
ProCoS II ESPRIT Basic Research 7071

A ProCoS II Project Final Report: ESPRIT Basic Research project 7071

Jonathan Bowen (1), C.A.R. Hoare (1), Hans Langmaack (2), Ernst-Rüdiger Olderog (3), Anders P. Ravn (4)

(1) Oxford University, UK
(2) Christian-Albrechts-Universität Kiel, Germany
(3) University of Oldenburg, Germany
(4) Technical University of Denmark

Email: [email protected]
URL: http://www.comlab.ox.ac.uk/archive/procos.html

Abstract

An overview of the research and associated activities of the European collaborative ESPRIT Basic Research ProCoS II project (no. 7071) on "Provably Correct Systems", which ran from 1992 to 1995, is presented. This was a follow-on project to ProCoS (no. 3104) and ran in parallel with the ProCoS-WG Working Group (no. 8694), all previously announced in the Bulletin of the EATCS [3, 17, 18]. A comprehensive bibliography of publications with selected project documents is included for those wishing to study the results of the project in greater depth.

Footnote (Jonathan Bowen): Now a lecturer at the Department of Computer Science, University of Reading, Whiteknights, PO Box 225, Reading, Berks RG6 6AY, UK, since 1st October 1995. Email: [email protected] URL: http://www.cs.reading.ac.uk/people/jpb/

1 Introduction

The ESPRIT ProCoS II Project [17, 95, 96] on "Provably Correct Systems" reformed after the original ProCoS I project (1989–1991) [3] as a tightly focussed project with just four partners from 1992 until 1995. The project aimed to perform research in the fundamental technical aspects of a development process for critical embedded systems, from the original capture of requirements all the way down to the computers and special purpose hardware on which the programs run. The approach adopted was inspired by pioneering work at Computational Logic Inc. (CLInc) in Austin, Texas [166]. The distinctive approach of the European effort was to emphasise the following:

1. A constructive approach to correctness, using proven transformations between specifications and designs and programs and compilers and hardware. Thus errors at this stage are avoided, so their absence never needs proving subsequently.

2. The use of a common abstract mathematical model to aid global consistency across all the interfaces between design phases, notations, and technologies.

3. The inclusion of explicit parallelism and timing constraints within the development.

In these ways we aimed to achieve an advance in technology and to deliver theories and transformations which could be reused subsequently. The partners in the project were as follows:

1. Oxford University Computing Laboratory, Wolfson Building, Parks Road, Oxford, OX1 3QD, U.K. Responsible for technical and managerial coordination. The site concentrated on theoretical underpinning to secure consistency of all the interfaces involved and also in the area of hardware compilation. Prof. Tony Hoare led the site and the project, with the help of Jonathan Bowen, Stephen Brien, He Jifeng, Wayne Luk, Ian Page and Augusto Sampaio.

2. DTU, Computer Systems Section, Department of Information Technology, Building 344, Technical University of Denmark, DK-2800 Lyngby, Denmark. Responsible for case studies, interface to control engineering, etc. Concentrated on capture and formalisation of requirements, and the development of specifications from these for the computer-controlled components of the system. Anders P. Ravn (who was at Kiel as a DFG-Visiting Professor for a half year semester during the project) was the site leader, aided by Kirsten M. Hansen, Michael R. Hansen (who visited Oldenburg for an extended period during the project), Jens Nordahl, Hans Rischel, Jens U. Skakkebæk and E.V. Sørensen. Longer term visitors who contributed to the project were Marcin Engel, Zhiming Liu and Paulo Masiero. Zhou Chaochen was an inspirational visitor at DTU from UNU/IIST, Macau, during the project.

3. University of Oldenburg, FB10 - Informatik, Ammerländer Heerstraße 114–118, D-2900 Oldenburg, Germany. Responsible for production of correct programs. Concentrated on the design process from specification to the code of programs. Prof. Ernst-Rüdiger Olderog was the site leader, with Jürgen Bohn, Stephan Kleuker, Stephan Rössig and Michael Schenke (who is currently at Oxford for a year) as team members.

4. Christian-Albrechts-Universität Kiel, Institut für Informatik und Praktische Mathematik, Preußerstraße 1–9, D-2300 Kiel 1, Germany. Responsible for production of correct machine code from timed high-level programs. Concentrated on development techniques for a provably correct compiler. Prof. Hans Langmaack led the site with Bettina Buth, Karl-Heinz Buth, Martin Fränzle, Burghard von Karger (who visited Oxford for a year during the project) and Markus Müller-Olm as members of the research group that did work for or related to the project.

Each site was responsible for progressing case studies, in particular a gas burner example that has become something of a benchmark for formal methods intended for application in embedded systems [61]. In addition, there was a great deal of associated work not funded by the CEC, but of direct relevance to the project. This symbiosis was highly beneficial at all the project sites. Oxford was in charge of overall technical and managerial coordination and Figure 1 shows the main work parts of the project. The workplan for ProCoS II was structured around the research areas discussed in the following sections.

Figure 1: Work part interdependencies and responsibilities. [Diagram not reproduced; the work parts and responsible sites it shows are: Unified theories: Oxford; Requirements: Lyngby; Specification: Oldenburg; Program: Kiel; Hardware: Oxford; Machine: Kiel.]

2 Technical Coordination – Oxford

It has been a great privilege to work with excellent colleagues in the countries of the European Union. Our collaboration in the ProCoS project has led directly to a better general understanding of the relationship between a range of theories, and how their combination can be used in the planning and development of critical software tasks. As in any basic research, not everything went according to plan: indeed, it is the unexpected deviations from plan that signal the most interesting discoveries.

The project was inspired by the CLI Stack project of Computational Logic Inc. (Austin, Texas, USA) [166], which has obtained mechanical verification of the correctness of a range of components involved in the implementation of a computer program: a verification condition generator, a compiler, an assembler, an operating system and a computer architecture. The ProCoS project therefore paid more attention to the stages of specification, design and development of application programs, particularly for embedded real time control. This required treatment of input, output and concurrency, for which we adopted the Occam/CSP theories [88, 89, 104]. We regarded our work as largely conceptual, and made no commitment to machine checked proofs. In summary, the project was sufficiently different from the U.S. achievement that little direct use could be made of their results.

In the first phase (ProCoS I), proof methods were based on the Milner and Plotkin techniques of operational semantics and bisimulation, particularly for the compiling task. This was surprisingly laborious, and specific to a particular choice of compiler / language / machine. We could not see any easy method of generalising the results to other combinations such as would be needed for practical application. Operational reasoning seemed less appropriate for the higher levels of abstraction at which design is discussed.
Quite early in the second phase of the project, the operational approach was abandoned in favour of a somewhat more abstract algebraic approach for validating the compiling transformations. The design of an application program was expected to pass through several conceptually distinguished stages. In the first stage of requirements capture the concepts should be close to the application domain; for this we chose the "Duration Calculus" (DC) [173], an extended version of Interval Temporal Logic; further extensions were made as the need arose. Coding is the last stage in program design; and for this the conceptual level must be the same as that of the implemented programming language. Here, the theory of CSP [89] was the starting point; but various extensions and simplifications were made to meet the specific goals of the compiler project. The conceptual gap between Duration Calculus and Occam code is wide; the former is concerned with evolution of state through time, whereas the latter hides the local state of processes. Its observable behaviour is described in terms of sequences of essentially instantaneous events, with the passage of time controlled by explicit waits. The transition between these levels can be split into several stages (and substages):

1. Reduction of the DC specification to a subset of the notations of DC, known as "implementables".

2. Expression of these implementables in the framework of timed regular expressions. But this transformation is only partial; some of the state variables of DC are preserved as local variables of sequential processes of the Occam language. The mixture of regular expressions with state machines is known as SL. To assist in translation to code, another mixed language MIX has been used.

An additional design path has been explored, leading directly from Duration Calculus to a hardware language that compiles to netlists, as implemented on field programmable gate arrays. This compiler too is designed on algebraic principles. The work was carried out at Oxford, and has been inspired by contacts with Cornell University, supported by ESPRIT/NSF funding from ProCoS-US.

