Exploiting Formality within an Architectural Design Method by Paynter S et al.
Exploiting Formality Within an Architectural
Design Method
Stephen Paynter1, Jim Armstrong2, and Jan Haveman3
1 Matra BAe Dynamics (UK) Ltd, Filton, Bristol, UK
2 Centre for Software Reliability, University of Newcastle-Upon-Tyne, UK
3 Pace Micro
January 29, 2001
Abstract
This report argues that formal methods need to be properly integrated
into an architectural design method if they are to be successfully trans-
ferred into industrial practice. It outlines a number of issues which need
to be considered when performing such integration, and illustrates these
points by reference to the formal techniques for complex high-integrity
real-time systems being developed in the BAE SYSTEMS Dependable
Computing Systems Centre.
1 Introduction
Formal speci¯cation languages promise the ability to express the behavioural
requirements of software systems concisely (and when wisely used, abstractly)
in unambiguous notations. Formal speci¯cations form a suitable foundation for
system validation by proof and animation, and they de¯ne the requirements
against which the correctness of a design or implementation can be formally
veri¯ed. Formal proofs, by removing the role of intuition in interpreting symbols,
promise to provide strong evidence for the validation and veri¯cation properties
proved. Therefore, it is argued, formal techniques have a vital role to play in
the development of high-integrity and safety-critical software, [3] and [5].
It is, however, widely recognised that other aspects of the development pro-
cess play at least as important a role as formal techniques in determining the
integrity of a system; for example, the UK defence standard for developing
safety-critical software [33] places a strong emphasis on the quali¯cations and
experience of the people involved in a development; the independence of the
Auditors; the separation of the Design and Veri¯cation and Validation teams;
and the production and control of documentation. Furthermore, it is widely
recognised that not all the properties of interest can be formalised, and that
formal veri¯cation and validation is only as good as the models of the system
1
on which it is based. However, even allowing for the fact that formal methods
do not address all the issues of developing high-integrity systems, there has been
reticence in industry to adopt these techniques. The alienating e®ect of logical
symbols, the di±culty of learning the mathematics, and the uncertain cost im-
plications of adopting formal methods have all been cited as important reasons
for this lack of take up, [2]. However, it is argued in this report that a more
signi¯cant factor is the degree with which the formal techniques are integrated
into the traditional system speci¯cation and design approaches. In particular,
it is argued that formal techniques are best exploited within the context of an
architectural design method.
The structure of the report is as follows: section 2 discusses the role of for-
mal techniques, drawing on the experience of developing formalisms for indus-
try in the BAE SYSTEMS Dependable Computing Systems Centre (DCSC),
an industry-funded research programme at York and Newcastle Universities
in the UK. This is followed in section 3 with a brief introduction to DORIS,
[51, 50, 52], an architectural design method. The following three sections (4 to
6) describe the main ways that real-time formal notations have been used to
supplement and formalise DORIS. In particular, the Activity Description Lan-
guage (ADL), a language for specifying the temporal and functional behaviour
of concurrent processes; protocol semantics; and real-time transactions, are in-
troduced in these sections. Section 7 discusses tool support, and the report
closes by drawing conclusions and making a couple of general points.
2 The Role of Formal Techniques
This section contains an eight point manifesto on the best ways to exploit formal
techniques in the development of large real-time systems; the points have been
identi¯ed by re°ecting on the experience of developing real-time formalisms
for BAE SYSTEMS within the DCSC. The development of these formalisms,
which are introduced in subsequent sections, has been in°uenced by feedback
from engineers from BAE SYSTEMS.
2.1 Architectural Design is Central
Traditionally the design of large real-time systems has been based around (usu-
ally informal and graphical) architectural design notations; that is, around no-
tations which allow the identi¯cation of the main components of a system and
their interactions. This is in contrast to other notations, such as formal methods,
which concentrate on the de¯nition of the behaviour of a system. In practice,
externally imposed architectural constraints (e.g. interfacing, resource, and im-
plementation requirements) mean that the production of a formal behavioural
description is not the ¯rst design step. In the early stages, the suggestive and
intuitive notions of behaviour associated with architectural notations are ade-
quate to develop the preliminary design. It is at subsequent stages that formal
speci¯cations of behaviour come into their own.
2
This suggests that formal notations for large systems should be developed
and used in the context of an architectural design notation.
2.2 Formal Techniques Must be Placed in a Wider Process
Formal techniques need to be placed in a wider system development context for
the following reasons. Firstly, formal speci¯cation, validation, and veri¯cation
are not enough to guarantee system integrity. There are limitations on the criti-
cal properties that can be formalised; in particular, non-functional requirements
such as reliability and user-friendliness cannot be captured. Secondly, the sub-
systems to which formal development can be applied will usually only be a small
proportion of the total number of subsystems, and therefore the overall system
design will need to incorporate both low and high-integrity components.
