ii

“program” — 2005/5/2 — 10:23 — page 1 — #1 ii

ii

ii

10th International Conference on

Reliable Software Technologies

Ada-Europe 2005

York, UK, June 20{24, 2005

ADVANCE PROGRAMME

http://www.ada-europe.org/conference2005.html

ii

“program” — 2005/5/2 — 10:23 — page 2 — #2 ii

ii

ii

PresentationThis year the 10th International Conference on Re-liable Software Technology takes place in York dur-ing the week of June 20th–24th . The conferencehas a number of highlights including three keynotepresentations by John McDermid, Martyn Thomasand Bev Littlewood, a full three day technical pro-gramme of fully refereed papers (including one dayon industry focused presentations), an industrial ex-hibition with more than ten exhibitors, two daysof tutorials including a special half day presenta-tion on the new Ada 2005 language by four of itsdesigners: John Barnes, Alan Burns, Pascal Leroyand Tucker Taft.

The conference offers an international forum forresearchers, developers and users of reliable soft-ware technologies. Presentation and discussionscover applied and theoretical work currently con-

ducted to support the development and mainte-nance of software systems.

York is a beautiful and historical (small) cityin the north of the UK. It has a first class uni-versity with one of the best Computer Science de-partments in the world. The department has beeninvolved with the development of programming lan-guages for a number of years (indeed it ran the firstseries of technical meetings on Ada in the 1970s). Itis pleased to host this meeting on reliable softwaretechnology.

York can be reached easily by train from Lon-don (approximately two hours) or Manchester air-port. The conference is held at the Royal York Ho-tel which is adjacent to the York train station a fewminutes from the centre of York and the Minster(Cathedral).

Overview of the WeekMorning Late Morning After Lunch Afternoon

MondayJune 20thTutorials

J.-P. RosenDeveloping Web-aware Applications in Ada with AWS

J. L. Tokar & B. LewisSAE Architecture Analysis and Design Language

P. Amey & N. WhiteCorrectness by Construction—A Manifesto for High

Integrity Engineering

B. DobbingHigh-Integrity Ravenscar Using SPARK

B. M. BrosgolReal-Time Java for Ada Programmers

TuesdayJune 21stSessions &Exhibition

Invited Talk:John McDermid

Model-based Developmentof Safety-critical Software:

Opportunities andChallenges

Applications Formal Methods Ada and Education,Distributed Systems

Design and SchedulingIssues Vendor Session

WednesdayJune 22ndSessions &Exhibition

Invited Talk:Martyn ThomasExtreme Hubris

IndustrialPresentations

IndustrialPresentations

IndustrialPresentations

ThursdayJune 23rdSessions &Exhibition

Invited Talk:Bev Littlewood

Assessing theDependability of

Software-based Systems: AQuestion of Confidence

Certification andVerification Language Issues Ravenscar Technology

FridayJune 24thTutorials

J. Barnes, A. Burns, P. Leroy, S. T. TaftAda 2005

M. HeaneyProgramming with the Ada 2005 Standard Container

Library

W. BailRequirements Engineering for Dependable Systems

P. RogersSoftware Fault Tolerance

J. McDermid, R. WeaverSoftware Safety Cases

2 Ada-Europe 2005

ii

“program” — 2005/5/2 — 10:23 — page 3 — #3 ii

ii

ii

Invited SpeakersModel-based Development ofSafety-critical Software:Opportunities and ChallengesJohn McDermid,University of York, UK

Tuesday June 21st , 9:00

There is a growing use of model-based software develop-ment, including the automatic generation of code fromthe models, in mainstream software engineering. Thereis a perception that the use of such technology couldreduce the cost of safety critical software development.The use of model-based approaches offers some bene-fits, including better validation of designs, and shorterchange cycles. However, it also has some problems, in-cluding the trustworthiness of code generation methodsand tools, and the comparatively low level of abstrac-tion at which the tools operate. The talk will discussthe opportunities and challenges of model-based devel-opment, including the role of program-level verification,aiming to identify the likely future development of suchtechnology.

PresenterJohn McDermid has beenProfessor of Software Engi-neering at the University ofYork since 1987. He runs theHigh Integrity Systems Engi-neering research group whichis probably the world’s largestacademic group focusing onsystems and software safety.He has undertaken researchon a range of topics including

hazard and safety analysis, safety cases, requirements en-gineering and formal methods, and has been successfulin transferring research results into industry, especiallythe aerospace and defence industries. He has been influ-ential in the development of standards for safety criticalsystems and software, including guiding the developmentof Issue 3 of Defence Standard 00-56.

Extreme HubrisMartyn Thomas,Thomas Associates, UK

Wednesday June 22nd , 9:00

The software industry frequently behaves like a fashionbusiness, with crazes taking hold on the basis of novelty,an attractive name, and a few memorable slogans. Thecurrent infatuation with “extreme programming” is onesuch craze that combines several valuable but largely un-original approaches to software development with severalthat are original but unhelpful or actively dangerous.

This talk examines the principles of XP, distinguish-ing the sane from the absurd, and proposes an alterna-tive Manifesto for Dependable Software Development.

Presenter

Martyn Thomas is an inde-pendent consultant softwareengineer. He specialises inthe assessment of large, real-time, safety-critical, softwareintensive systems, softwareengineering, and engineeringmanagement. He is a mem-ber of the Expert Witness In-stitute and acts as an expertwitness where complex soft-

ware engineering issues are involved.He is Visiting Professor in Software Engineering at

the University of Oxford, and a Visiting Professor atthe University of Bristol and the University of Wales,Aberystwyth.

In 1983, he founded Praxis, to exploit modern soft-ware development methods. Martyn Thomas serves onthe IT policy-making bodies of both UK professionalcomputing institutions, the British Computer Society(BCS) and the Institution of Electrical Engineers (IEE).He chairs the steering committee for the UK’s majorresearch collaboration in dependable systems, DIRC,and he is the only European member of a US NationalAcademy of Sciences study into Certifiably DependableSoftware.

Assessing the Dependability ofSoftware-based Systems: AQuestion of Confidence

Bev Littlewood,City University, London, UK

Thursday June 23rd , 9:00

Issues of uncertainty lie at the heart of dependabilityassessment. Most obviously, we cannot predict with cer-tainty when a system will fail—that’s why we use proba-bilistic measures of dependability (mean time to failure,failure rate, probability of surviving mission time, etc.).Less obviously—and often ignored—is the uncertaintyassociated with assessments of uncertainty. Claims suchas ‘this system has a probability on demand better than10−3’ can never be made with certainty. Uncertaintyabout the truth of such a claim might come from weak-ness (or paucity) of supporting evidence for the claim; itmight arise because we are uncertain about the truth ofsome underlying assumptions. In the talk I shall suggestthat we need to associate with dependability claims anacknowledgement (and assessment) of this uncertaintyabout the truth of a claim. Essentially, we need tosay how confident we are in the truth of the claim. Ishall argue that probability is sometimes an appropri-ate formalism to represent confidence. I shall speculateabout similarities between confidence in arguments anddependability of systems. For example, I shall claimthat just as we can use design diversity to increase the

Ada-Europe 2005 3

ii

“program” — 2005/5/2 — 10:23 — page 4 — #4 ii

ii

ii

dependability of a system, so we can use argument di-versity (multi-legged arguments) to increase confidencein claims. I shall suggest that, in addition to ALARP(As Low As Reasonably Practicable), which concerns thelevel of dependability of a system, we need ACARP (AsConfident As Reasonably Practicable). Needless to say,some of this stuff might be a bit controversial...

