A formal design language for real-time systems with data  by Bradley, Steven et al.
Science of Computer Programming 40 (2001) 3{29
www.elsevier.nl/locate/scico
A formal design language for real-time systems with data
Steven Bradleya ; , William Hendersonb, David Kendallb,
Adrian Robsonb
aDepartment of Computer Science, Durham University, South Road, Durham DH1 3LE, UK
bSchool of Computing and Mathematics, University of Northumbria at Newcastle, Ellison Place,
Newcastle upon Tyne NE1 8ST, UK
Received 16 October 1998; received in revised form 31 August 2000; accepted 1 September 2000
Abstract
AORTA has been proposed as an implementable real-time language for concurrent systems
where event times, rather than values of data, are critical. In this paper we describe how to
use AORTA with a formal data model, allowing integration with a variety of model-based data
specication languages. Example denitions are given of time-critical systems with important
data attributes. A development technique and supporting software tools for AORTA are also
described. c© 2001 Elsevier Science B.V. All rights reserved.
1. Introduction
While many people argue that formal methods and mathematical proof are necessary
to provide the high levels of assurance required for critical systems of whatever sort, it
seems paradoxical that many of the reported applications of formal methods involve the
use of formal specication without formal renement or proof [49,16]. Similarly, one
of the oft-quoted triumphs of formalisation is in the area of presentation of language
syntax in Backus{Naur form (BNF). However, the principal use that is made of this
formalisation is not in the area of verication, but rather in that of code generation:
few people nowadays would consider writing a parser by hand, but would rather use
one of the standard parser generator tools, such as yacc [40], which are based on a
formal notation for syntax. In light of such examples, we suggest that the motivation
for providing a formalised notation must be examined carefully, especially where this
inuences language design.
Let us consider some of the benets which we claim might be gained from adopting
a formal approach to system development.
 Corresponding author.
E-mail address: s.p.bradley@durham.ac.uk (S. Bradley).
0167-6423/01/$ - see front matter c© 2001 Elsevier Science B.V. All rights reserved.
PII: S 0167 -6423(00)00025 -3
4 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
Discipline in specication. Simply by providing a relatively unambiguous and re-
strictive language for writing things down we enforce a discipline of precision during
early phases (of a ‘waterfall’ model) of system development. The necessity for being
prescriptive can lead to a more complete and accurate set of requirements; the eco-
nomic advantages of addressing problems early in development are well-known, and
are borne out by some case studies of the use of formal methods [16].
Better communication. A formally dened meaning for a notation provides the basis
for better communication about things expressed with that notation. Arguments over
how a particular shaped element in a diagram should be interpreted are seldom pro-
ductive, particularly if no denitive resolution can be found.
Evaluation before implementation. In xing the interpretation of notations at all
stages of development, evaluation of proposed solutions becomes much more of a
possibility. One such evaluation technique is to try to prove reassuring properties of
(say) a specication. Alternatively, if an executable, or at least exercisable, semantics
can be given, then people who are less expert in the inner workings of the formalism
can perform some evaluation.
Code generation. One view of a formal semantics is as a formal virtual machine.
As well as a basis for reasoning about systems, it can be viewed as a specication for
implementation generators, such as compilers. One example of how this has been done
in practice is the use of the formal semantics of the functional programming language
standard ML [44] as the basis for an ML compiler [7]. Depending on the nature of
the systems being constructed, and the properties which they might need to satisfy
(functional, timing, reliability) dierent techniques will be required to demonstrate that
a particular implementation or implementation method faithfully follows the dened
semantics.
Testing. An area which has received an increasing amount of attention is that of
automatic generation of test cases from formal specications [17,27,35,37,46,59,61].
It is widely considered to be good practice to develop test cases alongside develop-
ment: acceptance tests with specication of requirements; integration tests with system
specication; module tests with module design (the ‘vee’ model of development [24]).
Enough test cases and expected results are given so as to dene the required behaviour
and to provide enough coverage to justify some level of assurance that the system
behaves as it should. Formal specication can be thought of as a generalisation of
the notion of a test case by describing the required behaviour in all cases, not just a
few. It can also be used to describe the range of expected behaviours of the system
precisely, as might be implied by dening a set of black-box test cases with boundary
values. One-half of the function fullled by the provision of test cases (i.e. denition
of required behaviour) is then fullled by formal specication, and the other half (i.e.
gaining assurance of an implementation’s faithfulness) can either be given by deriving
test cases from the specication, and=or by the use of proof.
Proof. Finally, as is most often stated, a formal specication, along with a formal
model of an implementation can be used to increase assurance about system correctness
by allowing mathematical proof that the implementation model satises the requirement.
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 5
Some formal verication procedures such as model-checking [18] can be totally auto-
mated, and others partially automated, using mechanised proof assistants such as HOL
[32] and PVS [52]. One technique that is often proposed is that of renement, where a
series of transformations are carried out from the specication to the implementation,
each of which leads to a set of proof obligations or verication conditions, which must
be discharged to complete a proof that the implementation satises its specication.
Examining our ‘wish-list’ of things we would like to be able to do with a formal
method, we can now look at one particular area of application, that of real-time, and
discuss how these might bear on language design. Concurrent real-time systems might
be considered a prime target for formalisation for many reasons, such as
{ the inherent complexity of concurrent systems,
{ the diculty of performing repeatable tests,
{ the availability of automated verication procedures, and
{ the criticality of many real-time application areas.
One of the crucial choices in the design of a language is the level or levels of
abstraction that can be used. Languages which support renement operate over a range
of abstraction levels, from specication through to implementation modelling. However,
we argue that renement is not an appropriate development method for real-time for
two main reasons. Firstly, during the development of real-time systems, many choices
and compromises have to be made, particularly with respect to how time is to be
alloted to various tasks. The correctness of these decisions can only really be known
once the nal implementation is in place, even if some early evaluation takes place.
Small changes to the implementation of the system may have large eects on real-time
behaviour. This can require a much more iterative approach to development, making
veried step-wise renement a rather expensive approach, as many of the proofs will
have to be done several times as changes are made. Secondly, the proof techniques
which have been suggested for renement of untimed concurrent systems, such as
bisimulation [43], do not extend well to the timed setting, as the notion of equivalence
is too restrictive to allow useful development.
Considering these two together, we have chosen to use a xed abstraction level,
rather than a wide-spectrum language, and one which matches available implementation
techniques as closely as possible. This pays dividends for several of the benets listed
above: the language can be kept relatively small, easing communication; exercising the
semantics corresponds to an intuitive understanding of how the system will eventually
operate; code generation and verication can be simplied, as the virtual machine is
close to the level of the target; automatic proof via model-checking can be carried out
on some parts of the language. Clearly there are down-sides to this approach, in that a
dierent language must be used by specifying requirements as properties of the system,
and some expressivity is sacriced.
The structure of the paper is as follows: in Section 2 we deal with our choices of
abstraction for time, data, concurrency and communication, followed by the denition of
the syntax of our design language AORTA (Application Oriented Real Time Algebra).
