UML-based specification, validation, and log-file based verification of the Orion Pad Abort Software by Drusinsky, Doron
Calhoun: The NPS Institutional Archive
Reports and Technical Reports All Technical Reports Collection
2010-05-15
UML-based specification, validation, and
log-file based verification of the Orion
Pad Abort Software
Drusinsky, Doron















      UML-based Specification, Validation, 
and Log-file based Verification of the Orion 
Pad Abort  Software 
 
 
By Doron Drusinsky 
 
        
15 May 2010 
           
Approved for public release; distribution is unlimited 
 
 






















THIS PAGE INTENTIONALLY LEFT BLANK 
 
NAVAL POSTGRADUATE SCHOOL 




Daniel T. Oliver  Leonard A. Ferrari 
President                                                                     Executive Vice President and 






This report was prepared for and funded by the Department of Computer Science, Naval 
Postgraduate School.  
 
 










____________________________________                                                   
Doron Drusinsky 
Associate Professor of Computer Science  









________________________  _______________________ 
Peter J. Denning, Chairman Karl A. van Bibber  
Department of Computer Science Vice President and 






















THIS PAGE INTENTIONALLY LEFT BLANK 
 REPORT DOCUMENTATION PAGE 
Form Approved 
OMB No. 0704-0188 
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing this collection of information.  Send comments regarding this burden estimate or any other aspect of this collection of information, 
including suggestions for reducing this burden to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704-0188), 1215 Jefferson 
Davis Highway, Suite 1204, Arlington, VA  22202-4302.  Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to 
comply with a collection of information if it does not display a currently valid OMB control number.  PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS. 
1. REPORT DATE (DD-MM-YYYY) 
May 2010  
2. REPORT TYPE
  Technical Report 
3. DATES COVERED (From - To)
January 2009 – May 2010
4. TITLE AND SUBTITLE 
UML-based Specification, Validation, and Log-file based Verification of the 
Orion 




5b. GRANT NUMBER 
 
 5c. PROGRAM ELEMENT NUMBER 
6. AUTHOR(S) 
Doron Drusinsky 
5d. PROJECT NUMBER 
 
 5e. TASK NUMBER 
 
 5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 
 
Naval Postgraduate School 
8. PERFORMING ORGANIZATION REPORT  
NUMBER  





9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 
N/A   
   
  
11. SPONSOR/MONITOR’S REPORT  
  
      NUMBER(S) 
12. DISTRIBUTION / AVAILABILITY STATEMENT 
Approved for public release; distribution is unlimited   
13. SUPPLEMENTARY NOTES 
The views expressed in this report are those of the author and do not reflect the official policy or position of the Department of 
Defense or the U.S. Government.  
14. ABSTRACT  
This paper described the first end to end application of a novel light weight formal specification, validation, and verification 
technique. The technique is novel is two aspects. First, it uses an intuitive, familiar, and diagrammatic notation for formal 
specification, a notation that being Turing equivalent and supports the capture of real-life requirements. Second, the technique 
includes a computer aided approach for validating the correctness of requirements early in the development process, allowing 
sufficient time for the correction of ambiguous and underspecified requirements. In the verification phase the technique is based 
on off-line verification using log-files. This approach scales well and is applicable to almost every mission critical system, 
including real-time systems.  
The paper describes the application of this technique towards the specification, validation, and verification of the Pad Abort 
subsystem of NASA’s Orion mission. 
15. SUBJECT TERMS 
Specification, validation and verification, formal methods, UML, scenarios, requirements, patterns, Orion.  
16. SECURITY CLASSIFICATION OF: 
Unclassified  





19a. NAME OF RESPONSIBLE PERSON 







UU  23  19b. TELEPHONE NUMBER (include area code) 
(831) 656. 2168 
 Standard Form 298 (Rev. 8-98) 
Prescribed by ANSI Std. Z39.18 




















THIS PAGE INTENTIONALLY LEFT BLANK
UML-based Specification, Validation, and Log-file based 




