In this paper, we describe an approach to the design of distributed systems with B AMN. The approach is based on the action-system formalism which provides a framework for developing state-based parallel reactive systems. More specifically, we use the so-called CSP approach to action systems in which interaction between subsystems is by synchronised message passing and there is no sharing of state. We show that the abstract machines of B may be regarded as action systems and show how reactive refinement and decomposition of action systems may be applied to abstract machines. The approach fits in closely with the stepwise refinement method of B. We illustrate the approach by the abstract specification of an email service as a single machine and it's subsequent refinement into a store-and-forward network.

In the refinement calculus, program statements are modelled as predicate transformers. A product operator for predicate transformers was introduced by Martin [18] and Naumann [25] using category theoretic considerations.

The ability to construct architectural connectors in a systematic and controlled way has been argued to promote reuse and incremental development, e.g., as a way of superposing, a la carte, services like security over a given communication protocol. Towards this goal, we present a notion of high-order connector, i.e., a connector that takes connectors as parameters, for superposing coordination mechanisms over the interactions that are handled by the connectors that are passed as actual arguments. The notion is developed over the language COMMUNITY that we have been using for formalising aspects of architectural design, and illustrated with examples inspired by the case study.

Abstract. Web-based applications are the most common form of distributed systems that have gained a lot of attention in the past ten years. Today many of us are relying on scores of mission-critical Web-based systems in different areas such as banking, finance, e-commerce and government. The development process of these systems needs a sound methodology, which ensures quality, consistency and integrity. Formal Methods provide systematic and quantifiable approaches to create coherent systems. Despite this there has been limited work on the formal modelling of Web-based applications. In this paper our aim is to provide researchers with some guidelines based on results from ongoing work to model a Web-based system using the B-Method. Session and state management, developing formal models for complex data types, abstraction of distributed database systems and formal representation of communication links between different components of a web-based system are the main issues that we have examined.

Action systems are state machines that describe the behaviour of a distributed system in terms of the atomic actions that can take place during its operation. In this paper, techniques for constraining the order in which actions occur are introduced. It is shown how an event-ordering term may be added to an action system to constrain the ordering of events and it is shown how such a term may be translated into a standard action system to aid refinement.

This paper describes an approach to the analysis of security protocols using Abrial's B method. B is a general purpose formal method based on standard set theory and predicate logic. The refinement rule we use means that we only check for safety properties such as authentication rather than liveness properties such as absence of denial of service. The contribution of this paper is the development of a style of modelling and reasoning with B that allows for a straightforward and thorough analysis of security protocols. This analysis contributes to the understanding of a protocol and could lead to an improvement in the design of security protocols.

ion Our existing work on stepwise refinement [9] is the foundation for our proposed research on multi-level simulation while our existing work on behavioural abstraction [38, 40] is important for our proposed research on both multi-level simulation and infinite-state model-checking. Abstract Interpretation Our existing work on partial evaluation and abstract interpretation [36, 19] is the basis for our proposed research on infinite-state modelchecking. Animation of Formal Specifications Our work on animation tools for formal methods [20, 24, 30] is important for our proposed research on multi-level simulation. Over the last 12 months, the Southampton DSSE team has been applying all of the above expertise in a collective effort in collaboration with ICL. This involved members of the team applying a range of formal methods, including B, CSP, the -calculus, Petri-Nets, Prolog, Spin and Z, to a system being developed by ICL [23]. The results of this were presented to a group of engineers...

Database replication is traditionally envisaged as a way of increasing fault-tolerance and availability. It is advantageous to replicate the data when transaction workload is predominantly read-only. However, updating replicated data within a transactional framework is a complex affair due to failures and race conditions among conflicting transactions. This thesis investigates various mechanisms for the management of repli-cas in a large distributed system, formalizing and reasoning about the behavior of such systems using Event-B. We begin by studying current approaches for the management of replicated data and explore the use of broadcast primitives for processing transac-tions. Subsequently, we outline how a refinement based approach can be used for the development of a reliable replicated database system that ensures atomic commitment of distributed transactions using ordered broadcasts. Event-B is a formal technique that consists of describing rigorously the problem in an abstract model, introducing solutions or design details in refinement steps to obtain more concrete specifications, and verifying that the proposed solutions are correct. This technique requires the discharge of proof obligations for consistency checking and refine-

Abstract. The development of specifications often is a combination of smaller sub-components. Focusing on reuse, an interesting perspective is to formally define the combination of sub-components through refinement steps, reusing their properties and generating larger systems. The previous situation suggests the application of a reuse mechanism: composition. Event-B is a formal method that allows modelling and refinement of systems. The combination and reuse of existing sub-components is not currently supported in Event-B. We propose the development of composition by extending the Event-B formalism as an option for developing larger models, focusing in distributed systems. A tool is developed to support the shared event composition in the Rodin platform. Properties and proof obligations of sub-components are reused and sufficient proof obligations are generated to ensure valid composed models. Key words: formal methods, composition, Event-B, specification, design techniques