Thirdly, there are occasionally more cost e®ective analysis techniques than
formal veri¯cation for certain properties, and formal descriptions may need to be
tailored or constrained to enable these techniques to be exploited. An example
is schedulability analysis, which is easier to apply than timed re¯nement, at the
cost of constraining the computational model of the system, [1] and [8].
2.3 Formal Techniques Supplement Architectural Design
Notations
Formal speci¯cation notations can be used to provide a much needed behavioural
speci¯cation of design components; and formal static and dynamic semantics can
be used to clarify what constitutes a valid design and what it means to compose
components in various ways. It is therefore appropriate to talk of integrating
formal and informal notations, as well as of formalising informal notations.
2.4 Formal Techniques Clarify Informal Engineering Con-
cepts
Formal techniques have an important role in clarifying and formalising infor-
mal engineering concepts. For many classes of system there will be informal
concepts which have been developed and used by the engineers responsible for
designing these systems, and these concepts, although they may be ambiguous
and complex, will at least have the advantage of being derived directly from the
problem domain. It is extremely fruitful to use formalisms to clarify such con-
cepts. Firstly ambiguities and incompleteness are quickly revealed. Secondly,
formal speci¯cations expressed using the modi¯ed concepts will be at a level of
abstraction that is familiar.
The formalisation of real-time transactions, [38, 15, 14, 40], modes, [37], and
the DORIS protocols are examples of this principle, [53].
3
2.5 Design Notations Must Evolve when Formalised
When design notations are formalised it is important that the design notation is
modi¯ed according to the principles of semantic elegance and simplicity. De¯n-
ing a formal semantics for a pre-existing language will usually result in a large
unwieldly semantics, whilst the use of formal semantics as a language design
tool will result in a smaller, neater language. This principle is well known in
the domain of programming languages, [45]. Formal semantics make any hid-
den complexity explicit, and hence it becomes easier to modify the language
to keep the semantics manageable than it is to de¯ne the complicated seman-
tics. Semantic simplicity is important, because the resulting language is easier
to learn and use, and the proof-theory is simpler. Tractability of the proof-
theory will be an important, if not determining, factor in deciding whether a
formal notation will be used, since high-integrity systems are increasingly dif-
¯cult to test exhaustively, leaving proof as the only available option. Hence,
if a pre-existing formalised design notation is not suitable for a given problem,
one must have the freedom to change it. This may require modi¯cation of the
Computer Aided Software Engineering (CASE) tools which support the design
notation, and therefore the tools will usually need to be developed \in-house",
rather than being commercial-o®-the-shelf (COTS) products. This can be an
important practical consideration in in°uencing which architectural method is
chosen for formalisation and extension.
2.6 Design Notations are a \Trojan-Horse" for Formal
Techniques
The formalisation of design notations is a means of (surreptitiously) introducing
formal techniques into an existing development process. The user of the design
notation need only become aware of formal issues when analysis of the design is
needed. In practice, since the design notation will be a modi¯cation of an infor-
mal design notation, the di®erences can often only be justi¯ed by explaining the
formal semantic issues. Such discussions are a means of introducing engineers
to the bene¯ts of formal descriptions.
Furthermore, formal notations which supplement the primary design nota-
tion are more likely to be accepted since they are clearly perceived as addressing
a de¯cit in the existing approach.
2.7 Formal Techniques should not be Completely Hidden
Although formal techniques can be introduced via design notations, it is impor-
tant to realise that the full bene¯ts of formalism, and in particular the unam-
biguous abstract speci¯cation of the system's behaviour, can be realised more
fully when formal speci¯cations are written explicitly. One vital bene¯t of for-
mal speci¯cations is that they encourage the careful systematic consideration
of the system's behaviour early in the development life-cycle, [12] and [7]; it
4
is impossible to reap this bene¯t if formal detail is completely hidden under a
graphical notation.
2.8 Design and Validation is Important
Formal methods for the development of large systems need to recognise the
crucial role that design has in that process. It is not the case that real systems
are derived from their speci¯cations; rather, hard-won engineering experience is
used to jump immediately to a promising design structure. It is possible to make
sensible improvements to such structures from informal considerations, before
the precise behaviour of the components of that structure has been speci¯ed.
Correctness proofs for complex systems will therefore always be of the posit-
and-verify variety.
Furthermore, for many systems, while it may be cost-e®ective to use formal
speci¯cations in the proof of carefully selected validation conjectures of the
system's important safety and integrity properties, full correctness veri¯cation
proofs will remain impractical on a large scale for the foreseeable future. The
ability to apply formality selectively in this way is compromised if a correctness
preserving re¯nement method is adopted.
