Formal Aspects of Computing Superposition: composition vs refinement of non-deterministic, action-based systems by Antónia Lopes & José Luiz Fiadeiro
DOI 10.1007/s00165-003-0021-6
BCS © 2004
Formal Aspects of Computing (2004) 16: 5–18
Formal Aspects
of Computing
Superposition: composition vs reﬁnement
of non-deterministic, action-based systems
Ant´ onia Lopes1 and Jos´ e Luiz Fiadeiro2
1Department of Informatics, Faculty of Sciences, University of Lisbon, Lisbon, Portugal
2Department of Mathematics and Computer Science, University of Leicester, Leicester, UK
Abstract. The traditional notion of superposition has been used for supporting two distinct aspects of parallel
program design: composition and reﬁnement. This is because, when trace-based semantics of concurrency are
considered, which is typical of most formal methods, these two relationships are modelled as inclusion between
sets of behaviours. However, when forms of non-deterministic behaviour have to be considered, which is the case
for component and service-based development, these two aspects do not coincide. In this paper, we show how the
two roles of superposition can be separated and supported at the language and semantic levels. For this purpose,
we use a categorical formalisation of program design in the language CommUnity that we are also using for
addressing architectural concerns, another area in which the distinction between composition and reﬁnement is
particularly important.
Keywords: Composition, Reﬁnement, Superposition
1. Introduction
Superposition (or superimposition) has been proposed (and used) as a powerful mechanism for structuring the
developmentofparallelprogramsanddistributedsystems[ChM88,FrF96,BaS96,Kat93,Bos99,BoF88].Itsup-
portsalayeredapproachtosystemsdesignbywhichweareallowedtobuildon(partially)developedcomponents
by augmenting them with new features while preserving the original properties.
Typically, superposition is formalised as a relationship between two units of design (programs, commands,
actions, etc.), which blends well with the traditional stepwise reﬁnement method initiated by Dijkstra [Dij76]:
startingwithaspeciﬁcationoftheintendedbehaviourofthesystem,oneprogressesbyaddingdetail(superposing
activities, computation mechanisms, etc.) until a design is reached that satisﬁes certain criteria. These criteria,
the notions of ‘speciﬁcation’ and ‘unit of design’, as well as the notion of ‘progress’ (superposition step) itself,
vary according to the formalism that is being used to support development. Nevertheless, there is a reassuring
uniformity of concepts that one normally takes as the result of a process of crystallisation that has lasted decades
– one of the few Computing Science can claim.
Correspondence and offprint requests to: Ant´ onia Lopes, Department of Informatics, Faculty of Sciences, University of Lisbon, Campo
Grande, 1749-016 Lisbon, Portugal.6 A. Lopes and J. L. Fiadeiro
There is, however, an interesting twist in the notion of superposition that is best captured in the way it is
formalised by Francez and Forman for a language called ‘Interacting Processes’ [FrF96]. They capture super-
position as a (generalised) parallel composition operator that, basically, introduces a rendez-vous style of syn-
chronisation between processes. This view is not inconsistent with the previous one: it is just more ‘operational’
in the sense that it provides a means of achieving the extension required in a reﬁnement step by interconnect-
ing components. In the past [FiM97], we have actually shown how the two notions can be brought together
in a mathematical framework in which the relational, transformation-based view is captured through a notion
of homomorphism between units of design for which the composition operation is achieved through a colimit
construction.
What is interesting in this dual view of superposition is that composition and reﬁnement are not necessarily
two sides of the same coin. For instance, in the failure or ready semantics of CSP [Hoa85], parallel composition
does not induce reﬁnement (P||Q is not necessarily a reﬁnement of P) and reﬁnement cannot always be expressed
as the result of a parallel composition (P may reﬁne Q and, yet, there may not exist a Q’ such that P is Q||Q’).
The notion of superposition as composition supports a process of system development, but one that aims
at constructing complex systems from simpler components rather than adding detail to more abstract but, in
some sense, ‘equivalent’ representation of the whole system. In fact, both processes are inherent to Software
Engineering; what one often disregards is the fact that they are not the same.
This seems to suggest that there is a separation of concerns that is worth making in regard to the role of
superposition in program development: the composition and the reﬁnement views. Our purpose in this paper
is to contribute to this goal by showing that the difference between these two views of superposition can be
related to another fundamental, but often ignored, separation of concerns: that between non-determinism and
underspeciﬁcation. More concretely, we show that the composition view can be associated with a (horizontal)
process of removing non-determinism from a system by constraining the way its components interact, whereas
the reﬁnement view can capture an orthogonal (hence, vertical) process of making speciﬁcations more precise.
Finally, we show how the two processes can be related, leading to a notion of compositionality that is at the heart
of what is known today as the ‘architectural’ approach to system development. Our discussion will be conducted
over a generalisation of the language CommUnity [FiM97].
2. Component design in CommUnity
CommUnity is a parallel program design language in the style of Unity that was initially proposed in [FiM97]
to show how programs ﬁt into Goguen’s categorical approach to General Systems Theory [Gog73]. Since its
original deﬁnition, the language and the design framework have been extended to provide a formal platform
for architectural design of open, reactive, reconﬁgurable systems [FiL97, WeF98, LoF99]. One of the extensions
we have made to CommUnity concerns the support for higher levels of design. The basic building blocks of the
formalism are not programs but abstractions of programs – called designs – that can be reﬁned into programs in
later stages of the development process.
The support for abstraction in CommUnity is twofold. On the one hand, designs account for what is usually
called underspeciﬁcation, i.e. they are structures that do not denote unique programs but collections of programs.
On the other hand, designs can be deﬁned over a collection of data types that do not correspond necessarily to
those that will be available in the ﬁnal implementation platform. Therefore, there are two reﬁnement procedures
that have to be accounted for in CommUnity: on the one hand, the removal of underspeciﬁcation from designs in
order to deﬁne programs over the layer of abstraction deﬁned by the data types that have been used; on the other
hand, the reiﬁcation of the data types in order to bring programs into the target implementation environment.
