Specification Of Embedded, Real-time Systems by Skakkebæk, Jens Ulrik et al.
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
General rights 
Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners 
and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. 
 
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. 
• You may not further distribute the material or use it for any profit-making activity or commercial gain 
• You may freely distribute the URL identifying the publication in the public portal  
 
If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately 
and investigate your claim. 
   
 
Downloaded from orbit.dtu.dk on: Dec 17, 2017
Specification Of Embedded, Real-time Systems
Skakkebæk, Jens Ulrik; Ravn, Anders P.; Rischel, Hans; Chaochen, Zhou
Published in:
Proceedings of the Fourth Euromicro workshop on Real-Time Systems
Publication date:
1992
Document Version
Publisher's PDF, also known as Version of record
Link back to DTU Orbit
Citation (APA):
Skakkebæk, J. U., Ravn, A. P., Rischel, H., & Chaochen, Z. (1992). Specification Of Embedded, Real-time
Systems. In Proceedings of the Fourth Euromicro workshop on Real-Time Systems (pp. 116-121). IEEE.
Specification of Embedded, Real-Time Systems* 
Jens U.  Skakkebzk, Anders P. Ravn, Hans Rischel & Zhou Chaochen t 
Department of Computer Science 
Technical University of Denmark, Bldg. 344 
DK 2800 Lyngby, Denmark 
Abstract 
A n  approach t o  requirements specification and sub- 
sequent verification of designs for embedded, real-time 
systems is presented. A system is given by a con- 
ventional mathematical model for a dynamic system, 
where application specific state variables denote total 
f inctions of real t ime. Specifications are formulas in a 
real-time, interval temporal logic, where atomic pred- 
icates define durations of states. Requirements are 
specified by a conjunction of formulas, which reflect 
safety and functionality constraints on the total sys- 
tem.  A design specifies the behaviour of components 
and the conjunction of component specifications can 
be shown to imply the requirements. Designs can be 
refined in a similar fashion. 
1 Introduction 
Requirements engineering [4] for software that con- 
trols physical systems must investigate safety and 
functional requirements for the system as a whole. Re- 
quirements typically delimit expected behaviours over 
time for a combination of given physical processes with 
planned sensors, actuators and programmed comput- 
ers. Requirements engineering is ideally completed 
with precise specifications for components and the de- 
sign binding them together. This paper illustrates 
an approach to requirements engineering which has 
evolved during our work with case studies within the 
Provably Correct Systems (ProCoS) project [l, 131. 
The approach uses a conventional time-domain 
model of mathematical systems theory or control engi- 
neering [12] and develops predicates describing prop- 
erties of a total system in three steps: 
1. An application domain system model of the equip- 
ment and its intended environment of use is de- 
fined. This defines the overall states of the system 
model. 
as functions of time. Requirements constrain this 
*This work is partially supported by the Commission of the 
European Communities (CEC) under the ESPRIT programme 
in the field of Basic Research Action proj. no. 3104: “ProCoS: 
Provably Correct Systems” and by The Danish National Engi- 
neering Research Council 
ton leave from Software Institute, Academia Sinica, Beijing 
100080, China 
:E-mail: jusQid.dth.dk, apr@id.dth.dk, hsr@id.dth.dk and 
zcc@id.dth.dk 
0-8186-2815-4/92 $3.00 Q 1992 IEEE 
2. A control model extends the system model with an 
explicit control strategy. The strategy is verified 
to imply the requirements under a set of assump- 
tions about the intended environment of use. 
3. A design model for a distributed system defines 
separate specifications for a set of interface units 
and programs. Interface units relate system states 
to event values under certain timing and approx- 
imation constraints. Programs implement the 
control strategy by controlling timing and order 
of events, and by computing relevant event values. 
The approach is based on refinement of models. 
Each refinement removes some freedom (choice, non- 
determinism) by adding further constraints. At each 
stage the resulting model is verified to be contained in 
(or imply) the model of the previous stage. 
The following sections introduce the specification 
language, and then discuss the system and control 
models with associated refinements in more detail, us- 
ing a simple Railway Level Crossing as a running ex- 
ample. The approach has also been used on a simple 
Auto Pilot [14] (example due to Boyer and Moore) and 
on a Gas Burner [ll]. 
2 Specification language 
A system is described by a collection of state vari- 
ables which are functions of Time, modelled by the 
real numbers. Properties of systems are expressed by 
constraints on the state variables. We wish to express 
requirements and design without explicit mentioning 
of time instants, and introduce a notation which is a 
real-time, interval logic [9] based on state durations: 
The Duration Calculus [Z]. 
