We study program states that are described as tuples, i.e., product state spaces. Modeling programs as predicate transformers, we define a product operator on program statements that describes the independent execution of statements on disjoint state spaces. The algebraic properties of this product operator are studied, in particular the basic monotonicity and distributivity properties that the operator has, and their applications. We also consider how to extend the state space by adding new state components, and show how this is modeled using the product operator. Finally, we show how products are useful to formulate data refinement, both as a general concept and as a technique for replacing local state components of program blocks.

We review retrenchment as a liberalisation of refinement, for the description of applications too rich (e.g. using continuous and infinite types) for refinement. A specialisation of the notion, evolving retrenchment is introduced, motivated by the need for an approximate, evolving notion of simulation. The focus of the paper is the case study, a substantial second-order linear control system. The design step from continuous to zero-order hold discrete system is expressible as an evolving retrenchment. Thus we demonstrate that the retrenchment approach can formalise the development of useful applications, which are outside the scope of refinement. The work is presented in a data type-enriched language containing the B language of J.-R. Abrial. 1

Discussion of a simple example demonstrates various expressive limitations of the refinement calculus, and suggests a liberalization of refinement, called retrenchment, which will support an analogous formal development calculus. Useful concrete system behaviour can be specified outside the domain of pure refinement, and a case is made for fluidity between I/O and state components across the development step. A syntax and a formal definition are presented for retrenchment, which has some necessary properties for a formal development calculus: transitivity gives stepwise composition of retrenchments, and monotonicity w.r.t. the specification language constructors gives piecewise construction of retrenchments.

Discussion of a radiation dose calculation example demonstrates various expressive limitations of the refinement calculus, particularly for systems with continuous variables. A liberalization of refinement, called retrenchment, is proposed, which will support an analogous formal development calculus. Useful concrete system behaviour can be specified outside the domain of pure refinement, in particular behaviour under controlled precision decay. A syntax and a formal definition are presented for retrenchment in the B notation of J.-R. Abrial. Necessary transitivity and monotonicity properties for a formal development calculus are stated. A generalisation, evolving retrenchment, is proposed, and a simple example demonstrates its utility, by analogy, in control systems applications. Evolution in retrenchment is demonstrated to offer the expressive power to describe useful simulation-like behaviour, with evolving precision, in software for control systems. Finally, the dosimetry ...

Simple retrenchment is briefly reviewed in the B language of J.-R. Abrial [1] as a liberalization of classical refinement, for the formal description of application developments too demanding for refinement. This work initiates the study of the structuring of retrenchment-based developments in B by decomposition. A given coarse-grained retrenchment relation between specifications is decomposed into a family of more fine-grained retrenchments. The resulting family may distinguish more incisively between refining, approximately refining, and non-refining behaviours. Two decomposition results are given, each sharpening a coarsegrained retrenchment within a particular syntactic structure for operations at concrete and abstract levels. A third result decomposes a retrenchment exploiting structure latent in both levels. The theory is illustrated by a simple example based on an abstract model of distributed computing, and methodological aspects are considered.

We introduce the probabilistic action system formalism which combines refinement with performance. Performance is expressed by means of probability and expected costs. Probability is needed to express uncertainty present in physical environments. Expected costs express physical or abstract quantities that describe a system. They encode the performance objective. The behaviour of probabilistic action systems is described by traces of expected costs. Corresponding notions of refinement and simulation-based proof rules are introduced. Formal notations like B [2] or action systems [8] support a notion of refinement. Refinement relates an abstract specification A to a more deterministic concrete specification C. Knowing A and C one proves C refines, or implements, specification A. In this study we consider specification A as given and concern ourselves with a way to find a good candidate for specification according to their performance. The performance of a

ion Our existing work on stepwise refinement [9] is the foundation for our proposed research on multi-level simulation while our existing work on behavioural abstraction [38, 40] is important for our proposed research on both multi-level simulation and infinite-state model-checking. Abstract Interpretation Our existing work on partial evaluation and abstract interpretation [36, 19] is the basis for our proposed research on infinite-state modelchecking. Animation of Formal Specifications Our work on animation tools for formal methods [20, 24, 30] is important for our proposed research on multi-level simulation. Over the last 12 months, the Southampton DSSE team has been applying all of the above expertise in a collective effort in collaboration with ICL. This involved members of the team applying a range of formal methods, including B, CSP, the -calculus, Petri-Nets, Prolog, Spin and Z, to a system being developed by ICL [23]. The results of this were presented to a group of engineers...

Syntax in Nuprl ::::::::::::::::::::::::::::::::::::::::::::: 23 Eli Barzilay, Stuart Allen DOVE: a Graphical Tool for the Analysis and Evaluation of Critical Systems :::::::::::::::::::::: 33 Tony Cant, Jim McCarthy, Brendan Mahony Formalising General Correctness ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 36 Jeremy E. Dawson Automatic Constraint Calculation using Lax Logic ::::::::::::::::::::::::::::::::::::::::::::: 48 Jeremy E. Dawson, Matt Fairtlough Automating Fraenkel-Mostowski Syntax :::::::::::::::::::::::::::::::::::::::::::::::::::::: 60 Murdoch J. Gabbay AFormal Correctness Proof of the SPIDER Diagnosis Protocol :::::::::::::::::::::::::::::::::: 71 Alfons Geser, Paul S. Miner Using HOL to Study Sugar 2.0 Semantics ::::::::::::::::::::::::::::::::::::::::::::::::::::: 87 Michael J. C. Gordon Extending DOVE with Product Automata :::::::::::::::::::::::::::::::::::::::::::::::::::: 101 Elsa L. Gunter, Yi Meng A Higher-Order System for Representing Metabolic Pathways ::::::::::::::::::::::::::::::::::: 112 Sara Kalvala Higher-Order Pattern Unification and Proof Irrelevance ::::::::::::::::::::::::::::::::::::::::: 121 Jason Reed AVerification of Rijndael in HOL :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 128 Konrad Slind The K Combinator as a Semantically TransparentTagging Mechanism:::::::::::::::::::::::::::: 139 Konrad Slind, Michael Norrish FCM 2002 Invited Talk Real Numbers in Real Applications ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 146 John Harrison v vi FCM 2002 Workshop Papers A PVS Service for MathWeb :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 147 A. A. Adams, A. Franke, J. Zimmer Formalizing Real Calculus in Coq :::::::::::::::::::::::::::::::::::...

Simple retrenchment is briefly reviewed as a liberalisation of classical refinement, for the formal description of application developments too demanding for refinement. Two generalisations, output and evolving retrenchment, are presented. Simple monotonicity results for retrenchment are recalled, forming the basis of a piecewise development method.

Abstract. The development of specifications often is a combination of smaller sub-components. Focusing on reuse, an interesting perspective is to formally define the combination of sub-components through refinement steps, reusing their properties and generating larger systems. The previous situation suggests the application of a reuse mechanism: composition. Event-B is a formal method that allows modelling and refinement of systems. The combination and reuse of existing sub-components is not currently supported in Event-B. We propose the development of composition by extending the Event-B formalism as an option for developing larger models, focusing in distributed systems. A tool is developed to support the shared event composition in the Rodin platform. Properties and proof obligations of sub-components are reused and sufficient proof obligations are generated to ensure valid composed models. Key words: formal methods, composition, Event-B, specification, design techniques