In the rest of the report, the manifesto that has been set out in this section
is illustrated with formalisms which have been developed to be integrated with
the DORIS architectural design method.
3 An Introduction to DORIS
DORIS, the Data-Oriented Requirements Implementation Scheme, [51, 50], ad-
dresses the design and implementation of high-integrity embedded real-time sys-
tems. It consists of a design notation based on real-time networks and various
implementation techniques for system construction, implementation, and com-
missioning. DORIS is a variant of the successful MASCOT-3 design method,
[48], [26], and [58], which at one time was the UK MoD's preferred design nota-
tion, [32] and [34]1. The novel features of the DORIS design notation include:
support for a wide range of synchronous and asynchronous communication pro-
tocols, which are appropriate for both shared-memory and message-passing im-
plementations; features which support the partitioning of a design amongst large
design teams; and support for the °exible re-mapping of a design to the hard-
ware platform, as it evolves during the life of a project (as hardware inevitably
does on projects which take a number of years to develop).
The real-time network concept on which MASCOT and DORIS designs are
based involves the identi¯cation of the computational components of a system
(its subsystems and processes) and the interactions between these components
(that is, the data-°ow paths, along with the protocols or design elements which
support these interactions). DORIS extends MASCOT-3 with a particularly
rich set of pre-de¯ned protocols which are suitable for (distributed) real-time
1The UK MoD does not currently have a preferred design notation.
5
Rendezvous
0 0n
Signal Pool
Overwriting Buffer
n 00
Flash Data
Prod Stimulus 
Channel
Dataless Channel Bounded Stim Buffer
n
Bounded Buffer
n
Constant
Directed HandshakeOverwriting Stim Buffer
Figure 1: A Fragment of the DORIS Protocol Hierarchy
Read data not consumed Read data consumed
(Never held up) (Held up when no data)
Old data overwritten
(Never held up)
Pool Signal
Old data not Overwrit-
ten
(Held up when no space)
Constant Channel
Table 1: The Basic DORIS Protocols
systems. Figure 1 shows some of these protocols, the de¯nitive references for
which are [53, 54, 55].
Informally, the four basic protocols, the signal, pool, channel and constant,
can be understood as imposing di®erent synchronisation constraints on the
reader and writer of the protocol, depending on whether or not they allow
data to be destroyed when it is read or written; this is captured in Table 1.
The pool is similar to a shared variable; the channel to the one-place bounded
bu®er; and the signal to an overwriting one-place bounded bu®er. The protocol
hierarchy in Figure1 shows how these basic protocols can be modi¯ed according
to whether the protocol contains an n-place storage bu®er (indicated by an `n'
adjacent to the symbol); no storage, (indicated by a zero); or whether it only
allows `void data' or a `stimulus' to be communicated (indicated by a central
spot). Most of the commonly used basic communication protocols, such as
handshake, rendezvous, overwriting bu®er, and shared variable, are provided
in DORIS. This richness can be exploited in designs by allowing the logically
required protocol to be adopted on each communication path.
An important innovation in DORIS is the distinction of three levels of de-
6
sign abstraction, known as the functional, application, and execution network
levels. A functional network (FN) involves the identi¯cation of the main sub-
systems of which a design is comprised, along with the data-°ows between these
subsystems, annotated with protocols where appropriate. This is the overall
architecture of the design. The application network (AN) retains the same
structure as the FN, but each subsystem has been decomposed until all the pro-
cesses, and the design components which will support the interaction protocols,
have been identi¯ed.
Single-threaded processes are called activities in DORIS, and the compo-
nents which support the protocols are known as intercommunication data areas,
(IDAs). IDAs can also be used to record the presence of retained data (e.g. a
database) in the design. The AN de¯nes the logical architecture of the design
solution. The execution network (EN) extends the AN with components needed
to support its mapping to a distributed hardware implementation. This may
involve designing subsystems which will provide the infrastructure needed to
support communications across the network of processors, and the decompo-
sition of IDAs into network fragments when the IDA supports communication
across processor boundaries.
The separation of the logical design structure from the EN makes the re-
mapping of the design to changing hardware platforms relatively easy, [58]. An
implementation should follow the structure of the EN, although it need not
(and ideally will not) contain an implementation of the hierarchical aspects of
the functional and application networks; that is, only the °at network need be
implemented, and therefore there is no performance penalty for using appropri-
ate subsystem abstractions to keep the design comprehensible.
Figure 2 contains an FN, AN, and EN of an example DORIS design. The
subsystems are represented by rectangles with rounded corners; the activities are
represented by circles; and the IDAs by rectangles, annotated with the protocol
they implement. Some simpli¯cations to the DORIS design notation have been
adopted in this ¯gure to reduce clutter.
