MP’s Completeness Guarantee

What makes Monterey Phoenix different—and why it matters for high-stakes systems

Most modeling approaches explore a subset of system behavior. They generate selected paths—expected scenarios, representative cases, or behaviors that have been explicitly defined.

Monterey Phoenix (MP) does something fundamentally more powerful. It generates the scope-complete set of all possible behavior traces permitted by your model—every valid combination of events, up to a user-defined scope limit.

What “Scope-Complete” Actually Means

In MP, system and environment behavior is defined using a small set of compositional rules based on two primary relations:

precedence —events occurring in sequence
inclusion —events containing other events

Events are grouped inside logical structures denoting concurrent, alternative, optional, and looping events.

Additional constraints are imposed only where necessary.

“For a given MP schema it is possible to obtain all valid traces up to a certain limit. Usually such a limit (scope) may be set by the maximum total number of events within the trace, or by the upper limit on the number of iterations in grammar rules.”

Mikhail Auguston, “Behavior Models for Software Architecture” (2024)

When you run the model, MP’s event trace generator automatically produces every possible execution path that satisfies those rules. This generation is exhaustive within a defined scope:

For models without iteration, the set of event traces is complete, without qualification.
For models with iteration, scope-complete guarantees that every valid combination of events up to the defined limit is included.

No permitted behavior within that scope is omitted.

This is an example of a lightweight formal method—providing exhaustive behavioral coverage without the overhead typically associated with formal verification approaches.

Why This Matters in Practice

Most modeling tools and diagrams (including SysML sequence and activity diagrams) represent selected behaviors.

They make it difficult to see the full set of outcomes a system specification actually permits.

MP surfaces the entire superset—including unexpected and unwanted “extra” behaviors that emerge from interactions.

When teams inspect generated traces—often beginning with small scopes (e.g., 1–3, where many meaningful behaviors surface)—they can identify:

Expected behaviors → verify they’re present.
Unexpected yet plausible behaviors → validate your assumptions and constraints.
Unwanted behaviors → add targeted constraints (which become formal requirements) to “chip them away,” like a sculptor removing marble from a rough block to reveal the angel within.

This process turns latent risks into documented, testable requirements—before they surface in operations.

From Permitted Unknowns to Controlled Awareness

As behaviors are identified, teams introduce targeted constraints to eliminate unwanted outcomes.

These constraints become explicit requirements.

The process is iterative:

generate traces
inspect outcomes
classify behavior
refine constraints
repeat

Over time, this produces a more precise and controlled specification—one that formally documents each new constraint as the consequences of its absence are discovered.

Academic Pedigree and Real-World Proof

Developed at the Naval Postgraduate School, MP has been used by students and practitioners from diverse backgrounds in systems engineering, computer science, cybersecurity, public policy, psychology, criminal justice, and other fields of study and practice. Hundreds of students from high school to graduate school have learned it in weeks and discovered previously unrealized failure modes in real systems.

MP powers the Emergeneering™ methodology at Firelight Logic: model behaviors and interactions separately (and minimally at first), generate the full set of traces, inspect with human reasoning, classify, and then control. The result is tighter, more precise specifications that preserve acceptable behaviors while eliminating the unacceptable ones.

For Technical Teams Who Want the Full Picture

Using MP dramatically expands the set of assertion checks and test cases by surfacing previously unknown unacceptable behaviors. Teams implement tighter, more precise constraints—while still preserving a healthy range of acceptable behaviors that might otherwise have been over-cautiously eliminated.

This is not sampling.

This is not “some scenarios.”

This is every permitted path, up to the scope you choose—so you can make decisions with visibility into what your system actually allows.

Ready to see it in action on your system?

For Technical Teams Who Want the Full Picture

This is not sampling.

This is not “some scenarios.”

This is every permitted path, up to the scope you choose—so you can make decisions with visibility into what your system actually allows.

Ready to see it in action on your system?

Content drawn from:

Sutherland, Joshua, Alfonso Lanza, Kristin Giammarco, Michael Pennotti, Dov Dori, and Louise Harney. 2025. “Elegant Solutions to Complex Problems – Perspectives and Practice.” INSIGHT 28 (4). International Council on Systems Engineering.
Giammarco, Kristin. 2024. “System Behavior Specification Verification and Validation (V&V).” In Systems Engineering for the Digital Age: Practitioner Perspectives, edited by Dinesh C. Verma, 219–40. Hoboken, NJ: John Wiley & Sons.
Giammarco, Kristin. 2023. “Exposing and Controlling Emergent Behaviors Using Models with Human Reasoning.” In Emergent Behavior in System of Systems Engineering, edited by Larry Rainey and O. Thomas Holland, 23–61. Boca Raton, FL: CRC Press.
Auguston, Mikhail. 2014. Behavior Models for Software Architecture. Technical Report NPS-CS-14-003. Monterey, CA: Naval Postgraduate School.