PresenterBev has worked for many years on problems associatedwith the modelling and evaluation of dependability ofsoftware-based systems, and has published many papersin international journals and conference proceedings andhas edited several books. He is a member of IFIP Work-ing Group 10.4 on Reliable Computing and Fault Tol-erance, of the BCS Safety-Critical Systems Task Force,and of the UK Computing Research Committee. He is

currently serving his secondterm as Associate Editor ofthe IEEE Transactions onSoftware Engineering, and ison the editorial boards of sev-eral other international jour-nals. He is a member of theUK Nuclear Safety AdvisoryCommittee, and of its Re-search Committee; he is a Fel-

low of the Royal Statistical Society.Bev Littlewood has degrees in mathematics and statis-tics, and a PhD in Statistics and Computer Science. Hefounded the Centre for Software Reliability at City Uni-versity, London, in 1983 and was its Director from thenuntil 2003. He is currently Professor of Software Engi-neering at City University.

Special Tutorial: Ada 2005

This tutorial is at a reduced price for those attending the main conference (and includes lunch).

Ada 2005

John Barnes, Alan Burns, Pascal Leroy,S. Tucker Taft

Friday June 24th, morning

Another ten years has passed, and it is time to updatethe Ada standard. This tutorial focuses on the new ver-sion of the language that is currently being finalised.

Ada people will recall that the development of Ada95 from Ada 83 was an extensive process funded bythe USDoD. Formal requirements were established af-ter comprehensive surveys of user needs and competitiveproposals were then submitted resulting in the selectionof Intermetrics as the developer under the leadership ofTucker Taft. The whole technical development processwas then comprehensively monitored by a distinct bodyof Distinguished Reviewers. Of course, the process wasalso monitored by the ISO committee concerned and thenew language finally became an ISO standard in 1995.

The development of Ada 2005/6 from Ada 95 hasbeen (and continues to be) on a more modest scale. Thework has almost entirely been by voluntary effort withsupport from within the industry itself through bodiessuch as the Ada Resource Association and Ada-Europe.The Ada Rapporteur Group (the ARG) is drafting therevised standard. The editor, who at the end of the dayactually writes the words of the standard, is the inde-fatigable Randy Brukardt. The current aim is to havethe amendment to the language (the new version of Adais strictly speaking an amendment of the Ada 95 stan-dard) completed by mid 2005, with formal acceptanceof the document defining the changes occurring towardsthe end of 2005 or early 2006 (so it might be Ada 2006).

This tutorial will give an overview of the Ada 2005/6language. The presenters are four of the key members ofthe ARG—John Barnes, Alan Burns, Pascal Leroy (chair ofARG) and Tucker Taft.

The scope of the changes can be summarised as fol-lows:

1. Improvements to the OO model, including the useof Java-like Object.Op notation

2. Introduction of Java-like interfaces (interface is anew reserved word)

3. More flexible access types4. Enhanced structure and visibility control, including

a new limited with clauses which permit types intwo packages to refer to each other.

5. Tasking and real-time improvements, including:• new dispatching policies (non-preemptive, round

robin and earliest deadline first—EDF) that workindividually or together to support hierarchicaldispatching,

• various forms of budget control (for individualtasks and for groups of tasks),

• dynamic ceilings for protected objects,• timing event that are executed when external

time reaches a specified value,• handlers that are executed when tasks terminate,

and• protected, task and synchronized interfaces.

6. Improvements to exceptions, generics etc.7. Extensions to the standard library packages, in-

cludes a comprehensive Container library (coveredin another tutorial)Together these changes represent a significant en-

hancement to Ada. Now is the time to improve yourknowledge of Ada 2005.

4 Ada-Europe 2005

ii

“program” — 2005/5/2 — 10:23 — page 5 — #5 ii

ii

ii

TutorialsDeveloping Web-awareApplications in Ada with AWS

Jean-Pierre Rosen, Adalog, France

Monday June 20th, morning

This tutorial describes AWS, the Ada Web Server, andhow to use it for the development of web-aware applica-tions. It describes the principles of AWS, from the mostbasic functionality to more advanced functions (authen-tication, SOAP interface, session management, hotplugs,multi-server applications, etc.). The seminar emphasisespractical usage of AWS, and presents design patternsthat have proved effective for developing existing appli-cations. It compares the development process with AWSto other techniques.

The tutorial provides attendees with the informationneeded to assess whether AWS is appropriate to theirneeds, and the necessary knowledge to start writing full-scale Web applications.

Presenter

J.-P. Rosen graduated fromENST in 1975, and obtainedhis PhD in 1986.

He started as a softwareengineer at the computingcenter of ENST. After a Sab-batical at New York Univer-sity on the Ada/ED Project,he worked as Professor atENST, where he was respon-sible for the teaching of Soft-ware Engineering and Ada.

He has now formed Ada-log, a company specialized in high level training, consul-tancy, and software development in the fields of Ada andOOD.

J.-P. Rosen is Chairman of the AFNOR (Frenchstandardization body) group for Ada, and the authorof “Methodes de Genie Logiciel avec Ada 95” (SoftwareEngineering Methods with Ada 95) and “HOOD: an in-dustrial approach for software development”.

Why should you participate in this tutorial?

AWS is more than a simple Web server, it allows incor-poration of Web technology into applications where theWeb interface is only part of the problem. By attendingthis tutorial, participants will gain in-depth understand-ing of the issues of Web interfaces, and will discover newsolutions to common problems, like using a browser asa GUI or providing control through Web interfaces toreal-time programs.

Correctness by Construction—AManifesto for High IntegrityEngineering

Peter Amey & Neil White, Praxis HighIntegrity Systems, UK

Monday June 20th, morning

Two of the major recurring issues in systems and soft-ware engineering are unacceptably high defect rates, andlack of ability to make changes over a significant periodof time in a reliable manner. These issues frequentlycause major impact on the usability and maintainabilityof systems, and this impact becomes intolerable whencomponents of the system become unmaintainable, orwhen high levels of security accreditation or safety cer-tification must be achieved.

