Flush: an example of development by refinements in SCADE/Lustre

  • Jan Mikáč
  • Paul Caspi
Regular Paper


In the domain of safety-critical control systems, the Lustre/SCADE development environment has proved its value, with notable achievements such as the Hong Kong subway signaling system and the Airbus A380 flight controls. The interest of the approach comes from the synchronous data-flow style of the Lustre language, which makes it well adapted to the culture of control engineers. Moreover, Lustre is endowed with a simple formal semantics, which makes it amenable to formal development. The currently running Flush project consists of building a formal system development tool on top of Lustre, taking advantage of the language's formal properties. To this end, a refinement calculus is defined, encompassing both functional and temporal aspects. Refinement proof obligations are generated, and several proof approaches can be used to discharge them: model checking, abstract interpretation, and theorem proving through repeated induction and, finally, translation to PVS proof obligations. The resulting methodology is illustrated on the island example used by J.R. Abrial for presenting the B system method.
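The abstract's central step, generating a refinement proof obligation between an abstract node and its concrete refinement and discharging it by model checking, can be illustrated on a small example. The Python below is an added illustration, not code from the paper or the Flush tool, and it does not reproduce the paper's refinement calculus: it reduces Lustre nodes to step functions over state, expresses the functional refinement obligation as a synchronous observer ("at every instant the concrete output equals the abstract output") over the product of the two nodes, and explores the product's reachable states exhaustively. The lockout nodes, their state encodings and the checker are all constructed for this example; the buggy variant shows the kind of counter-wraparound defect such an obligation catches.

```python
"""Added illustration, not code from the paper or the Flush tool: a refinement
obligation between an abstract synchronous node and a concrete one, checked
with a synchronous observer over their product. The lockout nodes, the
state encodings and the checker are all constructed for this example."""
from collections import deque
from itertools import product

# Lustre semantics, reduced to the essentials: a node has an initial state
# and a step function mapping (state, inputs) to (next_state, output), and
# all nodes advance in lock step on the same instants.
# Inputs here are the booleans (fail, reset); the output is `locked`.


class SpecLockout:
    """Abstract specification: locked once three failures have been
    counted since the last reset, and sticky until the next reset.
    State is a saturating counter 0..3."""

    LIMIT = 3

    def init(self):
        return 0

    def step(self, count, fail, reset):
        if reset:
            nxt = 0
        elif fail:
            nxt = min(count + 1, self.LIMIT)
        else:
            nxt = count
        return nxt, nxt >= self.LIMIT


class ImplLockout:
    """Concrete node: a 2-bit counter plus an explicit sticky lock bit,
    the kind of encoding a hardware-minded implementer would choose."""

    def init(self):
        return (0, False)  # (count mod 4, locked)

    def step(self, state, fail, reset):
        count, locked = state
        if reset:
            return (0, False), False
        if fail and not locked:
            count = (count + 1) & 3
            locked = count == 3
        return (count, locked), locked


class BuggyLockout:
    """Same 2-bit counter, but `locked` is derived from the counter alone:
    a fourth failure wraps the counter to 0 and silently unlocks."""

    def init(self):
        return 0

    def step(self, count, fail, reset):
        if reset:
            count = 0
        elif fail:
            count = (count + 1) & 3
        return count, count == 3


INPUTS = list(product([False, True], repeat=2))  # every (fail, reset) pair


def check_refinement(spec, impl, max_depth=None):
    """Refinement obligation as a synchronous observer: at every instant,
    for every input, impl's output must equal spec's output.  The product
    of the two nodes is explored breadth-first over all reachable states,
    so for finite state spaces a None result is a proof, and any failure
    is reported as the shortest input trace that exposes it.
    max_depth bounds the exploration (bounded model checking)."""
    start = (spec.init(), impl.init())
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        (s, i), trace = queue.popleft()
        if max_depth is not None and len(trace) >= max_depth:
            continue
        for fail, reset in INPUTS:
            s2, out_spec = spec.step(s, fail, reset)
            i2, out_impl = impl.step(i, fail, reset)
            new_trace = trace + [(fail, reset)]
            if out_spec != out_impl:
                return new_trace  # counterexample to the obligation
            if (s2, i2) not in seen:
                seen.add((s2, i2))
                queue.append(((s2, i2), new_trace))
    return None


if __name__ == "__main__":
    print("ImplLockout refines SpecLockout:",
          check_refinement(SpecLockout(), ImplLockout()))
    print("BuggyLockout counterexample:",
          check_refinement(SpecLockout(), BuggyLockout()))
```

Exhaustive reachability is only a proof because both nodes have finite state; the abstract's other approaches (abstract interpretation, repeated induction, PVS) are what is needed once numeric state makes enumeration impossible. Note also that bounding the exploration to three instants reports no violation for the buggy node, since the wraparound needs a fourth failure: a bounded check discharges nothing beyond its bound.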


Formal development, Reactive systems, Synchronous language, Refinement, Temporal refinement


  1. Abrial, J.R.: The B-Book. Cambridge University Press, Cambridge (1995)
  2. Abrial, J.R.: B: A formalism for complete correct system development. Conference given at Inria Rhône-Alpes (1999)
  3. Behm, P., Desforges, P., Meynadier, J.: Météor: An industrial success in formal development. In: Bert, D. (ed.) B'98: Recent Advances in the Development and Use of the B Method. Lecture Notes in Computer Science, vol. 1393. Springer, Berlin (1998)
  4. Bergerand, J., Pilaud, E.: SAGA: a software development environment for dependability in automatic control. In: SAFECOMP'88. Pergamon Press, New York (1988)
  5. Brière, D., Ribot, D., Pilaud, D., Camus, J.: Methods and specification tools for Airbus on-board systems. In: Avionics Conference and Exhibition. ERA Technology, London (1994)
  6. Caspi, P., Curic, A., Maignan, A., Sofronis, C., Tripakis, S., Niebert, P.: From Simulink to Scade/Lustre to TTA: a layered approach for distributed embedded applications. In: Languages, Compilers and Tools for Embedded Systems, LCTES 2003. ACM-SIGPLAN, San Diego (2003)
  7. Caspi, P., Pouzet, M.: Synchronous Kahn networks. In: International Conference on Functional Programming. ACM SIGPLAN (1996)
  8. Colaço, J.L., Pouzet, M.: Type-based initialisation analysis of a synchronous data-flow language. In: Maraninchi, F. (ed.) SLAP02, Electronic Notes in Theoretical Computer Science, vol. 65.5. Elsevier Science B.V., Amsterdam (2002)
  9. Dumas, C., Caspi, P.: A PVS proof obligation generator for Lustre programs. In: 7th International Conference on Logic for Programming and Automated Reasoning. Lecture Notes in Artificial Intelligence, vol. 1955 (2000)
  10. Halbwachs, N., Caspi, P., Raymond, P., Pilaud, D.: The synchronous dataflow programming language Lustre. Proc. IEEE 79(9), 1305–1320 (1991)
  11. Halbwachs, N., Lagnier, F., Raymond, P.: Synchronous observers and the verification of reactive systems. In: Nivat, M., Rattray, C., Rus, T., Scollo, G. (eds.) Third International Conference on Algebraic Methodology and Software Technology, AMAST'93. Workshops in Computing, Springer, Twente (1993)
  12. Jeannet, B., Halbwachs, N., Raymond, P.: Dynamic partitioning in analyses of numerical properties. In: Static Analysis Symposium, SAS'99. Lecture Notes in Computer Science, vol. 1694. Venezia, Italy (1999)
  13. Jones, C.: Systematic Software Development using VDM. Prentice-Hall, Upper Saddle River (1990)
  14. Krüger, A., Kant, D., Buhlmann, M.: Software development process and software-components for x-by-wire systems. In: SAE World Congress (2004)
  15. LeGoff, G.: Using synchronous languages for interlocking. In: First International Conference on Computer Application in Transportation Systems (1996)
  16. Lamport, L.: The temporal logic of actions. ACM Trans. Prog. Lang. Syst. 16(3) (1994)
  17. Métayer, C., Abrial, J.R., Voisin, L.: Event-B language. Deliverable 3.2, RODIN IST-511599 Project (2005)
  18. Mikáč, J.: Raffinements et preuves de systèmes Lustre. Thèse de doctorat de l'INPG (2005)
  19. Mikáč, J., Caspi, P.: Temporal Refinement for Lustre. In: Maraninchi, F., Pouzet, M., Roy, V. (eds.) Synchronous Languages Applications and Programming, SLAP'05, Electronic Notes in Theoretical Computer Science. Elsevier Science, Edinburgh (2005)
  20. Owre, S., Shankar, N., Rushby, J., Stringer-Calvert, D.: PVS language reference. Tech. rep., SRI International (2001)
  21. Scaife, N., Sofronis, C., Caspi, P., Tripakis, S., Maraninchi, F.: Defining and translating a "safe" subset of Simulink/Stateflow into Lustre. In: Buttazzo, G. (ed.) 4th International Conference on Embedded Software, EMSOFT04. ACM, New York (2004)
  22. Sheeran, M., Stålmarck, G.: A tutorial on Stålmarck's proof procedure for propositional logic. Formal Methods Syst. Des. 16(1), 23–58 (2000)
  23. Spivey, J.: Understanding Z: a specification language and its formal semantics. Cambridge University Press, Cambridge (1988)
  24. Traverse, P., Lacaze, I., Souyris, J.: Airbus fly-by-wire: a total approach to dependability. In: IFIP World Congress, Toulouse. IFIP (2004)

Copyright information

© Springer-Verlag 2009

Authors and Affiliations

  1. INRIA Rhône-Alpes, Saint Ismier, France
  2. Laboratoire Verimag (CNRS, UJF, INPG), Gières, France
