variables of the system). A trace
assigns a value to every variable and time step.

Definition 1 (Trace) A finite (infinite) trace over variables X is a finite (infinite) sequence
σ = σ0σ1σ2 ... where σi : X→ V assigns a value σi(x)∈Vtype(X) to every variable x ∈X in step
i.

AVoCS 2018 6 / 26



ECEASST

We denote the set of all infinite traces over X by T (X), and the set of finite traces of length
k by Tk(X). For Y ⊆ X we denote by σ ↓Y the restriction of σ to variables in Y and by σ ↓n=
σ0σ1 ...σn−1 the prefix of length n ∈N of σ .

In this paper, observers are modeled as Büchi automata with counters and a special failure
state, called counter automata2 [11], that accept traces over a subset of the system variables,
called the observed variables of the automaton in the following. Counter automata consist of
finite sets of states, transitions and counter variables that are distinct from the observed variables.
Every transition is labeled with a boolean expression over observed variables and counters, called
guard. In every step, a transition with satisfied guard is taken and counters are either incremented,
set to some integer constant, or left unchanged.

Definition 2 (Counter Automaton) A counter automaton over a set X of variables is a tuple
A =

〈
S,X,W,s0,s f ,F,T

〉
with states S, integer counter variables W (disjoint from X), initial

and failure state s0,s f ∈ S, a set F ⊆ S of fair states such that s f 6∈ F , and a set T of transitions. A
transition 〈s,g,γ,s′〉∈ T consists of source and target states s,s′ ∈ S, a guard g ∈ Ex prB(X∪W)
(a boolean expression over X∪W) and a function γ : W→N∪{INC,ST ABLE}.

A trace σ over X∪W∪{s} with Vtype(s) = S is a run of A if σ0(s) = s0, σ0(c) = 0 for c ∈W
and for all i ∈N (i < n−1 for finite traces of length n) exists 〈s,g,γ,s′〉∈ T such that σi(s) = s,

σi+1(s) = s′, σi |= g and σi+1(c) =




γ(c) if γ(c)∈N
σi(c)+ 1 if γ(c) = INC
σi(c) if γ(c) = ST ABLE

for c ∈ W. A run is weak

accepting if σi(s) 6= s f for all i ∈ N (i < n for finite runs of length n). A run is accepting if it is
weak accepting and σi(s) ∈ F for infinitely many steps i ∈ N (in case of an infinite run), resp.
σi(s)∈ F for some step i ∈N (in case of a finite run).

For both infinite and finite runs σ ∈ T (Y) resp. σ ∈ Tn(Y) with Y ⊇ X we write σ |= A if
there exists an accepting run σ ′ of A with σ ′↓X= σ ↓X. Analogously we write σ |=w A if there
exists a weak accepting run σ ′ of A with σ ′ ↓X= σ ↓X.

Here, σi |= g indicates satisfaction of guard g in step i of σ . We assume that the set Ex prB(X∪
W) allows boolean combination of linear inequalities. Throughout this paper, we require counter
automata to be deterministic and complete, i.e. in every step exactly one transition can be taken.
Furthermore, the failure state is a sink, meaning, once entered, the failure state is never left
(technically the failure state has exactly one outgoing transition that is a self loop with the guard
true).

Note that the above definition extends counter automata with fair states, compared with the
original definition in [11]. What is called acceptance in [11] is called weak acceptance here. Fair
states are necessary to model instances of the SUP with parameters Lmax or Amax set to infinity,
because these describe unbounded liveness properties where violation cannot be detected in finite
prefixes.

2 Because transitions are labeled with expressions that also contain system variables, the term extended counter
automata might be more precise. We use the shorter term counter automaton since it is used for the same type of
automata in previous work [11].

7 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

0 1

2

3

down/c := 1

¬down c > 5∧down/c := 1,
c ≤ 5∧down/c ++

c > 5∧down

c ≤ 5∧left∧¬down/
c := 1

c ≤ 5∧¬left∧¬down

c = 30∧left∧¬down

c = 30∧left∧down/
c := 1

c > 30∧left

c < 30∧left/c ++

true

Figure 2: Counter automaton for Req 1; state 0 is both the initial and a fair state, state 3 is the
failure state; c ++ denotes increment of c.

Assumption 1 For every instance R of the SUP we can construct a counter automaton AO(R),
called its observer automaton, that accepts the traces satisfying R.

Obviously, we cannot give a formal proof for the assumption above, because we describe the
SUP semantics only informally. Unfortunately there is no handy definition of the SUP semantics
in temporal logics that describes the semantics of the SUP with all its parameters precisely. The
formal semantics [24] of the SUP that have been kindly provided by BTC EmbeddedSystems
to the author for developing his prototype, use automata networks that are very close to counter
automata. Based on these formal semantics, one automata scheme for each combination of
interpretation, startup phase, and activation mode of the SUP has been constructed in a computer-
aided process. An automata scheme is a counter automaton over the SUP parameters instead
of the system variables. For reason of space, we cannot give the construction (or a proof of its
correctness) here. Unfortunately, the complete automata schemes that use all the SUP parameters
are too big to be presented in a paper. Instead, Appendix A lists simplified versions of some of
the automata schemes that cover the subset of the SUP used in this work. For any SUP instance R,
the observer automaton AO(R) can be derived from one of the automata schemes by substituting
the parameters in the guards. Afterwards the following simplification steps are applied to the
observer automata: (1) simplification of the guards, (2) removal of transitions with unsatisfiable
guards, unreachable states and unused counters, (3) merge of equivalent states.

Example 1 Figure 2 shows an observer automaton for Req 1. It starts in state 0. If the trigger
starts (i.e. left is true) it switches to state 1. If left remains true for 5 steps, it proceeds to state
2, otherwise returns to state 0. In state 2, the action is checked. If left is true for 30 steps, the
automaton returns to the initial state, otherwise it enters the failure state. This also explains what
is meant by iterative semantics of the SUP: Once state 2 is entered, the trigger variable left is not
observed any more until the current action phase is violated or completed.

AVoCS 2018 8 / 26



ECEASST

3 Other pattern languages

Since the SUP as a pattern language has limitted expressiveness compared to more complex
formal languages, we try in this section to give some evidence that the SUP is expressive enough
to model industrial use cases. In a case study [23] performed at BOSCH the Specification Pattern
System (SPS) originally proposed by Dwyer et. al. [10] and extended by Konrad and Cheng [20]
has been evaluated. SPS provides a set of natural language patterns for specifying behavioral
requirements with a formal semantic given in Modular Temporal Logic (MTL) [3]. In the case
study, 193 out of 245 requirements could be formalized within the SPS by Konrad and Cheng.
In the following we will demonstrate the usability of the SUP by presenting a mapping from the
SPS patterns used in the case study to the SUP.

