Assertional Specification and Verification using PVS of the Steam Boiler Control System, 1996
Cited by 12 (1 self)

Abstract: An implementation of the steam boiler control system has been derived using a formal method based on assumption/commitment pairs. Intermediate stages of top-down design are represented in a mixed formalism where programs and assertional specifications are combined in a single framework. Design steps can be verified by means of compositional proof rules. This framework has been defined in the specification language of the verification system PVS. By the interactive proof checker of PVS, the correctness of each refinement step has been checked mechanically.

1 Introduction: The steam boiler control system, as described in chapter AS of this book, has been designed in an assertional framework. That is, the system and its components are described by listing their properties in a certain logic. The formalism used here is based on Hoare logic (precondition, program, postcondition), which has been extended and modified to deal with distributed real-time systems. Verification is supp...
Program Design in PVS
Workshop on Tool Support for System Development and Verification, 1997
Cited by 4 (0 self)

Abstract: Hoare triples (precondition, program, postcondition) have been incorporated in the verification system PVS. Two approaches are presented: the conventional one, with a clear distinction between syntax and semantics, and another where programs are identified with their semantics. In the last approach specifications are embedded in the semantic framework, leading to a formalism where specifications and programming constructs can be mixed freely. This framework forms the basis of a formal method for the design of distributed real-time systems.

1 Introduction: The general aim of our work is the formal specification and compositional verification of distributed real-time systems. To this end, a formalism based on Hoare triples (precondition, program, postcondition) has been devised and applied to a number of examples such as a distributed real-time arbitration protocol [Hoo94a], a chemical batch processing system [Hoo94c], and a mine pump system [Hoo96a]. These examples have been verif...
Computer-Aided Development of a Real-Time Program, 1999
Cited by 2 (1 self)

Abstract: The refinement calculus is a well-established theory for formal development of imperative program code and is supported by a number of automated tools. Via a detailed case study, this article shows how refinement theory and tool support can be extended for a program with real-time constraints. The approach adapts a timed variant of the refinement calculus and makes corresponding enhancements to a theorem-prover based refinement tool.
Reasoning about real-time repetitions: Terminating and nonterminating
Science of Computer Programming, 43(2–3):161–192, May/June 2002
Cited by 1 (0 self)

Abstract: It is common for a real-time system to contain a nonterminating process monitoring an input and controlling an output. Hence a real-time program development method needs to support nonterminating repetitions. In this paper we develop a general proof rule for reasoning about possibly nonterminating repetitions. The rule makes use of a Floyd-Hoare-style loop invariant that is maintained by each iteration of the repetition, a Jones-style relation between the pre- and post-states on each iteration, and a deadline specifying an upper bound on the starting time of each iteration. The general rule is proved correct with respect to a predicative semantics. In the case of a terminating repetition the rule reduces to the standard rule extended to handle real time. Other special cases include repetitions whose bodies are guaranteed to terminate, nonterminating repetitions with the constant true as a guard, and repetitions whose termination is guaranteed by the inclusion of a fixed deadline.