The choice of data types determines, essentially, the nature of the elementary computations that can be
performed locally by the components, which are abstracted as operations on data elements. Although such ele-
mentary computations also determine the granularity of the services that components can provide and, hence,
the granularity of the interconnections that can be established at a given layer of abstraction, data reﬁnement is
moreconcernedwiththecomputationalaspectsofsystemsthanwithcomposition.Hence,wefocusourattention
onthereﬁnementofdesignsforaﬁxedchoiceofdatatypes:weassumeapredeﬁnedcollectionofdatatypesgiven
in the form of a ﬁrst-order algebraic speciﬁcation, i.e. a data signature <S , > ,where S is a set (of sorts) and  
is a S∗ ×S -indexed family of sets (of operations), together with a collection   of ﬁrst-order sentences specifying
the functionality of the operations. An approach similar to the reﬁnement calculus for Actions Systems [Bac90]
could be adopted to support also data reﬁnement.Superposition 7
A CommUnity component design is of the form:
design P is
in in(V)
out out(V)
prv prv(V)
do []
g∈sh( )
g[D(g)]: L(g), U(g) → R(g)
[]
g∈prv( )
prv g[D(g)]: L(g), U(g) → R(g)
V is the set of channels of design P. There are input channels, output channels and private channels. Input
channels are read-only: the component has no control on the values that they hold. Output and private channels
arecontrolledlocallybythecomponent,i.e.thevaluethatismadeavailableonthesechannelscannotbemodiﬁed
by the environment. Output channels can be read by the environment but private ones cannot. We use loc(V)t o
denote the union prv(V) ∪ out(V) of local ones. Each channel v is typed with a sort sort(v) ∈ S.
  is the set of action names of design P. The named actions can be declared either as private or shared (for
simplicity,weonlydeclarewhichactionsareprivate).Privateactionsrepresentinternalcomputationsinthesense
thattheirexecutionisuniquelyunderthecontrolofP.Sharedactionsrepresentpossibleinteractionsbetweenthe
component and the environment, meaning that their execution is also under the control of the environment. The
signiﬁcance of naming actions will become obvious in Section 4; the idea is that action names, as in IP [FrF96],
provide points of rendez-vous at which components can synchronise. For each action name g :
• D(g) consists of the local channels that can be effected by executions of the action named by g – the write
frame of g. For simplicity, we will omit the explicit reference to the write frame when R(g) is a conditional
multiple assignment (see below), in which case D(g) can be inferred from the assignments. Given a local
channel v, we will also denote by D(v) the set of actions g such that v ∈ D(g).
• L(g) and U(g) are two conditions such that U(g) ⊃ L(g). These conditions establish an interval in which the
enablingconditionofanyguardedcommandthatimplementsg mustlie.TheconditionL(g)isalowerbound
for enabledness in the sense that it is implied by the enabling condition. Therefore, its negation establishes
a blocking condition. On the other hand, U(g) is an upper bound in the sense that it implies the enabling
condition, therefore establishing a progress condition. Hence, the enabling condition is fully determined only
if L(g) and U(g) are equivalent, in which case we write only one condition.
• R(g) is a condition on V and D(g)  where by D(g)  we denote the set of primed local channels from the write
frameofg.Asusual,theseprimedchannelsaccountforreferencestothevaluesthatthechannelsexhibitafter
the execution of the action. R(g) is a speciﬁcation of the effects of the action g on the state of the component.
These conditions are usually a conjunction of implications of the form pre ⊃ pos, where pre does not involve
primed channels. They correspond to pre/post-condition speciﬁcations in the sense of Hoare. When R(g)i s
such that the primed version of each local channel in the write frame of g is fully determined, we obtain a
conditional multiple assignment, in which case we use the notation that is normally found in programming
languages. When the write frame D(g) is empty, R(g) is tautological, which we denote by skip.
It is important to notice that, in this way, actions may be underspeciﬁed. On the one hand, their enabling
conditions may not be fully determined and, hence, they are subject to reﬁnement by reducing the interval estab-
lished by L and U. On the other hand, the effects of actions on the channels may also not be fully determined
and are also subject to reﬁnement by strengthening R.
We present below an example of a CommUnity design that models a bank account with a credit facility.
design account is
in am: nat
out bal: int
do dep[bal]: true → bal =am+bal
[] wit[bal]: bal+CRE  am, bal  am→ (bal  am ⊃ bal =bal-am)
∧ (bal<am ⊃ bal   bal-am)
Deposits of any amount are always accepted and affect the balance as expected. Withdrawals are accepted
wheneverthebalanceisenoughtosatisfytherequestedamountandarerefusediftherequestedamountisgreater
than the balance plus a given credit amount. In the other situations, i.e., when am − C R E<b a l<a m , the
acceptance of a withdrawal is left unspeciﬁed. Later in the development process, one may reﬁne this design in8 A. Lopes and J. L. Fiadeiro
order to model a speciﬁc policy on withdrawals as long as it complies with the limits established in this design.
The effects of withdrawals in the balance are not completely speciﬁed either, leaving room for penalties to be
introduced in the case of withdrawals that leave the account overdrawn.
When, for every g ∈  ,L(g) and U(g) coincide, and the relation R(g) deﬁnes a conditional multiple assign-
ment, the design is called a program. Notice that a program with a non-empty set of input channels is open in
the sense that its execution is only meaningful in the context of a conﬁguration in which these inputs have been
connected to channels of other components. The notion of conﬁguration, and the execution of an open program
in a given conﬁguration, will be discussed further below.
The behaviour of a closed program is as follows. At each execution step, one of the actions whose enabling
condition holds of the current state is selected, and its assignments are executed atomically. Furthermore, pri-
vate actions that are inﬁnitely often enabled are guaranteed to be selected inﬁnitely often. See [LoF99] for a
model-theoretic semantics of CommUnity.
As an example of a program consider the following design:
design counter is
in val: int, day: nat
out count: nat
prv d: nat
do chg: true → d:=day | | count:=if(val < 0, count + (day - d),count)
[] reset: true, false → d:=day | | count: = 0
This program models a counter that counts how many days a value has been negative since the last time it
was reset. It receives from the environment the value it has to monitoring and the current day, through the input
channelsval andday,respectively.Furthermore,throughtheexecutionofactionchg, itexpectstobenotiﬁedeach
time val is updated. In order to count the elapsed time, it keeps in its private memory the date of the last update
(channel d).
3. Superposition
The design of a bank account, with a policy on withdrawals that uses the number of days the account has been
overdrawntodecideifwithdrawalsareacceptedornot,canbeobtainedfromthedesignaccountpresentedbefore
by superposing a counter:
design mon-reg-account is
in am: nat, day: nat
out count: nat, bal: int
prv d: nat
do dep[bal,d,count]: true → bal  =a m+b a l∧ d  = day ∧
(bal<0 ⊃ count  = count + (day - d)) ∧ (bal  0 ⊃ count  = count)
[] wit[bal,d,count]: bal + CRE  am ∧ count < LIM, bal  am ∧ count < LIM →
d  = day ∧
(bal  am ⊃ bal  = bal - am) ∧ (bal < am ⊃ bal   bal - am) ∧
(bal < 0 ⊃ count  = count + (day - d)) ∧ (bal  0 ⊃ count  = count)
[] reset[d,count]: true, false → d  = day ∧ count  =0
Inthedesignmon-reg-accountwehaveintroducedthenewinputchanneldayandthenewlocalchannelscount
and d (superposed channels) and the new action reset. The input channel day gives the current day. The channel
count counts how many days the account has been overdrawn since the last time the counter was reset. This is
achieved through the use of the auxiliary channel d that stores the last time the balance was changed.