This paper described the first end to end application of a novel light weight formal 
specification, validation, and verification technique. The technique is novel is two 
aspects. First, it uses an intuitive, familiar, and diagrammatic notation for formal 
specification, a notation that being Turing equivalent and supports the capture of real-life 
requirements. Second, the technique includes a computer aided approach for validating 
the correctness of requirements early in the development process, allowing sufficient time 
for the correction of ambiguous and underspecified requirements. In the verification 
phase the technique is based on off-line verification using log-files. This approach scales 
well and is applicable to almost every mission critical system, including real-time 
systems. 
The paper describes the application of this technique towards the specification, 
validation, and verification of the Pad Abort subsystem of NASA’s Orion mission. 
1. Introduction 
Runtime Verification (RV), also known as Runtime Execution Monitoring (REM), is a 
light weight formal verification technique in which formal specification properties are 
evaluated in run time and compared with the behavior of the System Under Test (SUT) 
for the purpose of detecting requirement violations. Some such systems are the Temporal 
rover and DBRover [D1], NASA’s Java Path Explorer [HR], and U. Penn’s MaC tool 
[SLS], and the StateRover [D2], the tool used in this effort. 
Clearly, a key component of any RV process is accurate formal specifications. Automatic 
translation of Natural Language (NL) specifications to formal specifications seems at first 
glance as a promising approach to formal specification creation; however, given the 
present state of technology, such NL processing technology is not readily available. 
Hence, RV tools typically use manually written formal specifications. The process by 
which one assures that a formal specification conforms to a NL requirement is called 
validation, a term consistent with the software engineering use of the term discussed 
below.   
In addition, even if such NL technology did exist, inherent ambiguities in many 
underlying NL requirement specifications require a human in the loop to assure that the 
formal specification of choice conforms to the letter and spirit of the favored NL 
interpretation. This is yet another reason for our emphasis on the validation process, in 
which the developer assures that the formal specification assertion of choice is a true 
representative of the chosen NL interpretation. We will provide an example of such 
ambiguity and corresponding validation in section 2.  
Traditional software engineering distinguishes between validation, a process for getting 
the right product, and verification, a process for getting the product right [BD]. However, 
                                                                                                                                              1 
validation and verification (V&V) are transitionally interleaved within a single phase of 
the development process, as illustrated in Fig. 1a. In contrast, our approach suggests a 
more coherent approach to V&V illustrated in Fig. 1b, where validation testing assures 
that the formal specification conforms to the letter and spirit of the NL requirement, and 
verification testing assures that the SUT conforms to the formal specification assertions. 
This paper demonstrated an application of the entire V&V process to the Pad Abort  (PA) 
component of the Orion mission. This process includes NL requirements, formal 
specification assertions, validation tests, and the run-time verification process using 
source code instrumentation and log-files.  The paper is organized as follows. Sections 2, 
3, and 4 contain useful background information where: section 2 describes statechart 
assertions, our formal specification language of choice, section 3 describes the low-
impact log file based verification technology used in our V&V process, and section 4 
describes a qualitative tradeoff space computer aided V&V techniques operate in. This 
tradeoff space provides the motivation for using statechart-assertions as the formal 
specification language of choice combined with low impact log-file based verification.  
Section 5 discusses the PA formal specification and validation, while section 6 discusses 
















Figure 1. Traditional vs. contemporary V&V. 
2. Formal Requirement Specification and Validation using 
Statecharts 
While  statecharts have been part of the Unified Modeling Languages (UML) standard 
for many years, they are typically used either for documentation or for modeling and 
subsequent code generation for implementation purposes.  
A statechart specification on the other hand, is a Boolean object used only for formally 
asserting about a SUT. It contains a designated Boolean flag (bSuccess) used to qualify 
                                                                                                                                            2
whether a scenario conforms to or violates a requirement. The stateRover Eclipse plug-in 
tool used in this research extends the statechart diagrammatic notation with Java as an 
action language, resulting in a Turing equivalent notation.  
Consider for example the NL requirement R1: the system may have at most three 
successive failed login attempts within a 1 minute period that follows the start of the  
session. Figure 2 is a corresponding statechart assertion formal specification. When 
bSuccess is assigned false (being true by default) the assertion effectively declares that 
the input scenario violates the letter or spirit of the R1 NL specification. Listing 1 
contains two JUnit1 validation tests for this assertion. In the Test1 validation test of 
Listing 1a the developer expects the assertion to succeed because the scenario (visually 
depicted in the timing diagram of Fig. 3a) conforms to the NL.  In contrast, the Test2 
validation test of Listing 1b contains a scenario (visually depicted in the timing diagram 
of Fig. 3b) that violates the NL specification. 
Note that the diagrammatic notation we use mixes event driven notation of UML-
statecharts with workflow notation of flowcharts. Hence, upon the sessionStarted event 
the statechart flows through the StartTimer activity, executes its action, and continues to 
the Login state, all within a single cycle; further details are available in [D2]. Note also 
how the underlying Java action language is used to include a simulation timer object as 
well as  a member variable nCnt. Indeed, as detailed in [D2], the StateRover code 
generator generates a Java class per statechart. 
This example also illustrates the ambiguous nature of R1 as follows. It is not clear 
whether three failed login attempts are disallowed only during the first minute into the 
session, or perhaps within any one minute interval. The scenario depicted in Fig 3c for 
example conforms to R1 according to the first interpretation, but violates R1 according to 
the second interpretation. A statechart assertion is of course unambiguous, but the 
purpose of validation is to assure that its interpretation of the requirement matches the 
true spirit of the NL as seen by the person writing the requirement. In our case the 
statechart assertion was built to match the first interpretation of R1, as indicated by the 
assertTrue statement of Test1 (Listing 1a and Figure 3a).  
                                                 
