Home > Publications > Preserving System Safety                                                                                              Word Doc.

Preserving System Safety across the Boundary between System Integrator and Software Contractor

by Jeffrey Howard. Presented at SAE World Congress 2004, Detroit, March 2004.  

For Power Point Presentation, click here.


Complex automotive systems are not developed entirely by one organization.  OEMs purchase subsystems from integrators who, in turn, purchase hardware components from suppliers and contract for the development of software components.  Safety is an emergent property of the system as a whole, making it difficult to preserve safety-related information across the organizational boundaries between OEMs, integrators, and contractors.  We propose the intent specification, an improved specification format, and SpecTRM-RL (SpecTRM Requirements Language), a readable component requirements modeling language, to communicate requirements, design, and safety information across organizational boundaries in a form that promotes its effective use.


Although engineering processes vary between organizations, every sensible engineering effort shares some steps.  A business goal drives the development of a new system or the evolution of an existing system.  System engineers develop system-level requirements to achieve those business goals and make design decisions allocating responsibilities to components.  Specialists, such as mechanical, electrical, and software engineers design components according to the requirements given to them by system engineers.  These pieces are tested individually, integrated into a finished system, and tested together.

System safety engineering begins with identifying hazards in the system and developing constraints on the system design that mitigate these hazards.  For example, cruise control systems have the constraint that the system must disengage when the brake pedal is pressed.  System safety continues by ensuring that components are designed in such a way as to enforce the safety constraints.  Accidents occur when a safety constraint is not adequately enforced by the system’s components.

Ensuring that components enforce system safety constraints is a difficult task.  Safety engineers often perform safety analyses separated from the system engineers, who are meanwhile making critical design decisions.  The results of safety analyses are often presented later, as a design critique.  This information is frequently ignored or rationalized away because it is too costly and too time-consuming to change the design that late in the process.

The problem is compounded during component development.  Safety is an emergent property of the whole system.  Component developers do not have sufficient perspective on the system as a whole to fully evaluate the safety of their component.  They must rely on information communicated by the system and safety engineers.  If this safety information is incomplete or ambiguous, risk increases.  Some companies have tried to solve this problem with integrated product teams.  While a step in the right direction, there are additional communication barriers that must be overcome.  Different engineering disciplines receive very different training.  Miscommunication is common because of differing backgrounds, perspectives, and assumptions.

This problem of communicating safety information to component engineers is exacerbated when the engineering effort is spread across multiple organizations.  Today’s complex automotive systems are built by original equipment manufacturers (OEMs).  OEMs purchase subsystems from integrators who in turn purchase parts and contract software development from suppliers.  The sophistication of these subsystems and components requires specialized engineering knowledge.  Working with external suppliers is a cost effective strategy.  However, working with suppliers greatly increases the difficulty of building a system with the right system-level properties, such as safety.

This paper describes software’s susceptibility to difficulties in enforcing safety constraints across organizational boundaries.  The vehicle for communicating technical information about software to component developers is the software requirements specification.  Common problems with specifications are used to develop a list of properties a requirements document should possess for successfully communicating safety information to suppliers.  Lastly, a form of specification, called an intent specification, and a component requirements modeling language, called SpecTRM-RL, are introduced.  Intent specifications and SpecTRM-RL models help ensure complete and unambiguous communication about system and component properties, including safety. 

Throughout the introduction of intent specifications and SpecTRM-RL, we use an example of a simple cruise control system.  The software controller takes input from the driver as well as from the vehicle.  During operation, information about the vehicle’s speed is used to generate commands for the throttle control.


Complex, safety-critical systems are becoming increasingly software intensive.  Software delivers substantial benefits because of it its flexibility.  System designs can be changed without retooling or remanufacturing.  Software changes do not adversely impact subsystem weight or space constraints.  Once developed, the per-copy production cost of software is negligible.  Other than memory and performance requirements on the underlying hardware, software imposes no physical constraints on the designs that can be implemented.

The same flexibility that makes software so useful gives rise to its greatest flaws.  Software lacks the physical constraints that enforce discipline on the design process and control complexity.  A mechanical part of a given volume can only support so many interconnections with other parts.  Software has no limiting sense of distance between components; only the designer’s decisions limit coupling and complexity. 

The flexibility of software also induces a sense of complacency and convenience.  Problems discovered in hardware are often solved by adding compensating features, and thus complexity, to software.  Because software is so easy to adapt and change, frequently software development efforts begin before there’s a sufficient understanding of what the software needs to do.  Engineers presume they can tweak software later if their initial guesses don’t work out.

