The behaviour of a real-time system that interacts repeatedly with its environment is most succinctly specified by its possible traces, or histories. We present a way of using the refinement calculus for developing real-time programs from requirements expressed in this form. Our trace-based specification statements and target language constructs constrain the traces of system variables, rather than updating them destructively like the usual state-machine model. The only variable that is updated is a special current-time variable. The resulting calculus allows refinement from formal specificationswith hard real-time requirements, to high-level languageprograms annotated with precise timing constraints. 1 Introduction Refinement rules that preserve the functional requirements of procedural programs are now well established [18]. Such rules do not support real-time requirements, however. The Quartz project is defining a refinement method for multi-tasking applications with hard re...

. We show how real-time schedulability tests and program refinement rules can be integrated to create a formal development method of practical use to real-time programmers. A computational model for representing task scheduling is developed within a `timed' refinement calculus. Proven multi-tasking schedulability tests then become available as feasibility checks during system refinement. 1 Introduction There has long been a gulf between formal methods for specifying and developing real-time programs and the needs of real-time programmers `in the field'. ffl Formal methods for specifying concurrent real-time systems typically make unrealistic simplifying assumptions. In particular, `maximal parallelism' assumes that each task resides on its own processor and is thus never preempted. This is often justified by pointing to the ever-decreasing cost of hardware. ffl Embedded systems programmers, on the other hand, constrained by the realities of power, cost and space limitations, t...

Program refinement usually translates an abstract specification to a highlevel language program. However, this process can be taken further by refining a high-level language `specification' to an assembler code `implementation '. It is shown how this can be done in the familiar refinement calculus framework. Several derived refinement rules for modelling program compilation are presented. Keywords: Program refinement; compilation; action systems 1 Introduction Compilation of high-level language programs to assembler code is among the oldest and most well-explored technologies in computer programming. Nevertheless, stories of production compilers containing bugs abound! Often this is merely an annoyance, but in safety-critical applications the danger of unknown compilation errors is unacceptable. One solution to this is to develop a verified, trustworthy compilation strategy for a simplified programming language. Such a strategy can then be used as a basis for either (directly)...

A practical methodology for compilation of trustworthy real-time programs is introduced. It combines new program development and timing analysis techniques with traditional compilation and assembly technologies. Keywords and phrases: Real-time programming; compilation; timing analysis. 1 Introduction High-integrity real-time programs must always meet all their `hard' deadlines. Real-time code must exhibit not only correct functional behaviour, but predictable timing behaviour as well. Programming real-time systems in a highlevel language is difficult because it is the machine code generated by the compiler and assembler, not the high-level source program, that ultimately determines timing correctness. Contemporary compilers make no attempt to generate code with predictable timing characteristics [30, 28], undermining their value for real-time applications. Consequently, safety-critical real-time programs are typically written directly in assembler language, forsaking the well-est...

Quartz is a formal software development method for concurrent real-time systems, currently being devised by the Software Verification Research Centre. It is a program refinement theory that supports systematic production of verified real-time code from a formal specification. Its model encompasses a broad range of development steps from abstract requirements specification, through high-level language programs, down to executable assembler code with verified timing behaviour. This article illustrates the method via a detailed case study. Keywords and phrases: real time, formal methods, software engineering Introduction Quartz is a development method for verified real-time software, currently being devised by the Software Verification Research Centre. It aims to be ffl a formal program development method based on the `refinement' approach, ffl applicable to construction of concurrent systems with `hard' real-time constraints, and ffl capable of operating at a broad range of abstrac...

The safety aspects of computer-based systems as increasingly important as the use of software escalates because of its convenience and flexibility. However the complexity of even modestly sized programs is such that the elimination of errors with a high degree of confidence is extremely difficult. There are a number of approaches to enhancing safety in safety-critical control systems. These are surveyed and compared with particular emphasis on systems with software in the controlling system. A glossary of terms and an extensive bibliography for further reading are included.

s and compressed postscript files are available via http://svrc.it.uq.edu.au A Formal Model of Real-Time Program Compilation Karl Lermer and Colin Fidge Software Verification Research Centre, The University of Queensland, Queensland 4072, Australia. Abstract Program compilation can be formally defined as a sequence of equivalence-preserving transformations, or refinements, from high-level language programs to assembler code. Recent models also incorporate timing properties, but the resulting formalisms are intimidatingly complex. Here we take advantage of a new, simple model of realtime refinement, based on predicate transformer semantics, to present a straightforward compilation formalism that incorporates real-time constraints. Key words: Refinement calculus; Program compilation; Program semantics; Real-time programming; Program verification 1 Introduction Compiler correctness is a significant concern for developers of safety-critical systems. However, verifying an indus...

We show how compilation of high-level language programs to assembler code can be formally represented in the refinement calculus. New operators are introduced to widen the modelling language to encompass assembler code. A compilation strategy is then embodied as a set of derived refinement rules. 1 Introduction The idea of modelling program compilation as a formal development procedure has surfaced many times in the literature, but has presented a significant challenge. This has resulted in complex models, often using new, unfamiliar formalisms. Our goal is to develop a model of program compilation within the alreadyfamiliar refinement calculus. Normally the refinement calculus translates an abstract requirements specification into a programming language implementation, using guarded command language augmented with specification statements as the underlying modelling notation. In the context of compilation, however, our `specification' is a high-level language (HLL) program, an...