2.1 Syntax 
We assume names for state variables X ,  Y, . . . to- 
gether with their value domains Typex,  Typey ,  . , . 
given by declarations in a suitable specification lan- 
guage, here VDM (cf. [5]). The language should 
comprise names for constants and operators, The type 
R of real numbers should be available with the usual 
operators, and so should the type Boo1 of Boolean 
values with the usual propositional operators. The 
Boolean constants are denoted tt and 8 (the names 
true and false are reserved for duration formulas). We 
use lower case names a ,  b, . . . t o  denote constants or 
static variables of any type in the language. Static 
variables denote time-independent entities. 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on November 20, 2009 at 08:04 from IEEE Xplore.  Restrictions apply. 
State expressions and state assertions 
A state explression is generated b a constant, a static 
variable, a state variable or any 6ype correct) expres- 
sion op(S1, . . . , S,) formed from an operator symbol 
op and state expressions S I , .  . . , S,. 
A state assertion is a state expression with type 
Bool. 
Durations and duration terms 
For any state assertion P ,  s P  is a duration. A du- 
ration ternt (of type R) is a duration, a real con- 
stant, a real static variable or the term o p ( q , .  . . , y,), 
where op is; an n-ary operator symbol of type R and 
rl, . . . , r, are duration terms. 
The symbol .t is used as an abbreviation for the 
duration te:rm J'tt. 
Duration formulas 
If A is any n-ary predicate symbol on R and q , . . . , r, 
are duration terms, then A(q, . . . , r,) is an atomic du- 
ration formula. Atomic duration formulas, the sym- 
bols true and false,  ( ~ D I ) ,  ( 9 1  V D z ) ,  (D1 ; D2) ,  
and (V x)Dll, where x is a static variable and D1, 2 ) 2  
are duration formulas, are dumtion formulas of type 
Bool. We use standard abbreviation A, j, U for 
both state assertions and duration formulas, and we 
introduce abbreviations for commonly used duration 
formulas: 
Abbreviaition Formula Legend 
t = O  point 
s p  = L A 1  > 0 almost 
everywhere P 
OD true ; 2) ; true somewhere 2) 
OD l(0-a) always 2) 
11 
[PI 
D1 -+D2 2)1 ; true + 2)2 follows 2)1 
Dl V ( D l  ; 2 ) 2  ; true) 
The following precedence rules are used 
first: 1 1  0, 0 
third: 3, --+ 
2.2 Semantics 
A (particular) behaviour B of a system assigns a 
function [O, CO) -+ Q p e x  to each state variable X, and 
selects a value V ( z )  for each static variable z. Each 
state expression then denotes a function obtained by 
evaluating the expression for each point of time. For 
a state assertion P it seems reasonable to demand f i -  
nite variability: For each behaviour, any observation 
interval can be divided into finitely many subintervals 
with P constant on each (open) subinterval. 
An observation interval is a closed and bounded in- 
terval [b, e ]  CC [0, CO). For a given interval the duration 
P of a state assertion P denotes the real number 
second: V ,  A ,  ; 
J,"(if P ( t )  = t t  then 1 else 0)dt  
which is the measure of the set of points where P 
has value t t .  For any behaviour B and interval [b, e]  
duration terms denote real values and atomic duration 
formulas denote Boolean values. 
The d u e s  of complosite duration formulas are ob- 
tained by the usual interpretation of the logical oper- 
ators and quantification, cf. e.g. [6]. The value of a 
"chop" formula D1 ; D2 is t t  if and only if the in- 
terval [b, e ]  can be divided into [b, m] and Em, e]  such 
that ID1 is t t  on [b, m] and 272 is tt on [m,  e] .  
A duration formula 'D holds on the interval [b, e]  for 
the behaviour B just when D has value tt on [b ,  e]  with 
any assignment V of values to the static variables. 
The formula 2) hola!s from start for the behaviour 
B just when it holds on any interval of the form [O, 2'1 
for the behaviour B. 
A duration formula 2) is valid (a tautology) just 
when it holds for every behaviour B and every interval 
[b, e] .  It is sufficient for a formula to  be valid, that it 
holds from start for every behaviour B. 
2.3 Specifications and refinement 
A specification for a, system is a duration formula 
2). A behaviour €3 satisfies the specification if D holds 
from start for 8. 
