Maximally Abstract Retrenchments
- IN PROC. IEEE ICFEM-00, 2000
Cited by 17 (14 self)
The drawbacks of using refinement alone in the construction of specifications from simple abstract models is used as the spur for the introduction of retrenchment — a method based on the main ideas of refinement but one which is more liberal in character. The basics of the retrenchment mechanism are reviewed in preparation for exploring its integration with refinement. The particular aspect of integration investigated in this paper is the factorisation of a retrenchment step from an abstract to a concrete model into a refinement followed by a retrenchment. The objective is to engineer a system which is at the level of abstraction of the concrete model, but is refinable from the abstract one. The construction given here solves the problem in a universal manner, there being a canonical factorisation of the original retrenchment into an I/O-filtered refinement to the universal system followed by a retrenchment. The universal property arises from the fact that the refinement component of any similar factorisation is refinable to the universal system. An idempotence property supports the claim that the construction is at the correct level of abstraction. A synopsis of an earlier result which factorised a retrenchment step into a canonical retrenchment to a universal system followed by a refinement is presented. A refinement relationship is then shown to exist between the two universal systems. Finally, the consequences of including termination criteria are briefly explored.
Retrenchment and Refinement Interworking: the Tower Theorems
- 2009
Cited by 6 (5 self)
Retrenchment is a flexible model evolution formalism that compensates for the limitations imposed by specific formulations of refinement. Its refinement-like proof obligations feature additional predicates for accommodating design data describing the model change. The best results are obtained when refinement and retrenchment cooperate, the paradigmatic scheme for this being the commuting square or Tower, in which ‘horizontal retrenchment rungs’ commute with ‘vertical refinement columns’ to navigate through a much more extensive design space than permitted by refinement alone. In practice, the navigation is accomplished via ‘square completion’ constructions, and a full suite of square completion theorems is presented and proved.
A Formal Method for Developing Provably Correct Fault-Tolerant Systems Using Partial Refinement and Composition
Cited by 5 (1 self)
It is widely agreed that building correct fault-tolerant systems is very difficult. To address this problem, this paper introduces a new model-based approach for developing masking fault-tolerant systems. As in component-based software development, two (or more) component specifications are developed, one implementing the required normal behavior and the other(s) the required fault-handling behavior. The specification of the required normal behavior is verified to satisfy system properties, whereas each specification of the required fault-handling behavior is shown to satisfy both system properties, typically weakened, and fault-tolerance properties, both of which can then be inferred of the composed fault-tolerant system. The paper presents the formal foundations of our approach, including a new notion of partial refinement and two compositional proof rules. To demonstrate and validate the approach, the paper applies it to a real-world avionics example.
Retrenchment and Promotion in Z
- UNDER CONSIDERATION FOR PUBLICATION IN FORMAL ASPECTS OF COMPUTING
Cited by 3 (3 self)
Promotion, a familiar data structuring mechanism in Z, is reviewed. Retrenchment, a generalization of classical data refinement, is reviewed and presented in Z. A theory of the promotion of retrenchments in Z is developed, which supports a variety of requirements scenarios and demonstrates that promotion is also a useful tool in the requirements engineering toolkit of retrenchment. This amplifies its utility in the pure refinement arena, when refinement and retrenchment are made to interwork. A simple case study of promoted retrenchment is presented to illustrate the theory.
Stronger Compositions for Retrenchments, and Feature Engineering
Cited by 3 (2 self)
Noting that the usual propositionally based way of composing retrenchments can yield many ‘junk’ cases, alternative approaches to compositionality are introduced (via notions of tidy, neat, and fastidious retrenchments) that behave better in this regard. These alternatives do however make other issues such as associativity harder; the technical details are presented. This technology is used to give a retrenchment account of elementary feature engineering, the full flexibility of which refinement can struggle to capture.
Stronger Compositions for Retrenchments
- J. LOG. ALG. PROG
Cited by 3 (3 self)
Noting that the usual ‘propositionally’ based way of composing retrenchments can yield many ‘junk’ cases, alternative approaches to composition are introduced (via notions of tidy, neat, and fastidious retrenchments) that behave better in this regard. These alternatives do however make other issues such as associativity harder. The technical details are presented for vertical composition of retrenchments (i.e. the composition of successive retrenchment steps).
Model Based Engineering of Specifications by Retrenching Partial Requirements
Cited by 2 (1 self)
In conventional model-oriented formal refinement, the abstract model is supposed to capture all the properties of interest in the system, in an as-clutter-free-as-possible manner. Subsequently, the refinement process guides development inexorably towards a faithful implementation. However, refinement says nothing about how to obtain the abstract model in the first place. In reality, developers experiment with prototype models and their refinements until a workable arrangement is discovered. Retrenchment is a formal technique intended to capture model in a formal manner that will integrate with refinement. This is in order that the benefits of a formal approach can migrate further up the development hierarchy. After a presentation of the basic ideas of retrenchment, a simple telephone system feature interaction case study is given to illustrate how retrenchment can relate incompatible partial models to a more definitive consolidated model during the development of the contracted specification.
UseCase-wise Development: Retrenchment for Event-B
Cited by 2 (2 self)
UseCase-wise Development, the introduction of functionality into an application in stages, with each stage being carried through to (ideally) implementation before the next is considered, is examined with a view to its being treated via an Event-B methodology. The need to modify top level behaviour in a non-skip way precludes its naive treatment via Event-B refinement, and paves the way for the use of retrenchment in Event-B. The details of an Event-B formulation of retrenchment, aligned to the practical details of the Rodin toolset, are described. The details of refinement/retrenchment interworking needed to handle UseCase-wise development are outlined, and a simple case study is given.
Model Based Refinement and the Tools of Tomorrow
Cited by 2 (1 self)
The ingredients of typical model based development via refinement are re-examined, and some well known frameworks are reviewed in that light, drawing out commonalities and differences. It is observed that alterations in semantics take place de facto due to applications pressures and for other reasons. This leads to a perspective on tools for such methods in which the proof obligations become programmable and/or configurable, permitting easier co-operation between techniques and interaction with an Evidential Tool Bus. This is of intrinsic interest, and also relevant to the Verification Grand Challenge.