6 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
AORTA was originally dened without a model for data [13], but we include a general
data model here. Section 4 gives the formal semantics of the language, and can be
omitted from an initial reading of the paper. Examples of the use of AORTA with
dierent instantiations of the data model are given in Section 5, whilst tools and the
development process are discussed in Section 6. Tools have been an important part
of the development of the language. A parallel might be drawn here with high-level
language programming: whilst writing high-level language programs and translating by
hand to machine language might lead to ‘better’ programs than coding at the machine
level directly, it would be unthinkable to use a modern programming language without
a compiler. Similarly, although a pure formalist might argue that using formal methods
without machine support should lead to ‘better’ systems, in practice their advice is
unlikely to be heeded by the working programmer. Finally, Section 7 outlines other
work in the area, and draws some conclusions. This paper expands and revisits the
material from an earlier paper [13], which was presented at FASE ’98 [5].
2. Model abstractions
In constructing a semantic model for a language to be used with concurrent real-
time systems, attention has to be paid to the modelling of time, data, concurrency and
communication. These are dealt with in turn in the following subsections.
2.1. Time model
For a real-time system, the choice of time model is clearly going to be an important
one. The main choices lie between discrete or dense time values (exemplied by the
natural numbers and the positive real numbers respectively), and between an interleav-
ing or true concurrency model. A discrete time model is characterised by the notion
of a ‘next point’ in time, and has the advantage that it is easier to reason with, as all
bounded sets are nite. It can also be argued that most computer systems are clocked,
and hence are discrete in their nature. However, if the time quantum is chosen to be
that of a typical clock cycle, then sets that are reasonably bounded may be extremely
large. Verication techniques that rely on the niteness of bounded sets of time val-
ues tend to have algorithmic complexities heavily dependent on the size of such sets,
and so become intractable for small time quanta. Also, choosing an abstraction based
on a processor clock rate relies on xing this rate before specication begins, rather
than during implementation, where it would more naturally be chosen. An analogous
example would be in reasoning about xed-length integers: most representations can
only model a nite number, so verication by exhaustive testing or case analysis is a
possibility. However, in practice the number of numbers is so large that most algo-
rithms will take much too long, and the analysis also depends on the choice of memory
allocation for integers, which would be better left until an implementation stage.
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 7
Since the availability of abstraction techniques for dense time which allow automatic
verication via model-checking [2], the arguments in favour of discrete over dense time
models have been somewhat diminished. However, there is also a choice to be made
between an interleaving model of time, in which it is impossible for two events to co-
incide, and a true concurrency model, where such behaviour is allowed. For distributed
systems it might well be argued that a true concurrency model is more appropriate
in general, but if we restrict ourselves to modelling multitasking concurrency then an
interleaving model of time can be justied. For these reasons we have chosen to use
an interleaving model of time, and to allow discrete or dense time values.
2.2. Data model
Our data model should allow us to specify and dene functional behaviour of a
purely sequential process, as the model of concurrency will be given separately (see
Section 2.3). There are two main types of functional specication language: model-
based (such as Z [50], VDM-SL [39] and B [1]) and algebraic (such as ACT ONE
[38] and OBJ [31]). In a model-based language, an abstract formal model of the data
in the system is built, and operations are specied and described as transformations
of that model. An algebraic approach does not require a complete model to be built,
and operations are specied only in terms of each other. These two approaches are not
entirely incompatible, as model-based specications can be written in an algebraic style,
and models can be built into an algebraic specication, but for the purposes of this
paper the distinction is important, and we have chosen to use model-based languages.
There are no pressing reasons for choosing one model-based language over another
in our model, and in particular this work is equally applicable to Z, VDM, B, and
formally dened imperative languages. Rather than choosing one of these languages
arbitrarily, a more general model is used. Bowen and Hinchey [9] make the point that in
industrial application of formal methods it is important to t in with existing working
practices. This point can be extended to the integration of formal methods, where
integration with a variety of formal methods has the advantage that as little as possible
extra eort has to be made in learning new notations. Therefore we feel that the loose
coupling of AORTA with model-based specication languages, rather than a particular
language, is a strong point. The specics of how VDM can be used with AORTA
are given with an example in Section 5.2, and an example with a simple imperative
programming language is described in Section 5.1. The data model could also be used
as an interface to informal development methods, with structured English specications
of the data state and operations on it. Note that code fragments can be separately
associated with these formal descriptions, and are used during code generation (see
Section 6).
We now describe a fairly general framework for the description of model-based
languages, and explain our assumptions. The basic model is that each process has a set
of possible states, States, over which the variable  may range. The state  includes
evaluations for a set of state variables. Each variable A has a set of values over which
8 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
it may range, given by values(A). Variables can be read using a projection :A, and
may be updated using the standard notation [A= v] where A is a variable name and
v 2 values(A). Operations are represented using a three-place relation on states, so an
operation  which can act on state  to give state 0 is written
 )0:
The operation which changes nothing is then the identity relation on states , where
 ):
We write () for the set of states 0 such that  )0, and insist that () is
non-empty for every . As well as accessing individual variables and performing op-
erations on states, decisions have to be made based on the data state, which requires
the denition of predicates on states, written p(). Finally, we will need two distin-
guished state variables: A, with values(A)=None= f?g, and T, with values(T) as
the time domain in use (positive reals or natural numbers).
2.3. Concurrency and communication model
In choosing the concurrency and communication models, the relationship between
the semantics of the language and available implementation techniques comes to the
fore. For a successful model, it must be possible to derive an implementation, and also
to give a justication that the time behaviour in particular is faithful to the semantics.
In order to do this we have chosen to make the number of sequential processes for any
given system static, making the provision of timing guarantees by scheduling analysis
much more straightforward. These processes are also persistent (i.e. they do not ter-
minate), as they may carry control state information. Processes can communicate via
statically dened communication channels with a synchronous (blocking) communica-
tion mechanism. This is the only way for processes to share information; in particular,
processes do not have access to each other’s data state. Access to the environment is
via named communication channels.
3. Syntax
In this section we introduce the syntax of our language AORTA. We have xed on
a level of abstraction which we claim is suitable for designing concurrent real-time
systems, and we aim to be able to simulate, verify, and generate implementations for
our designs. On a pragmatic note, we have xed the concrete syntax of the language
so that it is expressible in pure ASCII, in order to make the provision of tool support
easier, and to give the language more of a programming feel, rather than a mathe-
matical one. In line with our model of concurrency, a system is dened as a static
parallel composition of sequential processes, linked by explicit communication chan-
nels. In its description of processes, AORTA inherits some notation from CCS [43],
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 9
but other ideas, such as communication channels, are borrowed from elsewhere. Within
a (sequential) process, actions can be oered on named gates, which must be matched
by a communicating partner before the process can proceed. A choice may be oered
between a number of actions: as in CCS action prex and choice (sometimes called
summation) are represented by  and + respectively, with 0 for the null process which
oers no actions. A process can oer communication over several gates, and by using
action choice the control ow will depend on which communication is available rst,
like a select statement in an Ada rendezvous. Recursion can be written using the same
equational format as used in CCS (e.g. A = a.A), but all recursion must be guarded
(i.e. all process names must appear inside an action prex). Data can be associated
with communication by either sending a value x on gate a, written a!x or by updating
variable y to have the received value, written a?y. The other constructs do not have
analogues in CCS, and are concerned with including time information into the process
description.
