CLEOPATRA Building Responsive Systems from Physically-correct Speci cations

Predictability { the ability to foretell that an implementation will not violate a set of speci ed reliability and timeliness requirements { is a crucial, highly desirable property of responsive embedded systems. This paper overviews a development methodology for responsive systems, which enhances predictability by eliminating potential hazards resulting from physically-unsound speci cations. The backbone of our methodology is the Time-constrained Reactive Automaton (TRA) formalism, which adopts a fundamental notion of space and time that restricts expressiveness in a way that allows the speci cation of only reactive, spontaneous, and causal computation. Using the TRA model, unrealistic systems { possessing properties such as clairvoyance, caprice, in nite capacity, or perfect timing { cannot even be speci ed. We argue that this \ounce of prevention" at the speci cation level is likely to spare a lot of time and energy in the development cycle of responsive systems { not to mention the elimination of potential hazards that would have gone, otherwise, unnoticed. The TRA model is presented to system developers through the CLEOPATRA programming language. CLEOPATRA features a C-like imperative syntax for the description of computation, which makes it easier to incorporate in applications already using C. It is event-driven, and thus appropriate for embedded process control applications. It is object-oriented and compositional, thus advocating modularity and reusability. CLEOPATRA is semantically sound; its objects can be transformed, mechanically and unambiguously, into formal TRA automata for veri cation purposes, which can be pursued using model-checking or theorem proving techniques. Since 1989, an ancestor of CLEOPATRA has been in use as a speci cation and simulation language for embedded time-critical robotic processes. This research was partially conducted while the author was at Harvard University and was partially supported by DARPA N00039-88-C-0163.