These problems are exacerbated by dividing system and software engineering between separate organizations.  Software vendors are frequently instructed to begin work before the system’s needs are well defined.  Software requirements are changed as the project progresses.  In some cases, there may not be a good record of the changes requested, meaning that the software requirements documents fall behind the behavior actually required of the software.  If the requirements are incomplete or ambiguous, there is a far greater risk that the supplier will produce software that makes the system unsafe. 

Typically, software returned by suppliers comes with little accompanying documentation beyond what was initially provided by the integrator.  System integrators who have not kept their requirements up to date or who produced incomplete requirements initially may not have enough information to predict the behavior of the software.  Should the software be reused in a future system, out of date specifications make it difficult and costly to predict what changes in the surrounding system will require modifications to the software.  In some cases, companies are forced to throw away software developed at great expense because they do not sufficiently understand how it works to make any claim about the safety of a system employing that software.  Worse, companies may keep using software components even though their engineers are afraid to make any changes.

A successful system safety effort identifies constraints that will maintain system safety and ensures those constraints are enforced by system and component designs. Software is particularly difficult because there are no intrinsic physical properties to limit the complexity of a software system.  If complexity renders the software intellectually unmanageable, ensuring that appropriate safety constraints are present becomes impossible.  The challenge is to find a way to make software requirements and constraints intellectually manageable for everyone involved in the engineering effort.

Common Specification Problems - Software requirements specifications are used to communicate information about software requirements and constraints between organizations.  Given that software-related accidents occur when the behavior of software is not understood well enough to ensure it enforces system safety constraints, it should not be surprising that as much as 90% of the decision-making related to safety occurs in the requirements portion of the life cycle.  In fact, almost all software-related incidents and accidents are traced back to flaws in the requirements. 

Ambiguous Requirements - There are many notations for precisely describing software requirements, but most of them require a strong background in discrete mathematics.  This makes them unsuitable as a medium of exchange between different engineering disciplines and organizations.  Most specifications continue to be written in narrative text.  Unfortunately, narrative textual documents often leave readers in disagreement on the meaning of the requirements.  An engineering team that must debate the correct reading of a requirement rather than the correctness of the requirement is working with an ambiguous specification.

Incorrect Requirements - Informal, textual descriptions of component behavior cannot be executed or analyzed.  Extensive human review catches many problems, but the process is time consuming and expensive.  Schedule pressure often causes specification review to be cut.  Too often, the requirements for software are validated by running the finished code on a test bench or in a simulated environment and observing whether anything goes wrong.  By this point, fixing any requirements errors found will incur serious cost and schedule problems.

Contracting an outside organization to supply software magnifies this problem.  Undoubtedly the requirements for the software will change as the system is designed and developed.  Many system integrators lob changes over the fence to the contractor; it’s treated as the contractor’s responsibility to make sure the changes will work.  When software is returned to the customer, the requirements document may have fallen so far behind that it does not reflect the behavior of the software.  An outdated specification can cripple attempts to analyze the safety of later changes or reuse the software in another product.  On a project suffering from this problem, engineers will go to great lengths to avoid modifying existing software because they no longer understand how the software works.

Incomplete Requirements - Incompleteness is one of the most common problems in software specifications.  Omissions from specifications come in a variety of forms.  The requirements may lack a provision for when expected inputs fail to arrive.  The system may be missing a feedback path to detect the effects of an output.  There may be no description of how to handle bad values.  More subtly, different parts of the specification may prescribe conflicting behaviors.  In the best of circumstances, software developers will recognize the incompleteness and contact their customer to resolve the problem.  More often, the omission goes unnoticed, creating the possibility of an accident.

Over-specified Requirements - This error is often caused by a reaction to previous three problems.  System integrators, plagued by ambiguous, incorrect, and incomplete requirements, decide to solve the problem by specifying requirements with an extraordinary degree of precision.  Instead of focusing on the behavior the component should exhibit, the specification includes algorithms and data structures, possibly to the extent of including bit lengths for numeric data.  All of this extra information belongs in the design and implementation of the component.  While it may provide the system integrator a short-term sense of security, this solution is ultimately self-defeating and dangerous.

Software developers are quite good at writing software that satisfies its requirements.  Requirements with design information mixed in remove the flexibility that software developers use to accomplish their goals.  Providing a supplier over-specified requirements is similar to handing a construction bill of materials to an architect and demanding that the architect design a house that will use exactly those materials: no more, no less.  Software developed for a specification with excess design information will generally cost more and take longer, as the software designers must meet both the intent of the requirements and the literal written requirement statements.

Beyond the cost and schedule impact of demanding unnecessary design features from the software supplier, there is a safety risk as well.  Additional design information adds complexity.  Complexity makes it difficult to analyze, understand, and predict the behavior of the software in the context of the system as a whole.  Intellectually unmanageable requirements are much less likely to correctly enforce the safety constraints required to maintain safe system operation.