Definition 3 (MTL) MTL formula over a set X of variables are inductively defined as follows:

• A predicate over X is an MTL formula.

• If φ is an MTL formula so is Xφ .

• If φ1, φ2 are MTL formula, c ∈T and ∼∈{<,≤,=,≥,>} so is φ1 U∼c φ2.

• Boolean combinations of MTL formulas are MTL formulas.

Satisfaction of MTL is defined for traces σ ∈ T (X) and i ∈N as follows:

• σ,i |= p if p is a predicate over X and σi |= p.

• σ,i |= Xφ if σ,i + 1 |= φ .

• σ,i |= φ1 U∼c φ2 if exists d ∼ c, such that σ,i + d |= φ2 and σ, j |= φ1 for all j ∈ N with
i ≤ j < i + d.

• Boolean connectives are defined as usual.

MTL defines the usual abbreviations from temporal logic: F∼cφ :⇔ true U∼c φ , G∼cφ :⇔¬F∼c¬φ ,
φ1 W φ2 :⇔ φ1 U φ2 ∨Gφ1.

The mapping from SPS to SUP is listed in Table 2. Note that there is no general mapping
from SUP to MTL and the contents of Table 2 have not been proven formally. Although the SUP
instances in the table match the MTL semantics of SPS very closely, the main purpose of the
table is to give evidence that the SUP may be used as a replacement of SPS in a formalization
process. The SUP for “Precedence Chain 2:1” uses the last operator, that gives access to the value
of P in the previous step. It is supported both in the EmbeddedPlatform as well as our analysis
prototype. The MTL semantics of time-constrained SPS patterns has been taken from [4], for
untimed patterns the original LTL semantic [10] is used. The main difference between MTL
semantics of SPS and the SUP is that in the SUP there are no overlapping observation cycles (for
one instance). After the trigger occurred, the SUP observer waits for the action belonging to the
trigger and ignores all other triggers that may occur in between. For the SPS patterns in Table 2,
a mapping is possible because (except for “Minimum duration” and “Bounded invariance”) they

9 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

Pattern Name MTL semantics SUP
Absence G¬P true → (¬P)
Universality GP true → P

Existence FP init true
[0,∞)
−−−→ P

Response G(P ⇒ FQ) (P∧¬Q)
[0,∞)
−−−→ Q

Precedence (¬P) W Q first Q
[0,∞)
←−−− (P∧¬Q)

Minimum duration G(P∨(¬P W G≤d P)) (¬P,P,P)[0,∞)→ P[d]

Maximum duration G(P∨(¬P W (P∧F≤d¬P))) (¬P,P,P)[0,∞)
[0,d]
−−→ (¬P)

Periodic category GF≤d P ¬P
[0,d]
−−→ P

Bounded response G(P ⇒ F≤d Q) (P∧¬Q)
[0,d]
−−→ Q

Bounded invariance G(P ⇒ G≤d Q) (P,¬P,¬Q)[0,d]→ false

Precedence Chain 2:1 ¬P W (S∧¬P∧X(¬P W T )) first (S,true,T )[1,∞)
[0,∞)
←−−− last(P)

Table 2: Expressing SPS patterns in SUP

have only upper time bounds, so only the largest distance from a trigger to the next action shall
be observed by the automaton. The mapping for the Minimum duration pattern works because
trigger and action are exclusive. For the “Bounded invariance” pattern it is possible to construct
an SUP instance, where the observer is reset every time ¬P∧Q occurs. Note that the trigger for
“Bounded invariance” is the opposite of the SPS pattern semantics and the action is unsatisfiable.
So, if the SPS pattern is violated, the observer for the SUP instance enters its failure state. The
observer automata for the SUP instances in Table 2 are listed in Appendix A.

In SPS, a requirement has some optional scope, meaning the requirement applies only after
some event P, until some event Q, or between P and Q. The semantics in Table 2 is for the global
scope, meaning without restriction by events. The global scope and the scope “after P” directly
correspond to startup phases “immediate” and “after reaching R” of the SUP. Using the mapping
from Table 2, it shall be possible to formalize 90% of the SPS requirements from the BOSCH
case study with the SUP. The remaining 10% use one of the SPS scopes “between P and Q” and
“until Q”, that do not have SUP counterparts.3

4 Existing Consistency Notions

Before we present partial consistency, we give a short summary of related work on consistency
of formal requirements.

One of the earliest attempts for specifying formal requirements is Software Cost Reduction
(SCR) [16, 14, 13]. In SCR, a system is described as a state machine in tabular form. The
consistency checker for SCR checks for completeness and determinism of the specification. In
contrast to other approaches, the consistency checker for SCR performs only static checks, but
no reacheability analysis [15]. Similar methods are proposed for requirements state machines
[18].

3 Please note that this is not a limitation of the automata-based approach behind the SUP – introducing these missing
scopes would be a simple extension.

AVoCS 2018 10 / 26



ECEASST

Other approaches define consistency more globally. The most general definition of consis-
tency is that there exists at least one implementation for the requirements [7]. In [11] existential
consistency is presented, where a set of requirements is called consistent, if there exists at least
one trace that satisfies all requirements. In the same work, this notion is refined to bounded exis-
tential consistency that can be checked using bounded model checking and triggered existential
consistency that further restricts accepted traces to those that represent the “intended” meaning
of the requirements and exclude trivial behavior that is not of practical use. In a recent work [12]
the authors use an encoding of TCTL [2] formulas as SMT problems to check consistency of SPS
requirements. They use a notion of consistency that is comparable to existential consistency [11]
sketched above: TCTL specifications R1,...,Rn are consistent, if their conjunction is satisfiable,
i.e. there is a timed transition system M |= R1 ∧···∧Rn. The authors claim to exclude trivial
behavior, but do not explain this in detail.

Some stronger notions of consistency take into account that the system shall be able to handle
every input from the environment. In [1], requirements are implemented as labeled transition
systems. Consistency is then defined on the reachable states of the system. The set of consistent
states is the largest subset of the system state space such that for every input exists an output such
that all requirements are satisfied and the next state is again in that set. The system is consistent
if this set contains the initial state. This notion of consistency honors the fact that a component
does not have control over the inputs it receives. If the requirements are consistent there exists
an implementation that can deal with all inputs that are allowed by the specification.

