A graphical notation for representing Timed CSP (TCSP) specifications is presented. The notation, which integrates features from a number of existing specification languages, including Statecharts, is aimed at providing the means for more easily constructing and managing large TCSP specifications, with the intention of forming the basis for tools and a methodology for applying TCSP in the large. The graphical notation extends TCSP by allowing specifications to be both processes and arbitrary predicates, thus increasing the expressiveness and applicability of the notation. An extendible tool framework, designed for the graphical notation and to be integrated with other tools, is presented. We discuss the features of this framework, especially how it aims to support reasoning about TCSP specifications.

This report argues that formal methods need to be properly integrated into an architectural design method if they are to be successfully transferred into industrial practice. It outlines a number of issues which need to be considered when performing such integration, and illustrates these points by reference to the formal techniques for complex high-integrity real-time systems being developed in the BAE SYSTEMS Dependable Computing Systems Centre. 1 Introduction Formal specification languages promise the ability to express the behavioural requirements of software systems concisely (and when wisely used, abstractly) in unambiguous notations. Formal specifications form a suitable foundation for system validation by proof and animation, and they define the requirements against which the correctness of a design or implementation can be formally verified. Formal proofs, by removing the role of intuition in interpreting symbols, promise to provide strong evidence for the validation a...

This paper describes a rely-guarantee proof to show that Simpson's 4-slot single-reader, single-writer ACM is Lamport atomic (as described fully in the paper). First an abstract ACM speci cation is proved Lamport atomic using an exhaustive assertional method. A formal model of Simpson's 4-slot is then given and this has been proved to be a re nement of the abstract speci cation using Nipkow's retrieve relation rule. Simpson's 4-slot is then shown to be Lamport atomic using an interleaved concurrency rely-guarantee proof method for shared variable concurrency.

Protocol descriptions often fail to take metastability into account. Metastability, however, can under-mine protocols which depend on shared bits. In this paper, a series of increasingly realistic models of bits are developed in CSP, to explore the implications of metastability for Simpson’s 4-Slot asynchronous communication mechanism. It is shown that the 4-Slot mechanism with realistic bit models preserves data-coherence, freshness, and sequencing, and is Lamport-atomic. We demonstrate that metastability can undermine the correctness of protocols demonstrated correct with Lamport-safe models of bits; fur-thermore, realistic bit models can demonstrate protocols correct which Lamport-safe bit models would suggest were incorrect.