There are two constructs which are used to introduce time, and each of these has
a deterministic and nondeterministic form. The rst construct is a delay which causes
the process to pause for the amount of time specied, during which time no actions
are oered { time-consuming operations such as computation are represented in this
way. As precise times are not always known for an implementation, the delay may
be specied with an upper and lower bound, rather than a precise gure. This lack
of precision may be because the timing forms an estimate or budget for an as yet
unimplemented function, or because the implementation itself behaves unpredictably,
due to data dependency, cache, processor instruction pipelining or scheduler behaviour.
A process which delays for precisely t time units before behaving like S is written
[t]S, and if the delay is bounded by times t1 and t2 the process is written [t1,t2]S.
A data operation called Transform can be associated with this computation by writing
[t1,t2{Transform}]S. The second construct is a time-out extension to action choice,
so that if none of the branches of the choice are taken up within the given time, control
is transferred to another branch. Again, depending on how the time-out is implemented
a precise gure for the time at which control is transferred may not be available, so an
interval of possibilities can be given instead. A process S which times out to process
T if no communication happens within time t is written S [t> T, and if the time is
bounded by t1 and t2 it is written S [t1,t2> T. A data-dependent branch is written
P++Q, and is similar to the nondeterministic choice P uQ of CSP [36] if the language is
interpreted without data. Information about how data aects the choice is given either by
attaching a predicate to each of the branches, writing P1{p1} ++ P2{p1} ++ P3{p3},
in which case branch Pn can be taken if condition pn is true, or if there are only two
branches, a predicate can be attached to the operator, written P ++{c} Q, in which
case P will be chosen unless c is true, when Q is taken.
In summary, a sequential process may be constructed from action prexes, action
choices, time delays, time-outs over choices, data-dependent choices and guarded re-
cursion. The syntax is summarised in Fig. 1. Each process has a behaviour in time
which describes which actions it is prepared to engage in, or in other words, at which
10 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
Fig. 1. Summary of AORTA sequential process syntax.
of its gates it is prepared to engage in communication. Obviously, for communication
to take place there has to be more than one process in the system { the composition
of a system from its component processes is kept separate from process denition in
AORTA.
Parallel composition of processes in AORTA is dened statically, by listing the
names of the processes, with a vertical bar (|) as a separator. Internal communication
channels are also dened statically by giving the connection set, which lists pairs
of gates of processes, along with bounds on communication delays associated with
the connection. Each gate may be connected only once, either to another process or
to a point of interface with the environment known as an external connection. The
parallel composition and connectivity of a system is easily represented graphically: see
Section 5 for examples. The next section deals with the formalisation of the syntax
and semantics of the language, but this can be omitted upon rst reading.
4. Formalisation of AORTA
In this section we introduce the formal abstract syntax of the language (Section 4.1)
and then the formal semantics of the language (Section 4.2).
4.1. Formalised syntax
The semantics of the language is given in terms of an abstract formalised version
of the syntax, which we describe here. Translation of the concrete syntax as provided
in Section 3 into this abstract syntax is mostly direct; any subtleties are discussed for
each construct in turn.
The full abstract syntax for AORTA terms with data information is given by
S ::=
P
i2I
ai?Ai!Bi:Si
j [tfg]S
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 11
jP
i2I
ai?Ai!Bi:Si Bt S
j [t1; t2fg]S
jP
i2I
ai?Ai!Bi:Si Bt2t1 S
jL
i2I
Sifpig
j X
where t, t1 and t2 (t1<t2) are time values taken from the time domain (either the
positive reals or the naturals), Ai and Bi are state variable names,  is a state transfor-
mation function, the pi are predicates on the state, and X is taken from a set of process
names used for recursion. A system expression is written as a product of processes
with a connection set K :
P =
Q
i2I
SihKi
In the original abstract syntax, communication (and its extensions to choice and time-
out) uses only gate names, reecting the pure synchronisation model of the semantics
[11]. Extending communication to include value-passing can be achieved by associat-
ing a dierent gate name with each data value to be oered or received (see [43]).
While attractive from a theoretical point of view, as this requires only a little syntactic
sugaring, it does raise some practical diculties in implementation. Also, the abstract
specication of data state transformation via computation is dicult to incorporate into
this model.
The approach adopted here is more akin to that adopted by LOTOS, with its inclusion
of the ACT ONE data language for value-passing [38]. Variable names can be attached
to communications as input or output parameters, using a question mark for input and
an exclamation mark for output. If a value is to be read from gate a into variable
A, this is written a?A:S, and if the value held in the variable B is to be output on
gate a, this is written a!B:S. In the general case a gate may have input and output,
written a?A!B:S, so the abstract syntax form for choice is
P
i2I ai?Ai!Bi:Si. If no
data is associated with a communication then the input and output variables are both
given as the distinguished variable A (which always has value ?), so that a:S is an
abbreviation for a?A!A:S. Similarly, a?B:S is an abbreviation for a?B!A:S and a!B:S
is an abbreviation for a?A!B:S. The variable T is used to represent a perfect global
clock, and so cannot be used as a communication variable. Communications within a
time-out are extended in exactly the same way as for choice, giving the abstract syntax
forms
P
i2I ai?Ai!Bi:SiB
t2
t1 S and
P
i2I ai?Ai!Bi:SiB
t S
The translation of computations is direct from the syntax. Some computations will
require access to a real time clock, for time-stamping or time-averaging, so a special
state variable T is used to represent a perfect local clock. In practice, a physical
12 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
clock will not be perfect, as it may run at the wrong speed, and may have its values
discretised. This is modelled by dening a physical clock function on the perfect clock,
which gives a set of values related to the perfect clock within some level of accuracy.
During computations, time can only be accessed via the physical clock function.
In order to give the conditions under which each branch of the choice is to be
taken, a predicate on the state is attached to each using braces
L
i2I Sifpig. To trans-
late the concrete syntax form with a predicate annotating the ++ operator, the right-
hand side term is annotated (in the abstract syntax) with the original predicate, and
the left-hand side with its negation. Sometimes a degree of nondeterminism is help-
ful, so the predicates are allowed to overlap (i.e. there can be j and k such that
p−1j (true)\p−1k (true) is nonempty). There must, however, always be one predicate
which is true (i.e. 8:Wi2I pi()), to ensure that at least one branch is possible.
4.2. Formal semantics
The semantics dened in [11] gives a stratied set of operational transition rules for
dening a transition relation between AORTA terms without data. A similar approach
is adopted here, except that the transition system is enriched with the data state. An
interleaving semantic model is used, with time transitions represented by
(t)! and action
transitions (i.e. internal or external communications) represented by a!. A transition
system stratication [33] is a technique whereby transition rules with negative premises
can be meaningfully included. By evaluating the transition system in layers, or strata,
it can be shown that no transition’s validity depends on its own negation, as circular-
ities cannot be present. In our system, the lowest stratum contains transitions between
sequential expressions, the second contains all internal system communications, and the
third (and highest) contains system time transitions and external communications. By
organising the transition system in this way, the negative premise for the system time
delay rule given below can be consistently incorporated.
To dene the rst stratum, we have to consider an important subset of sequential
expressions, known as the regular expressions, on which the semantics is dened.