The above issues are rarely addressed in formal methods; the need to inte-
grate formal techniques into a design method is therefore underlined.
In the following sections, a formalism for the speci¯cation of the DORIS
activities will be introduced; the formal semantics which have been given to the
DORIS protocols will be described; and real-time transactions, a speci¯cation
construct suitable for de¯ning the temporal behaviour of DORIS subsystems,
will be discussed.
4 Activity Description Language
Activities need a behavioural speci¯cation, and in the DORIS context it is
ideal if the temporal and functional behaviour can be speci¯ed in a common
formalism, because the functional behaviour of an activity will often in°uence
its temporal behaviour, and vice versa. (For example, the value of an input
may determine the type and duration of the computation needed to produce
7
A1 A2
A3 IDA 3
Local
IDA 2
Local 
IDA 4 A4
IDA 1
LocalA1
A3 A4
A2LocalIDA 2
Communication Infrastructure
Processor TwoProcessor One
Dataflow
Composite
SS1 SS2
SS1 SS2
IDA 1
IDA 2
IDA1
Mux. DeMux.
b)
c)
a)
Figure 2: Example of functional (a), application (b), and execution (c) networks
an output. Conversely, the number of inputs which should be handled within a
computation will vary with the duration of that computation.) The formalism
developed for specifying the behaviour of activities is the ADL, [39, 41, 42, 44].
When a formal speci¯cation is given for the temporal behaviour of a process
it is necessary to adopt a progress assumption, which de¯nes how fast the process
will advance through its behaviour. In the context of the DORIS design method,
it would be desirable to be able to use ADL speci¯cations of activities when
reasoning about the temporal behaviour of an application network. However,
from the place of the AN in the DORIS method, the maximum and scheduling
progress assumptions are inappropriate for the ADL. The maximum progress
assumption, which is used, for example, in Timed CSP, [10], is not (directly)
suitable because, in most implementations of DORIS designs, it will not be
the case that each activity will be mapped to a di®erent processor. Similarly,
the scheduling progress assumption, which is used in Hooman's work, [22], is
inappropriate because neither the mapping of activities to processors, nor all the
activities which will be competing for the processors, are identi¯ed until after the
EN is designed. This leaves the \any progress, providing a worse case deadline
8
is met" progress assumption, and it is this deadline progress assumption which
has been adopted in the ADL. (It is also used, for example, in the Temporal
Agent Model (TAM), [47] and [46]). This illustrates how the properties of a
formal speci¯cation language need to be chosen according to the place that the
formalism occupies in the wider development method.
The ADL separates the speci¯cation of the functionality of an activity into
the Activity Functional Behaviour (AFB) notation, a text-based language for
a description of the state and non-reactive functionality of an activity, and the
Activity State-Machine (ASM) notation, a graphical state-based notation for a
description of the timed reactive invocation of the non-reactive operations. The
AFB notation is based on a subset of VDM-SL, [27, 23, 11].
In the graphical ASM notation, two types of state are distinguished, static
and dynamic. Static states are used to model the potential synchronisation
points in an activity's algorithm. These arise when an activity attempts to
communicate using the DORIS synchronous protocols. An activity can be con-
sidered not to be executing when it is in a static state. In contrast, dynamic
states are used to model the periods when an activity is computing. Associated
with each dynamic state is an operation de¯ned using the AFB notation.
A dynamic state may specify that a particular data-°ow line is read or
written, and this corresponds to the `in' parameter and `result' value of the
corresponding AFB operation. A dynamic state may also associate a lower
and upper time bound with an operation. An example of the ADL graphical
notation is given in Figure 3. Ovals represent static states, and rectangles
represent dynamic states. The labels in the top left and right hand corners of a
dynamic state represent the input and output data-°ows, respectively; the labels
in the bottom left and right hand corners represent the lower and upper time
bounds. The division of dynamic states into substates by dotted lines, indicates
that the operations associated with the substates can be executed in any order.
It is appropriate that a speci¯cation language can describe non-deterministic
behaviour to avoid imposing needless constraints.
ADL descriptions are compatible with the communication con¯guration of an
activity. A formal proof-theoretic semantics has been de¯ned for this notation,
[42, 44], given in a many-sorted logic, [30], enriched with the Real-Time Logic
(RTL) occurrence relation, [24, 25, 43]. This will directly support the ability to
perform validation proofs involving activities (point 8 of our manifesto).
The explicit use of the formal speci¯cation language in the VDM-based AFB
notation has been retained so that the advantages of formal speci¯cation should
not be lost, (as advocated in point 7 of our manifesto). In particular, ADL
speci¯cations retain the notion of pre-conditions for dynamic states, and state-
invariants. These have been shown experimentally to make an important con-
tribution to speci¯cation completeness, [12].