In [22] a consistency notion called rt-consistency is presented that requires that every finite
trace that satisfies all requirements can be extended to an infinite one. Hence, if a set of require-
ments is rt-consistent there exists an implementation that guarantees liveness of the system. A
similar notion of consistency is implemented in the STIMULUS tool [19]. STIMULUS provides
a consistency analysis by simulating functional requirements, where local non-determinism is
resolved by linear constraint solving. If in some step no solution exists, STIMULUS reports an
inconsistency.

5 Partial Consistency

In the following we present the main contribution of this paper: A new consistency notion for
SUP called partial consistency. Partial consistency is based on triggered existential consistency
[11]. Our experience shows that existential consistency is not enough in practice, since it does
not take combinations of triggers into account. As an example, consider requirements Req 1,
Req 2 and Req 5 from Section 2.2: They are existentially consistent, since, when requesting
right and left tip blinking with a delay of three seconds, all requirements are satisfied in one
run. But if the delay is shorter, one requirement is violated. Inconsistencies of this kind are not
found by existential consistency. The user expects that a consistent set of requirement does not
restrict the inputs of the system, meaning that in every state every input has at least one possible
output without violating a requirement. This is very close to the definition of consistency in [1]
or strong consistency defined in [5].

In the following we denote, for some set R of SUP instances over system variables X, the set
of satisfied traces by T (R) ={σ ∈T (X) | σ |= AO(R) for any R ∈R}. The terms requirement

11 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

and SUP instance are used as synonyms.

Definition 4 (Strong Consistency[5]) A set R of requirements is strongly consistent wrt. the
system inputs IN ⊆X if there exists a non-empty set Σ ⊆ T (R) such that

∀σ ∈ Σ,τ ∈ T (X),n ∈N : σ↓n = τ↓n ⇒∃σ ′ ∈ Σ : σ ′↓n = σ↓n ∧σ ′↓IN = τ↓IN.

However, as seen in [1] a check for this form of consistency requires some kind of quantifier
nesting in the analysis. Although current solvers have limited support for quantifiers, we consider
using SMT with nested quantifiers impractical for real-world examples. As a consequence, we
try not to consider all possible input traces, but try to characterize and check those ones that
may cause conflicts. Furthermore we don’t want to distinguish explicitly between inputs and
outputs of the system. The reason for the latter is that partial consistency shall also be applicable
to semi-formal requirements. Semi-formal requirements use so-called macros [17] instead of
the system variables. In a second development step, macros are mapped to expressions over
the system variables. This allows reasoning on requirements before the system interface is fully
specified. Since a macro can depend on both input and output variables, it is not possible to say
that a macro is an input or an output.

The partial consistency analysis focuses on those SUPs that we call reactive:

Definition 5 An instance of the SUP is reactive if it has interpretation invariant or progress
but is not of the form true

[0,0]
−−→ P.

All other requirements are called invariant in the following. SUP instances with the ordering
interpretation are not part of the reactive requirements because the action is not required to occur
in response to the trigger. We designed the partial consistency analysis with two observations in
mind:

1. The system cannot influence when the triggers of reactive SUPs occur, since they depend
usually on inputs.

2. Conflicts are most likely caused by contradicting actions, that are forced (by occurrence
of the triggers) to occur at the same time.

The strategy for consistency analysis is to inspect the Lmin, Lmax and Amin parameters of two
reactive SUP instances and to calculate a critical delay between the triggers of the two require-
ments that may cause a conflict. We call this partial consistency because this strategy will of
course only discover conflicts between pairs of requirements. Note that with the ordering inter-
pretation, the action is not required to occur finally after the trigger. For two SUP instances R1
and R2 the actions must occur at the same time if, for the time points t1 and t2 marking completion
of the trigger phases,

∀l1 ∈ LSR1∀a1 ∈ ADR1∀l2 ∈ LSR2∀a2 ∈ ADR2 :
[t1 + l1,t1 + l1 + a1]∩ [t2 + l2,t2 + l2 + a2] 6= /0 (1)

AVoCS 2018 12 / 26



ECEASST

0 3 4

down/c := 1
¬down

c > 5∧down/c := 1,
c ≤ 5∧down/c ++

c > 5∧down

c ≤ 5∧¬down
true

Figure 3: Trigger automaton for Req 1

where LSR = [LminR,LmaxR] (resp. LSR = [LminR,∞) if LmaxR = ∞) is the local scope and
ADR = [AminR,AmaxR] (resp. ADR = [AminR,∞) if AmaxR = ∞) is the action duration of an SUP
instance R ∈{R1,R2}. Eliminating the quantifiers leads to

LmaxR2 −LminR1 −AminR1 ≤ t1 −t2 ≤ LminR2 + AminR2 −LmaxR1. (2)

if all of LminR1,AminR1,LminR2,AminR2 6= ∞. If one of the parameters is set to ∞, Equation (1)
is still valid, but the result of quantifier elimination changes: If AminR1 = ∞ then the left in-
equality of Equation (2) collapses to true, and analogously the right inequality becomes true if
AminR2 = ∞. If LminR1 = ∞ and AminR2 6= ∞, or LminR2 = ∞ and AminR1 6= ∞, then Equation (1)
is unsatisfiable and Equation (2) becomes false.

Example 2 For requirements Req 1 and Req 2 (see Section 2.2) this leads to

0−0−30 =−30 ≤ t1 −t2 ≤ 0 + 30−0 = 30

meaning that right and left blinking overlaps if both right and left tip blinking is requested within
30 steps (= 3s).

In the following, we denote the property stated in equation (2) as Interfere(R1,R2)(t1,t2). We
assume that the Lmin, Lmax and Amin parameters are constants4. We follow the approach of [11]
to construct for some requirement R over system variables X an observer automaton AO(R) over
X (the counter automaton as described in 1), and a second counter automaton AT (R) (over some
subset Y⊆X) called its trigger automaton. Trigger automata are constructed in a way such that
their fair state is entered when the trigger phase of R is complete. One can think of the trigger
automaton being the observer automaton for R where the action has been replaced by true. The
failure state of a trigger automaton is not reachable.

Example 3 The trigger automaton for Req 1 is depicted in Figure 3.