Criteria for a good specification - The four problem categories above can be used to develop criteria for specifications that will enhance communication of important design information between suppliers and integrators.

1.       Clarity – Requirements must be unambiguous.  System engineers, software engineers, domain experts, and managers should all be capable of reading the specification and deriving the same understanding of what the software component is to do.

2.       Correctness – A requirements specification should accurately describe the software to be built.  Initially, this means that the specification should lend itself to validation techniques such as simulation, analysis, and review.  Later, this means that changes to the requirements should be easy to record in the requirements specification, not simply applied to the software and forgotten.

3.       Completeness – Incomplete requirements are a repeated cause of incidents and accidents.  In this context, a software specification is complete when a reader can distinguish between acceptable and unacceptable software implementations.

4.       Conciseness – Software requirements specifications should contain only as much information as necessary to describe the relationship between inputs to the software and outputs the software produces.  Systems engineers may think of this as describing the transfer function for the software.  A completely black box view of the behavior of the software allows software developers the freedom to meet project goals.  Additional information about the design of the software hampers safety analysis efforts.

A specification that meets the above criteria will enhance communication between system integrators and the suppliers of their software.  Safety constraints on the software design are far easier for software suppliers to use in a specification with the above properties.  Such a specification also makes it easier to verify that the software developed enforces the safety constraints.

These same characteristics are helpful in other situations as well. If system integration and software development are within the same organization, clarity, correctness, completeness, and conciseness in the software specification will still benefit the project.  Specifications that can be read and understood across engineering disciplines facilitate communication between software developers, system engineers, and safety engineers.  A high quality specification is also an asset when a system is passed from research to production, leading to reduced costs and faster time to market.


Software developers cannot evaluate the safety implications of software design choices without safety-related design constraints from system safety engineering. To develop good safety constraints, system engineers and safety engineers must have a good understanding of the system as a whole.  Intent specifications are an improved format for system specifications, covering the whole life cycle of system development [1].

Intent specifications do not require additional effort compared to traditional specification formats.  Most of the information to be included in an intent specification is already generated in any reasonable system specification effort.  Intent specifications simply organize this information in a manner that supports the use of that information by engineers.  

Most systems have substantial amounts of documentation.  Often, system documentation contains a great deal of redundancy, missing information, and inconsistency.  As the system evolves during development and once deployed, system documentation is often allowed to fall out of date.  If more than one organization is involved, it is difficult to ensure all have consistent and up to date views of the system.  Evaluating the safety impact of changes becomes difficult and expensive, when possible at all.  Organizing information in an intent specification helps with these problems. 

Figure 1 - Structure of an intent specification.  Particular contents will vary based on the scope and nature of a project.

The structure of an intent specification, shown in figure 1, differs from traditional specification formats.  Current specification methodologies manage complexity by employing two forms of abstraction.  The first is part-whole decomposition: the whole is broken down into parts that are simpler when considered individually.  The horizontal headings at the top of figure 1 show this kind of breakdown.  The intent specification records information about the environment in which the system will operate, the operator’s interactions with the system, the system itself and its components, and verification and validation procedures.

The second form of abstraction already used in system specifications is refinement.  Refinement is also a form of part-whole decomposition: a complicated function is broken down into simpler steps.  Most specifications are stratified into levels of refinement.  Levels above describe what function is to be accomplished; levels below describe how the function will be accomplished by presenting a refinement of the function.

In an intent specification, the major level divisions in the specification do not represent refinement.  Each level describes the whole system from a different view, supporting different tasks.  A significant advantage of this structure is that it answers not just questions of what is to be done and how, but also why.  Each level provides motivation and intent for the decisions at the level below were made the way they were.  This information about what was intended is often the most difficult to reconstruct or deduce from traditional specification formats.  Understanding why decisions were made as they were is critical for ascertaining the safety impact of proposed changes.  Many accidents have been caused because engineers or workers making changes – different from those that built the system – did not realize they were altering a design choice originally made for safety reasons.  Part-whole decomposition and refinement are still present in an intent specification, but they’re found within each level. 

Level 0 is the top level of the intent specification.  It is the program management view of the system.  Program management plans, including a system safety plan, are kept at this level of the specification.  Traceability links from this level point to the documented results of activities described in the plans.

Level 1 is the system requirements level of the specification.  This level includes any introductory material or historical information about previous similar systems.  The goals of the system are recorded here, as well as the high level functional requirements.  The following is an example requirement from the cruise control software:

HLR0  The cruise control system shall maintain a speed set by the driver (¬ G0) (¯ 2.2).