1  JUnit (www.junit.org) is the de-facto standard Java testing framework. It is available as part of 
the Eclipse Java development environment. 
                                                                                                                                               3 
  public void testMe() { 
Figure 2. A statechart assertion for requirement R1. 
  a.sessionStarted(); 
  a.incrTime(10); 
  a.loginFailed(); 
  a.incrTime(10); 
  a.loginFailed(); 
  a.incrTime(30); 
  a.loginFailed(); 
  a.incrTime(20); 
  a.loginFailed(); 
  assertTrue(a.isSuccess()); 
 } 
a. Test1 validation test for the statechart assertion of Figure 2 (also depicted in Figure 3a). 
 
 public void testMe() { 
  a.sessionStarted(); 
  a.incrTime(10); 
  a.loginFailed(); 
  a.incrTime(10); 
  a.loginFailed(); 
  a.incrTime(10); 
  a.loginFailed(); 
  a.incrTime(20); 
  a.loginFailed(); 
  assertFalse(a.isSuccess()); 
 } 
b. Test2 validation test for the statechart assertion of Figure 2 (also depicted in Figure 
3b). 
 5
a. Timeline diagram for validation test Test1 of Listing 1a. 
b. Timeline diagram for validation test Test2 of Listing 1b. 
c. Timeline diagram for a scenario that illustrates the ambiguous nature of 
requirement R1. 
Figu hart re 3. Timline diagrams rendering of JUnit validation tests for the statec