These expressions have no nondeterminism or recursion before the next action, and are
characterised by the function dened in Fig. 2. A regular sequential expression is anno-
tated with a data state , written S<=. The set of sequential expression transition rules
(which are dened only on regular expressions) is given in Fig. 3. To simplify the nota-
tion, we abbreviate the updating of the perfect clock by dening +t 4[T=:T+t]
which changes the state only by adding t to the perfect clock variable. The semantics of
data-dependent choice is not given by transition rules, but by the denition of the Poss
function, which denes the set of possible regularisations of a sequential expression.
Any AORTA term which starts with
L
i2I Si is not regular, so has to be regularised
when an action transition takes place. Without any data state information, the choice
between branches is nondeterministic, but by attaching predicates to the branches, a
data dependent choice can be made. The denition of the Poss function is given in
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 13
Fig. 2. Denition of regular expressions.
Fig. 3. Transition rules for sequential expressions with data.
Fig. 4. Note that when evaluating possible regularisations of a computation (including
resolution of time nondeterminism), the regularisations following the computation must
take note of the change to the state aected by the operation. Also, the condition on
predicates 8:Wi2I pi() ensures that Poss(S) will always be nonempty. The delays
14 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
Fig. 4. Denition of possible regularisations.
Fig. 5. System transition rules.
function corresponds to the bounds on communication delay for a given gate, as dened
in the connection set.
Having given the semantics for sequential expressions, we can now dene the se-
mantics of system expressions. There are three rules, for internal communication, ex-
ternal communication, and time progress. These rules are given in Fig. 5. The negative
premise

6! is used here to enforce the maximum progress principle, and a simple
priority on communication { internal communication is preferred to external commu-
nication. A more sophisticated prioritisation can be achieved by making each commu-
nication dependent on all higher priority communications being impossible. To retain
the consistency of the transition system, a more complex stratication must be used,
with a dierent stratum for each priority level. The lowest priority level will always
be the for time delay, so as to enforce the maximum progress principle. Within the
rule for time progress, the function Age is used to represent the a process after a given
amount of time has passed. More formally, we dene
Age(E; t) = E0 , E (t)!E0
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 15
In [13] a direct syntactic interpretation of Age is given, along with a theorem relating
it to the denition just given, which indirectly demonstrates that Age is well-dened
(i.e. it is a function); this result holds in the language with data provided that gates
which are connected have matching types (including the trivial type None) for any
communicated values.
5. Examples
The general data model dened in Section 2.2 allows us to use a range of instantia-
tions. Two examples are given in this section, the rst with a formally dened simple
imperative language (Section 5.1), and the second with the data specication language
VDM (Section 5.2). These illustrate the use of the concurrency, communication and
timing constructs of AORTA, and also the integration of data information within the
formal framework.
5.1. An example with a simple imperative language
In this section we outline an AORTA design for a reasonably well-known time-
driven protocol: the alternating bit protocol [6]. This protocol can be written using
AORTA without data, and formed the basis of an earlier paper on verifying properties
of AORTA designs [14]. Here we dene a fairly minimal imperative language, which
works only with boolean and integer data, and show how it can be used to describe the
protocol. Firstly, however, we need to dene the imperative language, and show how it
ts into the model of Section 2.2. The set of states for a process is dened by declaring
the variables which can be used along with their types. Data operations (program
fragments) transform the state, and are dened as mappings from environments to
environments; an environment is a mapping from variable names to values.
The syntax of the program fragments is
prog = skip
j id := expr
j prog ; prog
j if expr then prog else prog endif
j while expr do prog enddo
where expressions are dened by the usual integer arithmetic and boolean operations on
constants and variables. The semantics of evaluation of expressions in an environment
is dened as a function evaluate from an environment-expression pair to a value, but
is not dened here for brevity. The semantics of program execution is dened as a
function execute, which takes a variable environment and a program and returns an
environment, as given in Fig. 6.
Fig. 7 shows how to encode the sender and replier of the alternating bit protocol
in AORTA with an imperative language. Beginning at Send, a message is accepted
16 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
Fig. 6. Execution semantics for a simple imperative language.
Fig. 7. Send and Reply using the alternating bit protocol in AORTA.
from the environment, and the tag is set to 0. The data tag is attached to the least
signicant bit; the rest of the data is shifted up by one bit, achieved by multiplying
by 2. The tagged data is then sent, and then (in the Sending part) the process waits
for an acknowledgement. Any acknowledgements with the wrong tag are ignored, and
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 17
Fig. 8. Connectivity of the alternating bit system.
Fig. 9. Concrete Syntax for connection set of simple alternating bit system.
if no acknowledgement is received within about 2 s then the data is re-sent, using a
time-out operator. Once a correct acknowledgement has been received, another mes-
sage can be accepted from the environment, which is then sent out with the alternate
tag.
On the receiving end, Reply accepts tagged data, and, as long as it is tagged by 0,
it delivers it after removing the tag (dividing by 2). A tagged acknowledgment is then
sent, and the process waits for delivery of the next data item. If any more copies of the
old data item (with the old tag) are sent, a new acknowledgment is sent. Fig. 8 shows a
simple connection of these two processes, and the textual version of the connection set,
which includes information about time bounds on communication (the delays function
of the formal semantics), is shown in Fig. 9. More complex models of the transmission
and acknowledgement buers (with e.g. possible failures) can be built, as described in
our earlier paper [14].
5.2. An example using VDM
The chemical plant controller example of [10] is given as an example of how data
specications can be built into AORTA. VDM is used as the specication language
here, although Z can equally well be used. Again, before giving the example, we
need to show how to interpret VDM in our data model. Addressing the data model
assumptions given in Section 2.2 in turn, we rst have to consider how the set of
possible states of a process can be dened. In VDM this can be done by dening a
composite type, including elds for each of the state variables of the process (including
A and T). Invariants on the datatype can be used to restrict the state space. The set
18 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
Fig. 10. Connectivity of the chemical plant controller.
of values for each state variable is dened by its type. Selectors are used to provide
projections for individual variables, and the  function gives an easy mechanism for
updating
[A = v] = (; A 7! v)
Operations are simply VDM operations which take no argument and return no result,
but have the process state as a writable external, and no (i.e. true) precondition. The
identity function on states  is simply the operation
ext wr s :States
post s = (s
Finally, predicates on states are dened simply as boolean-valued functions on states
(i.e. of type States! B).
To illustrate the use of VDM we introduce a semi-realistic example, based on a
chemical plant controller. The controller has to monitor and log temperatures within a
reaction vessel, and respond to dangerously high temperatures by sounding an alarm.
Two rates of sampling must be provided, to be selected by the plant operator, each of
which has its own output format for a logging function. In order to ensure safety of
the plant, the temperature must be sampled at least every two seconds, and if a reading
lies outside the safety threshold the alarm must be sounded.
The design presented here involves two processes, one of which handles the actual
conversion of the data, while the other is used to log the data, and to control the rate
at which data is sampled. There are two internal connections, which are used to pass
the converted data value, and to indicate a change in the required sampling rate. The
graphical representation of this system is shown in Fig. 10.
