Model-checking CSP-Z: strategy, tool support and industrial application  by Mota, Alexandre & Sampaio, Augusto
Science of Computer Programming 40 (2001) 59{96
www.elsevier.nl/locate/scico
Model-checking CSP-Z: strategy, tool support and
industrial application
Alexandre Mota , Augusto Sampaio
Federal University of Pernambuco, Centre of Informatics, P.O. Box 7851 Cidade Universitaria,
50740-540 Recife, PE, Brazil
Received 30 September 1998; received in revised form 31 August 2000; accepted 1 September 2000
Abstract
Model-checking is now widely accepted as an ecient method for analysing computer system
properties, such as deadlock-freedom. Its practical applicability is due to existing automatic tools
which deal with tedious proofs. Another research area of increasing interest is formal language
integration where the capabilities of each language are used to capture precisely some aspects of
a system. In this paper we propose a general strategy for model-checking CSP-Z specications
using as tool support the FDR model-checker. The CSP-Z language is a semantical integration of
CSP and Z, such that CSP handles the concurrent aspects of a system, and Z the data structures
part. We also present a modular approach for model-checking complex CSP-Z specications,
specically to verify deadlock-freedom. Finally, we present a CSP-Z specication for a subset
of a real Brazilian articial microssatellite, and apply the proposed strategy to prove that this
specication is deadlock-free. c© 2001 Elsevier Science B.V. All rights reserved.
Keywords: Model-checking; Linking theories and tools; Industrial case study; Formal
verication; concurrent and model-based specications; Satellite
1. Introduction
There is an increasing interest, among the Computer Science community, in model-
checkers. These are programs that work by checking every possible state of a system
to verify some specied property such as deadlock-freedom. Although model-checking
is limited to certain problems, those without exponential state explosion, it has a
great advantage, from an industrial application perspective: it is fully automatic. For
process algebras, model-checking normally means building a labelled transition system
(LTS) from the formal description of the system and verifying that this satises a
desired property, via a logical or behavioural specication. Its eciency and usefulness
 Corresponding author.
E-mail addresses: acm@cin.ufpe.br (A. Mota), acas@cin.ufpe.br (A. Sampaio).
0167-6423/01/$ - see front matter c© 2001 Elsevier Science B.V. All rights reserved.
PII: S 0167 -6423(00)00023 -X
60 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
is directly related to the generation and manipulation of the LTS; that is, complex
specications (needing elaborate data structures) are harder to analyse than smaller
ones. Further, it is assumed that exponential state explosion does not occur; otherwise
it is impossible to carry out the analysis without restructuring the specication.
Linking theories is also a recent trend in the area of formal methods. The general
purpose of this eort is to combine concepts and notations in a uniform framework
which allows one to capture more than one aspect of a system. For example, concurrent
specication languages, such as CSP [17] or CCS [23], can characterise precisely the
behavioural aspects of a system, whereas they are not suitable for modelling concisely
(and abstractly) the system data structures. This is because the data structures in these
languages correspond to those of a programming language. Another viewpoint is that
languages such as Z [32], VDM [19] and OBJ [14] have great expressive power to
describe abstract data structures but lack the notion of operation evaluation order.
Currently, there are a lot of language integration proposals. Some examples are LOTOS
[1], Temporal Logic and CSP [22], LOTOS and Z [8], and CSP-Z and CSP-OZ [9{11].
This paper is based on CSP-Z, a language which integrates CSP and Z both syn-
tactically and semantically. CSP-Z was dened such that apart from enabling one to
deal with the behavioural and the data structure aspects of a system independently,
the resulting specication can also be rened independently, i.e., the approach to re-
nement is compositional in the sense that rening the CSP or the Z part (with some
constraints) leads to the renement of the whole specication [9].
In [25], we proposed a strategy for model-checking CSP-Z specications emphasis-
ing deadlock analysis. Some ideas were discussed on how to implement this strategy
using the FDR model-checker [29] through its notation CSPM . An independent eort
to rene the ideas introduced in [25] is reported in [12] whose main contribution is a
more structured presentation of the conversion to CSPM . The work reported in [12] uses
CSP-OZ (the object-oriented version of CSP-Z) instead of CSP-Z, although inheritance
has not been explored. Here we further develop the strategy proposed in [25], consid-
ering the representation of all CSP-Z operators into the FDR notation. As in [12], we
show how the Z part of a CSP-Z specication can be characterised as a CSP process,
parameterised by the state-space, using abstract conversion patterns. The behaviour of
a CSP-Z specication is then captured by the parallel composition of the CSP part
and a CSP process which characterises the Z part. In this way we can combine CSP-Z
specications as ordinary CSP processes.
A subtle and important aspect of this translation strategy is to consider the termi-
nation state of the CSP part of the CSP-Z specication. This is missing in [12]. Our
treatment of input and output channels and operations are also slightly dierent from
the one given in [12], which considers only single-event channels and methods (oper-
ations), whereas here we further develop this aspect giving full treatment to complex
event channels and operations.
As an additional contribution of this paper, we show how the network decomposition
strategy developed for CSP in [5] can be adapted for CSP-Z, permitting the analysis of
complex specications in a modular fashion. As presented in Section 5, the advantages
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 61
of a modular analysis are signicant. Finally, we present a CSP-Z specication of
a subset of the On-Board Computer (OBC) of a Brazilian articial microssatellite
(SACI-1) [26] developed by the Brazilian Space Research Institute (INPE), and we
apply our strategy for deadlock analysis with the aid of FDR to this case study.
The rest of this paper is organised as follows. Section 2 introduces the CSP-Z lan-
guage using an example, and briey considers its syntax and semantics. In Section 3
we describe a strategy for model-checking CSP-Z together with a more detailed ex-
planation on how to translate CSP-Z specications into the FDR notation. A modular
approach to deadlock analysis of CSP specications and its extension to handle CSP-Z
specications are presented in Section 4. Section 5 illustrates this approach through
the specication and analysis of the SACI-1 OBC. Finally, we consider what are the
benets of using an integrated language and the practical advantages and limitations of
using FDR in this setting. We assume some familiarity with the languages CSP and Z.
2. An overview of CSP-Z
The language CSP-Z [9,10] is a conservative extension of both CSP and Z in the
sense that almost all syntactical and semantical aspects of CSP and Z are preserved.
An overview of CSP-Z is given using an example which is part of the specication
of our case study, fully described in Section 5. In [10] the integration of CSP with an
object-oriented extension of Z is presented. Here we consider the plain Z notation only.
2.1. A simple example
The Watch-Dog Timer, or simply WDT, is a process of the SACI-1 OBC responsible
for waiting periodic reset signals that come from another OBC process, the fault-tolerant
router (FTR). If such a reset signal does not come, the WDT sends a recovery signal
to the FTR asynchronously, to normalise the situation. This procedure is repeated three
times; if, after that, the FTR still does not respond, then the WDT considers the FTR
faulty, nishing its operation successfully.
A CSP-Z specication is encapsulated into a spec and end spec scope, where
the name of the specication follows these keywords. The interface is the rst part of
a CSP-Z specication and is used to declare the external channels (keyword channel)
and the local (or hidden) ones (keyword local channel). As CSP-Z is based on the
version of CSP presented by Roscoe in [28] (instead of the original version intro-
duced by Hoare [17]), the union of all interfaces gives the alphabet denoted by .
Each list of channels has an associated record type. The general form of such type is
[v1 : T1; : : : ; vn : Tn] where v1; : : : ; vn are lists of variables and T1; : : : ; Tn their re-
spective types. This is actually a simplication of schema types in Z where a predi-
cate P might be used to constrain the values that might be assigned to the variables.
The empty schema ([]) denotes the type of channels which do not communicate val-
ues. The types T1; : : : ; Tn could be built-in or user-dened types; in the latter case, they
62 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
might be declared outside the spec and end spec scope, as illustrated by the given-set
CLK introduced below and used to build the type of the channel clockWDT.
[CLK]
The WDT interface is made up of a communicating channel clockWDT (it can send
or receive data of type CLK through the variable clk), two external or visible events
(reset and recover), and four internal or hidden events (timeOut, noTimeOut, failFTR,
and oWDT).
spec WDT
channel clockWDT: [clk : CLK]
channel reset, recover: []
local channel timeOut, noTimeOut, failFTR, oWDT: []
The concurrent behaviour of a CSP-Z specication is introduced by the keyword main,
where other equations can be added to obtain a more structured description: a hierarchy
of processes. The equation main describes the WDT behaviour in terms of a parallel
composition of two other processes, Signal and Verify, which synchronise in the event
oWDT. The process Signal waits for consecutive reset signals (coming from the
FTR process, described in Section 5) or synchronises with Verify (through the event
oWDT) when the FTR goes down. The process Verify waits for a clock period,
then checks whether a reset signal arrived at the right period or not via the choice
operator (). If a timeOut occurs then the WDT tries to send, at most for three
times, a recovery signal to the FTR through the process A R whose only purpose is
to implement an asynchronous communication between the WDT and the FTR (see
Section 5.1). If the FTR is not ready to synchronise in this event, after the third attempt,
then Verify assumes that the FTR is faulty (enabling failFTR) and then synchronises
with Signal (at oWDT), in which case both terminate (behaving like skip). From
the viewpoint of the SACI-1 project, the WDT is turned o because it cannot restart
(recover) the FTR anymore.
main=Signal [j foWDTg j] Verify
Signal=(reset!Signal  oWDT!skip)
Verify=(clockWDT?clk!(noTimeOut !Verify
 timeOut!(recover!Verify
 failFTR!oWDT!skip)))
The Z part complements the main equation by means of a state-space and operations
which dene the state change produced by each CSP event. The system state (State)
has simply a declarative part recording the number of cycles that the WDT tries to
recover the FTR, and the value of the last clock received. The initialisation schema
(Init) asserts that the number of cycles begins at zero; prime (0) variables are used to
describe the resulting state. To enumerate the cycles allowed, the constant set LENGTH
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 63
is added to be used in the declarative part of the state-space.