In a development that progresses through several conceptual levels, it is essential that the interfaces between the levels should be secure; and the ProCoS II plan was that this should be achieved by embedding all the levels into a single mathematical model, misleadingly called universal. This model became too complicated, and was discarded in favour of a variety of locally developed models. It therefore became necessary to organise a range of theories into related families by investigating the algebraic properties which they share. The most general of these were formalised as a series of axioms within a newly developed theory, called the "Sequential Calculus" [161, 164]; this bids to unify relational algebra with regular expressions, and provides a basis for various kinds of temporal logic. There are also interesting links with r-algebras, arrow logic, quantale theory; and with an interesting development of diagrammatic reasoning.

A major challenge in the ProCoS project was to show the possibility of international collaboration in Computing Science; particularly in the development of an integrated range of theories, and their application and evaluation on experimental case studies.
The hope was to counteract the prevalent divisive tendencies of theoretical research in computing, that each student, researcher, research centre or school needs to concentrate on some private theory, for which the widest possible applicability can be claimed. Of course, much of the work must concentrate on the theories to be linked [91, 101, 98]; but very significant and successful efforts have been devoted to the links as well; and the goal of linking theories for the benefit of application is now more widely recognised in Europe than at the beginning of the project.

The project has made determined efforts to maintain contacts with industrial practice [32, 85, 152]. Students graduating from the project have found relevant employment in safety-conscious industries [33]; and there are a number of nationally sponsored projects with industrial partners which build directly on the achievements of ProCoS. As a result, there has been no need for European funding to promote the next phase of technology transfer. However, collaborative work has not ended with the termination of funding. The ProCoS-WG Working Group is enabling the partners to meet together again after the end of the project. Funding under the European "Keep In Touch" (KIT) scheme has provided a similar service for ProCoS collaborators now in Brazil and Macau. Publications, perhaps tutorials, perhaps even some of the postponed monographs originally proposed as part of the project, will continue to appear in the coming years.

In addition to its more practical spin-offs, the project has also helped to direct the interests of the theoretical researchers towards potential application. The Duration Calculus has attracted the interest of temporal logicians and the model checking community; and the Sequential Calculus is providing encouragement to arrow logicians and relational algebraists. At Oxford, we will be hoping to extend and apply techniques of theory linkage to explore the family relationships among the various computational paradigms current in Computing Science [98]: procedural, functional, logical, parallel, probabilistic, etc. This relatively pure research is now funded from national sources.

3 Requirements Engineering – Lyngby

The ProCoS project has given the Computer Based Systems Group at ID/DTU in Lyngby a much cherished opportunity to interact with colleagues in Britain and in Germany and furthermore, through the continuing ProCoS-WG Working Group, with teams throughout Europe. The basic belief of our group is that theory is useful in developing computer based systems. Overall, the project has consolidated this view in our group. Yet, one must still consider to what extent the project has contributed to the foundations of development techniques for embedded, real-time systems. No conclusive answer can really be given at the end of the project; but it was encouraging during recent EUROMICRO conferences and workshops to hear several presentations that directly or indirectly referenced the ProCoS framework and used it as justification for their otherwise unrelated work. It is also illuminating to read the objectives for the FTRTFT'96 school and symposium:

    Computer systems are becoming increasingly widespread in real-time and safety-critical applications. Such systems are characterised by the crucial need to manage their complexity in order to produce reliable designs. Formal techniques offer a foundation for systematic design of complex systems. They have beneficial applications throughout the engineering process, from the capture of requirements through specification, design, coding and compilation, down to the hardware which embeds the system into its environment. Their use may presuppose novel system architectures and design principles. The school and symposium are devoted to considering the problems and the solutions in safe system design, and to examining how well the use of advanced design techniques and formal methods for design, analysis and verification serves in relating theory to practical realities.

These objectives should not surprise participants in ProCoS, and that may be seen as a success for the project.
A recurring challenge during the project has been to coordinate tutorial presentations [19, 16, 31, 80]. However, it has been encouraging to see the links between the layers becoming smoother over the period, thus providing some hope that the bold plan for the project had some merit.

Within the Lyngby group, the project has fostered ideas for more than ten M.Sc. projects and for the Ph.D. dissertations of Jens Nordahl [127], Jens Ulrik Skakkebæk [154], and Kirsten Mark Hansen (to be completed in 1996). The work on requirement specifications and top level design is described elsewhere (e.g., [138, 136, 141, 131]), so it is not elaborated here. More interesting are the plans for exploitation of the results of the project. A direct extension of the work with Duration Calculus and associated design techniques is applications in Hybrid Systems [61]. The effort here is both theoretical, anchored in Zhou Chaochen's stay during 1995–96 together with planned visits in the following years [69, 176], and practical, where a collaboration with control engineering at DTU [139] and computer science and control engineering at Aalborg University is supported through national projects. Our aim in the experimental projects is to develop techniques to solve industrial size problems, e.g., "An intelligent actuator for a fuel-index in marine diesel engines". This effort is assisted by the support of a European/US working group, jointly sponsored by CEC and NSF, and managed by INRIA, Grenoble, France. Some of the ideas incorporated in the DC "implementables" and to some extent the ProCoS specification language SL may turn out to be very fruitful in developing architectures for hardware/software codesign. In particular, the implementables may be used to specify timing properties of interconnection protocols. This work is part of an ongoing national project. Another task contributes to safety analysis of the interlocking systems that DSB (the Danish State Railways) will install in the coming two years. This work includes giving semantics to specialised interlocking system languages, where the experiences with specification oriented semantics will play a role. A collaboration with Oldenburg and Bremen (Germany) is also planned within this area.

4 Specification and Design – Oldenburg

The beginning of the original ProCoS I project in October 1989 coincided with the start of our new group in informatics at the University of Oldenburg. From the very beginning the ideas of ProCoS influenced our whole work. The essential idea of ProCoS, to look at the design trajectory from initial requirements down to machine code or hardware as passing through several levels of abstraction represented in different description techniques that need to be linked in a semantically correct way, has been extremely motivating. Perhaps also because we saw ProCoS as an extension, to a much larger scale, of the "three views of concurrent processes" as presented in [128], originally written in 1989 as a habilitation thesis at the University of Kiel.

The specific task of Oldenburg in the "ProCoS tower" of abstraction levels was to link specification and programming language semantically and by a suitable design calculus. While the programming language PL was fixed from the start of the project as being Occam, the specification language had to be developed during the project. During ProCoS I we proposed a language, internally called SL, which is a simple combination of static interface information, regular expressions and (possibly infinite) state machines specified in a Z-style assertional technique. This language is embedded in a language MIX in which specification and programming notation can be freely mixed. For MIX a design calculus consisting of various transformation rules and some transformation strategies has been developed. Its current version is reported in the Ph.D. thesis of Stephan Rössig [143], who has worked for ProCoS. So far this "MIX approach" to the design of communicating systems is the main work horse in our group, used for teaching (in a new lecture course for graduate students called "Specification and Transformation of Communicating Systems") and in masters theses.

MIX has also been the starting point for the group to engage in tool building: using national funding (Project TRAVERDI, see below) the MIX calculus has been implemented on the basis of the higher-order logic interactive prover LAMBDA by Jürgen Bohn [4]. With this tool students verified parts of their handwritten transformational designs as part of their masters theses. But for external users the LAMBDA system is too difficult to handle. Therefore we have also implemented a user friendly transformation application system for MIX where the user has to assert that certain application conditions are satisfied. These ideas will be further explored within a new national project UniForM.

During ProCoS II the main concern was the integration of time in the whole design trajectory. Michael Schenke has extended SL to a language SLtime which adds the specification of lower and upper bounds of communication readiness and channel latencies to the concepts of SL [146, 145]. He has been able to extend the untimed MIX transformation strategies so that they now bridge the gap between SLtime and the programming language TimedPL defined by our ProCoS partners in Kiel. The main difficulty, however, was to establish a link to the level of requirements expressed in Duration Calculus. Here a subset of Duration Calculus called "implementables" and developed by our ProCoS partners at Lyngby has been very helpful.
Michael Schenke and I have proposed transformation rules that start from requirements stated as Duration Calculus implementables and use SLtime as a stepping stone towards programs in TimedPL [133, 147]. This approach has been tested in several case studies (gas burner, railway crossing, accounting system for phone calls, Karlsruhe production cell and steam boiler), two of them performed as masters theses [48, 116]. Altogether, nine masters theses and one Ph.D. thesis with ProCoS related topics were completed during the project time. We have helped to disseminate the insights of ProCoS in five invited lectures at international conferences (e.g., [129]) and 15 invited talks at universities. We have also organised tutorial sessions at two conferences where, among others, the Duration Calculus was presented.

