Compositional Development in the Event of Interface Difference by Burton J et al.
Compositional Development in the Event of Interface Difference
Jonathan Burton (1), Maciej Koutny (1), Giuseppe Pappalardo (2), and Marta Pietkiewicz-Koutny (1)
(1) Department of Computing Science, University of Newcastle, Newcastle upon Tyne NE1 7RU, U.K. {j.i.burton,maciej.koutny,marta.koutny}@ncl.ac.uk
(2) Dipartimento di Matematica e Informatica, Università di Catania, I-95125 Catania, Italy, pappalardo@dmi.unict.it
Abstract. We present here an implementation relation which allows compositional development of a network of communicating processes, in the event that corresponding specification and implementation components have different interfaces. This relation enjoys two basic properties which are fundamental to its success. It is compositional, in the sense that a target composed of several connected systems may be implemented by connecting their respective implementations. In addition, an implementation, when plugged into an appropriate environment, is to all intents and purposes a conventional implementation of the target. We illustrate our approach by outlining the development of a fault-tolerant system based on co-ordinated atomic actions (CA actions). As a formal framework of concurrent computation, we use the model of Communicating Sequential Processes (CSP).

Keywords: Theory of parallel and distributed computation, behaviour abstraction, communicating sequential processes, compositionality, CA actions.
Introduction
Consider the situation that we have a specification network, Pnet, composed of n processes Pi, where all interprocess communication is hidden. Consider an implementation network, Qnet, also composed of n processes, again with all interprocess communication hidden. Assume that there is a one-to-one relationship between component processes in Pnet and those in Qnet. Intuitively, Pi is intended to specify Qi in some sense. Finally, assume that the interface of Qnet, in terms of externally observable actions, is the same as that of Pnet.
In process algebras, such as those used in [11, 15], the notion that a process Qnet implements a process Pnet is based on the idea that Qnet is more deterministic than (or equivalent to) Pnet in terms of the chosen semantics. (In the following, we shall also refer to such specifications as target or base systems.)
The process of refining the target into the implementation also allows the designer to change the control structure of the latter. In such a case, Qnet has implemented Pnet by describing its internal structure in a more concrete and detailed manner. However, we are able to hide the details of that internal structure, and then verify that this new internal structure still gives correct behaviour at the interface of Qnet, which is still that of Pnet. Indeed, the standard notions of refinement, such as those of [11, 15], are interested only in observable actions, i.e., in the behaviour available at the interface of processes. However, the interfaces of the specification and implementation processes must be the same to facilitate comparison.
A question naturally arises. What if we wish to approach this verification problem compositionally? What if we want to verify that Qnet implements Pnet simply by verifying that Qi implements Pi, for each 1 ≤ i ≤ n? In general, this is only possible if Qi and Pi have the same communication interface. Thus, Qi may implement Pi by describing its computation in a more concrete manner, but it may not do so by refining its interface, at least if we wish to carry out compositional verification.
Yet in deriving an implementation from a specification we will often wish
to implement abstract, high-level interface actions at a lower level of detail and
in a more concrete manner. For example, the channel connecting Pi to another
component process Pj may be unreliable and so it may need to be replaced by
a data channel and an acknowledgement channel. Or Pi itself may be liable to
fail and so its behaviour may need to be replicated, with each new component
having its own communication channels to avoid a single channel becoming a
bottleneck (such a scenario was one of the major historical motivations behind
the present work [3, 4, 8, 9]). Or it may simply be the case that a high-level action
of Pi has been rendered in a more concrete, and so more implementable, form. As
a result, the interface of an implementation process may end up being expressed
at a lower (and so different) level of abstraction to that of the corresponding
specification process. In the process algebraic context, where our interest lies
only in observable behaviour, this means that verification of correctness must be
able to deal with the case that the implementation and specification processes
have different interfaces.
The relation between processes detailed in the remainder of this paper allows
us to carry out such compositional verification in the event that Qi and Pi have
different interfaces.
An important notion in the development of this relation is that of extraction pattern. Extraction patterns interpret the behaviour of a system at the level of communication traces, by relating behaviour on a set of channels in the implementation to behaviour on a channel in the specification. In addition, they impose some correctness requirements upon the behaviour of an implementation; for example, the traces of the implementation should be correct with respect to the interface encoded by the extraction pattern. The set of extraction patterns defined for all channels in an implementation system appears as a formal parameter in a generic implementation relation.
The motivating framework given above for the implementation relation presented here leads to the identification of two natural constraints which must be placed upon any such implementation relation.
The first, realisability, ensures that the abstraction built into the implementation relation may be put to good use. In practice, this means that plugging an implementation into an appropriate environment (see, e.g., [8]) should yield a conventional implementation of the specification. A related requirement arises when the implementation relation is parameterized with a special set of extraction patterns, known as identity extraction patterns, which essentially formalise the fact that implementation and specification processes are represented at the same level of abstraction; in this case, the implementation relation should reduce to a satisfactory notion of behaviour refinement.
Compositionality, the other constraint on the implementation relation, requires it to distribute over system composition. Thus, a specification composed of a number of connected systems may be implemented by connecting their respective implementations. It is remarkable that although in general Qi and Pi do not have the same interface, we know that, when all of the components Qi have been composed, the result — namely Qnet — will have the same interface as the corresponding specification process — namely Pnet. Compositionality is important in avoiding the state explosion problem when we approach automatic verification, algorithms for which have been developed in [3].
The paper is organised as follows. In the next section, we introduce some basic
notions used throughout the paper. In section 2, we present extraction patterns
— a central notion to characterising the interface of an implementation. Section 3
deals with the implementation relation, while section 4 applies our approach to
the compositional development of a concurrent system based on co-ordinated
atomic actions. Comparison with other work, in particular [1, 2, 6, 10, 14, 16],
can be found in [4, 9].
1 Preliminaries
Traces, failures and divergences. Processes are represented in this paper using the failures-divergences model of Communicating Sequential Processes (CSP) [7, 15] — a formal model for the description of concurrent computing systems. A CSP process can be regarded as a black box which may engage in interaction with its environment. Atomic instances of this interaction are called actions and must be elements of the alphabet of the process. A trace of the process is a finite sequence of actions that a process can be observed to engage in. In this paper, structured actions of the form b:v will be used, where v is a message and b is a communication channel. For every channel b, µb is the message set of b, i.e., the set of all v such that b:v is a valid action, and $\alpha b \stackrel{\text{df}}{=} \{b{:}v \mid v \in \mu b\}$ is the alphabet of b. For a set of channels B, $\alpha B \stackrel{\text{df}}{=} \bigcup_{b \in B} \alpha b$.
Throughout the paper we use notations similar to those of [7]. A trace t[b′/b] is obtained from trace t by replacing each action b:v by b′:v, and t↾B is obtained by deleting from t all the actions that do not occur on the channels in B. For example, if t = 〈b:2, c:3, b:2, c:6, d:7〉, then t[e/b] = 〈e:2, c:3, e:2, c:6, d:7〉 and t↾{b, d} = 〈b:2, b:2, d:7〉. A mapping from a set of traces to a set of traces f : T → T′ is monotonic if t, u ∈ T and t ≤ u implies f(t) ≤ f(u), where ≤ is the prefix relation on traces. For a set T of traces, Pref(T) is the set of all prefixes of the traces in T. Finally, ◦ is the concatenation operation for traces.
We use the standard failures-divergences model of CSP [7, 15] in which a process P is a triple (αP, φP, δP) where αP (the alphabet) is a non-empty finite set of actions, φP (the failures) is a subset of αP* × P(αP), and δP (the divergences) is a subset of αP*. The conditions imposed on the three components are given below, where τP denotes the traces of P, $\tau P \stackrel{\text{df}}{=} \{t \mid \exists R \subseteq \alpha P : (t, R) \in \phi P\}$:
– τP is non-empty and prefix-closed.
– If (t, R) ∈ φP and S ⊆ R then (t, S) ∈ φP.
– If (t, R) ∈ φP and a ∈ αP is such that t ◦ 〈a〉 ∉ τP then (t, R ∪ {a}) ∈ φP.
– If t ∈ δP then (t ◦ u, R) ∈ φP, for all u ∈ αP* and R ⊆ αP.
Moreover, we will associate with P a set of channels, χP, and stipulate that the alphabet of P is that of χP.
If (t, R) ∈ φP then P is said to refuse R after t. Intuitively, this means that
P can deadlock, should the environment offer R as the set of possible actions
to be executed after t. If t ∈ δP then P is said to diverge after t. In the CSP
model this means the process behaves in a totally uncontrollable way. Such
a semantical treatment is based on what is often referred to as ‘catastrophic’
divergence whereby the process in a diverging state is modelled as being able to
engage in any action and generate any refusal.
CSP operators Although for our purposes neither the syntax nor the semantics
of the whole standard CSP [7, 15] are needed — essential are only the parallel
composition of processes, hiding of the communication over a set of channels
and renaming of channels — we shall now recall additionally other operators
used in the examples throughout this paper. Notice that in all the definitions,
the direction of a channel (i.e., whether it is an input or output one) remains
unchanged after application of the operator.
Parallel composition P‖Q models synchronous communication between processes in such a way that each of them is free to engage independently in any action that is not in the other's alphabet, but they have to engage simultaneously in any action that is in the intersection of their alphabets. Formally, the channels of P‖Q are the union of those of P and Q, and
$$\delta(P \parallel Q) \stackrel{\text{df}}{=} \{t \circ u \mid (t{\upharpoonright}\chi P,\ t{\upharpoonright}\chi Q) \in (\tau P \times \delta Q) \cup (\delta P \times \tau Q) \wedge u \in (\alpha P \cup \alpha Q)^*\}$$
$$\phi(P \parallel Q) \stackrel{\text{df}}{=} \{(t, R \cup S) \mid (t{\upharpoonright}\chi P, R) \in \phi P \wedge (t{\upharpoonright}\chi Q, S) \in \phi Q\} \cup \delta(P \parallel Q) \times \mathcal{P}(\alpha(P \parallel Q)) .$$
Parallel composition is commutative and associative; we shall use P1‖ · · · ‖Pn to denote the parallel composition of processes P1, . . . , Pn.
Let P be a process and B be a set of channels of P; then P\B is a process that behaves like P with the actions occurring at the channels in B made invisible. Formally, the channels of P\B are those belonging to χP − B, and
$$\delta(P \setminus B) \stackrel{\text{df}}{=} \{t{\upharpoonright}\chi(P \setminus B) \circ u \mid u \in \alpha(P \setminus B)^* \wedge (t \in \delta P \vee \exists a_1, a_2, \ldots \in \alpha B\ \forall n \geq 1 : t \circ \langle a_1, \ldots, a_n\rangle \in \tau P)\}$$
$$\phi(P \setminus B) \stackrel{\text{df}}{=} \{(t{\upharpoonright}\chi(P \setminus B), R) \mid (t, R \cup \alpha B) \in \phi P\} \cup \delta(P \setminus B) \times \mathcal{P}(\alpha(P \setminus B)) .$$
Hiding is associative in that (P\B)\B′ = P\(B ∪ B′). A crucial property involving the parallel composition and hiding operators states that if P and Q are two processes and B ⊆ χP − χQ then (P\B)‖Q = (P‖Q)\B. Such a property is needed in order to treat process networks in a compositional way.
Let P be a process and b ∈ χP, b′ ∉ χP channels such that µb = µb′. Then P[b′/b] is a process that behaves like P except that each action b:v by P is replaced by b′:v. The channels of P[b′/b] are those of P with b replaced by b′, and
$$\delta P[b'/b] \stackrel{\text{df}}{=} \{t[b'/b] \mid t \in \delta P\}$$
$$\phi P[b'/b] \stackrel{\text{df}}{=} \{(t[b'/b], R[b'/b]) \mid (t, R) \in \phi P\} ,$$
where R[b′/b] is obtained from R by replacing each action b:v by b′:v.
In the next two operations on processes it is assumed that P and Q have the same channels. Then the deterministic choice (P □ Q) and non-deterministic choice (P ⊓ Q) are processes with the same channels as P and Q, the divergences being the union of those of P and Q, and the failures given respectively by
$$\phi(P \mathrel{\Box} Q) \stackrel{\text{df}}{=} \{(\langle\,\rangle, R) \mid (\langle\,\rangle, R) \in \phi P \cap \phi Q\} \cup \{(t, R) \mid t \neq \langle\,\rangle \wedge (t, R) \in \phi P \cup \phi Q\}$$
$$\phi(P \sqcap Q) \stackrel{\text{df}}{=} \phi P \cup \phi Q .$$
The last operator is prefixing. Assuming that a is an action in the alphabet of a process P, a → P is the process with the same alphabet as P and
$$\delta(a \to P) \stackrel{\text{df}}{=} \{\langle a\rangle \circ t \mid t \in \delta P\}$$
$$\phi(a \to P) \stackrel{\text{df}}{=} \{(\langle a\rangle \circ t, R) \mid (t, R) \in \phi P\} \cup \{\langle\,\rangle\} \times \mathcal{P}(\alpha P - \{a\}) .$$
We also use StopB , or simply Stop if B is clear from the context, to denote
a deadlocked process with channel set B.
In examples, we use simple (mutually) recursive process definitions of the form $P \stackrel{\text{df}}{=} E$, where E is an expression built using the prefix, deterministic and non-deterministic choice, and Stop constructs. For example, $P \stackrel{\text{df}}{=} (a \to P) \mathrel{\Box} (b \to \mathit{Stop})$ defines a process which can execute action a any number of times, and then perhaps execute b and terminate. It is beyond the scope of this paper to give a precise treatment of recursive processes, and the reader is referred to, e.g., [15] for a full account of this aspect of CSP.
Networks of processes. Processes P1, . . . , Pn form a network if no channel is shared by more than two Pi's. We define P1 ⊗ · · · ⊗ Pn to be the process obtained by taking the parallel composition of the processes and then hiding all interprocess communication, i.e., the process (P1‖ · · · ‖Pn)\B, where B is the set of channels shared by two different processes in the network. Network composition is commutative and associative. As a result, a network can be obtained by first composing some of the processes into a subnetwork, and then composing the result with the remaining processes. Moreover, the order in which processes are composed does not matter.
The definition of process network used in this paper assumes a one-to-one
interprocess communication at the specification level. However, more general
base process networks, such as those based on multicasting, may be modelled,
e.g. by explicitly adding processes replicating messages sent, and forwarding
them to several processes.
We can partition the channels of a process P into the input channels, in P ,
and output channels, out P . It is assumed that no two processes in a network
have a common input channel or a common output channel. In the diagrams, an
outgoing arrow indicates an output channel, and an incoming arrow indicates
an input channel (being an input or output channel of a process is, in general, a
purely syntactic notion).
Base processes. A channel c of a process P is value independent if, for all (t, R) ∈ φP, αc ∩ R ≠ ∅ implies (t, R ∪ αc) ∈ φP. We then define an input-output process (IO process) to be a non-diverging process P such that all its input channels are value independent. Intuitively, in an IO process the data component of a message arriving on an input channel c is irrelevant as far as its receiving is concerned; if one such message can be refused then so can any other message. In practice, this is not a restrictive property and, in particular, the standard programming constructs like c?x for receiving messages give rise to value independent input channels. The requirement that an IO process P should be non-diverging, i.e., δP = ∅, is standard in a CSP based framework, as divergences basically signify totally unacceptable behaviour. The class of base IO processes is compositional, i.e., a network of IO processes is an IO process (provided that the composition does not generate a divergence).
2 Extraction patterns
We first explain the basic mechanism behind our modelling of behaviour abstraction, viz. the extraction pattern, using a simple example.
Consider a pair of base processes, Dbl and Buf, shown in figure 1. Dbl receives a signal (0 or 1) on its input channel at the very beginning of its execution, forwards this signal followed by its converse on its output channel and terminates. Buf is a buffer of capacity one, forever forwarding signals received on its input channel. In terms of CSP, we can represent them as
$$\mathit{Dbl} \stackrel{\text{df}}{=} \Box_{i \in \{0,1\}}\ c{:}i \to d{:}i \to d{:}(1-i) \to \mathit{Stop}$$
$$\mathit{Buf} \stackrel{\text{df}}{=} \Box_{i \in \{0,1\}}\ d{:}i \to e{:}i \to \mathit{Buf} ,$$
and one can see that Dbl ⊗ Buf is semantically equal to Dbl[e/d], i.e., the composition of the two processes behaves like Dbl with its output channel renamed to e.
[Figure 1: Dbl, with input channel c, sends to Buf over channel d, and Buf outputs on channel e; the implementations Dbl′ and Buf′ have the same external channels c and e but are connected by the two channels rel and fst.]
Fig. 1. Two base processes and their implementations.
Suppose now that the signal transmission between the two processes has been implemented using two channels, rel and fst, as shown in figure 1. The transmissions on d are now duplicated and the two copies sent along rel (reliable but slow) and fst (fast but unreliable). That is, Dbl′ sends a duplicated signal, while Buf′ accepts the first received copy of the signal and passes it on ignoring the other one:
$$\mathit{Dbl}' \stackrel{\text{df}}{=} \Box_{i \in \{0,1\}}\ c{:}i \to (\mathit{rel}{:}i \to \mathit{rel}{:}(1-i) \to \mathit{Stop} \parallel \mathit{fst}{:}i \to \mathit{fst}{:}(1-i) \to \mathit{Stop})$$
and $\mathit{Buf}' \stackrel{\text{df}}{=} \mathit{Buf}^{\langle\,\rangle}$, where:
$$\mathit{Buf}^{\langle\,\rangle} \stackrel{\text{df}}{=} \Box_{i \in \{0,1\}}\ \mathit{rel}{:}i \to e{:}i \to \mathit{Buf}^{\langle \mathit{fst}{:}i\rangle} \ \mathrel{\Box}\ \Box_{i \in \{0,1\}}\ \mathit{fst}{:}i \to e{:}i \to \mathit{Buf}^{\langle \mathit{rel}{:}i\rangle}$$
$$\mathit{Buf}^{\langle \mathit{fst}{:}k\rangle \circ z} \stackrel{\text{df}}{=} \Box_{i \in \{0,1\}}\ \mathit{rel}{:}i \to e{:}i \to \mathit{Buf}^{\langle \mathit{fst}{:}k\rangle \circ z \circ \langle \mathit{fst}{:}i\rangle} \ \mathrel{\Box}\ \mathit{fst}{:}k \to \mathit{Buf}^{z}$$
$$\mathit{Buf}^{\langle \mathit{rel}{:}k\rangle \circ z} \stackrel{\text{df}}{=} \Box_{i \in \{0,1\}}\ \mathit{fst}{:}i \to e{:}i \to \mathit{Buf}^{\langle \mathit{rel}{:}k\rangle \circ z \circ \langle \mathit{rel}{:}i\rangle} \ \mathrel{\Box}\ \mathit{rel}{:}k \to \mathit{Buf}^{z} .$$
In the above, the traces appearing in the superscripts indicate which messages should be ignored by Buf′, as their copies have already been received.
Such a scheme clearly works as we have Dbl ⊗ Buf = Dbl′ ⊗ Buf′. Suppose next that the transmission of signals is imperfect and two types of faulty behaviour can occur:
$$\mathit{Dbl}_1 \stackrel{\text{df}}{=} \mathit{Dbl}' \sqcap \mathit{Stop} \quad\text{and}\quad \mathit{Dbl}_2 \stackrel{\text{df}}{=} \mathit{Dbl}' \sqcap \Box_{i \in \{0,1\}}\ c{:}i \to \mathit{rel}{:}i \to \mathit{rel}{:}(1-i) \to \mathit{Stop} .$$
In other words, Dbl1 can break down completely, refusing to output any signals, while Dbl2 can fail in such a way that although channel fst is completely blocked, rel can still transmit the signals (Dbl2 could be used to model the following situation: in order to improve performance, a ‘slow’ channel d is replaced by two channels, a potentially fast yet unreliable channel fst, and a slower but reliable backup channel rel). Since Dbl ⊗ Buf = Dbl2 ⊗ Buf′ and Dbl ⊗ Buf ≠ Dbl1 ⊗ Buf′, it follows that Dbl2 is much ‘better’ an implementation of the Dbl process than Dbl1. We will now analyse the differences between the behavioural properties of the two processes and, at the same time, introduce informally some basic concepts used subsequently.
We start by observing that the output of Dbl2 can be thought of as adhering
to the following two rules: (R1) the transmissions over rel and fst are consistent
w.r.t. message content (the set of all traces over rel and fst satisfying such a
property will be denoted by Dom); and (R2) transmission over rel is reliable;
there is no such guarantee for fst . The output produced by Dbl1 satisfies R1, but
fails to satisfy R2, unlike Dbl2 which satisfies R1-2. To express this difference
formally, we need to render these two conditions in some form of precise notation.
To capture the relationship between traces of Dbl and Dbl2, we will employ an (extraction) mapping extr, which for a trace over rel and fst returns the corresponding trace over d. For example, keeping in mind that duplicates of signals should be ignored by the receiving process, some extraction mappings will be:
$$\langle\,\rangle \mapsto \langle\,\rangle$$
$$\langle \mathit{rel}{:}0\rangle \mapsto \langle d{:}0\rangle$$
$$\langle \mathit{fst}{:}0\rangle \mapsto \langle d{:}0\rangle$$
$$\langle \mathit{fst}{:}1, \mathit{rel}{:}1\rangle \mapsto \langle d{:}1\rangle$$
$$\langle \mathit{fst}{:}1, \mathit{rel}{:}1, \mathit{fst}{:}0\rangle \mapsto \langle d{:}1, d{:}0\rangle .$$
Notice that the extraction mapping need only be defined for traces satisfying R1, i.e., those in Dom. We further observe that, in view of R2, some of the traces in Dom may be regarded as incomplete. For example, 〈fst:1, rel:1, fst:0〉 is such a trace since channel rel is reliable and so the duplicate of fst:0 (i.e., rel:0) is bound to be eventually offered for transmission. The set of all other traces in Dom — i.e., those which in principle may be complete — will be denoted by dom (in general, Dom = Pref(dom), meaning that each interpretable trace has, at least in theory, a chance of being completed). For our example, dom will contain all traces in Dom where the transmission on fst has not overtaken that on rel. (As another example, suppose that the whole sequence of actions a1, . . . , ak is extracted to a single action a, i.e., 〈a1, . . . , ai〉 ↦ 〈 〉, for i < k, and 〈a1, . . . , ak〉 ↦ 〈a〉; then we do not consider such a transmission complete unless the whole sequence a1, . . . , ak has been transmitted.)
Although it will play a central role, the extraction mapping alone is not sufficient to identify the ‘correct’ implementation of Dbl in the presence of faults since τDbl = extr(τDbl1) = extr(τDbl2), while Dbl1 is incorrect. What one also needs is an ability to relate the refusals of potential implementations Dbl1 and Dbl2 with the possible refusals of the base process Dbl. This, however, is much harder than relating traces. For suppose that we attempted to ‘extract’ the refusals of Dbl2 using the mapping extr. Then, we would have had (〈c:0〉, {fst:0}) ∈ φDbl2, while extr(〈c:0〉, {fst:0}) = (〈c:0〉, {d:0}) ∉ φDbl. This indicates that the crude extraction of refusals is not going to work. What we need is a more sophisticated device, which in our case comes in the form of another mapping, ref, constraining the possible refusals a process can exhibit on channels in the implementation, after a given trace t ∈ Dom. For example, we should not allow the refusal of rel:0, after an incomplete communication t = 〈fst:0〉.
The refusal bounds given by ref may be thought of as ensuring a kind of liveness or progress condition on sets of channels upon which composition will occur when implementation components are composed to build the full implementation system Qnet. Since these channels are to be composed upon and so hidden, the progress enforced manifests itself in the final system as the occurrence of a τ (invisible) transition, which leads to the instability of the states in which those τ transitions are enabled. This then means that these states will not contribute a failure of Qnet. Conversely, if we may not enforce progress after a complete behaviour, then it is possible that the relevant state reached will contribute to a failure, (t, R), of Qnet. Since, in the failures model of CSP, if Qnet ‘implements’ Pnet, φQnet ⊆ φPnet, then we must ensure that the relevant failure, (t, R), also occurs in Pnet. We do this by ensuring that progress will not be possible on the corresponding channel in the specification component. Here, lack of progress on internal channels leads to stability and the fact that the relevant state will give rise to a failure of Pnet.
Therefore, a sender implementation process, like Dbl2, can admit a refusal disallowed by ref(t) if the target process, Dbl, admits after the extracted trace extr(t) the refusal of all communication on the corresponding channel and, moreover, the trace t itself is complete, i.e., t ∈ dom.
Finally, it should be stressed that ref (t) gives a refusal bound on the sender
side (more precisely, the process which implements the sender target process).
But this is enough since, if we want to rule out a deadlock in communication
between the sender and receiver (on a localised set of channels), it is now possible
to stipulate on the receiver side that no refusal is such that, when combined with
any refusal allowed by ref (t) on the sender side, it can yield the whole alphabet
of the channels used for transmission.
Formal definition of extraction pattern. The notion of extraction pattern (introduced and used in [8, 9], and slightly simplified here) relates behaviour on a set of channels in an implementation process to that on a channel in the target process. It has two main functions: that of interpretation of behaviour, necessitated by interface difference, and the encoding of some correctness requirements.

Definition 1. An extraction pattern is a tuple $ep \stackrel{\text{df}}{=} (B, b, dom, extr, ref)$, where: B ≠ ∅ is a set of source channels, and b is a target channel; dom ≠ ∅ is a set of traces over the sources; extr is a monotonic mapping defined for traces t ∈ Dom $\stackrel{\text{df}}{=}$ Pref(dom) such that extr(t) is a trace over the target and extr(〈 〉) = 〈 〉; and ref is a mapping defined for traces t ∈ Dom such that ref(t) is a non-empty family of proper subsets of αB (it is assumed that R ∈ ref(t) and R′ ⊂ R always implies R′ ∈ ref(t)).
As already mentioned, the mapping extr interprets a trace over the source channels B (in the implementation process) in terms of a trace over a channel b (in the target process), and defines functionally correct (i.e., in terms of traces) behaviour over those source channels by way of its domain. The mapping ref is used to define correct behaviour in terms of failures as it gives bounds on refusals after execution of a particular trace sequence over the source channels. dom contains those traces in Dom for which the communication over B may be regarded as complete; the constraint on refusals given by ref is only allowed to be violated for such traces. The intuition behind this requirement is that we cannot regard as correct a situation where deadlock occurs in the implementation process when behaviour is incomplete, for regarding this as correct behaviour would imply that the specification process could in some sense deadlock while in the middle of executing a single (atomic) action. The extraction mapping extr is monotonic as receiving more information cannot decrease the current knowledge about the transmission. αB ∉ ref(t) will be useful to forbid the sender to refuse all possible transmissions after an unfinished communication t.
The extraction pattern discussed informally for the example in figure 1 can be formalised as ep0, where $B \stackrel{\text{df}}{=} \{\mathit{rel}, \mathit{fst}\}$ and $b \stackrel{\text{df}}{=} d$. To define the remaining components, for a trace t over B and a channel x ∈ B, we denote by $t_x$ the trace obtained by first projecting t onto x and then renaming the channel x to d, i.e., $t_x \stackrel{\text{df}}{=} (t{\upharpoonright}x)[d/x]$. Then dom is the set of all traces t over B such that $t_{\mathit{fst}} \leq t_{\mathit{rel}}$, and so Dom is the set of all traces t over B such that $t_{\mathit{fst}} \leq t_{\mathit{rel}}$ or $t_{\mathit{rel}} \leq t_{\mathit{fst}}$. Moreover, for every trace t in Dom, extr(t) is the longest of the traces $t_{\mathit{fst}}$ and $t_{\mathit{rel}}$, and ref(t) is the set of all sets R ⊆ αB such that rel:0 ∉ R or rel:1 ∉ R.
Intuitively, the extraction mapping always returns a trace derived from the longer of the two communications over fst and rel (this is acceptable since these communications are consistent, see the definition of Dom). Complete traces are those where rel has not fallen back behind fst in transmitting the signals. The ref(t) component states that if behaviour is not complete on rel and fst, then at least one action must be possible on rel.
To relate incoming communication of Dbl and Dbl2, we will need another
kind of extraction pattern. An identity extraction pattern for a channel c, idc,
is one for which B df= {c}, b df= c, dom = Dom is the set of all traces over
channel c, extr(t) df= t and ref (t) is the set of all proper subsets of αc. The idea
here is that the extraction mapping is simply the identity mapping, i.e., the
specification and implementation processes have the same input interface. Any
such communication can therefore be a terminated one, i.e., it can be regarded
as complete.
We lift two of the notions introduced above to any set of extraction patterns Ep = {ep1, . . . , epn}, where epi = (Bi, bi, domi, extri, refi). DomEp is the set of all traces t over channels B1 ∪ . . . ∪ Bn such that t↾Bi ∈ Domi, for every i ≤ n. Moreover, $extr_{Ep}(\langle\,\rangle) \stackrel{\text{df}}{=} \langle\,\rangle$ and, for every t ◦ 〈a〉 ∈ DomEp with a ∈ αBi, $extr_{Ep}(t \circ \langle a\rangle) \stackrel{\text{df}}{=} extr_{Ep}(t) \circ u$, where (possibly empty) u is such that
$$extr_i(t{\upharpoonright}B_i \circ \langle a\rangle) = extr_i(t{\upharpoonright}B_i) \circ u .$$
In what follows, different extraction patterns will have disjoint sources and
distinct targets.
3 The implementation relation
Suppose that we intend to implement a base process P using another process Q with a possibly different communication interface. The correctness of the implementation will be expressed in terms of two sets of extraction patterns, In and Out. The former (with sources in Q and targets in P) will be used to relate the communication on the input channels of P and Q, the latter will serve a similar purpose for the output channels.
[Figure 2: the base process P with input channels b1, . . . , bm and output channels bm+1, . . . , bm+n, beside its implementation Q with input channel sets B1, . . . , Bm and output channel sets Bm+1, . . . , Bm+n.]
Fig. 2. Base process P and its implementation Q.
Let P be a base IO process as in figure 2 and, for every i ≤ m + n, let $ep_i \stackrel{\text{df}}{=} (B_i, b_i, dom_i, extr_i, ref_i)$ be an extraction pattern. We will denote by In the set of the first m extraction patterns epi, and by Out the remaining n extraction patterns. We then take any non-diverging process Q with the input channels B1 ∪ . . . ∪ Bm and output channels Bm+1 ∪ . . . ∪ Bm+n, as shown in figure 2, where thick arrows represent sets of channels. We will further say that channels Bi are blocked at a failure (t, R) ∈ φQ if either i ≤ m and αBi − R ∈ refi(t↾Bi), or i > m and αBi ∩ R ∉ refi(t↾Bi). (Note that in both cases this signifies that the refusal bound imposed by refi has been breached.) We denote this by i ∈ Blocked(t, R).
Definition 2. Under the above assumptions, Q is an implementation of P w.r.t. sets of extraction patterns In and Out, denoted Q InOut P, if the following hold, where All $\stackrel{\text{df}}{=}$ In ∪ Out.¹
1. τQ ⊆ DomAll and extrAll(τQ) ⊆ τP.
2. If t ≤ t′ ≤ . . . are unboundedly growing traces of Q, then the sequence of traces extrAll(t) ≤ extrAll(t′) ≤ . . . also grows unboundedly.
3. If (t, R) ∈ φQ and i ∈ Blocked(t, R), then t↾Bi ∈ domi.
4. If (t, R) ∈ φQ is such that t↾Bi ∈ domi for all i ≤ m + n, then
$$\Big(extr_{All}(t),\ \bigcup_{i \in Blocked(t,R)} \alpha b_i\Big) \in \phi P .$$
In the above definition, (1) states that all traces of Q can be interpreted as traces of P. According to (2), it is not possible to execute Q indefinitely without extracting any actions of P. According to (3), if refusals grow in excess of their bounds on a source channel set Bi, communication on Bi may be interpreted as locally completed. Finally, (4) states a condition for refusal extraction, whereby if a trace is locally completed on all channels, then any local blocking on a source channel set Bi in Q is transformed into the refusal of the whole αbi in P.

¹ In our previous work (see [3, 4, 8, 9]), the condition τQ ⊆ DomAll is replaced by a weaker rely/guarantee property (in the sense of [5]), which states that if a trace of Q projected on the input channels can be interpreted by In, then it must be possible to interpret its projection on the output channels by Out.
A direct comparison of an implementation process Q with the corresponding
base process P is only possible if there is no difference in the communication
interfaces. This corresponds to the situation that, in the definition of ≽_In^Out, both
In and Out are sets of identity extraction patterns. In such a case, we simply
denote Q ≽ P and then we can directly compare the semantics of the two
processes in question.
Theorem 1. Let Q be a divergence-free process with the same set of input channels
and the same set of output channels as an IO process P. Then Q ≽ P if
and only if for every (t, R) ∈ φQ,
\[
\Bigl(\, t,\ (\alpha\,\mathit{in}\,P \cap R) \ \cup \bigcup_{b \in \mathit{out}\,Q,\ \alpha b \subseteq R} \alpha b \Bigr) \in \phi P .
\]
Proof. For identity extraction patterns, the condition i ∈ Blocked(t, R) can be
reduced to αb_i ∩ R ≠ ∅ for an input channel b_i, and to αb_i ⊆ R for an output
channel b_i. Then the proof follows directly from definition 2, the definition of an
identity extraction pattern, and the fact that P is an IO process. □
That is, Q ≽ P implies that Q is a process whose functionality in terms
of traces conforms to that of the specification process P (to see this, it suffices
to take R = ∅). Moreover, all the essential refusals of Q are also present in
P . That is, all the refusals on input channels are preserved entirely, while for
output channels any refusal to output anything on a given channel b is also
present in P . The latter should indeed be considered as a very satisfactory state
of affairs: Q will never fail to provide an output consistent with the specification,
unless the specification process explicitly allows no output at all to be produced.
We therefore consider that the above result embodies a fully adequate notion of
realisability in any practical framework consistent with our setup. It is also worth
mentioning that ≽ is a preorder (i.e., it is a reflexive and transitive relation),
and is preserved by the hiding of communication channels.
Proposition 1. If Q ≽ P and B is a set of channels of P such that P\B is
divergence-free, then Q\B ≽ P\B.
Proof. By theorem 1, τQ ⊆ τP. Hence, since Q is divergence-free and P\B is
divergence-free, Q\B is also divergence-free.
Suppose that (t, R) ∈ φ(Q\B) and that B′ is the set of all b ∈ out(P\B) =
out(Q\B) such that αb ⊆ R. Then, since Q\B is divergence-free, there is (w, R ∪
αB) ∈ φQ such that w↾χ(Q\B) = t. By Q ≽ P and theorem 1, (w, (αin P ∩ R) ∪
αB′ ∪ αB) ∈ φP. Thus (t, (αin P ∩ R) ∪ αB′) ∈ φ(P\B), and so Q\B ≽ P\B,
by theorem 1. □
Compositional Development in the Event of Interface Difference 13
In the light of theorem 1, relation ≽ provides us with a direct measure of
the closeness of the approximation of the base process P by an implementation
process Q. It therefore deserves further discussion, in particular with regard to
its relationship with the standard refinement ordering of CSP, denoted by ⊒. In
our framework, Q ⊒ P (i.e., Q ‘CSP implements or refines’ P) basically amounts
to stating that φQ ⊆ φP.²
To start with, it is not difficult to check that Q ⊒ P implies Q ≽ P. Moreover,
≽ collapses to ⊒ for the rather wide class of output-determined IO processes. A
process P is said to be output-determined if, for any traces t ◦ ⟨c:v⟩ and t ◦ ⟨c:v′⟩
of P such that c is an output channel, it is the case that v = v′ (i.e., the result
produced by P on a given output channel c is determined at any given point of
its execution).
Theorem 2. If P is output-determined, then Q ≽ P implies Q ⊒ P.
Proof. Since, by definition, Q is divergence-free, we need to show that the failures
of Q are included in those of P. Suppose that (t, R) ∈ φQ and that B′ is the
set of all b ∈ out P such that αb ⊆ R. Moreover, assume that R is a maximal
refusal set after t, i.e., (t, R′) ∈ φQ and R ⊆ R′ implies R = R′.
Suppose now that (t, R) ∉ φP. By theorem 1, (t, R′′) ∈ φP, where R′′ =
(αin P ∩ R) ∪ αB′. Since (t, R′′) ∈ φP and (t, R) ∉ φP, there exists c:v ∈ R − R′′
such that t ◦ ⟨c:v⟩ ∈ τP. Clearly, c ∈ out P and c ∉ B′. Hence, since P is
output-determined, t ◦ ⟨c:v′⟩ ∉ τP, for all v′ ∈ µc − {v}. Thus, since τQ ⊆ τP, we also
have t ◦ ⟨c:v′⟩ ∉ τQ, for all v′ ∈ µc − {v}. Consequently, since R is a maximal
refusal set after t, we have c:v′ ∈ R, for all v′ ∈ µc − {v}. Together with c:v ∈ R
this means that c ∈ B′, a contradiction. □
We will now investigate what can be established by considering the way P
and Q interact with a possible environment. Let P be a (specification) base IO
process, which is not assumed to be output-determined, and Q be its implementation
w.r.t. suitable identity extraction patterns, i.e., let Q ≽ P. Therefore Q
can be used in place of P in an environment T accepting all their outputs, as
shown in figure 3. Our aim now is to relate the behaviour of Q and P in the
environment provided by the process T.
[Figure 3: P composed with the environment T (left) and Q composed with the same environment T (right).]
Fig. 3. Relating base and implementation processes in the context of an environment.
We assume that, besides P, also T is an IO process, their composition is
non-diverging, and out P ⊆ in T. We then obtain
Theorem 3 ([4]). If Q ≽ P then Q ⊗ T ⊒ P ⊗ T.
² In general, one would also require that δQ ⊆ δP, which in our case always holds as
Q is divergence-free.
Thus Q ⊗ T is at least as deterministic a process as P ⊗ T in the sense of
CSP (see [7, 15]). This makes Q at least as good as P (and possibly much better)
as a process to be used in practice. Hence we conclude that Q ≽ P captures an
adequate notion of realisability in the context of an environment T .
We finally present a fundamental result, that the implementation relation is
compositional.
Theorem 4 ([4]). Let K and L be two base IO processes whose composition is
non-diverging, as in figure 4, and let Ep_c, Ep_d, Ep_e, Ep_f, Ep_g and Ep_h be sets
of extraction patterns whose targets are respectively the channel sets C, D, E,
F, G and H. Then
\[
M \mathrel{\succcurlyeq^{\,Ep_d \cup Ep_e}_{\,Ep_c \cup Ep_h}} K
\ \wedge\
N \mathrel{\succcurlyeq^{\,Ep_g \cup Ep_h}_{\,Ep_d \cup Ep_f}} L
\ \Longrightarrow\
M \otimes N \mathrel{\succcurlyeq^{\,Ep_e \cup Ep_g}_{\,Ep_c \cup Ep_f}} K \otimes L .
\]
[Figure 4: K and L connected by channel sets D (from K to L) and H (from L to K); C and F are the external inputs of K and L, and E and G their external outputs.]
Fig. 4. Base processes used in the formulation of the compositionality theorem.
Hence the implementation relation is preserved through network composi-
tion, and the only restriction is that the network of the base processes should
be designed in a divergence-free way. However, the latter is a standard require-
ment in the CSP approach (recall again that divergences are regarded as totally
unacceptable).
Returning to the example in figure 1, it can be shown that Dbl2 ≽_{id_c}^{ep_0} Dbl
and Buf′ ≽_{ep_0}^{id_e} Buf. Hence, it follows from theorem 4 and Dbl ⊗ Buf =
Dbl[e/d] that Dbl2 ⊗ Buf′ ≽ Dbl[e/d]. Thus, by theorem 2, Dbl2 ⊗ Buf′ ⊒
Dbl[e/d], as process Dbl[e/d] is easily seen to be output-determined. But we can
go one step further since Dbl[e/d] is a deterministic process in the sense of CSP
(see [7, 15]). This means, in particular, that Q ⊒ Dbl[e/d] implies Q = Dbl[e/d],
for any process Q. Thus, we can finally conclude that Dbl2 ⊗ Buf′ = Dbl[e/d]
and that we obtained such a result by a purely compositional argument, using the
results presented in this section together with a well-known property of
deterministic CSP processes.
4 Compositionality and CA actions
The above approach to verification, based on abstraction of interface difference
and compositionality, will now be applied to an analysis of Coordinated Atomic
(CA) actions [12, 13]. This concept represents an approach to structuring complex
activities in a distributed environment, aimed at supporting fault tolerance
in object-oriented systems.
The following are some of the essential characteristics of the model: (CA1) a
CA action has roles which are activated by some external participants (processes
or threads); (CA2) a CA action starts when all the roles have been activated
and finishes when each role has completed its execution; (CA3) the execution of
a CA action updates the system state (represented by a set of external objects)
atomically; (CA4) roles can access local objects as well as participate in nested
CA actions; and (CA5) CA actions provide a basic framework for exception
handling that can support a variety of fault tolerance mechanisms.
We will interpret CA3 as stating that the desired behaviour of external ob-
jects constitutes a specification of the system design based on CA actions, and
so the CA actions design should respect the main objective which is that the
external objects must complete successfully all the stages through which they
are passing while being manipulated by the CA actions.
Modelling the production cell In the rest of this section we will discuss
an example inspired by the ‘production cell’ case study in [13]. The initial architecture
of the design is shown in figure 5, where Man is a manager process
initially holding n external objects, represented throughout as ξ_1, ..., ξ_n, which
are supposed to pass through the required stages of processing (three stages, in
our case). The external objects are passed as messages and every object must
be received by processes St1, St2 and St3, representing the three stages. To
keep track of progress, the three processes report to the manager after each
stage has been successfully completed. The manager Man, in turn, sends out,
over the channels res_i, messages that inform the external environment how the
system as a whole is progressing. The initial system specification is given as
Sys =df Man ⊗ St1 ⊗ St2 ⊗ St3, where:
\[
\begin{array}{lcl}
Man & =_{df} & Man_0 \\
St_1 & =_{df} & \Box_{i \le n}\ a{:}\xi_i \to b{:}i \to c{:}\xi_i \to St_1 \\
St_2 & =_{df} & \Box_{i \le n}\ c{:}\xi_i \to d{:}i \to e{:}\xi_i \to St_2 \\
St_3 & =_{df} & \Box_{i \le n}\ e{:}\xi_i \to f{:}i \to St_3 \\[4pt]
Man_k & =_{df} &
\left\{
\begin{array}{ll}
a{:}\xi_{k+1} \to Man_{k+1}\ \ \Box\ \ \Box_{i \le n,\ ch \in \{b,d,f\}}\ ch{:}i \to res_i{:}ch \to Man_k & \text{if } k < n \\[2pt]
\Box_{i \le n,\ ch \in \{b,d,f\}}\ ch{:}i \to res_i{:}ch \to Man_k & \text{if } k = n .
\end{array}
\right.
\end{array}
\]
Note that the meaning of, e.g., message res_i:f is to inform the external environ-
ment that ξ_i has successfully passed through the third stage of processing. It is
not difficult to see that each of the processes used to define Sys is a base IO
process, and so is Sys.
[Figure 5: Man passes objects to St1 on channel a; St1, St2 and St3 are chained by channels c and e and report back to Man on b, d and f; Man reports to the environment on res_1, ..., res_n.]
Fig. 5. Initial architecture of the system based on a manager process, and three processes
responsible for the three stages of processing.
As far as the overall correctness is concerned, we are interested in establishing
that every object ξ_i has successfully passed through each stage, and has done so
in the prescribed order. Such a property may be verified by showing that, when
restricted to a single output channel res_i, the system behaves as the process
Spec_i =df res_i:b → res_i:d → res_i:f → Stop. Indeed, one can show (e.g., using
the tool FDR [15]), that Sys@res_i = Spec_i, for every i ≤ n, where
\[
P @ res_i \ =_{df}\ P \setminus \{res_1, \ldots, res_{i-1}, res_{i+1}, \ldots, res_n\} ,
\]
for any process P with the same channels as Sys.
[Figure 6: as figure 5, but Ŝt2 passes objects to Ŝt3 on channels e1 and e2 in place of e, and reports to M̂an on d1 and d2 in place of d.]
Fig. 6. A modified design, with different communication interfaces between two pairs
of processes.
Introducing exception handling As stated by CA5, CA actions provide a
basic framework for exception handling. At the level where the roles of CA ac-
tions are described, exceptions could be modelled as actions which are followed
by exception handling processes. At the current, higher level of abstraction, we
will model the effects of exceptions rather than the exceptions themselves. In
particular, we can imagine the situation when an exception raised within some
CA action, representing an implementation of one of the three stages, is handled
by invoking another, alternative CA action. Suppose this can occur during the
second stage. To capture this, we replace St2 by another process, Ŝt2, which allows
two alternative ways of processing a recently received object ξ_i: it is passed
to the next stage using exactly one of the channels, e1 or e2, which has replaced
e, and the manager is informed about the successful completion using the
corresponding new channel, d1 or d2, which has replaced d. The process Ŝt2 uses a
non-deterministic choice operator to choose between the two ways of processing
an object, and so that process rather than the environment is responsible for
resolving this choice: this models the possibility of a fault occurring. The new
system is given by Ŝys =df M̂an ⊗ St1 ⊗ Ŝt2 ⊗ Ŝt3, where (see also figure 6):
\[
\begin{array}{lcl}
\widehat{Man} & =_{df} & \widehat{Man}_0 \\
\widehat{St}_2 & =_{df} & \Box_{i \le n}\ c{:}\xi_i \to (d_1{:}i \to e_1{:}\xi_i \to \widehat{St}_2 \ \sqcap\ d_2{:}i \to e_2{:}\xi_i \to \widehat{St}_2) \\
\widehat{St}_3 & =_{df} & \Box_{i \le n,\ ch \in \{e_1,e_2\}}\ ch{:}\xi_i \to f{:}i \to \widehat{St}_3 \\[4pt]
\widehat{Man}_k & =_{df} &
\left\{
\begin{array}{ll}
(a{:}\xi_{k+1} \to \widehat{Man}_{k+1})\ \Box\ Z_k\ \Box\ W_k & \text{if } k < n \\
Z_k\ \Box\ W_k & \text{if } k = n
\end{array}
\right. \\[4pt]
Z_k & =_{df} & \Box_{i \le n,\ ch \in \{b,f\}}\ ch{:}i \to res_i{:}ch \to \widehat{Man}_k \\
W_k & =_{df} & \Box_{i \le n,\ ch \in \{d_1,d_2\}}\ ch{:}i \to res_i{:}d \to \widehat{Man}_k .
\end{array}
\]
To verify the correctness of Ŝys compositionally, we can use the model presented
earlier on in this paper. To establish that M̂an, Ŝt2 and Ŝt3 are respectively
implementations of Man, St2 and St3, we will use two extraction patterns,
both instances of a generic merge extraction pattern, mrg_x, for x ∈ {d, e}.
The sources of mrg_x are two channels, x1 and x2, and the target is a channel
x such that µx1 = µx2 = µx. The valid traces are all traces over αx1 ∪ αx2
and Dom = dom. The extraction mapping is a trace homomorphism such that
extr(x_i:v) =df ⟨x:v⟩, for i = 1, 2. The ref mapping is such that, for every trace
t ∈ Dom, ref(t) comprises all proper subsets of αx1 ∪ αx2. One can then show
(e.g., using the techniques proposed in [3]) that
\[
\widehat{Man} \mathrel{\succcurlyeq^{\,id_a,\ id_{res_1},\ \ldots,\ id_{res_n}}_{\,mrg_d,\ id_b,\ id_f}} Man\,, \qquad
\widehat{St}_2 \mathrel{\succcurlyeq^{\,mrg_d,\ mrg_e}_{\,id_c}} St_2 \quad\text{and}\quad
\widehat{St}_3 \mathrel{\succcurlyeq^{\,id_f}_{\,mrg_e}} St_3 .
\]
Hence, by theorem 4, we obtain that Ŝys ≽ Sys and so Ŝys@res_i = Spec_i, for
every i ≤ n, as the implementation relation is preserved by hiding of channels (see
proposition 1), Sys@res_i = Spec_i, and each process Spec_i is output-determined
(see theorem 2) and deterministic (in the CSP sense).
Refining a stage A possible implementation of Ŝt2 is to employ two processes,
Act and Act′, which represent two intended CA actions: a primary CA action
responsible for processing objects at the second stage, and another CA action
invoked when the first one cannot be completed successfully (see figure 7). The
implementation of Ŝt2 is S̃t2 =df Act ⊗ Act′, where:
\[
\begin{array}{lcl}
Act & =_{df} & \Box_{i \le n}\ c{:}\xi_i \to (d_1{:}i \to e_1{:}\xi_i \to Act \ \sqcap\ h{:}\xi_i \to g{:}go \to Act) \\
Act' & =_{df} & \Box_{i \le n}\ h{:}\xi_i \to d_2{:}i \to e_2{:}\xi_i \to g{:}go \to Act' .
\end{array}
\]
Since Ŝt2 = S̃t2 (which can be checked using, e.g., the FDR tool [15]), we can
now refine the architecture of the design, replacing Ŝt2 with S̃t2, and obtaining
a new system composed of five processes: S̃ys =df M̂an ⊗ St1 ⊗ Act ⊗ Act′ ⊗ Ŝt3.
As S̃ys = Ŝys, we do not lose the correctness already established for Ŝys, i.e.,
S̃ys@res_i = Spec_i, for every i ≤ n.
[Figure 7: Act receives on c and outputs on d1 and e1; Act′ outputs on d2 and e2; Act hands objects to Act′ on h, and Act′ signals completion back on g.]
Fig. 7. An architecture for a distributed implementation of the second stage of processing.
Since all the components in S̃ys are IO processes, we can again apply the
framework developed in this paper, and indeed continue the cycle of development
until a sufficiently detailed level of modelling has been reached, at each stage
applying a compositional argument as outlined above. We stop this discussion
here, but instead look at the way in which Act could be implemented by a
process Ca, shown in figure 8, modelling more closely the intended features of
CA actions.
[Figure 8: Act with channels c, e1, h, g and d1 (left), and Ca with channels call_1, ..., call_m, result_1, ..., result_m, rdir_1, ..., rdir_m, g and d1 (right).]
Fig. 8. Act implemented as CA action process Ca.
Modelling CA actions Ca has call =df {call_1, ..., call_m} channels which are
intended to carry messages with some input data (parameters) requesting an
access to Ca, each such message corresponding to starting a role (see requirement
CA1). Ca waits for a set of m messages, each such message arriving along a
different channel call_i, before accepting them for further processing (see CA2).
In general, it is not the case that any message set will be accepted as a valid call.
It is therefore assumed that there is a non-empty set of valid inputs (e.g., two out
of three results are successful in majority voting, see [8]), Valid, and a consistent
input is any set of messages which is contained in some valid input. Each V ∈
Valid is a set of m messages, {call_1:v′_1, ..., call_m:v′_m}. It is also assumed that
for such a V there is a non-empty set result(V) which comprises all possible
outcomes of the processing of messages in V. Each element U of result(V) is
a set of m messages {result_1:v_1, ..., result_m:v_m}. It is assumed at this level of
abstraction that an execution of any CA action produces a single result for
each of the participating threads. This is a simplifying assumption which could
easily be relaxed. Note also that an aborted execution of the Ca action can
be modelled by {result_1:abort, ..., result_m:abort} ∈ result(V). Below, for any
consistent input V, ρ(V) =df {i ≤ m | αcall_i ∩ V = ∅} identifies those channels
call_i on which a suitable input is still expected and, for every i ∈ ρ(V), the set
of all v ∈ µcall_i such that V ∪ {call_i:v} is still a consistent input is denoted by
π_i(V).
After assembling a valid input, Ca proceeds in one of two ways. First of all,
it can report on channel d1 that the action has been completed successfully, and
then non-deterministically produce one of the possible outcomes in result(V).
Alternatively, it can invoke the CA action process Ca′ implementing Act′, by
redirecting the data received on call using the channels rdir_1, ..., rdir_m, and
wait for a synchronisation message g:go from Ca′ before starting to construct
another valid input. We can model this by Ca =df Ca_∅. To define Ca_V, some
notations are helpful: redir(V) is V with each call_i:v replaced by rdir_i:v; ψ :
Valid → {ξ_1, ..., ξ_n} is a mapping which describes how an input to the Ca process
is interpreted as an object at the higher level; and ι(ξ_i) =df i is the index of every
processed object. We may now define:
\[
\begin{array}{lcl}
Ca_V & =_{df} &
\left\{
\begin{array}{ll}
\Box_{i \in \rho(V),\ v \in \pi_i(V)}\ call_i{:}v \to Ca_{V \cup \{call_i:v\}}
\ \ \Box\ \ \Box_{i \in \rho(V),\ v \in \mu call_i - \pi_i(V)}\ call_i{:}v \to Ca_V & \text{if } |V| < m \\[4pt]
\bigsqcap_{U \in result(V)} \bigl(d_1{:}\iota(\psi(V)) \to \widehat{Ca}_U\bigr)\ \sqcap\ \widetilde{Ca}_{redir(V)} & \text{if } |V| = m
\end{array}
\right. \\[6pt]
\widehat{Ca}_U & =_{df} &
\left\{
\begin{array}{ll}
\Box_{a \in U}\ a \to \widehat{Ca}_{U - \{a\}} & \text{if } U \ne \emptyset \\
Ca_\emptyset & \text{if } U = \emptyset
\end{array}
\right. \\[6pt]
\widetilde{Ca}_U & =_{df} &
\left\{
\begin{array}{ll}
\Box_{a \in U}\ a \to \widetilde{Ca}_{U - \{a\}} & \text{if } U \ne \emptyset \\
g{:}go \to Ca_\emptyset & \text{if } U = \emptyset .
\end{array}
\right.
\end{array}
\]
Verifying the CA action design To show that Ca indeed implements Act,
we need to find suitable extraction patterns. Below we show how to devise one
capable of relating communication on channels call to that on channel c; for the
other channels one may proceed similarly.
We define by induction Dom and extr, together with an auxiliary mapping ζ :
Dom → P(αcall), which for any trace in Dom yields the last unfinished consistent
input built along this trace. To begin with, we have ⟨⟩ ∈ Dom, extr(⟨⟩) =df ⟨⟩ and
ζ(⟨⟩) =df ∅. Suppose now that t ∈ Dom and v ∈ µcall_i. Then u = t ◦ ⟨call_i:v⟩ ∈
Dom if i ∈ ρ(ζ(t)). Let V =df ζ(t) ∪ {call_i:v} if v ∈ π_i(ζ(t)), and V =df ζ(t)
otherwise. If |V| = m then extr(u) =df extr(t) ◦ ⟨c:ψ(V)⟩ and ζ(u) =df ∅; otherwise
extr(u) =df extr(t) and ζ(u) =df V. Finally, dom is the set of all t ∈ Dom such that
ζ(t) = ∅, and for every t ∈ Dom, ref(t) comprises all subsets, R, of αcall such
that αcall_i ⊈ R, for at least one i ∈ ρ(ζ(t)).
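The inductive definition above, worked through as an added Python example (not code from the paper): Dom, extr, ζ, dom and ref are computed over a trace on the call channels. The value sets µcall_i, the set Valid (m = 2 roles that must agree on a value) and the mapping ψ are constructed for illustration.

```python
from typing import FrozenSet, List, Optional, Set, Tuple

Msg = Tuple[int, str]        # a message call_i:v is written as the pair (i, v)
Input = FrozenSet[Msg]       # a set of such messages (a consistent or valid input)

M = 2                                       # m: number of call channels (roles)
MU_CALL = {1: {"x", "y"}, 2: {"x", "y"}}    # mu(call_i): values carried by call_i
# Constructed Valid: a call is valid only when both roles pass the same value.
VALID: Set[Input] = {
    frozenset({(1, "x"), (2, "x")}),
    frozenset({(1, "y"), (2, "y")}),
}
# Constructed psi: the higher-level object xi_k that a valid input stands for.
PSI = {frozenset({(1, "x"), (2, "x")}): "xi_1",
       frozenset({(1, "y"), (2, "y")}): "xi_2"}


def alpha_call(i: int) -> Set[Msg]:
    """alpha(call_i): all messages that can be sent on channel call_i."""
    return {(i, v) for v in MU_CALL[i]}


def consistent(V: Input) -> bool:
    """V is a consistent input if it is contained in some valid input."""
    return any(V <= W for W in VALID)


def rho(V: Input) -> Set[int]:
    """rho(V): indices of the channels call_i carrying no message of V yet."""
    return {i for i in range(1, M + 1) if not (alpha_call(i) & V)}


def pi(i: int, V: Input) -> Set[str]:
    """pi_i(V): values v for which V + {call_i:v} is still consistent."""
    return {v for v in MU_CALL[i] if consistent(V | {(i, v)})}


def interpret(trace: List[Msg]) -> Optional[Tuple[List[str], Input]]:
    """Walk the inductive definition of Dom, extr and zeta along a call trace.
    Returns (extr(t), zeta(t)), or None if the trace is not in Dom."""
    extr: List[str] = []           # extracted trace on channel c
    zeta: Input = frozenset()      # last unfinished consistent input
    for (i, v) in trace:
        if i not in rho(zeta):     # a second message on a channel already used:
            return None            # t * <call_i:v> is not in Dom
        # A value that would make the input inconsistent is accepted but ignored.
        V = zeta | {(i, v)} if v in pi(i, zeta) else zeta
        if len(V) == M:            # valid input complete: extract c:psi(V)
            extr.append("c:" + PSI[V])
            zeta = frozenset()
        else:
            zeta = V
    return extr, zeta


def in_dom(trace: List[Msg]) -> bool:
    """dom: traces in Dom that leave no input unfinished (zeta(t) is empty)."""
    r = interpret(trace)
    return r is not None and not r[1]


def in_ref(trace: List[Msg], R: Set[Msg]) -> bool:
    """ref(t): R is within the refusal bound if, for at least one channel call_i
    still expected after t (i in rho(zeta(t))), alpha(call_i) is not a subset of R."""
    r = interpret(trace)
    if r is None:
        raise ValueError("trace is not in Dom")
    return any(not alpha_call(i) <= R for i in rho(r[1]))


if __name__ == "__main__":
    # Role 2 first sends a value inconsistent with role 1's, then the matching one.
    print(interpret([(1, "x"), (2, "y"), (2, "x"), (1, "y")]))
```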
Having designed the extraction patterns establishing that Ca is an implemen-
tation of Act, one might refine our design both by ‘looking inside’ Ca, capturing
its internal architectural details (we can handle this using, for instance, FDR and
the standard CSP theory) and/or further refining the interface of the process, for
example, by specifying in detail communication protocols used to receive inputs
on the channels call (we can handle this using the approach proposed in this
work, as Ca is an IO process, and applying the algorithms presented in [3]).
5 Conclusions
Compositional development, as outlined in the case study of the previous section,
is a cyclic process, which starts with an initial system design given in the form of
a process network Sys_0 =df P_1 ⊗ ··· ⊗ P_r (r ≥ 1). For such a high-level description,
one can relatively easily verify the relevant correctness requirements, e.g., using
FDR or a similar tool. Suppose now that, after a number of iterations, the current
system description comes in the form of a network Sys_i =df Q_1 ⊗ ··· ⊗ Q_s satisfying
Sys_i ≽ Sys_0. According to the argument put forward in the previous section,
Sys_i constitutes a suitable implementation of the initial (correct) design. There
are now two directions for further development:
– Find a process of Sys_i, e.g., Q_s, and implement it as a sub-network
\[
Q'_1 \otimes \cdots \otimes Q'_q \ \sqsupseteq\ Q_s .
\]
By compositionality, the resulting network,
\[
Sys_{i+1} \ =_{df}\ Q_1 \otimes \cdots \otimes Q_{s-1} \otimes Q'_1 \otimes \cdots \otimes Q'_q
\]
satisfies Sys_{i+1} ≽ Sys_i as Q ⊒ P always implies Q ≽ P, and so we have
Sys_{i+1} ≽ Sys_0.
– Find IO processes of Sys_i, e.g., Q_{s−1} and Q_s, whose intercommunication
interface can be refined, and replace them by their respective implementations,
Q′_{s−1} and Q′_s, designed according to suitably chosen extraction pattern(s).
The resulting network,
\[
Sys_{i+1} \ =_{df}\ Q_1 \otimes \cdots \otimes Q_{s-2} \otimes Q'_{s-1} \otimes Q'_s
\]
satisfies Sys_{i+1} ≽ Sys_i, and so we have Sys_{i+1} ≽ Sys_0.
In further stages, if the second kind of development is to be applied, both Q′_{s−1}
and Q′_s must be IO processes and, in the previous section, this was always
the case. However, if more complex refinement steps are carried out, the situ-
ation may require a degree of care. A typical example would be to implement
a communication on a channel ch, from Q_{s−1} to Q_s, using two communication
channels, data and ack passing messages of a feedback-controlled protocol. In
such a situation, it is usually not the case that ack is a value-independent chan-
nel of Q′_s and, strictly speaking, such a process is no longer an IO process with
ack treated as its input channel. Fortunately, channels like ack will generally be
value-independent in Q′_{s−1}, and a simple way out of the problem is to syntactically
make ack an output channel of Q′_s and an input channel of Q′_{s−1}, before
proceeding with further development of the network.
Of course, the first kind of iteration step can also present us with the problem
of maintaining the property of value-independence for the channels internal to
the sub-network Q′_1 ⊗ ··· ⊗ Q′_q. This, however, is usually easy to address by
looking up the code of the processes.
Acknowledgments This research was supported by an EPSRC studentship
grant and the EU-funded DSoS project.
References
1. M. Abadi and L. Lamport: The Existence of Refinement Mappings. Theoretical
Computer Science 82 (1991) 253-284.
2. E. Brinksma, B. Jonsson and F. Orava: Refining Interfaces of Communicating Systems.
Proc. of Coll. on Combining Paradigms for Software Development, Springer-Verlag,
Lecture Notes in Computer Science 494 (1991).
3. J. Burton, M. Koutny and G. Pappalardo: Verifying Implementation Relations in
the Event of Interface Difference. Proc. of FME 2001, Springer-Verlag, Lecture
Notes in Computer Science 2021 (2001) 364-383.
4. J. Burton, M. Koutny and G. Pappalardo: Implementing Communicating Processes
in the Event of Interface Difference. Proc. of ACSD 2001, IEEE Computer Society
(2001) 87-96.
5. P. Collette and C. B. Jones: Enhancing the Tractability of Rely/Guarantee Specifications
in the Development of Interfering Operations. CUMCS-95-10-3, Department
of Computing Science, Manchester University (1995).
6. R. Gerth, R. Kuiper and J. Segers: Interface Refinement in Reactive Systems. Proc.
of CONCUR '92, Springer-Verlag, Lecture Notes in Computer Science 630 (1992)
77-93.
7. C. A. R. Hoare: Communicating Sequential Processes. Prentice Hall (1985).
8. M. Koutny, L. Mancini and G. Pappalardo: Two Implementation Relations and the
Correctness of Communicated Replicated Processing. Formal Aspects of Computing
9 (1997) 119-148.
9. M. Koutny and G. Pappalardo: Behaviour Abstraction for Communicating Sequential
Processes. To appear in Fundamenta Informaticae (2002).
10. L. Lamport: The Implementation of Reliable Distributed Multiprocess Systems.
Computer Networks 2 (1978) 95-114.
11. R. Milner: Communication and Concurrency. Prentice Hall (1989).
12. B. Randell, A. Romanovsky, R. J. Stroud, J. Xu and A. F. Zorzo: Coordinated
Atomic Actions: From Concept to Implementation. CSTR-595, University of Newcastle
(1997).
13. B. Randell, A. Romanovsky, R. J. Stroud, J. Xu, A. F. Zorzo, D. Schwier and F. von
Henke: Coordinated Atomic Actions: Formal Model, Case Study and System Implementation.
Manuscript (1997).
14. A. Rensink and R. Gorrieri: Vertical Implementation. To appear in Information and
Computation (2002).
15. A. W. Roscoe: The Theory and Practice of Concurrency. Prentice-Hall (1998).
16. H. Schepers and J. Hooman: Trace-based Compositional Reasoning About Fault-tolerant
Systems. Proc. of PARLE '93, Springer-Verlag, Lecture Notes in Computer
Science 694 (1993).