LENGTH == 0 : : 3
State =^ [cycles : LENGTH ; time : CLK]
Init =^ [State0 j cycles0 = 0]
To x a time out period we introduce the constant WDTtOut of type CLK . To nd out
whether the current time of the clock is a time out, we introduce the constant WDTP
which is a relation used to express when one element of CLK is a multiple of another.




WDTtOut : CLK
WDTP : CLK $ CLK
The following operations are dened as standard Z schemas (with a declaration part
and a predicate which constrains the values of the declared variables) whose names
originate from the channel names, prexing the keyword com . Informally, the mean-
ing of a CSP-Z specication is that, when a CSP event c occurs the respective Z
operation com c is executed, possibly changing the data structures. Further, when a
given channel has no associated schema, this means that no change of state occurs.
For events with an associated non-empty schema type, the Z schema must have input
and=or output variables with corresponding names in order to exchange communicated
values between the CSP and the Z parts. Hence, the input variable clk? (in the schema
com clockWDT below) receives values communicated through the clockWDT channel
(with type [clk : CLK]). For schemas where prime variables are omitted, we assume
that no modication occurs in the corresponding component; for instance, in the schema
com reset below it is implicit that the time component is not modied (time0 = time).
com reset =^ [State j cycles0 = 0]
com clockWDT =^ [State; clk? : CLK j time0 = clk?]
Note that the precondition of the schema com noTimeOut below is given by the pred-
icate : WDTP(time;WDTtOut), meaning that the current time is not a multiple of the
time out constant, and therefore the time out has not yet occurred; complementarily,
the precondition of com timeOut species the occurrence of a time out.
com noTimeOut =^ [State j : WDTP(time;WDTtOut)]
com timeOut =^ [State j WDTP(time;WDTtOut)]
As already explained, the recovery procedure is attempted for 3 times, after which the
WDT assumes that the FTR is faulty. This forces the occurrence of failFTR and then
turns o the WDT process.
com recover =^ [State j cycles < 3 ^ cycles0 = cycles+ 1]
com failFTR =^ [State j cycles = 3]
end spec WDT
64 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
2.2. Brief explanation of the semantics of CSP-Z
The standard semantic model of CSP is the Failures-Divergences model [4]. In
this model a specication is characterised by a set of pairs (F; D) where F is
the failures set and D is the set of divergences. The failures of a process P is a
set of pairs (s, X ), where s is a trace (sequence of events) and X is a refusal
(set of events); after P performs the trace s it cannot engage in any event of the
refusal set X . The divergences of a process P are sets of traces such that after
P performs any trace of this set it engages in an innite loop of hidden events.
The language CSP-Z is a semantical integration of CSP and Z in which a Failures-
Divergences meaning is given to Z [9,10]. This interpretation is required in order to
allow Z components to be combined using the CSP operators like interleaving (jjj) and
parallelism (jj).
A CSP-Z specication is dened as the parallel combination of the CSP and the Z
parts via the interface, such that if a channel c occurs the related Z schema com c is
executed [9{11]. As the semantics of CSP-Z is based on the standard model of CSP,
we should explain what happens when a given event c occurs successfully, when it is
refused, and when it leads the prexed process to diverge.
Before detailing the semantics of CSP-Z related to the Z part we introduce the
notions of blocking and non-blocking views of a Z operation. In the tradition of Z,
schemas can be evaluated freely. If, for a given state and input parameters, there are
no values for the nal state and output parameters which satisfy the schema predi-
cate then the behaviour of the operation is not predictable; this is the non-blocking
view [32]. On the other hand, for describing concurrent and distributed systems it is
useful to express when an operation is disabled, i.e., it cannot occur. A common ap-
proach is to use the precondition as the guard of an operation; this is the blocking
view [31].
2.2.1. The blocking view of CSP-Z
Let pi? and po! stand for lists of input and output parameters, respectively, and
consider the general form of a schema com c (associated with a channel c):
com c =^ [State;pi? : Ti;po! : To j Pcom c]
where Pcom c is the schema predicate.
Then the precondition of a schema com c is given by
pre com c =^9 State0;po! : To j com c
This is the standard Z precondition denition; see for example [32].
As CSP-Z is intended to be the parallel combination of the CSP and the Z parts
then what happens with the state of a system after some trace is performed? Let tr
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 65
Fig. 1. Normal behaviour of a CSP-Z process.
be a trace of a CSP-Z specication. Hence, after the occurrence of tr the state of the
system is given by:
 com hi =^ Init, for an empty trace;
 com (hci_ tr) =^ com c com tr, where _ is the concatenation operator and is the
Z schema composition operator.
Consequently, assuming the blocking view approach, when pre com c evaluates to true
then we have a normal behaviour, that is, a CSP event occurs and a new nal state
is produced. In Fig. 1, we illustrate the normal behaviour for the trace ha; bi for two
events a and b. Let S be the state of the process P then the state after the trace ha; bi
is given by S com a com b.
On the other hand, if the guard of a Z operation is false (: pre com c) then the
process behaves like the stop process (see Fig. 2).
Although we adopt the blocking view in this paper, it is worth pointing out that
CSP-Z supports the blocking and the non-blocking views simultaneously [9{11] using
the special prex keywords enable and eect instead of simply com in front of a
channel c. This enables the Z part to introduce refusals (guards) and divergence,
Fig. 2. Event b being refused by the guard.
66 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
as will be explained in what follows. The formal denitions of eect c and enable c
are given by
eect c =^ com c
enable c =^ 9 State0; pi? : Ti; po! : To  com c
Note that eect c is dened as com c itself, whereas enable c can be regarded as the
guard of com c. Therefore, c can occur only if enable c is true. Recall that in the
blocking view only the precondition (pre com c) plays the role of the guard. Here
enable c is the guard and pre com c is associated with divergence which occurs when
enable c is true and pre com c is false. As mentioned above, in this paper we take the
simplied view of not dealing with divergence and, therefore, we adopt the blocking
view.
3. Model-checking CSP-Z
Instead of developing a technique and a tool for model-checking CSP-Z speci-
cations from scratch, our eort is in the direction of reusing and linking theories
and tools. Generally, model-checking means verifying automatically the satisfaction
relation M j=p, which states that the model M satises the property p (described
as a logical formula) [15]. Roscoe [27] observed that this verication could be
made via a renement-checking for CSP: (M j=p), (Spv SM ), where Sp and SM
are CSP specications and Sp is built (or predened in cases such as deadlock-
freedom) as abstract as possible exhibiting the desired property p. Since CSP-Z is
a language whose semantics is based on the standard model of CSP, and rene-
ment in the CSP part leads to renement of the CSP-Z specication, it seems wise
attempting to extend the existing model-checking technology for CSP in the FDR
system [29] to CSP-Z. In order to achieve that, we need to answer the following ques-
tions which, together, record some necessary conditions for embedding a subset of Z
into CSP:
(1) How to describe a state-space in CSP?
(2) How to constrain the CSP behaviour based on the state values?
(3) How to completely characterise the Z part as a CSP process?
(4) How to combine and synchronise the CSP part and the Z part of a CSP-Z
specication?
Each of these questions is answered in a separate subsection. For this purpose we
will use a simple CSP-Z innite buer specication to ease the illustration of our
strategy. But, before that, we present a summary of the CSP notation as well as
the machine-readable version CSPM (the notation used by FDR). Since CSPM has
a direct correspondence with pure CSP (but in some cases allows a more structured
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 67
presentation, especially due to the let clause) we use the CSPM notation in the fol-
lowing subsections.
Correspondence between CSP and CSPM constructs. This summary, together
with the strategy developed in the following sections, allows one to easily under-
stand the conversion process from CSP-Z specications to the FDR notation
(CSPM ).
CSP CSPM Explanation
stop STOP Deadlock
skip SKIP Successful termination
a! P a -> P Simple prex
a?x ! P a?x -> P Input prex
a!v! P a!v -> P Output prex
a?x?y : A!v! P a?x?y:A!v -> P Complex (mix) prex
P Q P [] Q External choice
P u Q P |~| Q Internal choice
PnA P\A Hiding
P j< b >j Q if b then P else Q Conditional choice
P j< b >j stop b & P Boolean guard
P[j X j]Q P [|X|] Q Parallel composition
P j j j Q P ||| Q Interleaving
P >> Q P [c <-> c’] Q Piping
P(s) P(s) Parametrisation
P(f(s)) let s’=f(s) within P(s’) Local declaration
P Q P;Q Sequential composition
i2T Pi [] i:T @ P(i) Process indexing1
Pi P(i) Parametrisation
Our simple buer CSP-Z specication starts with the introduction of a given set which
is the type of the elements of the buer.
