We reflect on the formal development models applicable to embedded control systems in light of our experience with safety-critical applications from the aerospace domain. This leads us to propose two complementary enhancements to Parnas' four-variable model, one elaborating the structure outside the control computer, and the other elaborating the structure inside the control computer. We then identify several challenges which illustrate why formal development in this domain is difficult, and report our own progress in meeting these challenges. Finally, we outline the residual issues, which form the agenda for our future work.
展开▼
