
A Refinement Calculus for the Development of Real-time Systems

Zhiqiang Chen, Antonio Cau, Hussein Zedan, Xiaodong Liu and Hongji Yang
Software Technology Research Laboratory, De Montfort University, Leicester LE1 9BH, UK
{zqc,cau,zedan,xdl,hjy}@dmu.ac.uk

Abstract

We present a calculus which can transfer specifications to objects for the development of real-time systems. The object model is based on a practical OO development technique, HRT-HOOD. A real-time logic is specified by extending a sound formal method for real-time systems, TAM, to formalise the object model. With the integration of HRT-HOOD and TAM, the advantages of object-oriented structured methods and of stepwise refinement techniques are combined. The result is illustrated on a case study.

1. Introduction

HRT-HOOD [1] is an object-oriented development technique that extends the structured methodology HOOD [2] to provide objects with both the functional and the temporal requirements of real-time systems. The classification of objects in HRT-HOOD characterises the temporal properties of real-time systems. This domain-specific style, with its graphical representation and object description skeleton, makes HRT-HOOD a concise, cohesive and powerful set of capabilities. Moreover, HRT-HOOD provides a technique that systematically transforms the design into Ada code, which gives unifying support to the development of real-time systems.

We note that most practical structured and OO software development techniques follow software engineering principles that help developers to avoid errors occurring in the development process (especially at early stages) as much as possible, but fail to eliminate them completely. However, complete elimination of errors in the development process has been one of the major aims of software engineering.

Formal methods are believed to be the most important means by which that aim (and others) of software engineering can probably be achieved, thanks to their capabilities for precise description and mathematical verification. In the development of real-time systems, formal methods can ensure the correctness of both functional and temporal requirements. By now, a large number of formal methods for the development of real-time systems have been put forward, including those based on logics, (process) algebra, nets/graphics or models (for a more detailed review, we refer the reader to [3]).

One of the underlying formal models of our present work is TAM (Temporal Agent Model) [4,5,6,7], which is a realistic formal software development method for real-time systems. In TAM, the stepwise refinement development method is employed by means of executable constructs together with a specification statement. The TAM theory views a real-time system as a collection of concurrently executing agents. These agents communicate via shunts, which are time-stamped with the time of the most recent write. The TAM real-time logic consists of first-order predicate logic with a few extensions. A timing function is used to represent the value found in variables and shunts at a specific time, and projection functions are used to refer to the time-stamp and the value found in a shunt respectively. Specifications are therefore constraints on the relationship between time-stamps and values found in shunts during the lifetime of the system. A mechanism for specifying duration is provided by the release and termination times of the system or agents, which may be predicated over in the usual way. TAM has a set of refinement laws, which are a set of syntactic rewrite rules. These rules enable software developers to transform a requirement specification into an executable program.

We also note that, although immense benefits may be brought by formal methods, turning them into sound practice has proved to be extremely difficult. Some "pure" formal methods may keep practically-oriented software engineers from employing their benefits. It has been believed that combining formal methods with practical development techniques, such as SSADM and OO approaches, can be a fruitful approach when modelling and developing large-scale and complex software systems. On the one hand, by formalising the constructs of a practical development technique, formal methods can force the meaning of each system component to be more rigorous. On the other hand, using practical structured and OO techniques with formal methods can make formal methods more acceptable for use by a large community. Much work has been undertaken in extending formal notations such as Z and VDM to include the SSADM and OO paradigms, such as [8,9,10].

Authorized licensed use limited to: Edinburgh Napier University. Downloaded on July 20,2010 at 13:40:22 UTC from IEEE Xplore. Restrictions apply.

In this paper, we present our work on the combination of a practical OO development technique and a formal method, mentioned above, by formalising HRT-HOOD [1] with TAM [5], in which a refinement calculus is provided to transform requirements/specifications mathematically into objects for real-time systems. We extended TAM with the capability of describing the behaviours of objects (a computational object model) and method invocations. The computational model is defined based on HRT-HOOD; it focuses on specification and may be refined by corresponding HRT-HOOD objects. HRT-HOOD is used to decompose the system's requirements. Each sub-requirement is formalised using the TAM specification statement, which is subsequently refined into objects by using a set of refinement laws.

In the next section, we introduce the computational object model and its syntax. A corresponding real-time logic is given briefly in Section 3, which is used to describe abstract specifications and define the semantics. Based on the real-time logic, a refinement calculus is specified in Section 4. We demonstrate the application of the calculus with a case study in Section 5. Some conclusions are presented in the final section.

2. Computational Object Model

The computational model we use is an extension of that adapted in TAM [5], obtained by introducing the objects defined in HRT-HOOD [1]. In the model, a real-time system is viewed as a collection of concurrent activities, which are initiated either periodically or sporadically, together with services which can be requested by the execution of the activities. The operations of the activities and services, as threads and methods, are allocated to the corresponding objects (an encapsulated operation environment for the thread or methods) according to their functional and temporal requirements and the relationships between them.

Like HRT-HOOD, five types of objects are defined in our model: sporadic objects, cyclic objects, protected objects, passive objects and active objects. Threads are defined in both sporadic and cyclic objects; they activate and terminate with the corresponding objects and are concurrent with each other, and their executions may be either concurrent or sequential. Invocations of methods can be either asynchronous or synchronous. Recursive invocations between methods are prohibited, whether direct or indirect.

An object consists of a declaration and method(s) in a structure. The declaration presents the definitions of attributes and/or an execution environment for the methods defined in the object. The attributes of an object include: (1) object type: we use A, S, C, P and Pr to represent, respectively, that the object is active, sporadic, cyclic, passive or protected; (2) provided methods: we use ProvidedMethods_o to denote the provided method set of an object o. They are declared in the form m[in; out], where m is a method name which is free in the object, and in and out are sets which present the parameters transferred between m and its clients; (3) used methods: we use UsedMethods_o to denote the used method set of an object o. The elements of the set UsedMethods_o take the form o'; m', where m' is a method to be invoked by o and is defined in o'. UsedMethods_o defines use relationships between o and the objects in UsedMethods_o. Such relationships specify control flows between objects and, together with in_m and out_m, data flows are also specified.

Other attributes vary with the type of object: (1) the activation interval of the thread for a cyclic object; (2) the minimum activation interval of the thread for a sporadic object; (3) the child object set for an active object. We use ChildObjects_o to denote the child object set of o if o is an active object. ChildObjects_o specifies an include relationship between o and its child objects, on which the decomposition process is based; (4) the environment of a non-active object is a set of data over which the methods of the object execute for computations and communications. The data include constants, variables and shunts. For cyclic and sporadic objects, an activation period and a minimum activation interval, respectively, are specified in the environment declaration. We use ObjEnv_o to denote the environment set of an object o.

A method consists of a head and a body. The head specifies a method name and a local environment (if necessary) of the method. The body specifies operations over either the object environment or the method environment, or both. We use Methods_o to denote the set of methods defined by the object o.

The operations are described by means of agents, which may be either abstract or concrete. A method can define its local execution environment. We use MthEnv_m to denote the local environment of the method m. If in_m ≠ ∅ and/or out_m ≠ ∅, then they are defined in MthEnv_m. A method m is defined in the form

    m[in; out] =def [MthEnv_m] A end
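The object model described in this section, as an added example that is not part of the paper: a small Python model of objects carrying ProvidedMethods_o, UsedMethods_o (as (o', m') pairs on each method) and ObjEnv_o, with checks for the rules stated above: a used method must be defined in the object it names, cyclic and sporadic objects must declare their period or minimum activation interval, and no invocation chain may be recursive, directly or indirectly. The field names, the check logic and the sample objects are assumptions made for this example.

```python
from dataclasses import dataclass, field
@dataclass
class Method:
    name: str
    ins: frozenset = frozenset()   # in_m: parameters received from clients
    outs: frozenset = frozenset()  # out_m: parameters returned to clients
    uses: tuple = ()               # (o', m') pairs that m invokes; these form UsedMethods_o
@dataclass
class Obj:
    name: str
    otype: str                                   # A, S, C, P or Pr as in the paper
    methods: dict = field(default_factory=dict)  # ProvidedMethods_o: method name -> Method
    env: dict = field(default_factory=dict)      # ObjEnv_o: data plus period or minimum interval
def check_model(objs):
    """Return violations of the rules stated in the text (the checks are assumed ones)."""
    errs = []
    for o in objs.values():
        if o.otype == "C" and "period" not in o.env:
            errs.append(f"{o.name}: cyclic object lacks an activation period")
        if o.otype == "S" and "min_interval" not in o.env:
            errs.append(f"{o.name}: sporadic object lacks a minimum activation interval")
        for m in o.methods.values():
            for o2, m2 in m.uses:  # a used method must be provided by the object it names
                if o2 not in objs or m2 not in objs[o2].methods:
                    errs.append(f"{o.name}.{m.name}: uses undefined {o2}.{m2}")
    return errs + find_recursion(objs)
def find_recursion(objs):
    """DFS over the use graph; a back edge is a direct or indirect recursive invocation."""
    graph = {(o.name, m.name): m.uses for o in objs.values() for m in o.methods.values()}
    state, errs = {}, []
    def visit(node, path):
        state[node] = "active"
        for nxt in graph.get(node, ()):
            if state.get(nxt) == "active":
                cyc = path[path.index(nxt):] + [nxt]
                errs.append("recursive invocation: " + " -> ".join(f"{o}.{m}" for o, m in cyc))
            elif nxt not in state:
                visit(nxt, path + [nxt])
        state[node] = "done"
    for n in graph:
        if n not in state:
            visit(n, [n])
    return errs

# Constructed sample: cyclic sensor uses passive filter, filter uses protected store,
# and the store wrongly calls back into the filter (an indirect recursion).
SAMPLE = {
    "sensor": Obj("sensor", "C", {"read": Method("read", uses=(("filter", "smooth"),))}, {"period": 10}),
    "filter": Obj("filter", "P", {"smooth": Method("smooth", {"x"}, {"y"}, (("store", "put"),))}),
    "store": Obj("store", "Pr", {"put": Method("put", {"v"}, uses=(("filter", "smooth"),))}),
}
```

Running `check_model(SAMPLE)` reports the filter/store invocation cycle; removing the store's call back into the filter yields an empty violation list.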