[T ]
The Buer is enclosed in the spec=end spec scope, where only the interface
(the external channels) given by the channel keyword are visible outside the
specication.
spec Buer
channel in; out : [t : T ]
main = in?x ! main  out!y ! main
1 Process indexing also applies to u, [jX j], jj, >>, and jjj.
68 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
Note from the main equation that out!y does not make sense considered in isolation
(only the CSP part); the binding occurs when the Z part is taken into account. In this
case, y is bound to t! in the schema com out below, i.e. the CSP-Z pattern out!y acts
similarly as the CSP pattern out?y.
3.1. Introducing a state space
The standard way of associating a state with a CSP process is through parame-
terisation. Part of the above CSP-Z buer specication is captured by the equation
below:
Buffer(State) = in?x -> Buffer(State’) ...
where State0 is a new state built in some way from State and x.
Hence each process carries some expression which represents its state space; this
is essential to model CSP-Z processes. A Z state-space can be represented as a set
of tuples where the components are identied by their positions in the tuple. Then,
we have the following pattern conversion (where Inv(v1; : : : ; vn) is the invariant of the
system):
State =^ [v1 : T1; : : : ; vn : Tn j Inv(v1; : : : ; vn)]
+
State = { (v1,...,vn) | v1 <- T1,..., vn <- Tn, Inv(v1,...,vn) }
which, instantiated for our example, gives us
State = { s | s <- FSeq(T, n) }
where FSeq(T, n) is the set of all nite sequences (#s6n) of type T.
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 69
In particular, the initialisation schema is written as a specic case of the State
schema where the predicate Inv is replaced by a predicate init (of initialisation). For
our example we have
Init = { s’ | s’ <- State, s’==<> }
3.1.1. Z data types representation
Although in the buer example the translation of the state and of the initialisation
schemas is immediate, in general there is no one-to-one correspondence between the
elements Ti and Ti, and Inv(: : :) and Inv(...). This is why we have used dier-
ent fonts. Our objective is to emphasise higher abstract patterns rather than discuss
implementation issues of converting abstract types into more concrete types available
in CSPM . The representation of channel declarations, constants and free-types (when
based on primitive types) is a straightforward syntactic conversion, as presented in [24].
However, for some elaborate data structures such as maps, relations, bags, etc, the
conversion might be a complex data renement task, and must be built around the
denition of sets and sequences which is available in FDR. A more detailed strat-
egy for this translation is out of the scope of this paper. An approach to implement-
ing model-based specications using a functional notation can be found, for example,
in [2].
3.2. CSP behaviour as a function of the state-space
Another concern is how to restrict the CSP behaviour based on the state space of the
process. Our buer process can accept the events in and out, but out is enabled only
if the buer is not empty. To handle this kind of feature we use the CSPM notation
b & P which stands for a conditional: if b then P else STOP:
s != <> & out!y -> Buffer(State’)
where y is some element from the state variable s, s != <> (s 6= hi) is the precondition
of com_out, and State’ is a new state generated from s taking into account the eect
of the operation com_out.
Conditionals based on the current value of components of the state-space (as well as
on the values of input variables) serve as a standard pattern to check the preconditions
of Z operations described by schemas.
3.3. Modelling the Z part as a CSP process
The Z part of a CSP-Z specication can be seen as a passive process (with state
State), in the sense that it must always oer all events with the precondition satis-
ed (blocking view). In order to model the Z part completely, we must express: Z
operations, state-space initialisation and the composition of Z operations controlled by
70 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
the CSP part (traces), through CSPM constructs. Then, for Z operations we have the
following conversion pattern (Recalling that State =^ [v1 : T1; : : : ; vn : Tn jP]):
which, specialised to our example, gives us:
com(s, In.t) = { s’ | s’ <- State, s’==s^<t> }
com(s, Out.t) = { s’ | s’ <- State, s!=<>, t==head(s), s’==tail(s) }
Note that State is now a xed set dened previously, as illustrated by the rule in
Section 3.1.
It is worthwhile observing that the separation of pre- and post-conditions in the
Z schema of the above rule is just a convenience of the conversion strategy, since
schemas have a single predicate without such a separation. As already pointed out, the
translation of predicates into executable boolean functions is not so simple, in general,
as it might appear, but this is not the focus of this paper; see, for example, [2].
To conclude the conversion of the Z part, let Interface be the interface (set of
external and internal channels) of a CSP-Z process P. Then, its Z part without a state
initialisation is given by
Z(State) =
[] (States,Comm): {(com(State, c), c) | c <- Interface} @
States != {} &
|~| State’: States @ Comm -> Z(State’)
The idea behind representing the Z part as a CSP process is to collect all pairs of
states and communication (due to the relational nature of the state-space we can have
more than one next state for a single communication) such that only the valid ones
(States != {}) will be oered to the environment as an external choice process. As
the output and the next state are determined by the com Comm Z operation then we
have an indexed internal choice of possible next states associated with a communication.
Finally, to allow a valid initialisation state for the Z part then we extend the above
process to its nal representation (where Init is an initial valid state):
Z_CSP = let
Z(State) = (As previously defined)
within |~| iState: Init @ Z(iState)
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 71
An initialisation operation is like an output one, in the sense of generating the next
states from which one must be chosen nondeterministically. Then we have an indexed
internal choice of all possible initialisations. The let ... within ... construct is
used to write a recursive process in a more structured way.
3.3.1. Optimisation
The conversion pattern for schemas, introduced previously, might be inecient for
practical purposes. The reason is that the generic conversion pattern uses set compre-
hension to represent an arbitrary relation dened by the corresponding schema, and
the implementation of a set comprehension in FDR involves expanding all the pos-
sibilities (given by the types used in the denition) and then ltering the pairs for
which the relation holds. The opportunity for optimisation happens for determinis-
tic (schemas) operations. In such cases, the schema predicate can be translated to a
singleton set, provided the state invariant and precondition are satised. As an exam-
ple, consider the schema com out of the Buer process. Its general translation was
given as
com(s, Out.t) = { s’ | s’ <- State, s!=<>, t==head(s), s’==tail(s) }
but we know that there is a unique case where s’=tail(s) which denes the set
{ tail(s) } provided s!=<> and t==head(s). Therefore, instead of the more general
set comprehension we can convert the schema com out into
com(s, Out.t) = if s!=<> and t==head(s) then { tail(s) } else {}
where s!=<> and t==head(s) have to appear in this order since there is a data
dependency between s!=<> and t==head(s).
Such optimisations might be quite signicant in practice. For example, the global
analysis phase of our case-study (see Section 5) could only be performed after rewriting
all processes using the techniques explained in this section.
3.4. Combining the CSP and the Z parts
The meaning of a CSP-Z specication unit is dened in [9] (see Section 2.2) as the
parallel composition of the CSP and Z parts synchronising at the channels declared in
the interface. Let
spec P; Interface (Channels [ lChannels); main; SZ ; end spec P
be a generic CSP-Z specication, where P is the name of the specication, Interface
is its interface (where Channels is the set of visible channels introduced by the key-
word channel, and lChannels is the set of local channels introduced by the keyword
local channel), main is its CSP part, and SZ is its Z part.
According to our translation strategy into CSPM , the CSP part suers almost no
modications in its structure, except for the output channels. Recall from our simple
buer specication that the term out!y, in the main equation of the CSP-Z process
72 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
Buer, has no meaning considered in isolation; it needs the participation of the Z part
to behave accordingly. In order to communicate the output values generated by the Z
part to the CSP part one must enable the CSP part to generate all possible values, which
depend on the type of the respective channel, and the Z part to simply select some
of them. So, when a term like out!y is found in the main equation it is transformed
into out?y, which is justied by the equation ?x : A!P(x) =x2A x!P(x), where
A [28].
Summarising our conversion strategy, an arbitrary CSP-Z specication, say P, will
be translated to a CSPM process with the following skeleton:
P = let
-- The Interface
Channels = {|...|}
lChannels = {|...|}
Interface = union(Channels, lChannels)
-- The CSP Part
main = ...
-- The Z Part
State = {...}
Init = {...}
com(sTuple, Comm) = {...}
...
Z_CSP = ...
within (main [|Interface|] Z_CSP)\lChannels
In words, the behaviour of P is the parallel composition of the communication part
(main) and the process which represents the Z part (Z_CSP); these processes synchro-
nise in the interface I . The hiding in the above equation is necessary because CSP
does not provide a means for modularisation in the sense of scope found in CSP-Z
specications. Therefore, local channels in CSP-Z need to be explicitly hidden when
considered in CSP.