The rst of the two processes, Convert, accepts raw data on the gate in, and
compares it with a threshold value. Depending on this comparison, the data conversion
either takes place straight away, or is preceded by a warning signal. During the actual
conversion, which takes place in the Convert2 part of the process, the calculation
is done, and the result oered at the out gate, for connection to the Datalogger
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 19
process. This output is timed out, to ensure that fresh data is always available, and
that dangerously high input values are noticed within a reasonable time. As well as
accepting data input, the Convert process allows the conversion mode to be changed,
which in this case involves a signal to Datalogger, and the recalculation of a lookup
table. Again, if no communication is available with the Datalogger process within
about 1:5 s, control is returned to the main sampling loop. Changing mode during
conversion is excluded by the choice (+) between in and mode. Without any data
annotations, the Convert process looks as follows:
Convert = in.(Convert2 ++ warning.Convert2)
+
mode.(changespeed.[0.3,0.4]Convert)[1.5,1.505>Convert
Convert2 = [0.001,0.004]
(out.Convert)[1.5,1.505>Convert
The Datalogger process is fairly simple. Data is accepted on the getdata gate, which
is then stored (requiring a computation delay). The normal sampling loop is driven by
a time-out, which regularly requests new data. The period of this loop depends on the
current mode of operation (it is either about 1:0 s or about 0:25 s), and this mode of
operation can be changed by a speed message from the Convert process. As well as
accepting mode change commands, the Datalogger process accepts requests for the
downloading of the current data set to an external machine. In this case, the packet is
constructed, and sent out via the senddata gate. This may take a considerable period
of time, depending on the size of the packet and the nature of the communication
link, and is represented by the communication delay associated with senddata in the
connection set. Having dened the individual processes, the full system is dened by
the processes which run in parallel, along with connections, both internal and external
(see Fig. 10).
To construct the set of (data) states for the Convert process, we use ve state
variables, including the perfect clock T and the dummy A . There are two gates of the
Convert process which carry data, namely in and out: the state variables associated
with these gates are input :Rawdata and output :Temp respectively. A lookup table
is used for the conversion, and this is stored in the state variable table :Lookuptable.
With the time domain represented as the type Time, the composite type representing
the state of Convert is given by
Convert :: input :Rawdata
output :Temp
table :Lookuptable
T :Time
A :None
Within Convert, there are two computations: the rst converts raw data to a temper-
ature, using a lookup table, and the second recalculates the lookup table for a dierent
20 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
conversion mode. Assuming that we have the function
evaluate :RawdataLookuptable!Temp
evaluate (x; l)4 value for x in the table l
then the conversion operation is dened as
DOCONVERSION
ext wr conv :Convert
post conv= ((conv; output 7! evaluate((input; (table)),
Changing conversion mode depends on a function which recalculates the lookup
table:
newtable :Lookuptable!Lookuptable
newtable(l)4 new lookup table based on old value l
The operation for changing mode is then dened as
CHANGEMODE
ext wr conv :Convert
post conv= ((conv; table 7! newtable((table))
To specify the behaviour of data choice, a predicate on the state must be attached to
each branch of the choice. In the Convert process, the behaviour depends on whether
the raw data value exceeds a threshold value; if so a warning signal must be sent. The
predicates which we are interested in are
convertdatahigh :Convert!B
convertdatahigh (conv)4 input(conv)>threshold
and
convertdataok :Convert!B
convertdataok(conv)4 input(conv)6 threshold
which assume that we have dened a total order > on Rawdata and that the value
threshold :Rawdata is dened. Attaching these new data constructs to the Convert
process gives the denition
Convert = in?input.
(Convert2 {convertdataok} ++
warning.Convert2 {convertdatahigh})
+
mode.
(changespeed.
[0.3,0.4 {CHANGEMODE}]Convert)
[1.5,1.505>Convert
Convert2 = [0.001,0.004 {DOCONVERSION}]
(out!output.Convert)[1.5,1.505>Convert
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 21
The Datalogger process has its own set of states, dened by the composite type
Datalogger :: input : Temp
packet : Loggerpacket
history : (TempTime)
T : Time
T : Time
A : None
Two of the variables, input and packet are used to carry data for communication on
gates getdata and senddata, while history is used to record data with time stamps.
The variable T is used for the physical clock, as well as the usual T and A variables.
Two computations are associated with Datalogger, which correspond to adding a data
item (with time stamp) to the store, and making up a data packet for downloading. To
get the time stamp value from the clock, we require the function
passclocks :Time!Time-set
passclocks(t)4 possible physical clock values at time t
The data which is input from the getdata port is added to history with the operation
ADDDATA
ext wr mk-Datalogger(h; i; p; t1; t2; a) :Datalogger
Post t12possclocks(t2)^ h= cons((t1; i); (h)^ t2=
(
t2
Finally, using the function
makepacket : (TimeTemp)!Loggerpacket
makepacket(h)4 formatted text version of h
we can dene the operation
MAKEPACKET
ext wr mk-Datalogger(i; p; h; t1; t2; a) : Datalogger
post p=makepacket(
(
h)^ h= []^ t2=
(
t2
There are no data choices in the Datalogger process, so the full version of the process,
including data information, is
Datalogger = getdata?input.[0.01,0.015 {ADDDATA}]
(speed.Datalogger2
+
download.[0.5,1.0 {MAKEPACKET}]
senddata!packet.Datalogger)
[1.00,1.005>Datalogger
Datalogger2 = getdata?input.[0.01,0.015 {ADDDATA}]
(speed.Datalogger
+
download.[0.5,1.0 {MAKEPACKET}]
22 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
senddata!packet.Datalogger2)
[0.25,0.255>Datalogger2
Having dened the individual processes, the system composition is given as before,
using the | operator and a connection set, but with the addition of initial data states
for each of the processes within the parallel composition.
6. Development process and tools
A notation without supporting methods and tools is dicult to evaluate and un-
likely to nd any use. In this section we describe how systems can be developed with
AORTA, and the tools that have been built to support this process. It is possible to
apply dierent levels of rigour to the development of systems, so most steps can be
achieved in a variety of ways.
An important notion for the tool support of development is that of an annotation.
Annotations can be attached to every syntactic construct, both at system and process
level, and can provide dierent types of information, including
{ graphical layout
{ associated code (in C)
{ data specication (formal)
{ documentation=comment
{ state labelling (for use in graph generation)
6.1. Specication of requirements
The specication of requirements can be developed either formally, perhaps using
a graphical approach [24], or informally. A formal model may consist purely of a
model of the environment (as a timed automaton [3]), with failure states that we
wish to check for reachability, or as a combination of a timed automaton model, with
properties expressed in a timed temporal logic such as TCTL [2]. Examples of the
kind of properties we can express include
Within 5 s of action A occurring, action B will occur, unless action C occurs within
2 s.
An informal specication could adopt either of these approaches, but without the for-
malisation of the environment model or the required properties.
6.2. Design
Using AORTA, the design is formally dened: the concurrency, communication and
timing properties of the system are given, without the detail of how data moves through
the system, or what data transformations take place. It may seem strange that timing
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 23
Fig. 11. Screen shot of simulator.
information should be given about operations without specifying exactly what is to be
performed, but these times are given as bounds, and are only estimates (or budgets)
at this stage; later on we may choose to verify that these bounds are satised by the
nal implementation.
At this early stage we are in a position to evaluate our design in at least three ways.