The ProCoS project has helped our group to acquire additional funding for three related national projects. In all cases the work done in ProCoS was essential for acquiring these projects:

TRAVERDI. This BMFT project on "Transformation and Verification of Distributed Systems" (August 1991 – March 1994) was part of the large national KORSO (Korrekte Software) initiative with 14 universities and one industrial partner. The specific result for Oldenburg was an initial version of the implementation of the MIX calculus in the LAMBDA logic, a work that has continued (partially funded) under ProCoS II [4].

CoCoN. This industrially funded project on "Provably Correct Communication Networks" (April 1993 – March 1996) was performed in collaboration with the Philips Research Laboratories in Aachen. The application area is telecommunications. We apply ProCoS methods (the MIX approach) to establish correct service implementation on some level of abstraction. Additionally, a technique of extending specifications developed by Stephan Kleuker is used [107, 108].

UniForM. This new BMBF project on a "Universal Workbench for Formal Methods" (June 1995 – May 1998) starts from the observation that in system design several methods will have to be combined and this combination should be tool supported. In particular, the aim is to develop time-critical communicating systems with an industrially usable application to a distributed railway control. The partners of Oldenburg are the University of Bremen and a Berlin based company engaged in railway control. Specifically, the methods of Duration Calculus, CSP and Z should be integrated.

In 1994 Ernst-Rüdiger Olderog had the privilege of receiving the Leibniz Prize of the German Research Council (DFG), to some extent also due to the work in ProCoS. It provides our research group with generous funding during the period October 1994 – September 1999.

We are happy to say that by the end of ProCoS II our research group in Oldenburg has acquired considerable knowledge of how to specify and stepwise design correct time-critical and communicating systems. It is clear that this is preliminary knowledge that needs to be refined and elaborated on during the coming years, but it is a sound basis for doing so. We have benefited enormously from being a partner in a relatively small Basic Research project (with only four sites to coordinate) which gave us the chance to understand each other (better and better) and work together on a coherent topic over the period of six years. In our view the ProCoS theme of correctly linking different formalisms engaged in the design trajectory of systems is more relevant than ever. Nevertheless, it is perhaps good that the ProCoS project has now finished, because some of the constraints of the project that were defined six years ago need to be lifted so that we can make even better use of the ProCoS ideas.

5 Software Compilation – Kiel

The ProCoS project has given a wonderful opportunity to cooperate with excellent and reputed colleagues in our neighbouring European countries. It has been a great pleasure to introduce gifted students to the forefront of informatics research and to see how they pick up the newest ideas and successfully tackle the deepest problems. For some years there has been a severe and controversial debate going on, both in Europe and overseas, about the role of informatics or computing science between structure sciences (like mathematics and logic) and classical engineering sciences. The ProCoS project gives valuable and decisive help in finding the due role. ProCoS with its tower of abstraction and language levels demonstrates that the idea of correctness and its systematic proof is not confined to software systems, but can be extended to complete engineering processes for entire computer based technical systems (hybrid systems), including non-discrete, continuous components high up at the requirements and architectural level (Duration Calculus) and low down at the synchronous and even asynchronous circuits level, implemented in VLSI, with sensors and actuators [110, 111].

Kiel's contribution at the lowest level of abstraction is Martin Fränzle's work, funded by the Deutsche Forschungsgemeinschaft (DFG). He has demonstrated how to establish physically sound models of the dynamics of hybrid systems which have their discrete components built from, for example, MOS transistors [56]. Starting from a continuous model of MOS transistor dynamic behaviour and exploiting knowledge about physical bounds of sensor and actuator performance (e.g., their latencies), discrete-state and even discrete-time models of VLSI dynamics can be derived from the continuous behavioural model [53, 54, 55]. This provides safe models for analysis and development of hybrid systems on a variety of abstraction levels.

One ProCoS II characteristic is its orientation towards realistic processors and languages. So we have envisaged an existing processor, the Transputer [105], and a project language, TimedPL [117, 118, 120, 122], close to a realistic programming language, namely Occam [104]. Important ProCoS II work, done by Markus Müller-Olm, has been to construct a compiler and to prove its compiling function correct [57, 124, 123, 121]. An idealised machine and language would have made proofs easier, but would have left unclear the fully correct transition towards industrial practice. To master the large amount of real processor and language details he concentrates on modularising the verification, and he derives a hierarchy (Galois connections) of increasingly more abstract views of the target processor's behaviour [125]. Therefore the actual code generator proof can be performed more clearly on a higher abstraction level; single processor instructions and single source language constructs can be handled separately due to algebraic laws and refinement techniques as advocated by ProCoS.

A design goal of TimedPL was to provide convenient and implementable means for expressing timing requirements. Sources for delays in executed machine programs are latencies of communications and active time spent for code execution. Due to drift and granularity of the hardware clock, knowledge about these delays is inaccurate. At the programming language level all these effects can safely be subsumed in just one concept, viz. under-determined communication latencies. TimedPL has been designed, and can actually be compiled, such that time is spent in communications only. For the comfort of the user, normal sequential constructs do not take time; clever compilation hides the time used by compiled machine instructions in succeeding communications. The prototype compiler and compiling verification are described in the final deliverables for the project [121]. A forthcoming doctoral thesis contains model theoretic justification of algebraic laws, especially a diligent treatment of timing.

Future research can investigate other interesting processors and even more abstract views such that more elaborate tasks can be handled. Timing requirements might be represented by more flexible formulas than just constants (like so called run-time formulas for compiling programs into code for parallel processors with distributed memories). Combination of synchronous communications and timing is not appropriate in every respect. Synchronous communication is a good abstraction for qualitative untimed reasoning about communications' progress. Future research should investigate timing in connection with other kinds of practically used communication mechanisms like shared variables, (memory mapped) ports and interrupts.

The ProCoS project's orientation towards realistic processors and languages and Markus Müller-Olm's modularisation techniques have led to the DFG projects "Verified Compilers – Verifix" and "Verified Compiler Implementation – VerComp" set up together with G. Goos, Karlsruhe, F.W. von Henke, Ulm, and J S. Moore, CLInc., Austin. In his articles, J S. Moore has stressed that, besides verification of the compiling function, a correctness proof of the compiler implementation down to binary processor code is an inevitable requirement for full compiler correctness. We intend to form a board of persons, especially from safety-critical systems industries, such that they can check and exploit our techniques as soon as possible.

Burghard von Karger's contribution (supported by DFG, jointly with C.A.R. Hoare) to the ProCoS project is the Sequential Calculus [161, 164]. Like the calculus of relations it provides an axiomatic basis for point-free reasoning about programs, but it is not limited to the description of just the input–output behaviour. The Sequential Calculus is intended for reasoning about arbitrary phenomena that have a duration in time, such as the real-time behaviour of reactive systems. One purpose of the Sequential Calculus is to provide a number of algebraic laws valid in many more specific calculi; another merit is the integration of temporal and sequential reasoning. In particular, it allows the treatment of temporal logics such as the Duration Calculus of Hoare, Ravn and Zhou Chaochen [173] or the LTL of Manna and Pnueli. Various other calculi can be obtained by instantiation, including Tarski's calculus of binary relations, Hoare's theory of Communicating Sequential Processes [89], and Dijkstra's regularity calculus. One objective of future research is to use the Sequential Calculus as a framework for a taxonomy of theories for reactive systems. We also wish to investigate its application in the mathematical construction of programs, linking up with Backhouse's relational theory of datatypes and the Bird-Meertens calculus for functional programs.

Bettina Buth and Karl-Heinz Buth (funded by CAU and DFG) have examined mechanical verification support for problems in the ProCoS field. Bettina Buth has constructed a proof assistant PAMELA for VDM-like specifications [42]. PAMELA works with strongest postcondition propagation plus term rewriting. The user has to invent and specify the appropriate invariants for recursive functions and procedures. Small compiling verification tasks have been successfully treated. Karl-Heinz Buth has developed techniques for modelling structured operational and denotational semantics definitions with term rewriting systems [44, 45, 46]. Using the LP system (Larch Prover) he has mechanically proved the equivalence of different semantics definitions of PLR0, a project language of ProCoS I. Existing theorem provers and proof assistants applied to compiling verification seem to work successfully only if the user has a clear strategy of how a manual proof would go. In the DFG compiler verification project mentioned above we will use Rushby's PVS verification system of SRI in order to (re)prove our ProCoS-oriented compiling theorems. PVS has been shown to be appropriate in Duration Calculus derivations [156, 157].