As an example, the CSP-Z process Buer of Section 3 is now completely written
as:
channel in, out: {0,1}
FSeq(T, 0) = {<>}
FSeq(T, 1) = union(FSeq(T, 0), {<z> | z<-T})
FSeq(T, s) = {z^z’ | z<-FSeq(T, 1), z’<-FSeq(T, s-1)}
BUFFER =
let
-- The Interface
Channels = {|in,out|}
lChannels = {}
Interface = union(Channels, lChannels)
-- The CSP Part
main = in?x -> main [] out?y -> main
-- The Z Part
SZ = 1
SEQ_B = FSeq({0,1}, SZ)
State = { s | s <- SEQ_B }
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 73
Init = { <> }
com(s, in.N) = if #s<SZ then { s ^ <N> } else {}
com(s, out.N) = if s!=<> and N==head(s) then { tail(s) }
else {}
Z_CSP =
let
Z(State) = [] (States,Comm) <-
{ (com(State, c), c) | c <- Interface }
@ States != {} &
|~| State’: States @ Comm -> Z(State’)
within |~| iState: Init @ Z(iState)
within (main [|Interface|] Z_CSP)\lChannels
Note, in particular, that we instantiate type T to {0, 1}. We also dene a nite
sequence constructor (FSeq) which, when applied to (Tp, s), generates the set of all
sequences with size less than or equal to s whose elements are taken from set Tp. Then
we restrict the use of seq T in the original CSP-Z specication to SEQ_B=FSeq(T,SZ)
(which expanding gives fhi; h0i; h1ig). This is sucient to model-check this process
through data abstraction techniques which is out of the scope of this paper (see, for
example, Lazic [21] for further details).
3.5. Dealing with termination
It is worth noting that the process Z_CSP which represents the Z part of a CSP-Z
specication never terminates successfully. This might be a problem when the CSP
part does terminate, since the parallel composition of the CSP and Z parts (as dened
in the previous section) would lead to deadlock.
A simple solution to this problem is to add a new event to the alphabet of the
process which will serve as a synchronisation point between the CSP and the Z parts.
We denote this event by terminate and use it in the following way:
 Add terminate to lChannels;
 Add the external choice [] terminate -> SKIP to the Z_CSP process;
 Remove the terminate event from the interface when computing the set
{(com(State, c), c) | c <- Interface} on process Z(State);
 Concerning the CSP part, we prex every skip process with the special event
terminate. This forces the synchronisation between the CSP and the Z parts upon
terminate.
When the CSP part does not terminate successfully we skip these steps concerning
termination.
3.6. Converting the WDT process
As a further example, in this section we present the conversion of the CSP-Z spec-
ication of the WDT process (see Section 2) into the FDR notation. In particular,
74 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
this example illustrates the termination issue which must be taken into account in the
translation, as explained above. It also shows that the CSP part can be structured using
named processes apart from main.
In this translation the CLK given-set is implemented as a (nite) free-type
(datatype) so that FDR can analyse the process.
datatype CLK = noneClock | clk1 | clk2 | clk3 | clk4 | clk5 | clk6
channel reset, failFTR
channel recover
channel timeOut, noTimeOut
channel terminate
channel clockWDT : CLK
WDT =
let
-- Interface of WDT
Channels = {|clockWDT, reset, recover|}
lChannels = {|timeOut,noTimeOut,failFTR,terminate|}
Interface = union(Channels, lChannels)
-- CSP part initialised by the main equation
main = (Signal [|{|terminate |}|] Verify)
Signal = reset -> Signal [] terminate -> SKIP
Verify = clockWDT?c -> (noTimeOut -> Verify
[] timeOut -> (recover -> Verify))
[] failFTR -> terminate
-> SKIP))
State = {(cycles, time) | cycles <- {0,1,2,3,4}, time <- CLK}
Init = { (0, noneClock) }
-- Auxiliary elements: Constant and Function
WDTtOut = {clk3, clk6}
WDTP(time, timeout) = member(time, timeout)
com((cycles, time), reset) = { (0, time) }
com((cycles, time), clockWDT.clk) = { (cycles, clk) }
com((cycles, time), recover) = union(if cycles<3 then
{ (cycles+1, time) }
else {},
if cycles==3 then
{ (0, time) }
else {})
com((cycles, time), noTimeOut) =
if not WDTP(time, WDTtOut) then
{ (cycles, time) }
else {}
com((cycles, time), timeOut) = if WDTP(time, WDTtOut) then
{ (cycles, time) }
else {}
com((cycles, time), failFTR) = if cycles==3 then
{ (cycles, time) }
else {}
-- Z Part given by the Z_CSP equation
Z_CSP =
let
Z(state) =
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 75
([] (States, Comm): {(com(state, c), c) |
c <- diff(Interface,{terminate})} @ States!={} &
|~| State’: States @ Comm -> Z(State’))
[] terminate -> SKIP
within |~| State’:Init @ Z(State’)
within (main [|Interface|] Z_CSP)\lChannels
Note the terminate event in the third line above from the bottom.
3.7. Combining specications
When considering the combination of CSP-Z specications one needs only combining
the top-level processes. As explained in Section 3.4, a CSP-Z specication is translated
into a pure CSPM specication, and therefore the CSP operators can be used to combine
CSP-Z specications as ordinary CSP processes.
Surprisingly, perhaps, it is not necessary any additional conversion rule to deal with
combining CSP-Z specications.
4. A modular approach to deadlock analysis
Model-checking can be expensive, mainly when complex data structures and dy-
namic topologies must be handled. Therefore, it is important to search for suitable
strategies to support incremental validation. In this section we briey present the
deadlock analysis technique developed by Brookes and Roscoe [5], to enable incre-
mental validation of CSP specications, and then we show how it can be extended
for CSP-Z.
Brookes and Roscoe’s approach considers only CSP processes that do not diverge,
are triple-disjoint (there is no channel shared by more than two processes) and have
a static topology (recursion might not introduce new behaviour). These requirements
allow a simpler mathematical treatment while it is not too severe in practice. For
instance, practical applications are expected to be divergence-free.
The main result of Brookes and Roscoe’s approach is presented here in the form of
a theorem (see Theorem 1), based on some concepts which are informally explained
below and dened formally in Appendix A.2. Each of such concepts appears in this
section in slanted font, to ease the references to the appendix. We illustrate these
concepts in the case study developed in Section 5.
By network we mean a set of parallel processes; it is busy if all its processes are
deadlock-free. A vocabulary of a network is the set of events containing the synchro-
nisation channels of each pair of processes of the network. A request from a process
A to a process B is an indication that A intends to synchronise with B. An ungranted
request is a request (say, from A to B) that cannot be satised, i.e., B cannot oer
any event needed by A. A conict occurs when both processes involved in a request
have ungranted requests to each other; and a strong conict is a conict where the
two processes involved cannot communicate with a third one.
76 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
We can visualise a network using a graph where the processes are the nodes of the
graph and the edges are the events that synchronise two processes, i.e., events common
to two processes. By disconnecting edges we mean those edges whose removal increase
the number of partitions of the graph, and by essential components those that stay after
removing all disconnecting edges. A pair of processes is conict-free if one cannot nd
a trace which introduces a reciprocal ungranted request or a strong one between these
processes. Now comes the main result of Brookes and Roscoe’s approach (see [4,
Theorem 4, p. 226]).
Theorem 1. Suppose V is a busy network with essential components V1; : : : ; Vk where
the pair of processes joined by each disconnecting edge are conict-free with respect
to the vocabulary . Then if each Vi is deadlock-free; so is V .
The above theorem establishes a connection between deadlock-freedom and pairwise
conict-freedom of the essential components of a network. The conict-freedom con-
straint is necessary because if one essential component blocks then it can infect others
if the edge linking two essential components has conict. This is a very important
result because for large networks one can attempt to arrange them such that they can
be partitioned into simpler ones. Then Theorem 1 tells us that it suces to check for
deadlock-freedom of the essential components.
This deadlock analysis strategy is compositional in the sense that we verify smaller
processes and use Theorem 1 to conclude the deadlock-freedom of their parallel com-
positions. In Section 5.2 we show how FDR can be used both to verify conict-freedom
of processes linked by disconnecting edges, and deadlock-freedom of essential compo-
nents of our case study.
4.1. Extending the modular approach towards CSP-Z
According to the requirements of the formal strategy for deadlock analysis presented
above, a network can only be investigated in a modular way if it is divergence-free,
triple-disjoint, uses an associative parallel operator such as jj (dened in [17]) and has
a static topology.
If one can prove that a network has all these properties then all the results of Brookes
and Roscoe’s approach can be used. In this section we show what are the conformity
obligations for such results to generalise for CSP-Z specications. One must check the
following:
(1) Is the network of concern triple-disjoint?
(2) When is the parallel operator [jj] used by CSP-Z associative?
(3) How to guarantee that the Z part does not introduce divergence?
(4) How to guarantee that the topology is static?
To guarantee triple-disjointness of a CSP-Z network we consider each CSP-Z spec-
ication (component of this network) as a unit. The required property holds if and
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 77
only if no more than two such units share a same event. Therefore, just like the check
is performed in CSP, we need only look at the interface of this network. It is worth
observing, however, that when two CSP-Z specications share a same event c we ac-
tually have four processes sharing this event, since the CSP and the Z parts of each
process has the event c. But as explained above the triple-disjointness check considers
the whole CSP-Z specication as a unit: the fact that its internal representation is the
parallel composition of smaller processes is not relevant.
Question 2 is answered by Theorem 2 below.
Theorem 2 (Associativity of [jj]). Let V be a triple-disjoint network. Then [jj] is
associative. Thus; for all processes P; Q and R of V we have
P [j X j] (Q [j Y j] R) = (P [j X 0 j] Q) [j Y 0 j] R
such that X [ Y =X 0 [ Y 0.
