Results 11 - 20 of 26
A Tool for Data Refinement, 1997
Cited by 11 (3 self)
We describe a tool for data refinement based on the Refinement Calculator. The tool supports the calculational approach to data refinement. As a consequence of the program calculation, a refinement theorem is automatically derived. The operation of the tool is illustrated with a case study.
Sharp Retrenchment, Modulated Refinement and Punctured Simulation
Cited by 10 (6 self)
Sharp retrenchment is introduced and briefly justified informally, as a liberalisation of refinement. In sharp retrenchment the relationship between an abstract operation and its concrete counterpart is mediated by extra predicates, allowing most particularly the description of nonrefinement-like properties, and the mixing of I/O and state aspects in the passage between levels of abstraction. Sharp retrenchments are briefly contrasted with unsharp ones. Sharp retrenchments are shown to have a natural law of composition, and the way in which refinements may be viewed as sharp retrenchments is discussed. Modulated refinement is introduced as a version of refinement allowing mixing of I/O and state aspects, in order to facilitate comparison between sharp retrenchment and refinement, and various notions of simulation are considered in this context, specifically: stepwise simulation, the ability of the simulator to mimic a sequence of execution steps of the simulatee; strong simulation, in w...
Constraint-Oriented Formal Modelling of OO-Systems
- 2nd Int. Working Conf. on Distributed Applications and Interoperable Systems (DAIS'99), 1999
Cited by 7 (6 self)
In addition to static structures, the Unified Modelling Language UML supports the specification of dynamic properties by means of state charts and interaction diagrams. Each diagram, however, only reflects partial aspects of the system. A common behavior model is lacking while it is necessary to relate the diagrams with each other and to enable the verification of dynamic system properties. The formal process specification technique cTLA provides for modular descriptions of behavior constraints and its process composition operation corresponds to superposition. Therefore, a UML diagram can be represented by a cTLA description which is as well modular as it can be combined with the descriptions of other diagrams.
Keywords: formal object model, cTLA, UML, state chart, interaction diagram
On the Use of Data Refinement in the Development of Secure Communications Systems
Cited by 6 (1 self)
We report on experiences gained from the application of data refinement techniques to the development of examples of secure communications systems. The aim was to carry the development from initial abstract specification of security services through to detailed designs. The development approach was based on action systems, with B and CSP being used as concrete notations. The security services in question are a confidential communications service and an authenticated transaction service. Refinements include explicit representations of intruder behaviour.
A Singleton Failures Semantics for Communicating Sequential Processes, 2001
Cited by 5 (0 self)
From a software engineering perspective, is the singleton failures semantic model a useful model in its own right? The answer to this is yes. Certainly it will often be the case that the traces model is sufficient for a software engineer's needs. And at other times they may need the full strength of the stable failures model or indeed the failures-divergences model. But the singleton failures model lies between these. It may well be the case---testing springs to mind---that we need more information than the traces model but not as much as the stable failures model.
Local Linear Logic for Locality Consciousness in Multiset Transformation
- Proc. Programming Languages: Implementations, Logics and Programs, PLILP'95, 1995
Cited by 4 (0 self)
We use Girard's linear logic (LL) to produce a semantics for Gamma, a multiset transformation language. The semantics improves on the existing structured operational semantics (SOS) of the language by highlighting Gamma's inefficiencies, which were hidden by the SOS. We propose a new logic called local linear logic (Local LL), which adds locality-consciousness to the resource-consciousness of linear logic. As a case study, we use this logic to propose a new semantics for Gamma. The new semantics suggests an annotation of Gamma which increases its efficiency without compromising its programming style. We show how the new semantics also gives us a better understanding of parallel Gamma and its implementation, and offers insight into the nature of chemical-reaction based computational models in general.
1 Introduction
Languages based upon the chemical reaction model combine terse expression of parallel programs with terrible efficiency problems. Gamma [9] is such a language. The tendenc...
A Catalogue of Incremental Changes for Coloured Petri Nets
- the International Conference of Application and Theory of Petri Nets, 1999
Cited by 3 (2 self)
This paper presents three forms of incremental change or refinement which are considered appropriate for Coloured Petri Nets. The intention is to recommend forms which are appropriate to Petri Nets and not primarily driven by the desire to emulate object-oriented programming languages. Nevertheless, the proposals are compared with others in the literature — with object-oriented programming languages, with practical case studies of the application of formal methods, and with other object-oriented Petri Net formalisms.
Deductive Reasoning versus Model Checking: Two Formal Approaches for System Development, 1999
Cited by 2 (2 self)
We compare and contrast two formal approaches for system development: state-based notation with verification by deductive reasoning, exemplified here by action systems; and event-based notation with verification by model checking, here using CSP/FDR. Our purpose is to identify specific similarities and differences, and strengths and weaknesses of the two approaches by direct comparison on the same application. We examine a small case study of a store-and-forward network specified and refined using the two notations. Our work illustrates that different approaches lead to different developmental strategies and can reveal complementary aspects of a system, indicating that unified techniques may be effective.
1 Introduction
There are many varieties of formal methods, a term referring to the application of mathematics and mathematically derived techniques to the specification and development of software and hardware. They all have the same purpose: improving the quality and relia...
Event Ordering in Action Systems
- International Refinement Workshop/Formal Methods Pacific '98, Canberra, Springer Series in Discrete Mathematics and Computer Science, 1998
Cited by 2 (0 self)
Action systems are state machines that describe the behaviour of a distributed system in terms of the atomic actions that can take place during its operation. In this paper, techniques for constraining the order in which actions occur are introduced. It is shown how an event-ordering term may be added to an action system to constrain the ordering of events and it is shown how such a term may be translated into a standard action system to aid refinement.
Program Refinement in UNITY, 2001
Cited by 1 (1 self)
This report presents a new framework of program refinement, that is based on a refinement relation between UNITY programs. The main objective of introducing this new relation is to reduce the complexity of correctness proofs for existing classes of related distributed algorithms. It is shown, however, that this relation is also suitable for the stepwise development of programs, and incorporates most of the program transformations found in existing work on refinements.