For specifications 2 ) ~  and 2 ) 2  we say, that 2 ) 2  is a 
refinement of 2)1 if any behaviour satisfying 2 ) 2  also 
satisfy D1. It follows, that V2 is a refinement of 2)1 if 
the duration formula 232 2)1 is valid. 
2.4 Proof system, Verification 
It is almost certain, that the general Duration cal- 
culus is undecidable, and hence we cannot expect to 
find a complete set of axioms and proof rules. The 
proofs in this paper may, however, be based on the 
set of axioms and prooif rules given below. In the fol- 
lowing, P denotes a state assertion, r a non-negative 
real number and 2) denotes a formula in the Duration 
Calculus. 
Axiom 1 J'#= 0 
Axiom 2 s P  2 0 
Axiom 3 + sP2  == s( PI V P2) + s( PI A P2) 
Axiom4 ( J P = r l ) ;  ( J P = n ) *  J P = n + 4  
Axiom 5 If PI U P2 is a valid state assertion then 
JP1 = JP2 is an axiom 
The following induction rule is sound due to the finite 
variability of states. 
Induction Rule If D ( [ l  is provable, and 
D X v ( X  ; [ P I )  v ( X  ; ['P \ )) is provable from 
D[X), then D(true)  has been proved. 
It has a dual, backward induction rule. 
3 System model 
The first step in formalising requirements to a sys- 
tem is to construct a system model. Requirements are 
constraints on this mod,el. This section builds a sys- 
tem model for our running example: A railway level 
crossing. 
I I7 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on November 20, 2009 at 08:04 from IEEE Xplore.  Restrictions apply. 
3.1 Informal description 
The following informal description is based on the 
description found in [ lo ]  and on discussions with en- 
gineers from DSB (Danish National Railways): 
The railway level crossing is a crossing between a 
single track railway and a road. For simplicity it is as- 
sumed that all trains passing the crossing will travel in 
the same direction. The crossing is shown in figure 1.  
-- 
Approaching Passing 
Figure 1: Railway Crossing 
Road traffic is controlled by a gate at each side of 
the railway. The gates close only when road traffic is 
not stuck in the crossing. 
Train traffic is controlled by a signal on the side 
of the tracks along which the trains approach. The 
signal indicates: “stop” or “go” for oncoming trains. 
Sensors keep track of trains in the system. A sensor 
is placed in a reasonable distance from the signal such 
that a train will reach the first sensor point before it 
reaches the signal. A train enters the system, when- 
ever it is determined by this sensor. A train has left 
the crossing, whenever the sensors determine that the 
rear end of the train has passed the crossing. 
When a train approaches, the gates are closed, pro- 
vided road traffic is not stuck in the crossing. The 
signal is only set to “go” after the gates have closed. 
When no trains are approaching or passing, the sig- 
nal must be set to “stop” and the gates opened. 
The main objective of the system controlling the 
gates and the signal is to ensure safety: The system 
must never allow train and road traffic to pass the 
crossing at the same time. 
Furthermore, the system must ensure that both 
road traffic and trains are able to pass the crossing 
within some reasonable time. 
The device that controls the system is the Railway 
Crossing Control System (RCS). The RCS gets input 
data from the train sensors and the gate sensors, and 
sends commands to the signal and the gates. 
3.2 State variables 
trains. 
The Signal can be “stop” (8) or “go” ( t t )  
The state models a signal, gates, road traffic and 
Signal : Boo1 
The gates can be open, closed, opening or closing 
Gates : {open,  closed, opening, closing) 
The road traffic can be stopped at the crossing, be 
stuck in the crossing or be free to cross 
Traffic : {stopped, stuck,free) 
Trains are either approaching or passing 
Appr : N-& 
Pass : N-& 
where a train, identified by a unique, natural number 
i, is approaching ( i  E Appr)  if some part of the train 
is between the sensor and the signal, and passing (i E 
Pass)  if some part of the train is between the signal 
and the end of the crossing. Trains are active if either 
approaching or passing (or both). We define three 
state assertions expressing the state of the trains 
Passing 2 Pass # I 
Approaching P Appr # 0 
Active 2 Act # 0 
where Act = Appr U Pass 
3.3 Requirements 
The requirements concern safety and function 
3 
Req o(SafReq A A FunReq z )  
i=l 
Safety requirement 
If the gates are not closed or road traffic is stuck in 
the crossing, the trains must not pass 
+- rlPasszng1 SafReq 2 [ (Gates  # closed) V (Trafic  = stuck)l 
Functional requirements 
The road traffic should maximally be held back 
for a predefined period of time, Tstopped 
FunReql 2 [%fie = stopped] ! 5 Tstopped 
When all trains have left the railway crossing, the 
gates must be open for at least time, Topen 
FunReq2 e [Active] ; [ l d c t i v e l ;  [Active] 
3 l ( G a t e s  = open) > Topen 
Provided the road traffic is not stuck, a single 
train must be able to pass within time, Tactive 
FunReq3 P [i E Active A (Traffic # stuck)] + L 5 Tactive 
I I X  
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on November 20, 2009 at 08:04 from IEEE Xplore.  Restrictions apply. 
