A CSP Approach To Action Systems (1992)

by M J Butler

Results 1 - 10 of 17

CSP-OZ: A Combination of Object-Z and CSP

by Clemens Fischer , 1997
Abstract - Cited by 75 (8 self)
In this paper we define a combination of Object-Z and CSP called CSP-OZ. The basic idea is to define a CSP-semantics for every Object-Z class. Special care is taken to capture the characteristics of input and output parameters properly and to preserve the expected refinement rules. CSP-OZ is well suited for the specification and development of communicating distributed systems. It provides powerful techniques to model data- and control-aspects in a common framework. The language is easy to use for Z and Object-Z users. A shorter version of this paper appeared as [10].

csp2B: A Practical Approach To Combining CSP and B

by Michael Butler - FORMAL ASPECTS OF COMPUTING , 1999
Abstract - Cited by 42 (5 self)
This paper describes the tool csp2B which provides a means of combining CSP-like descriptions with standard B specifications. The notation of CSP provides a convenient way of describing the order in which the operations of a B machine may occur. The function of the tool is to convert CSP-like specifications into standard machine-readable B specifications which means that they may be animated and appropriate proof obligations may be generated. Use of

An Approach to the Design of Distributed Systems with B AMN (Extended Version)

by Michael Butler - ZUM ’97: The Z Formal Specification Notation, 10th International Conference of Z Users , 1996
Abstract - Cited by 27 (13 self)
In this paper, we describe an approach to the design of distributed systems with B AMN. The approach is based on the action-system formalism which provides a framework for developing state-based parallel reactive systems. More specifically, we use the so-called CSP approach to action systems in which interaction between subsystems is by synchronised message passing and there is no sharing of state. We show that the abstract machines of B may be regarded as action systems and show how reactive refinement and decomposition of action systems may be applied to abstract machines. The approach fits in closely with the stepwise refinement method of B. We illustrate the approach by the abstract specification of an email service as a single machine and its subsequent refinement into a store-and-forward network.

Exploring Summation and Product Operators in the Refinement Calculus

by R. J. R. Back, M. J. Butler - Mathematics of Program Construction , 1994
Abstract - Cited by 19 (10 self)
Product and summation operators for predicate transformers were introduced by Naumann [21] and by Martin [15] using category theoretic considerations. In this paper, we formalise these operators in the higher order logic approach to the refinement calculus of [4], and examine various algebraic properties of these operators. There are several motivating factors for this analysis. The product operator provides a model of simultaneous execution of statements, while the summation operator provides a simple model of late binding. We also generalise the product operator slightly to form an operator that corresponds to conjunction of specifications. We examine several applications of these operators showing, for example, how a combination of the product and summation operators could be used to model inheritance in an object-oriented programming language. 1 Introduction Dijkstra introduced weakest-precondition predicate transformers as a means of verifying total correctness properties of ...

Stepwise Refinement of Communicating Systems

by Michael Butler , 1994
Abstract - Cited by 16 (7 self)
The action system formalism [4] is a state-based approach to distributed computing. In this paper, it is shown how the action system formalism may be used to describe systems that communicate with their environment through synchronised value-passing. Definitions and rules are presented for refining and decomposing such action systems into distributed implementations in which internal communication is also based on synchronised value-passing. An important feature of the composition rule is that parallel components of a distributed system may be refined independently of the rest of the system. Specification and refinement is similar to the refinement calculus approach [2, 22, 24]. The theoretical basis for communication and distribution is Hoare's CSP [11]. Use of the refinement and decomposition rules is illustrated by the design of an unordered buffer, and then of a distributed message-passing system. 1 Introduction The action system formalism, introduced by Back & Kurki-Suonio [4], i...

How to Drive a B Machine

by Helen Treharne, Steve Schneider - ZB 2000: Formal Specification and Development in Z and B, First International Conference of B and Z Users , 2000
Abstract - Cited by 15 (4 self)
The B-Method is a state-based formal method that describes behaviour in terms of MACHINES whose states change under OPERATIONS. The process algebra CSP is an event-based formalism that enables descriptions of patterns of system behaviour. We present a combination of the two views where a CSP process acts as a control executive and its events simply drive corresponding OPERATIONS. We define consistency between the two views in terms of existing semantic models. We identify proof conditions which are strong enough to ensure consistency and thus guarantee safety and liveness properties. Keywords: B-Method, CSP, Embedded Systems, Programming Calculi, Combining Formalisms.

Combining CSP and Object-Z: Finite or Infinite Trace Semantics?

by Clemens Fischer, Graeme Smith - Proc. FORTE/PSTV 97, Chapman & Hall (1997), 1997
Abstract - Cited by 6 (1 self)
In this paper we compare and contrast two alternative semantics as a means of combining CSP with Object-Z. The purpose of this combination is to more effectively specify complex, concurrent systems: while CSP is ideal for modelling systems of concurrent processes, Object-Z is more suitable for modelling the data structures often needed to model the processes themselves. The first semantics, the finite trace model, is compatible with the standard CSP semantics but does not allow all forms of unbounded nondeterminism to be modelled (i.e. where a choice is made from an infinite set of options). The second semantics, the infinite trace model, overcomes this limitation but is no longer compatible with the standard CSP semantics. Issues involving specification, refinement and modelling fairness are discussed. Keywords CSP, Object-Z, concurrent systems, combining FDTs, semantics, refinement 1 INTRODUCTION CSP [15] is a process algebra developed for the formal specification of concurrent ...

On the Use of Data Refinement in the Development of Secure Communications Systems

by Michael Butler
Abstract - Cited by 6 (1 self)
We report on experiences gained from the application of data refinement techniques to the development of examples of secure communications systems. The aim was to carry the development from initial abstract specification of security services through to detailed designs. The development approach was based on action systems, with B and CSP being used as concrete notations. The security services in question are a confidential communications service and an authenticated transaction service. Refinements include explicit representations of intruder behaviour.

A Singleton Failures Semantics for Communicating Sequential Processes

by Christie Bolton, Jim Davies , 2001
Abstract - Cited by 5 (0 self)
From a software engineering perspective, is the singleton failures semantic model a useful model in its own right? The answer to this is yes. Certainly it will often be the case that the traces model is sufficient for a software engineer's needs. And at other times they may need the full strength of the stable failures model or indeed the failures-divergences model. But the singleton failures model lies between these. It may well be the case---testing springs to mind---that we need more information than the traces model but not as much as the stable failures model.

Deductive Reasoning versus Model Checking: Two Formal Approaches for System Development

by J.N. Reed, J. E. Sinclair, F. Guigand, Oxford Brookes , 1999
Abstract - Cited by 2 (2 self)
We compare and contrast two formal approaches for system development: state-based notation with verification by deductive reasoning, exemplified here by action systems; and event-based notation with verification by model checking, here using CSP/FDR. Our purpose is to identify specific similarities and differences, and strengths and weaknesses of the two approaches by direct comparison on the same application. We examine a small case study of a store-and-forward network specified and refined using the two notations. Our work illustrates that different approaches lead to different developmental strategies and can reveal complementary aspects of a system, indicating that unified techniques may be effective. 1 Introduction There are many varieties of formal methods, a term referring to the application of mathematics and mathematically derived techniques to the specification and development of software and hardware. They all have the same purpose: improving the quality and relia...
© 2007-2010 The Pennsylvania State University