The arrows at the end of the requirement indicate links to other areas of the specification.  Left and right arrows indicate information on the same level of the specification.  Up and down arrows indicate information at different levels of the intent specification.  In this case, the reference to G0 is to a goal the system is intended to accomplish.  The other reference, to section 2.2, is a reference to the design decisions motivated by this requirement.  With tool support, the labels G0 and 2.2 would be hyperlinks to navigate to those entries.  This system-level requirement will become the basis for design decisions made at level 2.

The early results of the system safety effort are recorded at level one as well.  Even as the functional requirements are being decided, a hazard log is started, noting hazards discovered during preliminary hazard analysis. 

H1  Cruise control does not maintain correct speed (® SC1).

These hazards are used to develop safety constraints.  Requirements describe what the system must do in order to achieve functional goals.  Safety constraints describe what the system must not do in order to maintain safe operations.  Just as requirements must be satisfied, these safety constraints must be enforced by the design decisions at lower levels. 

SC1  Cruise control must maintain the correct speed (¬ H1 (¯ 2.2).

By keeping both safety constraints and system requirements in the same level of the same document, the safety information is not “out of sight, out of mind” when system engineers are making important decisions about the system.  This integration of system and safety engineering makes it easier to convey safety-related information to component developers in other organizations.

Level 2 is the system engineering design view of the system.  This level assists system engineers in reasoning about the physical principles and system-level design decisions that will shape the system.  External interfaces are described, tasks are partitioned between the operator and the automation, and functions are decomposed and allocated to components.  Design decisions at this level are given traceability links back up to the requirements and constraints at level one that motivate them.  Design decisions are also linked down to the component requirements specifications at the next level.

2.2   When the driver issues a set command, the cruise control will set its speed to maintain at the current vehicle speed and engage control of the throttle

(↑ HLR0, HLR1, SC1)

(↓ 3.Throttle Delta, 3.Set Next Speed Set Point, 3.Cruise Control, 3.Compute Throttle Delta, 3.Speed Set Point, 3.Vehicle Speed, 3.Speed Error Threshold).

2.2.1  Vehicle speed will be maintained by calculating the difference between current speed and desired speed, then issuing a command to the throttle control to increase or decrease engine torque by a small step size (↑ SC3) (↓ 3.Throttle Delta, 3.Compute Throttle Delta).

            Rationale:  Changing the throttle in small increments will lead to smooth acceleration and deceleration that will not jar the driver and passengers.

The refinement of the design decision in 2.2.1 occurs at the same level of the intent specification as the larger concept being refined.  Note also that rationale and assumptions are recorded next to the design decisions they support.  Recording rationale and assumptions is invaluable for evolution of any system.  A system that is reused in another environment may not be able to rely on the assumptions that were originally made.  Without a record of where assumptions were made, it is difficult to reconstruct why some design decisions were made the way they were.

At level 3, the behaviors allocated to components are specified rigorously.  Component requirements are written as models of black box behavior.  Black box models support reasoning about individual component behavior and the interaction between components.  This level provides an unambiguous interface between system engineers and component engineers, even across organizational boundaries.  The language used at this level is SpecTRM-RL, a requirements modeling language.  The modeling language is based on finite automata theory, meaning that it can be executed and formally analyzed.  However, the language was designed for readability, and reviewers can be taught the language with about 15 minutes of training.

Level 4 is the design representation of components for the system.  The notation used here varies across projects and component types.  If the volume of design information is too great to include in one document, or if the supplier is not obligated to deliver complete design information, pointers to the location and owners of the design information are included at this level instead.

Level 5 is the physical representation of the components of the system.  For hardware components, these would be hardware assembly instructions.  For software, this would be the source code.  For very small safety-critical software components, such as the shutdown code for a nuclear reactor, it might be possible to include a listing of the code in this section.  For larger projects, such as the controller in an automotive system, the specification would contain a pointer to the location of the configuration management system housing the code.

The final level of an intent specification, level 6, describes the operations of the system.  This will include any audits performed on the system in the field.  Should there be any incidents or accidents involving the system, information about them would be recorded at this level of the specification.  Furthermore, any changes made to the system after it is fielded should have some change impact analysis recorded here.

Taken as a whole, the intent specification provides a comprehensive view of the entire life cycle of a system development effort.  Although the specification is presented in a logical ordering from initial planning through operations, a lockstep progression from one level to the next is neither necessary nor practical.  In any system engineering process, there will be iteration, skipping around, and updating of old material as new information is discovered.

Large projects may find it impractical to keep the entire intent specification in one document.  Using the intent specification format still provides an excellent interface to project information.  In large project, the intent specification is simply spread across multiple documents.  References, preferably hyperlinks, point between the documents.  Similarly, system integrators may give a supplier only a portion of the intent specification, such as the SpecTRM-RL requirements model for the component to be built by that supplier.