Clearly, it has only been possible to give a brief overview of the ADL here;
more detailed treatments can be found in [44] and [42].
9
Ap2
u1
G
p4
p5
c2c1
p4
C
E
p3 p5
F
p3
D
p1
p2
p3
Wp5
l2 u2
l1
l3 u3
B
p2
Sp1g
Sp1a
Figure 3: An Example of the ADL ASM Notation
5 The Formalisation of the Protocols
Activities cannot be connected together directly; they must be linked by data-
°ow paths annotated with one of the DORIS protocols introduced in section
3. Therefore, to reason about a DORIS application or execution network, it is
necessary to provide a formal semantics for these protocols.
To date, two di®erent formalisms have been used to characterise the proto-
cols: CSP, [21] - see [36], and direct axiomatisation in RTL, [43] - see [53]. CSP
has been used to analyse the 4-slot protocol, [6], which supports an asynchronous
implementation of the pool protocol without imposing mutual exclusion between
readers and writers, [49]. This has provided extra con¯dence that the protocol
maintains data coherence, and it has clari¯ed a number of issues concerning
data freshness.
The de¯nition of the RTL axioms for the protocols, and in particular, the
attempt to preserve the structure of the protocol family in Figure 1 via pro-
gressive logical strengthening of the four basic axiomatic de¯nitions, has led to
slight modi¯cation of the protocols, (illustrating point 5 of our manifesto). For
example, a full bounded bu®er now allows the start of one extra write opera-
tion, although it does not allow that operation to terminate until space becomes
available, i.e. when a data item is read and consumed. This not only simpli¯es
the axioms, but incidentally, it has made the integration of the protocols with
the ADL easier.
Most users of DORIS can use the protocols without knowledge of their formal
semantics. However, when it becomes necessary to reason analytically about a
DORIS design, (for example to show that it does not deadlock) the semantics
are essential. Ideally, the growing awareness of the analysis issues is matched
by a growing awareness of how formal techniques serve to clarify and resolve
10
them. Gradually, the engineer will learn how to anticipate aspects of a design
that might unnecessarily complicate proofs, whether or not the proofs are to be
carried out by others.
6 Real-Time Transactions
DORIS subsystems bene¯t from the addition of a formal speci¯cation notation
for their temporal and functional behaviour. Expressing subsystem behaviour
appropriately imposes particular demands on a formal notation. A subsystem is
merely a place-holder for an arbitrary real-time network fragment, which may
contain (when designed and implemented) signi¯cant concurrency and distri-
bution. The behaviour will invariably be reactive, will not obey the synchrony
hypothesis (which assumes that outputs can be produced before subsequent in-
puts arrive, [4]) and will not be easily described using state-based abstractions,
[37]. The informal concept of a real-time transaction has proved useful. In line
with point 4 of our manifesto, we are formalising this concept.
Transactions are most widely known in the context of databases, where
they have the properties of independence, failure atomicity, and permanence,
[57]. Real-time transactions, in contrast, have been advocated for describing
the input-output relations of real-time systems at various levels of abstraction,
[9, 29], including at the level of precedence constraints between processes in
schedulability analysis, [56].
Real-time transactions do not share the independence and failure atomicity
properties of database transactions, [28], because they may interact, produce
intermediate results, and `fail' or `abort' to a state other than their initial state.
We distinguish transaction types, transaction localisations, and transaction
occurrences. A transaction type is the speci¯cation of the transaction, and in-
cludes a de¯nition of its activation (whether it is periodic, sporadic, or con-
ditional); inputs (with any relevant timing constraints, such as input jitter
and time windows); outputs (with any relevant timing constraints); local state;
guards; abort conditions; and functionality. Transaction types can be de¯ned
independently of a particular DORIS design. Transaction localisations are in-
stances of a transaction type in a particular subsystem; it is possible, for exam-
ple, for the same transaction type to have multiple localisations even within the
same subsystem. Transaction occurrences are particular invocations of a trans-
action localisation. It is possible for multiple invocations of the same transaction
localisation to be active at once, although later invocations may not ¯nish before
earlier ones.
A transaction type and its localisation can be de¯ned in a table, and illus-
trated graphically, as is demonstrated for a typical transaction in Table 2 and
in Figure 4. In this example, W1 and W2 are window timing constraints; D is a
deadline; input t is the input which triggers the transaction; the functionality is
only expressed informally; and the right-hand column describes one localisation
of the \Control" transaction by mapping its inputs and outputs to data°ows
around subsystem \SSA".
