Software Engineering for Real-Time Systems:
the Synchronous Approach can help.

Abstract
The synchronous approach to the development of real-time safety-critical systems has been studied for 20 years now, and has given birth to several languages, among which Lustre and Esterel, in France. Telelogic sells the programming environment Tau-Scade, based upon Lustre; Esterel is now developed by Esterel Technologies. They are both used for operational projects.

The basic models of concurrency and time, as defined by the synchronous paradigm, are now very well understood. However, there is still ongoing research in this area.

In the talk, we briefly review the main principles of the synchronous approach, and how it can be instanciated in two very different programming styles (with examples in Esterel for event-driven systems, in Lustre for sampled systems). We also explain how formal validation (testing, model-checking, connection to provers, etc.) can be applied to synchronous programs.

Then we show the new directions of research (mixing synchronous systems with asynchronous ones, focusing on properties related to the numerical aspects of systems, extending the languages with new constructs, ...).

The last part of the talk is devoted to the presentation of the SeeS project at Verimag (``Software Engineering for Embedded Systems''). The goal of the project is to define a software development methodology for embedded real-time systems, powered by a very early use of formal specification and verification techniques, and able to produce efficient embeddable code.

The general idea is to try and adapt the more traditional software engineering methods to the case of embedded systems. For this purpose, there are mainly two approaches.

The first one starts from very high level design techniques, and introduces some elements related to the constraints imposed by the implementation (timing, memory, etc.). For instance, a lot of real-time patterns have been proposed, in the UML framework. The main problem with this approach is that the models used at this very high level are far from the well-formalized models of time and concurrency needed for the validation of real-time safety-critical systems. Even if these methods help in taking timing constraints into account at a very early stage of development, there is little support for formal validation of these constraints.

SeeS adopts the second approach, which is in some sense bottom-up. Starting from the well-understood techniques that we use for implementing and validating real-time software in the synchronous approach, we propose to define the higher level design phases, in an object-oriented style. For instance, one of the goals is to apply the ``design by contract'' principles to real-time components. This requires that we extend the notion of contract to accomodate real-time aspects; we also need to understand how objects can fit in a synchronous language; and finally we need to apply validation tools for the proofs induced by the definition of contracts.