Systems-on-chip (SoCs) and SoC architectures provide a collection of challenging problems related to spec- ification, modelling techniques, security issues and structur- ing questions. We describe a design methodology integrating the event B method and characterized by the incremental and proof-controlled construction of SoC models. The essence of the methodology is the refinement of models, starting from system requirements and producing event B models for char- acterizing the system under development. The refinement is a unifying concept that ensures the consistency of the differ- ent models produced and our contribution is an illustration through a case study, namely a system for measuring the parameters of audio/video quality in the digital video broad- casting (DVB) set of digital TV standards. The first part is the derivation of an architecture of parameters from the docu- ment ETSI TR 101 290 and the validation of the architecture using invariants of B models. The second part is the proposal of B models of the SystemC scheduler and an instantiation of these abstract models of the simulation semantics by param- eters of the SystemC codes automatically translated from the B models of the DVB system. Finally, the third part relies upon a proof-based methodology for deriving an operational semantics of a given system that is expressed by an event B model including invariant properties. 1 Introduction The design of safe and secure systems-on-chip (SoCs)can be improved through the use of formal methods, and our work is based on the development of a system [1] that measures the quality of audio/video signals in digital video broadcast- ing (DVB). The purpose of the paper is not to describe the complete development of the system but to present a part of the methodology based on the event B method [3, 12] used while developing the system. Our report is focussed on the integration of the refinement process into the validation of the resulting SystemC programs derived from the event B models; the validation is carried out through a modelling of the SystemC scheduler, and the scheduler models are derived by refinement. Figure 1 summarizes the complete process for integrat- ing the event B method into the SoC design; the key con- cept is refinement, which is a way to have a progressive view of a system while adding details; each step is validated by a proof built, either interactively, or automatically, and checked by a tool called Click'n'Prove [4, 17]. The progres- sive and proved transformation process is applied both for developing models of the system and models of the sched-