In this research we used the StateRover Eclipse plug-in [D2] for developing statechart 
assertion diagrams, code generation, and validation. Additional StateRover plug-ins are 
described section 3.  
3. Log File based Verification 
Most RV tools monitor the SUT in a closed loop mode by either running in-process, or  
by using a inter-process communication mechanism such as RCP or even TCP/IP 
sockets. Such an approach has an inevitable impact on the real-time characteristics of a 
real-time SUT, an impact that impedes the corresponding tools ability to truly verify the 
SUT’s conformance to time constraint requirements. 
Using log-file data for RV on the other hand, is a simpler and scalable approach because 
of the following three reasons: (i) it does not require closed loop architecture, (ii) it works 
with almost any SUT that contains a file system, and (iii) it preserves real-time 
characteristics of most SUT’s. In fact, many SUT developers routinely create log files as 
part of their n-going development and testing methodology. Consequently, log file based 
verification is applicable to a wide range of mission critical SUT’s, making it natural to 
apply log-file based monitoring to the verification of PA. This approach also fits well 
within the cuboid discussion of section 4, because log file creation necessitates almost no 
modification to the SUT’s implementation. 
The log file verification tool-set consist of the following set of Eclipse IDE plug-ins 
within the StateRover tool set: 
1. Source-code instrumentation plug-in, used to instrument the SUT source code 
with snippets that writes data to a log file. The primary artifact being logged by 
the instrumentation tool is method calls (including arguments and time of 
execution), with additional optional logging of variable assignment and source 
code branching decisions. Although the instrumentation tool is an Eclipse plug-in, 
it does not require that the SUT be built or executed within the Eclipse IDE; 
rather, is should be built and executed on the target platform.  
2. Log files. Log files are generated by one of the following two approaches:  
a. An instrumented SUT generates a log file in a pre-prescribed XML 
format. 
b. Log files created independently by the developers or contractors. Such 
files are subsequently converted into our XML log format using custom 
converters. 
3. Log file trace to JUnit converter plug-in. This tool converts a trace of method 
calls and variable assignments from a log file XML format to a JUnit test 
sequence equivalent.  
4. Namespace mapping plug-in.  It is unreasonable to expect the developers of a 
large body of statechart and propositional assertions to use the exact same 
namespace (consisting of event names, conditions, and Boolean propositions) 
presented in a log file they have not yet seen; hence enters the namespace 
mapping plug-in. It guides the end-user through a semi-automatic and 
  7
customizable namespace matching procedure. The namespace tools is also useful 
when using assertions taken from a library of assertions, in which case events and 
propositions are typically referenced with  generic names, as in the statechart 
example of Figure. The namespace mapping plug-in contains numerous 
namespace matching algorithms such as the “90% LCS” algorithm, that declares a 
match between strings r (the log file string) and s (an assertion event name string) 
if the length of the longest common subsequence (LCS) of r and s is greater than 
0.9 times the length of s and is also greater than  0.5 times the length of r. The 
namespace plug-in also provides an extension point for end-user customized 
matching algorithms.  
Fig. 4 depicts a sample namespace map for PA. 
5. Verification plug-in. This plug-in, also known as the Assertion Repository plug-in, 
provides a special Eclipse project that serves as container for all requirement-
based assertions, including both statechart assertions as well as propositional 
assertions (written in plain Java).  In addition, the repository also provides a main 
driver for collectively executing all requirement assertions. JUnit tests created 
from log files fire the log-files events and data assignments through this driver, 
which subsequently dispatches them to all assertions. This process amounts to off-
line, log-file based RV. 
Figure 4. A sample namespace map diagram for PA. 
  8
Our decision to use source code instrumentation was made after exploring two other 
alternatives: AspectC and LLVM. AspectC++ is an aspect-oriented extension of C and 
C++ [AC].  It performs source-to-source translation, translating AspectC++ source code 
to C++. Aspect-oriented programming allows modularizing cross-cutting concerns in a 
single module, an aspect. Aspects can modify existing classes, but most commonly they 
provide 'advice' that runs before, after, or around existing functionality. Three key 
drawbacks of aspectC++ when applied to instrumentation are: 
1. Poor readability.  Source code files become difficult to read and manually trace once 
aspects are put into effect. In other words, AspectC++ provides no explicit readable 
evidence that code locations of interest are indeed instrumented. A particular concern is 
over-instrumentation: it is hard to tell, by source code observation alone whether the 
Aspect part isn’t performing overkill by instrumenting too many locations in the code. 
2. Complexity. It is difficult to determine what an aspect is doing en-route from an 
inspected source-code method to the point of advice. A particular V&V concern is to 
identify the impact of Aspects on performance degradation, as well as its adverse effect 
on the deterministic nature of a real-time SUT. 
3. AspectC++ works on a limited set of platforms. In fact, AspectC++ cannot be used to 
instrument programs built on a real-time platform such as VxWorks or QNX. 
The Low Level Virtual Machine (LLVM) was originally designed as a register-based 
compiler framework to support transparent, lifelong program analysis and transformation 
for arbitrary programs [LLVM], by providing high-level information to compiler 
transformations at compile-time, link-time, and run-time. Like other virtual machines it 
contains an intermediate representation (IR) language. The IR has two representations: 
bitcode - the form executed by the virtual machine, and IR assembly, a human readable 
representation of the bitcode.  
Two key drawbacks of LLVM when applied to instrumentation are: 
1. Full implementation on a limited set of platforms such as Apple Darwin (MacOS), 
Linux on X86-32 and X86-64, Windows on X86-32,  and certain versions of Linux on 
ARM. Notably absent from this list are real-time operating system platforms. 
2. Name mangling. Name mangling is the technique that achieves C++ function 
overloading. Name mangling results in the obfuscation of source-code function names, a 
critical issue for our RV-based instrumentation approach where function names need to 
match assertions, as done by our namespace mapping tool. 
4. The Specification, Implementation, and Verification Tradeoff 
Space 
State of the art light-weight and heavy-weight requirement-based computer-aided 
verification (CAV) techniques suffer from an inherent trade-off represented by the three 
dimensional cuboid of Figure 5 [DMS]. The three axes of the cuboid qualitatively 
represent metrics for three orthogonal efforts that take place while performing 
requirement-based CAV, as follows. The central axis is the verification axis; in Figure 5a 
it represents the effectiveness of a given technique (as qualitatively measured by its 
ability to cover the test space), while in Figure 5b it represents the cost of using the 
   9
technique. For most techniques, this axis represents the holy grail of the entire effort, 
being the axis in which most techniques claim a return on investment - typically by 
providing a level of coverage that is impossible or prohibitively expensive to achieve 
using trasitional techniques. The other two axes, the specification and validation axis and 
the implementation axis, qualitatively represent the effectiveness (Figure 5a) and cost 
(Figure 5b) of the associated specification and validation effort and the induced impact to 
the target code base, respectively. Hence, these techniques represent hidden impedances 
associated with a chosen technique, as described below. Clearly, moving outwards on any 
axis of Figure 5a represents an improved level of effectiveness, while moving inwards on 
any axis of Figure 5b represents lower costs. 
Consider for example the following natural language (NL) requirement for requirement 
R2 of an infusion pump controller: if pump pressure drops below the threshold more than 
N times per 15 second interval then the average pressure during that interval may not be 
lower than P. Such a NL requirement would is not within the range of specifications 
catered by most model-checkers and theorem provers because their respective 
specification languages (e.g., Propositional Linear Time Temporal Logic (PLTL) [P] or 
Buchi Automata [T] do not cater for real time constrains, counting, or time series data 
constraints. Consequently, those techniques register a low level of effectiveness along the 
specification and validation axis of Figure 5a. In addition, the use of unfamiliar and non-
standard specification languages and the absence of validation tools for those languages 
induce a high cost of validation along the same axis in Figure 5b. In contrast, Figure 6a is 
the UML-based statechart assertion for requirement R1, and Figure 6b is a timeline 
diagram rendering of a JUnit validation test for this assertion. 
As with most mission critical systems, the infusion pump in the above mentioned 
example is implemented in C or C++ on a real-time operation system (RTOS) platform 
such as VxWorks, Green Hills, or QNX. Most model-checkers and theorem provers 
require that the code base under verification be ported and rebuilt within a dedicated 
verification environment, one that has no access to the RTOS and its libraries. Most 
mission critical programs are not readily available for porting, thereby inducing a  low 
level of effectiveness along the implementation axis of Figure 5a. Even when doable, 
such porting is often a non trivial effort requiring an experienced human driver, resulting 
in a high cost ranking along the implementation axis of Figure 5b. More specifically, in 
the Orion case described in this paper, the only available code based executed under the 
Trick simulation environment discussed in section 6 on a secure Unix platform, a 
configuration that does not permit on-line communication with an external tool. 
The technique presented in this paper represents a deliberate choice within the CAV 
tradeoff space, where the effectiveness and cost of verification is traded for improved 
effectiveness and cost along the other two axes. In other words, the philosophy behind the 
technique is that its ability to specify and validate right product (using an easy to use, 
diagrammatic, Turing-equivalent and familiar UML-based specification language) 
accompanied by its ability to subsequently verify it in-place on its real platform (using 
the log file verification approach discussed in the sequel), is often more important than 
reaching the promised land along the verification axis.   
   10
 a. The effectiveness tradeoff space 
Figure 5. The specification and validation, implementation, and verification tradeoff 
cuboids. 
b. The cost tradeoff space 
Figure 6. A statechart assertion for requirement R2. 
 