It is important to notice that, in this design, the account is not only monitored but also regulated. This is
reﬂected in the fact that the enabling condition of withdrawals is strengthened. In this design, any request for a
withdrawal is refused if the number of days the account has been overdrawn exceeds a certain limit.
In [FiM97] it was shown that several notions of superposition can be formalised in terms of morphisms of
programs. Here, we extend the formalisation of the so-called regulative superposition for CommUnity designs.
Regulative superposition requires that the functionality of the base program in terms of the assignments of its
channels be preserved and allows for the enabling condition of its actions to be strengthened.Superposition 9
Deﬁnition 1. A composition morphism of designs σ: P1 → P2 consists of a total function σch: V1 → V2 and a
partial mapping σac:  2 →  1 s.t.:
1. For every v ∈ V1, sort2(σch(v))   sort1(v); for every o ∈ out (V1), σch(o) ∈ out(V2); for every i ∈ in(V1),
σch(i) ∈ out(V2) ∪ in(V2); for every x ∈ prv(V1), σch(x) ∈ prv(V2).
2. Foreveryg ∈  2 s.t.σac(g)isdeﬁned:ifg ∈ sh( 2)thenσac(g) ∈ sh( 1);ifg ∈ prv( 2)thenσac(g) ∈ prv( 1).
3. For every v ∈ loc(V1): σac is total on D2(σch(v)) and σac(D2(σch(v))) ⊆ D1(v).
4. For every g ∈  2 s.t. σac(g) is deﬁned: σch(D1(σac(g))) ⊆ D2(g);     (R2(g) ⊃ σ(R1(σac(g))));     (L2(g) ⊃
σ(L1(σac(g))));     (U2(g) ⊃ σ(U1(σac(g)))).
whereσ istheextensionofσ tothelanguageofexpressionsandconditions.Designsandcompositionmorphisms
deﬁne a category c-DSGN. We denote by SIGN the category of design signatures (constituted by the channels,
actions and associated types and domains) and the signature morphisms underlying the morphisms of c-DSGN.
A composition morphism σ : P1 → P2 identiﬁes a way in which P1 is ‘augmented’ to become P2 so that it
can be considered as having been obtained from P1 through the superposition of additional behaviour, namely
the interconnection of one or more components. In other words, σ identiﬁes P1 as a component of P2.
The map σch identiﬁes for every channel of the component the corresponding channel of the system. The ﬁrst
group of constraints establishes that sorts of channels have to be preserved. Notice, however, that input channels
of a component can become output channels of the system. This is because the result of interconnecting an input
channel of a component with an output channel of another component in the system is an output channel of
the system. Mechanisms for hiding communication, i.e. making it private, can be applied, but they are not the
default in a conﬁguration.
The partial mapping σac identiﬁes the action of the component that is involved in each action of the system,
if ever. The second group of constraints states that the type of actions is preserved. The last two groups of condi-
tions on actions requires that change within a component is completely encapsulated in the structure of actions
deﬁnedforthecomponentandthatthecomputationsperformedbythesystemreﬂecttheinterconnectionsestab-
lished between its components. The three conditions on write frames imply that actions of the system in which a
component is not involved cannot have local channels of the component in their write frame. In the last group,
the second condition reﬂects the fact that the effects of the actions of the components can only be preserved or
made more deterministic in the system. The last two conditions allow the bounds that the design speciﬁes for the
enabling of the action to be strengthened but not weakened. Strengthening of these bounds reﬂects the fact that
all the components that participate in the execution of a joint action have to give their permission for the action
to occur.
For instance, the composition morphism that captures the fact that mon-reg-account can be regarded as the
result of applying superposition to the design account is σ : account → mon-reg-account where
σch is the inclusion function
σac(dep)   dep,σac(wit)   wit and σac(reset) is undeﬁned (because reset does not involve the base design).
An interesting property of the composition morphisms we have just deﬁned is that they can also be used to
support the process of structuring complex systems by interconnecting simpler components. More concretely,
conﬁgurations of complex systems can be described by diagrams in the category c-DSGN.
Inordertoillustratethewaycompositionmorphismscanbeusedfordeﬁningsystemsconﬁgurationsconsider
the diagram in Fig. 1 where regulator is the following design:
design regulator is
in val:nat
do action: val < LIM → skip
This diagram deﬁnes the conﬁguration of a system with three components – account, counter and regulator.
The other designs and the composition morphisms deﬁne the interactions between these components in the sys-
tem. Notice that the other designs involved in the diagram – cable1, cable2 and cable3 – are essentially a set of
input channels and a set of shared actions. These kinds of designs are called cables. It deﬁnes:
• An i/o interconnection between channels bal of account and val of counter and the synchronisation of account
and counter each time the ﬁrst wants to perform dep or wit and the latter wants to perform chg. In this way, it
is established that the balance of the account is the value subject of the monitoring carried out by the counter.10 A. Lopes and J. L. Fiadeiro
design cable1 is  
in  x: int   design cable2 is
do  ac[]   do ac[]
counter   account
design cable3 is
in   x: nat
  val←x→bal
   chg→ac
count←x→val
←dep
←wit
wit→ac←action
regulator
Fig. 1. An example of a conﬁguration diagram
In order to ensure the counter is notiﬁed each time the balance is updated, given that dep and wit may change
the balance of the account, both actions were synchronised with the action chg.
• Ani/ointerconnectionbetweenchannelsvalofregulatorandcountofcounterthatestablishesthattheenabling
condition of action of regulator depends on the value of the counter.
• The synchronisation of action wit of account with action of regulator. This determines that requests of with-
drawals in this system are refused when the number of days the account has been overdrawn reaches a certain
limit.
Notice that we are using the notion of diagram in a technical, mathematical, sense: a graph whose nodes are
labelled with objects (in this case, CommUnity designs) and the edges with morphisms (in this case composition
morphisms) of a given category. It is often convenient to adopt the same mathematical language in the semantics
of a development approach and we will do so by looking at graphs as categorical constructions themselves: the
graph over which the diagram is built is no more than a very simple category and the labelling of nodes and
edges is no more than what is known as a functor. Hence, a diagram over the category c-DSGN is no more than
a functor I→ c-DSGN where I is the underlying graph (the ‘shape’ of the diagram).