4 Control model 
We now turn to selecting the assumptions and a 
control strettegy, such that the controlled system can 
be proved to satisfy the requirements under the given 
assumpt.ions. 
4.1 Ass,umptions 
The assumptions constrain the system environ- 
ment. In the case of the railway level crossing, it is 
necessary tlo constrain the behaviour of both the road 
traffic and the trains, as well as the devices 
2 5 3 
A S M  G D( A RTAsm i A A T A s m  i A A D A s m  i )  
i = l  i=l  i=l 
Road traffic assumptions 
1. When running freely, the road traffic might even- 
tually either be stopped properly by the gates or 
become stuck in the crossing. Stopped and stuck 
road titaffic might in turn become free again 
( r f i f f i c  = stopped] + r%afic = f i ee l )  
R T A s m l  2 
A ( [Traffic = free] -+ 
A ([Traffic = stuck] + [ D u f i c  = free])  
([Traf f ic  = stopped] V [Traffic = stuck]))  
2. Road .traffic is stopped, if and only if the gates 
are not open 
RTAsm2 2 
[%a& = stopped1 e [Gates # open] 
Train assumptions 
1. Trains must only pass if the signal is ‘‘go” 
T A s m l  [Passing1 [Signall 
2. An active train travels in one direction only (ap- 
proaches initially and passes finally) 
TAsnn2 2 
A ( ‘i E Appr A i @ Pass1 --f [z E Pass] ) 
A ( I -i E Pass] + [i 4 A c t ] )  
( [ i  @ Act1 -+ [i E Appr A i @ Pass])  
3. The last train in a series of trains passes the cross- 
ing before leaving the crossing 
TAsm3 2 
A 1 [i$Ejhing A +assing1 -+ [Passing 
A 
A [ 1-Active] t [Passing]) 
-+ [Approaching A 
-Passing] + ( [l Active] V [Active] )) 
4. The tirains do not linger if the signal is “go” 
TAsm4 2 [Signal A Active1 + -! 5 Tsched 
5 .  The railway tracks are not overloaded with trains 
TAsm5 S [Activel; r ldc t i ve l ;  [Active1 
j 1 ;. Tinactive + Twait 
-t Tgateopen + Topen 
The assumptions 1, 2 and 4 are examples of “obvi- 
ous” parts of train behaviours; but we have to state 
them explicitly in order to use them in a verification. 
Device assumptions 
1. It takes at most Tgateclose for the gates to close, 
if the road traffic is not stuck in the RLC 
DAsml  2 [Gatea = closing A Trafic # stuck] 
-! Tgateclose 
2. It takes at most I’galeopen for the gates to open 
DAsm2 S [Gates = opening] + -! 5 Tgateopen 
3. The physical properties of Gates constrain the 
value of gates to the cycle: open, closing, opening, 
open (in that order) 
DAsm3 1 
([Gates = open] t [Gates = closing]) 
A ([Gates  = closing1 -+ [Gates = closedl) 
Gates = closed) -+ [Gates = opening]) 
Gates = opening] -+ [Gates = open]) 
4. The signal switches between “stop” and “go” 
4.2 Control strategy 
The control strategy is selected by the system de- 
signer with the purpose of defining an implementable 
control satisfying the requirements under the assump- 
tions. The following strategy is a formalisation of the 
obvious finite state control, cycling through phases 
with passive, approaching and passing trains. This 
is expressed by the predicate 
7 
RCS G U (  A RCS i )  
a=1 
Approaching trains 
1. The gates will remain open when no trains are 
present 
RCSl 2 ([ lAc t i ve )  A ([Gates = open) ; true)) 
j [Gates = open1 
2. If trains are present, the gates are open for at  
RCS2 2 [Gates = open A Active] j .! 5 Beact 
3. It takes at most Tnts  before the signal is “go” 
RCS3  e [(Gates = closed) A -&gnu1 A Active] 
most Beact 
when the gates have closed 
j -! 5 Tnts  
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on November 20, 2009 at 08:04 from IEEE Xplore.  Restrictions apply. 