 11
5. Specification and Validation of PA 
In this section we demonstrate the application of our V&V approach to the Orion PA 
subsystem. Because Orion and PA are ITAR protected, we cannot publish the real PA 
specifications. However, we describe two requirements in a distilled format, after 
changing event names and time constraint values. 
Requirement PA.2.1: The software shall monitor the ModeA Command in every  
N Hz frame, until mode B is entered. 
Figure 7a depicts a statechart assertion for this requirement and Figure 7b depicts a 
validation test for this assertion.  
 
a. Statechart assertion for requirement PA.2.1 
 
 
b. Timeline diagram of a validation test for statechart-assertion in Fig. 7a. 
 
Figure 7. Formal specification and validation for requirement PA.2.1. 
 
Requirement PA.2.3: The software shall issue a mode C indication only if both of the 
following criteria are met:  
a. Good health and status indications from sensors 
 12
b. A positive mode C indication 
 A positive positive mode C  indication is that the mode C command has maintained a 
logical high state in each of the last N M-Hz frames. 
Figure 8a depicts a statechart assertion for this requirement, and Figure 8b depicts a 
validation test for this assertion.  
a. A statechart assertion for requirement  PA.2.3 
 
b. Timeline diagram for a validation test for the statechart assertion of Fig. 8a. 
 