Definition 6 (Partial Consistency) For requirements R1, R2 and R, trace σ and k ∈N (k < n−1

4 Note that the EmbeddedPlatform allows expressions over system variables here.

13 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

if σ is finite with length n) define

TriggerAtR(σ,i) :⇔ σ↓i 6|= AT (R)∧σ↓i+1 |= AT (R)
Cond{R1,R2},k(σ) :⇔∃i, j ∈N : i ≤ k∧ j ≤ k∧TriggerAtR1(σ,i)

∧TriggerAtR2(σ, j)∧Interfere(R1,R2)(i, j)

Two reactive requirements R1, R2 and a set Rinv of invariant requirements are partially consistent
if for all k ∈N(

∃σ1 ∈ T (Rinv ∪{R1}) : Cond{R1,R2},k(σ1)∧∃σ2 ∈ T (Rinv ∪{R2}) : Cond{R1,R2},k(σ2)
)

⇒
(
∃σ ∈ T (Rinv ∪{R1,R2}) : Cond{R1,R2},k(σ)

)
. (3)

In the definition, the condition TriggerAtR(σ,i) is true if the trigger of R is completed in the
trace σ at step i + 1. So Cond{R1,R2},k(σ) returns true if R1 and R2 are triggered in σ before step
k such that the Interfere condition is satisfied. We check all pairs of reactive requirements:
If we can satisfy each requirement separately while triggering both requirements, can we satisfy
both requirements at once? In both the premise (left-hand side of the implication sign (⇒) in
Equation 3) and the consequence (right-hand side of the implication), traces are searched where
all invariant requirements are satisfied and the delay between triggers of R1 and R2 is in the
interval given by Equation (2).

Theorem 1 If, for two reactive requirements R1 and R2, and a set Rinv of invariant require-
ments, the trigger automata of R1 and R2 depend only on input variables IN ⊆X (i.e. AT (R1) is
a counter automaton over some set Y1 ⊆ IN and AT (R2) is a counter automaton over Y2 ⊆ IN),
then strong consistency of {R1,R2}∪Rinv implies partial consistency of R1, R2 and Rinv.

Proof. Assume that R = {R1,R2}∪Rinv is strongly consistent. We have to show that, for any
k ∈ N, the premise of partial consistency implies the consequence of partial consistency for
the same k. Assume the premise of partial consistency holds for some k ∈ N, i.e. there exists
some trace τ ∈ T (Rinv ∪{R1}) such that Cond{R1,R2},k(τ) holds. By the definition of strong
consistency, there is some σ ′ ∈ T (R) such that σ ′ ↓IN= τ ↓IN (note that σ ↓0= τ ↓0 holds for
arbitrary σ ∈ Σ). Remember AT (R1) is a counter automaton over some set Y1 ⊆ IN. For any
prefix τ ↓i of τ , by Definition 2, τ ↓i|= AT (R1) if, and only if, there exists some finite accepting
run τ′ of AT (R1) such that τ′ ↓Y1= τ ↓i↓Y1 . Because Y1 ⊆ IN, also σ

′ ↓i↓Y1= τ
′ ↓Y1 . As a

consequence, σ ′ ↓i|= AT (R1) if, and only if, τ ↓i|= AT (R1). The same holds for AT (R2). To
sum up, Cond{R1,R2},k(σ

′) holds and, together with σ ′ ∈ T (R), finally R1, R2, and Rinv are
partially consistent.

Our implementation uses bounded model checking (BMC) [9]. BMC decides if some property
can be reached within n steps in a transition system by unrolling the transition relation n times.
Therefore we cannot check infinite traces. Instead we use finite acceptance criteria that can be
checked with BMC and allow to infer the (non)existence of satisfying infinite traces.

Definition 7 (Finite Acceptance Criteria) For a set R of requirements define the following sets
of satisfying traces over X:

AVoCS 2018 14 / 26



ECEASST

• Bounded acceptance: The set of finite traces of length k ∈ N that satisfy R is Tk(R) :=
{σ ∈ Tk(X) | σ |=w AO(R) for each R ∈ R}.

• Searching for a loop [11]: We introduce a modified acceptance relation: For i < k ∈ N
and some finite trace σ ∈ Tk(Y) (Y ⊇ X) we write σ |=loop(i,k) A if there exists a finite
accepting run σ ′ of length k + 1 for A such that σ↓X = σ ′↓X, σ ′i = σ

′
k and σ

′
j(s) ∈ F for

some j ∈ N with i ≤ j ≤ k. Here s is the state variable and F the set of fair states of A .
We define the set of satisfying traces with a loop from i to k as T(i,k)(R) :={σ ∈ T j(X) |
σ |=loop(i, j) AO(R) for each R ∈ R}.

Lemma 1 For a set R of requirements and all i,k ∈N with i ≤ k

T(i,k)(R)⊆{σ ↓k| σ ∈ T (R)}⊆ Tk(R).

proof sketch. The second inclusion {σ ↓k|σ ∈T (R)}⊆Tk(R) follows from Definition 2. The
idea behind acceptance with a loop is that the system state at start of the loop is indistinguishable
from the state at the end of the loop. Every prefix with a loop can be extended to an infinite trace
by infinitely repeating the loop, so T(i,k)(R) ⊆{σ ↓k| σ ∈ T (R)}. For details see [11]. Note
that compared to [11] our counter automata have fair states. Because we require that the counter
automaton is in a fair state at least once between i and j in the finite run σ ′, this fair state is
visited infinitely often in the infinite run.

Definition 8 (Bounded Partial Consistency) Two reactive requirements R1, R2 and a set Rinv of
invariant requirements are (α,β )-bounded partially consistent (with α,β ∈N such that α,β ≥1)
if

(∃i < α∃σ ∈ T(i,α)(Rinv ∪{R1}) : Cond{R1,R2},i(σ))
∧(∃i < α∃σ ∈ T(i,α)(Rinv ∪{R2}) : Cond{R1,R2},i(σ))

⇒ (∃σ ∈ Tα+β (Rinv ∪{R1,R2}) : Cond{R1,R2},α (σ)).