Traceability hyperlinks are used extensively within and between levels of the specification.  Links point both directions, from higher levels to lower levels and back up again.  Following these links provides a clear of view of the rationale behind design decisions.  Often, this rationale is most difficult to reconstruct from traditional specifications.  The accessibility of this rationale is a key factor in successfully writing a component specification that preserves system safety information as component development is passed from the system integrator to a software supplier.


SpecTRM-RL is a formal modeling language for component requirements [2].  These models are used at on level 3 of an intent specification.  SpecTRM-RL models clearly describe the component behavior that will effect the design decisions at level 2 of the intent specification.  The language describes only externally visible behavior, which can be thought of as the transfer function across the component.  Details about the design and implementation of the component greatly complicate review and needlessly hinder the efforts of software suppliers.  Because externally visible behavior alone is described, components may be implemented in hardware, software, or as tasks for a human operator.  Software may be designed and implemented with any combination of methodology, notation, and language desirable.

SpecTRM-RL is based on a theory of finite automata, state machines, so models are executable and analyzable.  Component behavior can be evaluated in a high fidelity system simulation or in conjunction with the behavior of other components, before turning over the specification to a supplier.  If behavior is discovered that has a negative safety impact, it can be corrected before the cost and schedule impact of the change would have to be negotiated with the development organization.  Specifications can also be automatically analyzed to detect some undesirable properties such as nondeterminism.

Despite the formal model underneath the language, SpecTRM-RL was designed to be readable and reviewable.  Many formal specification languages are difficult to read and review.  In these cases, the requirements must be maintained separately from the formal model.  When changes are made, as is inevitable, the formal model must also be updated.  Most projects do not have the resources for separate specification and modeling efforts.  SpecTRM-RL, requiring only fifteen minutes training to read, solves this problem by being both the readable specification and formal model.

In addition to being executable, analyzable, and readable, the language also strongly supports development of complete specifications.  Over sixty criteria for completeness of specifications have been identified [3] and validated at JPL [4].  These criteria cover all areas of component behavior including startup and shutdown, mode changes, acceptable values, timing, load and capacity, human-machine interface, data age, feedback, reversibility, and path robustness. 

Originally, these criteria were expressed in a checklist format.  The criteria were found to be difficult to apply as a checklist.  As a result, the criteria were built into the syntax of the SpecTRM-RL modeling language [5].  Building the criteria into the modeling language keeps the criteria in mind as the component requirements are developed.  Almost all of the completeness criteria are included in the syntax of the SpecTRM-RL modeling language.  Most of those that could not be directly included can be checked using automated tools [6].  The few remaining criteria must be checked by human review.

Figure 2, below, shows the graphical notation used in SpecTRM-RL.  The notation is similar to the engineering depiction of a control loop.  Inputs to the component are shown to the left and above the box.  Outputs from the component are drawn to the right and down.  The box in the center depicts the component for which requirements are being modeled.  The box is divided into sections for modes and for inferred state.

Modes are used for coarse-grained partitioning of system behaviors.  Engineers frequently use modes in describing real-time embedded control software because they’re a natural expression of system behavior.  The behavior of control software in a maintenance or standby mode is often entirely different from that of the operational mode, even for identical sequences of input. 

The other portion of the component box shows inferred state.  Every controller must have a model of the state of the system it controls, means to affect the system, and rules to predict the affects of changes it makes to the system.  A thermostat is a simple example.   A thermostat has a model of the current temperature and desired set point.  The thermostat is connected to a furnace or air condition system, giving it the means to affect the temperature.  Lastly, the thermostat controller is given rules to predict the how turning on or off the furnace or air conditioning will affect the temperature.  Using these things, the thermostat maintains temperature.  The inferred state variables in the thermostat controller are the set point and the current temperature.  Note that inferred state may differ from the actual state of the system.  The thermostat may have an inaccurate representation of the true temperature.  Accidents frequently occur when the controller incorrectly infers the state of the system.

Text Box:  
Figure 2 - Graphical view of a SpecTRM-RL model.
AND/OR Tables - The behavior of each of the inputs, outputs, modes, and states depicted in the graphical view is defined by AND/OR tables.  Figure 3 shows a portion of the cruise control’s logic for determining the mode of the software.  The figure shows the logic used to decide that the cruise control should be in the disengaged mode.

Figure 3 - AND/OR table

Each table evaluates, as a whole, to true or false.  If the table is true, then the state machine takes the transition to Disengaged.  If the table is false, the Disengaged transition is not taken.  To evaluate whether the table is true or false, begin by looking at the expressions in the first column.  Each of these expressions will be true or false.  For example, the first expression, “System Start,” will be true when the system is first activated, and never thereafter.  The expression in the second row, “Off,” is true if the cruise control was in the off mode just before now.  The truth values of these expressions are matched against values in the columns to the right.  Columns on the right may contain ‘F’ for false, ‘T’ for true, or ‘*’ for a don’t care which matches anything.