Figure 8. Formal specification and validation for  requirement PA.2.3. 
6. Verification of PA 
The PA verification phase was performed on top of the Orion simulation, built within the 
Trick simulation environment [Trick], often used by NASA to simulate space missions. 
The PA Trick simulation operates on a Unix workstation denoted Twinkie. The RV 
verification process consisted of the following steps. 
1. Source code files were imported from their location on Twinkie into an Eclipse 
environment on Twinkie or a connected Windows machine. 
2. The instrumentation tool was applied to those source code files resulting in code that 
will eventually log all method calls and global variable assignments. 
 13
3. The instrumented source code files were copied back to their original location on 
Twinkie. 
4. Make files on Twinkie were modified to include two additional auxiliary source code 
files (files with customizable logging utilities). 
5. PA was rebuilt using the modified source code and Make files. 
6. PA was executed in its Trick environment. The step was repeated several times, one 
for each PA test scenario. Each execution resulted in a new log file on Twinkie. 
7. The resulting log files were imported into the Eclipse environment using the Log file 
trace to JUnit converter  plug-in described earlier. Note that each such test fires its events 
at a main Java class, called the main repository driver that resides in the assertion 
repository. This driver dispatches events to all assertions in the repository. 
8. A name space map diagram was created for each such imported log file. Each name 
space map describes the testers mapping between the SUT name space and the name 
space used by assertions in the repository. The name space mapping plug-in also 
generated a Java class that performs actual name space mapping during RV, as discussed 
in step 9 below. 
9. Each JUnit test created in step 7 was executed, in Eclipse. The JUnit test fires events at 
the main repository driver, after using the name space translation described in step 8 to 
translate events from their SUT name space to the assertion repository name space. The 
main repository driver dispatches those events to all assertions in the repository, and 
collects their isSuccess Boolean status. When an assertion  fails the main driver logs the 
name of the assertion that failed and passes this information to the end user at the end of 
the test. 
 
Figure 9 depicts some of the above mentioned verification related artifacts. 
 14
 Assertion repository package
Main assertion repository driver. It 
dispatches events to all assertions.
Auto generated name space translator 
Location of JUnit tests created 
from log files.
Statechart assertion. Each 
package contains the assertion 
and its validation tests 
Imported log files. 
 
Figure 9. The assertion repository with its verification related artifacts. 
 15

























[AC] AspectC++: www.aspectc.org/ 
[BD] Bourque, P. and Dupuis, R. eds., SWEBOK: Guide to the Software Engineering 
Body of Knowledge (2004 Version), IEEE, 2004 
[D1] Drusinsky, D., The Temporal Rover and the ATG Rover, in Proc. SPIN 2000 
Workshop, 2000, LNCS 1885, Springer-Verlag, pp. 323-329. 
[D2] Drusinsky, D., Modeling and Verification Using UML Statecharts - A Working 
Guide to Reactive System Design, Runtime Monitoring and Execution-based Model 
Checking, Burlington, MA: Elsevier, 2006. 
[DMS] Drusinsky, D., Michael, J.B. and Shing, M., A Visual Tradeoff Space for Formal 
Verification and Validation Techniques, IEEE Systems Journal, 2(4), pp. 513-519, Dec. 
2008. 
[HR] Havelund K. and Rosu, G., An Overview of the Runtime Verification Tool Java 
PathExplorer, Formal Methods in System Design, vol. 24, Springer Netherlands, pp. 189-
215, 2004. 
[LLVM] LLVM: http://llvm.org/ 
[SLS] Sammapun, U., Lee, I., and Sokolsky, O., RT-MaC: Runtime Monitoring and 
Checking of Quantitative and Probabilistic Properties, in Proc. 11th IEEE Int’l Conf. 
Embedded and Real-Time Computing Systems and Applications, 2005, IEEE, pp. 147-
153. 
[P] Pnueli A., The Temporal Logic of Programs,  in Proc. 18’th IEEE Symp. on 
Foundations of Computer Science, 1977, pp. 46-57. 
[T] Thomas, W., “Automata on infinite objects,” in Handbook of Theoretical Computer 
Science (vol. B): Formal Models and Semantics, J. van Leeuwen (ed.), Cambridge, MA: 
MIT Press, pp. 133–191, 1990. 
[Trick] TRICK: A SIMULATION DEVELOPMENT TOOLKIT 
pdf.aiaa.org/preview/CDReadyMMST03_842/PV2003_5809.pdf 
 
  INITIAL DISTRIBUTION LIST 
 
 
1. Defense Technical Information Center 
 Ft. Belvoir, Virginia  
 
2. Dudley Knox Library 
      Naval Postgraduate School 
      Monterey, California  
 
3.         Research and Sponsored Programs Office, Code 41  
Naval Postgraduate School 
Monterey, California  
 
 
