The vital role that real-time embedded systems are playing and will continue to play in our world, coupled with their increasingly complex and critical nature, demand a rigorous and systematic treatment that recognizes their unique requirements. The Time-constrained Reactive Automaton (TRA) is a formal model of computation that admits these requirements. Among its salient features is a fundamental notion of space and time that restricts the expressiveness of the model in a way that allows the specification of only reactive, spontaneous, and causal computations. Using the TRA formalism, there is no conceptual distinction between a system and a property; both are specified as formal objects. This reduces the verification process to that of establishing correspondences -- namely preservation and implementation relationships -- between such objects. In this paper, we present the TRA model and briefly overview our experience in using it in the specification and verification of real-time embedded systems.

We investigate the problem of planning for embedded systems where issues of safety, liveness, and responsiveness are much more important than intelligence. We argue that in such systems, a planning agent should produce a behavioral specification that, when superimposed on running behaviors, preserves the properties critical to the mission of the system. In this respect, we propose the Time-constrained Reactive Automata (TRA) formalism [Best91b] for plan generation and verification.

Predictability -- the ability to foretell that an implementation will not violate a set of specified reliability and timeliness requirements -- is a crucial, highly desirable property of responsive embedded systems. This paper overviews a development methodology for responsive systems, which enhances predictability by eliminating potential hazards resulting from physically-unsound specifications. The backbone of our methodology is a formalism that restricts expressiveness in a way that allows the specification of only reactive, spontaneous, and causal computation. Unrealistic systems -- possessing properties such as clairvoyance, caprice, infinite capacity, or perfect timing -- cannot even be specified. We argue that this "ounce of prevention" atthe specification level is likely to spare alotoftimeand energy in the development cycle of responsive systems -- not to mention the elimination of potential hazards that would have gone, otherwise, unnoticed.

ion model [12] specifically to satisfy the needs of distributed multimedia applications. This model has similarities to the I/O automaton model. Timed automaton is a general model for timing based systems. A timed automaton has three types of actions [22] - time-passage actions, visible actions and the special internal action . Timed automata has been used to verify the correctness of timed protocols for communications, audio control and real-time process control [14]. MMT automata are originally defined by Merritt, Modugno and Tuttle [25]. An MMT automaton is obtained by augmenting an I/O automaton with certain upper and lower bound information. Let A be an I/O automaton with only finitely many partition classes. For each class C, MMT automaton defines lower and upper time bounds, lower(C) and upper(C), where 0 lower(C) ! 1 and 0 ! upper(C) 1. The MMT automaton 10 model uses an external way of specifying the time bound restrictions, while the timed automata build the time bound ...

Design and implementation of embedded real-time systems is a complex and currently a major area of research. This project focuses on the implementation of one such design, the TRA model (i.e., Timeconstrained Reactive Automata), proposed and developed by Dr. Azer Bestavros. The TRA model is implemented via the embedded real-time systems specification language CLEOPATRA - C-based Language for Event driven Object-oriented Prototyping of Asynchronous Time-constrained Reactive Automata. The CLEOPATRA language has been developed to provide a way to specify TRA objects. The interconnection of multiple TRA objects via channels denotes an entire embedded system. A compiler for the specification language CLEOPATRA is the focus of this work. This project involved the design of a compiler which takes a CLEOPATRA source specification file (e.g., <file>.cleo) and generates a C-based simulator that simulates an embedded real-time, event-driven reactive system. The CLEOPATRA language is C based, and therefor follows a similar syntax to that of the C language. In the construction of the CLEOPATRA compiler, the UNIX software tools lex and yacc were utilized. These utilities provided a clean and easily extendible format for the CLEOPATRA grammar. email address: rpopp@cs.bu.edu -21

The real-time reactive nature of embedded systems and rigid timing and performance requirements imposed by the external environment significantly complicate the design process for such applications. The use of formal methods for specification and design of embedded systems is a promising solution to overcome these difficulties. This paper investigates the problem of mapping between a high-level formal specification and low-level design and implementation. We

Abstract not found