Analogous to partial consistency, we call the left-hand side of the implication in Definition 8
the premise, and the right-hand side the consequence of bounded partial consistency. Larger
values for α and β increase the completeness of bounded partial consistency wrt. partial con-
sistency, but also increase the length of the traces to be checked. Lower values for α may lead
to the case that the premise of bounded partial consistency is not satisfiable at all and thereby
no inconsistencies can be found. For example consider the observer automaton for Req 1 given
in Figure 2: A satisfying run with a loop that also satisfies Cond has to go through states 0, 1
and 2, which takes T min + Amin = 35 steps in sum. As a rule of thumb, for all SUP instances
α � T min + Lmin + Amin, because this is the minimum length of a complete observation cycle
and therefor of a trace with a loop. The consequence of bounded partial consistency checks for
the existence of a trace that satisfies all requirements, where the triggers occur before step α .
If β is too small, it might be the case that the prefixes that we are checking end before some
observer automaton is forced into its failure state. Because entering the failure state may be de-
layed up to Lmax or even Lmax + Amax steps (until the end of the action phase), set β � Lmax,
or β � Lmax + Amax if Amax 6= ∞ and AEE 6= AC.

15 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

Bounded partial consistency is a sound, but not complete, under-approximation of partial con-
sistency.

Theorem 2 For any two reactive requirements R1 and R2, any set Rinv of invariant require-
ments, and any α,β ∈ N with α,β ≥ 1, partial consistency of R1, R2 and R implies (α,β )-
bounded partial consistency of R1, R2 and R.

Proof. Assume two reactive requirements R1 and R2 and some set Rinv of invariant require-
ments are partially consistent. Choose some arbitrary α ∈ N such that α ≥ 1. If, for the cho-
sen α , the premise of bounded partial consistency does not hold, then the requirements are
bounded partially consistent by definition. In the following consider the other case, i.e. the
premise of bounded partial consistency holds for the chosen α . By Lemma 1, existence of some
σ1 ∈ T(i,α)(Rinv ∪{R1}) implies existence of some σ ′1 ∈ T (Rinv ∪{R1}) such that σ

′
1 ↓α = σ1,

and, by definition, Cond{R1,R2},i(σ1) implies Cond{R1,R2},α (σ
′
1) for i < α . The same is true for

Rinv ∪{R2}. Hence the premise of partial consistency holds for k = α . Assuming R1, R2 and
Rinv are partially consistent, also the consequence of partial consistency holds for k = α . I.e.,
there exists some trace σ ∈ T (Rinv ∪{R1,R2}) such that Cond{R1,R2},α (σ) holds. By Lemma 1,
σ ↓α+β∈ Tα+β (Rinv ∪{R1,R2}) for any β ∈ N with β ≥ 1. Again, Cond{R1,R2},α (σ) implies
Cond{R1,R2},α (σ ↓α+β ), so the consequence of bounded partial consistency holds as well. To
sum up: R1, R2 and Rinv are bounded partially consistent.

Although (bounded) partial consistency is based on (bounded) triggered existential consis-
tency, they are incomparable. The example from the introduction is triggered existentially con-
sistent but not partially consistent, as shown in Section 7. On the other hand, the running example
from [11] is bounded partially consistent but not triggered existentially consistent. Note also that
bounded triggered consistency implies triggered consistency while partial consistency implies
bounded partial consistency.

6 Implementation

We implemented a prototype of the partial consistency using the general-purpose SMT solver
Z3 [21] as a backend. We widely reuse the implementation from [11] and extend it with the
Interfere condition. Checking a pair of requirements for bounded partial consistency results
in three BMC problems: Two for the premise (the left-hand side of the implication sign ⇒) and
one for the consequence (the right hand side of ⇒) in Definition 8.

A BMC problem consists of three conditions over the system state X in the current and the
next step, denoted by X′: The initial condition I(X), the transition relation T (X,X′) and the
target F(X). To check if F can be reached within n steps we introduce n + 1 copies X0,...,Xn of
the system variables X and check if

I(X0)∧
n∧

i=1

T (Xi−1,Xi)∧F(Xn)

AVoCS 2018 16 / 26



ECEASST

is satisfiable. The size of the resulting SMT problems for the pair (R1,R2) is in

O

(
(α + β )

(
|AT (R1)|+|AT (R2)|+ ∑

R∈Rinv∪{R1,R2}
|AO(R)|

))
.

Here, |A | is the size of a counter automaton5.
The encoding choosen in [11] introduces for every observer or trigger automaton A a boolean

variable failA resp. fairA that is true if the automaton is in its failure resp. a fair state
in the current step. We found a finite trace satisfying some set R of requirements if, for each
requirement R ∈ R, in some step in every step fairAO(R) = true and failAO(R) = false in all
steps. Because the failure states cannot be left, it is enough to check failAO(R) = false in the
last step. To encode Trigger{R1,R2},k, we introduce a variable tR for R ∈{R1,R2} that is set to
the current step index at the time fairAT (R) becomes true and remains stable in the rest of the
trace. Then we encode Cond{R1,R2},k in the target as

fairAT (R1)∧fairAT (R2)∧tR1 < k∧tR2 < k∧Interfere(R1,R2)(tR1,tR2).

We encode satisfiability with a loop by introducing a copy xstore for each state variable x ∈
SVars. Here the state variables SVars consists of, for each counter automaton, the variable s
holding the current state and the counters. We let the BMC solver “guess” the beginning of the
loop by setting a boolean variable loop to true in some arbitrary step. When setting loop, the
current state is stored into the copy variables that remain stable to the end of the trace. The
transition relation of the BMC problem is extended as follows (unprimed variables denote the
values in the current step and primed variables values in the next step):(

loop ⇒ loop′∧
∧

s∈SVars
s′store = sstore

)
∧

((
¬loop∧loop′

)
⇒
∧

s∈SVars
s′store = s

)

The trace has a loop if in the last step if the state variables again equal the copy variables. So we
add

loop∧
∧

s∈SVars
sstore = s

to the target of the BMC problem.

7 Evaluation

We evaluate the partial consistency on the example from the introduction. Since it is physically
impossible to move the pitman arm up and down at the same time, we add a further invariant
requirement:

Req 6 true →¬(up∧down)
5 More precisely the size of the formula that is required to encode its transition relation for a single step, which grows
with the number of counters, transitions and the size of the guards, i.e. |A |∈ O

(
∑(s,g,γ,s′)∈T (|g|+|W|)

)
.