Proof. Let e 2 X . Then, when e occurs we have one of the following transitions:
 P [j X j] (Q [j Y j] R) hei−! P0 [j X j] (Q0 [j Y j] R) (synchronisation between P
and Q).
 P [j X j] (Q [j Y j] R) hei−! P0 [j X j] (Q [j Y j] R0) (synchronisation between P
and R).
By the hypothesis of triple-disjointness we have that only one can happen (never both).
Therefore; we can partition the transitions into two sets: one containing the participation
of P and Q; and the other of P and R. Hence; let eq and er be events of X such that
Q
heqi−! Q0 and R heri−! R0. Thus; the synchronisation sets X 0 and Y 0 are; respectively;
feq jQ heqi−!Q0g and Y [ fer jR heri−!R0g:
Concerning the third question above, recall that we have adopted the blocking view.
Due to this fact and the general form of the CSP process which represents the Z part
(a distributed external choice of all the events in the interface) it is easy to verify that
the Z part does not introduce divergence. Regarding the CSP part, the check is the
same as for pure CSP.
The static topology property, required in [5], is essential only for a non-mechanised
analysis. The reason is that keeping track of the network’s structure during execution
(by hand) is unmanageable. Nevertheless, a tool such as FDR automatically controls
the execution ow and, therefore, the static topology becomes no longer a relevant
requirement.
It is important to notice that Conditions 1 and 3 above are proof obligations for all
applications; before using the modular approach to model-checking one must verify
whether the above proof obligations hold. On the other hand, Conditions 2 and 4 are
78 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
application independent. As explained above, Condition 2 is discharged by Theorem 2
and Condition 4 by the fact that the reasoning is conducted mechanically.
5. Case study: the SACI-1 microssatellite
In this section we present the CSP-Z specication of ve processes which combined
in parallel with that introduced in Section 2 results in a specication that represents a
simplied behaviour of the SACI-1 OBC. 2 We carry out a deadlock analysis of these
processes using FDR in a modular fashion.
The SACI-1 OBC is a fault-tolerant distributed processing system which combines
software and hardware components [7]. Its critical parts are: its Watch-Dog Timer
(WDT) and its fault-tolerant router (FTR). Due to its fault-tolerant aspects, the SACI-
1 was designed with redundant components. In particular, it has three WDTs and three
FTRs. However, for illustrative purposes, we consider here a simplication of the real
conguration, removing indices and presenting its behaviour in an abstract way. We
consider two more SACI-1 processes, responsible for the communication between the
Earth and the satellite, and vice versa, respectively: the Telecommand (TC) and the
telemetry (TM) process. Finally, we describe two auxiliary processes: one to implement
an asynchronous communication between the WDT and the FTR (A R) and the Clock
Controller (SCLOCK).
5.1. The CSP-Z specication of the SACI-1 OBC main components
Before describing the processes themselves we introduce the following types. The
free-type Message is dened in terms of the constructors TC and TM , for classifying
the messages as telecommands or telemetries. Both kinds of messages carry out a
parameter Fields which is built as the cartesian product of Data and Integers, where
Data is another free-type with three values (nullData denoting an empty message,
sendTM standing for messages which should be sent to Earth by the TM process,
and extra to represent other kinds of messages). The integer component is used for
recording message ordering.
Message ::= TChhFieldsii j TM hhFieldsii
Fields == Data Z
Data ::= nullData j sendTM j extra
2 A more detailed specication of this case study can be found in [24].
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 79
Fault-tolerant router: The FTR is responsible for some internal tasks, safely rout-
ing messages from process to process and for periodically sending a reset signal to
the WDT. In order to model the FTR as close as possible to its original concep-
tion we consider that it can stop temporarily or permanently. In a temporary stop
(where a failure occurs), the FTR can be reanimated through a recover signal. How-
ever, in a permanent one (where a fatal failure occurs) the FTR cannot be
restarted.
Note that no Init schema was introduced in the specication of FTR. When this
happens, any possible initialisation of the state variables is allowed.
80 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
Telecommand: Communications from Earth to the satellite are handled by the telecom-
mand process. Although in the original description it performs a series of tasks (such
as decoding, verication for errors, etc.) to send the received message to other SACI-
1 processes, here we simplify its functionality to receive messages from Earth, and
send to the destination process, which can be either the telemetry process or it-
self. These messages are sent through the FTR, when the destination is the teleme-
try process (a remote communication). When the message is to the Telecommand
process itself, the treatment is totally local and is omitted here. One interesting as-
pect of this process is that it maintains a counter of how many messages were re-
ceived. This value is sent to the Earth when the destination is the telemetry
process.
Telemetry: Data about the satellite are called telemetry, such as: temperature, voltage,
some process status, etc. The telemetry process is responsible to maintain the most
recent collection of stored telemetry and send it to the Earth in response to a request
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 81
from the FTR. Since the telemetry storage is of limited size and the information must
be as recent as possible, if data are received and the storage is full, old data must
be lost in order to allow the storage of more recent data; this is achieved in the
com storeTM schema.
Asynchronous recover: This process serves only to support an asynchronous commu-
nication between the WDT and the FTR. The event recover coming from the WDT
is always enabled while the event recover ftr can only happen if at least one recover
has occurred ( ag= true). Hence, initially, no event recover ftr can occur.
82 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
OBC clock: As CSP-Z cannot capture precisely the temporal aspects of a system, we
establish some conventions in order to characterise the SACI-1 as a system dependent
of time. We model a process which exhibits events, carrying clock values, which
control the behaviour of the WDT and of the FTR. By using a function incC on clock
we abstract from the way time is represented.
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 83
Observe that the current value of the time variable is sent to the WDT or to the
FTR processes at any moment. Note also that the time variable can be incremented
by an interruption of the tic event.
SACI-1: The simplied behaviour of the SACI-1 microssatellite is given by an al-
phabetised parallel composition ([jj]) of the previous ve CSP-Z components. In this
specication, the elements inside the brackets of the parallel operator are the synchro-
nisation points. The denition of the SACI-1 process illustrates that specication units
can be combined just like ordinary CSP processes.
SACI-1= ((((WDT [j frecoverg j] A R)
[j freset; recover ftrg j] FTR)
[j fclockWDT ; clockFTRg j] SCLOCK)
[j fTC FTRg j] TC)
[j fFTR TMg j] TM
In Appendix B we present the translation of each of the SACI-1 processes into the
FDR notation, except for the WDT whose translation was already given in Section 3.6.
5.2. Investigating the SACI-1 network
After presenting all ve processes involved in the description of the SACI-1 OBC,
we investigate this network of processes for deadlock-freedom. We follow a strategy
of deadlock analysis in order to minimise the overall eort needed (modular approach).
Recall from Section 4 that for verifying deadlock-freedom one must follow the steps
below:
Step 1. Verify whether the network is busy. If it is not busy then at least one of its
processes has a deadlock, and the strategy is not applicable.
Step 2. Decompose the network into its essential components, verify if the processes
linked by the disconnecting edges are conict-free and if each of the essential com-
ponents are deadlock-free. If all these obligations are successfully discharged then the
network is deadlock-free; otherwise it has a deadlock.
For our network, we can load the FTR process into FDR and verify that this process
has a deadlock state, specically for the trace h;fatali where  denotes an internal event.
The WDT process also deadlocks after:
h
3 times
z }| {
clockWDT:clk6; ; recover; clockWDT:clk6;
3 times
z}|{
 i
These deadlock states do not happen to be a problem because they are expected from
the requirements of the OBC. The FTR process was modelled having this behaviour
in mind; the cause of this mal-function comes from external problems (radiations,
hardware failures, etc.). With a similar argument, the WDT can only try to recover
the FTR process for three times.
84 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
Fig. 3. Disconnecting edges of the SACI-1 communicating graph.
The purpose of our analysis is to show that the traces above are the only pos-
sible deadlock states. Therefore we continue our analysis by removing the deadlock
possibility of the FTR process (event fatal) and allowing the WDT to attempt re-
covering the FTR an arbitrary (possibly innite) number of times. Thus, by load-
ing the processes WDT and FTR (modied as explained above), TC, TM, A R
and SCLOCK in FDR we get a \
p
" (meaning success) for each assertion of the
form assert P:[deadlock free [F]] (Is P deadlock-free according to the Failures-
model?), indicating that the network is busy.
The above result denotes the successful completion of Step 1. Then we begin the
decomposition analysis (Step 2). To achieve this we need to perform three main tasks:
detecting if there exists disconnecting edges, proving that the processes linked by the
disconnecting edges are conict-free and, nally, proving that each essential component
is deadlock-free.
Disconnecting edges can be easily found by depicting the communicating graph of
the network. Fig. 3 shows the communicating graph for the SACI-1 OBC network.
The edges de1 and de2 are disconnecting edges because their removal increases the
number of graph components, namely: hTCi, hTMi and hFTR, WDT, A R, CLKi.
With FDR we can also prove whether two processes, say P and Q, are conict-free
through renement in the traces model. Let P and Q be the alphabets of P and Q,
and S = P \ Q be the synchronisation set (the interface). First we dene how one
can check whether there is an ungranted request from P to Q, denoted P ! Q. Recall
that this happens when P oers an event in S and Q cannot engage in it. This can be
easily achieved in FDR by checking that P has a trace (of events in S) which is not
a trace of Q. Formally, we have
P ! Q  : (Qn(Q − S) vT Pn(P − S))
which means that, in the traces model, P is not a renement of Q (when both are
restricted to S).