The fact that we can handle diagrams as mathematical objects is very convenient. Through a universal con-
struction of category theory – the colimit construction – it is possible to internalise the interactions explicitly
described in a conﬁguration diagram and obtain a design for the system as a whole. Colimits in c-DSGN capture
a generalised notion of parallel composition in which the designer makes explicit what interconnections are used
between components:
• channels involved in each i/o-communication established by the conﬁguration are amalgamated;
• every set {g1,...,g n} of actions that are synchronised through the interconnections is represented by a single
action g1||...||gn whose occurrence captures the joint execution of the actions in the set.
• the transformations performed by the joint action are speciﬁed by the conjunction of the speciﬁcations of the
local effects of each of the synchronised actions, and the bounds on the enabling condition of joint actions
are also obtained through the conjunction of the bounds speciﬁed by the components.
Not surprisingly, the design mon-reg-account presented before is a colimit of the diagram above. This shows
that the several enhancements of the original design account that are underlying the superposition process can be
developed independently, as autonomous components, and hence can be used (and reused) in different contexts.
As happens in most of the languages and formalisms that are used for the conﬁguration of software systems
(and also hardware and mechanical systems), the interconnection of components in CommUnity is governed by
speciﬁcrules.InCommUnity,noteverydiagraminthecategoryc-DSGNexpressesameaningfulconﬁgurationin
the sense that it describes a well-conﬁgured system. For instance, diagrams in which output channels of different
components are connected to one another do not make sense as conﬁgurations.
Consider that Ch denotes the forgetful functor from c-DSGN to SET that maps designs to their underlying
sets of channels. The class of diagrams that represent correct conﬁgurations of interconnected components can
be formalised as follows.
Deﬁnition 2. Given a ﬁnite set J and a J-indexed multi-set of designs D, a conﬁguration diagram of a system
with those components is a ﬁnite diagram dia:I → c-DSGN s.t.:Superposition 11
1. For every j ∈ J, j ∈| I| and dia(j)   Dj.
2. For every f : i → j in I, either (i   j and f   idi)o r( j ∈ J and i  ∈ J and dia(i) is a cable).
3. For every i ∈| I|\J s.t. dia(i) is a cable, there exist distinct j,k and morphisms f : i → j and g : i → k in I.
4. If {µi : Ch(dia(i)) → V : i ∈| I|} is a colimit of dia;Ch then, for every v ∈ V, there exists at most one i ∈| I|
such that µ
−1
i (v) ∩ out(Vdia(i))   ∅and, for such i,µ
−1
i (v) ∩ out(Vdia(i)) is a singleton.
Condition 1 means that every component of a system must be involved in its conﬁguration diagram.
Condition 2 states that the elementary interconnections are established through cables. Condition 3 ensures that
a conﬁguration diagram does not include cables that are not used. Finally, condition 4 prevents the identiﬁcation
of output channels.
4. Reﬁnement
Compositionmorphismsasdeﬁnedintheprevioussectiondonotcaptureareﬁnementrelation.Inordertomake
this clear, let us analyse the example that we used for illustrating composition.
We started with the design account in which it was left unspeciﬁed if a withdrawal is accepted or refused in the
situations in which the balance is not enough to satisfy the requested amount but becomes enough if a certain
credit amount is provided. However, the design account establishes the limits for the policies on withdrawals that
can be adopted in later stages of design:
(a) withdrawals cannot be refused whenever, on its own, the balance is enough to satisfy the requested amount;
(b) withdrawalswillberefusediftherequestedamountisgreaterthanthebalanceplustheagreedcreditamount.
Thesuperpositionofadditionalbehaviourconcerningthemonitoringofhowmanydaystheaccounthasbeen
overdrawn gave rise to the design mon-reg-account. In that design, withdrawals are refused once the number of
days the account has been overdrawn reaches a certain limit. Clearly, this policy on withdrawals does not comply
with the limit (a).
We can make this observation more precise by providing a formal mapping between CommUnity designs and
speciﬁcations in an action logic whose grammar is given by
φ ::   a|(¬φ)|(φ ⊃ φ )|[γ]φ
where a denotes a ﬁrst-order sentence in the language of design channels and γ is a set of action names. Each
(modal) operator [γ] is such that the formula [γ]φ expresses that, for every action in γ,φ holds after the action
occurs.(Thefullsyntaxandsemanticsofthislogiccanbefoundin[LoF97].)Thedualof[γ]isthemodaloperator
<γ>deﬁned by the abbreviation <γ>φ≡abv (¬[γ](¬φ)). The formula <γ>φexpresses that there exists an
action in γ that establishes φ. We also adopt the abbreviation of a singleton by its element, that is, [g]φ ≡abv [g]φ
and <g>φ≡abv<g>φ . Notice, in particular, that <g>true expresses that g is enabled.
We can assign the following set of sentences with every action g, which capture the (informal) semantics of
actions that we brieﬂy discussed and can be found in [LoF97, Lop99]:
• <g>tru e⊃ L(g), i.e. actions can only take place when the lower bound of the enabling condition is true.
• U(g) ⊃<g>t r u e , i.e. actions are ready to take place when the upper bound of the enabling condition is
true.
• R(g) where R(g) is the condition obtained from R(g) by replacing every occurrence v  of a design channel v
with the term [g]v that denotes the value of the term after the occurrence of the action.
Whereas the conditions imposed on composition morphisms ensure that the ﬁrst and third classes of proper-
tiesarepreserved,thesecondsetisnot.Theseare,precisely,propertiesofrequirednon-determinism,i.e.properties
that require the system to be available, in certain states, for accepting the execution of certain actions.
This shows that, in the context of CommUnity, superposition is not a principle for design reﬁnement. Given
that composition morphisms were motivated as capturing the relationship that exists between systems and their
components, this is hardly surprising. It is well known in languages such as CSP [Hoa85] that the parallel com-
position of a collection of processes does not reﬁne, necessarily, any of the constituents.
In fact, we can even prove that composition morphisms, instead of preserving, reﬂect non-determinism,
meaning that any form of non-determinism detected in the target can be traced back to the source design. More
precisely, if we consider the language of state properties (i.e. properties of design channels):
ϕ ::  a|(¬ϕ)|(ϕ ⊃ ϕ )12 A. Lopes and J. L. Fiadeiro
where a denotes an atomic formula built over the set of channels and the operations of the underlying data type
signature, the set ofproperties deﬁned by
φ ::  ϕ|(ϕ ⊃ [γ]ϕ )
are preserved by composition morphisms. These properties capture invariants (ϕ), effects of actions (φ ⊃ [g]ϕ ),
and restrictions to the occurrence of actions (<g>true ⊃ ϕ).
