s and compressed postscript files are available via http://svrc.it.uq.edu.au A Set-Theoretic Model for Real-Time Specification and Reasoning C. J. Fidge I. J. Hayes A. P. Martin A. K. Wabenhorst Abstract. Timed-trace formalisms have emerged as a powerful method for specifying and reasoning about concurrent real-time systems. We present a simple variant which builds methodically on set theory, and is thus suitable for use by programmers with little formal methods experience. 1 Introduction Following an intensive period of research, formal methods for modelling realtime systems are now starting to mature. One of the most successful approaches has been to model real-time systems via time-varying functions---this accords with the way dynamic behaviour of time-dependent processes is modelled in the physical sciences. Prominent examples include the Duration Calculus [20], the Temporal Agent Model [15], and the timed refinement calculus [9]. Despite many superficial differences, th...

. We show how real-time schedulability tests and program refinement rules can be integrated to create a formal development method of practical use to real-time programmers. A computational model for representing task scheduling is developed within a `timed' refinement calculus. Proven multi-tasking schedulability tests then become available as feasibility checks during system refinement. 1 Introduction There has long been a gulf between formal methods for specifying and developing real-time programs and the needs of real-time programmers `in the field'. ffl Formal methods for specifying concurrent real-time systems typically make unrealistic simplifying assumptions. In particular, `maximal parallelism' assumes that each task resides on its own processor and is thus never preempted. This is often justified by pointing to the ever-decreasing cost of hardware. ffl Embedded systems programmers, on the other hand, constrained by the realities of power, cost and space limitations, t...

Program refinement usually translates an abstract specification to a highlevel language program. However, this process can be taken further by refining a high-level language `specification' to an assembler code `implementation '. It is shown how this can be done in the familiar refinement calculus framework. Several derived refinement rules for modelling program compilation are presented. Keywords: Program refinement; compilation; action systems 1 Introduction Compilation of high-level language programs to assembler code is among the oldest and most well-explored technologies in computer programming. Nevertheless, stories of production compilers containing bugs abound! Often this is merely an annoyance, but in safety-critical applications the danger of unknown compilation errors is unacceptable. One solution to this is to develop a verified, trustworthy compilation strategy for a simplified programming language. Such a strategy can then be used as a basis for either (directly)...

This paper presents a method of formally specifying systems involving continuous variables and real-time constraints using the object-oriented state-based specification language Object-Z together with the timed trace notation of the timed refinement calculus. The basis of this integration is a mapping of the existing Object-Z history semantics to timed traces.

A predicate transformer model for network composition of dataflow processes is developed. This model for network composition is shown to support a powerful decomposition rule which allows the arbitrary decomposition of network (liveness, safety, and timing) properties over subcomponents. The rule allows the utilisation of properties of siblings in the development of individual components through their introduction as specification assumptions. An example implementation language of synchronous dataflow machines is considered and the network composition operator specialised so as to support, within the refinement calculus, a compositional development method for this language. 1 Introduction The separation of formal specifications into assumptions about the environment of a process and effects required of the process has a venerable formal methods pedigree, stretching back through Hoare's axioms [5] to the germination of the idea in work by Floyd and even Turing [6]. The adoption of what...

. We show how a formal program development environment, previously used for sequential, non-real-time applications only, can be exploited for parallel, real-time system design. A pragmatic approach is adopted, making best use of existing technologies, in order to quickly achieve useful results. 1 Introduction After an intense period of research, formal program development environments are now maturing. Tools to support specification, refinement, verification and analysis are becoming powerful enough for industrial applications [Hart et al., 1996], although much work remains. Not surprisingly, contemporary environments and tools emphasise well-established concepts, such as sequential state machines [Abrial, 1996; Cant et al., 1996]. Nevertheless, there is an increasingly urgent demand for practical techniques that can be used in more challenging application domains, especially real-time systems. Unfortunately, this is an area where there is still considerable disagreement about f...

The refinement calculus is a well-established theory for formal development of imperative program code and is supported by a number of automated tools. Via a detailed case study, this article shows how refinement theory and tool support can be extended for a program with real-time constraints. The approach adapts a timed variant of the refinement calculus and makes corresponding enhancements to a theorem-prover based refinement tool.

We formalise the behaviour of non-preemptive, real-time, multi-tasking systems by expressing the computational components assumed by realtime scheduling theory in a trace-based notation. The model is suitable as a target implementation domain for dataflow refinements, amenable to formal schedulability analysis, and implementable in a concurrent real-time programming language. 1 Introduction We present a formal model of real-time, static-priority, non-preemptive process scheduling. The model ffl is trace-based, making it a suitable target domain for formal `dataflow' refinements [9], ffl is expressed using the computational components assumed by realtime scheduling theory, making it amenable to analysis via an alreadyproven real-time schedulability test [1], ffl has a direct implementation in the Ada 95 programming language [3], and ffl is sufficiently simple to have a good chance of acceptance in safetycritical applications [2]. 2 Background 2.1 Scheduling theory terminolo...

The timed refinement calculus is a predicate-transformerbased formalism for the specification and refinement of real-time, reactive systems. Although it has been successfully applied to a number of case studies, its scalability and ability to e#ectively model concurrent and distributed real-time systems is inhibited by its lack of a suitable parallel composition operator. In particular, previous definitions of parallel composition for the formalism lack associativity or do not behave correctly when one of the components aborts. In this paper, we provide a new definition which is well-behaved under certain restrictions.

This paper presents Real-Time Object-Z: an integration of the object-oriented, state-based specification language Object-Z with the timed trace notation of the timed refinement calculus. This integration provides a method of formally specifying and refining systems involving continuous variables and real-time constraints. The basis of the integration is a mapping of the existing Object-Z history semantics to timed traces.