Firstly, the design can be reviewed by other designers, and we can take advantage of
the unambiguous nature of the design. Secondly, and more formally, the design can be
exercised in terms of its dened semantics. This can be achieved by stepping thorough
possible behaviours of the system using a simulator which shows graphically which
communications (internal and external) are available. Fig. 11 shows the simulator in
operation; this kind of simulation is similar to that provided by tools such as the con-
currency workbench [20] for CCS [42]. Finally, a proof that the design satises any
formally dened timing requirements may be attempted. This level of formalisation
may be delayed until the development has matured, if it is reached at all. A timed
automaton [3] can be generated automatically from the AORTA design [14] and
then automatic model-checking carried out, using the Kronos [63] model-checker. The
model-checking procedure is extremely expensive in terms of space and time, and in-
evitably suers from the state-explosion problem, but some useful practical results have
been achieved [14].
24 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
6.3. Detailed design
Having achieved the timing and synchronisation skeleton of the design, further esh
is then added to how data is handled within the system. For some systems it may be
considered that it is not worthwhile formalising this part of the process for whatever
reason. It may be that the data transformations are well-established, and that the task
in hand is essentially re-engineering a system to formalise concurrency, communication
and timing aspects. However, the benets of formalisation can be carried over into this
area of design. Indeed, the formal specication, development and verication of data
properties of systems using languages such as Z [50], VDM [38] and B [1] is very
widely discussed in the literature. Using the semantics dened in this paper, which is
supported by simulation, an early evaluation of the detailed design of the system can be
performed, as long as the chosen data language admits simulation. Obvious candidates
for this approach are simple formal languages such as the one dened in Section 5.1,
which has a simple semantics which can be (and has been) animated for simulation
purposes. For ‘heavier’ languages such as VDM, the formal semantics is complex, but
can be supported by software tools, such as the IFAD VDM-Toolbox [26]. Integrating
such tool support with existing support for AORTA is an area under study. The formal
data model described in Section 2.2 forms the basis of a module specication for tool
support of data properties within a design. The implementation of this module depends
on the language and level of formalisation that are chosen.
6.4. Implementation
The detailed design of the system will lead to code for the data parts of the system,
by whatever means and level of formalisation is deemed appropriate. Formal derivation
with proof is one alternative; code generation may be possible; traditional methods may
be the most appropriate. Code must be provided for
{ data transformations,
{ branch conditions for data choice,
{ data values to be sent, and variables to receive during communication,
{ drivers for externally connected gates
as C code annotations (see another paper [12] for more details). These correspond
directly to the data model described in Section 2.2 apart from drivers for externally
connected gates, which are features purely of the implementation. Code for each of the
processes can then be generated automatically, with the C code annotations included
in the appropriate place. Each process has a control ow graph, which is used during
code generation. This is the same graph that is used to generate timed automata for
model checking, except that in the timed automaton model the parallel composition
of the processes has to be made explicit. After generating code, the implementation
processes are executed concurrently using a dedicated multi-tasking kernel which also
provides support for communication and time-out [10]. Alternatively, we have added
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 25
support for AORTA-style communication and time-out to the VxWorks [62] real-time
executive to provide a more familiar and ‘trusted’ implementation.
Having derived an implementation, there is further work to do to verify that the
time behaviour of the system conforms to the AORTA design. This is achieved by a
combination of code-timing analysis (using techniques such as those suggested by Park
and Shaw [47,48]) and scheduling analysis of the kernel [10] to give assurance that time
bounds specied in the design really are achieved. By choosing a simple scheduling
model such as round-robin, scheduling analysis is relatively easy to automate, both in
terms of diculty of implementation and algorithmic complexity. Work is in progress
on the use of dynamic, priority-based scheduling, which requires more analysis, but
may yield more ecient systems, and less conservative estimates.
We suggested earlier that formal renement might not be the most appropriate de-
velopment technique for real-time systems, as it is rooted in a waterfall model of
development. One of the advantages of our approach is that re-working is relatively
easy, and that formalisation of the development can be carried out iteratively if re-
quired. Also, because the ‘informal’ parts of the development, such as the C code
for computations, are attached to the design, and code generation takes place di-
rectly from the design, the design (as a document) always reects the implementa-
tion. This is in contrast to the situation where only the specication is formalised:
as the system is maintained there is a tendency for the specication to become less
and less representative of what actually happens. Such problems do not only occur
with formal specication. For CASE tools which allow generation of code stubs with
the intention that they are amended during detailed design and implementation, there
is also a tendency for implementation to drift away from the specication and=or
design.
7. Conclusions
AORTA is a timed process algebra-based design language, so comparison might be
made with other timed process algebras; however so many timed process algebras have
been dened that even a cursory list of references would be too long for the scope of
this paper, so the reader is referred elsewhere [15], and direct references given only
for (a version of) timed CCS [56], timed CSP [51], and (a version of) timed LOTOS
[8]. At this level the main distinctive feature of AORTA is the ability to generate
implementations about which timing guarantees can be made.
This paper has shown how it is possible to build a formal data model into AORTA
and how tool support for simulation and implementation generation techniques and
tools can be extended. Further work needs to be done on the use of model-checking
techniques in association with data properties. One possible approach is to provide a
(veried) renement of the data associated with the state spaces, so that required data
properties still hold, but that the state space is nite. Once the state space has been re-
duced to a nite size, data properties can be represented as propositions labelling timed
26 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
graphs, so that model-checking of properties like ‘The alarm will come on within 5 s of
receiving a temperature reading above the safe limit’ becomes possible. The abstraction
to the trivial state space where all data information is ignored has been shown to be
equivalent to the original semantics [15], so we can at least still perform simple model-
checking with assurance of correctness. The most obvious approaches are to provide
data abstraction mechanisms which will allow automatic model-checking [19,23], or to
combine machine-assisted proof with model-checking [34].
Other research has covered some of the aspects of this work. MOSCA provides
a formalism combining CCS, VDM and time, but without providing implementation
techniques [55] whilst RAISE [54] and LOTOS [45,60] provide data modelling in
concurrent systems, with some implementation techniques, but no time. Work has also
been done with timed extensions to languages such as LOTOS [8] and Promela [58],
but without the provision of implementation techniques. Corbett [22] provides a means
of formally verifying the time behaviour of Ada multitasking programs, essentially
giving a formal semantics, but only to part of the language.
There has recently been increased interest in the area of integration of formal meth-
ods, with whole conferences devoted to the subject [4]. One style of approach involves
introducing time into data specication languages such as Z [21,29,30,41,53], with the
closest work to ours being that by Fidge et al. [28], which allows the timed rene-
ment of concurrent systems, including reasoning about implementations by embedding
scheduling theory into the Z model. This approach can only be described as ‘dierent’
to ours, with the relative merits and demerits associated with the two being the usual
ones associated with renement as opposed to code generation techniques. Also, most
of their work has been associated with providing the proof theory (as would be ex-
pected for a renement calculus), whereas our work has focussed on implementation
aspects. Work that is closest to ours concerns the integration of model-based specica-
tion languages into (timed) process algebras. Mahony and Dong [40] integrate object-Z
and timed CSP [51] into TCOZ (timed communicating object Z), whilst Treharne and
Schneider [57] combine B [1] with CSP [36]. Mota and Sampaio [44] discuss model-
checking of systems dened in an integrated language of Z and CSP. Existing work
on generating test cases from timed formal specications shows other areas that can be
assisted by formalisation [17]; we are investigating how to integrate such techniques
into a framework such as is provided by AORTA and its supporting tools.