When matching truth values, columns represent OR relationships, while rows represent AND relationships.  The table as a whole is true if any one column is true.  A column is true if every row in the column matches.  Thus, the AND/OR table in figure 3 can be read as:

Cruise Control transitions to Disengaged if (1) the system is not just starting up, Cruise Control was just previously in Off mode, and the Driver Command is On, or (2) if the system is not just starting up, Cruise Control was just previously in Disengaged mode, Driver Command is not Off, and Driver Command is not Set Speed, or (3) if the system is not just starting up, Cruise Control was in the Engaged mode, and the Cruise Control Override state value is not in a state of None.

To fully understand the behavior of the mode change described above, one would want a more information about the meaning of Cruise Control Override, the various Driver Command values, and the intended effects of the driver commands.  All of this information is readily available from the full model, and the table makes very clear and readable how these concepts relate to determine whether the mode change to Disengaged takes place.

The AND/OR table format is easy enough to read that reviewers quickly can be taught to understand the language syntax.  Readers often find AND/OR tables clearer and easier to understand than English textual descriptions.  The tables lack the ambiguity of textual descriptions.  Arguments over the meaning of requirements are replaced by disagreements over what appropriate behavior for a component really is.  The input, output, mode, and state definitions demonstrated below all make use of AND/OR tables to describe the behavior of the component.

Outputs - An output specification from the cruise control example is shown in figure 4.  This output is a command to the throttle control.  Throttle control commands are sent to keep the car moving at its set speed despite variations in the slope of the road.  The first section of the output is a series of attribute value pairs.  These attributes provide information about the output beyond what can be expressed in an AND/OR table.  Much of this information enforces the completeness of the requirements specification.

Figure 4 - Output command definition.

Each of the fields in the output must be described.  The type is noted, as are acceptable values within that type.  Granularity, units, and any possible hazardous values for the output are recorded.  Simple mistakes such as writing software to use the wrong system of units do occur.  Providing a clear, complete specification to the organization supplying the software will help avoid these problems.

Timing attributes record how long an actuator will take to act on a command and how long the action is expected to take.  Load information is also important.  In the Three Mile Island nuclear reactor accident, a line printer was used to report errors as alarms tripped [7].  At one point during the accident, so many alarm messages were queued up to print that the printer output was running three hours behind the state of the reactor.  At times the printer jammed, losing some information altogether.  With a specification in SpecTRM-RL, development organizations can be made aware of limitations in the software’s environment without requiring full knowledge of the rest of the system.

The attributes for feedback information ensure that the controller has some way of detecting the effect of the outputs.  The last few attributes show how the output can be reversed and provide a place for a general description of and comments on the output.  The references attribute is a convenience for navigating through the model.  It lists the states, modes, and inputs used to define this output.  Reviewers use this information to find related portions of the model.

As shown in figure 4, it may not be possible to fill in all the attributes associated with an output.  When reverse engineering an existing incomplete specification, the information may not be available.  Researchers who are working with a proof of concept system do not need the same level of completeness necessary for productizing a system.  In these cases, marking the attribute as unknown is sufficient.  Doing so has the advantage of making it obvious where information is missing.

The second portion of the output specification is labeled, “Definition.”  An AND/OR table is used to describe when the output will be issued by the component.  If the AND/OR table for the triggering condition evaluates to true, then the output is sent.  If the triggering condition is false, then the output is not sent.  Since the AND/OR table in figure 4 has only a single column, it is a simple AND of all the conditions in the table.  To paraphrase the table, a throttle delta command is sent whenever the cruise control is in the “Engaged” mode and the difference between the speed set point and vehicle speed exceeds an error threshold.

The final portion of the output definition is a table showing the contents of the output.  For this output, the only field is the delta in the throttle setting to be sent to the throttle control.  Other outputs could be more complex, such as telemetry data or the results of internal diagnostic checks on the component.

Modes - The behavior of most controllers divides into large groupings.  Engineers are used to thinking of these divisions in terms of modes.  For example, as shown in figure 4 above, the cruise control behaves very differently depending on whether the system is engaged.  When not engaged, the triggering condition can never be true, so the throttle delta output cannot be sent.  SpecTRM-RL directly represents mode logic.  An example of a mode definition is shown in figure 5.

Figure 5 - Example of a SpecTRM-RL mode definition.

The mode definition begins with a set of attributes, including a description of the mode and any comments on it.  The “References,” and “Appears In,” attributes are conveniences for navigation, listing all of the other definitions in the model that this mode uses and all of the definitions that use this mode, respectively.  When the model is developed using a software tool, these listings can be hyperlinked.

