Thierry Lecomte, ETMF 2016
TRANSCRIPT
[Figure: redundant two-chain architecture with a Voter. Labelled elements: Chain A, Chain B, inputsA, inputsB, outputs, Outputs (power), Outputs (command), Control.]
[Figure: development chain from Natural language requirement (« Only inactive sequences can be added to the active sequences execution queue. ») -> B Specification -> B Implementation -> C generated code -> Binary code, annotated "Behaviour + properties".]
Philosophy: avoid introducing errors during development (proof) instead of trying to detect them near the end of development (tests).
Proof (refinement)
Proof (coherence)
Proof (coherence)