17 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

Set Premise 1 Premise 2 Consequence
Req 1, Req 2 2.88s 3.49s 7.21s
Req 1, Req 3 2.78s 2.61s 2.86s
Req 1, Req 4 3.59s 2.73s 3.79s
Req 2, Req 3 5.33s 2.37s 4.79s
Req 2, Req 4 3.21s 2.07s 2.58s
Req 3, Req 4 3.14s – –

Table 3: Solver run times for the analysis

The analysis finds three pairs in the example that together with Req 5 form an inconsistency:
{Req 1,Req 2}, {Req 1,Req 4}, and {Req 2,Req 3}. All three cases refer to conflicts with Req
5 that occur when requesting blinking in one direction while tip blinking in the other direction is
still active. The run times of Z3 solver (divided into the two premises and the consequence for
each pair) are listed in Table 3. For the pair {Req 3,Req 4}, the first premise is unsatisfiable,
and therefor the BMC problems for the second premise and consequence have been skipped
(indicated by a dash in Table 3). For the remaining four pairs, both premise and consequence
hold. We choose as bounds α = 40 and β = 20. The test has been run on a Windows 7 PC with
an Intel Core i5-2400@3.10GHz using Z3 4.6.0 as a backend.

It turned out that the BMC unrolling depth is the crucial factor influencing performance.
Therefore we repeated our experiments using symbolic time, meaning we contract multiple steps
into one if only counter values change6. This allows us to get the same results as above with only
25 unrolling steps. As another evaluation, using symbolic time we are able to check consistency
of the industrial case study from [6] containing 16 formalized requirements in 80s. Although the
author has not been able to prove the formal soundness results from Section 5 for symbolic time
yet, no false findings of the analysis have been experienced so far.

Compared to bounded existential consistency, bounded partial consistency does not produce
false inconsistencies. In contrast to [11, 12], more complex inconsistencies are found. Unfortu-
nately in [12] no performance results are given, but we assume our approach being comparable
in performance. Simulation, as in the ArgoSim7 STIMULUS tool [19] is another promising and
interesting approach. For the running example of this paper, STIMULUS finds the same incon-
sistencies as the bounded partial consistency analysis. However, simulation-based techniques
are less powerful in resolving non-determinism and therefore require another – more imperative
– style of requirements.

8 Conclusion and Future Work

In this paper, partial consistency has been introduced. Partial consistency is an extension of ex-
istential consistency that checks pairs of reactive SUPs, under the assumption that they interfere
with each other. Interference of SUPs means that they are triggered in a way such that their

6 The basic idea is to introduce an explicit integer time variable t and increase counters in every step by ti+1 − ti
instead of 1. The maximum increment is calculated from the guards.
7 https://argosim.com/

AVoCS 2018 18 / 26

https://argosim.com/


ECEASST

actions must occur at the same time. We skip pairs, where interference is not possible. Partial
consistency finds more true conflicts between requirements than existential consistency alone.
However, there are cases that are not recognized by partial consistency, for example

• Conflicts that involve more than two reactive requirements

• Cases where the conflict is not between the actions of two requirements but between e.g.
an action and the local scope. This means that one requirement causes the action of another
requirement to occur too early.

It is ongoing work to make the interference relation more generic in order to analyze a wider
range of conflicts. This will also allow to adopt partial consistency for other pattern languages,
for example SPS or RSL [5]. In this paper we propose a mapping from SPS to SUP instead.

Bibliography

[1] Aichernig, B.K., Hörmaier, K., Lorber, F., Ničković, D., Tiran, S.: Require, test and trace
IT. In: Formal Methods for Industrial Critical Systems - 20th International Workshop,
FMICS 2015, Proceedings. LNCS, vol. 9128, pp. 113–127. Springer (2015)

[2] Alur, R., Courcoubetis, C., Dill, D.: Model-checking in dense real-time. Information and
computation 104(1), 2–34 (1993)

[3] Alur, R., Henzinger, T.A.: Real-time logics: Complexity and expressiveness. Information
and Computation 104(1), 35–77 (1993)

[4] Autili, M., Grunske, L., Lumpe, M., Pelliccione, P., Tang, A.: Aligning qualitative, real-
time, and probabilistic property specification patterns using a structured english grammar.
IEEE Transactions on Software Engineering 41(7), 620–638 (2015)

[5] Baumgart, A., Böde, E., Büker, M., Werner Damm, G.E., Gezgin, T., Henkler, S., Hungar,
H., Josko, B., Oertel, M., Peikenkamp, T., Reinkemeier, P., Stierand, I., Weber, R.: Ar-
chitecture modeling. Tech. rep., OFFIS (3 2011), http://ses.informatik.uni--oldenburg.de/
download/bib/paper/OFFIS--TR2011{ }ArchitectureModeling.pdf

[6] Becker, J.S., Bertram, V., Bienmüller, T., Brockmeyer, U., Dörr, H., Peikenkamp, T., Teige,
T.: Interoperable toolchain for requirements-driven model-based development. In: ERTS
2018 (2018)

[7] Benveniste, A., et al.: Contracts for system design. Foundations and Trends in Electronic
Design Automation 12(2-3), 124–400 (2018)

[8] Bienmüller, T., Teige, T., Eggers, A., Stasch, M.: Modeling requirements for quantitative
consistency analysis and automatic test case generation. In: FM&MDD 2016. Computing
Science Technical Report Series, vol. CS-TR-1503. Newcastle University (2016)

19 / 26 Volume 076 (2019)

http://ses.informatik.uni--oldenburg.de/download/bib/paper/OFFIS--TR2011{_}ArchitectureModeling.pdf
http://ses.informatik.uni--oldenburg.de/download/bib/paper/OFFIS--TR2011{_}ArchitectureModeling.pdf


Analyzing Consistency of Formal Requirements

[9] Biere, A., Cimatti, A., Clarke, E., Zhu, Y.: Symbolic model checking without bdds. In: In-
ternational conference on tools and algorithms for the construction and analysis of systems.
pp. 193–207. Springer (1999)

[10] Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property specifications for finite-
state verification. In: Proceedings of the 21st international conference on Software engi-
neering. pp. 411–420. ACM (1999)

[11] Ellen, C., Sieverding, S., Hungar, H.: Detecting consistencies and inconsistencies of
pattern-based functional requirements. In: Formal Methods for Industrial Critical Systems
- 19th International Conference, FMICS 2014. pp. 155–169 (2014)

[12] Filipovikj, P., Rodriguez-Navas, G., Nyberg, M., Seceleanu, C.: Smt-based consistency
analysis of industrial systems requirements. In: Proceedings of the Symposium on Applied
Computing. pp. 1272–1279. ACM (2017)