In summary, then, this paper has shown how a fairly general formal data model
can be integrated syntactically and semantically into AORTA. Tool support for simu-
lation and code generation has been discussed, and examples of using AORTA with
an imperative language and with VDM have been included. Proof support for data
properties needs further work, so some may raise the question as to what purpose a
formal semantics serves where no proof support is to be oered. In our introduction,
we argued that formal methods and good for more than just proof, and we feel that
this has been borne out by the provision of useful simulation tools, and also a clear
statement of the necessary assumptions about the data model, which have formed the
basis of tool support for the data-enriched language.
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 27
References
[1] J.-R. Abrial, The B-Book, Cambridge University Press, Cambridge, 1996.
[2] R. Alur, C. Courcoubetis, D. Dill, Model-checking for real-time systems, IEEE 5th Annual Symp. On
Logic In Computer Science, Philadelphia, June 1990, pp. 414{425.
[3] R. Alur, D. Dill, Automata for modeling real-time systems, 17th Internat. Colloquium on Automata,
Languages and Programming (ICALP 90), Lecture Notes in Computer Science, vol. 443, Springer,
Berlin, 1990.
[4] K. Araki, A. Galloway, K. Taguchi (Eds.), 1st Internat. Conf. on Integrated Formal Methods, Springer,
Berlin, June 1999.
[5] E. Astesiano (Ed.), in: Fundamental Approaches to Software Engineering (FASE 98), Lecture Notes in
Computer Science, vol. 1382, Springer, Berlin, 1998.
[6] K.A. Bartlett, R.A. Scantlebury, P.T. Wilkinson, A note on reliable full-duplex transmission over
half-duplex links, Comm. ACM 12 (5) (1969) 260{261.
[7] L. Birkedal, N. Rothwell, M. Tofte, D.N. Turner, The ML kit (version 1). Tech. Report DIKU-Report
93=14, Department of Computer Science, University of Copenhagen, Universitetsparken 1, DK-2100
Copenhagen, 1993.
[8] T. Bolognesi, F. Lucidi, LOTOS-like process algebras with urgent or timed interactions, in: K.R. Parker,
G.A. Rose (Eds.), Formal Description Techniques IV, FORTE ’91, Sydney, Elsevier, Amsterdam,
November 1991,, pp. 249{264.
[9] J.P. Bowen, M.G. Hinchey, Ten commandments of formal methods, IEEE Software 28 (4) (1995)
56{63.
[10] S. Bradley, W. Henderson, D. Kendall, A. Robson, A formally based hard real-time kernel,
Microprocessors Microsystems 18 (9) (1994) 513{521.
[11] S. Bradley, W.D. Henderson, D. Kendall, A.P. Robson, Application-oriented real-time algebra, Software
Eng. J. 9 (5) (1994) 201{212.
[12] S. Bradley, W.D. Henderson, D. Kendall, A.P. Robson, Validation, verication and implementation of
timed protocols using AORTA, in: P. Dembinski, M. Sredniawa (Eds.), Protocol Specication, Testing
and Verication XV (PSTV ’95), Warsaw, IFIP, North-Holland, Amsterdam, June 1995, pp. 193{208.
[13] S. Bradley, W. Henderson, D. Kendall, A. Robson, Integrating AORTA with model-based data
specication languages, in: E. Astesiano (Ed.), Fundamental Approaches to Software Engineering (FASE
98), Lecture Notes in Computer Science, vol. 1382, Springer, Berlin, 1998, pp. 54{71.
[14] S. Bradley, W. Henderson, D. Kendall, A. Robson, S. Hawkes, A formal design and implementation
method for real-time embedded systems, in: P. Milligan, K. Kuchinski (Eds.), 22nd EUROMICRO
Conf. (EUROMICRO 96), Prague, IEEE, New York, September 1996, pp. 77{84.
[15] S.P. Bradley, An implementable formal language for hard real-time systems, Ph.D. Thesis, Department
of Computing, University of Northumbria, UK, October 1995.
[16] T.M. Brookes, J.S. Fitzgerald, P.G. Larsen, Formal and informal specications of a secure system
component: nal results in a comparative study, in: M.-C. Gaudel, J. Woodcock (Eds.), 3rd Internat.
Symp. of Formal Methods Europe (FME 96: Industrial Benet and Advances in Formal Methods),
Lecture Notes in Computer Science, vol. 1051, Springer, Berlin, March 1996, pp. 214{228.
[17] R. Cardell-Oliver, T. Glover, A practical and complete algorithm for testing real-time systems, in:
A.P. Ravn, H. Rischel (Eds.), Formal Techniques for Real-Time and Fault-Tolerant Systems 1998,
Lecture Notes in Computer Science, vol. 1486, Springer, Berlin, September 1998.
[18] E.M. Clarke, E.A. Emerson, A.P. Sistla, Automatic verication of nite-state concurrent systems using
temporal logic specications, ACM Trans. Programming Languages Systems 8 (2) (1986) 244{263.
[19] E.M. Clarke, O. Grumberg, D.E. Long, Model checking and abstraction, ACM Trans. Programming
Languages Systems 16 (5) (1994) 1512{1542.
[20] R. Cleaveland, J. Parrow, B. Steen, The concurrency workbench: A semantics-based tool for the
verication of concurrent systems, ACM Trans. Programming Languages Systems 15 (1) (1993)
36{72.
[21] A. Coombes, J. McDermid, Specifying temporal requirements for distributed real-time systems in Z,
Software Eng. J. 8 (5) (1993) 273{283.
[22] J.C. Corbett, Timing analysis of Ada tasking programs, IEEE Trans. Software Eng. 22 (7) (1996)
461{483.
28 S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29
[23] D. Dams, R. Gerth, Abstract interpretation of reactive systems., ACM Trans. Programming Languages
Systems 19 (2) (1997) 253{291.
[24] J. McDermid (Ed.), Software Engineer’s Reference Book, Butterworth Heinemann, London, 1994.
[25] C. Dietz, Graphical formalization of real-time requirements, in: B. Jonsson, J. Parrow (Eds.), Formal
Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT 96), Lecture Notes in Computer Science,
vol. 1135, Springer, Berlin, September 1996, pp. 366{384.
[26] R. ElmstrHm, P.G. Larsen, P.B. Lassen, The IFAD VDM-SL toolbox: a practical approach to formal
specications, ACM Sigplan Notices 29 (9) (1994) 77{80.
[27] J.-C. Fernandez, C. Jaud, T. Jeron, L. Ndedelka, C. Viho, An experiment in automatic generation of
test suites for protocols with verication technology, Tech. Report 2923, INRIA, June 1996.
[28] C. Fidge, M. Utting, P. Kearney, I. Hayes, Integrating real-time scheduling theory and program
renement, in: M.-C. Gaudel, J. Woodcock (Eds.), FME ’96: Industrial Benet and Advances in Formal
Methods, Lecture Notes in Computer Science, vol. 1051, FME, Springer, Berlin, 1996, pp. 327{346.