The set of co-properties deﬁned by
ψ ::  ϕ|(ϕ ⊃<g>true)
are reﬂected by composition morphisms in the sense that, if they hold in a system, it is because they were
already true in the component. Co-properties capture the ability of actions to occur in certain states – readiness
(ϕ ⊃<g>true) – and also state propositions (ϕ). That is, state propositions can be used both as properties,
guaranteeing that they will hold in any context, and as co-properties, expressing the fact that the component will
reﬂect them. Again, refer to [LoF97] for full details.
A notion of morphism that captures reﬁnement of CommUnity designs is the following:
Deﬁnition 3. A reﬁnement morphism of designs σ : P1 → P2 consists of a total function σch : V1 → V2 and a
partial mapping σac :  2 →  1 s.t. :
1. For every v ∈ V1, sort2(σch(v))   sort1(v), for every o ∈ out(V1), σch(o) ∈ out(V2); for every i ∈ in(V1),
σch(i) ∈ in(V2); for every x ∈ prv(V1), σch(x) ∈ prv(V2); σch ↓ (out(V1) ∪ in(V1)) is injective.
2. Foreveryg ∈  2 s.t.σac(g)isdeﬁned:ifg ∈ sh( 2)thenσac(g) ∈ sh( 1);ifg ∈ prv( 1)thenσac(g) ∈ prv( 1);
if g ∈ sh( 2) then σ−1
ac (g)   ∅ .
3. For every v ∈ loc(V1):σac is total on D2(σch(v)) and σac(D2(σch(v))) ⊆ D1(v).
4. For every g ∈  2 s.t. σac(g) is deﬁned: σch(D1(σac(g))) ⊆ D2(g);     (R2(g) ⊃ σ(R1(σac(g))));     (L2(g) ⊃
σ(L1(σac(g)))).
5. For every g1 ∈  1 :     (σ(U1(g1)) ⊃∨
σac(g2) (g1)
U2(g2)
Designs and their reﬁnement morphisms constitute a category r-DSGN.
A reﬁnement morphism is intended to support the identiﬁcation of a way in which a design P1 (its source) is
reﬁned by a more concrete design P2 (its target).
The function σch identiﬁes for each input (respectively output) channel of P1 the corresponding input (respec-
tivelyoutput)channelofP2.Noticethat,contrarytowhathappenswiththecompositionrelationship,reﬁnement
does not change the border between the system and its environment and, hence, input channels can no longer be
mapped to output channels.
The mapping σac identiﬁes for each action g of P1 the set of actions of P2 that implements g –g i v e nb yσ−1
ac (g).
This set is a menu of reﬁnements for action g and can be empty for private actions. However, every action that
models interaction between the component and its environment has to be implemented.
The actions for which σac is left undeﬁned (the new actions) and the channels that are not involved in σch(V1)
(the new channels) introduce more detail into the description of the component.
The three conditions on write frames require that the new actions do not modify the channels of the more
abstract design.
The last condition in 4 and condition 5 require that the interval deﬁned by the blocking and progress condi-
tions of each action, in which the enabling condition of any guarded command that implements the action must
lie, be preserved or reduced. This is intuitive because reﬁnement, pointing in the direction of implementations,
shouldreduceunderspeciﬁcation.Thisisalsothereasonwhytheeffectsoftheactionsofthemoreabstractdesign
are required to be preserved or made more deterministic. It is easy to see that the properties that we expressed
above in temporal logic are preserved by reﬁnement morphisms.
In order to illustrate reﬁnement consider the following design.
design ref-account is
in am: nat, day: nat
out count: nat, bal: int
prv d: nat
do dep: true → bal := am + bal | |d: =d a y| |
count := if (bal<0, count + (day-d), count)Superposition 13
S1
S’2
S’1
S2
S0
S’0
1
S’2
S
S2
S0
S’0
S dia
dia'
η0
η2
η1
Fig. 2. Reﬁnement of conﬁguration diagrams
[] wit: (bal + CRE  am ∧ count < LIM) ∨ bal  am →
bal := if(bal  am, bal - am, (bal - am) * 1.1) | |
d := day | | count := if (bal < 0,count + (day - d), count)
[] reset: true, false → d := day | | count := 0
Despite the similarities between designs ref-account and mon-reg-account, ref-account is in fact a reﬁnement
of account. This is because the policy on withdrawals adopted in ref-account complies with the limits established
in the design account. The enabling condition of action wit, which is now completely deﬁned, lies in the interval
established in the design account. Withdrawals are speciﬁed to be accepted if and only if either the balance is
enough or the balance is enough if a certain credit amount is provided and the number of days the account has
been overdrawn does not exceed a certain limit. Notice that in this reﬁnement step the design decision was also
taken of charging a 10% penalty when the credit facility is used.
It is important to notice that neither mon-reg-account is a reﬁnement of account nor ref-account could be
obtained through regulative superposition over the design account. However, it is easy to see that there are
regulative superposition morphisms that are also reﬁnement morphisms. In particular, this is the case of the
subclass of regulative superposition morphisms that require that the interval of the enabling condition of actions
be preserved. Such morphisms model, to some extent, spectative superposition as in [FrF96], the kind of super-
position also used in Unity.
In what concerns the logical properties of designs, it is easy to see that reﬁnement morphisms preserve
both properties and co-properties, namely those of the form (U(g) ⊃<g>t r u e ). That is to say, reﬁnement
morphisms translate to speciﬁcation morphisms as they are normally understood in speciﬁcation theory –
theorem preserving mappings.
5. Compositionality
Reﬁnementandcompositionmorphisms,thoughdifferentasjustiﬁedabove,canberelatedbyacompositionality
property. Compositionality is a key issue in the design of complex systems because it makes it possible to reason
about a system using the descriptions of their components at any level of abstraction, without having to know
how these descriptions are reﬁned in the lower levels (which includes their implementation).
When component interconnections are explicitly modelled through conﬁgurations, as is the case for Comm-
Unity, compositionality can be formulated as the property according to which we can pick arbitrary reﬁnements
of the components of a system Sys, and interconnect these more concrete descriptions with arbitrary reﬁnements
of the connections used in Sys, and obtain a system that still reﬁnes Sys.
The notion of reﬁnement can be extended to conﬁguration diagrams in a straightforward manner. Consider
the conﬁguration diagrams dia and dia’ depicted in Fig. 2.
Given that the reﬁnement of the components is deﬁned by the reﬁnement morphisms η1 : S1 → S 
1 and
η2 : S2 → S 
2, the diagram dia’ is a reﬁnement of dia if there exists a reﬁnement morphism η0 : S0 → S 
0 that
makes the two squares, at the level of signatures, commute.