It is evident that the reputation of ProCoS has opened supplementary support from national research funds. This has contributed substantially to ProCoS II's success.

6 Hardware Compilation – Oxford

The original ProCoS project concentrated almost exclusively on the verification of standard compilation of a high-level programming language (based on Occam [104]) down to a microprocessor (based on the Transputer [105]). However, towards the end of the first phase of the project, a new research group at the Oxford University Computing Laboratory, the Hardware Compilation Group led by Ian Page, made rapid advances in the development of hardware compilation techniques using an Occam-like language targeted at Field Programmable Gate Arrays (FPGAs) [102]. This inspired the ProCoS project to investigate provably correct aspects of this approach. A major advantage of proving a compilation scheme correct is that this need only be done once for an unlimited number of designs compiled using the same scheme. Thus changes may easily be made to a given design without invalidating the verification. Information on the hardware compilation approach adopted on the ProCoS II project may be found successively in [83, 23, 31, 84]. The normal form representation [100] of the hardware produced by the various compiling schemes investigated has become progressively closer to a hardware netlist of digital components during successive attempts to capture and prove the essence of the hardware compilation technique used by the Hardware Compilation Group. The low-level compiled hardware representation is now sufficiently close to a netlist representation to allow an "obvious" and direct mapping from one to the other. ProCoS provides a tower of techniques for the requirements capture, design and compilation of embedded systems in a linked and formal manner [31, 79]. Several case studies have been undertaken, including, most extensively, a gas burner example. Hardware compilation provides an alternative route for the compilation of the ProCoS case studies, which may also be compiled onto the Transputer microprocessor architecture [123, 121].
An algebraic approach has been used successfully, and has been shown to be amenable to mechanisation, using the OBJ3 theorem prover for example [144]. A rapid prototype compiler [15] has been constructed using the logic programming language Prolog, in as direct a manner as possible, for the hardware compilation theorems presented at the FTRTFT'94 ProCoS tutorial [31]. The gas burner program in this case study has been compiled directly into hardware using this compiler, in a normal form that is very close to a netlist of simple digital hardware components such as gates and latches. Hardware compilation also allows the possibility of generating a specialised microprocessor (perhaps based on a subset of an existing microprocessor, such as the Transputer). This allows a standard compilation scheme to be based on such hardware if desired. Optimisation [76, 73], decompilation [8, 37] and parsing [40, 39] have been investigated, mainly in the context of software compilation, and some of these ideas could be extended to hardware compilation. Provably correct optimisation could be a particularly fruitful area for hardware. The compilation of hardware and software together, with consideration of the trade-offs involved, also provides an exciting research area [102]. The ProCoS project helped secure national funding for an associated project on "Provably Correct Hardware/Software Co-design".

7 Working Group and Dissemination

An integral part of our original ProCoS II research plan was the formation of a Working Group of potential collaborators and industrial partners [17]. A proposal to the CEC was successful, and an associated ProCoS-WG Working Group of 25 European industrial and academic partners has been established [18] to liaise with the ProCoS II project. The Working Group runs from January 1994 to December 1996. Meetings have been held jointly between the project and the Working Group since its inception, approximately every six months. The continuation of the Working Group after the end of the ProCoS project allows further liaison between project members and other Working Group members. A major open conference was held in conjunction with an existing related conference series, FTRTFT [112]. Many ProCoS II project and ProCoS-WG Working Group partners attended. An extended ProCoS tutorial was presented [31, 79]. More recently, after the end of the project, a ProCoS tutorial [80] was presented at FME'96 [60]. EC "Keep In Touch" (KIT) initiatives with Augusto Sampaio in Brazil and Zhou Chaochen in Macau have allowed continuing contact with former project members. An ESPRIT/NSF initiative allows reciprocal funding of visits between Cornell University in the US and ProCoS project partners in the area of provably correct hardware compilation. Contact with the Z User Group has been maintained by supporting attendance at Z User Meetings [22, 26, 30], using ProCoS-WG Working Group funds where appropriate. A journal special issue on Z has been produced [29] and a Z bibliography maintained [13, 36]. A book of industrial applications of formal methods has been produced [85]; it includes a number of chapters by members of the Working Group. Two associated articles have been produced as guides for industrial users of formal methods [28, 27], with the aim of facilitating the technology transfer of formal methods.
Material has been published specifically for the standards community, especially in the area of safety-critical systems [7, 33, 24]. For further information on ProCoS, please see the World Wide Web URL (Uniform Resource Locator) or contact the electronic mail address at the top of the paper. To join the electronic mailing list for messages relating to ProCoS activities, especially notices of meetings, please email [email protected]. The bibliography that follows includes a comprehensive list of ProCoS II-related publications, together with selected project documents and other related unpublished material, for those wishing to study the results of the project in depth.