11
Control in SSA
Activation Sporadic on t P3
Inputs t trigger stim P3
s sensor data W1 P2
c command data - P1
Outputs a actuator command D P4
d display update W2 P5
Local State none
Guard NOT (c=danger)
Abort Condition dangerous(s) OR c = abort
Functionality a = calc act update(s, c)
d = update display(s, c, a)
Table 2: A Tabular Description of an RTT Localisation
P1
P2
P3
P4
P5
T1 : Control
SSA
 
Figure 4: An Example RTT
A number of constraints have been de¯ned on how transactions should be
used in a DORIS design, the dynamic properties that transaction occurrences
may exhibit, and limitations on their interactions. These properties have all
been developed with reference to the typical properties of real-time networks,
and the need to keep the transaction abstraction intuitive, [15].
The real-time transactions work is less advanced than the ADL and pro-
tocol formalisation. Outstanding issues include how best to de¯ne transaction
functionality formally, [20]; and how to formalise the re¯nement relationship
between transactions and real-time networks. However, it is believed that there
is a high probability that this research, once it has matured, will transfer suc-
cessfully into industrial practice within Matra BAe Dynamics, because of its
strong integration into the DORIS design method.
More detailed information about real-time transactions can be found in [38,
13, 15, 14, 16, 17, 40, 18] and [20]. More recent work has look at embedding
real-time transactions within real-time interactions, [19].
12
7 Tool Support
The transfer of technology into industrial practice is dependent upon the avail-
ability and quality of the tool support. Ideally, not only would all the notations
and methods be integrated properly (as argued in this report), but so would their
tool support. This implies that the CASE tool supporting the architectural de-
sign method will take the central role among the toolset, as the architectural
design method does among the notations. Unless a complete COTS method
and tool-suite is available, this CASE tool will need to be in-house so that it
can be modi¯ed and integrated with the other tools.
Matra BAe Dynamics have the graphical in-house tool, MADGE (MAscot
Design GEnerator), which supports MASCOT-3 and a number of the DORIS
extensions; including the automatic generation of Ada and SPARK code to
implement the architecture. It is planned to develop MADGE so that it supports
more of DORIS, and perhaps the ADL and real-time transaction notations when
they become more mature. Tool support, [42] has been built which checks the
syntax and static semantics of ADL speci¯cations, and which automatically
generates a formal model of the behaviour in a form suitable the PVS theorem
prover, [35].
8 Conclusions
Formal techniques for large systems should be integrated into an architectural
design method, not only to ease technology transfer, but also because they will
only be applied to selected subsystems and at certain stages of the development
process. We have presented an eight point manifesto on integrating formal
techniques into architectural design notations which distils lessons learnt from
developing formal methods for BAE SYSTEMS. The manifesto was illustrated
by reference to the integration of the ADL, real-time transactions, and protocol
semantics into the DORIS design method.
The relative immaturity of our notations and their tool support, means that
it is not yet possible to discuss actual experience of technology transfer. How-
ever, because of the philosophy adopted, and the involvement of engineers in
reviewing the work, successful technology transfer is anticipated. It is hard to
measure or anticipate the cost of adopting a new and untried technology, but
when the new technology is clearly compatible with existing practices, and over-
comes an obvious de¯ciency in current practice, this becomes a less signi¯cant
problem. Furthermore, in our experience, it is not a problem for professional
software engineers to learn formal methods, once their advantages are clearly
perceived, and their analytic capabilities have been demonstrated.
9 Acknowledgements
Matra BAe Dynamics Ltd. and the DCSC funded this research. Our ideas
have bene¯ted from conversations with Drs H.R. Simpson and J.S. Fitzgerald.
13
The authors thank anonymous referees for pointing out that the weaknesses of
this report include: the lack of appropriate interaction with the literature on
integrating formal and informal methods; and the failure to use a single example
to illustrate the notations described.
References
[1] N. Audsley, A. Burns, M. Richardson, K. Tindall, and A.J. Wellings. Ap-
plying New Scheduling Theory to Static Priority Pre-emptive Scheduling.
Software Engineering Journal, 8(5):284{292, 1993.
[2] S. Austin and G.I. Parkin. Formal Methods: A Survey. Technical report,
National Physical Laboratory, 1992.
[3] L. Barroca and J.A. McDermid. Formal Methods: Use and Relevance for
the Development of Safety Critical Systems. The Computer Journal, 35(6),
1992.
[4] G. Berry and G. Gonthier. The ESTEREL Synchronous Programming
Language: Design, Semantics, and Implementation. Science of Computer
Programming, 19:87{152, 1992.
[5] Jonathan Bowen and V. Stavridou. Safety-Critical Systems, Formal Meth-
ods, and Standards. Software Engineering Journal, 8(4):189{209, 1993.
[6] P. Brooke, J.L. Jacob, and J.M. Armstrong. Analysis of the Four-Slot
Mechanism. In Proceedings of the BCS-FACS Northern Formal Methods
Workshop, 1996.