The definition section of the mode shows how the component transitions between different modes.  When one of the AND/OR tables is true, the system transitions to that mode.  In figure 5, the cruise control transitions to the startup mode whenever the system first starts.  The system transitions to the Engaged mode when (1) driver sets a speed to maintain or (2) the system was just in the Engaged mode and the driver has not accelerated or braked, overriding the cruise control system.  Lastly, the system transitions to an internal fault detected mode if the system is not receiving the inputs it needs.

States - An inferred state is something the component observes about the thing it controls: the plant, in control theory terminology.  Figure 6 shows the attributes for an example from the cruise control, the state that determines whether an obstacle is in the car’s path.  The cruise control system uses a sensor to detect other vehicles in the driving path.  If an obstruction is found within a threshold distance, the cruise control system automatically reduces the set speed.  The attributes on the state value are similar to the mode attributes.

Figure 6 - Definition of a state value.

Figure 6 shows the definition of the Path state from the cruise control example.  Every state value definition in a SpecTRM-RL model must have an unknown state.  Inferred system state is not guaranteed to correspond to the true state of the system.  Many accidents have been caused by a software controller’s model becoming inconsistent with the true state of the system.  One of the first systems modeled with a precursor language to SpecTRM-RL was an air traffic collision avoidance system.  In an early version of that system, when reset, the software assumed the plane was on the ground, where warnings are not issued.

Accidents have also been caused when systems, taken offline for maintenance, were put back online and resumed operations exactly where they left off.  State values should include logic to transition to the unknown state when the system is first started or returns from a mode that suspends input processing.  Beginning in the unknown state forces the software to rebuild its model with the true state of the system.

Inputs - Figure 7 shows the attribute portion of the input definition for a reading of the vehicle’s speed.  The attributes for input definitions enforce a number of completeness criteria.  The type of the input is recorded, as are its possible values within that type, units, and granularity.  Timing behavior is also covered, including the minimum and maximum time between consecutive inputs.  The obsolescence attribute handles stale data.  No input is good forever, and the obsolescence attribute describes how long data remains valid.  Accidents have resulted from systems working with outdated data.  Obsolescence also affects the definition of the input.  There are three possible ways for the input to take on a value.  First, when new data arrives for the input, the input takes on the value of the new data.  Second, when new data has not arrived, but the existing data is still valid, the input keeps its value.  Third, after enough time has passed, the input becomes obsolete.

Figure 7 - Definition of an input

Execution and Analysis - With outputs, modes, states, and inputs for a component all defined in SpecTRM-RL, the component has a clear, complete, and concise definition.  SpecTRM-RL also assists in validating that the requirements are correct.  Without correct requirements, a good software supplier will provide exactly the software asked for: the wrong software.

SpecTRM-RL is readily reviewable by domain experts.  Pilots, air traffic controllers, doctors, project leaders, and office managers have all been trained to read SpecTRM-RL models in fifteen minutes.  Human review remains one of the most effective techniques for achieving correctness of requirements.

In addition to human review, the formal model underlying SpecTRM-RL requirements specifications allows the model to be parsed, executed, and analyzed.  The behavior of the software component can be validated before the specification is delivered to a software development contractor.  If the software is found not to enforce required safety constraints, it can be modified with little cost or schedule impact.

Although simulation is a powerful tool for exploring the behavior of software, it is heavily dependent on the data used to drive the simulation.  Automated analyses of the model are possible as well.  For example, one of the completeness criteria states that for every possible combination of system states and inputs, at least one table in a state, mode, or input should be true.  This is a kind of robustness: no matter what happens to the system, some response is defined.  If the robustness criterion is not met, there is some combination of system state and input that the requirements don't handle.  Cases where a specification is not robust can be identified by an automated analysis.

Another completeness criterion states that specifications should be deterministic.  Determinism means that for any combination of states and inputs, each state, mode, or input should have no more than one table true.  If more than one table were true, it would indicate that more than one behavior was defined as valid for a particular combination of states and inputs.  Predicting the behavior of nondeterministic systems is difficult, making it hard to assure that the system is safe.  Nondeterminism in a SpecTRM-RL specification can be identified by automated analysis.


It is all too easy for important safety information to be lost at the interface between system engineering and software development.  System engineers and software engineers come from different backgrounds, have different training, and view the system from different perspectives.  Additionally, software developers do not have a holistic system perspective to work from; they are dependent on clear communication of safety constraints from system engineering.  These problems are magnified when software development is outsourced to a separate supplier organization.

Safety-related decision-making occurs very early in the development life cycle.  Almost all software-related incidents and accidents have been traced back to flaws in the requirements for the software.  An improved format for writing specifications can help engineers and domain experts reason about a system’s behavior and build desirable properties, such as safety, into the system from the beginning.

