Abstract
Embedded real-time programs can be succinctly specified using timed traces. Each sequentially executed statement acts to define a distinct trace segment. An elegant way of defining the effect of such statements is as trace `coercers' that impose constraints on existing, but underspecified, traces. Unfortunately this model fails the usual refinement calculus feasibility test. Here we overcome this by proving that the coercive model is equivalent to a trace `extending' model that does pass the test. The proof is itself interesting because it adopts non-standard data refinement techniques. 1 Introduction The overall behaviour of an embedded real-time program is most succinctly specified using timed traces which record the value of each system variable at each moment in time. Ideally, each such trace requirement should then be refinable to a sequence of actions on consecutive trace segments that collectively achieve the total desired trace.