Bibliography

[1] T. O. Andersen, F. Conrad, A. P. Ravn, T. J. Eriksen, and M. Holdgaard. Mode-switching in hydraulic actuator systems – an experiment. In Proc. 8th Bath International Fluid Power Workshop, Bath, UK, September 1995. Research Studies Press, 1995.
[2] R. Berghammer and B. von Karger. Formal derivation of CSP programs from formal specifications. In B. Möller, editor, Mathematics of Program Construction, volume 947 of Lecture Notes in Computer Science, pages 180–196. Springer-Verlag, 1995. Updated version to appear in Science of Computer Programming journal.
[3] D. Bjørner, C. A. R. Hoare, J. P. Bowen, He Jifeng, H. Langmaack, E.-R. Olderog, U. H. Martin, V. Stavridou, F. Nielson, H. R. Nielson, H. Barringer, D. Edwards, H. H. Løvengreen, A. P. Ravn, and H. S. Rischel. A ProCoS project description. Bulletin of the European Association for Theoretical Computer Science (EATCS), 39:60–73, October 1989.
[4] J. Bohn. Formal transformational reasoning about reactive systems in the theorem prover LAMBDA. In T. Melham and J. Camilleri, editors, Supplementary Proc. 7th International Workshop on Higher Order Logic Theorem Proving and its Applications. University of Malta, 1994.
[5] J. Bohn and W. Janssen. A strategic approach to transformational design. In Gaudel and Woodcock [60], pages 609–628.
[6] J. Bohn and S. Rössig. On automatic and interactive design of communicating systems. In E. Brinksma, W. R. Cleaveland, K. G. Larsen, T. Margaria, and B. Steffen, editors, Tools and Algorithms for the Construction and Analysis of Systems (TACAS'95), volume 1019 of Lecture Notes in Computer Science, pages 216–237. Springer-Verlag, 1995.
[7] J. P. Bowen. Formal methods in safety-critical standards. In Proc. 1993 Software Engineering Standards Symposium (SESS'93), Brighton, UK, pages 168–177. IEEE Computer Society Press, 30 August – 3 September 1993.
[8] J. P. Bowen. From programs to object code and back again using logic programming: Compilation and decompilation. Journal of Software Maintenance: Research and Practice, 5(4):205–234, December 1993.
[9] J. P. Bowen, editor. Towards Verified Systems, volume 2 of Real-Time Safety Critical Systems. Elsevier, 1994.
[10] J. P. Bowen. A brief history of algebra and computing: An eclectic Oxonian view. IMA Bulletin, 31(1/2):6–9, January/February 1995. Dedicated to Prof. C.A.R. Hoare on his 60th birthday. Also available in a longer version as Oxford University Computing Laboratory Technical Report PRG-TR-9-94, July 1994.
[11] J. P. Bowen. Comp.specification.z and Z FORUM frequently asked questions. In Bowen and Hinchey [30], pages 561–569.
[12] J. P. Bowen. Rapid compiler implementation. In He Jifeng [73], chapter 10, pages 141–169.
[13] J. P. Bowen. Select Z bibliography. In Bowen and Hinchey [30], pages 527–560.
[14] J. P. Bowen. Formal Specification and Documentation using Z: A Case Study Approach. International Thomson Computer Press, 1996.
[15] J. P. Bowen. Hardware compilation of the gas burner case study. ProCoS II document [OU JB 8/1], Oxford University, UK, 11 October 1996.
[16] J. P. Bowen, B. Buth, E.-R. Olderog, and A. P. Ravn. Provably correct systems – tutorial material for Formal Methods Europe 93. ProCoS II document [ID/DTH APR 20/1], Technical University of Denmark, March 1993. In [114].
[17] J. P. Bowen et al. A ProCoS II project description: ESPRIT Basic Research project 7071. Bulletin of the European Association for Theoretical Computer Science (EATCS), 50:128–137, June 1993.
[18] J. P. Bowen et al. A ProCoS-WG Working Group description: ESPRIT Basic Research 8694. Bulletin of the European Association for Theoretical Computer Science (EATCS), 53:136–145, June 1994.
[19] J. P. Bowen, M. Fränzle, E.-R. Olderog, and A. P. Ravn. Developing correct systems. In Proc. 5th Euromicro Workshop on Real-Time Systems, Oulu, Finland, pages 176–189. IEEE Computer Society Press, June 1993.
[20] J. P. Bowen and M. J. C. Gordon. Z and HOL. In Bowen and Hall [22], pages 141–167.
[21] J. P. Bowen and M. J. C. Gordon. A shallow embedding of Z in HOL. Information and Software Technology, 37(5–6):269–276, May/June 1995.
[22] J. P. Bowen and J. A. Hall, editors. Z User Workshop, Cambridge 1994, Workshops in Computing. Springer-Verlag, 1994.
[23] J. P. Bowen, He Jifeng, and I. Page. Hardware compilation. In Bowen [9], chapter 10, pages 193–207.
[24] J. P. Bowen and M. G. Hinchey. Formal methods and safety-critical standards. IEEE Computer, 27(8):68–71, August 1994.
[25] J. P. Bowen and M. G. Hinchey. Seven more myths of formal methods: Dispelling industrial prejudices. In Naftalin et al. [126], pages 105–117.
[26] J. P. Bowen and M. G. Hinchey. Report on Z User Meeting (ZUM'94). Information and Software Technology, 37(5–6):335–336, May/June 1995.
[27] J. P. Bowen and M. G. Hinchey. Seven more myths of formal methods. IEEE Software, 12(4):34–41, July 1995. Previously available as University of Cambridge Computer Laboratory Technical Report 357, December 1994 and Oxford University Computing Laboratory Technical Report PRG-TR-7-94, June 1994.
[28] J. P. Bowen and M. G. Hinchey. Ten commandments of formal methods. IEEE Computer, 28(4):56–63, April 1995. Previous version available as University of Cambridge Computer Laboratory Technical Report 350, September 1994.
[29] J. P. Bowen and M. G. Hinchey. Z special issue: Editorial. Information and Software Technology, 37(5–6):258–259, May/June 1995.
[30] J. P. Bowen and M. G. Hinchey, editors. ZUM'95: The Z Formal Specification Notation, volume 967 of Lecture Notes in Computer Science. Springer-Verlag, 1995.
[31] J. P. Bowen, C. A. R. Hoare, M. R. Hansen, A. P. Ravn, H. Rischel, E.-R. Olderog, M. Schenke, M. Fränzle, M. Müller-Olm, He Jifeng, and Zheng Jianping. Provably correct systems – FTRTFT'94 tutorial. ProCoS II document [COORD JB 7/1], Oxford University, UK, September 1994.
[32] J. P. Bowen and V. Stavridou. The industrial take-up of formal methods in safety-critical and other areas: A perspective. In J. Woodcock and P. G. Larsen, editors, FME'93: Industrial-Strength Formal Methods, Lecture Notes in Computer Science, pages 183–195. Springer-Verlag, 1993.
[33] J. P. Bowen and V. Stavridou. Safety-critical systems, formal methods and standards. IEE/BCS Software Engineering Journal, 8(4):189–209, July 1993. Winner of the 1994 IEE Charles Babbage Premium award.
[34] J. P. Bowen and V. Stavridou. Formal methods: Epideictic or apodeictic? IEE/BCS Software Engineering Journal, 9(1):2, January 1994. Personal view.
[35] J. P. Bowen and V. Stavridou. Safety-critical systems and formal methods. In Bowen [9], chapter 1, pages 3–33.
[36] J. P. Bowen, S. Stepney, and R. Barden. Annotated Z bibliography. Information and Software Technology, 37(5–6):317–332, May/June 1995.
[37] P. T. Breuer and J. P. Bowen. Decompilation: The enumeration of types and grammars. ACM Transactions on Programming Languages and Systems (TOPLAS), 16(5):1613–1647, September 1994.
[38] P. T. Breuer and J. P. Bowen. Towards correct executable semantics for Z. In Bowen and Hall [22], pages 185–209.
[39] P. T. Breuer and J. P. Bowen. A concrete grammar for Z. Technical Report PRG-TR-22-95, Oxford University Computing Laboratory, UK, September 1995. Presented as a poster at the FME'96 symposium [60].
[40] P. T. Breuer and J. P. Bowen. A PREttier Compiler-Compiler: Generating higher order parsers in C. Software – Practice and Experience, 25(11):1263–1297, November 1995.
[41] S. Brien, M. Engel, He Jifeng, A. P. Ravn, and H. Rischel. Z model for Duration Calculus. ProCoS II document [OU HJF 12/2], Oxford University, UK, September 1993.
[42] B. Buth. Operation Refinement Proofs for VDM-like Specifications. PhD thesis, Technische Fakultät, Christian-Albrechts-Universität Kiel, Germany, 1995.
[43] B. Buth, K.-H. Buth, M. Fränzle, B. von Karger, Y. Lakhneche, H. Langmaack, and M. Müller-Olm. Provably correct compiler development and implementation. In U. Kastens and P. Pfahler, editors, Compiler Construction, volume 641 of Lecture Notes in Computer Science, pages 141–155. Springer-Verlag, 1992.
[44] K.-H. Buth. Using SOS definitions in term rewriting proofs. In U. Martin and J. Wing, editors, Proc. 1st International Workshop on Larch, Dedham, 1992, Workshops in Computing, pages 36–54. Springer-Verlag, 1993. Full version available as Bericht 9214, Institut für Informatik und Praktische Mathematik, Christian-Albrechts-Universität Kiel, Germany.
[45] K.-H. Buth. Simulation of SOS definitions with term rewriting systems. In D. Sannella, editor, Programming Languages and Systems, volume 788 of Lecture Notes in Computer Science, pages 150–164. Springer-Verlag, April 1994.
[46] K.-H. Buth. Techniques for Modelling Structured Operational and Denotational Semantics Definitions with Term Rewriting Systems. PhD thesis, Mathematisch-Naturwissenschaftliche Fakultät, Christian-Albrechts-Universität Kiel, Germany, 1994. Also available as ProCoS II document [Kiel KHB 4/1].
[47] K.-H. Buth. Automated code generator verification based on algebraic laws. ProCoS II document [Kiel KHB 5/1], Christian-Albrechts-Universität Kiel, Germany, September 1995.
[48] H. Dierks. Die Fertigungszelle als verifiziertes Realzeitsystem. Master's thesis, FB Informatik, Oldenburg Universität, Germany, May 1995.
[49] M. Engel. Specifying real-time systems with Z and the Duration Calculus. In Bowen and Hall [22], pages 282–294.
[50] M. Engel, M. Kubica, J. Madey, D. L. Parnas, A. P. Ravn, and A. J. van Schouwen. A formal approach to computer systems requirements documentation. In Grossman et al. [61], pages 452–474.
[51] M. Engel and J. U. Skakkebæk. Applying PVS to Z. ProCoS II document [ID/DTU ME 3/1], Technical University of Denmark, 1994.