This tutorial presents the Correctness by Construc-tion high integrity approach to systems and software en-gineering. Correctness by Construction is based on aset of principles, distilled from practical project expe-rience, to realize systems and software engineering out-puts with very low defect rate and very high resilience tochange. These principles can be applied most effectivelyto new developments and upgrades. However some ofthe same principles can also be applied retrospectivelyto improve the maintainability and upgradability of ex-isting systems.

Topics covered in the tutorial include:1. The challenges that we face2. How Correctness by Construction addresses the

challenges(a) Validating the concepts of operation(b) Risk-directed requirements engineering(c) Formal specification(d) Rigorous design and implementation based on

static analysis(e) Making the case for safety and security(f) Maintaining correctness through long-term up-

grades3. Correctness by Construction in action—project ex-

amples

Presenter

Neil White is an experiencedsoftware engineer and a spe-cialist in high-integrity sys-tems. He has designed, built,validated, and certified sys-tems in the aerospace, naval,telecommunications and fi-nancial domains. The soft-ware he has worked on is cur-rently serving on ships, sub-marines, a variety of aircraft,and in over a million televi-

sion set-top boxes in homes around the country. Re-cently he has been developing a rigorous framework forthe disciplined use of UML to document designs.

Ada-Europe 2005 5

ii

“program” — 2005/5/2 — 10:23 — page 6 — #6 ii

ii

ii

Peter Amey is an aero-nautical engineer by origi-nal professional training. Heserved as an engineering of-ficer in the Royal Air Forceand spent several years at theBoscombe Down test estab-lishment working on the certi-fication of aircraft armamentsystems. Peter joined Pro-gram Validation Limited in1992 to develop SPARK and

the SPARK Examiner and continues that work todaywith Praxis High Integrity Systems. As well as devel-oping SPARK he has used it on major programmes in-cluding Tornado, Eurofighter and the Lockheed C130J.Peter, now Chief Technical Officer at Praxis, teachesSPARK and Ada on a regular basis and has lecturedwidely on the development of critical systems.

Why should you participate in this tutorial?

The challenge of producing software that has anacceptably-low defect rate is hard enough. To do so un-der time and budget pressures is harder still. Yet thepressures grow ever stronger and the trust we place insoftware-intensive systems continues to rise. There is apressing need to find ways of producing high-integritysoftware at an acceptable cost.

Over the past 16 years, Praxis has evolved a practi-cal approach to software development which delivers ex-ceptionally low defect rates with very high productivity.The approach eschews the use of fashionable technolo-gies and silver bullets preferring an engineering approachwhich favours error prevention and relentless error elim-ination at every stage of development. The result is adevelopment process that generates a continuous forwardflow from requirements to implementation.

The tutorial will describe how this approach, whichhas come to be called Correctness by Construction worksand how it has been applied to significant, real-worldprojects.

Real-Time Java for AdaProgrammers

Benjamin M. Brosgol, AdaCore, USA

Monday June 20th, full day

Although the term “real-time Java” may sound self-contradictory, serious technical activity has been under-way since early 1999 on extending the Java platform tosatisfy the requirements for real-time systems, and sev-eral implementations exist. This work is relevant to theAda community as both a challenge and an opportu-nity. On the one hand, it may compete with Ada in thereal-time marketplace, but on the other hand some of itsideas may be worthy of consideration in a future versionof the Ada language.

This tutorial will focus on the Real-Time Specifi-cation for Java (“RTSJ”), which was developed by theReal-Time for Java Expert Group under the auspices ofSun Microsystems’ Java Community Process. The tuto-rial will analyze/critique the Java platform with respect

to real-time support, summarize/illustrate the main el-ements of the RTSJ, and compare/contrast the designwith Ada’s real-time features (both in Ada 95 and un-der consideration for Ada 05). The tutorial will alsooutline the main aspects of the J-Consortium’s “CoreExtensions” (a competing real-time Java approach), willdescribe a proposed high-integrity profile for the RTSJ,and will provide a status update on the real-time Javawork and its usage and prospects.• Introduction

1. Requirements for real-time programming2. Background and goals of real-time Java activities3. Summary of Java thread model4. Critique of Java platform for real-time support

• Pervasive technical issues1. Priority inversion management2. Garbage collection3. Object Oriented Programming and real-time sys-

tems• The Real-Time Specification for Java

1. Summary2. Concurrency, scheduling and synchronization3. Memory management4. Asynchrony5. Other features6. Comparison with “Core Extensions” from the J-

Consortium7. Comparison with Ada8. High-integrity profile

• Conclusions1. Status of the definition and implementation of

Real-Time Java2. Assessment of Real-Time Java3. What Ada can learn from Real-Time Java.

Presenter

Dr. Brosgol has over 25years of experience in thecomputer software industry,with a focus on programminglanguages, software develop-ment methods, and real-timesystems. He was a primarymember of the Real-Time forJava Expert Group and aco-author of the Real-Time

Specification for Java. He is currently a member of theTechnical Interpretations Committee for the RTSJ, andhe has also served as a reviewer of the J-Consortium’sCore Extensions. He has delivered Java tutorials andcourses since 1997, and the proposed tutorial will bean up-to-date version of the “Real-Time Java for AdaProgrammers” tutorial that he delivered at Ada Europe2004 and SIGAda 2004.

Dr. Brosgol is an internationally-recognized experton Ada. He participated in both the initial language de-sign and the Ada 95 revision, and he is a past chairmanof the ACM’s Special Interest Group on Ada (SIGAda).He has published numerous papers on Ada, has deliveredpresentations and tutorials at many Ada Europe andSIGAda conferences, and has been conducting courseson real-time programming in Ada since the late 1980s.He was an invited keynote speaker at the 2003 SIGAda

6 Ada-Europe 2005

ii

“program” — 2005/5/2 — 10:23 — page 7 — #7 ii

ii

ii

conference, where his topic was “Ada and Real-TimeJava: Cooperation, Competition, or Cohabitation?” Heis a senior member of AdaCore’s technical staff in theUS, in the Boston area.

Why should you participate in this tutorial?

• You will learn the pros and cons of the Java threadmodel, both in general and for real-time applications.

• You will see how real-time Java addresses the apparent“show stopper” problem of garbage collection.

• You will be able to judge whether real-time require-ments can be met by a “pure” Object-Oriented Lan-guage.

• You will understand the effect of a dynamic and flex-ible scheduling approach, in terms of expressibility,predictability, and performance.

• You will discover who is using real-time Java, and forwhat sorts of. applications.

SAE Architecture Analysis andDesign Language

Joyce L. Tokar, Pyrrhus Software, USA,Bruce Lewis, US Army, USA

Monday June 20th, afternoon

The Architecture Analysis and Design Language(AADL) is an architecture description language (ADL)that has been developed under the auspices of the Inter-national Society of Automotive Engineers (SAE), Avion-ics Systems Division (ASD) Embedded Computing Sys-tems Committee (AS-2). The AADL was approved asan SAE standard in November of 2004.

