The ERT Model of Fault-Tolerant Computing and Its Application to a Formalisation of Coordinated Atomic Actions by Koutny M & Pappalardo G
The ERT Model of Fault-Tolerant Computing and Its Application to
a Formalisation of Coordinated Atomic Actions
Maciej Koutny
Department of Computing Science, Claremont Tower, Claremont Road, University of Newcastle, Newcastle upon Tyne NE1 7RU, U.K.
Giuseppe Pappalardo
Dipartimento di Matematica, Viale A. Doria 6, Universita degli Studi di Catania, I-95125 Catania, Italy
February 25, 1998
Abstract
The Coordinated Atomic (CA) action concept is an approach to structuring complex concurrent
activities in a distributed environment, aimed at supporting fault tolerance in the design of object-
oriented systems. In this paper we investigate the issues involved in the formalisation of systems
based on CA actions. For this investigation we have chosen a compositional model of system
behaviour which enables one to relate the behaviour of (simple) base processes and their (complex)
implementations, and state the correctness of the latter in terms of the former. The base processes
can be thought of as specifications, or ideal processes operating in an error-free environment, while
the implementations model their actual realisation which can exploit CA actions, possibly combined
with a variety of fault-tolerant techniques to deliver reliable results.
Keywords: Distributed systems, CA actions, concurrency control, communicating sequential
processes, fault tolerance, nondeterminism, partial and total correctness, verification, divergence,
formal semantics.
1 Introduction
1.1 Coordinated Atomic actions
The Coordinated Atomic (CA) action concept [11, 15, 16] is an approach to structuring complex
concurrent activities in a distributed environment, aimed at supporting fault tolerance in object-
oriented systems. In its current presentation, the CA action model provides a conceptual framework
in which fault tolerance is achieved by integrating the concepts of conversations and transactions. The
former are used to control cooperative concurrency and coordinated error recovery, while the latter
are used to maintain the consistency of shared resources. The following are some of the essential
characteristics of the model [16]: (i) a CA action has roles which are activated by some external
participants (processes or threads); (ii) a CA action starts when all the roles have been activated and
finishes when each role has completed its execution; (iii) the execution of a CA action updates the
system state (represented by a set of external objects) atomically; (iv) roles can access local objects as
well as participate in nested CA actions; and (v) CA actions provide a basic framework for exception
handling that can support a variety of fault tolerance mechanisms to tolerate both hardware and
software faults.
1.2 Modelling fault tolerant systems with CA actions
When tackling the formalisation of some fundamental software engineering concept, such as that of
a CA action, one can envisage different levels of abstraction at which such a formalisation could be
developed. For example, one could specify a distributed (sub)system as a complex Petri net or a
process algebra expression, and then manipulate it in order to show that it satisfies its specification,
given in terms of another, simpler object, or a formula in a suitable logic. This is a well established
method when dealing with systems operating in a fault-free external environment. However, if one
adds the possibility of unpredictably faulty behaviour by the environment and the system, then it is
no longer straightforward to say what is an 'acceptable' or 'adequate' behaviour of the latter. Indeed,
due to the application of fault tolerant techniques, the system may exhibit some level of incorrectness
yet without being inadequate. Thus, it is crucial to be able to say what external (or observable)
behaviour of an object is considered acceptable in the environment in which it operates. If we adopt
this view, then it becomes apparent that the property of being acceptable will depend on the fault
tolerant mechanisms employed in the context in which the system operates; of course, in particular,
in the absence of such mechanisms, the system has to be simply fault-free. We therefore propose
that a first step on the way to produce a formal model of CA actions should be the development of
a technique allowing one to state that a model of an actual design is an acceptable realisation of its
specification. In the next (verification) step one would aim at actually proving that such a relationship
does indeed hold for a given system, using suitable techniques based, for instance, on Petri nets or
process algebras. In this paper, we shall address the former issue.
An important requirement for a formalisation of CA actions is that it should be simple, and preferably
based on a well established model of behaviour. There are at least two reasons why one might want
this to be the case. The first is that complex behavioural models can obscure or be incompatible with
the inherent features of CA actions; the second is that a well established model can usually be adapted
with little overhead to other system modelling frameworks, which would be a significant advantage in
the second step of the development.
The treatment of a real life distributed fault-tolerant system is complicated by the rapid growth of
the associated state space. Indeed one of the primary roles of CA actions is to control and manage
this complexity by applying appropriate structuring to the system's design. It therefore seems both
unavoidable and desirable that the formalisation of CA actions should directly support modular and
hierarchical development.
To summarise, we would aim at a model of behaviour allowing the correctness of CA actions based
systems to be stated in a framework in which modular and hierarchical reasoning is supported, and a
wide range of fault tolerant techniques is expressible.
1.3 The ERT model of behaviour
As a solution, this paper introduces a formal model of distributed behaviour which significantly refines
and extends that proposed in [8]. We will present the model and some of its fundamental features,
and then discuss how CA actions and their properties can be cast in this general framework. We will
call the model ERT, for Extraction, Refusals and Traces, where the second and third terms come from
the CSP model [1, 2, 3] on which it is based, and the first refers to a specific technique used to relate
systems specified at different levels of abstraction.
The ERT model originates from previous work on distributed replicated systems [5, 10], which has
led to the development of a formal model [6, 7, 8], based on an implementation relation capturing the
notion that a replicated system is a correct implementation of another target or base system. The
relation was defined independently of replication, in an abstract way, which enabled a uniform treatment
both of implementation techniques different from replication, and of different fault assumptions for
replication (e.g. fail-stop faults [13], or byzantine faults [9]). Although originally introduced to model
replicated processing, implementation relations can be seen as an effective technique for a broader
range of distributed systems, with a potential of being able to deal with fault-tolerance paradigms
other than replication, and various interface refinement schemes. Implementation relations are
defined in terms of an extraction function; intuitively, when applied to an input/output sequence of an
implementation, this function should yield an input/output sequence of the base system. Extraction
functions are used to formalise the interface of the implementation and relate it to that of the base
system.
There are two operational criteria for an implementation relation to be acceptable: realisability by
extraction and compositionality. Realisability ensures that the implementation can be used instead
of the base process in actual implementation. Compositionality requires that, if the systems in a
set implement each a base system, their composition should implement the composition of the base
systems. This meets the requirement of facilitating the modular and hierarchical development of
distributed systems.
The work on ERT has been carried out in the formal setting provided by the CSP divergence-based
model [2, 3], which incorporates not only the action sequences a process may engage in (traces), but
also the action sets it may refuse (refusals) and the traces after which it may diverge (divergences).
Traces alone provide a tool to express and prove the partial correctness of processes, while failures
and divergences enable nondeterminism (including deadlock freedom) to be treated. In the view of
[3], this amounts to total correctness.
The model of CSP leads to a natural formulation in terms of traces for the classes of input faults an
implementation system may tolerate (the input fault assumptions). Moreover, it facilitates viewing
a fault-tolerant system as an indeterminate member of a set of processes, rather than as a particular
process; this is desirable, for the behaviour of a fault-tolerant system cannot of course be fully specified
a priori but just constrained. An advantage of CSP is also its smooth treatment of process composition,
which is crucial to the above compositionality property, and therefore to the modular design and
analysis of distributed systems.
1.4 Outline of this paper
In this paper we generalise and substantially strengthen the model introduced in [8], by extending
the notion of compositionality to extraction functions, and by allowing more general networks of
communicating processes. The resulting ERT model is initially provided with two implementation
relations: weak, for dealing with acyclic networks of base processes, and strong, for dealing with
cyclic networks of base processes. In each case the implementation can be shown to be compositional
and support realisability.
The paper is organised as follows. In the next section we introduce some basic notions used throughout
the paper. In section 3 we introduce extraction patterns, a central notion to defining the interface
of an implementation, and discuss examples of extraction patterns. Section 4 deals with acyclic
networks of processes of a suitable class, which is followed in section 5 by the discussion of
implementations in cyclic process networks. In section 6 we present an example in which the ERT model is
used to model implementation of replication on a concrete architecture. In section 7 we discuss how
the CA actions could be dealt with within the ERT based framework. The proofs of all the theorems
stated in the paper, together with some auxiliary results, are included in the appendix.
2 Preliminaries
This section contains a brief introduction to that part of CSP which we will need to formulate our
definitions and results.
2.1 Actions and traces
Communicating Sequential Processes (CSP) [1, 2, 3] is a formal model for the description of concurrent
computing systems. A CSP process can be regarded as a black box which may engage in interaction
with its environment. Atomic instances of this interaction are called actions and must be elements of
the alphabet of the process. A trace of the process is a finite sequence of actions that a process can
be observed to engage in. In this paper, as in several other application-oriented papers, structured
actions of the form $b!v$ will be used, where $v$ is a message and $b$ is a communication channel. $b!v$ is
said to occur at $b$ and to cause $v$ to be exchanged between processes communicating over $b$. For every
channel $b$, $\mathit{msg}\,b$ is the message set of $b$, the set of all $v$ such that $b!v$ is a valid action. We define
$\alpha b = \{b!v \mid v \in \mathit{msg}\,b\}$ to be the alphabet of channel $b$. It is assumed that $\mathit{msg}\,b$ is always finite and
non-empty. For a set of channels $B$, $\alpha B = \bigcup_{b \in B} \alpha b$.
The following notation is similar to that of [3] (below $t, u$ are traces; $b, b', b''$ channels; $B_1, \ldots, B_n$, $B$
disjoint sets of channels; $A$ a set of actions; and $T, T'$ sets of traces):
- $\langle\rangle$ is the empty trace;
- $t = \langle a_1, \ldots, a_n\rangle$ is the trace whose $i$-th element is $a_i$, and whose length, $|t|$, is $n$; we will denote $t[i] = a_i$, for $i \le n$; if $n \ge 1$ then $\mathit{head}(t) = a_1$ and $\mathit{tail}(t) = \langle a_2, \ldots, a_n\rangle$;
- $t \cdot u$ is the trace obtained by appending $u$ to $t$;
- $A^*$ is the set of all traces of actions from $A$;
- $T^*$ is the set of all traces $t = t_1 \cdot \ldots \cdot t_n$ ($n \ge 0$) such that $t_1, \ldots, t_n \in T$;
- $\mathit{Pref}(T)$ denotes the prefix-closure of $T$;
- $\le$ denotes the prefix relation on traces;
- $t < u$ if $t \le u$ and $t \ne u$;
- $t[b'/b]$ is a trace obtained from $t$ by replacing each action $b!v$ by $b'!v$;
- $t \restriction B$ is obtained by deleting from $t$ all the actions that do not occur on the channels in $B$; for example, $\langle b''!3, b!1, b''!2, b!3, b'!3, b''!6, b'!2\rangle \restriction \{b, b'\} = \langle b!1, b!3, b'!3, b'!2\rangle$;
- $t \# b$ is the message sequence obtained by projecting $t$ on $b$ and then deleting the channel name; for example, $\langle b!1, b'!2, b!3, b''!6\rangle \# b = \langle 1, 3\rangle$;
- Let $T_i$, for $i \le n$, be sets of traces over the channels in $B_i$; their shuffle, denoted by $T_1 ||| T_2 ||| \cdots ||| T_n$, is the set of all traces $t$ over $B_1 \cup \cdots \cup B_n$ such that $t \restriction B_i \in T_i$, for all $i$;
- A mapping $f : T \to T'$ between non-empty sets of traces is monotonic if $t \le u$ and $t, u \in T$ implies $f(t) \le f(u)$ (for functions on vectors of traces, the prefix relation is defined component-wise); $f$ is strict if $f(\langle\rangle) = \langle\rangle$; and $f$ is a homomorphism if $t, u, t \cdot u \in T$ implies $f(t \cdot u) = f(t) \cdot f(u)$;
- A family of sets $\mathcal{X}$ is subset-closed if $Y \subseteq X \in \mathcal{X}$ implies $Y \in \mathcal{X}$.
2.2 Processes
We use the divergence model of CSP [2, 3] in which a process $P$ is a triple $(\alpha P, \phi P, \delta P)$ where $\alpha P$, the
alphabet, is a non-empty finite set of actions, $\phi P$, the failures, is a subset of $(\alpha P)^* \times 2^{\alpha P}$, and $\delta P$, the
divergences, is a subset of $(\alpha P)^*$. The conditions imposed on the three components are given below,
where $\tau P$ denotes the traces of $P$, $\tau P = \{t \mid (t, R) \in \phi P\}$:
CSP1 $\tau P$ is non-empty and prefix-closed.
CSP2 If $(t, R) \in \phi P$ and $S \subseteq R$ then $(t, S) \in \phi P$.
CSP3 If $(t, R) \in \phi P$ and $a \in \alpha P$ is such that $t \cdot \langle a\rangle \notin \tau P$ then $(t, R \cup \{a\}) \in \phi P$.
CSP4 If $t \in \delta P$ then $(t \cdot u, R) \in \phi P$, for all $u \in (\alpha P)^*$ and all $R \subseteq \alpha P$.
If $(t, R) \in \phi P$ then $P$ is said to refuse $R$ after $t$. Intuitively, this means that if the environment
offers $R$ as a set of possible events to be executed after $t$, then $P$ can deadlock. If $t \in \delta P$ then $P$ is
said to diverge after $t$. In the CSP model this means the process behaves in a totally uncontrollable
way. Such a semantical treatment is based on what is often referred to as 'catastrophic' divergence
whereby the process in a diverging state is modelled as being able to accept any trace and generate
any refusal. This facilitates a smooth definition of fixpoints used to give the semantics of recursively
defined processes.
We will associate with $P$ a set of channels, $\mathit{chan}\,P$, and stipulate that the alphabet of $P$ is that of
$\mathit{chan}\,P$. Thus, we shall be able to identify $P$ with the triple $(\mathit{chan}\,P, \phi P, \delta P)$ in lieu of $(\alpha P, \phi P, \delta P)$.
2.3 CSP operators
For our purposes neither the syntax nor the semantics of the whole standard CSP is needed. Essential
to the treatment of ERT are only the parallel composition of processes, hiding of the communication
over a set of channels and renaming of channels. In the modelling of CA actions and examples we
also use deterministic choice, $P \mathbin{\Box} Q$, non-deterministic choice, $P \sqcap Q$, and prefixing, $a \to P$. All the
operators are formally defined in the appendix.
Parallel composition $P \parallel Q$ models synchronous communication between processes in such a way that
each of them is free to engage independently in any action that is not in the other's alphabet, but they
have to engage simultaneously in all actions that are in the intersection of their alphabets. Parallel
composition is commutative and associative; we will use $P_1 \parallel \cdots \parallel P_n$ to denote the parallel composition
of processes $P_1, \ldots, P_n$.
Let $P$ be a process and $B$ be a set of channels of $P$; then $P \setminus B$ is a process that behaves like $P$ with
the actions occurring at the channels in $B$ made invisible. Hiding is associative in that $(P \setminus B) \setminus B' = P \setminus (B \cup B')$.
Let $P$ be a process with a channel $b \in \mathit{chan}\,P$, and $b'$ be a channel not in $\mathit{chan}\,P$ such that $\mathit{msg}\,b = \mathit{msg}\,b'$. Then $P[b'/b]$ is a process that behaves like $P$ except that each action $b!v$ is replaced by $b'!v$.
A crucial property [2] involving the parallel composition and hiding operators states that if $P$ and $Q$
are two processes and $B \subseteq \mathit{chan}\,P - \mathit{chan}\,Q$ then $(P \setminus B) \parallel Q = (P \parallel Q) \setminus B$. Its relevance follows from an
application to modelling of networks of processes.
Processes $P_1, \ldots, P_n$ form a network if no channel is shared by more than two $P_i$'s. We then define
$P_1 \otimes \cdots \otimes P_n$ to be the process obtained by taking the parallel composition of the processes and then
hiding all interprocess communication, i.e. the process $(P_1 \parallel \cdots \parallel P_n) \setminus B$, where $B$ is the set of channels
shared by at least two different processes. We will call $P_1 \otimes \cdots \otimes P_n$ a network.
[Figure 1: Three generic processes. Diagram not reproduced: $P$ with input channels $p_1, \ldots, p_m$ and output channels $q_1, \ldots, q_n$; $K$ with channels $C$, $D$, $E$; $L$ with channels $D$, $F$, $G$.]
Theorem 2.1 Let $P_1, \ldots, P_{k+l}$, where $k, l \ge 1$, be a network of processes. Then
\[ P_1 \otimes \cdots \otimes P_k \otimes P_{k+1} \otimes \cdots \otimes P_{k+l} = (P_1 \otimes \cdots \otimes P_k) \otimes P_{k+1} \otimes \cdots \otimes P_{k+l}. \]
That is, a network can be obtained by first composing some of the processes into a subnetwork, and
then composing the result with the remaining processes. In the failure model of CSP, where a process
$P$ is identified with the pair $(\alpha P, \phi P)$, this property does not hold [2], whence the need for the more
complicated divergence model.
We can partition the channels of a process $P$ into the input channels, $\mathit{in}\,P$, and output channels, $\mathit{out}\,P$.
It is implicitly assumed that no two processes in a network have a common input channel or a common
output channel. When composing processes, we will always assume that
\[ \mathit{in}(P_1 \otimes \cdots \otimes P_n) = \bigcup_{i=1}^{n} \mathit{in}\,P_i - \bigcup_{i=1}^{n} \mathit{out}\,P_i
\quad\text{and}\quad
\mathit{out}(P_1 \otimes \cdots \otimes P_n) = \bigcup_{i=1}^{n} \mathit{out}\,P_i - \bigcup_{i=1}^{n} \mathit{in}\,P_i. \]
In the diagrams, an outgoing arrow labelled by $c$ indicates that $c$ is an output channel, and an incoming
arrow labelled by $c$ indicates that $c$ is an input channel.
For a process $P$, we consider the set $\{t \mid (t, \alpha\,\mathit{out}\,P) \in \phi P\}$. Intuitively, it comprises those traces of $P$ for
which the process produced all the outputs for a given set of inputs.
2.4 Processes class employed
To facilitate the discussion, we will refer to three processes, $P$, $K$ and $L$, such that $\mathit{in}\,P = \{p_1, \ldots, p_m\}$,
$\mathit{out}\,P = \{q_1, \ldots, q_n\}$, $\mathit{in}\,K = C$, $\mathit{out}\,K = D \cup E$, $\mathit{in}\,L = D \cup F$ and $\mathit{out}\,L = G$ (see figure 1). It is
assumed that the channel sets $E \cup D$ and $G$ are non-empty, and $P$ has at least one output channel
($n \ge 1$). In the case that $P$ has no input channels, $m = 0$, it will be called output-only. In the proofs
we will always assume that the processes involved are not output-only. All the proofs can be easily
adapted (and simplified) for output-only processes.
Let $U$ and $V$ be two non-empty prefix-closed sets of traces over respectively $\mathit{in}\,P$ and $\mathit{out}\,P$. Then $P$
is input-guarded w.r.t. $U$ and $V$ if, for every set of traces $T \subseteq \tau P$ satisfying $T \restriction \mathit{in}\,P \subseteq U$,
IG1 $T \restriction \mathit{out}\,P \subseteq V$.
IG2 If $T$ is infinite then so is $T \restriction \mathit{in}\,P$.
We denote this by $P \in \mathit{IG}(U, V)$, and if $U$ and $V$ comprise all traces over $\mathit{in}\,P$ and $\mathit{out}\,P$ we simply
write $P \in \mathit{IG}$. For an output-only $P$ the definition reduces to requiring that $\tau P$ should be a finite
subset of $V$. Input guardedness is compositional in the sense that if $T_C$, $T_D$, $T_E$, $T_F$ and $T_G$ are
[Figure 2: Deterministic input/output process. Diagram not reproduced: input channels $p_1, \ldots, p_m$ feed $m$ input buffers, the computational unit CU, and $n$ output buffers on $q_1, \ldots, q_n$.]
prex-closed sets of traces over respectively the channels C, D, E, F and G, then K 2 IG(T
C
; T
D
jjjT
E
)
and L 2 IG(T
D
jjjT
F
; T
G
) implies K 
 L 2 IG(T
C
jjjT
F
; T
E
jjjT
G
).
1
A class of base processes we shall consider is that of general input/output processes [8]. These comprise
$P$ which are input-guarded (i.e., $P \in \mathit{IG}$) and never refuse any input (i.e., $R \cap \alpha\,\mathit{in}\,P = \emptyset$, for all
$(t, R) \in \phi P$). Both restrictions are rather mild and a wide range of processes are GIO, e.g., $\mathit{Merge}$
(defined in the next section) which combines with a FIFO policy messages received on its input
channels into a single output stream. An output-only process $P$ is GIO if $\tau P$ is finite. The GIO
process class is non-diverging and compositional, i.e., if $P \in \mathit{GIO}$ then $\delta P = \emptyset$; and if $K \in \mathit{GIO}$ and
$L \in \mathit{GIO}$ then $K \otimes L \in \mathit{GIO}$.[2]
We also consider a subclass of GIO comprising functional processes $P$ with buffered input and output,
as illustrated in figure 2: $P$ receives messages on the input channels, which are then kept in $m$ input
buffers. Messages are removed from the input buffers by the computational unit CU which works out
and deposits the results in the $n$ output buffers. Such a process $P$ can be characterised by a function
over vectors of traces [4]. Let
\[ f : (\alpha p_1)^* \times \cdots \times (\alpha p_m)^* \to (\alpha q_1)^* \times \cdots \times (\alpha q_n)^* \]
be a monotonic function. (For $m = 0$, $f$ is a constant vector of traces.) Then $P$ is a deterministic
input/output process implementing $f$ if
DIO1 $\tau P = \{t \mid \forall u \le t : (u \restriction q_1, \ldots, u \restriction q_n) \le f(u \restriction p_1, \ldots, u \restriction p_m)\}$
DIO2 $(t, \{a\}) \in \phi P \Rightarrow t \cdot \langle a\rangle \notin \tau P$.
We denote this by $P \in \mathit{DIO}$ (note that $\mathit{DIO} \subseteq \mathit{GIO}$). If $P$ has exactly one input channel and one output
channel, and $f(t) = t[q_1/p_1]$, then it is an unbounded deterministic buffer, denoted by $\mathit{buffer}_{p_1 q_1}$. DIO
processes are compositional, i.e., if $K \in \mathit{DIO}$ and $L \in \mathit{DIO}$ then $K \otimes L \in \mathit{DIO}$.[3]
3 Extraction Patterns
3.1 Motivating example
Consider two processes, $\mathit{Sgl}$ and $\mathit{Buffer}$, as shown in figure 3(a). The former generates a single binary
pulse, i.e., one belonging to $\mathbb{B} = \{0, 1\}$, on its output channel, $p$, then terminates; the latter is a buffer
process forwarding signals received on its input channel. $\mathit{Sgl}$ is a GIO process, $\mathit{Buffer} = \mathit{buffer}_{pq}$ is a
DIO process.
[1] See proposition A.4(3) in the appendix.
[2] See theorem A.5.
[3] See theorem A.6.
[Figure 3: Two base processes and their implementations. Diagram not reproduced: (a) $\mathit{Sgl}$ sends on $p$ to $\mathit{Buffer}$, which outputs on $q$; (b) $\mathit{Sgl}'$ sends on $r$ and $s$ to $\mathit{Buffer}'$, which outputs on $q$.]
\[ \mathit{Sgl} = \mathop{\Box}_{v \in \mathbb{B}} p!v \to \mathit{stop} \]
\[ \mathit{Buffer} = B_{\langle\rangle} \]
\[ B_t = \begin{cases}
\mathop{\Box}_{v \in \mathbb{B}} p!v \to B_{\langle q!v\rangle} & \text{if } t = \langle\rangle \\
\big(\mathit{head}(t) \to B_{\mathit{tail}(t)}\big) \mathbin{\Box} \mathop{\Box}_{v \in \mathbb{B}} p!v \to B_{t \cdot \langle q!v\rangle} & \text{if } t \ne \langle\rangle
\end{cases} \]
Suppose that the signal transmission between the two processes has been implemented using two
channels, $r$ and $s$, as shown in figure 3(b). The signal itself is now duplicated and the two copies sent
along $r$ and $s$.
\[ \mathit{Sgl}' = \mathop{\Box}_{v \in \mathbb{B}} (r!v \to \mathit{stop} \parallel s!v \to \mathit{stop}) \]
\[ \mathit{Buffer}' = B^0_{\langle\rangle, \langle\rangle} \]
\[ B^k_{t,w} = \begin{cases}
\mathop{\Box}_{v \in \mathbb{B}} \big(r!v \to B^k_{t \cdot \langle q!v\rangle, w} \mathbin{\Box} s!v \to B^k_{t, w \cdot \langle q!v\rangle}\big) & \text{if } k = \max\{|t|, |w|\} \\
\big(t[k+1] \to B^{k+1}_{t,w}\big) \mathbin{\Box} \mathop{\Box}_{v \in \mathbb{B}} \big(r!v \to B^k_{t \cdot \langle q!v\rangle, w} \mathbin{\Box} s!v \to B^k_{t, w \cdot \langle q!v\rangle}\big) & \text{if } |t| \ge |w| \wedge |t| > k \\
\big(w[k+1] \to B^{k+1}_{t,w}\big) \mathbin{\Box} \mathop{\Box}_{v \in \mathbb{B}} \big(r!v \to B^k_{t \cdot \langle q!v\rangle, w} \mathbin{\Box} s!v \to B^k_{t, w \cdot \langle q!v\rangle}\big) & \text{if } |w| > |t| \wedge |w| > k.
\end{cases} \]
That is, $\mathit{Sgl}'$ sends the duplicated signal, while $\mathit{Buffer}'$ accepts a single copy and passes it on (possibly
after a delay) ignoring the other one. The scheme clearly works as we have $\mathit{Sgl} \otimes \mathit{Buffer} = \mathit{Sgl}' \otimes \mathit{Buffer}'$.
Suppose now that the transmission of signals is imperfect and two types of faulty behaviour can occur:
\[ \mathit{Sgl}_1 = \mathit{Sgl}' \sqcap \mathit{stop} \qquad\text{and}\qquad \mathit{Sgl}_2 = \mathit{Sgl}' \sqcap \mathop{\Box}_{v \in \mathbb{B}} r!v \to \mathit{stop}. \]
$\mathit{Sgl}_1$ can break down completely, refusing to output any signals, while $\mathit{Sgl}_2$ can fail in such a way
that although channel $s$ is blocked $r$ can still transmit the signal. $\mathit{Sgl}_2$ could be used to model the
following realistic situation: in order to improve performance, a 'slow' channel $p$ is replaced by two
channels, a high-speed yet unreliable channel $s$ and a slow but reliable backup channel $r$. Since
$\mathit{Sgl} \otimes \mathit{Buffer} = \mathit{Sgl}_2 \otimes \mathit{Buffer}'$ but $\mathit{Sgl} \otimes \mathit{Buffer} \ne \mathit{Sgl}_1 \otimes \mathit{Buffer}'$, it follows that $\mathit{Sgl}_2$ is a much 'better'
implementation of the $\mathit{Sgl}$ process than $\mathit{Sgl}_1$. We will now analyse the differences between the two
processes and at the same time introduce informally some basic concepts which are subsequently used.
We start by observing that the output of $\mathit{Sgl}_2$ can be thought of as adhering to the following two
rules:
R1 The transmissions over r and s are consistent.
R2 Transmission over r is reliable, but there is no such guarantee for s.
The output produced by $\mathit{Sgl}_1$ satisfies R1 but fails to satisfy R2. To express this formally we need to
render the two conditions in some form of precise notation.
To capture the behavioural relationship that exists between $\mathit{Sgl}$ and $\mathit{Sgl}_2$ we will employ an (extraction)
mapping $\mathit{extr}$ which for traces over $r$ and $s$ returns corresponding traces over $p$. For example,
\[ \begin{array}{rcl}
\langle\rangle & \mapsto & \langle\rangle \\
\langle r!0\rangle & \mapsto & \langle p!0\rangle \\
\langle s!0\rangle & \mapsto & \langle p!0\rangle \\
\langle s!1, r!1\rangle & \mapsto & \langle p!1\rangle \\
\langle r!1, s!1\rangle & \mapsto & \langle p!1\rangle
\end{array} \]
Note that the extraction mapping needs only be defined for traces satisfying R1. Although it will play
a central role, the extraction mapping alone is not sufficient to identify the 'correct' implementation of
$\mathit{Sgl}$ in the presence of faults since $\tau\mathit{Sgl} = \mathit{extr}(\tau\mathit{Sgl}_1) = \mathit{extr}(\tau\mathit{Sgl}_2)$. What one also needs is an ability
to relate the refusals of $\mathit{Sgl}_i$ with the possible refusals of the base process $\mathit{Sgl}$. This, however, is much
harder than relating traces. For suppose that we attempted to 'translate' the refusals of $\mathit{Sgl}_2$ using
the extraction mapping. Then we would have
\[ (\langle\rangle, \{s!0\}) \in \phi\mathit{Sgl}_2 \quad\text{and}\quad \mathit{extr}(\langle\rangle, \{s!0\}) = (\langle\rangle, \{p!0\}) \notin \phi\mathit{Sgl}. \]
This indicates that the crude extraction of refusals is not going to work. What we need is a more
sophisticated device which in our case comes in the form of another mapping, $\mathit{ref}$, constraining the
possible refusals a process can exhibit after a given trace. This will help prevent, e.g., a sender process
from blocking while its transmission is still incomplete. In the example at hand, this roughly amounts
to requiring that the communication on channel $r$ should not be blocked before the sender, $\mathit{Sgl}_2$, has
sent a signal on it ($\mathit{Sgl}_1$ fails to satisfy a similar condition). For example, we will stipulate that $\mathit{ref}(\langle s!0\rangle)$
must not comprise a refusal containing both $r!0$ and $r!1$. We will denote by $\mathit{dom}$ the traces conveying
information that can at least in principle be regarded as complete. According to R2, $\langle s!0\rangle$ and $\langle s!1\rangle$
will not belong to $\mathit{dom}$.
The last notion we will need to establish the correspondence between processes is a partial inverse
of the extraction mapping, $\mathit{inv}$. It will be used to ensure that all the traces of a base process can be
extracted from the traces of its implementations.
3.2 Formal denition
An extraction pattern is defined for two non-empty sets of channels, $B$ and $B'$, respectively called
sources and targets. It is a tuple $\mathit{ep} = (\mathit{dom}, \mathit{extr}, \mathit{ref}, \mathit{inv})$ satisfying the following:
EP1 $\mathit{dom}$ is a set of traces over the sources; its prefix-closure will be denoted by $\mathit{Dom}$.
EP2 $\mathit{extr}$ is a strict monotonic mapping defined for traces in $\mathit{Dom}$; for every $t$, $\mathit{extr}(t)$ is a trace over
the targets.
EP3 $\mathit{ref}$ is a mapping defined for traces in $\mathit{Dom}$; for every $t$, $\mathit{ref}(t)$ is a non-empty subset-closed family
of proper subsets of $\alpha B$.
EP4 $\mathit{inv}$ is a trace homomorphism from traces over the targets to traces in $\mathit{Dom}$; for every trace $w$
over the targets, $\mathit{extr}(\mathit{inv}(w)) = w$.
The extraction mapping is monotonic as receiving more information cannot decrease the current
knowledge about the transmission. $\alpha B \notin \mathit{ref}(t)$ means that for the unfinished communication $t$ we do
not allow the sender to refuse all possible transmission. From EP4 it follows that $\mathit{dom}$ has at least the
same cardinality as the traces over targets. Since $\mathit{inv}$ is a trace homomorphism, it suffices to define it
for single actions over the targets only.
The different components of the extraction patterns can be subscripted or primed to avoid ambiguity.
Note that we do not mention explicitly the source and target channels. We assume these can always
be retrieved from the domains of $\mathit{extr}$ and $\mathit{inv}$. Unless explicitly stated, different extraction patterns
have disjoint sources and disjoint targets. A basic extraction pattern is one with a singleton target
channel (basic extraction patterns were discussed in [8]).
Let $\mathit{ep}_1$ and $\mathit{ep}_2$ be two extraction patterns with the sources (targets) respectively $B_1$ and $B_2$ ($B'_1$
and $B'_2$). Then $\mathit{ep} = \mathit{ep}_1 \oplus \mathit{ep}_2$ is an extraction pattern with the sources $B = B_1 \cup B_2$ and targets
$B' = B'_1 \cup B'_2$ such that the following are satisfied:
\[ \mathit{dom} = \mathit{dom}_1 ||| \mathit{dom}_2 \]
\[ \mathit{extr}(\langle\rangle) = \langle\rangle \]
\[ \mathit{ref}(t) = \big\{ R \subseteq \alpha B \;\big|\; R \cap \alpha B_1 \in \mathit{ref}_1(t \restriction B_1) \vee R \cap \alpha B_2 \in \mathit{ref}_2(t \restriction B_2) \big\} \]
\[ \mathit{extr}(t \cdot \langle a\rangle) = \begin{cases}
\mathit{extr}(t) \cdot u_1 & \text{if } a \in \alpha B_1 \wedge \mathit{extr}_1(t \restriction B_1 \cdot \langle a\rangle) = \mathit{extr}_1(t \restriction B_1) \cdot u_1 \\
\mathit{extr}(t) \cdot u_2 & \text{if } a \in \alpha B_2 \wedge \mathit{extr}_2(t \restriction B_2 \cdot \langle a\rangle) = \mathit{extr}_2(t \restriction B_2) \cdot u_2
\end{cases} \]
\[ \mathit{inv}(a) = \begin{cases}
\mathit{inv}_1(a) & \text{if } a \in \alpha B'_1 \\
\mathit{inv}_2(a) & \text{if } a \in \alpha B'_2
\end{cases} \]
It is not difficult to see that $\mathit{ep}$ is well-defined, i.e., it is indeed an extraction pattern, such that
$\mathit{Dom} = \mathit{Dom}_1 ||| \mathit{Dom}_2$.[4] For the proof it is essential that extraction mappings are strict and monotonic.
$\oplus$ is both associative and commutative. It provides an important way of building complex extraction
patterns from simpler ones, in particular the basic extraction patterns.
3.3 Examples of extraction patterns
We have already discussed a kind of 'fail-stop' extraction pattern for the example in figure 3. In
general, to define a fail-stop extraction pattern, we assume that the sources are channels $B$ and the
target is a singleton channel $b$ (the message sets of all the channels involved are the same). Moreover,
$\mathit{NF} \subseteq B$ is a non-empty set of reliable channels. Those in $B - \mathit{NF}$ may be unreliable, but even in the
worst case may only fail by doing nothing [12]. These assumptions are captured by the extraction
pattern denoted by $\mathit{fs}(b, B, \mathit{NF})$ and defined in the following way (below $p$ is a fixed channel in $\mathit{NF}$).
\[ \begin{array}{rcl}
\mathit{dom} & = & \{ t \mid \forall q \in B\ \forall r \in \mathit{NF} : t \# q \le t \# r \} \\
\mathit{ref}(t) & = & \{ R \mid \alpha\mathit{NF} \not\subseteq R \} \\
\mathit{extr}(t) & = & \max \{ (t \restriction q)[b/q] \mid q \in B \} \\
\mathit{inv}(b!v) & = & \langle p!v\rangle.
\end{array} \]
[4] See proposition A.10.
Note that $\mathit{Dom} = \{ t \mid \forall q, r \in B : t \# q \le t \# r \vee t \# r \le t \# q \}$.
The second basic extraction pattern is one which can be used to model systems employing majority
voting. Here we have the same sources and targets as before, with the reliable source channels being
in majority, $|\mathit{NF}| > \frac{1}{2}|B|$. Channels not in $\mathit{NF}$ are in no way constrained. We define the majority
voting extraction pattern $\mathit{mv}(b, B, \mathit{NF})$ in the following way (below $p_1, \ldots, p_{|\mathit{NF}|}$ is a fixed enumeration
of the channels in $\mathit{NF}$).
\[ \begin{array}{rcl}
\mathit{dom} & = & \{ t \mid \forall q, r \in \mathit{NF} : t \# q = t \# r \} \\
\mathit{ref}(t) & = & \{ R \mid \alpha\mathit{NF} \not\subseteq R \} \\
\mathit{extr}(t) & = & \max \{ u \mid \tfrac{1}{2}|B| < |\{ q \in B \mid u \# b \le t \# q \}| \} \\
\mathit{inv}(b!v) & = & \langle p_1!v, \ldots, p_{|\mathit{NF}|}!v\rangle.
\end{array} \]
Note that $\mathit{Dom} = \{ t \mid \forall q, r \in \mathit{NF} : t \# q \le t \# r \vee t \# r \le t \# q \}$.
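As an added, executable illustration of the two patterns just defined (this code is not from the paper; all function names and the sample traces are constructed here), the following Python encodes $\mathit{dom}$, $\mathit{Dom}$ and $\mathit{extr}$ for $\mathit{fs}(b, B, \mathit{NF})$ and $\mathit{mv}(b, B, \mathit{NF})$ over traces of $b!v$ actions, and exercises them on the section 3.1 scenario (reliable $r$, unreliable $s$, target $p$) and on a three-source vote in which the one unreliable source delivers garbage.

```python
# Added example (not part of the paper): executable fail-stop (fs) and
# majority-voting (mv) extraction patterns.  A structured action b!v is
# modelled as the tuple (b, v) and a trace as a tuple of actions.
from typing import Iterable, Tuple

Action = Tuple[str, object]
Trace = Tuple[Action, ...]


def project(t: Trace, b: str) -> tuple:
    """t#b: the message sequence carried on channel b."""
    return tuple(v for (c, v) in t if c == b)


def is_prefix(u: tuple, t: tuple) -> bool:
    """u <= t in the prefix order on sequences."""
    return len(u) <= len(t) and t[: len(u)] == u


def fs_in_dom(t: Trace, B: Iterable[str], NF: Iterable[str]) -> bool:
    """dom of fs: every source sequence is a prefix of every reliable one."""
    return all(is_prefix(project(t, q), project(t, r)) for q in B for r in NF)


def fs_in_Dom(t: Trace, B: Iterable[str]) -> bool:
    """Dom (prefix-closure of dom): source sequences are pairwise comparable."""
    B = list(B)
    return all(is_prefix(project(t, q), project(t, r)) or
               is_prefix(project(t, r), project(t, q)) for q in B for r in B)


def fs_extr(t: Trace, b: str, B: Iterable[str]) -> Trace:
    """extr(t) = max{(t|q)[b/q] | q in B}, defined for t in Dom."""
    B = list(B)
    if not fs_in_Dom(t, B):
        raise ValueError("trace outside Dom: inconsistent transmissions")
    # Within Dom the candidates are totally ordered by prefix, so the
    # maximum is the longest sequence; relabel it onto the target b.
    longest = max((project(t, q) for q in B), key=len)
    return tuple((b, v) for v in longest)


def mv_in_dom(t: Trace, NF: Iterable[str]) -> bool:
    """dom of mv: all reliable channels carry the same message sequence."""
    seqs = [project(t, r) for r in NF]
    return all(s == seqs[0] for s in seqs)


def mv_extr(t: Trace, b: str, B: Iterable[str]) -> Trace:
    """extr(t) = max{u | |B|/2 < |{q in B | u#b <= t#q}|}."""
    B = list(B)
    best: tuple = ()
    for q in B:                      # every candidate u is a prefix of some t#q
        seq = project(t, q)
        for k in range(len(seq), len(best), -1):   # only longer candidates matter
            u = seq[:k]
            support = sum(1 for c in B if is_prefix(u, project(t, c)))
            if 2 * support > len(B):     # a strict majority of sources agrees on u
                best = u
                break
    return tuple((b, v) for v in best)


def demo() -> dict:
    """Constructed traces; nothing here is taken from the paper's figures."""
    B, NF = ["r", "s"], ["r"]                       # fs(p, {r, s}, {r})
    fast_then_slow = (("s", 0), ("r", 0), ("r", 1))  # s lags behind r: consistent
    s_only = (("s", 0),)                             # satisfies R1 but not yet R2
    B3, NF3 = ["p1", "p2", "p3"], ["p1", "p2"]      # mv(b, {p1, p2, p3}, {p1, p2})
    voted = (("p1", 1), ("p3", 7), ("p2", 1), ("p1", 0), ("p2", 0), ("p3", 0))
    partial = (("p1", 1), ("p2", 1), ("p1", 0))     # p2 has not confirmed the 0 yet
    return {
        "fs_extr": fs_extr(fast_then_slow, "p", B),
        "s_only_in_dom": fs_in_dom(s_only, B, NF),
        "s_only_in_Dom": fs_in_Dom(s_only, B),
        "mv_extr": mv_extr(voted, "b", B3),
        "voted_in_dom": mv_in_dom(voted, NF3),
        "partial_extr": mv_extr(partial, "b", B3),
        "partial_in_dom": mv_in_dom(partial, NF3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For $\langle s!0\rangle$ the checks return Dom membership but not dom membership, which is exactly the remark in section 3.1 that such a trace is consistent (R1) but not complete (R2).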
In the formal treatment we shall need a special simple extraction pattern which relates source to target
communication in a one-to-one (identity) manner. An identity extraction pattern for a channel $b$, $\mathit{id}_b$,
is one for which $B = B' = \{b\}$, $\mathit{dom} = \mathit{Dom} = (\alpha b)^*$, $\mathit{extr}(t) = \mathit{inv}(t) = t$ and $\mathit{ref}(t) = \{R \mid \alpha b \not\subseteq R\}$.
For a set of channels $B'' = \{b_1, \ldots, b_k\}$, $\mathit{id}_{B''} = \mathit{id}_{b_1} \oplus \cdots \oplus \mathit{id}_{b_k}$. (Note that $\mathit{id}_b = \mathit{fs}(b, \{b\}, \{b\}) =
\mathit{mv}(b, \{b\}, \{b\})$.)
Our previous examples might give an impression that extraction patterns can only model implementations
lending themselves to a unidirectional interpretation. This is, in fact, not the case. Consider again
the example of figure 3(a) and the following two processes (see figure 4(a)):
\[ \mathit{Sgl}_3 = \mathop{\Box}_{v \in \mathbb{B}} r!v \to (s!\mathit{ack} \to \mathit{stop} \mathbin{\Box} s!\mathit{nak} \to r!v \to \mathit{stop}) \]
\[ \mathit{Buffer}_1 = B^1_{\langle\rangle} \]
\[ B^1_t = \begin{cases}
\mathop{\Box}_{v \in \mathbb{B}} r!v \to \big(s!\mathit{ack} \to B^1_{\langle q!v\rangle} \sqcap s!\mathit{nak} \to \mathop{\Box}_{v \in \mathbb{B}} r!v \to B^1_{\langle q!v\rangle}\big) & \text{if } t = \langle\rangle \\
\big(\mathit{head}(t) \to B^1_{\mathit{tail}(t)}\big) \mathbin{\Box} \mathop{\Box}_{v \in \mathbb{B}} r!v \to \big(s!\mathit{ack} \to B^1_{t \cdot \langle q!v\rangle} \sqcap s!\mathit{nak} \to \mathop{\Box}_{v \in \mathbb{B}} r!v \to B^1_{t \cdot \langle q!v\rangle}\big) & \text{if } t \ne \langle\rangle
\end{cases} \]
We have $\mathit{Sgl}_3 \otimes \mathit{Buffer}_1 = \mathit{Sgl} \otimes \mathit{Buffer}$. The processes employ a simple bi-directional protocol: a signal
sent over channel $r$ is acknowledged by the receiver as successful (using $s!\mathit{ack}$) or failed (using $s!\mathit{nak}$), in
which case the sender will retransmit. This second transmission always succeeds. These assumptions
can be captured by the extraction pattern $\mathit{twice}$ defined in the following way:
dom =
n
hr!0; s!acki; hr!0; s!nak; r!0i; hr!1; s!acki; hr!1; s!nak; r!1i
o

ref(t  u) =
8
<
:
fR j r 6 Rg if t 2 dom ^ u 2 fh i; hr!0; s!0i; hr!1; s!0ig
2
r
if t 2 dom ^ u 2 fhr!0i; hr!1ig
extr(t) =
8
>
>
<
>
>
:
h i if t = h i
extr(w)  hq!vi if t = w  hr!v; s!acki 2 dom _ t = w  hr!v; s!nak; r!vi 2 dom
extr(w) if t = w  hai 62 dom
inv(q!v) = fhr!v; s!ackig:
Figure 4: Processes for twice and double extraction patterns. (a) $\mathit{Sgl}_3$ connected to $\mathit{Buffer}_1$ by channels $r$ and $s$, with output channel $q$; (b) $\mathit{Sgls}$ connected to $\mathit{Merge}$ by channels $p$ and $r$, with output channel $q$.
Not all interesting extraction patterns can be factored into a set of basic extraction patterns through the $\otimes$ operation. Consider the following pair of base processes:
$$\mathit{Sgls} = \Box_{v \in \mathbb{B}}\; p!v \to \mathit{stop} \;\parallel\; \Box_{v \in \mathbb{B}}\; r!v \to \mathit{stop}$$
$$\mathit{Merge} = M^{\langle\rangle}$$
$$M^{t} = \begin{cases}
\Box_{b \in \{p, r\},\; v \in \mathbb{B}}\; b!v \to M^{\langle q!v\rangle} & \text{if } t = \langle\rangle \\[4pt]
\mathit{head}(t) \to M^{\mathit{tail}(t)} \;\Box\; \Box_{b \in \{p, r\},\; v \in \mathbb{B}}\; b!v \to M^{t \frown \langle q!v\rangle} & \text{if } t \neq \langle\rangle
\end{cases}$$
The $\mathit{Sgls}$ process generates two binary signals on its two output channels, which are then combined in FIFO manner by the $\mathit{Merge}$ process (see figure 4(b)). Suppose that in the actual implementation an internal error can occur: the channel $r$ can fail, and its signal is then appended to that originally sent on channel $p$ (below the two channels are renamed as $p'$ and $r'$). The receiving process has to take this into account:
$$\mathit{Sgls}' = \Big( \Box_{v \in \mathbb{B}}\; p'!v \to \mathit{stop} \;\parallel\; \Box_{v \in \mathbb{B}}\; r'!v \to \mathit{stop} \Big) \;\sqcap\; \sqcap_{v, v' \in \mathbb{B}}\; p'!vv' \to \mathit{stop}$$
$$\mathit{Merge}' = M'^{\langle\rangle}$$
$$M'^{t} = \begin{cases}
\Box_{b \in \{p', r'\},\; v \in \mathbb{B}}\; b!v \to M'^{\langle q!v\rangle} \;\Box\; \Box_{v, v' \in \mathbb{B}}\; p'!vv' \to M'^{\langle q!v, q!v'\rangle} & \text{if } t = \langle\rangle \\[4pt]
\mathit{head}(t) \to M'^{\mathit{tail}(t)} \;\Box\; \Box_{b \in \{p', r'\},\; v \in \mathbb{B}}\; b!v \to M'^{t \frown \langle q!v\rangle} \;\Box\; \Box_{v, v' \in \mathbb{B}}\; p'!vv' \to M'^{t \frown \langle q!v, q!v'\rangle} & \text{if } t \neq \langle\rangle
\end{cases}$$
We have $\mathit{Sgls} \otimes \mathit{Merge} = \mathit{Sgls}' \otimes \mathit{Merge}'$ and the communication between $\mathit{Sgls}'$ and $\mathit{Merge}'$ can be described by the extraction pattern $\mathit{double}$ defined in the following way:
dom = (p
0
[ r
0
)

ref(t) =
n
R j p
0
[ r
0
6 R
o
extr(t  hai) =
8
>
>
<
>
>
:
extr(t)  hp!vi if a = p
0
!v
extr(t)  hr!vi if a = r
0
!v
extr(t)  hp!v; r!v
0
i if a = p
0
!vv
0
inv(a) =
8
<
:
hp
0
!vi if a = p!v
hr
0
!vi if a = r!v
Notice that double cannot be decomposed onto two extraction patterns. For there is a trace over p
0
generated by Sgls
0
which can be used to extract information about the intended communication on
12
both p and r. This, however, means that the targets of one of the extraction patterns would have to
include both p and r, which is not possible (the targets of composed extraction patterns are non-empty
and disjoint).
4 Extraction in Acyclic Networks
Suppose that we implemented the base GIO process $P$ using another process $Q$. The correctness of the implementation will be expressed in terms of two extraction patterns, $\mathit{ep}$ and $\mathit{ep}'$. The former (with sources $\mathit{in}Q$ and targets $\mathit{in}P$) will be used to relate the communication on the input channels of $P$ and $Q$; the latter (with sources $\mathit{out}Q$ and targets $\mathit{out}P$) will serve a similar purpose for the output channels. There are four main properties that $Q$ has to satisfy according to the definition given below. Firstly, if a trace $t$ of $Q$ projected on its input channels can be interpreted by $\mathit{ep}$, then it should be possible to interpret the projection on the output channels by $\mathit{ep}'$ (see WI1 and IG1). Secondly, when connected to another process and supplied with a valid input (i.e. belonging to $\mathit{Dom}$), $Q$ should not introduce divergence (this rules out an infinite uninterrupted communication on the output channels; see WI1 and IG2) and should not refuse `proper' input (this rules out refusals which might lead to a deadlock with another process that provides input to $Q$ and whose refusals are constrained by $\mathit{ep}$; see WI2). Thirdly, if $Q$ is to receive input from process $S$ and send its output to process $W$, then after $S$ has communicated all the input to $Q$, $Q$ cannot cause a deadlock in the communication with $W$ until all the results produced have been sent to $W$ (WI3). Finally, we ensure that the purely functional behaviour of $P$ (i.e. that in terms of traces) can be realised by $Q$ (WI4). Formally, $Q$ is a weak implementation of $P$ if the following hold.
WI1 $Q \in \mathit{IG}(\mathit{Dom}, \mathit{Dom}')$.
WI2 If $(t, R) \in Q$ is such that $t\lceil\mathit{in}Q \in \mathit{Dom}$ then $\mathit{in}Q - R \notin \mathit{ref}(t\lceil\mathit{in}Q)$.
WI3 If $(t, R) \in Q$ is such that $t\lceil\mathit{in}Q \in \mathit{dom}$ and $\mathit{out}Q \cap R \notin \mathit{ref}'(t\lceil\mathit{out}Q)$ then $t\lceil\mathit{out}Q \in \mathit{dom}'$ and $\mathit{extr}_{\mathit{ep} \otimes \mathit{ep}'}(t) \in \tau P$.
WI4 $\mathit{inv}_{\mathit{ep} \otimes \mathit{ep}'}(P) \subseteq Q$.
We denote this by $Q \in \mathit{WI}(P, \mathit{ep}, \mathit{ep}')$. It is not difficult to see that $\mathit{WI}(P, \mathit{id}_{\mathit{in}P}, \mathit{id}_{\mathit{out}P}) \subseteq \mathit{GIO}$, and that the process $P$ is its own weak implementation based on identity extraction patterns, $P \in \mathit{WI}(P, \mathit{id}_{\mathit{in}P}, \mathit{id}_{\mathit{out}P})$. Note also that $Q \in \mathit{WI}(P, \mathit{id}_{\mathit{in}P}, \mathit{id}_{\mathit{out}P})$ does not necessarily imply $Q = P$, even if $P \in \mathit{DIO}$. For an output-only $P$ we denote $Q \in \mathit{WI}(P, \mathit{ep}')$ if WI4 holds and the following two conditions are satisfied:
WI1$'$ $Q$ is finite and included in $\mathit{Dom}'$.
WI3$'$ If $(t, R) \in Q$ is such that $\mathit{out}Q \cap R \notin \mathit{ref}'(t)$ then $t \in \mathit{dom}'$ and $\mathit{extr}_{\mathit{ep}'}(t) \in \tau P$.
4.1 Examples revisited
It can be checked that the following hold (below $\mathit{fs} = \mathit{fs}(p, \{r, s\}, \{r\})$):
$$\begin{array}{ll}
\mathit{Sgl}_1 \notin \mathit{WI}(\mathit{Sgl}, \mathit{fs}) & \mathit{Sgl}_2 \in \mathit{WI}(\mathit{Sgl}, \mathit{fs}) \\[2pt]
\mathit{Sgl}_3 \in \mathit{WI}(\mathit{Sgl}, \mathit{twice}) & \mathit{Sgls}' \in \mathit{WI}(\mathit{Sgls}, \mathit{double}) \\[2pt]
\mathit{Buffer}' \in \mathit{WI}(\mathit{Buffer}, \mathit{fs}, \mathit{id}_q) & \mathit{Buffer}_1 \in \mathit{WI}(\mathit{Buffer}, \mathit{twice}, \mathit{id}_q) \\[2pt]
\mathit{Merge}' \in \mathit{WI}(\mathit{Merge}, \mathit{double}, \mathit{id}_q) &
\end{array}$$
Process $\mathit{Sgl}_1$ is not a weak implementation of $\mathit{Sgl}$ since it fails to satisfy WI3$'$. In fact, $\mathit{Sgl}_1 \notin \mathit{WI}(\mathit{Sgl}, \mathit{ep}')$ for any extraction pattern $\mathit{ep}'$, since $(\langle\rangle, r \cup s) \in \mathit{Sgl}_1$ and $r \cup s \notin \mathit{ref}'(\langle\rangle)$ (see EP3). On the other hand, $(\mathit{extr}'(\langle\rangle), \mathit{out}\mathit{Sgl}) = (\langle\rangle, p) \notin \mathit{Sgl}$, contradicting WI3$'$. Consider two more examples, $\mathit{Buffer}_2$ and $\mathit{Buffer}_3$:
$$\begin{array}{rcl}
\mathit{Buffer}_2 & = & \mathit{Buffer}' \;\Box\; r!0 \to s!1 \to b \\[2pt]
b & = & q!0 \to b \\[2pt]
\mathit{Buffer}_3 & = & \mathit{buffer}_{rq} \parallel \mathit{stop}_s
\end{array}$$
We have $\mathit{Buffer}_2, \mathit{Buffer}_3 \in \mathit{WI}(\mathit{Buffer}, \mathit{fs}, \mathit{id}_q)$. Although $\mathit{Buffer}_2$ can produce infinite uninterrupted output, this does not matter, as it can only happen for input of the form $\langle r!0, s!1\rangle$, which is not in the domain of $\mathit{fs}$. $\mathit{Buffer}_3$ is also acceptable despite $s$ being blocked, as channel $r$ is reliable.
4.2 Compositionality and realisability
To support modular treatment of networks of implementations we will use two properties, compositionality and realisability. The former means that the parallel composition of two weak implementations is a weak implementation of the parallel composition of the base processes, and is formulated as theorem 4.1. The latter amounts to saying that it is possible to use implementations in place of the base processes.
Theorem 4.1 Let $K$ and $L$ be two GIO processes as in figure 1, and let $c, d, e, f$ and $g$ be extraction patterns whose targets are respectively the channel sets $C, D, E, F$ and $G$.$^5$ If $M \in \mathit{WI}(K, c, d \otimes e)$ and $N \in \mathit{WI}(L, d \otimes f, g)$ then $M \otimes N \in \mathit{WI}(K \otimes L, c \otimes f, e \otimes g)$. $\Box$
Realisability is captured in the next theorem. In what follows, for two GIO processes $P$ and $Q$, we will denote $Q \sqsubseteq P$ if $\mathit{in}P = \mathit{in}Q$, $\mathit{out}P = \mathit{out}Q$, $\tau Q = \tau P$ and $\phi Q \subseteq \phi P$.
Theorem 4.2 If $Q \in \mathit{WI}(P, \mathit{id}_{\mathit{in}P}, \mathit{id}_{\mathit{out}P})$ then $Q \sqsubseteq P$. $\Box$
Why can this be regarded as a result expressing an adequate notion of realisability? First, note that given $Q' \in \mathit{WI}(P, \mathit{ep}, \mathit{ep}')$, where $\mathit{ep}$ and $\mathit{ep}'$ are general extraction patterns, compositionality in many situations allows $Q \in \mathit{WI}(P, \mathit{id}_{\mathit{in}P}, \mathit{id}_{\mathit{out}P})$ to be constructed, e.g., using the extractors and disturbers discussed in the next section (for a DIO process $P$ this is always possible). As for the $\sqsubseteq$ relation, think of an environment for processes $Q$ and $P$ which is represented by an arbitrary GIO process $\mathit{Rcv}$ which is to receive the results produced by $Q$ and $P$, as shown in figure 5. It turns out that $Q \sqsubseteq P$ implies:$^6$
$$\tau(Q \otimes \mathit{Rcv}) = \tau(P \otimes \mathit{Rcv}) \qquad\qquad \phi(Q \otimes \mathit{Rcv}) \subseteq \phi(P \otimes \mathit{Rcv}).$$
The former property means that as far as functionality is concerned, $Q \otimes \mathit{Rcv}$ and $P \otimes \mathit{Rcv}$ are equivalent processes. The latter property means that $Q \otimes \mathit{Rcv}$ is a more deterministic process than $P \otimes \mathit{Rcv}$ in the sense of [3]. This makes $Q \otimes \mathit{Rcv}$ as good a process as $P \otimes \mathit{Rcv}$ (and possibly a much better one) to be used in the actual implementation. Note that the underlying philosophy of [3] is to allow processes that are as non-deterministic as possible for specification, but as deterministic as possible for actual implementation; our approach is thus in line with that advocated there. Hence theorem 4.2 captures an adequate notion of realisability.
$^5$ If any of the sets is empty, the corresponding extraction pattern is simply left out.
$^6$ See proposition A.8.
Figure 5: Realisability of GIO processes. The diagram shows $P$ and, below it, $Q$, each with channels $p_1, \ldots, p_m$ and $q_1, \ldots, q_n$, connected to a receiver $\mathit{Rcv}$ with channels $r_1, \ldots, r_l$.
It is worth observing that the above realisability result can be strengthened if we assume that $t \frown \langle a\rangle \notin \tau P$ whenever $(t, \mathit{out}P) \in \phi P$ and $a \in \mathit{out}P$. This means that $P$ can refuse to generate any output only if its functional specification in terms of traces rules this out. We denote $P \in \mathit{GIO}'$ in such a case. Note that $\mathit{DIO} \subseteq \mathit{GIO}' \subseteq \mathit{GIO}$ and $\mathit{Merge} \in \mathit{GIO}'$; however, $\mathit{GIO}'$ processes are not compositional. It then follows$^7$ that if $P \in \mathit{GIO}'$ then $Q \otimes \mathit{Rcv} = P \otimes \mathit{Rcv}$.
4.3 Networks of processes
The compositionality result of theorem 4.1 is easily extended to process networks. Indeed, let $P_1, \ldots, P_k$ be a network of base GIO processes, and let $Q_i$ be a weak implementation of $P_i$, for all $i$. Using theorem 4.1 and induction it is straightforward to prove that the network $Q_1, \ldots, Q_k$ represents a weak implementation of the network $P_1, \ldots, P_k$. However, the possible topology of the latter is restricted by the hypothesis (illustrated in figure 1) of theorem 4.1. The base network must be acyclic in the sense that there should be no processes $P_{k_1}, P_{k_2}, \ldots, P_{k_l} = P_{k_1}$ such that $\mathit{out}P_{k_i} \cap \mathit{in}P_{k_{i+1}} \neq \emptyset$, for $i < l$.
The notion of weak implementation cannot be used to deal with cyclic networks of base processes, as it is possible to introduce an extra divergence which is not present in the base network. We illustrate this point with the following example.
Let $\mathit{Buf} = \mathit{buffer}_{pq} \parallel \mathit{stop}_r$ be a process with input channel $p$ and output channels $q$ and $r$. Intuitively, $\mathit{Buf}$ behaves like $\mathit{buffer}_{pq}$ with a dormant output channel $r$. Moreover, let
$$\begin{array}{rcl}
\mathit{BUF} & = & \mathit{Buf}_1 \parallel \mathit{Buf}_2 \parallel \mathit{Buf}_3 \\[2pt]
\mathit{Buf}_i & = & \mathit{Buf}[p_i/p][q_i/q][r_i/r] \quad (i = 1, 2, 3) \\[2pt]
\mathit{buf} & = & \mathit{buffer}_{q_1 p_1} \parallel \mathit{buffer}_{q_2 p_2} \parallel \mathit{buffer}' \\[2pt]
\mathit{buffer}' & = & q_3!0 \to \mathit{buffer}_{q_3 p_3}
\end{array}$$
We also need three extraction patterns $\mathit{mv}_b = \mathit{mv}(b, \{b_1, b_2, b_3\}, \{b_1, b_2\})$, for $b \in \{p, q, r\}$. It can be checked that $\mathit{BUF}$ and $\mathit{buf}$ are weak implementations of $\mathit{Buf}$ and $\mathit{buffer}_{qp}$:
$$\mathit{BUF} \in \mathit{WI}(\mathit{Buf}, \mathit{mv}_p, \mathit{mv}_q \otimes \mathit{mv}_r) \qquad\qquad \mathit{buf} \in \mathit{WI}(\mathit{buffer}_{qp}, \mathit{mv}_q, \mathit{mv}_p).$$
Yet, when $\mathit{BUF}$ and $\mathit{buf}$ are combined together, the implementation relation is not preserved:
$$\mathit{BUF} \otimes \mathit{buf} \notin \mathit{WI}(\mathit{Buf} \otimes \mathit{buffer}_{qp}, \mathit{mv}_r) = \mathit{WI}(\mathit{stop}_r, \mathit{mv}_r)$$
$^7$ See proposition A.9.
Figure 6: Extracting DIO process. $\mathit{Dist}$ feeds $Q'$ on channels $p'_1, \ldots, p'_m$ (related to $p_1, \ldots, p_m$ by $\mathit{ep}$), and $\mathit{Extr}$ receives from $Q'$ on channels $q'_1, \ldots, q'_n$ (related to $q_1, \ldots, q_n$ by $\mathit{ep}'$).
since $\mathit{BUF} \otimes \mathit{buf}$ diverges at the very beginning (this follows from $\{\langle p_3!0, q_3!0\rangle\}^* \subseteq \tau(\mathit{BUF} \parallel \mathit{buf})$). To cope with cyclic networks a stronger notion of correct implementation is needed. A possible approach has been presented in [6]; a more refined one is introduced in section 5.
4.4 DIO processes
For deterministic input/output processes the results from the previous section can be strengthened. To begin with, we can do without the last component of the extraction pattern, $\mathit{inv}$, and WI4. Moreover, the realisability result has a particularly pleasant form.
With the same assumptions as before, a process $Q$ is a semi-weak implementation of a DIO process $P$ if WI1, WI2 and WI3 are satisfied. We denote this by $Q \in \mathit{sWI}(P, \mathit{ep}, \mathit{ep}')$. The compositionality result for $\mathit{sWI}$ holds; its wording is exactly the same as that of theorem 4.1 with WI changed to sWI, and $K, L \in \mathit{DIO}$.$^8$
The relationship between a DIO process $P$ and one of its semi-weak implementations $Q' \in \mathit{sWI}(P, \mathit{ep}, \mathit{ep}')$ can be characterised in the following way. First we observe that it is possible to place $Q'$ in an environment such that the resulting process is a semi-weak implementation of $P$ based on identity extraction patterns. This environment is built using two special processes called a disturber, $\mathit{Dist}$, and an extractor, $\mathit{Extr}$ (see figure 6). Intuitively, the former provides noisy but sufficiently redundant input for the implementation, and the latter can interpret the results it produces. Formally, $\mathit{Dist}$ and $\mathit{Extr}$ are processes satisfying the following:
$$\begin{array}{rcl}
\mathit{Dist} & \in & \mathit{sWI}(\mathit{buffer}_{p'_1 p_1} \parallel \cdots \parallel \mathit{buffer}_{p'_m p_m},\; \mathit{id}_{\mathit{in}\mathit{Dist}},\; \mathit{ep}) \\[2pt]
\mathit{Extr} & \in & \mathit{sWI}(\mathit{buffer}_{q_1 q'_1} \parallel \cdots \parallel \mathit{buffer}_{q_n q'_n},\; \mathit{ep}',\; \mathit{id}_{\mathit{out}\mathit{Extr}}).
\end{array}$$
From theorem 2.1, the compositionality results for DIO processes, and the fact that DIO processes are insensitive to buffering their input and output channels [8], it follows that $Q'$ composed with the disturber and extractor is a semi-weak implementation of $P$:
$$\mathit{Dist} \otimes Q' \otimes \mathit{Extr} \in \mathit{sWI}(P[p'_1/p_1] \cdots [p'_m/p_m][q'_1/q_1] \cdots [q'_n/q_n],\; \mathit{id}_{\mathit{in}\mathit{Dist}},\; \mathit{id}_{\mathit{out}\mathit{Extr}}).$$
From this we immediately obtain that $Q \in \mathit{sWI}(P, \mathit{id}_{\mathit{in}P}, \mathit{id}_{\mathit{out}P})$, where
$$Q = (\mathit{Dist} \otimes Q' \otimes \mathit{Extr})[p_1/p'_1] \cdots [p_m/p'_m][q_1/q'_1] \cdots [q_n/q'_n].$$
That is, provided that we know how to construct disturbers and extractors, $Q'$ can be transformed into a weak implementation of $P$ based on identity extraction patterns. It now follows that if we take the receiver process $\mathit{Rcv}$ as in figure 5, $\mathit{Rcv} \in \mathit{DIO}$, and connect it to both $P$ and $Q$, then $Q \otimes \mathit{Rcv} = P \otimes \mathit{Rcv}$.$^9$ The resulting realisability result is therefore stronger than that for GIO processes
$^8$ See corollary A.11.
$^9$ See proposition A.12.
Figure 7: Base processes for cyclic networks and processes in mixed compositionality. (a) $K$ and $L$ with channel sets $C, D, E, F, G$ and $H$; (b) $K$ and $L$ with channel sets $C, D, E$ and $G$.
and similar to that for $\mathit{GIO}'$ processes. Moreover, if we take the receiver to be a simple array of buffers, $\mathit{Rcv} = \mathit{buffer}_{q_1 r_1} \parallel \cdots \parallel \mathit{buffer}_{q_n r_n}$, then it is almost immediate to see that $(Q \otimes \mathit{Rcv})[q_1/r_1] \cdots [q_n/r_n] = P$. In this way we have shown that, starting from an arbitrary semi-weak implementation of $P \in \mathit{DIO}$, it is possible to extract process $P$ exactly, provided that we know how to implement buffer processes.
5 Extraction in Cyclic Networks
To deal with cyclic networks we need another pair of base processes $K$ and $L$, as shown in figure 7(a). The first problem we face is that $K \otimes L$ will not, in general, be a GIO process even though both $K$ and $L$ are. Our treatment is therefore restricted to well-behaved cases (i.e., those which do not lead to divergence). We say that the processes $K$ and $L$ are compatible if for every infinite set of traces $T \subseteq \tau(K \parallel L)$, the set $T\lceil\mathit{in}(K \otimes L)$ is also infinite. It follows that if $K$ and $L$ are compatible GIO processes then $K \otimes L \in \mathit{GIO}$.$^{10}$
With the same assumptions as those used in the definition of WI, $Q$ is a strong implementation of $P$ if the following hold.
SI1 If $T \subseteq \tau Q$ and $T\lceil\mathit{in}Q \subseteq \mathit{Dom}$ then
(a) $T\lceil\mathit{out}Q \subseteq \mathit{Dom}'$.
(b) If $T$ is infinite then so is $\mathit{extr}(T\lceil\mathit{in}Q)$.
(c) $\mathit{extr}_{\mathit{ep} \otimes \mathit{ep}'}(T) \subseteq \tau P$.
SI2 If $(t, R) \in Q$ is such that $t\lceil\mathit{in}Q \in \mathit{Dom}$ then $\mathit{in}Q - R \notin \mathit{ref}(t\lceil\mathit{in}Q)$.
SI3 If $(t, R) \in Q$ is such that $t\lceil\mathit{in}Q \in \mathit{Dom}$ and $\mathit{out}Q \cap R \notin \mathit{ref}'(t\lceil\mathit{out}Q)$ then
(a) $t\lceil\mathit{out}Q \in \mathit{dom}'$
(b) $t \in \mathit{dom}_{\mathit{ep} \otimes \mathit{ep}'} \;\Rightarrow\; \mathit{extr}_{\mathit{ep} \otimes \mathit{ep}'}(t) \in \tau P$.
SI4 $\mathit{inv}_{\mathit{ep} \otimes \mathit{ep}'}(P) \subseteq Q$.
We denote this by $Q \in \mathit{SI}(P, \mathit{ep}, \mathit{ep}')$. The main difference between this and the previous definition is that IG2 in the definition of input-guardedness has been replaced by a stronger condition, SI1(b), which can be interpreted as input-guardedness relative to extraction. Moreover, we have slightly strengthened WI3 and added SI1(c) to explicitly state that extracted valid traces of $Q$ are traces of $P$
$^{10}$ See proposition A.13.
(we need this to prove compositionality). As before, $P$ is its own implementation based on identity extraction patterns, $P \in \mathit{SI}(P, \mathit{id}_{\mathit{in}P}, \mathit{id}_{\mathit{out}P})$.
For an output-only $P$ the last definition reduces to WI3$'$, SI4 and the requirement that $Q$ be a finite subset of $\mathit{Dom}'$ such that $\mathit{extr}_{\mathit{ep}'}(Q) \subseteq \tau P$. It is worth noting that $\mathit{extr}_{\mathit{ep}'}(Q) \subseteq \tau P$ can be derived from WI3$'$ and $\mathit{ep}'$ being monotonic. Thus, for output-only base processes $P$, the notions of weak and strong implementation coincide. This is not true in general. For example,
$$\mathit{BUF} \notin \mathit{SI}(\mathit{Buf}, \mathit{mv}_p, \mathit{mv}_q \otimes \mathit{mv}_r) \quad\text{and}\quad \mathit{buf} \notin \mathit{SI}(\mathit{buffer}_{qp}, \mathit{mv}_q, \mathit{mv}_p)$$
where $\mathit{BUF}$ and $\mathit{buf}$ are the processes used to show that WI is insufficient to deal with cyclic networks of processes. However, we do have the expected (and immediate) result that being a strong implementation implies also being a weak implementation. Consequently, the realisability result for strong implementation follows from theorem 4.2. Compositionality is given below.
Theorem 5.1 Let $K$ and $L$ be two compatible GIO processes as in figure 7(a), and let $c, d, e, f, g$ and $h$ be extraction patterns whose targets are respectively the channel sets $C, D, E, F, G$ and $H$. If $M \in \mathit{SI}(K, c \otimes h, d \otimes e)$ and $N \in \mathit{SI}(L, d \otimes f, g \otimes h)$ then $M \otimes N \in \mathit{SI}(K \otimes L, c \otimes f, e \otimes g)$. $\Box$
In this way we have shown that strong implementation is a suitable notion for dealing with cyclic networks of processes under the proviso that the base processes are compatible (more precisely, if we can decompose the base network down to single processes in such a way that at each stage compatibility is satisfied), an assumption which roughly amounts to saying that their parallel composition does not introduce any divergence.
5.1 Relationship between weak and strong implementability
The two notions of implementability we proposed are quite similar. And although SI is in general stronger, there are several cases for which SI is the same as WI. We have already mentioned that this holds for output-only base processes. In fact, a stronger result holds:$^{11}$ if $\mathit{ep}$ is an extraction pattern such that $\mathit{dom}$ is prefix-closed and $\mathit{extr}^{-1}(w)$ is always finite (note that identity extraction patterns satisfy these two conditions), then $\mathit{WI}(P, \mathit{ep}, \mathit{ep}') = \mathit{SI}(P, \mathit{ep}, \mathit{ep}')$. It is also possible to obtain an interesting and useful (see section 6) result that two processes, a weak and a strong implementation, can be composed together to form a strong implementation. The connectivity of the base processes, however, has to be restricted.
Theorem 5.2 Let $K$ and $L$ be two GIO processes as in figure 7(b), and let $c, d, e$ and $g$ be extraction patterns whose targets are respectively the channel sets $C, D, E$ and $G$. If $M \in \mathit{SI}(K, c, d \otimes e)$ and $N \in \mathit{WI}(L, d, g)$ then $M \otimes N \in \mathit{SI}(K \otimes L, c, e \otimes g)$. $\Box$
We also define semi-strong implementation for a DIO process $P$, denoted $Q \in \mathit{sSI}(P, \mathit{ep}, \mathit{ep}')$, by assuming that SI1-SI3 hold. The realisability result for $\mathit{sSI}$ follows immediately from that for $\mathit{sWI}$, as we clearly have $\mathit{sSI} \subseteq \mathit{sWI}$. Compositionality and mixed compositionality (in combination with $\mathit{sWI}$) are also satisfied.$^{12}$
$^{11}$ See proposition A.15.
$^{12}$ See corollaries A.14 and A.16.
5.2 Algebraic properties of implementation
This section provides a quick look at the process algebraic properties of implementation relations. Their relevance stems from the fact that they can be used in the future development of verification techniques for the ERT model.
Let $\mathit{Impl}$ be any of $\mathit{WI}$, $\mathit{sWI}$, $\mathit{SI}$ and $\mathit{sSI}$. Then, for any two base processes $K$ and $L$ with disjoint channels, the following holds (below we make the usual assumptions about the extraction patterns).
$$M \parallel N \in \mathit{Impl}(K \parallel L, c \otimes f, e \otimes g) \;\iff\; M \in \mathit{Impl}(K, c, e) \wedge N \in \mathit{Impl}(L, f, g).$$
A similar conclusion can be drawn for processes combined using the non-deterministic choice operator: let $\mathit{sImpl}$ be $\mathit{sSI}$ or $\mathit{sWI}$, and $\mathit{in}Q = \mathit{in}Q'$ and $\mathit{out}Q = \mathit{out}Q'$. Then
$$Q \sqcap Q' \in \mathit{sImpl}(P, \mathit{ep}, \mathit{ep}') \;\iff\; Q \in \mathit{sImpl}(P, \mathit{ep}, \mathit{ep}') \wedge Q' \in \mathit{sImpl}(P, \mathit{ep}, \mathit{ep}').$$
For the general versions of the last result we have to add one condition: let $\mathit{Impl}$ be $\mathit{WI}$ or $\mathit{SI}$, and $\mathit{sImpl}$ be its `semi-' version. Then
$$Q \sqcap Q' \in \mathit{Impl}(P, \mathit{ep}, \mathit{ep}') \;\iff\; Q \in \mathit{sImpl}(P, \mathit{ep}, \mathit{ep}') \wedge Q' \in \mathit{sImpl}(P, \mathit{ep}, \mathit{ep}') \wedge \mathit{inv}_{\mathit{ep} \otimes \mathit{ep}'}(P) \in Q \cup Q'.$$
Although it is interesting to see whether other CSP operators can lead to a similar characterisation of implementation relations, from the point of view of dealing with fault tolerant systems the results involving the non-deterministic choice operator $\sqcap$ are of special interest. For the possibility of the occurrence of an internal fault in process $P$ will often be modelled by a process $P_{\mathit{faulty}} = P \sqcap P_{\mathit{error}}$, where $P$ represents a correctly behaving system, and $P_{\mathit{error}}$ its abnormal execution. For example, we can simplify the proof that $\mathit{Sgl}_1$ fails to be a weak implementation of $\mathit{Sgl}$ by observing that $\mathit{Sgl}_1 = \mathit{Sgl} \sqcap \mathit{stop}$ and that $\mathit{stop}$ cannot possibly be a semi-weak implementation of $\mathit{Sgl}$ (since, by EP3, $\mathit{stop}$ can never satisfy WI2). Similarly, the correctness proof for $\mathit{Sgl}_2$ can be simplified by breaking it down into two subproofs.
6 Implementing Replication
We now address the problem of proving the correctness of a standard replication scheme. Here an important issue is the interplay between the fault assumptions and the extraction strategy. We will present the treatment for majority voting and fail-stop processes.
The architecture of the base process $P$ we consider is shown in figure 8. It is composed of two subprocesses, $\mathit{AU} \in \mathit{GIO}$ and $\mathit{FU} \in \mathit{DIO}$. The former represents the arbiter unit, which receives messages on input channels $p_1, \ldots, p_m$ and then forwards them, along channels $r_1, \ldots, r_l$, to the functional unit, $\mathit{FU}$. We independently replicate the arbiter unit, and then assemble it together with $N$ copies of the functional unit (some of them possibly faulty), as shown in figure 8.
The arbiter unit is implemented by process $\mathit{au}$. The communication on the input channels of $\mathit{au}$ and $\mathit{AU}$ is related using an arbitrary extraction pattern $\mathit{ep}$. The output produced by $\mathit{au}$ is more constrained. It is sent along $l \cdot N$ channels, $r_{ij}$, $\mathit{msg}\,r_i = \mathit{msg}\,r_{ij}$, which are intended to carry the replicated output feeding the $N$ copies of the functional unit, $\mathit{fu} = \mathit{fu}_1 \parallel \cdots \parallel \mathit{fu}_N$.
The replicated arbiter process, $\mathit{au}$, produces output which can be used for majority voting. Without loss of generality, we assume that the first $M$ processes, $\tfrac{1}{2}N < M$, and the associated channels, are correct. Moreover,
Figure 8: Internal structure of the base process and an architecture for replication of the base process. Top: $P$ composed of $\mathit{AU}$ (inputs $p_1, \ldots, p_m$) and $\mathit{FU}$ (outputs $q_1, \ldots, q_n$), linked by channels $r_1, \ldots, r_l$. Bottom: $\mathit{au}$ feeding $\mathit{fu}_1, \ldots, \mathit{fu}_N$ over $r_{11}, \ldots, r_{lN}$, with outputs $q_{11}, \ldots, q_{nN}$, and inputs related to those of $P$ by $\mathit{ep}$.
• The output of $\mathit{au}$ is assumed to conform to the extraction pattern $\mathit{Mv} = \mathit{mv}_1 \otimes \cdots \otimes \mathit{mv}_l$, where $\mathit{mv}_i = \mathit{mv}(r_i, \{r_{i1}, \ldots, r_{iN}\}, \{r_{i1}, \ldots, r_{iM}\})$.
• The output produced by $\mathit{au} \otimes \mathit{fu}$ is characterised by $\mathit{Mv}' = \mathit{mv}'_1 \otimes \cdots \otimes \mathit{mv}'_n$, where $\mathit{mv}'_j = \mathit{mv}(q_j, \{q_{j1}, \ldots, q_{jN}\}, \{q_{j1}, \ldots, q_{jM}\})$.
• We also assume that, for $i > M$, $\mathit{fu}_i \in \mathit{IG}$, and that $\mathit{fu}_i = \mathit{FU}[r_{1i}/r_1] \cdots [r_{li}/r_l][q_{1i}/q_1] \cdots [q_{ni}/q_n]$, for $i \le M$.
With the above assumptions it is possible to show that $\mathit{au} \otimes \mathit{fu}$ implements $P$ according to all four definitions of implementation. The result follows from the compositionality theorems and $\mathit{fu} \in \mathit{WI}(\mathit{FU}, \mathit{mv}, \mathit{Mv}')$, the proof of which is straightforward. That is, we have the following (below $\mathit{Impl}$ is any of $\mathit{WI}$, $\mathit{sWI}$ and $\mathit{sSI}$).
$$\begin{array}{rcl}
\mathit{au} \in \mathit{Impl}(\mathit{AU}, \mathit{ep}, \mathit{Mv}) & \Rightarrow & \mathit{au} \otimes \mathit{fu} \in \mathit{Impl}(P, \mathit{ep}, \mathit{Mv}') \\[2pt]
\mathit{au} \in \mathit{SI}(\mathit{AU}, \mathit{ep}, \mathit{Mv}) & \Rightarrow & \mathit{au} \otimes \mathit{fu} \in \mathit{sSI}(P, \mathit{ep}, \mathit{Mv}')
\end{array}$$
For the fail-stop extraction patterns we make the same assumptions as before, except for $M > \tfrac{1}{2}N$, and with the following additions:
• $\mathit{Fs} = \mathit{fs}_1 \otimes \cdots \otimes \mathit{fs}_l$, where $\mathit{fs}_i = \mathit{fs}(r_i, \{r_{i1}, \ldots, r_{iN}\}, \{r_{i1}, \ldots, r_{iM}\})$.
• $\mathit{Fs}' = \mathit{fs}'_1 \otimes \cdots \otimes \mathit{fs}'_n$, where $\mathit{fs}'_j = \mathit{fs}(q_j, \{q_{j1}, \ldots, q_{jN}\}, \{q_{j1}, \ldots, q_{jM}\})$.
• For $i > M$, $\mathit{fu}_i$ is any process such that $\tau\mathit{fu}_i \subseteq \tau\mathit{FU}[r_{1i}/r_1] \cdots [r_{li}/r_l][q_{1i}/q_1] \cdots [q_{ni}/q_n]$.
We obtain a similar result as before. Again, it follows from the compositionality theorems and $\mathit{fu} \in \mathit{WI}(\mathit{FU}, \mathit{Fs}, \mathit{Fs}')$ (below $\mathit{Impl}$ is any of $\mathit{WI}$, $\mathit{sWI}$ and $\mathit{sSI}$).
$$\begin{array}{rcl}
\mathit{au} \in \mathit{Impl}(\mathit{AU}, \mathit{ep}, \mathit{Fs}) & \Rightarrow & \mathit{au} \otimes \mathit{fu} \in \mathit{Impl}(P, \mathit{ep}, \mathit{Fs}') \\[2pt]
\mathit{au} \in \mathit{SI}(\mathit{AU}, \mathit{ep}, \mathit{Fs}) & \Rightarrow & \mathit{au} \otimes \mathit{fu} \in \mathit{sSI}(P, \mathit{ep}, \mathit{Fs}')
\end{array}$$
We have presented the ERT model and illustrated the ideas behind its design by means of several examples. The model is general in that it allows one to relate the behaviour of two systems which may have different interfaces and/or different patterns of information exchange flowing through these interfaces. ERT also supports a natural and expressive way of specifying fault assumptions in process behaviours. As a result, we envisage that one should be able to apply ERT to a variety of distributed system architectures and, in particular, different fault tolerant techniques, provided that the base processes providing high level specifications adhere to the GIO rules. In essence, this means that they communicate by asynchronous message passing.
7 Modelling CA Actions
We have shown that ERT can be used to capture the correctness of a fault tolerant architecture based on N-modular redundancy. In this section, we will discuss what could be a possible ERT based approach to the modelling of systems built using the CA action structuring mechanism. Before describing our approach, we briefly review the main features of ERT and the extent to which they match those of CA actions.
• Interaction between processes is through message-passing with point-to-point communication. The former fits well with the object-oriented framework within which CA actions are defined. The latter might cause some problems if, for instance, message broadcast was to be modelled; in such a case one could add special processes multiplying outgoing messages and forwarding them to several receivers.
• Base processes are GIO. The definition of a GIO process means that ERT can handle networks of implementations whose abstract specifications communicate by means of asynchronous message passing (synchronous message passing could be implemented, if necessary, on top of an underlying asynchronous message passing mechanism). It is expected that a substantial part of CA action based systems would fall into this category.
• Realisability by extraction and compositionality. This crucial property of the ERT model formalises a fundamental characteristic of fault tolerant systems, namely what it means for an implementation to be acceptable in the presence of faults. The parameterisation by general extraction patterns of the various notions of implementation relation makes ERT suitable for a wide range of concrete fault tolerant techniques. This is complemented by compositionality, which allows each of the processes in a network to be considered separately and proved correct with respect to an abstract specification.
We therefore conclude that the main features of the ERT model are compatible with those expected of many potential applications of CA actions. What still remains to be discussed is the atomicity of operations performed on external (shared) objects. At this point we do not see a direct need to introduce such a requirement explicitly into the formalisation of CA actions. This corresponds to the view that atomicity is a feature of a communication protocol between CA actions and external objects, and not a property of either of these two objects alone. Thus dealing with it could be done at the level of the network of base processes, where an appropriate formal specification of communication between CA actions and shared objects could be designed and proved correct.
In the rest of this section, we first present an abstract CA action specification which conforms to the existing examples, such as those specified in [16] using an informal programming notation, as well as general rules specified elsewhere. We then propose two ways in which the CA action structuring technique could be supported by the model presented earlier in this paper. One of the crucial issues which has emerged from our investigation of ERT modelling of CA actions is whether the roles should
Figure 9: A base CA action process. $\mathit{CA}_{\mathit{spec}}$ with input channels $\mathit{call}_1, \ldots, \mathit{call}_m$ and output channels $\mathit{return}_1, \ldots, \mathit{return}_m$ and $\mathit{acc}_1, \ldots, \mathit{acc}_m$.
be modelled as computational parts of systems modelling CA actions, or as computational parts of threads calling CA actions. We shall discuss these two alternatives separately in sections 7.2 and 7.3, respectively. Finally, we discuss in more detail part of the CA action design presented in [16].
7.1 A formalisation of CA action
In its basic form, a CA action can be specified as a process, $\mathit{CA}_{\mathit{spec}}$, shown in figure 9. The behaviour of $\mathit{CA}_{\mathit{spec}}$ can be described as follows. Channels $\mathit{call}_1, \ldots, \mathit{call}_m$ are intended to carry messages with some input data (parameters) requesting access to $\mathit{CA}_{\mathit{spec}}$, each such message corresponding to the start of a role within the CA action. Intuitively, $\mathit{CA}_{\mathit{spec}}$ waits for a set of $m$ messages, each such message arriving along a different channel $\mathit{call}_i$, before accepting them for further processing. It is, however, generally not the case that any message set will be accepted as a valid call; more precisely, $\mathit{CA}_{\mathit{spec}}$ will only accept some of these potential input sets. It is therefore assumed that there is a non-empty set of valid inputs, $\mathit{Valid}$. Each $V \in \mathit{Valid}$ is a set of $m$ messages, $\{\mathit{call}_1!v_1, \ldots, \mathit{call}_m!v_m\} \in \mathit{call}_1 \cup \cdots \cup \mathit{call}_m$. It is also assumed that for such a $V$ there is a non-empty set $\mathit{return}(V)$ which comprises all possible outcomes of the processing of messages in $V$. Each element $U$ of $\mathit{return}(V)$ is a set of $m$ messages over the channels $\mathit{return}_i$, i.e., $U = \{\mathit{return}_1!v_1, \ldots, \mathit{return}_m!v_m\} \in \mathit{return}_1 \cup \cdots \cup \mathit{return}_m$. Note that it is implicitly assumed that an execution of the CA action produces a single result for each of the participating threads. This is a simplifying assumption which could easily be relaxed. Note also that an aborted execution of the CA action can be modelled by $U = \{\mathit{return}_1!\mathit{abort}, \ldots, \mathit{return}_m!\mathit{abort}\} \in \mathit{return}(V)$.
Since not all combinations of messages on channels $\mathit{call}_i$ are admissible, the CA action has $m$ additional channels $\mathit{acc}_i$ which are used to inform each of the threads attempting to enter $\mathit{CA}_{\mathit{spec}}$ whether or not the message has been accepted. $\mathit{CA}_{\mathit{spec}}$ keeps rejecting the calls from the threads until a message is received whose value is acceptable; the policy employed is one which accepts a message if it is not inconsistent with those already accepted. All messages received on $\mathit{call}_i$ are explicitly accepted or rejected. Note that if all possible combinations of messages arriving on channels $\mathit{call}_i$ were acceptable, then the channels $\mathit{acc}_i$ could be removed, thus simplifying the specification of $\mathit{CA}_{\mathit{spec}}$ (as in the example discussed at the end of this section).
After assembling a set of messages $V$ in $\mathit{Valid}$, the CA action produces (non-deterministically, as $\mathit{CA}_{\mathit{spec}}$ is a specification rather than an implementation; see our earlier discussion on realisability) one of the possible valid outcomes in $\mathit{return}(V)$.
The specification of $\mathit{CA}_{\mathit{spec}}$ is given by $\mathit{CA}_{\mathit{spec}} = \mathit{CA}^{\langle\rangle \cdots \langle\rangle}_{\emptyset}$. In the definition, we use parameterised process symbols $\mathit{CA}^{t_1 \cdots t_m}_{V}$ where $V$ is the current set of accepted messages, and each $t_i$ is the current sequence of messages still to be sent along channel $\mathit{acc}_i$.
Figure 10: CA action $\mathit{CA}^{I}_{\mathit{spec}}$ with internal roles. $\mathit{In}$ receives $\mathit{call}_1, \ldots, \mathit{call}_m$ and replies on $\mathit{acc}_1, \ldots, \mathit{acc}_m$; it feeds $\mathit{role}_1, \ldots, \mathit{role}_m$ over $\mathit{inr}_1, \ldots, \mathit{inr}_m$; the roles feed $\mathit{Out}$ over $\mathit{outr}_1, \ldots, \mathit{outr}_m$, and $\mathit{Out}$ produces $\mathit{return}_1, \ldots, \mathit{return}_m$; there is also a $\mathit{reset}$ channel.
$$\mathit{CA}^{t_1 \cdots t_m}_{V} = \begin{cases}
\sqcap_{U \in \mathit{return}(V)}\; \mathit{ca}^{t_1 \cdots t_m}_{U} & \text{if } |V| = m \\[4pt]
\Box_{i \le m,\; v \in \mathit{msg}\,\mathit{call}_i}\; \mathit{call}_i!v \to \mathit{CA}' & \text{if } |V| < m \wedge t_1 \frown \cdots \frown t_m = \langle\rangle \\[4pt]
\Box_{t_i \neq \langle\rangle}\; \mathit{head}(t_i) \to \mathit{CA}^{t_1 \cdots \mathit{tail}(t_i) \cdots t_m}_{\emptyset} \;\Box\; \Box_{i \le m,\; v \in \mathit{msg}\,\mathit{call}_i}\; \mathit{call}_i!v \to \mathit{CA}' & \text{if } |V| < m \wedge t_1 \frown \cdots \frown t_m \neq \langle\rangle
\end{cases}$$
where $\mathit{CA}'$ is given by the following formula:
$$\mathit{CA}' = \begin{cases}
\mathit{CA}^{t_1 \cdots t_i \frown \langle \mathit{acc}_i!\mathit{yes}\rangle \cdots t_m}_{V \cup \{\mathit{call}_i!v\}} & \text{if } V \cap \mathit{call}_i = \emptyset \;\wedge\; \exists V' \in \mathit{Valid} : V \cup \{\mathit{call}_i!v\} \subseteq V' \\[4pt]
\mathit{CA}^{t_1 \cdots t_i \frown \langle \mathit{acc}_i!\mathit{no}\rangle \cdots t_m}_{V} & \text{otherwise}
\end{cases}$$
and process $\mathit{ca}^{t_1 \cdots t_m}_{V}$ is defined thus:
$$\mathit{ca}^{t_1 \cdots t_m}_{V} = \begin{cases}
\mathit{CA}^{t_1 \cdots t_m}_{\emptyset} & \text{if } V = \emptyset \\[4pt]
\Box_{a \in V}\; a \to \mathit{ca}^{t_1 \cdots t_m}_{V - \{a\}} \;\Box\; \Box_{i \le m,\; v \in \mathit{msg}\,\mathit{call}_i}\; \mathit{call}_i!v \to \mathit{ca}^{t_1 \cdots t_i \frown \langle \mathit{acc}_i!\mathit{no}\rangle \cdots t_m}_{V} & \text{if } V \neq \emptyset \wedge t_1 \frown \cdots \frown t_m = \langle\rangle \\[4pt]
\Box_{t_i \neq \langle\rangle}\; \mathit{head}(t_i) \to \mathit{ca}^{t_1 \cdots \mathit{tail}(t_i) \cdots t_m}_{\emptyset} \;\Box\; \Box_{a \in V}\; a \to \mathit{ca}^{t_1 \cdots t_m}_{V - \{a\}} \;\Box\; \Box_{i \le m,\; v \in \mathit{msg}\,\mathit{call}_i}\; \mathit{call}_i!v \to \mathit{ca}^{t_1 \cdots t_i \frown \langle \mathit{acc}_i!\mathit{no}\rangle \cdots t_m}_{V} & \text{if } V \neq \emptyset \wedge t_1 \frown \cdots \frown t_m \neq \langle\rangle
\end{cases}$$
One can check that $CA_{spec}$ is a GIO process, and thus can be used as a base process. Note that
$CA_{spec}$ does not have any channels to communicate with external shared objects. This is a simplifying
assumption which could be removed. To do so, one would assume that $CA_{spec}$ has a set of input
channels, and a set of output channels to connect to the external objects. The handling of the
communication on these channels would depend on the particular protocol used by the application
considered. In general, no message to the external objects would be output before a $V$ set is accepted,
or after $CA_{spec}$ starts producing the results in $U \in return(V)$. Moreover, the choice of $U$ would depend
on the sequence of messages exchanged between $CA_{spec}$ and the external objects. The modelling of
these features is straightforward, yet strongly dependent on the application studied.
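The acceptance protocol just specified, as an added executable illustration (this is not code from the paper): a small Python model of $CA^{V}_{t_1 \cdots t_m}$ in which calls are admitted with the $CA'$ test, queued $acc_i$ replies are flushed as $head(t_i)$ messages, and one $U \in return(V)$ is emitted once $|V| = m$. The representation of $Valid$ as an explicit list of message sets, $return(V)$ as a Python callable, and the resolution of the nondeterministic choice of $U$ by taking the first candidate are assumptions chosen for the example.

```python
"""Executable model of the CA_spec acceptance protocol (added illustration, not
code from the paper).  Assumed, not given on the page: Valid is an explicit
list of message sets, return(V) is a Python callable, and the nondeterministic
choice of U in return(V) is resolved by taking the first candidate.  Messages
are (channel, value) pairs such as ("call_1", "a")."""
from typing import Callable, Dict, List, Optional, Set, Tuple

Msg = Tuple[str, object]


class CASpec:
    """State of CA^V_{t_1 ... t_m}: V = accepted calls, t[i] = replies queued
    on acc_i, results = U (return messages still to be sent) during the ca phase."""

    def __init__(self, m: int, valid: List[Set[Msg]],
                 ret: Callable[[Set[Msg]], List[Set[Msg]]]) -> None:
        self.m = m
        self.valid = [frozenset(v) for v in valid]
        self.ret = ret
        self.V: Set[Msg] = set()
        self.t: Dict[int, List[Msg]] = {i: [] for i in range(1, m + 1)}
        self.results: Optional[Set[Msg]] = None   # None while |V| < m

    def _admissible(self, i: int, v: object) -> bool:
        # The CA' test:  V ∩ call_i = ∅  and  ∃ V' ∈ Valid : V ∪ {call_i!v} ⊆ V'
        if any(ch == f"call_{i}" for ch, _ in self.V):
            return False
        candidate = self.V | {(f"call_{i}", v)}
        return any(candidate <= vp for vp in self.valid)

    def call(self, i: int, v: object) -> None:
        """Input call_i!v.  Accepted only while |V| < m and the CA' test holds;
        during the ca phase every call is answered with acc_i!no."""
        if self.results is None and self._admissible(i, v):
            self.V.add((f"call_{i}", v))
            self.t[i].append((f"acc_{i}", "yes"))
            if len(self.V) == self.m:                 # |V| = m: choose U ∈ return(V)
                self.results = set(self.ret(self.V)[0])
        else:
            self.t[i].append((f"acc_{i}", "no"))

    def flush(self) -> List[Msg]:
        """Send every pending head(t_i), then (in the ca phase) the result
        messages; when U is exhausted the action restarts as CA^∅."""
        sent: List[Msg] = []
        for i in range(1, self.m + 1):
            while self.t[i]:
                sent.append(self.t[i].pop(0))
        if self.results is not None:
            sent.extend(sorted(self.results, key=repr))
            self.results = None
            self.V = set()
        return sent


def demo() -> List[Msg]:
    """Constructed run with m = 2 and a single valid message set."""
    valid = [{("call_1", "a"), ("call_2", "b")}]
    ret = lambda V: [{("return_1", "ok"), ("return_2", "ok")}]
    ca = CASpec(2, valid, ret)
    ca.call(1, "z")   # not contained in any valid set  -> acc_1!no
    ca.call(1, "a")   # accepted                         -> acc_1!yes
    ca.call(1, "a")   # participant 1 already in V       -> acc_1!no
    ca.call(2, "b")   # completes V, U is chosen         -> acc_2!yes
    ca.call(2, "b")   # action already running           -> acc_2!no
    return ca.flush()
```

The three rejections in `demo` are the three ways the specification says no: the message does not fit any valid set, the participant has already been accepted, and the action is already in its result-producing phase.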
7.2 CA action with internal roles
The first architectural model of a CA action as a base process $CA^{I}_{spec}$ is shown in figure 10. The
external connectivity of $CA^{I}_{spec}$ is the same as that of $CA_{spec}$. Internally, $CA^{I}_{spec}$ comprises processes
$In$, $Out$, $role_1, \ldots, role_m$, and possibly other processes $P_1, \ldots, P_n$ representing nested CA actions and
internal objects (not shown in figure 10). There can be channels linking together the role processes
$role_1, \ldots, role_m$ as well as channels linking $P_1, \ldots, P_n$ with $role_1, \ldots, role_m$.
It is assumed that $CA_{spec} = CA^{I}_{spec} = In \otimes Role_1 \otimes \cdots \otimes Role_m \otimes P_1 \otimes \cdots \otimes P_n \otimes Out$ and that each
process in the network $CA^{I}_{spec}$ is GIO. The $In = In^{\emptyset}_{\langle\rangle \cdots \langle\rangle}$ process can be defined thus.
\[
In^{V}_{t_1 \cdots t_m} =
\begin{cases}
in^{V}_{t_1 \cdots t_m}
 & \text{if } |V| = m \\[4pt]
\Box_{i \le m,\; v \in msg\,call_i}\; call_i!v \to In'
 & \text{if } |V| < m \wedge t_1 \cdots t_m = \langle\rangle \\[4pt]
\Box_{t_i \ne \langle\rangle}\; head(t_i) \to In^{V}_{t_1 \cdots tail(t_i) \cdots t_m}
 \;\Box\; \Box_{i \le m,\; v \in msg\,call_i}\; call_i!v \to In'
 & \text{if } |V| < m \wedge t_1 \cdots t_m \ne \langle\rangle
\end{cases}
\]
where
\[
in^{V}_{t_1 \cdots t_m} =
\begin{cases}
reset!yes \to In^{\emptyset}_{t_1 \cdots t_m}
 \;\Box\; \Box_{i \le m,\; v \in msg\,call_i}\; call_i!v \to in^{V}_{t_1 \cdots t_i\langle acc_i!no\rangle \cdots t_m}
 & \text{if } V = \emptyset \wedge t_1 \cdots t_m = \langle\rangle \\[4pt]
reset!yes \to In^{\emptyset}_{t_1 \cdots t_m}
 \;\Box\; \Box_{t_i \ne \langle\rangle}\; head(t_i) \to in^{V}_{t_1 \cdots tail(t_i) \cdots t_m}
 \;\Box\; \Box_{i \le m,\; v \in msg\,call_i}\; call_i!v \to in^{V}_{t_1 \cdots t_i\langle acc_i!no\rangle \cdots t_m}
 & \text{if } V = \emptyset \wedge t_1 \cdots t_m \ne \langle\rangle \\[4pt]
\Box_{a \in V}\; a \to in^{V - \{a\}}_{t_1 \cdots t_m}
 \;\Box\; \Box_{i \le m,\; v \in msg\,call_i}\; call_i!v \to in^{V}_{t_1 \cdots t_i\langle acc_i!no\rangle \cdots t_m}
 & \text{if } V \ne \emptyset \wedge t_1 \cdots t_m = \langle\rangle \\[4pt]
\Box_{t_i \ne \langle\rangle}\; head(t_i) \to in^{V}_{t_1 \cdots tail(t_i) \cdots t_m}
 \;\Box\; \Box_{a \in V}\; a \to in^{V - \{a\}}_{t_1 \cdots t_m}
 \;\Box\; \Box_{i \le m,\; v \in msg\,call_i}\; call_i!v \to in^{V}_{t_1 \cdots t_i\langle acc_i!no\rangle \cdots t_m}
 & \text{if } V \ne \emptyset \wedge t_1 \cdots t_m \ne \langle\rangle
\end{cases}
\]
In the above, $In'$ is given by:
\[
In' =
\begin{cases}
In^{V \cup \{inr_i!v\}}_{t_1 \cdots t_i\langle acc_i!yes\rangle \cdots t_m}
 & \text{if } V \cap inr_i = \emptyset \wedge
   \exists V' \in Valid : (V[call_1/inr_1] \cdots [call_m/inr_m]) \cup \{call_i!v\} \subseteq V' \\[4pt]
In^{V}_{t_1 \cdots t_i\langle acc_i!no\rangle \cdots t_m}
 & \text{otherwise}
\end{cases}
\]
Note that process $In$ receives requests for accessing the CA action, and after assembling a set of $m$
valid messages it forwards accepted requests to the role processes, $role_i$, along the channels $inr_i$. The
$m$ messages on channels $outr_i$ resulting from a single run of the CA action are collected by process
$Out$ which sends them along channels $return_i$. The role of the $reset$ channel is to inform $In$ that $Out$
has completed the task of sending the current result set. The $Out = Out_{\emptyset}$ process can be defined as
follows:
\[
Out_V =
\begin{cases}
out_V
 & \text{if } |V| = m \\[4pt]
\Box_{i \le m,\; v \in msg\,outr_i}\; outr_i!v \to Out_{V \cup \{return_i!v\}}
 & \text{if } |V| < m
\end{cases}
\]
\[
out_V =
\begin{cases}
reset!yes \to Out_{\emptyset}
 \;\Box\; \Box_{i \le m,\; v \in msg\,outr_i}\; outr_i!v \to out_V
 & \text{if } V = \emptyset \\[4pt]
\Box_{a \in V}\; a \to out_{V - \{a\}}
 \;\Box\; \Box_{i \le m,\; v \in msg\,outr_i}\; outr_i!v \to Out_V
 & \text{if } V \ne \emptyset
\end{cases}
\]
Note that $In$ and $Out$ defined above are only examples of what might be appropriate specifications;
given a particular application, their definition could be suitably modified. Having specified $CA^{I}_{spec}$, we
can apply directly to it the general results obtained for the ERT model. In particular, we can choose
specific extraction patterns and implementation relations corresponding to the actual implementation
techniques, which may represent refinements as well as fault tolerance measures (e.g. the replication
scheme discussed in the previous section). Recall that this may, and usually will, lead to the change
of channels used by the processes.
[Figure 11: CA action $CA^{II}_{spec}$ with external roles. Only one of the $m$ role processes, $role_i$, is shown, together with its channels $call_i$, $acc_i$ and $return_i$.]
7.3 CA action with external roles
The structuring of the CA action shown in figure 10 implicitly assumes that each role $role_i$ is implemented
as part of the programming construct modelling the CA action. However, as some of the
existing examples of CA suggest, it may be the case that the roles are part of the specification of
programming constructs modelling threads, i.e., processes that send messages on channels $call_i$ and
receive messages on channels $return_i$. In such a case, the architecture of figure 10 is no longer appropriate.
We then can use an alternative structuring of $CA_{spec}$, as shown in figure 11 (note that the
diagram depicts only one out of $m$ role processes).
It is assumed $CA^{II}_{spec}$ comprises internal CA actions as well as internal objects shared by the roles
(all such processes are assumed to be GIO). Consistency with the basic CA action specification is
ensured by requiring that $CA_{spec} = CA^{II}_{spec} \otimes role_1 \otimes \cdots \otimes role_m$. The subsequent application of the
ERT approach would follow the same pattern as previously, i.e., one would choose concrete extraction
patterns and implementation functions to establish the correctness of a low level implementation.
7.4 A Case Study Fragment
In this section we shall apply the modelling approach outlined in section 7.1 to a significant fragment
of a real life CA action based application: the automated production cell described in [16]. The cell
comprises several physical components, controlled by software structured in accordance with the CA
action paradigm. The portion we shall concentrate on consists of a conveyor belt feeding a table with
metal plates (in [16] these will later be forged in a press and forwarded to a deposit).
According to the architectural choices of [16], the software controlling each physical device is to be
executed by two processes, serving the device proper and its sensors, respectively. Thus the system
fragment we describe is essentially a network of four processes FeedBelt, FeedBeltSensor, Table and
TableSensor interacting through CA action LoadTable. Interaction with the environment takes place
through CA actions LoadPlate and UnloadTable. Figure 12 provides a simplified description of the
system architecture in that, unlike Figure 9, it does not show the channels $call_i$, $return_i$ and $acc_i$
through which a generic process $i$ would interact with a CA action. In fact, channel $acc_i$ will not
be needed here since the case study [16] simply abstracts from exception handling issues. In the
interest of clarity, indexed channels $call_i$ and $return_i$ will be replaced by structured channel names like,
e.g., call.LoadPlate.FB, where the second component is the name of the CA action, and the third one
conveniently identifies the participating process (in the example FB stands for FeedBelt).
The CSP code below employs some additional minor but useful conventions. The notation $b?v \to P(v)$,
where $P(v)$ is a process with state modelled explicitly by $v$, stands for the deterministic choice
$\Box_{v \in msg\,b}\; b!v \to P(v)$. Similarly, $b!!v \to P(v)$ stands for the non-deterministic choice $\sqcap_{v \in msg\,b}\; b!v \to P(v)$.
Finally, in the formal descriptions we will omit the handling of unexpected incoming messages.
This can be incorporated in a standard fashion as it has often been done earlier (cf. process $In$ in
Section 7.2).
At the abstract level, CA actions are viewed in [16] as `black boxes' solely characterized by their
external behaviour. In our ERT framework, this amounts to rendering a CA action as a base process
only to be accessed through call and ret channels (cf. section 7.1). Base processes exhibit a simple
cyclic behaviour.
Process FeedBelt acquires a plate through the CA action LoadPlate, passes it to the table by participating
in LoadTable and restarts. Note that LoadTable is also passed the feedBeltActuator object
through which it will effectively affect the motion of the feed belt.

    FeedBelt(feedBeltActuator) =
        call.LoadPlate.FB!! → ret.LoadPlate.FB?plate →
        call.LoadTable.FB!(plate, feedBeltActuator) → ret.LoadTable.FB!! →
        FeedBelt(feedBeltActuator)

Process FeedBeltSensor provides CA action LoadTable with the object photoElectricSensor. This is
intended to model the belt hardware sensor, and its state is accordingly specified, as in [16], to be
internally chosen by the hardware.

    FeedBeltSensor =
        call.LoadTable.FBS!!photoElectricSensor → ret.LoadTable.FBS!! →
        FeedBeltSensor

Likewise, process TableSensor supplies actions LoadTable and UnloadTable with objects corresponding
to the three sensors that equip the table device.

    TableSensor =
        call.LoadTable.TS!!(bottomSwitchSensor, tableAngleSensor) → ret.LoadTable.TS!! →
        call.UnloadTable.TS!!(topSwitchSensor, tableAngleSensor) → ret.UnloadTable.TS!! →
        TableSensor
[Figure 12: System architecture. Processes FeedBelt, FeedBeltSensor, Table and TableSensor interacting through the CA actions LoadPlate, LoadTable and UnloadTable.]
Finally, process Table participates in CA action LoadTable by providing the tableActuator object and
receiving a plate, which is then passed on to the external environment through action UnloadTable.

    Table(tableActuator) =
        call.LoadTable.T!tableActuator → ret.LoadTable.T?plate →
        call.UnloadTable.T!(plate, tableActuator) → ret.UnloadTable.T!! →
        Table(tableActuator)

At the implementation level, each CA action call/return pair in base process definitions gets replaced
by a CSP code block containing invocations of lower level CA actions and (non-atomic) operations
on local objects such as, e.g., channels. This transformation (which could be easily defined formally
by means of macro-expansion and CSP sequential composition [1]) yields the implementations for the
device base processes. The implementation for the CA action LoadTable base process is the composition
of the newly introduced local objects and lower level (base) CA actions.
The implementation level CSP code refining call/return pairs for LoadTable is easy to write by simple
inspection of the corresponding code in [16]. The extraction patterns under which the intended implementation
relations hold are also straightforward to define. We shall simply give here the extraction
functions, from which call/return refinements and remaining extraction pattern components can be
easily inferred.

    ⟨ call.LoadTable.FB!(plate, feedBeltActuator) ; ret.LoadTable.FB ⟩
        ↦ ⟨ call.Wait.FB ; ret.Wait.FB ; call.MovePlate.FB!feedBeltActuator ;
            ret.MovePlate.FB ; channel.in.T!plate ⟩

    ⟨ call.MovePlate.FBS!photoElectricSensor ; ret.MovePlate.FBS ⟩
        ↦ ⟨ call.LoadTable.FBS!photoElectricSensor ; ret.LoadTable.FBS ⟩

    ⟨ call.MoveTableDown.TS!bottomSwitchSensor ; ret.MoveTableDown.TS ;
      call.RotateTable.TS!(tableAngleSensor, 0) ; ret.RotateTable.TS ⟩
        ↦ ⟨ call.LoadTable.TS!(bottomSwitchSensor, tableAngleSensor) ; ret.LoadTable.TS ⟩

    ⟨ call.MoveTableDown.T!tableActuator ; ret.MoveTableDown.T ;
      call.RotateTable.T!tableActuator ;
      call.Wait.T ; ret.Wait.T ; channel!plate.changeState('Table') ⟩
        ↦ ⟨ call.LoadTable.T!tableActuator ; ret.LoadTable.T?plate ⟩
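The extraction functions above, applied mechanically to a trace, as an added example (not code from the paper or from the production cell project): the four patterns are tabulated per participant, an implementation-level trace is projected onto each participant, and every complete pattern instance in the projection is replaced by its base-level call/return pair, following the component-wise rule stated in proposition A.10(2). The interleaved sample trace, the treatment of the FB pattern in the implementation-to-base direction (the page lists it the other way round) and the handling of an incomplete trailing instance as "nothing extracted yet" are assumptions made for this example.

```python
"""Extraction of base-level LoadTable traces from an implementation-level
trace (added illustration, not code from the paper or from the production
cell project).  The four patterns are the ones listed above, with channel
names written in the call.Action.Process form and parameters kept as literal
strings.  All four are applied implementation -> base, the direction of an
extraction function.  Following proposition A.10(2), each participant's base
trace is computed from its own projection of the implementation trace."""
from typing import Dict, List, Tuple

# participant -> (implementation-level event sequence, base-level call/return pair)
PATTERNS: Dict[str, Tuple[Tuple[str, ...], Tuple[str, ...]]] = {
    "FB": (("call.Wait.FB", "ret.Wait.FB",
            "call.MovePlate.FB!feedBeltActuator", "ret.MovePlate.FB",
            "channel.in.T!plate"),
           ("call.LoadTable.FB!(plate, feedBeltActuator)", "ret.LoadTable.FB")),
    "FBS": (("call.MovePlate.FBS!photoElectricSensor", "ret.MovePlate.FBS"),
            ("call.LoadTable.FBS!photoElectricSensor", "ret.LoadTable.FBS")),
    "TS": (("call.MoveTableDown.TS!bottomSwitchSensor", "ret.MoveTableDown.TS",
            "call.RotateTable.TS!(tableAngleSensor, 0)", "ret.RotateTable.TS"),
           ("call.LoadTable.TS!(bottomSwitchSensor, tableAngleSensor)", "ret.LoadTable.TS")),
    "T": (("call.MoveTableDown.T!tableActuator", "ret.MoveTableDown.T",
           "call.RotateTable.T!tableActuator", "call.Wait.T", "ret.Wait.T",
           "channel!plate.changeState('Table')"),
          ("call.LoadTable.T!tableActuator", "ret.LoadTable.T?plate")),
}

# every implementation-level event is owned by exactly one participant
OWNER: Dict[str, str] = {e: who for who, (impl, _) in PATTERNS.items() for e in impl}


def project(trace: List[str], who: str) -> List[str]:
    """t restricted to the events belonging to participant `who`."""
    return [e for e in trace if OWNER.get(e) == who]


def extract_one(proj: List[str], impl: Tuple[str, ...], base: Tuple[str, ...]) -> List[str]:
    """Replace each complete instance of impl by base.  A trailing incomplete
    instance contributes nothing (the extraction is prefix-closed); any other
    deviation puts the trace outside the extraction domain."""
    out: List[str] = []
    pos = 0
    while pos < len(proj):
        chunk = tuple(proj[pos:pos + len(impl)])
        if chunk == impl:
            out.extend(base)
            pos += len(impl)
        elif chunk == impl[:len(chunk)]:
            break
        else:
            raise ValueError(f"{proj[pos]!r} at position {pos}: not in the extraction domain")
    return out


def extract(trace: List[str]) -> Dict[str, List[str]]:
    """Component-wise extraction: one base-level trace per participant."""
    return {who: extract_one(project(trace, who), impl, base)
            for who, (impl, base) in PATTERNS.items()}


# A constructed interleaving of one LoadTable run by all four participants.
FB, FBS, TS, T = (PATTERNS[w][0] for w in ("FB", "FBS", "TS", "T"))
IMPL_TRACE: List[str] = [FB[0], T[0], FBS[0], TS[0], TS[1], FB[1], T[1], FBS[1],
                         FB[2], TS[2], TS[3], T[2], FB[3], FB[4], T[3], T[4], T[5]]
```

Running `extract(IMPL_TRACE)` yields each participant's base-level LoadTable call/return pair; a prefix of the trace that cuts some pattern short yields the pairs of the participants that have completed and nothing for the others, and an event out of pattern order raises, mirroring a trace outside $Dom$.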
Acknowledgements
The authors are indebted to Luigi Mancini for his contribution made in the course of work from
which ERT has been derived. The work of the first author was supported by ESPRIT Long Term
Research Project 20072 on "Design for Validation (DeVa)". He would also like to thank the members
of the DeVa team at Newcastle, Brian Randell, Alexander Romanovsky, Robert Stroud, Ian Welch
and Avelino Zorzo, for several discussions on the formalisation of the semantics of CA actions. In
particular, we would like to thank Jie Xu for his detailed comments on the draft version of this report.
The work of the second author was supported by the Italian MURST.
References
[1] Brookes, S.D., Hoare, C.A.R., Roscoe, A.W.: A theory of communicating sequential processes.
Journal ACM 31(7), 560-599 (1984).
[2] Brookes, S.D., Roscoe, A.W.: An improved failures model for communicating sequential processes.
Lecture Notes in Computer Science 197, Springer-Verlag, 281-305 (1985).
[3] Hoare, C.A.R.: Communicating sequential processes. Prentice Hall International (1985).
[4] Kahn, G., and MacQueen, D.B.: Coroutines and networks of parallel processes. Information
Processing 77, B. Gilchrist (ed.), 993-998, North-Holland (1977).
[5] Koutny, M., and Mancini, L.: Synchronizing events in replicated systems. The Journal of Systems
and Software 9(3), 183-190 (1989).
[6] Koutny, M., Mancini, L., and Pappalardo, G.: Formalising Replicated Distributed Processing.
Proceedings of the 10th Symposium on Reliable Distributed Systems, Pisa, 108-117 (1991).
[7] Koutny, M., Mancini, L., and Pappalardo, G.: Modelling Replicated Processing. Proc. PARLE'93,
Bode, A. et al. (eds), LNCS 694, Springer-Verlag, (1993).
[8] Koutny, M., Mancini, L., and Pappalardo, G.: Two Implementation Relations and the Correctness
of Communicated Replicated Processing. Formal Aspects of Computing 9, 119-148 (1997).
[9] Lamport, L., Shostak, R., Pease, M.: The Byzantine Generals problem. ACM Transactions on
Programming Languages and Systems 4(3), 382-401 (1982).
[10] Mancini, L., Pappalardo G.: Towards a theory of replicated processing. Lecture Notes in Computer
Science 331, Springer-Verlag, 175-192 (1988).
[11] Randell, B., Romanovsky, A., Stroud, R., Xu, J., Zorzo, A.F.: Coordinated Atomic Actions: From
Concept to Implementation. Submitted to Special Issue of IEEE Transactions on Computers,
(1997).
[12] Schneider, F.B.: Implementing Fault-tolerant Services Using the State Machine Approach: A
Tutorial. ACM Comput. Surveys 22(4), 299-319 (1990).
[13] Schneider, F.B.: Byzantine generals in action: Implementing fail-stop processors. ACM Trans.
on Computer Systems 2(2), 145-154 (1984).
[14] Wensley et al.: SIFT: Design and analysis of a fault-tolerant computer for aircraft control. Proc.
IEEE 66(10), 1240-1255 (1978).
[15] Xu, J., Randell, B., Romanovsky, A., Rubira, C., Stroud, R., Wu, Z.: Fault Tolerance in Concurrent
Object-Oriented Software Through Coordinated Error Recovery. Proc. 25th Int. Symp.
on Fault-Tolerant computing, IEEE CS Press, Pasadena, USA, (1995), 450-457.
[16] Zorzo, A.F., Romanovsky, A., Xu, J., Randell, B., Stroud, R., Welch, I.: Using Coordinated
Atomic Actions to Design Complex Safety-Critical Systems: The Production Cell Case Study.
Manuscript (1997).
A Appendix
A.1 Formal definitions of CSP selected operators
The operations on processes we use are defined in the following way:
\[
\begin{array}{lcl}
chan(P \parallel Q) &=& chan\,P \cup chan\,Q \\
\delta(P \parallel Q) &=& \{\, t \cdot u \mid (t \upharpoonright chan\,P,\; t \upharpoonright chan\,Q) \in (\delta P \times \tau Q) \cup (\tau P \times \delta Q) \,\} \\
\phi(P \parallel Q) &=& \{\, (t, R \cup S) \mid (t \upharpoonright chan\,P, R) \in \phi P \wedge (t \upharpoonright chan\,Q, S) \in \phi Q \,\} \cup \delta(P \parallel Q) \times 2^{\alpha(P \parallel Q)} \\[6pt]
chan(P \setminus B) &=& chan\,P - B \\
\delta(P \setminus B) &=& \{\, t \upharpoonright chan(P \setminus B) \cdot u \mid t \in \delta P \vee \exists a_1, a_2, \ldots \in B\; \forall n \ge 1 : t \cdot \langle a_1, \ldots, a_n\rangle \in \tau P \,\} \\
\phi(P \setminus B) &=& \{\, (t \upharpoonright chan(P \setminus B), R) \mid (t, R \cup B) \in \phi P \,\} \cup \delta(P \setminus B) \times 2^{\alpha(P \setminus B)} \\[6pt]
chan\,P[b/b'] &=& chan\,P - \{b'\} \cup \{b\} \\
\delta P[b/b'] &=& \{\, t[b/b'] \mid t \in \delta P \,\} \\
\phi P[b/b'] &=& \{\, (t[b/b'], R[b/b']) \mid (t, R) \in \phi P \,\} \\[6pt]
chan(a \to P) &=& chan\,P \\
\delta(a \to P) &=& \{\, \langle a\rangle \cdot t \mid t \in \delta P \,\} \\
\phi(a \to P) &=& \{\, (\langle a\rangle \cdot t, R) \mid (t, R) \in \phi P \,\} \cup \{\langle\rangle\} \times 2^{\alpha P - \{a\}} \\[6pt]
chan(P \,\Box\, Q) &=& chan\,P \\
\delta(P \,\Box\, Q) &=& \delta P \cup \delta Q \\
\phi(P \,\Box\, Q) &=& \{\, (\langle\rangle, R) \mid (\langle\rangle, R) \in \phi P \cap \phi Q \,\} \cup \{\, (t, R) \mid t \ne \langle\rangle \wedge (t, R) \in \phi P \cup \phi Q \,\} \\[6pt]
chan(P \sqcap Q) &=& chan\,P \\
\delta(P \sqcap Q) &=& \delta P \cup \delta Q \\
\phi(P \sqcap Q) &=& \phi P \cup \phi Q.
\end{array}
\]
In the above, $B$ is a proper subset of $chan\,P$; $b \notin chan\,P$ and $b' \in chan\,P$ are channels with the same
message sets; $R[b/b']$ is $R$ with each $b'!v$ changed to $b!v$; $a$ is an action in $P$; in the last two definitions
$chan\,P = chan\,Q$. Note that the divergences of $P \setminus B$ could have been defined as in [3], where
\[
\delta(P \setminus B) = \{\, t \upharpoonright chan(P \setminus B) \cdot u \mid t \in \delta P \vee \exists u_1, u_2, \ldots \in B^{*}\; \forall n \ge 1 : t \cdot u_n \in \tau P \wedge |u_n| \ge n \,\}.
\]
We also use $stop_B$ (or simply $stop$ if $B$ is clear from the context) to denote a deadlocked process with
the channel set $B$, $stop_B = (B, \emptyset, \emptyset)$.
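The trace components of the definitions above, as an added executable model (this is not the paper's own code): a process is represented by its channel set and a finite, prefix-closed set of traces over events $b!v$, and prefix, external choice, parallel composition and hiding are implemented directly from the trace parts of the definitions, with synchronisation decided by the page's rule that $t$ is a trace of $P \parallel Q$ exactly when $t \upharpoonright chan\,P \in \tau P$ and $t \upharpoonright chan\,Q \in \tau Q$. Failures and divergences are omitted, so hiding shows only the restriction part of the definition; the sample processes are constructed for the example.

```python
"""Trace-set semantics for the CSP operators of appendix A.1 (added
illustration, not the paper's own code).  Only the trace component of each
definition is modelled: a process is a channel set plus a finite,
prefix-closed set of traces over events (channel, value); failures,
divergences and the infinite-hiding case of P \\ B are left out.
Synchronisation is exactly the page's rule: t is a trace of P || Q iff
t restricted to chan P is a trace of P and t restricted to chan Q is a
trace of Q."""
from typing import FrozenSet, List, Set, Tuple

Event = Tuple[str, str]      # (channel, value), written b!v in the paper
Trace = Tuple[Event, ...]


def prefix_closure(traces: Set[Trace]) -> Set[Trace]:
    return {t[:k] for t in traces for k in range(len(t) + 1)}


def restrict(t: Trace, chans: FrozenSet[str]) -> Trace:
    """t restricted to the events on the channels in chans."""
    return tuple(e for e in t if e[0] in chans)


class Proc:
    def __init__(self, chan: Set[str], traces: Set[Trace]) -> None:
        self.chan: FrozenSet[str] = frozenset(chan)
        self.traces: Set[Trace] = prefix_closure(traces)


def stop(chan: Set[str]) -> Proc:                    # stop_B: only the empty trace
    return Proc(chan, {()})


def prefix(a: Event, p: Proc) -> Proc:               # a -> P
    assert a[0] in p.chan, "a must be an action in P"
    return Proc(p.chan, {(a,) + t for t in p.traces})


def choice(p: Proc, q: Proc) -> Proc:                # P [] Q: union of trace sets
    assert p.chan == q.chan, "choice needs chan P = chan Q"
    return Proc(p.chan, p.traces | q.traces)


def parallel(p: Proc, q: Proc) -> Proc:              # P || Q
    """Grow the trace set from <> one event at a time; because both trace
    sets are prefix-closed this enumerates every trace of P || Q."""
    events = {e for t in p.traces | q.traces for e in t}
    found: Set[Trace] = {()}
    frontier: List[Trace] = [()]
    while frontier:
        t = frontier.pop()
        for e in events:
            u = t + (e,)
            if (u not in found
                    and restrict(u, p.chan) in p.traces
                    and restrict(u, q.chan) in q.traces):
                found.add(u)
                frontier.append(u)
    return Proc(p.chan | q.chan, found)


def hide(p: Proc, hidden: Set[str]) -> Proc:         # P \ B, trace part only
    keep = p.chan - frozenset(hidden)
    return Proc(keep, {restrict(t, keep) for t in p.traces})


def example() -> Tuple[Set[Trace], Set[Trace]]:
    """A one-shot acceptance exchange (constructed): the action offers
    call_1!a followed by acc_1!yes.  A client sending the same call
    completes the exchange; a client sending call_1!b deadlocks at once."""
    chan = {"call_1", "acc_1"}
    action = prefix(("call_1", "a"), prefix(("acc_1", "yes"), stop(chan)))
    good_client = prefix(("call_1", "a"), prefix(("acc_1", "yes"), stop(chan)))
    bad_client = prefix(("call_1", "b"), stop({"call_1"}))
    completed = hide(parallel(action, good_client), {"acc_1"})
    deadlocked = parallel(action, bad_client)
    return completed.traces, deadlocked.traces
```

`example()` returns two trace sets: the completed exchange with the $acc_1$ channel hidden, which leaves only $\langle\rangle$ and $\langle call_1!a\rangle$, and the mismatched pairing, whose only trace is $\langle\rangle$ because neither side's first event is a trace of the other's restriction.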
A.2 General properties of processes
Proposition A.1 [8] Let $B$ and $B'$ be two non-empty finite sets of channels, $B \subseteq B'$. If $T$ is an
infinite prefix-closed set of traces over $B'$ such that $\{t \upharpoonright (B' - B) \mid t \in T\}$ is a finite set then there is
$t \in T$ and $a_1, a_2, \ldots \in B$ satisfying $t \cdot \langle a_1, \ldots, a_k\rangle \in T$, for all $k \ge 1$. $\Box$
Proposition A.2 Let $(t, R) \in \phi(P \setminus B)$ be such that $t \notin \delta(P \setminus B)$. Then there is $(w, R \cup B) \in \phi P$
such that $w \notin \delta P$ and $w \upharpoonright chan(P \setminus B) = t$.
Proof. Follows directly from the definition of $P \setminus B$. $\Box$
Proposition A.3 Let $P \in IG(U, V)$ and $t \in \delta P$. Then $t \upharpoonright in\,P \notin U$.
Proof. Suppose $t \upharpoonright in\,P \in U$. From CSP4 and $out\,P \ne \emptyset$ it follows that there are $a_1, a_2, \ldots \in out\,P$
such that $t_k = t \cdot \langle a_1, \ldots, a_k\rangle \in \tau P$, for all $k \ge 1$. Define $T = \{t_k \mid k \ge 1\}$. Then $T \upharpoonright in\,P = \{t \upharpoonright in\,P\}$,
contradicting IG2. $\Box$
A.3 Basic compositionality results
In the proofs that follow, we will use $\hat{X}$ to denote the sources, and $X$ to denote the targets, of an
extraction pattern $x$, for $x \in \{c, d, e, f, g, h\}$. We will also use $Z$ to denote the channel set of a process
$Z$, for $Z \in \{I, J, K, L, M, N, O, S\}$, where $I = K \parallel L$, $J = K \otimes L$, $S = M \parallel N$ and $O = M \otimes N$. The
union of sets of channels, say $C \cup D$, will be simply denoted as $CD$, and when denoting the composition
of extraction patterns, such as $e \otimes f$, we will leave out the symbol $\otimes$.
The following diagram may be useful when reading the proofs of proposition A.4, and theorems A.5
and 4.1.
[Diagram: processes $K$ and $L$ with channel sets $C$, $D$, $E$, $F$ and $G$ ($C \to K \to E$, $F \to L \to G$, $D$ from $K$ to $L$), forming $J = K \otimes L$.]
Proposition A.4 Let $T_C$, $T_D$, $T_E$, $T_F$ and $T_G$ be prefix-closed sets of traces over respectively the
channels $C$, $D$, $E$, $F$ and $G$. If $K \in IG(T_C, T_D \,|||\, T_E)$ and $L \in IG(T_D \,|||\, T_F, T_G)$ are processes as in
figure 1, then the following hold.
1. $t \in \tau(K \parallel L) \wedge t \upharpoonright (C \cup F) \in T_C \,|||\, T_F \Rightarrow t \in T_C \,|||\, T_D \,|||\, T_E \,|||\, T_F \,|||\, T_G$.
2. $t \in \delta(K \otimes L) \Rightarrow t \upharpoonright (C \cup F) \notin T_C \,|||\, T_F$.
3. $K \otimes L \in IG(T_C \,|||\, T_F, T_E \,|||\, T_G)$.
Proof. Let $V = \{t \in I^{*} \mid t \upharpoonright CF \in T_C \,|||\, T_F\}$. Clearly, $V$ is prefix-closed. First, we prove that:
(1) $t \in \tau I \cap V \Rightarrow t \notin \delta I$.
Suppose that $t \in \delta I \cap V$. Then there is $u \in \tau I$ such that $u \le t$ and at least one of the following holds:
(i) $u \upharpoonright K \in \delta K$ and $u \upharpoonright L \in \tau L$, or (ii) $u \upharpoonright K \in \tau K$ and $u \upharpoonright L \in \delta L$. Clearly, $u \in V$ since $V$ is prefix-closed.
Then (i) contradicts proposition A.3 since $(u \upharpoonright K) \upharpoonright C = u \upharpoonright C \in T_C$, so (ii) must be satisfied. Hence,
by $(u \upharpoonright K) \upharpoonright C \in T_C$ and IG1 for $K$, $(u \upharpoonright K) \upharpoonright D \in T_D$. Thus $(u \upharpoonright L) \upharpoonright DF = u \upharpoonright DF \in T_D \,|||\, T_F$. This and
$u \upharpoonright L \in \delta L$ produces a contradiction with proposition A.3. Hence (1) holds.
To prove A.4(1), suppose that $t \in \tau I \cap V$. By (1) and the definition of parallel composition, $t \upharpoonright K \in \tau K$
and $t \upharpoonright L \in \tau L$. Together with IG1 for $K$ and $L$, applied in this order, this yields $t \upharpoonright K \in T_C \,|||\, T_E \,|||\, T_D$ and
$t \upharpoonright L \in T_D \,|||\, T_F \,|||\, T_G$. Hence A.4(1) holds.
To prove A.4(2), suppose that $t \in \delta J \cap V$. Then there is $u \in \tau I$ such that $u \upharpoonright J \le t$ and at least one of the
following holds: (iii) $u \in \delta I$, or (iv) there are $a_1, a_2, \ldots \in D$ such that $u_k = u \cdot \langle a_1, \ldots, a_k\rangle \in \tau I$, for
all $k \ge 1$. Clearly, $u \in V$ as both $T_C$ and $T_F$ are prefix-closed. Hence (iii) contradicts (1). Moreover,
(iv) leads to a contradiction in the following way. Since, for all $k \ge 1$, $u_k \in V$ (as $u_k \upharpoonright CF = u \upharpoonright CF$)
we obtain, by (1), that $u_k \notin \delta I$, for all $k \ge 1$. Thus, by the definition of parallel composition,
$w_k = u_k \upharpoonright K \in \tau K$, for all $k \ge 1$. But $w_k = (u \upharpoonright K) \cdot \langle a_1, \ldots, a_k\rangle \in \tau K$ and $w_k \upharpoonright C = (u \upharpoonright K) \upharpoonright C \in T_C$, for
all $k \ge 1$, produces a contradiction with IG2 for $K$. Hence A.4(2) is satisfied.
We finally show that A.4(3) is satisfied. From A.4(2) and proposition A.2 it follows that, for every
$t \in \tau J \cap V$, there is $w \in \tau I$ such that $t = w \upharpoonright J$. This and the definition of hiding imply the following:
(2) $\tau J \cap V = (\tau I \cap V) \upharpoonright J$.
We then observe that from (2) and A.4(1) it follows that IG1 holds for $J$. Suppose that IG2 does not
hold. Then, by proposition A.1, there are traces $t_1 < t_2 < \ldots \in \tau J \cap V$ such that
(3) $t_k \upharpoonright CF = t_1 \upharpoonright CF$, for all $k \ge 1$.
From (2) it follows that there are $w_1, w_2, \ldots \in \tau I \cap V$ such that $t_k = w_k \upharpoonright J$ for all $k \ge 1$. Let
$U = \{w_k \upharpoonright K \mid k \ge 1\}$ and $T = \{w_k \upharpoonright L \mid k \ge 1\}$. From (1) it follows that $U \subseteq \tau K$ and $T \subseteq \tau L$. Let
$Y = Pref(U)$ and $Z = Pref(T)$. We will show that both $U$ and $T$ are finite sets, which will produce a
contradiction with $t_1 < t_2 < \ldots$ and prove that $J$ satisfies IG2.
By (3), $w_k \upharpoonright C = t_k \upharpoonright C = t_1 \upharpoonright C$, for all $k \ge 1$, so $\{y \upharpoonright C \mid y \in Y\}$ is a finite set. Thus, by $Y \subseteq \tau K \cap V$
and IG2 for $K$, $Y$ is a finite set. Hence $U$ is finite.
From the finiteness of $U$ it follows that $\{z \upharpoonright D \mid z \in Z\}$ is finite. This and $w_k \upharpoonright F = t_k \upharpoonright F = t_1 \upharpoonright F$ (by
(3)) means that $\{z \upharpoonright DF \mid z \in Z\}$ is a finite set. Thus, by $Z \subseteq \tau L \cap V$ and IG2 for $L$, $Z$ is a finite set.
Hence $T$ is finite. $\Box$
Theorem A.5 If $P \in GIO$ then $\delta P = \emptyset$, and if $K, L \in GIO$ are as in figure 1, then $K \otimes L \in GIO$.
Proof. That $\delta P = \emptyset$ follows from proposition A.3. From proposition A.4(3) it follows that $J \in IG$.
Suppose that $(t, R) \in \phi J$. By proposition A.4(2), $t \notin \delta I$. Hence from proposition A.2 it follows
that there is $(w, R \cup D) \in \phi I$ such that $w \notin \delta I$ and $w \upharpoonright J = t$. Thus, by the definition of parallel
composition, there are $R_1$ and $R_2$ such that $R \cup D = R_1 \cup R_2$, $(w \upharpoonright K, R_1) \in \phi K$ and $(w \upharpoonright L, R_2) \in \phi L$.
Hence, by the definition of GIO processes, $R_1 \cap C = \emptyset$ and $R_2 \cap F = \emptyset$. Thus $R \cap CF = \emptyset$. As a
result, $J$ is a GIO process. $\Box$
Theorem A.6 [8] If $K, L \in DIO$ are as in figure 1, then $K \otimes L \in DIO$. $\Box$
A.4 Properties of the relation $\sqsubseteq$
Let $P$, $Q$ and $Rcv$ be GIO processes with channels as indicated in figure 5. In the proofs of propositions
A.8, A.9 and A.12, we will denote $U = Q \otimes Rcv$ and $W = P \otimes Rcv$. Moreover, the following two
diagrams may be useful when reading these proofs.
[Diagrams: $W = P \otimes Rcv$ and $U = Q \otimes Rcv$, each with input channels $p_1, \ldots, p_m$, channels $r_1, \ldots, r_l$ between the process and $Rcv$, and output channels $q_1, \ldots, q_n$.]
Proposition A.7 If $\tau P \subseteq \tau Q$ and $\hat\tau Q \subseteq \hat\tau P$ then $\tau Q = \tau P$.
Proof. Let $t \in \tau Q$. Since $Q \in IG$ and $out\,Q \ne \emptyset$, by CSP3, there is $w \in (out\,Q)^{*}$ such that $t \cdot w \in \hat\tau Q$.
Hence $t \cdot w \in \hat\tau P \subseteq \tau P$ which means, by CSP1, that $t \in \tau P$. $\Box$
Proposition A.8 If $Q \sqsubseteq P$ then $\delta(Q \otimes Rcv) = \delta(P \otimes Rcv) = \emptyset$, $\tau(Q \otimes Rcv) = \tau(P \otimes Rcv)$ and
$\phi(Q \otimes Rcv) \subseteq \phi(P \otimes Rcv)$.
Proof. By theorem A.5, $U, W \in GIO$ and $\delta U = \delta W = \emptyset$. The latter and $\tau Q = \tau P$ implies that
$\tau U = \tau W$.
Suppose $(t, R) \in \phi U$. Then, by $\delta U = \emptyset$ and proposition A.2, there exists $(w, R \cup out\,Q) \in \phi(Q \parallel Rcv)$
such that $t = w \upharpoonright chan\,U$. Since $Q, Rcv \in GIO$, we have $w \upharpoonright chan\,Q \in \hat\tau Q$ and $(w \upharpoonright chan\,Rcv, R) \in \phi Rcv$.
By $\hat\tau Q \subseteq \hat\tau P$, $(w, R \cup out\,P) \in \phi(P \parallel Rcv)$ yielding $(t, R) \in \phi W$. $\Box$
Proposition A.9 If $Q \sqsubseteq P$ and $P \in GIO'$ then $Q \otimes Rcv = P \otimes Rcv$.
Proof. By proposition A.8, it suffices to show that $\phi W \subseteq \phi U$.
Suppose $(t, R) \in \phi W$. By propositions A.2 and A.8, there is $(w, R \cup out\,P) \in \phi(P \parallel Rcv)$ such that
$t = w \upharpoonright chan\,W$. Since $P, Rcv \in GIO$, we have $w \upharpoonright chan\,P \in \hat\tau P$ and $(w \upharpoonright chan\,Rcv, R) \in \phi Rcv$. From
$P \in GIO'$ it follows that $(w \upharpoonright chan\,P) \cdot \langle a\rangle \notin \tau P$, for all $a \in out\,P$. Thus, by $\tau Q = \tau P$ and CSP3,
$w \upharpoonright chan\,Q \in \hat\tau Q$. Hence $(t, R) \in \phi U$. $\Box$
A.5 Compositionality in acyclic networks and realisability
Proposition A.10 Let $ep_1$ and $ep_2$ be extraction patterns as in the definition of $ep_1 \otimes ep_2$.
1. $ep = ep_1 \otimes ep_2$ is an extraction pattern such that $Dom = Dom_1 \,|||\, Dom_2$.
2. For every $t \in Dom$, $extr(t) \upharpoonright B'_1 = extr_1(t \upharpoonright B_1)$ and $extr(t) \upharpoonright B'_2 = extr_2(t \upharpoonright B_2)$.
3. For every $t \in Dom$, $R_1 \subseteq B_1$ and $R_2 \subseteq B_2$,
\[
R_1 \cup R_2 \notin ref(t) \iff R_1 \notin ref(t \upharpoonright B_1) \wedge R_2 \notin ref(t \upharpoonright B_2).
\]
Proof. Follows directly from the definition of $\otimes$. $\Box$
The following diagram may be useful when reading the next proof.
[Diagram: processes $M$ and $N$ with channel sets $C$, $D$, $E$, $F$ and $G$ ($C \to M \to E$, $F \to N \to G$, $D$ from $M$ to $N$), forming $O = M \otimes N$.]
Proof of theorem 4.1. By proposition A.4(3), WI1 holds for $O$. Suppose that $(t, R) \in \phi O$ and
$t \upharpoonright CF \in Dom_{cf}$. From proposition A.4(2) we have that $t \notin \delta O$. Hence, by proposition A.2, there is
$(w, R \cup D) \in \phi S$ such that $w \notin \delta S$ and $t = w \upharpoonright O$. Together with proposition A.4(1) and WI1 for $M$
and $N$, this implies that there are $R_0$ and $R_1$ such that
(1) $R_0 \cup R_1 = R \cup D$
(2) $(w \upharpoonright M, R_0) \in \phi M$, $(w \upharpoonright N, R_1) \in \phi N$ and $w \in Dom_{cdefg}$.
By (2) and WI2 for $M$ and $N$, $C - R_0 \notin ref_c(w \upharpoonright C) = ref_c(t \upharpoonright C)$ and $DF - R_1 \notin ref_{df}(w \upharpoonright DF) = ref_{df}(t \upharpoonright DF)$.
Hence, by (1) and proposition A.10(3), $CF - R \notin ref_{cf}(t \upharpoonright CF)$ which means that WI2
holds. Moreover, from (1,2) and WI2 for $N$ it follows that
(3) $D \cap R_0 \notin ref_d(w \upharpoonright D)$.
To show WI3 we additionally assume $t \upharpoonright CF \in dom_{cf}$ and $EG \cap R \notin ref_{eg}(t \upharpoonright EG)$. This, (1,2,3) and WI3
for $M$, implies that $w \upharpoonright DE \in dom_{de}$ and $extr_{cde}(w \upharpoonright M) \in \hat\tau K$. Furthermore, from WI3 for $N$, we obtain
$w \upharpoonright G \in dom_g$ and $extr_{dfg}(w \upharpoonright N) \in \hat\tau L$. Hence $t \upharpoonright EG = w \upharpoonright EG \in dom_{eg}$ and $(extr_{cdefg}(w), DEG) \in \phi I$.
Thus, by proposition A.10(2), $extr_{cefg}(t) \in \hat\tau J$.
To prove WI4 we take $t \in \tau J$. By proposition A.2 and theorem A.5, there is $w \in \tau I$ such that $w \notin \delta I$
and $t = w \upharpoonright J$. Thus, since WI4 holds for both $K$ and $L$, $inv_{cde}(w \upharpoonright K) \in \tau M$ and $inv_{dfg}(w \upharpoonright L) \in \tau N$.
Let $x = inv_{cdefg}(w)$. Clearly, $x \upharpoonright M = inv_{cde}(w \upharpoonright K) \in \tau M$ and $x \upharpoonright N = inv_{dfg}(w \upharpoonright L) \in \tau N$. Hence $x \in \tau S$
and $inv_{cefg}(t) = x \upharpoonright O \in \tau O$. $\Box$
Corollary A.11 Let $K$ and $L$ be two DIO processes as in figure 1, and let $c, d, e, f$ and $g$ be extraction
patterns whose targets are respectively the channel sets $C, D, E, F$ and $G$. If $M \in sWl(K, c, d\,e)$
and $N \in sWl(L, d\,f, g)$ then $M \otimes N \in sWl(K \otimes L, c\,f, e\,g)$.
Proof. In the proof of theorem 4.1, WI4 was not needed to show that WI1–WI3 hold. $\Box$
Proposition A.12 Let $P$, $Q$ and $Rcv$ be processes as in figure 5. Moreover, let $P, Rcv \in DIO$ and
$Q \in sWl(P, id_{in\,P}, id_{out\,P})$. Then $Q \otimes Rcv = P \otimes Rcv$.
Proof. Let $U = Q \otimes Rcv$ and $W = P \otimes Rcv$. From corollary A.11 and theorems 2.1 and A.6, it
follows that $W \in DIO$ and $U \in sWl(W, id_{in\,W}, id_{out\,W})$. Hence $\delta U = \delta W = \emptyset$ and it suffices to show
that $\phi U = \phi W$.
Let $(t, R) \in \phi U$. By WI1 and WI2 for $U$, we have $U \in GIO$. Hence there is $(w, R \cup out\,Q) \in \phi(Q \parallel Rcv)$
such that $t = w \upharpoonright chan\,U$, $w \upharpoonright chan\,Q \in \hat\tau Q$ and $(w \upharpoonright chan\,Rcv, R) \in \phi Rcv$. Thus, by WI3 for $Q$,
$w \upharpoonright chan\,P \in \hat\tau P$. Hence $(w, R \cup out\,P) \in \phi(P \parallel Rcv)$ which implies $(t, R) \in \phi W$. Thus $\phi U \subseteq \phi W$.
We now observe that $\tau U = \tau W$. Otherwise we would have $t \in \tau U \cap \tau W$ and $t \cdot \langle a\rangle \in \tau W - \tau U$,
for some $t$ and $a$. This, CSP3 for $U$ and DIO2 for $W$, implies that $(t, \{a\}) \in \phi U$ and $(t, \{a\}) \notin \phi W$,
contradicting $\phi U \subseteq \phi W$. Thus $\tau W \subseteq \tau U$.
Suppose $\phi W \not\subseteq \phi U$. Then, by $\tau U = \tau W$, we have $(t, R) \in \phi U \cap \phi W$ and $(t, R \cup \{a\}) \in \phi W - \phi U$, for
some $t$, $R$ and $a$. From DIO2 for $W$ it follows that $t \cdot \langle a\rangle \notin \tau W$. Hence, by $\tau U = \tau W$, $(t, R \cup \{a\}) \in \phi U$,
a contradiction. Thus $\phi W \subseteq \phi U$. $\Box$
Proof of theorem 4.2. From WI1–WI4 and the definition of $id$ it follows that $Q \in IG$, $(t, R) \in \phi Q \Rightarrow in\,Q \cap R = \emptyset$,
$\hat\tau Q \subseteq \hat\tau P$ and $\tau P \subseteq \tau Q$. The first two properties imply $Q \in GIO$. Hence, by
the last two properties and proposition A.7, we obtain $Q \sqsubseteq P$. $\Box$
A.6 Compositionality in cyclic networks
The following diagram may be useful when reading the next two proofs.
[Diagram: compatible processes $K$ and $L$ with channel sets $C$, $D$, $E$, $F$, $G$ and $H$ ($C \to K \to E$, $F \to L \to G$, $D$ from $K$ to $L$ and $H$ from $L$ to $K$), forming $J = K \otimes L$.]
Proposition A.13 If $K$ and $L$ are compatible GIO processes as in figure 7(a), then $K \otimes L \in GIO$.
Proof. From $K$ and $L$ being compatible and deadlock-free (theorem A.5), it follows that $J$ is
divergence-free and input-guarded. This, $K, L \in GIO$ and the definition of the parallel composition
and hiding operators, imply that $R \cap CF = \emptyset$, for every $(t, R) \in \phi J$. $\Box$
The following diagram may be useful when reading the next proof.
[Diagram: processes $M$ and $N$ with channel sets $C$, $D$, $E$, $F$, $G$ and $H$ ($C \to M \to E$, $F \to N \to G$, $D$ from $M$ to $N$ and $H$ from $N$ to $M$), forming $O = M \otimes N$.]
Proof of theorem 5.1. Let $V = \{t \in \tau S \mid t \upharpoonright CF \in Dom_{cf}\}$ and $V' = \{t \in \tau O \mid t \upharpoonright CF \in Dom_{cf}\}$.
Suppose that $V \cap \delta S \ne \emptyset$. Then, without loss of generality (note that, unlike in figure 1, the roles
of $K$ and $L$ are now fully symmetric), there is $t \in V \cap \delta S$ such that $t \upharpoonright M \in \delta M$ and $t \upharpoonright N \in \tau N$.
From SI1(a) for $M$ and $N$, and by induction on the length of the prefixes of $t$, it can be shown that
$w \in Dom_{cdefgh}$, for all $w \le t$. In particular, $t \in Dom_{cdefgh}$ which means that $t \upharpoonright CH \in Dom_{ch}$. Thus
$t \upharpoonright M \in \delta M$ and $t \upharpoonright CH \in Dom_{ch}$. From CSP4 and $ED \ne \emptyset$ it follows that there are $a_1, a_2, \ldots \in ED$
such that $t_k = (t \upharpoonright M) \cdot \langle a_1, \ldots, a_k\rangle \in \tau M$, for all $k \ge 1$. Then, by taking $T = \{t_k \mid k \ge 1\}$, we obtain
a contradiction with SI1(b) for $M$. Thus we have
(1) $V \cap \delta S = \emptyset$.
We now observe that from (1) and SI1(a) for $M$ and $N$, and by induction on the length of the traces,
it can be shown that
(2) $V \subseteq Dom_{cdefgh}$.
Suppose $V' \cap \delta O \ne \emptyset$. Then, by (1), there is an infinite sequence of traces $t_1, t_2, \ldots \in \tau S \cap V$ such
that $t_1 < t_2 < \ldots$ and $t_1 \upharpoonright O = t_i \upharpoonright O$, for all $i \ge 1$. Hence $\{t_i \upharpoonright M \mid i \ge 1\}$ is infinite. Consequently, by
(2) and SI1(b) for $M$,
(3) $\{extr_{ch}(t_i \upharpoonright CH) \mid i \ge 1\}$ is infinite.
For every $i \ge 1$, consider $w_i = extr_{cdefgh}(t_i)$ which is, by (2), a well-defined trace. We have the
following: (i) $w_1, w_2, \ldots \in \tau I$ (follows from proposition A.10(2) and SI1(c) for $M$ and $N$); (ii) $\{w_i \mid i \ge 1\}$
is infinite (follows from (3)); and (iii) $w_1 \upharpoonright J = w_i \upharpoonright J$, for all $i \ge 1$ (follows from proposition A.10(2)
and $t_1 \upharpoonright O = t_i \upharpoonright O$, for all $i \ge 1$). But (i,ii,iii) contradict the assumed compatibility of $K$ and $L$. Hence
$V' \cap \delta O = \emptyset$. This and the definition of the hiding operator means that
(4) $V' = V \upharpoonright O$.
We now proceed with the proof proper. From (2,4) it follows immediately that SI1(a) holds for $O$. To
show SI1(b), we take an infinite $T \subseteq V'$. From (4) it follows that there is $W \subseteq V$ such that $T = W \upharpoonright O$.
By (1), $X = W \upharpoonright M \subseteq \tau M$ and $Y = W \upharpoonright N \subseteq \tau N$. From $T$ being infinite it follows that $X$ or $Y$
also is. Without loss of generality, we assume $X$ is infinite. Then, by SI1(b) for $M$, $extr_{ch}(X \upharpoonright CH)$
is infinite. If $extr_c(X \upharpoonright C)$ is infinite then SI1(b) holds for $O$. Otherwise, $extr_h(X \upharpoonright H)$ is infinite and so
is $Y \upharpoonright H = X \upharpoonright H$. Therefore, by SI1(b) for $N$, $extr_{df}(Y \upharpoonright DF)$ is infinite. If $extr_f(Y \upharpoonright F)$ is infinite then
SI1(b) holds for $O$. Otherwise, $extr_d(Y \upharpoonright D)$ is infinite.
We are still left with the case when $extr_{hd}(W \upharpoonright HD)$ is infinite, while $extr_{cf}(W \upharpoonright CF)$ is finite. Define
$Z = extr_{cdefgh}(W)$. By (2) and SI1(c) for $M$ and $N$, $Z$ is well-defined and $Z \subseteq \tau I$. But we have that
$Z \upharpoonright HD$ is infinite and $Z \upharpoonright CF$ is finite, contradicting the compatibility of $K$ and $L$. Hence SI1(b) holds
for $O$.
As for the remaining conditions, SI1(c) and SI2 for $O$ follow directly from (1,2,4), SI1(c) and SI2 for
$M$ and $N$, and proposition A.10(2). Furthermore, from (1,2,4), SI2 and SI3(a) for $M$ and $N$, and
proposition A.10(2), it follows that SI3(a) holds for $O$.
To show SI3(b), suppose $(t, R) \in \phi O$, $t \in V'$, $EG \cap R \notin ref_{eg}(t \upharpoonright EG)$ and $t \in dom_{cefg}$. Then, by (1,2,4),
we can find $w$ and $R_0, R_1$ such that $(w, R \cup HD) \in \phi S$, $t = w \upharpoonright O$, $(w \upharpoonright M, R_0) \in \phi M$, $(w \upharpoonright N, R_1) \in \phi N$
and $R \cup HD = R_0 \cup R_1$. Thus, by SI3(a) for $M$ and $N$, it follows that $w \in dom_{cdefgh}$. We then
proceed, similarly as in the proof of WI3 in theorem 4.1, to show that $extr_{cefg}(t) \in \hat\tau J$. Hence SI3(b)
holds.
Finally, SI4 can be proved similarly as WI4 was in theorem 4.1. $\Box$
Corollary A.14 Let $K$ and $L$ be two compatible GIO processes as in figure 7(a), and let $c$, $d$, $e$, $f$,
$g$ and $h$ be extraction patterns whose targets are respectively the channel sets $C$, $D$, $E$, $F$, $G$ and $H$.
If $M \in sSl(K, c\,h, d\,e)$ and $N \in sSl(L, d\,f, g\,h)$ then $M \otimes N \in sSl(K \otimes L, c\,f, e\,g)$.
Proof. In the proof of theorem 5.1, SI4 was not needed to show that SI1–SI3 hold. $\Box$
A.7 Combining weak and strong implementability
Proposition A.15 Let $ep$ be an extraction pattern such that $dom$ is prefix-closed and $extr^{-1}(w)$ is
always finite. Then $WI(P, ep, ep') = SI(P, ep, ep')$.
Proof. We need to show that WI implies SI. The first assumption ensures that IG1 in WI1 and WI3
imply SI3; the second one ensures that IG2 in WI1 implies SI1(b). To show SI1(c) we observe that
WI1 implies that for every $t \in Dom$ there is $w \in \hat\tau Q$ such that $t \le w$ and $w \upharpoonright in\,Q = t \upharpoonright in\,Q \in Dom$.
This, $dom = Dom$ and WI3, implies $extr_{ep\,ep'}(w) \in \tau P$. Hence SI1(c) holds by the monotonicity of
extraction mappings. $\Box$
The following two diagrams may prove useful when reading the next proof.
[Diagrams: $J = K \otimes L$ and $O = M \otimes N$ with channel sets $C$, $D$, $E$ and $G$ ($C \to K \to E$ and $L \to G$, $D$ from $K$ to $L$; likewise for $M$ and $N$).]
Proof of theorem 5.2. By theorem 4.1, $O \in WI(J, c, e\,g)$. This means SI4 and SI1(a) hold.
Define $V = \{t \in \tau S \mid t \upharpoonright C \in Dom_c\}$ and $V' = \{t \in \tau O \mid t \upharpoonright C \in Dom_c\}$. From proposition A.4(2) and
$O \in IG(Dom_c, Dom_{eg})$ it follows that $V \cap \delta S = V' \cap \delta O = \emptyset$. Hence
(1) $V' = V \upharpoonright O$, $V \upharpoonright M \subseteq \tau M$ and $V \upharpoonright N \subseteq \tau N$.
Suppose $T \subseteq V'$ is infinite and $extr_c(T \upharpoonright C)$ is finite. By (1), there is $W \subseteq V$ such that $T = W \upharpoonright O$. From
SI1(a) for $M$, (1) and $O \in IG(Dom_c, Dom_{eg})$ and proposition A.10(2), it follows that $W \subseteq Dom_{cdeg}$.
By SI1(b) for $M$, $W \upharpoonright M$ is finite. Hence $W \upharpoonright N$ is infinite since $T$ is. As a result, $W \upharpoonright D$ is finite whereas
$W \upharpoonright N$ is infinite, contradicting $N \in IG(Dom_d, Dom_g)$. Hence SI1(b) for $O$ holds.
To show SI1(c), suppose that $t \in \tau O$ and $t \upharpoonright C \in Dom_c$. From $O \in IG(Dom_c, Dom_{eg})$ it follows that
there is $w \in \tau O$ such that $t \le w$, $t \upharpoonright M = w \upharpoonright M$ and $w \in \hat\tau O$. We will show that $extr_{ceg}(w) \in \hat\tau J$
which will be sufficient due to the monotonicity of extraction functions.
From (1) it follows that there is $z \in \tau S$ and $R_0$, $R_1$ such that
(2) $R_0 \cup R_1 = D \cup DEG$
(3) $(z \upharpoonright M, R_0) \in \phi M$, $(z \upharpoonright N, R_1) \in \phi N$ and $w = z \upharpoonright O$.
From WI2 for $N$, (2,3) and SI3(a) for $M$, it follows that $z \upharpoonright DE \in dom_{de}$. This, (2,3) and WI3 for
$N$, implies that $extr_{dg}(z \upharpoonright N) \in \hat\tau L$. Together with SI1(c) for $M$ this yields $extr_{cdeg}(z) \in \hat\tau I$. Hence
$extr_{ceg}(w) \in \hat\tau J$, by proposition A.10(2).
To show SI3(a) we take $(w, R) \in \phi O$ satisfying $w \upharpoonright C \in Dom_c$ and $EG \cap R \notin ref_{eg}(w \upharpoonright G)$. By proceeding
similarly as above we can find $z, R_0, R_1$ satisfying (3) and $R_0 \cup R_1 = D \cup R$. We then have, as before,
$z \upharpoonright D \in dom_d$. This, and WI3 for $N$, implies $w \upharpoonright G = z \upharpoonright G \in dom_g$.
SI3(b) for $O$ follows from SI3(b) for $M$ and WI3 for $N$; the proof is similar to that for SI3(a). SI4
follows from SI4 for $M$ and WI4 for $N$. $\Box$
Corollary A.16 Let $K$ and $L$ be two GIO processes as in figure 7(b), and let $c, d, e$ and $g$ be extraction
patterns whose targets are respectively the channel sets $C, D, E$ and $G$. If $M \in sSl(K, c, d\,e)$ and
$N \in sWl(L, d, g)$ then $M \otimes N \in SI(K \otimes L, c, e\,g)$.
Proof. In the proof of theorem 5.2, WI4 and SI4 were not needed to show that SI1–SI3 hold. $\Box$