Passing trains 
4. The gates remain closed as long as the signal is 
“go’, 
RCS4 2 [Signall =& [Gates = closed] 
5. The signal remains ”go”, while trains are present 
RCS5 ( [Act ive]  A ( [Signall ; tme))  
+ [Signal] 
6 .  The signal will only indicate “go” for at most 
Tinactive after the trains have left 
RCS6 e [YActive A Signal] + 1 5  Tinactive 
7. The gates will remain closed for at most Twait 
after all trains have left 
RCS7 1 [ (Gates  = closed) A TActiwe A TSignaq 
=+- C 5 Twait 
4.3 Verification of requirements 
In order to verify that the formal specification of the 
Control System satisfies the requirements, one must 
prove: ASM A R C S  =+- Req. 
The verifications all have the same structure: From 
an arbitrary interval, where the antecedent part of the 
requirement holds, it is shown through several steps 
of deduction that the consequent holds. The assump- 
tions and the control strategy can be used freely in the 
deduction, since they all hold for an arbitrary interval 
(the 0 distributes over conjunction). Since it is shown 
to hold for an arbitrary interval it also holds for any 
subinterval. 
The safety requirement 
The safety requirement is verified without any timing 
constraints 
D a f i c  = stuck)] {Trafic} 
D a f i c  # stopped)] {RTAsm2} 
j [( Gates # closed) V (Gates  = open)] {Gates} 
{RCS4} 
{TAsml} 
cZosed) V (Gates  # closed)] 
The functional requirements 
The proof of the first functional requirement ensur- 
ing the flow of the road traffic relies on the maximum 
opening and closing times for the gates, and the cal- 
culated maximum time the gates can be closed: 
[Tra f i c  = stoppedl { RTAsmft} 
{ DAsm3) j [Gates # open1 
Gates = closing1 V 
Gates = closedl V r 
{DAsml} 
{RTAsm2} ( [ G a t e s  = opening] V [I) 
+ ! 5 Tgateclose V [I); 
=+- C 5 Tgateclose V 11); j( 5 Tclosed V [I); 
[Gates = opening1 V []) 
(l 5 Tgateclose V [I); 
5 Tclosed V [ I ) ;  
! 5 Tgateopen V [I)) 
\[Gates = closed] V [I 
( [ G a t e s  = opening] V 
(DAsm2) 
+ 
{DurCalc} 
j 5 Tgateclose + Tclosed + Tgateopen 
where we have used the following lemma: 
The time that the gates are closed is limited by a 
sum of the time the gates are closed before the signal 
indicates “go”, the active time with the signal on “go”, 
the time the signal is after the trains have left the 
crossing, and finally the time the gates can be closed 
while the system is inactive 
Lemma G U( [Gates = closed] =j ! 5 Tclosed) 
where Tclosed = Tnts + Tsched + Tinactive + Twait 
Thus, we should choose Tstopped such that: 
Tgateclose + Tclosed + Tgateopen 5 Tstopped 
The second and third functional requirements are 
proved in a similar manner. 
5 Refining the control model 
The control model presented above (from now on 
referred to  as RCSO) specified a set of properties of 
the control system. This control model can be refined 
to introduce a less abstract control model (RCSl), a 
design. In this model, the control system is defined by 
describing the communication between a controlling 
processor and some interface units. 
5.1 Informal description 
The refined control model comprises: 
A controlling processor 
A unit monitoring the positions of the trains 
A unit controlling the train signal 
A unit controlling the gates 
A unit monitoring the gates 
The communication history between the processor 
and the units is captured by extending RCSo with a 
state variable 
t r  : Event’ 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on November 20, 2009 at 08:04 from IEEE Xplore.  Restrictions apply. 
which contains a finite trace (i.e. list) of events. An 
event occurring at time t is appended to  the previous 
value of tr .  Hence, events occur at the points in time 
where the value of tr changes, and tr holds the history 
of events occurring prior to or at time t .  
A detailed description of the refinement can be 
found in [15]. 