The language has been defined to provide a consis-tent and concise notation, both textual and graphical,to be used to develop models of complex, real-time, crit-ical systems such as those used in automotive, avionics,medical, robotic, and space-based systems. The AADLprovides the notation to perform various types of analy-sis of the complex critical systems.

In the early stages of design, the AADL enables thedefinition of the preliminary connectivity between ap-plication and execution platform components. As anAADL model is developed, additional components andproperties are specified. The properties provide the in-formation needed by analysis tools to determine the be-haviour and performance of the system being modelled.The AADL has been designed to facilitate the develop-ment of tools that provide automatic code generationof the system both in terms of the application softwarecomponents and the underlying execution environment.The AADL may be used to verify an actual systemagainst the specified model.

With automatic code generation, the AADL offersa system model that maintains significant informationabout a system that is useful throughout the lifetime ofthe system. Thus, the AADL offers support for all stagesof system development.

This tutorial will provide an introduction to theAADL language from a textual and graphical perspec-tive. It will also demonstrate the relationship betweenexisting systems and AADL models. The tutorial will

present several uses of the AADL in the design and anal-ysis of safety-critical real-time systems. The tutorial willalso demonstrate the relationship between AADL mod-els and UML models.

Presenter

Joyce Tokar has investedmore than seventeen years ofresearch and development inthe improvement of embed-ded systems technology, highlevel computing languages,and software and systems ar-chitectures. A recognizedleader in the embedded sys-tems community, Dr. Tokarhas received numerous awards

for her contributions including the Outstanding AdaCommunity Contribution Award 2000. Dr. Tokar hasco-authored numerous papers and reports including theSociety of Automotive Engineering Architecture Analy-sis and Description Language standard. Dr. Tokar re-ceived her PhD in Computer Engineering from ClemsonUniversity. She holds an MS and a BS in ComputerScience from the University of Pittsburgh.

Bruce Lewis is a seniorexperimental developer forthe US Army’s Aviation andMissile Command, Research,Development and Engineer-ing Laboratory, Software En-gineering Directorate (SED).His work has focused on soft-ware architecture, reuse, andsystem evolution since 1991.He has served as the gov-

ernment lead on various DARPA projects related toADLs and real-time systems, including those developingMetaH. He is the chairman of the AADL standardizationcommittee.

Why should you participate in this tutorial?

The AADL is designed to support the declaration andanalysis of systems comprised of software and hardwaremodules. As such, an understanding of AADL how soft-ware and execution platform components are representedand how they interact in an AADL model is beneficialto a variety of users.

This tutorial is useful to software and systems man-agers responsible for the development and integrationof complex critical systems. This tutorial will providea tool vendor with the information necessary to de-velop tools to support the development and analysis ofsource code and AADL models. Programmers will learnabout the relationship between source code and the cor-responding AADL specifications. This tutorial will beuseful to system integrators who are responsible for de-veloping a definition of the form of components that areacceptable for integration.

This tutorial is suitable for senior software and sys-tems engineers as an introductory course; the tutorialdoes not presume prior knowledge of AADL. The atten-dees should have an understanding of the fundamentalsof the development of complex, critical real-time sys-

Ada-Europe 2005 7

ii

“program” — 2005/5/2 — 10:23 — page 8 — #8 ii

ii

ii

tems.Attendees may learn more about AADL at

www.aadl.info

High-Integrity Ravenscar UsingSPARK

Brian Dobbing, Praxis High IntegritySystems, UK

Monday June 20th, afternoon

SPARK is a well-established, unambiguous and fully-analysable annotated subset of Ada. In its original formSPARK excluded all forms of concurrency because weak-nesses in the Ada tasking model made it incompatiblewith the design goals of SPARK. The advent of theRavenscar Profile has provided an opportunity to ex-tend SPARK to include concurrency and to enable theSPARK Examiner to analyse concurrent programs.

The tutorial will describe the way SPARK has beenextended to include the Ravenscar Profile and how staticanalysis techniques can eliminate all of the erroneousbehaviour, bounded errors and implementation-definedbehaviour that remain in the concurrency model definedby the Profile.

The outcome of the tutorial will be an apprecia-tion of how the RavenSPARK language and supportingtoolset can be used to develop concurrent programs thatare suitable for deployment at the highest safety andsecurity integrity levels.

Topics will include:1. An introduction to the Ravencar Profile2. An introduction to SPARK3. Errors and problems inherent in the Profile4. RavenSPARK in practice

(a) Program building blocks(b) Sample program—how errors are detected stat-

ically(c) Partition-wide flow analysis

Presenter

Brian Dobbing has presentedpapers and tutorials at ma-jor international conferencesfor the past twenty years. Hehas been actively involved inall aspects of Ada since 1979,including language standard-ization, Ada product develop-ment environments, and for-mal safety certification of Adaruntime systems. Brian is oneof the main designers of theRavenscar Profile Ada task-

ing subset for high integrity systems, and has played amajor role in its inclusion in the forthcoming Ada 2005standard. Within Praxis High Integrity Systems, Brianis a leading member of the Correctness by Constructionteam, which includes the SPARK language and productcapabilities. Brian was a key designer of the additionof support for the Ravenscar profile to the SPARK lan-guage and toolset, which is the subject of this tutorial.

Why should you participate in this tutorial?

All software engineers should aspire to the goal of gen-erating programs that have very low numbers of defectsand very high resilience to change. This goal shouldapply not only to high integrity software, but to allprofessionally-produced programs. As programs becomemore complex, the use of concurrency and interrupts hascaused traditional verification techniques based on test-ing alone to become insufficient. One of the key compo-nents in establishing the absolute correctness of softwareis static analysis of the design and the code, since this isbased on formality rather than on test sampling. If youare involved in complex software engineering, you needto appreciate what the RavenSPARK language can offerin terms of establishing the correctness of programs with-out resorting to hugely elaborate and exhaustive testing.

Software Safety Cases

John McDermid, Rob Weaver,University of York, UK

Friday June 24th, full day

Current best practice in the development of safety criti-cal software requires the construction of a software safetycase to demonstrate the acceptability of software in itssystem context. This is a process that should go hand inhand with software development to ensure that appro-priate software safety evidence is obtained. This tutorialexplains the role safety cases play in the developmentand certification of safety critical software. Specifically,the tutorial will consider the construction and presenta-tion of software safety cases.