[7] T. Brooks, J.S. Fitzgerald, and P.G. Larsen. Formal and Informal Spec-
i¯cations of a Secure System Component: Final results of a Comparative
Study. In Proceedings of the 3rd International Symposium of Formal Meth-
ods Europe, volume 1051 of Lecture Notes in Computer Science. Springer,
1996.
[8] Alan Burns. Preemptive Priority-Based Scheduling: An Appropriate En-
gineering Approach. In S.H. Son, editor, Advances in Real-Time Systems,
pages 225{248. Prentice-Hall, 1995.
[9] J. Buxton and J.A. McDermid. Architectural Design. In McDermid [31].
[10] Jim Davies and Steve Schneider. An Introduction to Timed CSP. Technical
Report PRG-75, Oxford University Computing Laboratory - Programming
Research Group, August 1989.
[11] J.S. Fitzgerald and P.G. Larsen. Modelling Systems: Practical Tools and
Techniques in Software Development. Cambridge University Press, 1998.
14
[12] J.S. Fitzgerald, P.G. Larsen, T. Brooks, and M. Green. Developing a
Security-critical System using Formal and Conventional Methods. In M.G.
Hinchey and J.P. Bowen, editors, Applications of Formal Methods. Prentice
Hall International Series in Computer Science, 1995.
[13] J. Haveman. Examples of the Use of Transactions in Real-Time Systems.
Technical Report DCSC/TR/96/07, BAE SYSTEMS DCSC, University of
Newcastle, 1996.
[14] J. Haveman. Transaction Decomposition: Re¯nement of Timing Con-
straints. In Proceedings of the South Paci¯c Conference on Formal Methods,
1997.
[15] J. Haveman, J.M. Armstrong, and S.E. Paynter. Transactions in Real-Time
Systems. Technical Report DCSC/TR/96/06, BAE SYSTEMS DCSC, Uni-
versity of Newcastle, 1996.
[16] J. Haveman, S.E. Paynter, and J.M. Armstrong. A Transaction Model for
Real-Time Systems. Technical Report DCSC/TR/97/05, BAE SYSTEMS
DCSC, University of Newcastle, 1997.
[17] J. Haveman and S. Pearson. Tracing Transactions. Technical Report
DCSC/TR/97/01, BAE SYSTEMS DCSC, University of Newcastle, 1997.
[18] N. Henderson. Tool Support for the Analysis of Real-Time Transactions.
Technical Report DCSC/TR/1999/03, BAE SYSTEMS DCSC, University
of Newcastle, September 1999.
[19] N. Henderson. Introducing Real-Time Interactions. Technical Report
DCSC/TR/2000/12, BAE SYSTEMS DCSC, University of Newcastle,
November 2000.
[20] N. Henderson. Specifying the Functionality of Real-Time Transactions.
Technical Report DCSC/TR/2000/05, BAE SYSTEMS DCSC, University
of Newcastle, March 2000.
[21] C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall Inter-
national Series in Computer Science, 1985.
[22] J. Hooman. Speci¯cation and Compositional Veri¯cation of Real-Time Sys-
tems. Number 558 in Lecture Notes in Computer Science. Springer-Verlag,
1991.
[23] International Standards Organisation. Vienna Development Method - Spec-
i¯cation Language { Part 1 Base Language, 1996. Information Technology -
Programming languages, their environments and system software interfaces
{ ISO / IEC 13817-1.
[24] F. Jahanian and A.K. Mok. Safety Analysis of Timing Properties in Real-
Time Systems. IEEE Transactions on Software Engineering, 12(9):890{904,
December 1986.
15
[25] F. Jahanian, A.K. Mok, and D.A. Stuart. Formal Speci¯cation of Real-time
Systems. Technical Report TR-88-25, Department of Computer Science -
University of Texas at Austin, June 1988.
[26] Joint IECCA and MUF Committee on MASCOT (JIMCOM). The O±cial
Handbook of MASCOT: Version 3.1 - Issue 1, June 1987. Crown Copyright.
[27] C.B. Jones. Systematic Software Development Using VDM: Second Edition.
Prentice-Hall International Series in Computer Science, 1990.
[28] H. Kopetz. Real-Time Systems. In McDermid [31].
[29] H. Kopetz, R. Zainlinger, G. Fohler, H. Kantz, P. Puschner, and W. Sch*tz.
The Design of Real-Time Systems: From Speci¯cation to Implementation
and Veri¯cation. Software Engineering Journal, 6(3):72{82, 1991.
[30] M. Manzano. Introduction to Many-Sorted Logic. In K. Meinke and J.V.
Tucker, editors, Many-Sorted Logic and its Applications. Wiley Professional
Computing, 1993.
[31] J.A. McDermid, editor. Software Engineering Reference Book.
Butterworth-Heinemann, 1991.