[13] Heitmeyer, C., Archer, M., Bharadwaj, R., Jeffords, R.: Tools for constructing requirements
specification: the scr toolset at the age of ten. Tech. rep., Naval Research Lab Washington
DC Center for High Assurance Computing Systems (CHACS) (2005)

[14] Heitmeyer, C., Kirby, J., Labaw, B.: Tools for formal specification, verification, and val-
idation of requirements. In: Computer Assurance, 1997. COMPASS’97. Are We Making
Progress Towards Computer Assurance? Proceedings of the 12th Annual Conference on.
pp. 35–47. IEEE (1997)

[15] Heitmeyer, C.L.: Formal methods for specifying, validating, and verifying requirements.
Journal of Universal Computer Science 13(5), 607–618 (2007)

[16] Heitmeyer, C.L., Jeffords, R.D., Labaw, B.G.: Automated consistency checking of re-
quirements specifications. ACM Transactions on Software Engineering and Methodology
(TOSEM) 5(3), 231–261 (1996)

[17] Holberg, H.J., Brockmeyer, U.: Computer-aided formal specification to enable a fully
automated requirements-based testing process (2012), https://www.btc-es.de/assets/files/
whitepapers/computer-aided-formal-specification-to-enable.pdf

[18] Jaffe, M.S., Leveson, N.G., Heimdahl, M.P.E., Melhart, B.E.: Software requirements analy-
sis for real-time process-control systems. IEEE transactions on software engineering 17(3),
241–258 (1991)

[19] Jeannet, B., Gaucher, F.: Debugging embedded systems requirements with stimulus: an
automotive case-study. In: 8th European Congress on Embedded Real Time Software and
Systems (ERTS 2016) (2016)

[20] Konrad, S., Cheng, B.H.: Real-time specification patterns. In: Proceedings of the 27th
international conference on Software engineering. pp. 372–381. ACM (2005)

AVoCS 2018 20 / 26

https://www.btc-es.de/assets/files/whitepapers/computer-aided-formal-specification-to-enable.pdf
https://www.btc-es.de/assets/files/whitepapers/computer-aided-formal-specification-to-enable.pdf


ECEASST

[21] de Moura, L., Bjørner, N.: Z3: An efficient smt solver. In: Tools and Algorithms for
the Construction and Analysis of Systems: 14th International Conference, TACAS 2008.
Proceedings. pp. 337–340. Springer (2008)

[22] Post, A., Hoenicke, J., Podelski, A.: rt-inconsistency: A new property for real-time require-
ments. In: Fundamental Approaches to Software Engineering - 14th International Confer-
ence, FASE 2011. Proceedings. pp. 34–49 (2011)

[23] Post, A., Menzel, I., Hoenicke, J., Podelski, A.: Automotive behavioral requirements ex-
pressed in a specification pattern system: a case study at bosch. Requirements Engineering
17(1), 19–33 (2012)

[24] Teige, T.: Simplified Universal Pattern Syntax and Semantics. BTC EmbeddedSystems (06
2017), confidential

[25] Zowghi, D., Gervasi, V.: On the interplay between consistency, completeness, and cor-
rectness in requirements evolution. Information & Software Technology 45(14), 993–1009
(2003)

A SUP Counter Automata Schemes

In the following, simplified versions of some of the counter automata are listed that the consis-
tency analysis prototype uses as the SUP semantics. Note that the prototype has been imple-
mented independently from the BTC embedded platform. Although the counter automata have
been created based on EmbeddedPlatform documentation, the SUP semantics that is used in the
BTC EmbeddedPlatform may be different.

21 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

0

3

5

4 2

g1 ∨g2
g4/c := 1

g5/c := 1

g6/c := 1

true

g7 ∨g9

g8 ∨g10/c := 1
g14/c ++

g12/c := 1
g13/c := 1

g15g16

g18/c := 1
g21/c ++

g19/c := 1

g20/c := 1

g22

g23

g24/c := 1
g27/c ++

g25/c := 1

g26/c := 1

Figure 4: Counter automata scheme for interpretation progress, activation mode cyclic. If
Amin = ∞, then state 4 is also a fair state.

AVoCS 2018 22 / 26



ECEASST

A.1 cyclic-progress-immediate

With interpretation progress, activation mode cyclic, and Lmin = 0, the semantics of the SUP is
given by the counter automata scheme in Figure 4 with following guards:

g1 :=¬T SE
g2 := AEE ∧(Amin ≤ 0)∧T SE ∧ASE ∧T EE ∧(T min ≤ 0)
g4 := ((Amin > 0)∨¬AEE)∧ASE ∧T EE ∧T SE ∧(T min ≤ 0)
g5 := T EE ∧T SE ∧(T min ≤ 0)∧¬ASE
g6 := ((T min > 0)∨¬T EE)∧T SE
g7 := ((((T min > c)∨¬T EE)∧¬T C)∨(c > T max))∧¬T SE
g8 := ((((T min > c)∨¬T EE)∧¬T C)∨((c > T max)∧((T min > 0)∨¬T EE)))∧T SE
g9 := (((c > T max)∧T SE ∧(T min ≤ 0))∨((T min ≤ c)∧(c ≤ T max)∧¬T SE))

∧AEE ∧(Amin ≤ 0)∧ASE ∧T EE
g10 := AEE ∧(Amin ≤ 0)∧T SE ∧(c ≤ T max)∧ASE ∧T EE ∧(T min ≤ c)
g12 := ((T min ≤ c)∧(c ≤ T max)∧((Amin > 0)∨¬AEE)
∨(T SE ∧(T min ≤ 0)∧((Amin > 0)∨¬AEE)))∧ASE ∧T EE

g13 := (((T min ≤ c)∧(c ≤ T max))∨(T SE ∧(T min ≤ 0)))∧T EE ∧¬ASE
g14 := ((T min > c)∨¬T EE)∧T C∧(c ≤ T max)
g15 := (((Amin > c)∨¬AEE)∧¬AC)∨(c > Amax)
g16 :=¬T SE ∧(c ≤ Amax)∧AEE ∧(Amin ≤ c)
g18 := AEE ∧T SE ∧(c ≤ Amax)∧ASE ∧T EE ∧(Amin ≤ c)∧(T min ≤ 0)
g19 := (c ≤ Amax)∧AEE ∧T EE ∧(Amin ≤ c)∧T SE ∧(T min ≤ 0)∧¬ASE
g20 := ((T min > 0)∨¬T EE)∧(c ≤ Amax)∧AEE ∧(Amin ≤ c)∧T SE
g21 := ((Amin > c)∨¬AEE)∧AC∧(c ≤ Amax)
g22 := c > Lmax

g23 :=¬T SE ∧AEE ∧ASE ∧(Amin ≤ 0)∧(c ≤ Lmax)
g24 := (AEE ∧ASE)∧(Amin ≤ 0)∧T EE ∧T SE ∧(c ≤ Lmax)∧(T min ≤ 0)
g25 := ((T min > 0)∨¬T EE)∧AEE ∧ASE ∧(Amin ≤ 0)∧T SE ∧(c ≤ Lmax)
g26 := ((Amin > 0)∨¬AEE)∧ASE ∧(c ≤ Lmax)
g27 := (c ≤ Lmax)∧¬ASE

Every state corresponds to a phase of the SUP observation cycle: In state 0, the automaton waits
for the TSE to occur, in state 3 it awaits the TEE, in state 5 the ASE, and finally in state 4 the
AEE.