In this way, intuitively, we are requiring that the system architecture, seen as a collection of components and
‘cables’, cannot change during a reﬁnement step. Note that the ‘cables’ used to interconnect the more abstract
designs can be replaced by ‘cables’ with more capabilities. However, the interconnection dia’ must be consistent
with dia that is, the i/o communications and synchronisations deﬁned by dia have to be preserved.14 A. Lopes and J. L. Fiadeiro
1
S’2
S’1
S2 S
S0
S’
S’0 η
S
η0
η2
η1
Fig. 3. Compositionality ensures the existence of the reﬁnement morphism η
In order to ensure compositionality, i.e., that the colimit S of dia is reﬁned by the colimit S’ of dia’, it is
necessary to further require that:
• The diagram dia’ cannot establish the instantiation of any input channel that was left ‘unplugged’ in dia.
That is to say, the input channels of the composition are preserved by reﬁnement.
• The diagram dia’ cannot establish the synchronisation of actions that were deﬁned as being independent in
dia.
In these situations, it is ensured that there exists a reﬁnement morphism η : S → S . Furthermore, this morphism
is unique if we require the preservation of the design decisions that lead from each Si to S 
i. This result can be
formulated and proved as follows (see Fig. 3).
Theorem 1. Given dia:I→c-DSGNanddia’:I→c-DSGN,twowell-formedconﬁgurationdiagramsofsystems
with a J-indexed multi-set of components, and an |I|-indexed family (ηi : dia(i) → dia (i))i∈|I| of morphisms in
r-DSGN s.t., for every morphism f : i → j in I:
1. Sig(dia(f));r-Sig(ηj)   r-Sig(ηi);Sig(dia
 (f)), where Sig and r-Sig denote the forgetful functors,
respectively, from c-DSGN to SIGN and r-DSGN to SIGN
2. For every v  ∈ in(V  
i ), if v   ∈ ηi(Vi) then dia’(f)(v’) ∈ ηj(inp(Vj)), assuming that Vi and V  
i are the set of
channels of, respectively, dia(i) and dia’(i).
3. For every g  ∈   
j,i fηj(g) ↓ and dia
 (f)(g ) ↓ then ηi(dia (f)(g )) ↓, assuming that  i and   
i are the set of
channels of, respectively, dia(i) and dia’(i).
4. For every i ∈| I|J,ηiac is injective.
there exists a unique morphism η : S → S  in r-DESC s.t. Sig(µi);r-Sig(η)   r-Sig(ηi);Sig(µ 
i), for every i ∈| I|,
where (µi : dia(i) → S)i∈|I| and (µi : dia (i) → S )i ∈| I | are colimits of, respectively, dia and dia’.
Proof. From condition 1 it follows that (r-Sig(ηi); Sig(µ 
i))i∈|I| is a candidate for being a colimit of dia;Sig
in SIGN. Because Sig preserves colimits, there exists a unique morphism η : Sig(S) → Sig(S )i nSIGN s.t.
Sig(µi);r-Sig(η)   r-Sig(ηi);Sig(µ 
i), for every i ∈| I|. It remains to prove that such η also deﬁnes a morphism
from S to S’ in r-DSGN. We shall only prove that η satisﬁes the conditions of reﬁnement morphisms that do not
necessarily hold for composition morphisms.
(i) η maps input channels into input channels:
We start by pointing out that the forgetful functor from SIGN to SET that forgets everything but channels
preserves colimits. Let v be an input channel of S. By the colimit construction in SIGN, for every i ∈| I| and
vi ∈ µ
−1
i (v),v i is an input channel of dia(i). Because reﬁnement morphisms map input channels into input
channels, we have that,
for every i ∈| I| and vi ∈ µ
−1
i (v),η i(vi) is an input channel of dia
 (i)(∗)
In order to conclude that η(v) is an input channel of S’, it is necessary to prove that for every i ∈| I| and
v 
i ∈ µ 
i
−1(η(v)), v 
i is an input channel of dia’(i). Assume that there exists i ∈| I| and v 
i ∈ µ 
i
−1(η(v)) such
that v 
i is an output channel. Because ηich is injective and (*) holds, v 
i  ∈ ηi(Vi). Because dia’ is a well-founded
diagram, the way colimits in SIGN work ensures that, in dia’, there are a cable and morphisms establishing the
i/o interconnection of v 
i with one of the input channels that is mapped into v. That is to say, there exists k ∈| I|
s.t. dia
 (k) is a cable that has an input channel x and there exist m ∈| I| s.t. µ−1
m (v) is not empty and morphismsSuperposition 15
f : k → i and g : k → m in I s.t. dia (f)(x)   v 
i and dia
 (g)(x) ∈ ηm(µ−1
m (v)). But, then, x  ∈ ηk(Vk), otherwise
it would be impossible that v 
i  ∈ ηi(Vi) (by condition 1). Then, by condition 2, dia
 (g)(x)  ∈ ηm(inp(Vm)) would
have to hold, which is a contradiction given the way m was chosen.
(ii) Every shared action g of S is implemented in S , i.e., η−1
ac (g)   ∅ .
We start by pointing out that the forgetful functor from SIGN to PFNop that forgets everything but actions
preserves colimits. Let g be a shared action of S. By the colimit construction, there exists i ∈| I| s.t. µi(g) ↓.
Furthermore, µi(g) is a shared action. Because ηi is a reﬁnement morphism, there exists a shared action g 
i in
dia’(i) s.t. ηi(g 
i)   gi. In order to conclude that η−1
ac (g)   ∅it is necessary to prove that there exists an action g 
in S’ s.t. ηac(g )   g and µ 
i(g )   g 
i. We shall prove a stronger result that will be useful later on.
Proposition. Let g be an action of S and let Ig be {i ∈| I| : µi(g) ↓}. For every Ig-indexed set of actions
G  { g 
i ∈   
i} s.t. ηi(g )   µi(g 
i), and every g 
i in G, there exists g  ∈    s.t., µ 
i(g )   g 
i, for every i ∈ Ig, µ 
i(g ) ↑,
for every i  ∈ Ig and η(g )   g.
Proof. By the limit construction in PFN, we have that for every i,j ∈ Ig and morphism f : i → j in I,
dia(f)(µj(g))   µi(g). By condition 1 of the theorem, ηi(dia (f)(g 
j))   dia(f)(ηj(g 
j))   dia(f)(µj(g))  
µi(g)   ηi(g 
i). By condition 4 of the theorem, and given that in well-formed conﬁgurations the sources of mor-
phisms that are not identities are cables, we have that ηiac is injective. Therefore, dia
 (f)(g 
j)   g 
i. Given that this
holds for every i,j ∈ Ig and morphism f : i → j in I, the result follows immediatly.