The tutorial will start with the basics of safety casesand how they can be used to show that safety require-ments are satisfied by a set of safety evidence. The roleof the safety argument within the safety case will be ex-plained, including how its development can be used toidentify suitable items of safety evidence to support thesafety case. Building upon this we will examine softwaresafety cases, in particular the principles and standardsthat affect their development. We shall consider con-struction and presentation of software safety cases fromthe perspective of the principles of software safety andthe requirements laid down in standards such as Issue 3of DS 00-56, MoD’s main safety standard. The role of asoftware safety case in the software development lifecy-cles will be discussed.

The tutorial will combine presentations with exer-cises to familiarise the attendees with the concepts in-troduced. Examples will be used throughout to demon-strate how software safety cases can be practically devel-oped. The exercises will give an opportunity for handson experience of constructing software safety arguments.This will help expand attendee’s skills at identifyingtypes of software safety evidence and their understand-ing of how evidence is combined to show the acceptabilityof software with respect to safety.

Presenter

John McDermid—see Biography in Invited Speaker Sec-tion

8 Ada-Europe 2005

ii

“program” — 2005/5/2 — 10:23 — page 9 — #9 ii

ii

ii

Dr. Rob Weaver is aTeaching Fellow in the De-partment of Computer Sci-ence and the University ofYork. Rob has been a full-time academic since 1999, thefocus of his research beingSafety. In particular Rob’s re-search concerns the effect ofsoftware on system safety and

the construction and presentation of safety cases. Helectures on the advanced MSc in Safety Critical SystemsEngineering as well as presenting on industrial coursesin System Safety Engineering and Management.

Why should you participate in this tutorial?

This tutorial will give you an opportunity to learn aboutcurrent best practice in software safety case develop-ment. The tutorial will explain how, as part of thisprocess, software safety evidence is first identified andthen combined to show safety. This process goes handin hand with software design and implementation, andthus forms an integral part of the safety critical softwaredevelopment lifecycle.

The tutorial will give you a view of the changing em-phasis in system safety cases. Previous practice relied ona process-based approach to development of safety crit-ical software, but such standards inevitably lag behindtechnology, and can be seen as restrictive. Emerging bestpractice uses an evidence-based approach to demonstrat-ing software safety as part of a system safety case.

Requirements Engineering forDependable Systems

William Bail, The MITRE Corporation,USA

Friday June 24th, morning

The development of large, complex software-intensivesystems has proven to be a significant and persis-tent challenge, despite continuing optimism about thechances for success. The experience of government andindustry has been less than encouraging, yet the needfor new complex systems is ever-increasing. We havehad some dramatic failures, yet we still have needs fornew and improved systems. When we look at systemsthat have a need to be highly dependable or even safety-critical, we recognize the urgency in finding solutions—the current situation is clearly untenable. Unfortunately,as we mature our understanding of software developmentand improve our processes, it seems that the complexityof the systems we want to develop grows almost exponen-tially. In post-mortem analyses of project failures and“near-failures”, one common root cause that has beenidentified has been the (mis)treatment of requirements.This result is not surprising since requirements form thefoundation of all development. A fragile foundation doesnot provide a good basis for a sound, dependable system.

This tutorial will examine in detail the nature androle of requirements. It will discuss the various types ofrequirements and their role in development, as well astheir impact to system success. The different ways that

requirements need to be handled will be analyzed, andrecommended techniques for process improvements willbe discussed. An overview of traditional approaches willbe provided, with an assessment of their strengths andweaknesses. In addition, a set of common challenges willbe presented, together with strategies for how to managethem. Sample challenges include the impact of changingrequirements and uncertain operational environments.While the tutorial will not specifically address particu-lar approaches to requirements definition (such as toolsand techniques), it will characterize classes of these tech-niques, and provide recommendations for how to selectthe appropriate ones for projects of interest.

The overall goal of the tutorial is to enable the at-tendees to effectively identify and handle requirementsin their systems, as well as to implement improvementsto their development processes to avoid common pitfallsthat have historically plagued projects. The tutorial willalso assist attendees in identifying risk areas within theirprojects, and in planning for effective mitigation activi-ties.

PresenterSince 1990, Dr. Bail hasworked for The MITRE Cor-poration in McLean VA asa Computer Scientist in theSoftware Engineering Center(SWEC). MITRE is a not-for-profit corporation charteredto provide systems engineer-ing services to the U.S. Gov-ernment agencies, primarilythe DoD, the FAA, and theIRS. Within MITRE, the

SWEC focuses on supporting various programs with con-sultation, particularly transitioning emerging technolo-gies into practice.

Dr. Bail’s technical areas of focus include depend-able software design and assessment, error handling poli-cies, techniques for software specification development,design methodologies, metric definition and application,and verification and validation. At MITRE, Dr. Bailis currently supporting the U.S. Navy, focusing on thepractice of software engineering within PEO IWS (Inte-grated Warfare Systems), particularly as applied to largereal-time systems. Prior to 1990, Dr. Bail worked at In-termetrics Inc. in Bethesda MD.

Previously, Dr. Bail taught part-time at The Univer-sity of Maryland from 1983-1986 in the Computer Sci-ence Department for undergraduate courses in discretemathematics, computer architecture, and programminglanguage theory. Since 1989 he has served as a part-timeAdjunct Associate Professor at the University of Mary-land University College where he develops instructionalmaterials and teaches courses in software engineering,in topics such as Software Requirements, Verificationand Validation, Software Design, Software Engineering,Fault Tolerant Software, and others.

Why should you participate in this tutorial?If you are responsible for the development of a criti-cal software intensive system, this tutorial will help youplan for and implement effective requirements processes,

Ada-Europe 2005 9

ii

“program” — 2005/5/2 — 10:23 — page 10 — #10 ii

ii

ii

helping you to manage your requirements from inceptionthrough deployment, and assist in avoiding many of thecommon pitfalls that many projects have encountered.

Software Fault TolerancePatrick Rogers, AdaCore, USAFriday June 24th, afternoon

Software for current safety-critical applications, e.g.,flight control systems, is both large and complex, suchthat full testing is not feasible. Furthermore, completeproofs of correctness are at best inherently limited bythe potential for specification errors. The combination ofpotential specification errors and overall complexity de-fine a problem of handling unanticipated software faults.Software fault tolerance is the use of software mecha-nisms to deal with these unanticipated software faults.

This half-day tutorial explores the software-basedtechniques and mechanisms available for toleratingunanticipated software design faults in safety-criticalsystems. We examine the rationale for tolerating soft-ware faults, the similarities to mechanisms for toleratinghardware faults, and the advantages and disadvantagesof the common techniques. Special attention is paid tothe concept of design diversity as the underlying theoryfor the most widely-used mechanisms (e.g., N-VersionProgramming) and, in particular, whether design diver-sity can achieve the extremely low failure rates requiredfor safety-critical systems. The mechanisms explored areillustrated with concrete implementations using Ada 95.This leads to a discussion of the issues of concurrencyand exceptions in safety-critical applications and the ap-propriate application of language features.

