A unified, comprehensive presentation of simulation techniques for verification of concurrent systems is given, in terms of a simple untimed automaton model. In particular, (1) refinements, (2) forward and backward simulations, (3) hybrid forward-backward and backward-forward simulations, and (4) history and prophecy relations are defined. History and prophecy relations are abstract versions of the history and prophecy variables of Abadi and Lamport, as well as the auxiliary variables of Owicki and Gries. Relationships between the different types of simulations, as well as soundness and completeness results, are stated and proved. Finally, it is shown how invariants can be incorporated into all the simulations. Even though many results are presented here for the first time, this paper can also be read as a survey (in a simple setting) of the research literature on simulation techniques. The development for untimed automata is designed to support a similar development for timed automata...

It is argued that refinement, in which I/O signatures stay the same, preconditions are weakened and postconditions strengthened, is too restrictive to describe all but a fraction of many realistic developments. An alternative notion is proposed called retrenchment, which allows information to migrate between I/O and state aspects of operations at different levels of abstraction, and which allows only a fraction of the high level behaviour to be captured at the low level. This permits more of the informal aspects of design to be formally captured and checked. The details are worked out for the B-Method.

Superposition refinement enhances an algorithm by superposing one computation mechanism onto another mechanism, in a way that preserves the behavior of the original mechanism. Superposition seems to be particularly well suited to the development of parallel and distributed programs: an originally simple sequential algorithm can be extended with mechanisms that distribute control and state information to many processes, thus permitting efficient parallel execution of the algorithm. We will in this paper show how superposition of reactive systems is expressed in the refinement calculus. We illustrate the power of this method by a case study, showing how a distributed broadcasting system is derived through a sequence of superposition refinements.

The action system framework for modelling parallel and reactive programs...

. We are investigating a component-based approach for formal design of distributed systems. In this paper, we introduce the framework we use for specication, composition and communication and we apply it to an example that highlights the dierent aspects of a compositional design, including top-down and bottom-up phases, proofs of composition, renement proofs, proofs of program texts, and component reuse. Key-words: component-based design, distributed systems, formal speci cation, formal verication, temporal logic, Unity. 1 A Compositional Approach 1.1 Introduction Component technology is becoming increasingly popular. Microsoft's COM, JavaSoft 's beans, CORBA, and new trade magazines devoted to component technology attest to the growing importance of this area. Component-based software development is having an impact in the development of user interfaces. Such systems often have multiple threads (loci of control) executing in dierent components that are synchronized wit...

The refinement calculus, based on predicate transformer semantics, is proving useful in the construction of sequential programs. It is argued that the refinement calculus provides a suitable development formalism for (possibly real-time) dataflow-like processes. Conventional precondition and postcondition specifications of sequential programs are generalised to assumption and effect specifications of processes. Such specifications may be given predicate transformer semantics and then formally refined to implementations in much the same way as precondition and postcondition specifications of sequential programs. A minimal collection of dataflowprocess operators and associated refinement laws is considered. Small examples of dataflow-process development are presented to demonstrate the utility of the approach. The compositionality of the approach is considered in detail. 1 Introduction The aims of formal process development methods are firstly to ensure our expectations of ...

Refinement is reviewed in a partial correctness framework, highlighting in particular the distinction between its use as a specification constructor at a high level, and its use as an implementation mechanism at a low level. Some of its shortcomings as specification constructor at high levels of abstraction are pointed out, and these are used to motivate the adoption of retrenchment for certain high level development steps. Basic properties of retrenchment are described, including a justification of the operation PO, simple examples, simulation properties, and compositionality for both the basic retrenchment notion and enriched versions. The issue of framing retrenchment in the wide variety of correctness notions for refinement calculi that exist in the literature is tackled, culminating in guidelines on how to `brew your own retrenchment theory'. Two short case studies are presented. One is a simple digital redesign control theory problem, the other is a radiotherapy dos...

The refinement calculus is proving a useful tool for the specification and refinement of sequential processes. In this paper we contend that it is also useful in the timed case. This paper displays the use of the refinement calculus for a small embedded system. 1

We show that the action systems framework combined with the re nement calculus is a powerful method for handling a central problem in hardware design, the design of pipelines. We present a methodology for developing asynchronous pipelined microprocessors relying on this framework. Each functional unit of the processor is stepwise brought about which leads to a structured and modular design. The handling of di erent hazard situations is realized when verifying re nement steps. Our design is carried out with circuit implementation using speed-independent techniques in mind.

Discussion of a simple example demonstrates various expressive limitations of the refinement calculus, and suggests a liberalization of refinement, called retrenchment, which will support an analogous formal development calculus. Useful concrete system behaviour can be specified outside the domain of pure refinement, and a case is made for fluidity between I/O and state components across the development step. A syntax and a formal definition are presented for retrenchment, which has some necessary properties for a formal development calculus: transitivity gives stepwise composition of retrenchments, and monotonicity w.r.t. the specification language constructors gives piecewise construction of retrenchments.