[29] C.J. Fidge, Specication and verication of real-time behaviour using Z and RTL, in: J. Vytopil (Ed.),
Formal Techniques in Real-Time and Fault-Tolerant Systems 2nd Internat. Symp., Nijmegen, Lecture
Notes in Computer Science, vol. 571, Springer, Berlin, 1992, pp. 393{409.
[30] C.J. Fidge, Real-time renement, in: J.C.P. Woodcock, P.G. Larsen (Eds.), Formal Methods Europe
’93: Industrial-Strength Formal Methods, Lecture Notes in Computer Science, vol. 670, Springer, Berlin,
1993, pp. 314{331.
[31] J.A. Goguen, T. Winkler, Introducing OBJ3, Tech. Report SRI-CSL-88-9, SRI, August 1988.
[32] M.J.C. Gordon, T.F. Melham (Eds.), Introduction to HOL: A Theorem Proving Environment for Higher
Order Logic, Cambridge University Press, Cambridge, 1993.
[33] J.F. Groote, Transition system specications with negative premises, in: J.C.M. Baeten, J.W. Klop (Eds.),
CONCUR ’90, Amsterdam, Lecture Notes in Computer Science, vol. 458, Springer, Berlin, 1990, pp.
332{341.
[34] K. Havelund, N. Shankar, Experiments in theorem proving and model checking for protocol verication,
in: M.-C. Gaudel, J. Woodcock (Eds.), 3rd Internat. Symp. of Formal Methods Europe (FME 96:
Industrial Benet and Advances in Formal Methods), Lecture Notes in Computer Science, vol. 1051,
Springer, Berlin, 1996, pp. 662{681.
[35] I.J. Hayes, Specication directed module testing, IEEE Trans. Software Eng. 12 (1) (1986) 124{133.
[36] C.A.R. Hoare, Communicating Sequential Processes, Prentice-Hall, New York, 1985.
[37] M. Holcombe, An integrated methodology for the specication, verication and testing of systems,
Software Testing Verication Reliability 3 (1993) 149{163.
[38] International.Standards Organisation, Informations Processing Systems | Open Systems Interconnection
| LOTOS | A Formal Description Technique Based on the Temporal Ordering of Observational
Behaviour, vol. ISO 8807, ISO, 1989-02-15 edition, 1989.
[39] C.B Jones, Systematic Software Development Using VDM, Prentice-Hall, New York, 1986.
[40] B.W. Kernighan, R. Pike, The UNIX Programming Environment, Program Development, Prentice-Hall,
Englewood Clis, NJ, 1984, pp. 233{288 (Chapter 8).
[41] B. Mahony, J.S. Dong, Timed communicating object Z, IEEE Trans. Software Eng. 26 (2) (2000)
150{177.
[42] B.P. Mahony, I.J. Hayes, A case-study in timed renement: a mine pump, IEEE Trans. Software Eng.
18 (9) (1992) 817{825.
[43] R. Milner, Communication and Concurrency, Prentice-Hall, New York, 1989.
[44] R. Milner, M. Tofte, R. Harper, The Denition of Standard ML, MIT Press, Cambridge, MA, 1990.
[45] A. Mota, A. Sampaio, Model-checking CSP-Z, in: E. Astesiano (Ed.), Fundamental Approaches to
Software Engineering (FASE 98), Lecture Notes in Computer Science, vol. 1382, Springer, Berlin,
1998, pp. 205{220.
[46] B. Ormsby, An approach to testing during formal development with the B-method, in: P. Milligan,
K. Kuchinski (Eds.), 22nd EUROMICRO Conference (EUROMICRO 96), Prague. IEEE, New York,
September 1996. Short contribution.
[47] C.Y. Park, Predicting program execution times by analyzing static and dynamic program paths,
Real-Time Systems 5 (1) (1993) 31{62.
[48] C.Y. Park, A.C. Shaw, Experiments with a program timing tool based on source-level timing schema,
IEEE Comput. 24 (5) (1991) 48{57.
S. Bradley et al. / Science of Computer Programming 40 (2001) 3{29 29
[49] M. Phillips, CICS=ESA 3.1 Experiences, in: J.E. Nicholls (Ed.), Z User Workshop, Oxford, Springer,
Berlin, 1989, pp. 179{185. Workshops in Computing, 1990.
[50] B. Potter, J. Sinclair, D. Till, An Introduction to Formal Specication and Z, Prentice-Hall, New York,
1991.
[51] S. Schneider, J. Davies, D.M. Jackson, G.M. Reed, J.N. Reed, A.W. Roscoe, Timed CSP: Theory and
practice, in: J.W. de Bakker, C. Huizing, W.P. de Roever, G. Rozenberg (Eds.), Real-Time: Theory in
Practice (REX Workshop), Mook, Lecture Notes in Computer Science, vol. 600, Springer, Berlin, June
1991, pp. 640{675.
[52] N. Shankar, S. Owre, J.M. Rushby, The PVS Proof Checker: A Reference Manual, Computer Science
Laboratory, SRI International, Menlo Park, CA, February 1993. A new edition for PVS Version 2 is
expected in 1998.
[53] G. Smith, I. Hayes, Towards real-time object-Z, in: K. Araki, A. Galloway, K. Taguchi (Eds.), 1st
Internat. Conf. on Integrated Formal Methods, Springer, Berlin, June 1999, pp. 49{65.
[54] The RAISE Language Group, The RAISE Specication Language, BCS Practitioner Series,
Prentice-Hall, Englewood Clis, NJ, 1992.
[55] H. Toetenel, VDM + CCS + Time = MOSCA; 18th IFAC=IFIP Workshop on Real-Time Programming
| WRTP ’92, Bruges, Pergamon Press, Oxford, June 1992.
[56] C. Tofts, Timed concurrent processes, in: Semantics for Concurrency, 1990, pp. 281{294.
[57] H. Treharne, S. Schneider, Using a process algebra to control B operations, in: K. Araki, A. Galloway,
K. Taguchi (Eds.), 1st Internat. Conf. on Integrated Formal Methods, Springer, Berlin, June 1999,
pp. 437{456.
[58] S. Tripakis, C. Courcoubetis, Extending promela and spin for real time, in: T. Margaria, B. Steen
(Eds.), Tools and Algorithms for the Construction of Systems (TACAS 96), Passau, Lecture Notes in
Computer Science, vol. 1055, Springer, Berlin, March 1996, pp. 329{348.
[59] P. Tripathy, B. Sarikaya, Test generation from LOTOS specications, IEEE Trans. Comput. 40 (4)
(1991) 543{552.
[60] M. van Sinderen, L. Ferreira Pires, C.A Vissers, Protocol design and implementation using formal
methods, Comput. J. 35 (5) (1992) 478{491.
[61] E. Weyuker, T. Goradia, A. Singh, Automatically generating test data from a Boolean specication,
IEEE Trans. Software Eng. 20 (5) (1994) 353{363.
[62] Wind River Systems, VxWorks Programmer’s Guide v5.1, December 1993.
[63] S. Yovine, Kronos: a verication tool for real-time systems, Software Tools Technol. Transfer 1 (1+2)
(1997) 123{133.