5.2 Correctness of refinement 
of the original control strategy RCSo if 
The control strategy RCSI is a correct refinement 
RCSi + RCSo 
Since RCSo together with the assumptions has been 
shown to satisfy the requirements, it follows that 
RCSl A AS.M 3 Req 
RCSo is a conjunction of 7 formulas: 
RCS1, ..., RCS7. Verifying that RCSo holds whenever 
RCS, holds, is therefore done by separately verifying 
each of the conjuncts. The complete calculations can 
be found in [15]. 
6 Conclusion 
We have illustrated an approach to requirements 
engineering for real-time systems using a mathemat- 
ical specification of system requirements and system 
design, where a design is verified by calculations. In 
the first stage a system model is built. Requirements 
for the system together with assumptions for the sys- 
tem environiment are stated. A control model is then 
constructed, and it is proved that the control model 
satisfies the requirements whenever the assumptions 
hold. Desigin for a particular control system is then 
introduced and verified to preserve the properties of 
the control model. The end result is a set of verified 
specifications, which clearly expresses the responsibil- 
ities of component implementors. 
In further refinement steps towards concrete pro- 
grams, we need to know the relationship between pro- 
gramming language semantics and duration formulas. 
In [3] the Dluration Calculus is used to  give a real- 
time semant.ics to communicating sequential processes 
and also gives various specifications of schedulers for 
shared processors. Furthermore, the Duration Calcu- 
lus has in [7] been used to give semantics to circuits, to 
prove the correctness of a circuit transformation, and 
to give a precise definition of delay-insensitive circuits. 
Current work is going on to extend Duration Calculus 
to a version with probabilities [8] as well as to mech- 
anise the calculations using existing theorem provers. 
Zhou Chaochen, C.A.R. Hoare, A.P. Ravn: A Cal- 
culus of Durations, Information Processing Letters, 
40(5), 1992. 
Zhou Chaochen, Michael R. Hansen, A. P. Ravn: 
Duration Specifications for Shared Processors. In: 
Proceedings of Symposium on Formal Techniques in 
Real-time and Fault Tolerant Systems, Nijmegen, 
January 6-10, 1992. (To appear in the LNCS se- 
ries.) 
A.M. Davis and P.A. Freeman: Guest Editors’ 
Introduction: Requirements Engineering, IEEE 
Trans. Software Eng., 17, March 1991, p. 210-211. 
John Dawes: The VDM-SL reference guide, Pit- 
mann, 1991. 
A.G. Hamilton: Logic for Mathematicians, Cam- 
bridge University Press, Revised Edition, 1988. 
M. R. Hansen, Zhou Chaochen and J0rgen 
Staunstrup: A Real- Time Duration Semantics for  
Circuits. ProCoS Rep. ID/DTH MRH 7/1, Septem- 
ber 1991. 
Zhiming Liu: A Probabilistic Duration Calculus. 
Working Paper, Department of Computer Science, 
Technical University of Denmark, December 1991. 
Ben Moszkowski: ,4 Temporal Logic for Multilevel 
Reasoning about Hardware, IEEE Computer, vol. 
18, no. 2, 1985, pp. 10-19. 
J. Nordahl: Requirements Specification for a Rail- 
way Level Crossing, ProCoS Note ID/DTH JNO 2, 
Feb. 1990. 
K.M. Wansen, A.€’. Ravn, H. Rischel: Specifying 
and Verifying Requirements of Real-Time Systems, 
Proceedings of the ACM SIGSOFT ’91 Conference 
on Software for Critical Systems, New Orleans, 
December 4-6, 1991, ACM Software Engineering 
Notes, vol. 15, no. 5, pp. 44-54, 1991. 
David G. Luenberger: Introduction to Dynamic 
Systems. Theory, Models 5’ Applications, Wiley, 
1979. 
A.P. Ravn, H. Rischel and V. Stavridou: Provably 
Correct Safety Critical Software, in Proceedings of 
IFAC SafeComp’913, London, England, Oct. 1990. 
A.P. Ravn, H. Rischel: Requirements Capture 
for Embedded Read-Time Systems, Proceedings of 
IMA CS-MCTS Symp., Villeneuve-d’Asq, France, 
May 1991, Vol. 2, p. 147-152. 
J. U. Skakkebcek: Development of Provably Cor- 
rect Systems, Master’s thesis, Dept. of Computer 
Science, Technical University of Denmark, 1991. 
References 
[I] Dines Bjqirner: A ProCoS Project Description, ES- 
PRIT BRA 3104, EATCS Bull., No 39, October 
1989. 
121 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on November 20, 2009 at 08:04 from IEEE Xplore.  Restrictions apply. 