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 85
Fig. 4. Pairs of processes which must be conict-free.
Similarly, an ungranted request from Q to P can be checked as follows:
Q ! P  : (Pn(P − S) vT Qn(Q − S))
As we are concerned with conict-freedom we must check that there are not simulta-
neous ungranted requests between P and Q:
conict − free(P;Q) 
(Qn(Q − S) vT Pn(P − S))
_
(Pn(P − S) vT Qn(Q − S))
Fig. 4 shows the processes required to be conict-free; these are the processes inside
the regions cf1 and cf2. Doing the above renement checking in FDR through the
following assertions:
1. assert FTR\diff(Events,{|TC_FTR|}) [T= TC\diff(Events,{|TC_FTR|})
2. assert TC\diff(Events,{|TC_FTR|}) [T= FTR\diff(Events,{|TC_FTR|})
3. assert FTR\diff(Events,{|FTR_TM|}) [T= TM\diff(Events,
{|FTR_TM|})
4. assert TM\diff(Events,{|FTR_TM|}) [T= FTR\diff(Events,
{|FTR_TM|})
gives us three \
p
" for assertions 1, 3 and 4 and an \X " for assertion 2 stating that the
pair of processes hFTR; TCi and hFTR; TM i are conict-free with only one ungranted
request from FTR to TC.
Finally, we must check whether the essential components presented in Fig. 5 are
deadlock-free themselves. The analysis of all these components using FDR results in
deadlock-freedom. For the process ec3, deadlock-freedom was obtained after eliminating
the expected deadlock possibilities of the WDT and the FTR, as explained above.
To give a measure of eectiveness of this modular approach to deadlock analysis,
Table 1 summarises the results obtained by a modular and by a global analysis of
deadlock using the FDR model-checker. A global analysis of the SACI-1 specication
takes 201.168 states (see Table 1). Concerning the incremental analysis, rst we proved
that the network is busy, checking FTR, TC, TM, WDT, A R and SCLOCK against
86 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
Fig. 5. Essential components which must be deadlock-free.
Table 1
Summary of results: modular  global analysis
Modular analysis States Transitions
FTR Deadlock-free 123 686
TC Deadlock-free 9 44
TM Deadlock-free 76 225
WDT Deadlock-free 5 22
A R Dealock-free 2 3
SCLOCK Deadlock-free 28 56
h TC, FTR i Conict-free 9 11
h TM, FTR i Conict-free 123 506
h FTR, WDT, A R, SCLOCK i Deadlock-free 3,051 12,127
Total 3,426 13,680
Global analysis States Transitions
Total 201,168 1,705,581
deadlock. Then we checked that hTC; FTRi and hTM; FTRi are conict-free, and then
we proved that kernelSACI1 (see the group ec3 in Fig. 5) is deadlock-free. So, by
Theorem 1 SACI1 is also deadlock-free. The total number of states of the incremental
proof is 3.426, which is only 1.7% of the number of states taken by the global analysis.
Regarding the number of transitions we found a percentage of 0.8%.
A last observation is that for some specications only the modular approach can
be used to check the desired results; in this paper we used a simplied case study to
demonstrate the approach, but for real and complex systems a global analysis might
not be possible using FDR, because of the exponential increase of the number of states.
Actually, as mentioned previously, without the optimisation introduced in Section 3.3.1,
the global analysis caused a virtual memory overow for a SPARC station with 711MB
of virtual memory while the modular analysis produced the expected result with 50.876
states and 280.005 transitions.
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 87
6. Conclusion
In this paper we further developed a strategy for model-checking CSP-Z specica-
tions, originally presented in [25], based on the semantics of the CSP-Z language [9,10]
and on previous work for model-checking CSP [27]. In particular, we showed how the
Z part of a CSP-Z specication can be characterised as a CSP process, parameterised
by the state space. This allowed us to dene the behaviour of a CSP-Z specication
entirely in CSP, permitting the reuse of strategies and tools (originally developed for
CSP) to CSP-Z. Currently, we are in course of concluding a translation tool which
convert CSP-Z specications into CSPM ones following the approach presented here.
We presented a formal specication of a simplied model of the OBC of the SACI-1
microssatellite. In doing that, we could experience that using an integrated language
gives us more expressive power and exibility than singular approaches. The SACI-1
project as developed by the Brazilian Space Research Institute lacked formal docu-
mentation; hence, our rst contribution was to formally dene a subset of its OBC
system. From the very beginning, the goal of the formalisation task was to develop a
formal specication free from problems and, therefore, we did not nd any unexpected
deadlocks in our specication. However, some problems in the informal documentation
were detected: the documentation was found to be ambiguous (diculting the under-
standing of the system), and the description of many processes which were supposed
to cooperate did not specify synchronisation points. These problems were reported to
the members of the SACI-1 project and the specication reported in [24] serves today
as a formal reference to the implementation of this project.
We have also adapted previous work on CSP in the denition of a strategy for
incremental analysis of CSP-Z specications. The advantages of a modular approach
were illustrated by the deadlock analysis of our case study using FDR, where we
testied an impressive reduction of the eort to carry out the analysis (as summarised
by Table 1). Furthermore, we are not aware of any mechanised analysis (even for pure
CSP) based on the modular approach suggested by Roscoe.
Modular approaches like the one presented here are very much desirable mainly
for CSP-Z specications where the data structures can be expensive and hard to be
analysed by model-checkers like FDR. Related work in the direction of modular model-
checking can be found, for example, in [20], where Laster proposes a partitioning of
an integral process into a set of sequentially composed subprocesses, and the analysis
of each subprocess from which one can conclude properties about the original process.
Another eort is reported in [18], where Huhn uses the technique of net unfolding to
give a partial order semantics for Petri Nets and shows that this approach is well suited
to act as a model for branching-time logics interpreted on local states. Other works,
in the direction of linking theories, can be found in [3], where the process language
AORTA is extended to include a formal data model, or in [13], where an operational
semantics is given to the combination of CCS and Z.
The major limitation of our strategy resides on the use of data types available in
CSPM as well as its channel expansion rather than a value-passing approach [16].
88 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
Nevertheless, applying Z renement [32] we can transform an abstract specication
into a more concrete one, guided by the data types implemented in FDR, as well as
breaking a complex communication into an equivalent group of simpler ones.
Another interesting research area is abstraction [15,28,30] since standard techniques
of Z data renement (as suggested above) might not be as expressive to turn the orig-
inal specication into (a nite) one adequate for model-checking. The key issue of
abstraction is to minimise the eort involved in model-checking considering a more
abstract representation of the original system. Lazic [29] proposes a decision proce-
dure for CSP data independent processes combined with a symbolic model-checking
approach, aiming at integration with the FDR tool. In Lazic’s approach, once a process
is determined to be data independent then his algorithm can model-check the process
even if it was originally an innite-state system. A closer work to ours was proposed
by Heike [33], where an abstract interpretation [6] (data abstraction) approach is spe-
cialised to CSP-OZ. Heike’s work is more powerful than Lazic’s work in that it handles
data dependent processes. However, it is dicult to apply in practice, since one has
always the obligation to propose abstract data domains and operations which is clearly
a manual eort in general, whereas in a data independence approach everything is
automatic which is more in tune with the model-checking proposal. We are currently
investigating a completely mechanised extension=specialisation of both approaches to
CSP-Z, with support of the FDR tool. Broadly, the idea is to automatically generate
a nite subset of each original (possibly innite domain). This frees the user from
having to propose the abstract domain (in the abstract interpretation sense).
A nal remark is that although we have based our work on CSP-Z, the results could,
in principle, be easily adapted to other approaches to integrate CSP and Z, such as,
for example, [31].
Acknowledgements
We thank the researchers from the Brazilian Space Research Institute (INPE), and in
particular Alderico R. Paula Jr. for help in the understanding of the SACI-1. We also
thank Clemens Fischer and Paulo Borba for discussions about CSP-Z and FDR, and for
suggestions and criticisms which helped us to improve our approach to model-checking
CSP-Z.
Appendix A. Formal denitions
The whole paper was intended to describe the development of our strategy to model-
checking CSP-Z specications without too much technical details. In this section we
present the Failures-Divergence model for Z and the some denitions which were only
informally presented in Section 3.
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 89
A.1. Failures-divergence semantics of Z
Let c be a channel, tr be a trace, Chans(I) be the set of channels of an interface I
and Comm be the set of communications (pairs (c; v), where c is a channel and v is
a communication value), thus:
The failures-divergence interpretation for the Z part is given by the following
denition:
Denition A.1. Let I be an interface and Oz a list of Z-schemas with exactly one
schema enable c and eect c for every channel c from Chans(I). Then the semantics
of the corresponding CSP-Z specication is dened as follows:
<spec I ; State; Init; OZ end spec= = (F;D)
where
D= fs_t : seq Commj 9State0  eect s ^ (enable head(t))0 ^ :(pre eect head(t))0g
F= f(tr;R) : seqCommPCommj 9State0  (eect tr ^RREF )g
[f(tr;R) :DPCommg [ f(hi; ;)g
REF==f(c; v) j : (enable (c; v))0g
In the above denition, D is the refusal set introduced by the Z part where the pred-
icate enable c^:pre eect c is veried and F is the failures set of the Z part, where
REF is the set of communications that can be refused, i.e., the predicate :enable c is
satised.