Participants will have an appreciation of the neces-sity for tolerating software faults as well as a firm founda-tion for further study and informed application of avail-able mechanisms. A bibliography of suggested readingis provided to that end.

PresenterPatrick Rogers is a seniorMember of the Technical Staffwith Ada Core Technologies,specializing in high-integrityapplication support. Acomputing professional since1975 and an Ada devel-oper since 1980, he has ex-tensive experience in real-time applications in Adaand C++ in both embed-ded and Linux/Unix/POSIX-

based environments. An experienced lecturer andtrainer since 1981, he has provided numerous tutori-als and courses in software fault tolerance, hard real-time schedulability analysis, object-oriented program-ming, and the Ada programming language. He holdsB.S. and M.S. degrees in Computer Science from theUniversity of Houston and a Ph.D. in Computer Sciencefrom the University of York in the Real-Time SystemsResearch Group on the topic of software fault tolerance.

Why should you participate in this tutorial?

Systems software architects and developers responsiblefor safety-critical software will gain an appreciation forsoftware fault tolerance facilities, including their limi-tations, and will have a firm foundation for informedapplication of available mechanisms as well as furtherstudy.

Programming with the Ada 2005Standard Container Library

Matthew Heaney, On2 Technologies,USA

Friday June 24th, afternoon

This tutorial provides an overview of the standard con-tainer library, describing its design and philosophy andpresenting techniques for using the library most effec-tively. Containers are divided into two main categories:sequence containers, to insert elements at specified posi-tions, and associative containers, which insert elementsin order by key. The library includes vectors and lists(from the former category), and hashed and sorted setsand maps (from the latter). All containers have variantsto support elements (or keys) that have an indefinitesubtype. Containers have various mechanisms (includ-ing both active and passive iterators) for designating andaccessing container elements.

Presenter

Matt is the author of Charles,a container library for Adaclosely modeled on the STL.Charles was the basis of theproposal selected by the ARGfor the Ada standard con-tainer library (described inAI-302). He has given manyAda tutorials on topics thatinclude object-oriented pro-gramming, design patterns,

and software systems and library design.

Why should you participate in this tutorial?

The standard container library is an important additionto the Ada language, since developers need data struc-tures with semantics more sophisticated than simple ar-rays or linked lists. For example, one often needs tomap an element to some other type (typically String),but an array is not general enough since it only pro-vides support for mapping to a discrete index subtype.The developer also needs abstractions that scale well tolarge numbers of elements, with specified time behav-ior. The standard container library solves these kindsof problems, and thus greatly simplifies many program-ming tasks that would be tedious or just very difficultotherwise. You should attend this tutorial to learn aboutthe standard container library, what features it provides,and how it solves typical programming problems.

10 Ada-Europe 2005

ii

“program” — 2005/5/2 — 10:23 — page 11 — #11 ii

ii

ii

Tutorial Schedule

MondayJune 20th

T 1 morning Jean-Pierre Rosen, Adalog, FranceDeveloping Web-aware Applications in Ada with AWS

T 2 morning Peter Amey & Neil White, Praxis High Integrity Systems, UKCorrectness by Construction—A Manifesto for High Integrity Engineering

T 3 full day Benjamin M. Brosgol, AdaCore, USAReal-Time Java for Ada Programmers

T 4 afternoon Joyce L. Tokar, Pyrrhus Software, USA, Bruce Lewis, US Army, USASAE Architecture Analysis and Design Language

T 5 afternoon Brian Dobbing, Praxis High Integrity Systems, UKHigh-Integrity Ravenscar Using SPARK

FridayJune 24th

T 6 morning John Barnes, Alan Burns, Pascal Leroy, S. Tucker TaftAda 2005

T 7 full day John McDermid, Rob Weaver, University of York, UKSoftware Safety Cases

T 8 afternoon Matthew Heaney, On2 Technologies, USAProgramming with the Ada 2005 Standard Container Library

T 9 afternoon Patrick Rogers, AdaCore, USASoftware Fault Tolerance

T 10 morning William Bail, The MITRE Corporation, USARequirements Engineering for Dependable Systems

Lunch is included for those attending full-day programmes or two half day tutorials on the same day.Additional lunch tickets are on sale throughout the conference.Tutorials will take place from 9:00 to 12:30 (morning session), and from 14:00 to 17:30 (afternoon session).There will be half-hour tea/coffee breaks at 10:30 and 15:30 on Monday and Friday.

ExhibitionThe exhibition opens in the mid-morning break onTuesday and runs until the end of the afternoonbreak on Thursday. The exhibitors include thefollowing vendors: AdaCore, Green Hills, LDRA,Praxis, ILogix, TNI, ARTiSAN, Esterel, PolySpace,Aonix and Silver Software.

The coffee breaks are held in the same exhibitionarea. Most breaks Tuesday–Thursday are one hourto allow the attendees a comfortable visit to theexhibition.

Guide to the Social Program

Wednesday Evening: Banquet andMuseum

The Conference dinner will take place at theNational Railway Museum. This York-based Mu-seum is the largest railway museum in the world,responsible for the conservation and interpretation

of the British national collection of historically sig-nificant railway vehicles and other artifacts. TheMuseum contains an unrivaled collection of locomo-tives, rolling stock, railway equipment, documentsand records.

Dinner is served amongst the exhibits and therewill be time to look over the whole Museum.

Additional tickets for the banquet can be purchased at registration.

Ada-Europe 2005 11

ii

“program” — 2005/5/2 — 10:23 — page 12 — #12 ii

ii

ii

Conference

Schedule

Pre

lim

inary

ver

sion

Tuesd

ay

21st

Wednesd

ay

22nd

Thurs

day

23rd

9:00

–10:

00

Invi

ted

Tal

k:Jo

hnM

cDer

mid

,U

nive

rsity

ofY

ork,

UK

Mod

el-b

ased

Dev

elop

men

tofS

afet

y-cr

itica

lSo

ftwar

e:O

ppor

tuni

ties

and

Cha

lleng

es

Invi

ted

Tal

k:M

arty

nT

hom

as,

Tho

mas

Ass

ocia

tes,

UK

Ext

rem

eH

ubri

s

Invi

ted

Tal

k:B

evLit

tlew

ood,

City

Uni

vers

ity,

Lon

don,

UK

Ass

essi

ngth

eD

epen

dabi

lity

ofSo

ftwar

e-ba

sed

Syst

ems:

AQ

uest

ion

ofC

onfid

ence

10:0

0–11

:00

Exhib

itio

nO

pen

ing

&C

offee

Exhib

itio

n&

Coff

eeExhib

itio

n&

Coff

ee

Applica

tion

sD

esig

nan

dSch

eduling

Issu

esIn

dust

rial

Pre

senta

tion

s1

Dis

trib

ute

dSyst

ems

11:0

0–11

:30

N.R

owde

nIL

TIS—

The

Lega

cyof

aSu

cces

sful

Pro

duct

S.Sa

ez,V

.Lor

ente

,S.

