I am working on validating large software system requirements specifications using symbolic model checking. This is joint work with a group of smart people: <a href="http://www.cs.washington.edu/homes/anderson/">Richard Anderson</a>, <a href="http://www.cs.washington.edu/homes/beame/beame.html">Paul Beame</a>, <a href="http://www.cs.washington.edu/homes/burns/">Steve Burns</a>, <a href="http://www.cs.washington.edu/homes/fm/">Francesmary Modugno</a>, <a href="http://www.cs.washington.edu/homes/notkin/">David Notkin</a>, and <a href="http://www.cs.washington.edu/homes/jdreese/">Jon Reese</a>. Recently we analyzed an early version of the <a href="http://www.cs.washington.edu/homes/jdreese/TCAS-II-Description.htm">TCAS II</a> (Traffic Alert and Collision Avoidance System) System Requirements Specification written in the <a href="http://www.cs.washington.edu/research/projects/safety/www/papers/rsml-grammar/rsml-grammar.html">Requirements State Machine Language</a> (RSML) using a <a href="http://www.cs.cmu.edu/afs/cs.cmu.edu/user/bryant/www/bdd.html">BDD</a>-based model checker, the <a href="http://www.cs.cmu.edu/~modelcheck/smv.html">Symbolic Model Verifier</a> (SMV). A <a href="#fse4">paper</a> appeared in <a href="http://www.csl.sri.com/sigsoft96/">ACM SIGSOFT '96</a> (FSE 4). <p>