[32] Ministry of Defence. Modular Approach to Software Construction, Opera-
tion, and Test - MASCOT, 1985. Defence Standard 00-17.
[33] Ministry of Defence. The Procurement of Safety-Critical Software in De-
fence Equipment, 1997. Defence Standard 00-55.
[34] Ministry of Defence { Sea Systems Controllerate. Requirements for Software
for use with Digital Processors, 1991. Naval Engineering Standard NES 620
{ Issue 4.
[35] S. Owre, N. Shanker, J.M. Rushby, and D.W.J. Stringer-Calvert. PVS
System Guide: Version 2.3. Technical report, Computer Science Laboratory
- SRI International, September 1999.
[36] S.E. Paynter. The Formalisation of Software Development Using MAS-
COT. PhD thesis, Department of Mathematics, University of Southamp-
ton, September 1993.
[37] S.E. Paynter. Real-Time Mode-Machines. In Bengt Jonsson and Joachim
Parrow, editors, Proceedings of the 4th International Symposium on For-
mal Techniques in Real-Time and Fault Tolerant Systems, number 1135 in
Lecture Notes in Computer Science, pages 90{109. Springer, 1996.
[38] S.E. Paynter. Towards Transactions for Real-Time Networks. Technical
Report DR 10869, British Aerospace Defence - Dynamics, 1996.
[39] S.E. Paynter. Progress in Developing a Formal Activity Description Lan-
guage. Technical Report DR 14727, Matra BAe Dynamics, 1997.
16
[40] S.E. Paynter. Real-Time Transactions Revisited. Technical Report DR
16972, Matra BAe Dynamics, 1999.
[41] S.E. Paynter. The Syntax and Semantics of the Activity Description Lan-
guage. Technical Report DR 18159, Matra BAe Dynamics, 1999.
[42] S.E. Paynter. RTN-SL: The Real-Time Network Speci¯cation Language.
Technical Report DR 20656, Matra BAe Dynamics, 2000.
[43] S.E. Paynter. Real-Time Logic Revisited. In Proceedings of Formal Methods
Europe 2001, Lecture Notes in Computer Science. Springer, 2001.
[44] S.E. Paynter, J.M. Armstrong, and J. Haveman. ADL: An Activity De-
scription Language for Real-Time Networks. Formal Aspects of Computing,
12(2):120{144, 2000.
[45] D.A. Schmidt. Denotational Semantics: A Methodology for Language De-
velopment. Wm. C. Brown Publishers, 1986.
[46] D. Schole¯eld. Real-Time Re¯nement in Manna and Pnueli's Temporal
Logic. Formal Aspects of Computing, 8(4):408{427, 1996.
[47] D. Schole¯eld and H.S.M. Zedan. TAM: A Formal Framework for the
Development of Distributed Real-Time Systems. In J. Vytopil, editor,
Proceedings of the 2nd International Symposium on Formal Techniques in
Real-Time and Fault Tolerant Systems, number 571 in Lecture Notes in
Computer Science. Springer-Verlag, 1992.
[48] H.R. Simpson. The MASCOT Method. Software Engineering Journal,
1(3):103{120, 1986.
[49] H.R. Simpson. Four-Slot Fully Asynchronous Communication Mechanism.
IEE Proceedings, 137 Part E(1):17{30, January 1990.
[50] H.R. Simpson. Architecture for Computer Based Systems. In IEEE Work-
shop on the Engineering of Computer Based Systems, 1994.
[51] H.R. Simpson. Methodological and Notational Conventions in DORIS Real-
time Networks. Technical Report IED Supporting Predictable Implementa-
tion of Requirements in Timing and Safety (SPIRITS) Deliverable, Matra
BAe Dynamics, 1994.
[52] H.R. Simpson. Layered Architecture(s): Principles and Practice in Con-
current and Distributed Systems. In Proc. of the 8th IEEE Symposium on
Parallel and Distributed Processing, 1996.
[53] H.R. Simpson. Protocols for Process Interaction: Part 1 - Rationale and
Speci¯cation. Technical Report DR 20197, Matra BAe Dynamics, 2000.
[54] H.R. Simpson. Protocols for Process Interaction: Part 2 - Application.
Technical Report DR 20198, Matra BAe Dynamics, 2000.
17
[55] H.R. Simpson. Protocols for Process Interaction: Part 3 - Realisation.
Technical Report DR 20199, Matra BAe Dynamics, 2000.
[56] K. Tindall. Adding Time-O®sets to Schedulability Analysis. Technical
Report YCS-221, Department of Computer Science - University of York,
January 1994.
[57] R.P. Whittington. Database Systems. In McDermid [31].
[58] G. Woodward. Rapier 2000 Software Development Programme. Software
Engineering Journal, 11(2):82{87, 1996.
18
