Extracting Environmental Constraints to Make Reactive System Specifications Realizable

Many fatal accidents of safety critical reactive systems have occurred in unexpected situations which had not been considered during the design and test phases of the systems. To prevent these accidents, reactive systems should be designed to respond appropriately to any requests of any timing from environments. Verifying this property at specification phase reduces the development costs of safety critical reactive systems. This property of a specification is well known as realizability. If a specification was found not to be realizable, we have to determine the flaws in the unrealizable specification. Unrealizability of a specification arises from arbitrary requirements given by system designers. From a different view, it can be thought that the unrealizable specification implicitly imposes a precondition on the behavior of environment, although a system can not control the behavior of environment. If it is possible to obtain the precondition in intuitively comprehensive forms, it is easy for system designers to understand the cause of flaws in specifications. In this paper, we propose methods for deriving constraints on the behavior of environments, which is implicitly imposed by unrealizable specifications. Instead of realizability, we use strong satisfiability which is a necessary condition for realizability, due to the fact that many practical unrealizable specifications are also strongly unsatisfiable, and strong satisfiability have the advantage of lower complexity for analysis against realizability. These methods derive constraints in propositional linear temporal logic from Buchi automata representing specifications. The expressions of derived constraints are limited to simple and intuitively comprehensive forms where only two temporal operators appear successively. We also give proofs for three correctness properties of our methods, i.e. the termination property, the soundness property, and the weakest constraints derivability. Finally, we discuss applicab- ility of our methods.