Deriving Specifications for Systems That Are Connected to the Physical World

  • Cliff B. Jones
  • Ian J. Hayes
  • Michael A. Jackson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4700)


Well-understood methods exist for developing programs from formal specifications. Not only do such methods offer a precise check that certain sorts of deviations from their specifications are absent from implementations, but they can also increase the productivity of the development process by careful use of layers of abstraction and refinement in design. These methods, however, presuppose a specification from which to begin the development. For tasks that are fully described in terms of the symbolic values within a machine, inventing a specification is not difficult; but there is an increasing demand for systems in which programs interact with an external physical world. Here, the task of fixing the specification for the “silicon package” can be more challenging than the development itself. Such applications include control programs that attempt to bring about changes in the physical world via actuators and measure things in that external (to the silicon package) world via sensors. Furthermore, most systems of this class must tolerate failures in the physical components outside the computer: it then becomes even harder to achieve confidence that the specification is appropriate. This paper offers a systematic way to derive the specification of a control program. Furthermore, our approach leads to recording assumptions about the physical world. We also discuss separating the detection and management of faults from system operation in the absence of faults. This discussion is linked to the distinction between “normal” and “radical” design.





Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Cliff B. Jones: School of Computing Science, Newcastle University, NE1 7RU, England
  • Ian J. Hayes: School of Information Technology and Electrical Engineering, The University of Queensland, Brisbane, 4072, Australia
  • Michael A. Jackson: 101 Hamilton Terrace, London NW8 9QY, England