Ter

rasa

,A

.C

resp

oE

ffici

entA

ltern

ativ

esfo

rIm

plem

entin

gFi

xed-

prio

rity

Sche

dule

rs

A.C

alve

rt(M

onde

x,M

aste

rcar

dIn

t’l)

Des

ign

and

Mai

nten

ance

ofth

eM

ULT

OS

KM

A—

AH

igh-

Secu

rity

Ada

App

licat

ion

J.R

owla

nds

(BA

ESy

stem

s,U

K)

MD

Afo

rA

daSo

ftwar

eE

ngin

eers

J.-P

.R

osen

(Ada

log,

Fran

ce)

On

the

Ben

efits

for

Indu

stri

als

ofSp

onso

ring

Free

Softw

are

Dev

elop

men

t

O.H

ainq

ue(A

daC

ore,

Fran

ce),

R.W

hite

(MB

DA

Mis

sile

Syst

ems,

UK

)B

indi

ngth

ePo

wer

PC

Alti

Vec

Ext

ensi

ons

inA

da—

Mot

ivat

ion,

Dev

elop

men

tand

Indu

stri

alFe

edba

ck

D.A

yavo

o,M

.J.

Pon

t,S.

Par

ker

Obs

ervi

ngth

eD

evel

opm

ento

faR

elia

ble

Em

bedd

edSy

stem

11:3

0–12

:00

F.O

rtiz

,D

.A

lons

o,B

.A

lvar

ez,

J.A

.Pas

tor

AR

efer

ence

Con

trol

Arc

hite

ctur

efo

rSe

rvic

eR

obot

sIm

plem

ente

don

aC

limbi

ngVe

hicl

e

M.B

ordi

n,T

.V

arda

nega

AN

ewSt

rate

gyfo

rth

eH

RT-

HO

OD

toA

daM

appi

ng

J.M

.M

artı

nez,

M.G

onza

lez-

Har

bour

RT-

EP

:AFi

xed-

Pri

ority

Rea

l-tim

eC

omm

unic

atio

nP

roto

colo

ver

Stan

dard

Eth

erne

t

12:0

0–12

:30

L.M

.P

inho

,L.N

ogue

ira,

R.B

arbo

saA

nA

daFr

amew

ork

for

QoS

-Aw

are

App

licat

ions

T.V

ergn

aud,

L.Pau

tet,

F.K

ordo

nU

sing

the

AA

DL

toD

escr

ibe

Dis

trib

uted

App

licat

ions

From

Mid

dlew

are

toSo

ftwar

eC

ompo

nent

s

M.M

asm

ano,

J.R

eal,

A.C

resp

o,I.

Rip

oll

Dis

trib

utin

gC

ritic

ality

Acr

oss

Ada

Part

ition

s

12:3

0–14

:00

Lunch

Lunch

Lunch

ii

“program” — 2005/5/2 — 10:23 — page 13 — #13 ii

ii

ii

Conference

Schedule

(con

t.)

Pre

lim

inary

ver

sion

Tuesd

ay

21st

Wednesd

ay

22nd

Thurs

day

23rd

For

mal

Met

hods

Ven

dor

Ses

sion

1In

dust

rial

Pre

senta

tion

s2

Lan

guag

eIs

sues

14:0

0–14

:30

D.A

tiya

,S.

Kin

gE

xten

ding

Rav

ensc

arw

ithC

SPch

anne

ls

R.S

trah

le,P.

Sand

berg

(SA

AB

Syst

ems,

Swed

en)

Livi

ngin

Tow

ers

J.M

iran

da,E

.Sc

honb

erg,

G.D

ism

ukes

,Th

eIm

plem

enta

tion

ofA

da20

0In

terf

ace

Type

sin

the

GN

ATC

ompi

ler

14:3

0–15

:00

S.E

vang

elis

ta,C

.K

aise

r,C

.Paj

ault

,J.

F.P

rada

t-Pey

re,

P.R

ouss

eau

Dyn

amic

Task

sVe

rific

atio

nw

ithQ

uasa

r

See

final

prog

ram

for

sche

dule

B.St

adlm

ann

(Uni

vers

ity

ofA

pplie

dSc

ienc

es,W

els,

Aus

tria

)A

daD

evel

opm

entf

ora

Bas

icTr

ain

Con

trol

Syst

emfo

rR

egio

nalB

ranc

hlin

es

M.A

ldea

-Riv

as,J.

Mir

anda

,M

.G

onza

lez-

Har

bour

Inte

grat

ing

App

licat

ion-

Defi

ned

Sche

dulin

gw

ithth

eN

ewD

ispa

tchi

ngPo

licie

sfo

rA

daTa

sks

15:0

0–15

:30

R.E

.Sw

ard,

L.C

.B

aird

III

Pro

ving

func

tiona

lequ

ival

ence

for

prog

ram

slic

ing

inSP

AR

KTM

A.B

rand

on(A

RA

)Th

eA

daE

mbe

dded

Syst

ems

Mar

ketT

oday

and

Tom

orro

w

P.R

oger

s,A

.J.

Wel

lings

The

App

licat

ion

ofC

ompi

le-t

ime

Refl

ectio

nto

Softw

are

Faul

tTol

eran

ceU

sing

Ada

95

15:3

0–16

:00

Exhib

itio

n&

Coff

eeExhib

itio

n&

Coff

ee

Exhib

itio

n&

Coff

ee

Rav

ensc

arTec

hnol

ogy

16:0

0–16

:30

J.F.R

uiz

GN

ATP

rofo

rO

n-B

oard

Mis

sion

-Cri

tical

Spac

eA

pplic

atio

ns

Ada

and

Educa

tion

Ven

dor

Ses

sion

2In

dust

rial

Pre

senta

tion

s3

16:3

0–17

:00

D.Si

mon

,G

.V

ogel

,E

.P

lode

rede

rTe

achi

ngSo

ftwar

eE

ngin

eeri

ngw

ithA

da95

M.A

dam

s(Q

inet

iQ,U

K)

Indu

stri

alE

xper

ienc

esof

Com

plia

nce

Ana

lysi

sof

Con

trol

Syst

emSo

ftwar

e

R.B

erre

ndon

ner,

J.G

uitt

onTh

eE

SAR

aven

scar

Ben

chm

ark

17:0

0–17

:30

B.M

.B

rosg

olA

Com

pari

son

ofth

eM

utua

lE

xclu

sion

Feat

ures

inA

daan

dth

eR

eal-

Tim

eSp

ecifi

catio

nfo

rJa

vaTM

See

final

prog

ram

for

sche

dule

N.D

avid

son

(BA

ESy

stem

s,U

K)

Safe

tyC

ritic

alSo

ftwar

ew

ithU

ML,

Art

isan

and

SPA

RK

Clo

sing

Ses

sion

&A

war

ds

Cer

tifica

tion

and

Ver

ifica

tion

17:3

0–18

:00

P.A

mey

,R

.C

hapm

an,N

.W

hite

Smar

tCer

tifica

tion

ofM

ixed

Cri

tical

itySy

stem

s

A.M

arri

ott

(Whi

teE

leph

ant

Gm

bH,

Swit

zerl

and)

Ada

Bug

Find

er

18:0

0–18

:30

K.Lun

dqvi

st,J.

