Hans Rischel
Technical University of Denmark
Publication
Featured research published by Hans Rischel.
international symposium organized jointly with working group provably correct systems on formal techniques in real time and fault tolerant systems | 1994
He Jifeng; C. A. R. Hoare; Martin Fränzle; Markus Müller-Olm; Ernst-Rüdiger Olderog; Michael Schenke; Michael R. Hansen; Anders Peter Ravn; Hans Rischel
As computers increasingly control the systems and services we depend upon within our daily lives like transport, communications, and the media, ensuring these systems function correctly is of utmost importance. This book consists of twelve chapters and one historical account that were presented at a workshop in London in 2015, marking the 25th anniversary of the European ESPRIT Basic Research project ProCoS (Provably Correct Systems). The ProCoS I and II projects pioneered and accelerated the automation of verification techniques, resulting in a wide range of applications within many trades and sectors such as aerospace, electronics, communications, and retail. The following topics are covered: an historical account of the ProCoS project; Hybrid Systems; Correctness of Concurrent Algorithms; Interfaces and Linking; Automatic Verification; Run-time Assertions Checking; Formal and Semi-Formal Methods. Provably Correct Systems provides researchers, designers and engineers with a complete overview of the ProCoS initiative, past and present, and explores current developments and perspectives within the field.
ACM Sigsoft Software Engineering Notes | 1991
Kirsten Mark Hansen; Anders Peter Ravn; Hans Rischel
An approach to specification of requirements and verification of design for real-time systems is presented. A system is defined by a conventional mathematical model for a dynamic system where application specific states denote functions of real time. Specifications are formulas in duration calculus, a real-time interval logic, where predicates define durations of states. Requirements define safety and functionality constraints on the system or a component. A top-level design is given by a control law: a predicate that defines an automaton controlling the transition between phases of operation. Each phase maintains certain relations among the system states; this is analogous to the control functions known from conventional control theory. The top-level design is decomposed into an architecture for a distributed system with specifications for sensor, actuator, and program components. Programs control the distributed computation through synchronous events. Sensors and actuators relate events with system states. Verification is a deduction showing that a design implies requirements.
Real-time Systems | 1992
J.U. Skakkebaek; Anders P. Ravn; Hans Rischel; Zhou Chaochen
An approach to requirements specification and subsequent verification of designs for embedded, real-time systems is presented. A system is given by a conventional mathematical model for a dynamic system, where application specific state variables denote total functions of real time. Specifications are formulas in a real-time, interval temporal logic, where atomic predicates define durations of states. Requirements are specified by a conjunction of formulas, which reflect safety and functionality constraints on the total system. A design specifies the behaviour of components and the conjunction of component specifications can be shown to imply the requirements. Designs can be refined in a similar fashion.
conference on current trends in theory and practice of informatics | 1995
Hans Rischel; Jorge Cuellar; Simon Mørk; Anders Peter Ravn; Isolde Wildgruber
This paper presents an approach to the development of safety-critical real-time systems linking from the Requirements Language developed in the ESPRIT Project ProCoS to the Temporal Language of Transitions (TLT) specification language developed at Siemens Corporate Research. A system is defined by a conventional mathematical model for a dynamic system where application specific states denote functions of time. Requirements are constraints on the system states, and they are given by formulas in duration calculus (DC), a real-time interval logic. A functional design is a distributed system consisting of sensors, actuators, and a program which communicate through shared states. The sensors and actuators are specified in DC while the program is specified in TLT. The design as a whole is linked together semantically by using a DC semantics for TLT. Verification is a deduction showing that a design implies requirements. The TLT specification is the basis for developing the control program. The method is illustrated by a steam-boiler example.
Hybrid Systems II | 1995
Anders P. Ravn; Hans Rischel; Finn Conrad; Torben O. Andersen
An experiment with a distributed architecture to support a hybrid controller for a robot is described. For a desired trajectory, the controller plans a schedule for switching between a fixed set of control functions. Initial results indicate that the proposed architecture is better at achieving a desired trajectory than conventional control algorithms. The experiment also illustrates a division of concerns between software engineering and control engineering. Development of controlling real-time state machines and their mapping to processors and network is the task of software engineering, while the control engineer must identify plant phases, switching conditions and relevant control laws. These define algorithms for a planner and for the control functions. The format of schedules produced by the planner and the algorithms constitute the interface to software developers.
Bit Numerical Mathematics | 1988
Anders Peter Ravn; Hans Rischel; Hans Henrik Løvengreen
A method for design of embedded real-time systems is described. We discuss how the method separates concerns and at what points theory is applied. We also report on our experience from teaching the method to engineers from several Danish companies and their experience in using the method in real development projects.
Lecture Notes in Computer Science | 1996
Anders Peter Ravn; Thomas Juul Eriksen; Michael Holdgaard; Hans Rischel
The core of this paper reports on development of a multi-threaded, multiprocessor program for an embedded system. It covers all phases of the development from requirements through successively refined designs with formal verification to implementation. The program controls an experimental hydraulically powered manipulator with two links. The architecture uses local control for each of the links, and has a mode switched control algorithm which detects and reacts to changes in model parameters due to variations in the forces acting on the link. The result shows that it is feasible to check a design against realistic top level requirements with specific assumptions about the control and mode detection algorithms. The design is detailed to an architecture that isolates these and other algorithms supplied by control engineers, thus providing a precise interface description with a potential for reuse. Specifications of requirements and designs are expressed in duration calculus, a real-time interval logic, which is also used in verification. The implementation is done in occam for a network of four transputers. Low level timing constraints are checked manually by calculating path lengths.
frontiers in education conference | 1999
Michael R. Hansen; Jens Thyge Kristensen; Hans Rischel
This paper presents an introductory programming course designed to teach programming as an intellectual activity. The course emphasizes understandable concepts which can be useful in designing programs, while the oddities of today's technology are considered of secondary importance. An important goal is to fight the trial-and-error approach to programming which is a result of the students' battles with horribly designed and documented systems and languages prior to their studies at university. Instead, the authors strive for giving the students a good experience of programming as a systematic, intellectual activity where the solution of a programming problem can be described in an understandable way. The approach is illustrated by an example which is a commented solution of a problem posed to the students in the course.
frontiers in education conference | 2001
Jens Thyge Kristensen; Michael R. Hansen; Hans Rischel
In the Informatics Programme at the Technical University of Denmark, the authors base the first course in object-oriented programming (using the Java language) on a preceding course in functional programming (using the SML language). The students may hence exploit concepts from functional programming in the construction of OO programs. This is done following a method where the program design is expressed in SML and afterwards implemented in Java. The use of different languages in design and implementation is an advantage as it makes the distinction between these two stages very clear. They give examples showing that SML designs allow them to develop and compare OO implementations with different class structures for the same programming problem. A discussion of this kind is not supported in traditional OO methodology. The program design in SML has also been shown to be useful for the students when documenting the program.
Correct System Design, Recent Insight and Advances, (to Hans Langmaack on the occasion of his retirement from his professorship at the University of Kiel) | 1999
Anders Peter Ravn; Hans Rischel
The Provably Correct Systems project [5, 6] developed links between layers of formal specifications for real-time systems. These layers cover requirements capture, design, programming and code generation. In this paper we trace real-time constraints through the layers in order to inspect their changing forms. They originate in constraints on continuous dynamical models of physical phenomena. However, in a digital system it is desirable to abstract the complexities of these models to simple clocks, and further to events in a reactive system. This paradigm is the main topic of this paper. We illustrate the different forms of timing constraints in duration calculus, a real-time interval logic.