A good specification will be clear, correct, complete, and concise.  The specification must be clear so that readers with a variety of backgrounds, including system engineering, system safety engineering, software safety engineering, software engineering, and domain expertise, can all read the specification and form similar mental models of how the system will operate.  With a clear specification, contractors outside the integrator’s organization will have a similar understanding of the software to be built as the system engineers who developed the requirements for the software.  A clear understanding of the safety-critical design constraints will assist the software developer in ensuring that the software delivered is safe.  Intent specifications increase the clarity of a system specification by organizing information so that engineers can find what they’re looking for quickly and see the rationale behind engineering decisions.  SpecTRM-RL models make component behavior clear with the use of easily readable AND/OR tables, which offer an unambiguous description of system behavior.

Correctness is a necessary property of a specification that will act as a medium for preserving safety information between suppliers and customers.  Software developed to an incorrect specification will not correctly enforce constraints required for system safety.  A very common source of incorrectness in requirements specifications comes from asymmetric evolution of the system and its documentation.  If the specification is not up to date with the system, it cannot be relied upon to help evaluate the safety of proposed changes.  Intent specifications assist in evaluating correctness of the specification by including information on the verification and validation at every level of the system development effort.  The SpecTRM-RL modeling language assists in developing correct specifications in several ways.  The models are conducive to expert review, allowing many errors to be caught early.  Due to the formal nature of the models, they can also be simulated and analyzed, allowing violations of safety constraints to be detected before the generation of a component design and implementation.

Completeness is necessary in a specification that preserves safety information.  Software suppliers that are provided incomplete specifications may not realize what information is missing.  The software delivered meet the requirements, such as they are, but if an unhandled system state is encountered, the software may not behave in a safe manner.  Many accidents have been caused by incompleteness in specifications.  The strong traceability in intent specification assists in developing complete by ensuring that important design and safety information is not overlooked.  The syntax of the SpecTRM-RL requirements modeling language was carefully developed to incorporate over sixty completeness criteria.  Where insufficient information is available, the attribute templates call attention to what is missing.

A specification that preserves safety information between organizations needs to be concise.  Large volumes of irrelevant information distract from what is important.  By focusing only on true requirements and design constraints for a software development effort, the specification assures that important constraints will not be lost in excessive documentation.  Additionally, by avoiding over-specification, the software supplier is afforded as much flexibility as possible to meet the goals of the development project as quickly and economically as possible.  The intent specification is a concise representation of a system, offering an organizational structure that reduces duplication and conflicting information.  SpecTRM-RL models are a concise representation of component requirements.  No internal design information is included in a SpecTRM-RL model.  The model describes purely black box behavior, the relationship between the inputs and outputs.

Intent specifications and SpecTRM-RL have been developed through decades of academic research and industrial project experience.  The language has been used on projects in the medical device, aerospace, and automotive industries.  Intent specifications and SpecTRM-RL models enhance reasoning about system and component behavior, act as bridges between engineering disciplines, and help preserve safety information across organizational boundaries.


This paper would not have been possible without the valuable comments of Mr. Grady Lee of Safeware Engineering Corporation, Professor Nancy Leveson of MIT, and the SAE World Congress’ reviewers.


1.       Nancy G. Leveson. Intent Specifications: An Approach to Building Human-Centered Specifications, IEEE Transactions on Software Engineering, January 2000.

2.       Nancy G. Leveson, Mats Heimdahl, and Jon Damon Reese. Designing Specification Languages for Process Control Systems: Lessons Learned and Steps to the Future, Presented at SIGSOFT FOSE ’99 (Foundations of Software Engineering), Toulouse, September 1999.

3.       Nancy G. Leveson. Safeware: System Safety and Computers, Addison-Wesley Publishing Company, Reading Massachusetts, 1995.

4.       Robyn R. Lutz. Targeting Safety-Related Errors during the Software Requirements Analysis, Proceedings of SIGSOFT ’93: Foundations of Software Engineering, ACM Press, New York, 1993.

5.       Nancy G. Leveson.  Completeness in Formal Specification Language Design for Process Control Systems, Proceedings of Formal Methods in Software Practice Conference, August 2000.

6.       Mats Heimdahl and Nancy G. Leveson.  Completeness and Consistency Analysis of State-Based Requirements, IEEE Transactions on Software Engineering, May 1996.

7.       John G. Kemeny. Saving American Democracy: The Lessons of Three Mile Island, Technology Review, June 1980.



Jeffrey Howard is a systems engineer for Safeware Engineering Corporation.  He graduated a master of engineering from MIT in computer science.  Currently, he works on the development of tools to support working with intent specifications and SpecTRM-RL models.  He can be reached at howard@safeware-eng.com.

Home Products Services Publications White Papers About Us

Copyright © 2003 Safeware Engineering Corporation. All rights reserved