Results 1 - 10 of 30
Model checking timed UML state machines and collaborations
- 7th Intl. Symp. Formal Techniques in Real-Time and Fault Tolerant Systems (FTRTFT 2002)
, 2002
Cited by 47 (2 self)
Abstract. We describe a prototype tool, hugo/RT, that is designed to automatically verify whether the timed state machines in a UML model interact according to scenarios specified by time-annotated UML collaborations. Timed state machines are compiled into timed automata that exchange signals and operations via a network automaton. A collaboration with time constraints is translated into an observer timed automaton. The model checker uppaal is called upon to verify the timed automata representing the model against the observer timed automaton.
Embedded Software
- Advances in Computers
, 2002
Cited by 44 (6 self)
The science of computation has systematically abstracted away the physical world. Embedded software systems, however, engage the physical world. Time, concurrency, liveness, robustness, continuums, reactivity, and resource management must be remarried to computation. Prevailing abstractions of computational systems leave out these "non-functional" aspects. This chapter explains why embedded software is not just software on small computers, and why it therefore needs fundamentally new views of computation. It suggests component architectures based on a principle called "actor-oriented design," where actors interact according to a model of computation, and describes some models of computation that are suitable for embedded software. It then suggests that actors can define interfaces that declare dynamic aspects that are essential to embedded software, such as temporal properties. These interfaces can be structured in a "system-level type system" that supports the sort of design-time and run-time type checking that conventional software benefits from.
Combining UML and formal notations for modelling real-time systems
, 2000
Cited by 19 (2 self)
This article explores a dual approach to real-time software development. Models are written in UML, as this is expected to be relatively easy and economic. Then models are automatically translated into a formal notation that supports the verification of properties such as safety, utility, liveness, etc. In this way, developers can exploit the advantages of formal notations while skipping the complex and expensive formal modelling phase.
Towards OCL/RT
- Formal Methods – Getting IT Right, International Symposium of Formal Methods Europe
, 2002
Cited by 17 (3 self)
Abstract. An extension of the “Object Constraint Language” (OCL) for modeling real-time and reactive systems in the “Unified Modeling Language” (UML) is proposed, called OCL/RT. A general notion of events that may carry time stamps is introduced providing means to describe the detailed dynamic and timing behaviour of UML software models. OCL is enriched by satisfaction operators @η for referring to the value in the history of an expression at the instant when event η occurred, as well as the modalities always and sometime. The approach is illustrated by several examples. Finally, an operational semantics of OCL/RT is given. Keywords. Real-time systems, OCL, UML, events
UML–Based Analysis of Embedded Systems Using a Mapping to VHDL
Cited by 17 (4 self)
Methods for developing and modeling embedded systems and rigorously verifying behavior before committing to code are increasingly important. A number of object-oriented techniques and notations have been introduced, but recently, it appears that the Unified Modeling Language (UML) could be a notation broad enough in scope to represent a variety of domains and gain widespread use. Currently, however, UML is only a notation, with no formal semantics attached to the individual diagrams. In order to address this problem, we have developed a framework for deriving VHDL specifications from the class and state diagrams in order to capture the structure and the behavior of embedded systems. The derived VHDL specifications enable us to perform behavior simulation of the UML models.
Timed Sequence Diagrams and Tool-Based Analysis -- A Case Study
, 1999
Cited by 12 (0 self)
We use UML timed Sequence Diagrams to specify the realtime behaviour of a communication protocol of audio/video components. The sequence
Using Perceptual Syntax to Enhance Semantic Content in Diagrams
- IEEE Computer Graphics and Applications
, 2001
Cited by 12 (0 self)
flow models are examples of node-link diagrams used to model the structure of processes, software, or data. A modeling language that has recently gained widespread use is UML - Unified Modeling Language. UML contains a suite of diagramming techniques that allow one to model various aspects of a software system [4], a real-time application [5], or an enterprise structure [6]. Its versatility in several application areas results from the rich semantics it seeks to model. For example class diagrams in UML model software structures and include methods for depicting inheritance and composition. When these semantics are used, in the realm of enterprise modeling for example, UML can capture relationships between organizations or relationships between the corporation and its employees. However, although considerable attention has been given to making these UML notations general and complete, the actual choice of graphical notations appears to be
Embedded Software - An Agenda for Research
, 1999
Cited by 12 (1 self)
ions that can be used include the event-based model of Java Beans, semaphores based on Dijkstra's P/V systems [21], guarded communication [40], rendezvous, synchronous message passing, active messages [84], asynchronous message passing, streams (as in Kahn process networks [45]), dataflow (commonly used in signal and image processing), synchronous/reactive systems [10], Linda [18], and many others. These abstractions partially or completely define a model of computation, the modular organizational and operational principles of a system. Applications are built on a model of computation, whether the designer is aware of this or not. Each possibility has strengths and weaknesses. Some guarantee determinacy, some can execute in bounded memory, and some are provably free from deadlock. Different styles of concurrency are often dictated by the application, and the choice of model of computation can subtly affect the choice of algorithms. While dataflow is a good match for signal processi...
Architectural Considerations in the Certification of Modular Systems
- in Proceedings of the 21st International Conference on Computer Safety, Reliability and Security (SAFECOMP'02)
, 2003
Cited by 11 (6 self)
Modular system architectures, such as integrated modular avionics (IMA) in the aerospace sector, offer potential benefits of improved flexibility in function allocation, reduced development costs and improved maintainability. However, they require a new certification approach. The traditional approach to certification is to prepare monolithic safety cases as bespoke developments for a specific system in a fixed configuration. However, this nullifies the benefits of flexibility and reduced rework claimed of IMA-based systems and will necessitate the development of new safety cases for all possible (current and future) configurations of the architecture. This paper discusses a modular approach to safety case construction, whereby the safety case is partitioned into separable arguments of safety corresponding with the components of the system architecture. Such an approach relies upon properties of the IMA system architecture (such as segregation and location independence) having been established. The paper describes how such properties can be assessed to show that they are met and trade-offs performed during architecture definition reusing information and techniques from the safety argument process.
A Comparison of the Business Object Notation and the Unified Modeling Language
- In [22
, 1999
Cited by 10 (1 self)
Seamlessness, reversibility, and software contracting have been proposed as important techniques to be supported by object-oriented methods. These techniques are used to provide a framework for the comparison of two modeling languages, the Business Object Notation (BON) and the Unified Modeling Language (UML). Elements of the UML and its constraint language that do not support these techniques are discussed. Suggestions for further improvements to both BON and UML are described. 1 Introduction ...There are two ways of constructing a software design: one way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. C.A.R. Hoare, Turing Award Lecture 1980 [7]. As described by Brooks [1], the key factor in producing quality software is specifying, designing and implementing the conceptual construct that underlies the program. This conceptual construct is usually complex and highly ...

