Safe Comp 95 pp 353-371 | Cite as

Requirements Analysis and Safety: A Case Study (using GRASP)

  • A. Coombes
  • J. McDermid
  • J. Moffett
  • P. Morris
Conference paper


Modifications to requirements take place under many circumstances. In the case of safety critical systems, the most tragic is following an accident. Although this may ensure that the particular accident will be avoided by the modified system in the future, there is no guarantee that systems often involves compromises between different failure modes.

GRASP (Goal based Requirements Analysis Specification and Proof) is an evolving goal-driven requirements specification method, incorporating a causal modelling language, intended for the development of requirements for safety critical systems. In this paper, we show how GRASP can be used to model an accident and use it to shed light on the causes of that accident. We then demonstrate the use of GRASP in redefining the requirements to prevent future occurrences of this accident, while remaining mindful of the need to meet previously established safety requirements.


Landing Gear Goal Structure Safety Critical System Safety Case Unsafe Behaviour 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [Abowd91]
    G. Abowd, “Formal Aspects of Human Computer Interaction”, YCS 161, Department of Computer Science, University of York, 1991.Google Scholar
  2. [Conklin91]
    E. Conklin, K Yakemovic, “A Process Oriented Approach to Design Rationale”, Human-Computer Interactions, 6(3–4), 1991.Google Scholar
  3. [Coombes92]
    A. C. Coombes, J. A. McDermid, “High-Level Requirements Modelling - A Causal Approach”, BCS-FACS Christmas Workshop, Imperial College, London, 16th–17th December 1992.Google Scholar
  4. [Coombes94]
    A. C. Coombes, P. Morris, J. A. McDermid, “Causality as a means for the expression of requirements for safety-critical systems”, COMPASS ’94, Gaithersburg, MD, 1994.Google Scholar
  5. [Dardenne93]
    A. Dardenne, A. van Lamsweerde, S. Fickas, “Goal Directed Requirements Acquisition”, Science of Computer Programming, 20(1–2), 1993.Google Scholar
  6. [de Kleer84]
    J. de Kleer and J. S. Brown, “A Qualitative Physics Based on Confluences”, Artificial Intelligence, 24(1–3), 1984.Google Scholar
  7. [FI93a]
    “Rain Factor in Loss of Lufthansa A320” Flight International, 144(4388):14, 22–28 September 1993.Google Scholar
  8. [FI93b]
    “Aquaplaning ‘An A320 Crash Factor’”, Flight International, 144(4389):15, 29 September-5 October 1993.Google Scholar
  9. [FI93c]
    “Actuation Delay was Crucial at Warsaw”, Right International, 144 (4391):10, 13–19 October 1993.Google Scholar
  10. [FI93d]
    “Early Warsaw Result Provokes Questions”, Flight International, 144(4394):14, 3–9 November 1993.Google Scholar
  11. [FI93e]
    “Warsaw Overrun was Preventable”, Flight International, 144 (4399):8 8–14 December 1993.Google Scholar
  12. [KrÖger87]
    F. Kroger, “The Temporal Logic of Programs”, Springer-Verlag, 1987.CrossRefGoogle Scholar
  13. [Kuipers]
    B. Kuipers, “Qualitative Simulation: then and now”, Artificial Intelligence, 59(1–2), 1993.Google Scholar
  14. [Ladkin94]
    P. B. Ladkin, “Analysis of a Technical Description of the Airbus A320 Braking System”, CRIN-CNRS & INRIAGoogle Scholar
  15. [Leitch93]
    R. Leitch, “Recent Progress in the Development of Qualitative Reasoning”, Herriot-Watt University, 1993Google Scholar
  16. [Lister90]
    A. Lister, A. Burns, “An Architectural Framework for Timely and Reliable Distributed Information Systems (TARDIS): Description and Case Study”, YCS 140, Department of Computer Science, University of York, 1990.Google Scholar
  17. [Mackie75]
    J. Mackie, “Causes and Conditions” in “Causation and Conditionals”, Ed. E. Sosa, Oxford University Press, 1975.Google Scholar
  18. [Maibaum87]
    T. Maibaum, “A Logic for the Formal Requirements Specification of Real-Time Embedded Systems”, Imperial College, 1987.Google Scholar
  19. [McDermid94a]
    J. A McDermid, “Support for Safety Cases and Safety Arguments using SAM”, Reliability Engineering and System Safety, 43(3), 1994.Google Scholar
  20. [McDermid94b]
    J. McDermid, D. Pumfrey, “A Development of Hazard Analysis to Aid Software Design”, COMPASS ’94, Gaithersburg, MD, 1994.Google Scholar
  21. [Moffett95]
    J. Moffett, J. Hall, J. McDermid, “A Model for a Causal Logic”, in prep. 1995Google Scholar
  22. [Morris94]
    P. Morris, A. Coombes, J. McDermid, “Requirements and Traceability”, REFSQ ’94, Utrecht, Netherlands, 1994.Google Scholar
  23. [Mylopoulos92]
    J. Mylopoulos, L. Chung, B. Nixon, “Representing and Using Non-functional Requirements: A Process-Oriented Approach”, IEEE Transactions of Software Engineering, 18(6), 1992.Google Scholar
  24. [Pearl88]
    J. Pearl, “Embracing causality in default reasoning”, Artificial Intelligence, 35(2), June 1988Google Scholar
  25. [Ward89]
    P. Ward, S. Mellor, “Structured Analysis for Real-Time Systems”, Prentice-Hall, 1989.Google Scholar

Copyright information

© Springer-Verlag London 1995

Authors and Affiliations

  • A. Coombes
    • 1
  • J. McDermid
    • 1
  • J. Moffett
    • 1
  • P. Morris
    • 2
  1. 1.High Integrity Systems Engineering Group and BAe Dependable Computing Systems Centre, Department of Computer ScienceUniversity of YorkUnited Kingdom
  2. 2.Institute for Systems Engineering and InformaticsCommission of the European Communities Joint Research CentreIspra (VA)Italy

Personalised recommendations