23 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

0 5 4 6 1

2

g16/c := 1

g15/c := 1

g14/c := 1

g11 ∨g12

g9/c := 1

g8/c := 1

g5 ∨g6

g10/c ++

g3/c := 1

g1

g2
g4/

c ++

g17

g18

g19/c ++ true

true

Figure 5: Counter automata scheme for interpretation progress, activation mode init. If Amin = ∞
then state 6 is also a fair state.

A.2 init-progress-immediate

With interpretation progress, activation mode init, and Lmin = 0, the semantics of the SUP is
given by the counter automata scheme in Figure 5 with the following guards:

g1 := AEE ∧ASE ∧(Amin ≤ 0)∧(c ≤ Lmax)
g2 := c > Lmax

g3 := ((Amin > 0)∨¬AEE)∧ASE ∧(c ≤ Lmax)
g4 := (c ≤ Lmax)∧¬ASE
g5 := (((T min > c)∨¬T EE)∧¬T C)∨(c > T max)
g6 := AEE ∧ASE ∧(Amin ≤ 0)∧T EE ∧(T min ≤ c)∧(c ≤ T max)
g8 := ((Amin > 0)∨¬AEE)∧ASE ∧T EE ∧(T min ≤ c)∧(c ≤ T max)
g9 := T EE ∧(T min ≤ c)∧(c ≤ T max)∧¬ASE

g10 := ((T min > c)∨¬T EE)∧T C∧(c ≤ T max)
g11 :=¬T SE
g12 := AEE ∧(Amin ≤ 0)∧T SE ∧ASE ∧T EE ∧(T min ≤ 0)
g14 := ((Amin > 0)∨¬AEE)∧ASE ∧T EE ∧T SE ∧(T min ≤ 0)
g15 := T EE ∧T SE ∧(T min ≤ 0)∧¬ASE
g16 := ((T min > 0)∨¬T EE)∧T SE
g17 := (c ≤ Amax)∧AEE ∧(Amin ≤ c)
g18 := (((Amin > c)∨¬AEE)∧¬AC)∨(c > Amax)
g19 := ((Amin > c)∨¬AEE)∧AC∧(c ≤ Amax)

AVoCS 2018 24 / 26



ECEASST

3

6

8

2

g1

g3/c := 1

ASE
g2

g4

g6

ASE

g5/c := 1,
g7/c ++

truetrue

Figure 6: Counter automata scheme for interpretation ordering, activation mode first

A.3 first-ordering-immediate

With interpretation ordering, activation mode first, Lmin = 0, and Lmax = ∞, the semantics of
the SUP is given by the counter automata scheme in Figure 6 with following guards:

g1 := T EE ∧T SE ∧(T min ≤ 0)∧¬ASE
g2 :=¬T SE ∧¬ASE
g3 := (T min > 0)∨¬T EE ∧T SE ∧¬ASE
g4 := (((T min ≤ c)∧(c ≤ T max))∨(T SE ∧(T min ≤ 0)))∧T EE ∧¬ASE
g5 := ((((((T min > c)∨¬T EE)∧¬T C)∨((c > T max)∧(((T min > 0))∨¬T EE)))
∧T SE ∧¬ASE

g6 := ((((((T min > c)∨¬T EE)∧¬T C)∨(c > T max))∧¬T SE ∧¬ASE
g7 := ((T min > c)∨¬T EE)∧T C∧(c ≤ T max)∧¬ASE

B SUP Observer Automata for SPS Patterns

In the following, the observer automata for the SUP instances in Table 2 are listed.

25 / 26 Volume 076 (2019)



Analyzing Consistency of Formal Requirements

0 2,5

0 2,5

0,4 1

¬P

P

true

P

¬P

true

¬P

P

true

Absence (top),
Universality,

Existence

0

5

¬P∨Q

P∧¬Q

¬Q

Q

Response

6

2 3

¬P∧¬Q

P∧¬Q Q

true true

Precedence

0 3

4

2

P

¬P

¬P

P∧(d = 0)

P∧(d > 0)/c := 1

P∧(c < d)/c ++

P∧(c = d)

¬P∨(c > d)

true

Minimum duration

0

3

5

2

P

¬P

¬P

P/c := 1

P∧(c ≤ d)/c ++

¬P∧(c ≤ d)

c > d

true

Maximum duration

0

5

2

P

¬P/c := 1

¬P∧(c ≤ d)/c ++

P∧(c ≤ d)

c > d

true

Periodic category

0

5

2

¬P∨Q

P∧¬Q/c := 1

¬Q∧(c ≤ d)/c ++

Q∧(c ≤ d)

c > d

true

Bounded response

0 3

2,4

¬P

P∧Q/c := 1

P∧¬Q

P∧Q/c := 1
¬P∧Q∧(c ≤ d)/c ++

¬P∧(c > d)

((c ≤ d)∨P)∧¬Q

true

Bounded invariance

6

8

3

2

¬S∧¬last(P)

S∧¬last(P)

last(P)

¬T ∧¬last(P)

T ∧¬last(P)

last(P)

true

true

Precedence chain 2:1

AVoCS 2018 26 / 26


	Introduction
	Simplified Universal Pattern
	Syntax and Semantics
	Examples
	Observer Automata

	Other pattern languages
	Existing Consistency Notions
	Partial Consistency
	Implementation
	Evaluation
	Conclusion and Future Work
	SUP Counter Automata Schemes
	cyclic-progress-immediate
	init-progress-immediate
	first-ordering-immediate

	SUP Observer Automata for SPS Patterns