(iii) For every g ∈  ,    (η(U(g)) ⊃∨
ηac(g ) (g)
U(g )).
By the colimit construction in c-DSGN,w eh a v et h a t
U(g)  ∧
i∈|I| s.t.µ i(g)↓
µ
i(Ui(µi(g))).
Let Ig be the set {i ∈| I| : µi(g) ↓}. For every i ∈ Ig, because ηi is a reﬁnement morphism,
    η
i(Ui(µi(g))) ⊃∨
ηi(g 
i) µi(g)
U 
i(g 
i).
For every i ∈ Ig, let g 
i be s.t. ηi(g 
i)   µi(g) and     ηi(Ui(µi(g))) ⊃ U 
i(g 
i). Then,
    η(U(g)) ⊃∧
i∈Ig
µ 
i(U 
i(g 
i)).
From the auxiliary result proved in (ii), it follows that there exists g  ∈    s.t., for every i ∈ Ig,µ  
i(g )   g 
i,f o r
every i  ∈ Ig,µ  
i(g ) ↑ and η(g )   g.W eh a v e
U (g )  ∧
i∈|I| s.t. µ 
i(g)↓
µ 
i(U 
i(µ 
i(g)))
and, therefore,
    η(U(g)) ⊃ U (g ).
6. Application to software architectures
In the previous sections, we showed that composition and reﬁnement are two ways of constructing complex
designsfromsimpleronesthataredifferentbecausetheyarerequiredtopreservedifferentproperties.Thecrucial
distinction between these two views is related to the separation that exists between non-determinism and under-
speciﬁcation. This separation of concerns is too often ignored or overlooked by formal methods but is crucial
when architectural concerns are at stake.
In order to back this claim, consider the categorical semantics proposed in [FiL97] for the notion of archi-
tectural connector proposed by [AlG97] for supporting the design of interactions between components. An
architectural connector in this sense is deﬁned by a set of roles that can be instantiated with speciﬁc components
of the system under construction, and a glue speciﬁcation that describes how the activities of the role instances
are to be coordinated.16 A. Lopes and J. L. Fiadeiro
cable    cable
 sender buffer                  
o←•→i
send→•←put
o←•→i
get→•←rec
receiver
Fig. 4. Async connector
For instance, asynchronous communication through a bounded channel can be modelled by a connector
Async with two roles – sender and receiver – and a glue that is responsible for establishing the required commu-
nication protocol – bounded buffer with FIFO discipline that prevents the sender from sending a new message
when there is no space and prevents thereceiver from reading a new message when there are no messages. The
design of this glue is given below.
design buffer [t:sort, bound:nat] is
in i: t
out o: t
prv rd: bool, b: list(t)
do put: |b| < bound → b:=b.i
[] prv next: |b| > 0 ∧¬rd → o := head(b)||b := tail(b) || rd := true
[] get: rd → rd:=false
This design is actually a program parameterised by the sort of messages that the buffer can store and its
capacity. Through the action put, messages of sort t received from the environment (the sender) through the input
channel i can be stored as long as there is space for them. The buffer can also discard stored messages, making
them available to the environment through the output channel o. Naturally, this activity is possible only when
therearemessagesinstoreandthecurrentmessageinohasalreadybeenreadbytheenvironment,moreprecisely,
by the receiver. The two roles of this connector, sender and receiver, are modelled through the following designs:
design sender[t:sort] is
out o: t
prv rd: bool
do prod[o,rd]: ¬ rd, false → rd’
[] send[rd]: rd, false →¬ rd’
design receiver [t:sort] is
in i: t
do rec: true, false → skip
The design sender[t] models a typical sender of messages. In this description, we are primarily concerned
with the interaction between the sender and its environment, ignoring details of internal computations such as
the production of messages. Notice that a sender cannot produce another message before the previous one has
been processed. After producing a message, it expects an acknowledgement (modelled through the execution of
send) to produce a new message. In order to leave unspeciﬁed when and how many messages a sender will send
and in which situations it will produce a new message, the progress conditions of prod and send are false (recall
that the progress condition deﬁnes the upper bound for enabledness). Furthermore, the discipline of production
was also left completely unspeciﬁed: the action prod includes the channel o in its write frame but the design does
not commit to any speciﬁc way of changing the value of this channel. For the receiver, we simply require that it
has an action that models the reception of a message.
The roles sender and receiver are connected to the glue (buffer) as depicted in Fig. 4.
Notice that we did not give explicit names to the actions and channels of the design cable used for the
interconnection. These can be represented through the symbol • because the interconnection does not rely on
global/implicit naming but, precisely, on associations (bindings) that need to be made explicit as above.
What we have described are connector types in the sense that they can be instantiated. More concretely, the
roles of a connector type can be instantiated with speciﬁc designs. In WRIGHT [AlG97] role instantiation has to
obeyacompatibilityrequirementexpressedviathereﬁnementrelationofCSP.InCommUnity,weusereﬁnement
morphisms for instantiation.Superposition 17
     cable    cable
user buffer
o←•→i
print→•←put
o←•→rdoc
get→•←rec
printer
Fig. 5. The result of the instantiation of Async connector with designs printer and user
Indeed, given that the roles of a connector are abstractions of the components that can use the communi-
cation protocol modelled by the connector, it is not difﬁcult to accept that the compatibility requirement that
role instantiation has to obey addresses the preservation of a class of properties which are not the same that are
required to be preserved during the superposition of the functionalities speciﬁed by the glue over the involved
components and reﬂect the fact that the components engage in the given communication protocol. For instance,
considerthefollowingdesignofauserthatproducesﬁlesthatitstoresinaprivatechannelwandcanthenconvert
themeithertoPostScriptorpdfformats,afterwhichitmakesthemavailable(forprinting)inanoutputchannelp.
design user is
out p: ps + pdf
prv rd, new: bool, w: MSWord
do work[w,new]: ¬ rd ∧¬new, false → new’
[] pr_ps: new ∧¬rd, false → p := ps(w)||rd := true
[] pr_pdf: new ∧¬rd, false → p := pdf(w)||rd := true
[] print: rd → rd := false||new := false
Through the following design, we can model a printer that copies the ﬁles it downloads from an input channel
rdoc into a private channel pdoc, after which it prints them:
design printer is
in rdoc: ps + pdf
prv busy: bool, pdoc: ps + pdf
do rec: ¬ busy → pdoc := rdoc || busy := true
[] prv end_print: busy → busy := false
The user can be connected to the printer by instantiating the roles of the architectural connector that we have
just deﬁned. Indeed, sender is reﬁned by user via the reﬁnement morphism η : sender → user deﬁned by
ηch(o)   p,ηch(rd)   rd
ηac(pr ps)   ηac(pr pdf)   prod,ηac(print)   send
In user, the production of messages (to be sent) is modelled by any of the actions pr ps and pr pdf and the
messages are made available in the output channel p. Notice which the production of messages, which was left
unspeciﬁed in sender, is completely deﬁned in user : it corresponds to the conversion of the ﬁles stored in w to ps
or pdf format.