[52] M. Fränzle. Test preorder and refinement. ProCoS II document [Kiel MF 16/2], Christian-Albrechts-Universität Kiel, Germany, December 1994.
[53] M. Fränzle. A discrete model of VLSI dynamics in hybrid control applications. ProCoS II document [Kiel MF 17/3], Christian-Albrechts-Universität Kiel, Germany, April 1995.
[54] M. Fränzle. From continuity to discreteness – five views of embedded control hardware. ProCoS II document [Kiel MF 18/1], Christian-Albrechts-Universität Kiel, Germany, August 1995.
[55] M. Fränzle. Synthesizing controllers from duration calculus. In Proc. FTRTFT '96 conference, Uppsala, Sweden, September 1996. To appear.
[56] M. Fränzle and M. Müller-Olm. Drift and granularity of time in real-time system implementation. ProCoS II document [Kiel MF 10/2], Christian-Albrechts-Universität Kiel, Germany, August 1993.
[57] M. Fränzle and M. Müller-Olm. Towards provably correct code generation for a hard real-time programming language. In P. A. Fritzson, editor, Compiler Construction, volume 786 of Lecture Notes in Computer Science, pages 294–308. Springer-Verlag, 1994.
[58] M. Fränzle and B. von Karger. Proposal for a programming language core for ProCoS II. ProCoS II document [Kiel MF 11/3], Christian-Albrechts-Universität Kiel, Germany, August 1993.
[59] M. Fränzle, B. von Stengel, and A. Wittmuss. A generalized notion of semantic independence. Information Processing Letters, 53:5–9, 1995.
[60] M.-C. Gaudel and J. Woodcock, editors. FME'96: Industrial Benefit and Advances in Formal Methods, volume 1051 of Lecture Notes in Computer Science. Springer-Verlag, 1996.
[61] R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors. Hybrid Systems, volume 736 of Lecture Notes in Computer Science. Springer-Verlag, 1993.
[62] R. W. S. Hale and He Jifeng. A real-time programming language. In Bowen [9], chapter 6, pages 115–130.
[63] K. M. Hansen. Validation of a railway interlocking model. In Naftalin et al. [126], pages 582–601.
[64] K. M. Hansen, A. P. Ravn, and V. Stavridou. From safety analysis to formal specification. ProCoS II document [ID/DTH KMH 1/1], Technical University of Denmark, 1994. Accepted for publication in IEEE TSE.
[65] M. R. Hansen. Model-checking discrete Duration Calculus. Formal Aspects of Computing, 6A:826–845, 1994.
[66] M. R. Hansen, E.-R. Olderog, M. Schenke, M. Fränzle, B. von Karger, M. Müller-Olm, and H. Rischel. A Duration Calculus semantics for real-time reactive systems. ProCoS II document [OLD MRH 1/1], Oldenburg Universität, Germany, September 1993.
[67] M. R. Hansen, P. K. Pandya, and Zhou Chaochen. Finite divergence. Theoretical Computer Science, 138:113–139, 1995.
[68] M. R. Hansen and Zhou Chaochen. Semantics and completeness of the Duration Calculus. In J. W. de Bakker, K. Huizing, W.-P. de Roever, and G. Rozenberg, editors, Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science, pages 209–225. Springer-Verlag, 1992.
[69] M. R. Hansen and Zhou Chaochen. Lecture notes on logical foundations of Duration Calculus. Technical Report ID-TR 1995-166, Department of Computer Science, Technical University of Denmark, Building 344, DK-2800 Lyngby, August 1995. To appear in Formal Aspects of Computing.
[70] M. R. Hansen, Zhou Chaochen, and J. Staunstrup. A real-time duration semantics for circuits. In Proc. TAU 1992 ACM/SIGDA Workshop on Timing Issues in Specification and Synthesis of Digital Systems, Princeton, USA, 18–20 March 1992.
[71] He Jifeng. Hybrid parallel programming and implementation of synchronised communication. In A. M. Borzyszkowski and S. Sokolowski, editors, Mathematical Foundations of Computer Science 1993, volume 711 of Lecture Notes in Computer Science, pages 537–556. Springer-Verlag, 1993.
[72] He Jifeng. From CSP to hybrid systems. In Roscoe [142], pages 171–189.
[73] He Jifeng. Provably Correct Systems: Modelling of Communication Languages and Design of Optimized Compilers. International Series in Software Engineering. McGraw-Hill, 1995.
[74] He Jifeng. From Duration Calculus to FPGA implementation. ProCoS II document [OU HJF 18], Oxford University, UK, 1996. Submitted to BCS FACS Refinement Workshop.
[75] He Jifeng. Algebraic approach to design of delay-insensitive circuits. In G. Brown, editor, Design of Delay-Insensitive Circuits. To appear, submitted 1994.
[76] He Jifeng and J. P. Bowen. Specification, verification and prototyping of an optimized compiler. Formal Aspects of Computing, 6(6):643–658, 1994.
[77] He Jifeng and S. Brien. Z model for ProCoS II. ProCoS II document [OU HJF 13/1], Oxford University, UK, 1993.
[78] He Jifeng and C. A. R. Hoare. From algebra to operational semantics. Information Processing Letters, 45:75–80, 1993.
[79] He Jifeng, C. A. R. Hoare, M. Fränzle, M. Müller-Olm, E.-R. Olderog, M. Schenke, M. R. Hansen, A. P. Ravn, and H. Rischel. Provably correct systems. In Langmaack et al. [112], pages 288–335.
[80] He Jifeng, C. A. R. Hoare, M. Müller-Olm, E.-R. Olderog, M. Schenke, M. R. Hansen, A. P. Ravn, and H. Rischel. The ProCoS approach to the design of real-time systems: Linking different formalisms. Presented as a tutorial at the FME'96 symposium [60], March 1996.
[81] He Jifeng, A. McIsaac, and G. Barrett. Specification and design of a coherent cached memory. Submitted to Formal Methods in System Design, 1995.
[82] He Jifeng, A. McIver, and K. Seidel. Probabilistic models for the guarded command language. Presented at Mathematical Foundations of Computer Science and submitted to the special FMTA'95 issue of Science of Computer Programming, 1995.
[83] He Jifeng, I. Page, and J. P. Bowen. Towards a provably correct hardware implementation of Occam. In G. J. Milne and L. Pierre, editors, Correct Hardware Design and Verification Methods, volume 683 of Lecture Notes in Computer Science, pages 214–225. Springer-Verlag, 1993.
[84] He Jifeng and Zheng Jianping. Simulation approach to provably correct hardware compilation. In Langmaack et al. [112], pages 336–351.
[85] M. G. Hinchey and J. P. Bowen, editors. Applications of Formal Methods. Prentice Hall International Series in Computer Science, 1995.
[86] M. G. Hinchey and J. P. Bowen. Applications of formal methods FAQ. In Applications of Formal Methods [85], chapter 1, pages 1–15.
[87] M. G. Hinchey and J. P. Bowen. To formalize or not to formalize? IEEE Computer, 29(4):18–19, April 1996. In H. Saiedian, editor, An Invitation to Formal Methods, pages 16–30.
[88] C. A. R. Hoare. Communicating sequential processes. Communications of the ACM, 21(8):666–677, 1978.
[89] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall International Series in Computer Science, 1985.
[90] C. A. R. Hoare. Mathematical models for computing science. Oxford University Computing Laboratory, UK, August 1994.
[91] C. A. R. Hoare. Unified theory of programming. Oxford University Computing Laboratory, UK, July 1994.
[92] C. A. R. Hoare. Algebra and models. In He Jifeng [73], chapter 1, pages 1–14.
[93] C. A. R. Hoare. How did software get so reliable without proof? In Gaudel and Woodcock [60], pages 1–17.
[94] C. A. R. Hoare. The logic of engineering design. Microprocessing and Microprogramming, 41(8/9):525–539, April 1996.
[95] C. A. R. Hoare, J. P. Bowen, et al. ProCoS II research project – parts A & B. Oxford University Computing Laboratory, UK, 14 October 1991. Commercial in Confidence, Proposal for ESPRIT Basic Research.
[96] C. A. R. Hoare, J. P. Bowen, et al. Basic Research Project 7071 ProCoS II technical annex. Oxford University Computing Laboratory, UK, 16 July 1992. Commercial in Confidence, ESPRIT Basic Research. Annotated version produced for Final Review, 13 October 1995.
[97] C. A. R. Hoare et al. Laws of programming. Communications of the ACM, 30(8):672–686, August 1987.
[98] C. A. R. Hoare and He Jifeng. Unified Theories of Programming. Prentice Hall International Series in Computer Science, 1997. To appear.
[99] C. A. R. Hoare, He Jifeng, and A. P. Ravn. Specification and implementation of a flashlight. ProCoS II document [OU CARH 2/2], Oxford University, UK, June 1994.
[100] C. A. R. Hoare, He Jifeng, and A. Sampaio. Normal form approach to compiler design. Acta Informatica, 30:701–739, 1993.
[101] C. A. R. Hoare, He Jifeng, and A. Sampaio. Algebraic derivation of an operational semantics. Oxford University Computing Laboratory, UK. Submitted for publication, January 1995.
[102] C. A. R. Hoare and I. Page. Hardware and software: Closing the gap. Transputer Communications, 2(2):69–90, June 1994.
[103] M. Holdgaard, T. J. Eriksen, and A. P. Ravn. A distributed implementation of a mode switching control program. In Proc. 7th Euromicro Workshop on Real-Time Systems, pages 164–168. IEEE Computer Society Press, 1995.
[104] INMOS Limited. Occam 2 Reference Manual. Prentice Hall International Series in Computer Science, 1988.
[105] INMOS Limited. Transputer Instruction Set – A Compiler Writer's Guide. Prentice Hall International, 1988.
[106] M. Karamees. Transforming designs towards implementations. In Proc. 7th Euromicro Workshop on Real-Time Systems, pages 197–204. IEEE Computer Society Press, 1995.
[107] S. Kleuker. Case study: Stepwise refinement of a communication processor using trace logic. In D. J. Andrews, J. F. Groote, and C. A. Middelburg, editors, Semantics of Specification Languages, Workshops in Computing, pages 252–269. Springer-Verlag, 1994.
[108] S. Kleuker. A gentle introduction to specification engineering using a case study in telecommunications. In P. D. Mosses, M. Nielsen, and M. I. Schwartzbach, editors, TAPSOFT'95, volume 915 of Lecture Notes in Computer Science, pages 636–650. Springer-Verlag, 1995.
[109] S. Kleuker and H. Tjabben. The incremental development of correct specifications for distributed systems. In Gaudel and Woodcock [60], pages 479–498.