A.2. Denitions for deadlock analysis
Denition A.2. The process P is deadlock-free if 8s 2 (P)  (s; P) =2F<P=.
CSP operators are compositional in the sense that given two processes P and Q,
P Q or P jj Q are also processes. Thus, we can see a concurrent system as a
composition of parallel processes.
Denition A.3. A network is a parallel combination of processes. Let V be a network
composed of the processes P1; : : : ; Pn then V = hP1; : : : ; Pni.
In the following denitions, let V be a network such that V = hP1; : : : ; Pni.
Denition A.4. A network is triple-disjoint i Pi \ Pj \ Pk = ;, i 6= j 6= k.
Denition A.5. A graphical view of a network is a communication graph where the
processes are the nodes and an arc exists between two nodes i Pi \ Pj 6= ;, i 6= j.
90 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
Denition A.6. The vocabulary  of a network V is the set [fPi \ Pjj16i<j6ng.
Denition A.7. A state  of a network V is a trace s of V and an indexed tuple
hX1; : : : ; Xni of refusal sets Xi such that for each i, (s  Pi; Xi) 2F<Pi=.
Denition A.8. Let  = (s; X ) be a state and  be the vocabulary of the network V .
A pair of indices hi; ji (with i 6= j) is:
 a request if (Pi − Xi)\ Pj 6= ; (Pi ! Pj or Pi ;! Pj);
 a strong request if ; 6= (Pi − Xi) Pj (Pi ) Pj or Pi ;) Pj);
 ungranted if in addition Pi \ Pj Xi [Xj (Pi ! Pj or Pi ;! Pj).
Denition A.9. A state  of the pair hP;Qi is a  -conict if P ; ! Q and Q ; ! P
and strong  -conict if P ; ) Q or Q ; ) P (with respect to  ).
Denition A.10. A pair hP;Qi is free of   -conict if none of its states is a  -conict.
Denition A.11. A network V is (strong) conict-free i for all i 6= j the pair hPi; Pji
is free of strong -conict.
Denition A.12. The edges (nodes) V1; : : : ; Vk are the disconnecting edges of the
network V i they are nodes of the communication graph of V whose removal would
increase the number of connected components (partitions).
Denition A.13. The essential components of V are the connected components of the
graph that remains after all disconnecting edges were removed.
Appendix B. SACI-1 in FDR
In this section we present the translation of the CSP-Z specication of the SACI-1
into FDR.
The rst process to be translated is the SCLOCK, whose specication was presented
in the beginning of this section. In this translation the CLK given-set is declared as a
free type (datatype) so that FDR can analyse the process.
datatype CLK = noneClock | clk1 | clk2 | clk3 | clk4 | clk5 | clk6
channel clockWDT,clockFTR: CLK
channel tic
SCLOCK =
let
-- The Interface
Channels = {|clockWDT,clockFTR|}
lChannels = {|tic|}
Interface = union(Channels, lChannels)
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 91
-- The CSP Part
main = sendClock [> updateClock
sendClock = clockWDT?clk -> sendClock
[] clockFTR?clk -> sendClock
updateClock = tic -> main
-- The Z Part
-- IncC definition
IncC(noneClock) = clk1
IncC(clk1) = clk2
IncC(clk2) = clk3
IncC(clk3) = clk4
IncC(clk4) = clk5
IncC(clk5) = clk6
IncC(clk6) = noneClock
State = { time | time <- CLK }
Init = { noneClock }
com(time, clockWDT.clk) = if clk==time then { time } else {}
com(time, clockFTR.clk) = com(time, clockWDT.clk)
com(time, tic) = { IncC(time) }
Z_CSP =
let
Z(State) = [] (States,Comm):
{ (com(State, c), c) | c <- Interface }
@ States!={} &
|~| State’: States @ Comm -> Z(State’)
within |~| iState: Init @ Z(iState)
within (main [|Interface|] Z_CSP)\lChannels
The next converted process is the Telecommand which uses preconditions to con-
strain the CSP behaviour.
datatype Dest = TCp | TMp
datatype Data = sendTM | extra
nametype Counter = {0..2}
nametype Message = Dest.Data.Counter
channel TC_FTR: Message
channel waitEarth:Message
channel localTask, remoteTask
TC =
let
-- The Interface
Channels = {|TC_FTR, waitEarth|}
lChannels = {|localTask, remoteTask|}
Interface = union(Channels, lChannels)
-- The CSP Part
main = waitEarth?d.m.c -> (localTask -> main
[] remoteTask -> TC_FTR?d.m.c -> main)
-- The Z Part
State = { (message, counter) | message <- Message,
counter <- Counter }
Init = { (message’, 0) | message’ <- Message }
92 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
com((message, counter), TC_FTR.msg) =
{ (message’, counter’) | (message’, counter’) <- State,
d <- Data, n <- Counter,
message==(TMp.d.n),
msg==(TMp.d.counter), counter’==0,
message’==message }
com((message, counter), waitEarth.msg) =
union(if counter<2 then
{ (message, counter+1) }
else {},
if counter==2 then
{ (message, 0) }
else {})
com((message, counter), localTask) =
if {d | d <- Data, n <- Counter,
message==(TCp.d.n)}!={} then
{ (message, counter) }
else {}
com((message, counter), remoteTask) =
if {d | d <- Data, n <- Counter,
message==(TMp.d.n)}!={} then
{ (message, counter) }
else {}
Z_CSP =
let
Z(State) = [] (States,Comm) <- { (com(State, c), c) |
c <- Interface } @ States != {} &
|~| State’: States @ Comm -> Z(State’)
within |~| iState: Init @ Z(iState)
within (main [|Interface|] Z_CSP)\lChannels
The Telemetry process is the next, with a slightly more complex state space, where
is used a sequence.
datatype Dest = TCp | TMp
datatype Data = sendTM | extra
nametype Counter = {0..2}
nametype Message = Dest.Data.Counter
channel FTR_TM: Message
channel sendEarth: Message
channel emptyTM, moreTM, storeTM, sendSTM
TM =
let
-- The Interface
Channels = {|FTR_TM,sendEarth,emptyTM,moreTM,storeTM,sendSTM|}
lChannels = {}
Interface = union(Channels, lChannels)
-- The CSP Part
main = FTR_TM?d.m.c -> (sendSTM -> SENDTM [] storeTM -> main)
SENDTM = emptyTM -> main [] moreTM -> sendEarth?d.m.c -> SENDTM
-- The Z Part
maxTM = 1
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 93
SEQM = FSeq(Message, maxTM)
State = { (STM, actMsg) | STM <- SEQM, actMsg <- Message }
Init = { (<>, actMsg’) | actMsg’ <- Message }
com((STM, actMsg), FTR_TM.msg) = { (STM, msg) }
com((STM, actMsg), sendSTM) =
if {n | n <- Counter,
(actMsg==(TMp.sendTM.n)) or
(actMsg==(TCp.sendTM.n))}!={}
then { (STM, actMsg) } else {}
com((STM, actMsg), storeTM) =
if {d | d <- Data, n <- Counter, d!=sendTM,
((actMsg==(TMp.d.n)) or
(actMsg==(TCp.d.n)))}!={}
then
union(if #STM<maxTM then
{ (STM^<actMsg>, actMsg) }
else {},
if #STM>=maxTM then
{ (tail(STM)^<actMsg>, actMsg) }
else {})
else {}
com((STM, actMsg), emptyTM) = if STM==<> then
{ (STM, actMsg) }
else {}
com((STM, actMsg), moreTM) = if STM!=<> then
{ (STM, actMsg) }
else {}
com((STM, actMsg), sendEarth.msg) = if STM!=<> and msg==head(STM)
then
{ (tail(STM), actMsg) }
else {}
Z_CSP =
let
Z(State) = [] (States,Comm):
{ (com(State, c), c) | c <- Interface }
@ States!={} &
|~| State’: States @ Comm -> Z(State’)
within |~| iState: Init @ Z(iState)
within (main [|Interface|] Z_CSP)\lChannels
The simplest process of all is A R. It is used to introduce asynchronism between the
WDT and the FTR which can be implemented using the interleave operator.
channel recover, recover_ftr
A_R =
let
-- The Interface
Channels = {|recover, recover_ftr|}
lChannels = {}
Interface = union(Channels, lChannels)
-- The CSP Part
main = IntRequest ||| IntExecution
IntRequest = recover -> IntRequest
IntExecution = recover_ftr -> IntExecution
94 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
-- The Z Part
State = { flag | flag <- Bool }
Init = { false }
com(flag, recover) = { true }
com(flag, recover_ftr) = if flag==true then { false } else {}
Z_CSP =
let
Z(State) = [] (States,Comm): { (com(State, c), c) |
c <- Interface } @ States != {} &
|~| State’: States @ Comm -> Z(State’)
within |~| iState: Init @ Z(iState)
within (main [|Interface|] Z_CSP)\lChannels
The last process converted is the FTR. Observe that the same implementation time
out previously explained is adopted here for enabling failure or fatal events.