Likewise, printer is a reﬁnement of receiver via the reﬁnement morphism κ : receiver → printer deﬁned by
κch(i)   rdoc, κac(rec)   rec
In printer, the reception of a message from the input channel (named rdoc) corresponds to downloading it
into the private channel pdoc. This action is only enabled if the previous message has already been printed.
Because both superposition and reﬁnement morphisms coincide on the signatures, they can be composed so
that, as a result of the instantiation, the user and the printer are connected to the buffer as depicted in Fig. 5.
Architectural connectors are used for systematising software development by offering ‘standard’ means for
interconnecting components that can be reused from one application to another. In this sense, the ‘typical’ glue is
aprogramthatimplementsawell-establishedpatternofbehaviourthatcanbesuperposedtoexistingcomponents
ofasystemthroughtheinstantiationoftherolesoftheconnector.However,architecturesalsofulﬁlanimportant
role in supporting a high-level description of the organisation of a system by identifying its main components
and the way these components are interconnected. An early identiﬁcation of the architectural elements intended
for a system will help to manage the subsequent design phases according to the organisation that they imply,
identifying opportunities for reuse or the integration of third-party components. From this point of view, it is
useful to allow for connectors to be based on glues that are not yet fully developed as programs but for which
concrete commitments have already been made to determine the type of interconnection that they will ensure.18 A. Lopes and J. L. Fiadeiro
For instance, at an early stage of development, one may decide on adopting a client-server architecture without
committing to a speciﬁc protocol of communication between the client and the server.
In such a more general framework, we have to account for the possible reﬁnements of the glue. The results
that we presented in Section 5 under compositionality ensure that if we reﬁne the glue of a connector that has
beeninstantiatedtogivencomponentsofasystem,theresultingdesignisareﬁnementofthemoreabstractdesign
from which we started. More generally, it ensures that connectors propagate through design, be it because the
instances of the roles are reﬁned or the glue is reﬁned.
7. Conclusions
ByadoptingacategoricalformalisationofdesignsforthelanguageCommUnity,wehavemadeclearthatcompo-
sitionandreﬁnementaretwodifferentwaysofconstructingcomplexdesignsfromsimplerones:theyarerequired
to preserve different properties which, in categorical terms, means that they are supported by different notions
of morphism, leading to different categories of designs. This is more than an interesting (if ever) observation
because it has an important impact on the way we can support incremental design of software systems as shown
through a formalisation of architectural constructs.
On the other hand, the paper also shows that at the core of the distinction between these two concerns
(composition and reﬁnement) is the difference between underspeciﬁcation and non-determinism. Because, in the
trace-based semantics that are typically used in formal methods for concurrency, both notions are modelled as
inclusion of behaviours, the notion of superposition, the mechanism that supports stepwise design of parallel
programs, has been used in [ChM88, FrF96, BaS96, Kat93, Bos99] for expressing both composition and reﬁne-
ment. Our work around CommUnity shows how this separation can be supported at the language and semantic
levels of architectural modelling.
Further work is going on which addresses yet another dimension that is becoming prevalent in the age of the
Internetandwirelesstechnologies:distributionandmobility.WearecurrentlyextendingCommUnityandtheuse
of superposition in order to support the externalisation of the mechanisms that are responsible for managing the
distribution topology of systems [LFW02]. This work has provided more evidence of the need for distinguishing
between composition and reﬁnement.
References
[AlG97] Allen R, Garlan D (1997) A formal basis for architectural connectors. ACM TOSEM 6(3):213–249
[BoF88] Boug´ e L, Francez N (1988) A compositional approach to superposition. In: Proceedings of the 14th ACM POPL, pp 240–249
[Bos99] Bosch J (1999) Superimposition: a component adaptation technique. Inf Software Technol
[Bac90] Back RJ (1990) Reﬁnement calculus II: parallel and reactive programs. Stepwise Reﬁnement of Distributed Systems, LNCS
430, Springer, Berlin Heidelberg New York, pp 67–93
[BaS96] Back RJ, Sere K (1996) Superposition reﬁnement of reactive systems. Formal Aspects Comput 8(3):324–346
[ChM88] Chandy K, Misra J (1988) Parallel program design: a foundation. Addison-Wesley
[Dij76] Dijkstra E (1976) A discipline of programming. Prentice-Hall International
[FrF96] Francez N, Forman I (1996) Interacting processes. Addison-Wesley
[FiL97] Fiadeiro JL, Lopes A (1997) Semantics of architectural connectors. In: Proceedings of TAPSOFT’97, LNCS 1214. Springer,
Berlin Heidelberg New York, pp 505–519
[FiM97] Fiadeiro JL, Maibaum T (1997) Categorical semantics of parallel program design. Sci Comput Programming 28:111–138
[Gog73] Goguen J (1973) Categorical foundations for general systems theory. In: Advances in Cybernetics and Systems Research.
Transcripta Books, pp 121–130
[Hoa85] Hoare CAR (1985) Communicating sequential processes. Prentice-Hall International
[Kat93] Katz S (1993) A Superimposition control construct for distributed systems. ACM TOPLAS 15(2):337–356
[Lop99] Lopes A (1999) Non-determinism and compositionality in the speciﬁcation of reactive systems. PhD Thesis, Universidade de
Lisboa
[LoF97] Lopes A, Fiadeiro JL (1997) Preservation and reﬂection in speciﬁcation. In: Proceedings of AMAST’97 LNCS 1349. Springer,
Berlin Heidelberg New York, pp 380–394
[LFW02] Lopes A, Fiadeiro JL, Wermelinger M (2002) Architectural primitives for distribution and mobility. In: Proceedings of 10th
symposium on the foundations of software engineering, ACM Press, pp 41–50
[LoF99] Lopes A, Fiadeiro JL (1999) Using explicit state to describe architectures. In: Proceedings of fundamental approaches to
software engineering, LNCS 1577. Springer, Berlin Heidelberg New York, pp 144–160
[ShG96] Shaw M, Garlan D (1996) Software architecture: perspectives on an emerging discipline. Prentice-Hall
[WeF98] Wermelinger M, Fiadeiro JL (1998) Connectors for mobile programs. IEEE Trans Software Eng 24(5):331–341
Received November 2002
Accepted in revised form June 2003 by B. T. Denvir and E. Boiten