[110] H. Langmaack. The ProCoS-way towards correct systems. Technical Report 9506, Institut für Informatik und Praktische Mathematik, Christian-Albrechts-Universität Kiel, Germany, 1995.
[111] H. Langmaack. The ProCoS approach to correct systems. Real-Time Systems journal, 1996. To appear.
[112] H. Langmaack, W.-P. de Roever, and J. Vytopil, editors. Formal Techniques in Real-Time and Fault-Tolerant Systems: Proc. 3rd International Symposium Organized Jointly with the Working Group Provably Correct Systems – ProCoS, Lübeck, Germany, volume 863 of Lecture Notes in Computer Science. Springer-Verlag, September 1994.
[113] H. Langmaack and A. P. Ravn. The ProCoS project: Provably correct systems. In Bowen [9], Appendix B, pages 249–265.
[114] P. G. Larsen, editor. Tutorial Material for FME'93: Industrial-Strength Formal Methods. Proc. 1st International Symposium of Formal Methods Europe, Odense, Denmark, April 1993.
[115] P. C. Masiero, A. P. Ravn, and H. Rischel. Refinement of real-time specifications. ProCoS II document [ID/DTH PCM 1/1], Technical University of Denmark, July 1993.
[116] R. Müller. Anforderungsgerechte Spezifikation eines zeitabhängigen Gebührenabrechnungssystems. Master's thesis, FB Informatik, Oldenburg Universität, Germany, April 1995.
[117] M. Müller-Olm. On translation of TimedPL and capture of machine instruction timing. ProCoS II document [Kiel MMO 6/2], Christian-Albrechts-Universität Kiel, Germany, August 1993.
[118] M. Müller-Olm. A new proposal for TimedPL's semantics. ProCoS II document [Kiel MMO 10/1], Christian-Albrechts-Universität Kiel, Germany, May 1994.
[119] M. Müller-Olm. A process language and its model. ProCoS II document [Kiel MMO 9/1], Christian-Albrechts-Universität Kiel, Germany, May 1994.
[120] M. Müller-Olm. Proposal for concrete syntax for TimedPL. ProCoS II document [Kiel MMO 11/1], Christian-Albrechts-Universität Kiel, Germany, May 1994.
[121] M. Müller-Olm. Compiling the gas burner case study. ProCoS II document [Kiel MMO 16/2], Christian-Albrechts-Universität Kiel, Germany, 12 September 1995.
[122] M. Müller-Olm. The concrete syntax of TimedPL. ProCoS II document [Kiel MMO 13/3], Christian-Albrechts-Universität Kiel, Germany, August 1995.
[123] M. Müller-Olm. A short description of the prototype compiler. ProCoS II document [Kiel MMO 14/1], Christian-Albrechts-Universität Kiel, Germany, August 1995.
[124] M. Müller-Olm. Structuring code generator correctness proofs by stepwise abstracting the machine language's semantics. ProCoS II document [Kiel MMO 12/3], Christian-Albrechts-Universität Kiel, Germany, January 1995. Draft.
[125] M. Müller-Olm. Modular Compiler Verification. PhD thesis, Technische Fakultät, Christian-Albrechts-Universität Kiel, Germany, 1996.
[126] M. Naftalin, T. Denvir, and M. Bertran, editors. FME'94: Industrial Benefit of Formal Methods, volume 873 of Lecture Notes in Computer Science. Springer-Verlag, 1994.
[127] J. Nordahl. Specification and Design of Dependable Communicating Systems. PhD thesis, Department of Computer Science, Technical University of Denmark, Lyngby, March 1992. ID-TR 1992-105.
[128] E.-R. Olderog. Nets, Terms and Formulas: Three Views of Concurrent Processes and Their Relationship. Cambridge University Press, 1991.
[129] E.-R. Olderog. Interfaces between languages for communicating systems. In W. Kuich, editor, Automata, Languages and Programming, volume 623 of Lecture Notes in Computer Science, pages 641–655. Springer-Verlag, 1992. Invited paper.
[130] E.-R. Olderog, editor. Programming Concepts, Methods and Calculi, volume A-56 of IFIP Transactions. North-Holland, 1994.
[131] E.-R. Olderog, A. P. Ravn, and J. U. Skakkebæk. Refining system requirements to program specifications. In C. Heitmeyer and D. Mandrioli, editors, Formal Methods for Real-Time Computing, volume 5 of Trends in Software, chapter 5, pages 107–134. Wiley, 1996.
[132] E.-R. Olderog and S. Rössig. A case study in transformational design of concurrent systems. In M.-C. Gaudel and J.-P. Jouannaud, editors, TAPSOFT'93: Theory and Practice of Software Development, volume 668 of Lecture Notes in Computer Science, pages 90–104. Springer-Verlag, 1993.
[133] E.-R. Olderog and M. Schenke. Design of real-time systems: The interface between Duration Calculus. In J. Desel, editor, Structures in Concurrency Theory, Workshops in Computing, pages 32–54. Springer-Verlag, 1995.
[134] G. J. Pace. From parallel specification to clocked circuits. MSc thesis, Oxford University Computing Laboratory, UK, 1994.
[135] J. L. Petersen and H. Rischel. Formalizing requirements and design for a production cell system. In Proc. ADPM'94, pages 37–46, 1994.
[136] A. P. Ravn. Design of embedded real-time computing systems. Technical Report ID-TR 1995-170, ID/DTU, Technical University of Denmark, Lyngby, October 1995.
[137] A. P. Ravn and H. Rischel. Requirements capture for embedded real-time systems. In Proc. IMACS-MCTS'91 Symposium on Modelling and Control of Technological Systems, Villeneuve d'Ascq, France, 7–10 May 1991, volume 2, pages 147–152. IMACS, May 1991.
[138] A. P. Ravn, H. Rischel, and K. M. Hansen. Specifying and verifying requirements of real-time systems. IEEE Transactions on Software Engineering, 19(1):41–55, January 1993.
[139] A. P. Ravn, H. Rischel, M. Holdgaard, T. J. Eriksen, F. Conrad, and T. O. Andersen. Hybrid control of a robot – a case study. In P. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, editors, Hybrid Systems II, volume 999 of Lecture Notes in Computer Science, pages 391–404. Springer-Verlag, 1995.
[140] A. P. Ravn and J. Staunstrup. Interface models. In Proc. Codes/CASHE'94, pages 157–164. IEEE Computer Society Press, September 1994.
[141] H. Rischel, J. Cuellar, S. Mørk, A. P. Ravn, and I. Wildgruber. Development of safety-critical real-time systems. In M. Bartosek, J. Staudek, and J. Wiedermann, editors, SOFSEM'95: Theory and Practice of Informatics, volume 1012 of Lecture Notes in Computer Science, pages 206–235. Springer-Verlag, 1995.
[142] A. W. Roscoe, editor. A Classical Mind: Essays in Honour of C.A.R. Hoare. Prentice Hall International Series in Computer Science, 1994.
[143] S. Rössig. A Transformational Approach to the Design of Communicating Systems. PhD thesis, Department of Computer Science, University of Oldenburg, October 1994.
[144] A. Sampaio. An algebraic approach to compiler design. Technical Monograph PRG-110, Oxford University Computing Laboratory, UK, October 1993. DPhil thesis.
[145] M. Schenke. Specification and transformation of reactive systems with time restrictions and concurrency. In Langmaack et al. [112], pages 605–621.
[146] M. Schenke. A timed specification language for concurrent reactive systems. In D. J. Andrews, J. F. Groote, and C. A. Middelburg, editors, Semantics of Specification Languages, Workshops in Computing, pages 152–167. Springer-Verlag, 1994.
[147] M. Schenke and E.-R. Olderog. Design of real-time systems: From Duration Calculus to correct programs. ProCoS II document [OLD MS 17/1], Oldenburg Universitat, Germany, August 1995. [148] R. Schlor and W. Damm. Speci cation and veri cation of system level hardware designs using timing diagrams. In Proc. European Conference on Design Automation, pages 518{ 524, February 1993. [149] D. Scole eld, H. Zedan, and He Jifeng. A predictive semantics for the re nement of the realtime systems. In M. Main, A. Melton, M. Mislove, and D. Schmidt, editors, Mathematical Foundations of Programming Semantics, volume 802 of Lecture Notes in Computer Science, pages 230{250. Springer-Verlag, 1993. [150] D. Scole eld, H. Zedan, and He Jifeng. Real-time re nement: Semantics and application. In A. M. Borzyszkowski and S. Sokolowski, editors, Mathematical Foundations of Computer Science 1993, volume 711 of Lecture Notes in Computer Science, pages 693{703. SpringerVerlag, 1993. [151] D. Scole eld, H. Zedan, and He Jifeng. A speci cation-oriented semantics for the re nement of real-time systems. Theoretical Computer Science, 131:219{241, 1994. [152] D. E. Shepherd and J. P. Bowen. Transfer into industrial design. In Bowen [9], chapter 11, pages 211{221. [153] J. U. Skakkebk. Liveness and fairness in a Duration Calculus. In B. Jonsson and J. Parrow, editors, CONCUR'94: Concurrency Theory, volume 836 of Lecture Notes in Computer Science, pages 283{298. Springer-Verlag, 1994. [154] J. U. Skakkebk. A Veri cation Assistant for a Real-Time Logic. PhD thesis, Department of Computer Science, Technical University of Denmark, Lyngby, November 1994. ID-TR 1994-150. [155] J. U. Skakkebk, A. P. Ravn, H. Rischel, and Zhou Chaochen. Speci cation of embedded, real-time systems. In Proc. Euromicro Workshop on Real-Time Systems, pages 116{121. IEEE Computer Society Press, 1992. Athens, June 1992. [156] J. U. Skakkebk and N. Shankar. A Duration Calculus proof checker: Using PVS as a semantic framework. 
Technical Report SRI-CSL-93-10, Computer Science Laboratory, SRI International, Menlo Park, CA 94025, USA, December 1993. [157] J. U. Skakkebk and N. Shankar. Towards a Duration Calculus proof assistant in PVS. In Langmaack et al. [112], pages 660{679. [158] E. V. Srensen, J. Nordahl, and N. H. Hansen. From CSP models to Markov models. IEEE Transactions on Software Engineering, 19(6):554{570, 1993. [159] M. U. Srensen, O. E. Hansen, and H. H. Lvengreen. Combining temporal speci cation techniques. In D. M. Gabbay and H. J. Ohlbach, editors, Temporal Logic, volume 827 of Lecture Notes in Arti cial Intelligence, pages 1{16. Springer-Verlag, 1994. [160] B. von Karger. Plotkin, Hoare and Smyth order: On observational models for CSP. In Olderog [130], pages 383{402. [161] B. von Karger. Sequential calculus. ProCoS II document [Kiel BvK 15/10], ChristianAlbrechts-Universitat Kiel, Germany, 1994.