Srin

ivas

an,

S.G

orel

ovN

on-i

ntru

sive

Syst

emLe

vel

Faul

t-To

lera

nce

18:3

0–A

da-

Euro

pe

Gen

eral

Ass

embly

Con

fere

nce

Ban

quet

ii

“program” — 2005/5/2 — 10:23 — page 14 — #14 ii

ii

ii

Registration and AccommodationConference Registration

Three days of conference (June 21st–June 23rd ) including one copy of the proceedings, coffee breaks,lunches, as well as the museum and banquet on Wednesday 22nd. All prices in British Pounds Sterling.

member Ada-Europe or ACM SIGAda non membernon academia academia non academia academia

Early registration(by May 23rd)

£380 £340 £410 £380

Late registration(after May 23rd)

£410 £410 £450 £450

Individual day registration(per day) £190 £190 £210 £210

Tutorial Registration

The prices are per tutorial, including tutorial notes and coffee breaks. Lunches are only included whenregistered for a full day tutorial or two half day tutorials on the same day.

Ada 2005 Tutorial half dayfull day or twohalf days on the

same dayEarly registration(by May 23rd)

£75 £95 £170

Late registration(after May 23rd)

£85 £105 £190

Please Note

No registration request will be confirmed until the payment has been processed. Cancellations must begiven in writing. A cancellation fee of £100 will be applied to all cancellations. No refunds will be givenfor cancellations received after June 1st. Substitutions will be accepted. To save on administrative costsand postage, receipts will be given out at the conference.For latest information see the web page at http://www.ada-europe.org/conference2005.html. Foradditional information, please contact: Alan Burns (conference chair), Department of Computer Sci-ence, University of York, York, YO10 5DD, UK. Tel: +44 1904 2779, Fax: +44 1904 434331. Email:burns@cs.york.ac.uk

Accommodation

We have negotiated specially reduced rates at the Royal York (booking deadline applies) and Marriott.Please consult their own web sites, or the following for more information about these hotels and otherestablishments before making your booking. There are also numerous online booking agencies which canprovide a good rate.

Further information is available on the conference website:http://www.ada-europe.org/conference2005.html.

Please book accommodation as early as possibleYork gets very busy at this time of year.

14 Ada-Europe 2005

ii

“program” — 2005/5/2 — 10:23 — page 15 — #15 ii

ii

ii

10th International Conference on Reliable Software Technologies - Ada-Europe 2005

York, UK, June 20-24, 2005

REGISTRATION FORM

Online registration available: http://www.ada-europe.org/conference2005.html

PARTICIPANT Please use block capitals

Ms/Mrs [ ] Mr [ ] TitleFamily name First nameAffiliation/OrganizationStreetCity Post/Zip code CountryTelephone Fax EmailSpecial requirements (e.g. diet)Reduced registration fee

[ ] member Ada-Europe; national organization [ ]academia[ ] member ACM; membership number

Additional CommentsRegistration time Early registration (by May 23rd) [ ] Late or on site (after May 23rd) [ ]

REGISTRATION FEES (see table on previous page)Conference registration feeThree day conference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . £Individual days (Tue [ ] Wed [ ] Thu [ ]) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . £Tutorial registration Please indicate the tutorials for which you want to register:

Monday, June 14th T1 [ ] T2 [ ] T3 [ ] T4 [ ] T5 [ ]Friday, June 18th T6 [ ] T7 [ ] T8 [ ] T9 [ ] T10 [ ]

Tutorial registration fee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . £Extra Banquet ticket: tickets @ £39 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . £Extra proceedings: proceedings @ £20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . £

TOTAL PAYMENT DUE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .£

PAYMENT METHODBy credit card. Credit card information:

[ ] Visa [ ] Mastercard Credit Card Number:

Cardholder Name:

Credit Card Expiration Date:

Signature:

By bank draft to account number: GB37MIDL40473120898201. The account is for the University of York and is held atHSBC Bank, 13 Parliament Street, York, Y01 8XS, UK. Please give a clear reference to the bank i.e. ‘Ada-Europe 2005’ andparticipant’s name. Also please attach a copy of the bank draft to this form.

Post or fax this form to: Mrs Sue Helliwell, Department of Computer Science, University of York, Heslington, York,YO10 5DD, U.K. Fax : (+44) 1904 434331

There are a number of other “in cooperation” conferences in this area (such as the ACM SIGAda Conference). Tick this

box if you do not want to receive information about these conferences: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [ ]

Ada-Europe 2005 15

ii

“program” — 2005/5/2 — 10:23 — page 16 — #16 ii

ii

ii

Organization

Conference ChairAlan BurnsUniversity of YorkDept of Computer ScienceYork, YO10 5DD, UKburns@cs.york.ac.uk

Program Co-chairsTullio VardanegaUniversita di PadovaDipartimento di MatematicaVia Belzoni 7, 35131 Padova, Italia.tullio.vardanega@math.unipd.itAndy WellingsUniversity of YorkDept of Computer ScienceYork, YO10 5DD, UKandy@cs.york.ac.uk

Tutorial ChairIain BateUniversity of YorkDept of Computer ScienceYork, YO10 5DD, UKiain.bate@cs.york.ac.uk

Exhibition ChairRod ChapmanPraxis High Integrity Systems20 Manvers Street, Bath,BA1 1PX, UKrod.chapman@praxis-his.com

Publicity Co-chairsIan BrosterUniversity of YorkDept of Computer ScienceYork, YO10 5DD, UKianb@cs.york.ac.uk

Dirk CraeynestAubay Belgium & K.U. LeuvenB-1180 Brussels, BelgiumDirk.Craeynest@cs.kuleuven.ac.be

Local OrganizationAdministratorSue HelliwellUniversity of YorkDept of Computer ScienceYork, YO10 5DD, UKsue@cs.york.ac.uk

Ada-Europe ConferenceLiaisonLaurent PautetENST Paris, F-75013 Paris, Francepautet@enst.fr

In cooperation with:

The organisers thank the exhibitors (preliminary list):

Praxis High IntegritySystems

http://www.ada-europe.org/conference2005.html