datatype CLK = noneClock | clk1 | clk2 | clk3 | clk4 | clk5 | clk6
datatype Dest = nullDest | TCp | TMp
datatype Data = nullData | sendTM | extra
nametype Counter = {0..2}
nametype Message = Dest.Data.Counter
channel clockFTR: CLK
channel TC_FTR, FTR_TM: Message
channel failure, fatal, reset
channel recover_ftr, task
FTR =
let
-- The Interface
Channels = {|clockFTR, reset, failure, recover_ftr,
TC_FTR, FTR_TM |}
lChannels = {|task, fatal|}
Interface = union(Channels, lChannels)
-- The CSP Part
main = Normal [> Problem
Normal = clockFTR?clk -> (reset -> Normal
[] task -> Normal
[] TC_FTR?d.m.c -> FTR_TM?d.m.c
-> Normal)
Problem = (failure -> recover_ftr -> main [] fatal -> STOP)
-- The Z Part
WDTRstP = {clk3, clk6}
WDTP(time, timeout) = member(time, timeout)
State = { (message, time) | message <- Message, time <- CLK }
Init = { (message’, noneClock) | message’ <- Message }
com((message, time), clockFTR.clk) = { (message, clk) }
com((message, time), reset) = if WDTP(time, WDTRstP) then
{ (message, time) } else {}
com((message, time), task) = if not WDTP(time, WDTRstP)
then { (message, time) } else {}
com((message, time), TC_FTR.msg) = { (msg, time) }
com((message, time), FTR_TM.msg) = if msg==message then
{ (message, time) }
else {}
A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96 95
com((message, time), failure) = { (message, time) }
com((message, time), recover_ftr) = { (message, time) }
com((message, time), fatal) = { (message, time) }
Z_CSP =
let
Z(State) = [] (States,Comm): { (com(State, c), c) |
c <- Interface } @ States != {} &
|~| State’: States @ Comm -> Z(State’)
within |~| iState: Init @ Z(iState)
within (main [|Interface|] Z_CSP)\lChannels
Now we have the top-level specication of the SACI-1’s kernel process, which is the
parallel composition of four processes. Finally, we have our kernel process combined
with the Telecommand and the Telemetry processes.
kernelSACI1 = ((WDT [|{|recover|}|] A_R)
[|{|reset, recover_ftr|}|] FTR)
[|{|clockWDT, clockFTR|}|] SCLOCK
SACI1 = (kernelSACI1 [|{|TC_FTR|}|] TC) [|{|FTR_TM|}|] TM
References
[1] T. Bolognesi, E. Brinksma, Introduction to the ISO specication language LOTOS, Comput. Networks
ISDN Systems 14 (1) (1987) 25{59.
[2] P. Borba, S. Meira, From model based specications to functional prototypes, IEEE TENCON’91
Session on Rapid Prototyping with Functional Programming Languages, August 1991.
[3] S. Bradley, W. Henderson, D. Kendall, A. Robson, Integrating AORTA with Model-Based Data
Specication Languages, in: E. Astesiano (Ed.), Fundamental Approaches to Software Engineering,
Lecture Notes in Computer Science, vol. 1382, Springer, Berlin, 1998, pp. 54{70.
[4] S.D. Brookes, A.W. Roscoe, An Improved Failures Model for Communicating Processes, Lecture Notes
in Computer Science, vol. 197, Springer, Berlin, 1985, pp. 281{305.
[5] S.D. Brookes, A.W. Roscoe, Deadlock analysis in networks of communicating processes, Distributed
Comput. (1991) 209{230.
[6] P. Cousot, R. Cousot, Abstract interpretation frameworks, J. Logic Comput. 2 (4) (1992) 511{547.
[7] A.R. de Paula, Fault-tolerance aspects of the on-board computer of the rst INPE microsatellite for
scientic applications, VI Brazilian Symp. on Fault-Tolerant Computers, August 1995.
[8] J. Derrick, E. Boiten, H. Bowman, M. Steen, Viewpoint Consistency in Z and LOTOS: a case study,
in: J. Fitzgerald, C.B. Jones, P. Lucas (Eds.), FME’97: Industrial Applications and Strengthened
Foundations of Formal Methods, Springer, Berlin, 1997, pp. 644{664.
[9] C. Fischer, Combining CSP and Z, Tech. Report, University of Oldenburg, 1996.
[10] C. Fischer, CSP-OZ: a combination of object-Z and CSP, 2nd IFIP Internat. Conf. on Formal Methods
for Open Object-based Distributed Systems (FMODDS’97), Chapman & Hall, London, 1997.
[11] C. Fischer, How to combine Z with a process algebra, in: A. Fett, J. Bowen, M. Hinchey (Eds.), ZUM’98
The Z Formal Specication Notation, Lecture Notes in Computer Science, vol. 1493, Springer, Berlin,
1998, pp. 5{23.
[12] C. Fischer, H. Wehtheim, Model-Checking CSP-OZ specications with FDR, in: K. Araki, A. Galloway,
K. Taguchi (Eds.), Proc. 1st Internat. Conf. on Integrated Formal Methods (IFM), Springer, Berlin, 1999,
pp. 315{334.
[13] A.J. Galloway, W. Stoddart, An operational semantics for ZCCS, in: M. Hinchey, S. Liu (Eds.), Internat.
Conf. of Formal Engineering Methods (ICFEM), 1997.
[14] J.A. Goguen, T. Winkler, Introducing OBJ3, Tech. Report, SRI International, SRI-CSL-88-9, August
1988. Revised version to appear with additional authors J. Meseguer, K. Futatsugi, J.-P. Jouannaud, in:
Applications of Algebraic Specication using OBJ.
96 A. Mota, A. Sampaio / Science of Computer Programming 40 (2001) 59{96
[15] O. Grumberg, E.M. Clarke, D.A. Peled, Model Checking, The MIT Press, Cambridge, MA, 1999.
[16] M. Hennessy, A proof system for communicating processes with value-passing, Formal Aspects Comput.
3 (1991) 346{366.
[17] C.A.R. Hoare, Communicating Sequential Processes, Prentice-Hall, Englewood Clis, NJ, 1985.
[18] M. Huhn, P. Niebert, F. Wallner, Verication based on local states, in: B. Steen (Ed.), Tools and
Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science, vol.
1382, Springer, Berlin, 1998, pp. 36{51.
[19] C.B. Jones, Systematic Software Development Using VDM, Prentice-Hall International, Englewood
Clis, NJ, 1986.
[20] K. Laster, O. Grumberg, Modular Model Checking of Software, in: B. Steen (Ed.), Tools and
Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science, vol.
1382, Springer, Berlin, 1998, pp. 20{35.
[21] R. Lazic, A semantic study of data-independence with applications to the mechanical verication of
concurrent systems, Ph.D. Thesis, Oxford University, 1999.
[22] Z. Manna, A. Pnueli, The Temporal Logic of Reactive and Concurrent Systems, Springer, Berlin, 1991.
[23] R. Milner, in: A Calculus of Communicating Systems, Lecture Notes in Computer Science, vol. 92,
Springer, Berlin, 1980.
[24] A. Mota, Formalisation and analysis of the SACI-1 microsatellite in CSP-Z, Master’s Thesis, Federal
University of Pernambuco, 1997 (in Portuguese).
[25] A. Mota, A. Sampaio, Model-Checking CSP-Z, in: E. Astesiano (Ed.), Fundamental Approaches
to Software Engineering, Lecture Notes in Computer Science, vol. 1382, Springer, Berlin, 1998,
pp. 205{220.
[26] J.A.C.F. Neri et al., SACI-1: a cost-eective microssatellite bus for multiple mission payloads, Tech.
Report, Instituto Nacional de Pesquisas Espaciais - INPE, 1995.
[27] A.W. Roscoe, Model checking CSP, in: A.W. Roscoe (Ed.), A Classical Mind: Essays in Honour of
C.A.R. Hoare, Prentice-Hall, Englewood Clis, NJ, 1994.
[28] A.W. Roscoe, The Theory and Practice of Concurrency, Prentice-Hall International, Englewood Clis,
NJ, 1998.
[29] B. Scattergood, FDR: User Manual and Tutorial, version 2.27, Formal Systems (Europe) Ltd, July 1998.
[30] D.A. Schmidt, Abstract interpretation of small-step semantics, Proc. 5th LOMAPS Workshop on
Analysis and Verication of Multiple-Agent Languages, Lecture Notes in Computer Science, vol. 1192,
Springer, Berlin, June 1997, pp. 76{99.
[31] G. Smith, A semantic integration of Object-Z and CSP for the specication of concurrent systems, in:
J. Fitzgerald, C.B. Jones, P. Lucas (Eds.), FME’97: Industrial Applications and Strengthened
Foundations of Formal Methods, Lecture Notes in Computer Science, vol. 1313, Springer, Berlin, 1997,
pp. 62{81.
[32] M. Spivey, The Z Notation: A Reference Manual, 2nd Edition, Prentice-Hall International, Englewood
Clis, NJ, 1992.
[33] H. Wehrheim, in: Data Abstraction for CSP-OZ, FM’99 World Congress on Formal Methods, Lecture
Notes in Computer Science, vol. 1709, Springer, Berlin, 1999.