[162] B. von Karger. Temporal logic via Galois connections. ProCoS II document [Kiel BvK 19], Christian-Albrechts-Universitat Kiel, Germany, 1994. [163] B. von Karger. An algebraic approach to temporal logic. In P. D. Mosses, M. Nielsen, and M. I. Schwartzbach, editors, TAPSOFT'95: Theory and Practice of Software Development, volume 915 of Lecture Notes in Computer Science, pages 232{246. Springer-Verlag, 1995. [164] B. von Karger and C. A. R. Hoare. Sequential calculus. Information Processing Letters, 53(3):123{130, 1995. [165] Xu Qiwen and He Jifeng. Laws of parallel programming with shared variables. In D. Till, editor, 6th Re nement Workshop, Workshops in Computing. BCS FACS, Springer-Verlag, 1994. [166] W. D. Young. System veri cation and the CLI stack. In Bowen [9], pages 225{248. Appendix A. [167] Zhiming Liu, J. Nordahl, and E. V. Srensen. Composition and re nement of probabilistic real-time systems. In J. Gorski, editor, SAFECOMP'93, volume 7 of Dependable Computing and Fault-Tolerant Systems, pages 31{40. Springer-Verlag, 1993. [168] Zhiming Liu, J. Nordahl, and E. V. Srensen. Composition and re nement of probabilistic real-time systems. In C. Mitchell and V. Stavridou, editors, Mathematics of Dependable Systems, volume 55 of Institute of Mathematics and Application Conference New Series, pages 149{163. Oxford University Press, 1995. [169] Zhiming Liu, A. P. Ravn, E. V. Srensen, and Zhou Chaochen. A probabilistic Duration Calculus. In H. Kopetz and Y. Kakuda, editors, Responsive Computer Systems, volume 7 of Dependable Comp. and Fault-Tolerant Systems, pages 29{52. Springer-Verlag, 1993. [170] Zhiming Liu, A. P. Ravn, E. V. Srensen, and Zhou Chaochen. Towards a calculus of systems dependability. High Integrity Systems, 1(1):49{75, January 1994. Also ProCoS document [DTH LZ 1/1]. [171] Zhou Chaochen, M. R. Hansen, A. P. Ravn, and H. Rischel. Duration speci cations for shared processors. In J. 
Vytopil, editor, Formal Techniques in Real-Time and Fault-Tolerant Systems, volume 571 of Lecture Notes in Computer Science, pages 21{32. Springer-Verlag, 1991. [172] Zhou Chaochen, M. R. Hansen, and P. Sestoft. Decidability results for Duration Calculus. In P. Enjalbert, A. Finkel, and K. W. Wagner, editors, STACS 93, volume 665 of Lecture Notes in Computer Science, pages 58{68. Springer-Verlag, 1993. [173] Zhou Chaochen, C. A. R. Hoare, and A. P. Ravn. A calculus of durations. Information Processing Letters, 40(5):269{276, December 1991. [174] Zhou Chaochen and Li Xiaoshan. A mean value calculus of durations. In Roscoe [142], pages 431{451. [175] Zhou Chaochen, A. P. Ravn, and M. R. Hansen. An extended Duration Calculus for hybrid real-time systems. In Grossman et al. [61], pages 36{59. [176] Zhou Chaochen, Wang Ji, and A. P. Ravn. A formal description of hybrid systems. In R. Alur, T. Henzinger, and E. Sontag, editors, Hybrid Systems III, Lecture Notes in Computer Science. Springer-Verlag, 1996. To appear.

oxford, uK: oxford university press. Singer p (1979) Practical Ethics. cambridge, uK: cambridge university press. Solter D, Beyleveld D, Friele MB, Holwka J, lilie H, lovellBadge r, Mandla c, Martin u, pardo avellaneda r, Wütscher F (2004) Embryo. R