Refinement algebra for probabilistic programs

We identify a refinement algebra for reasoning about probabilistic program transformations in a total-correctness setting. The algebra is equipped with operators that determine whether a program is enabled or terminates respectively. As well as developing the basic theory of the algebra we demonstrate how it may be used to explain key differences and similarities between standard (i.e. non-probabilistic) and probabilistic programs and verify important transformation theorems for probabilistic action systems.29 page(s

Understanding, Explaining, and Deriving Refinement

Much of what drove us in over twenty years of research in refinement, starting with Z in particular, was the desire to understand where refinement rules came from. The relational model of refinement provided a solid starting point which allowed the derivation of Z refinement rules. Not only did this explain and verify the existing rules - more importantly, it also allowed alternative derivations for different and generalised notions of refinement. In this chapter, we briefly describe the context of our early efforts in this area and Susan Stepney's role in this, before moving on to the motivation and exploration of a recently developed primitive model of refinement: concrete state machines with anonymous transitions

A Calculus of Space, Time, and Causality: its Algebra, Geometry, Logic

The calculus formalises human intuition and common sense about space, time, and causality in the natural world. Its intention is to assist in the design and implementation of programs, of programming languages, and of interworking by tool chains that support rational program development. The theses of this paper are that Concurrent Kleene Algebra (CKA) is the algebra of programming, that the diagrams of the Unified Modeling Language provide its geometry, and that Unifying Theories of Program- ming (UTP) provides its logic. These theses are illustrated by a fomalisation of features of the first concurrent object-oriented language, Simula 67. Each level of the calculus is a conservative extension of its predecessor. We conclude the paper with an extended section on future research directions for developing and applying UTP, CKA, and our calculus, and on how we propose to implement our algebra, geometry, and logic

Towards (Semi-)Automated Synthesis of Runtime Safety Models: A Safety-Oriented Design Approach for Service Architectures of Cooperative Autonomous Systems

Future automotive systems will exhibit ever-higher grades of automation up to the point of autonomy. The full potential in automation can only be unlocked when combining it with the capability of cooperation, leading to the vision of comprehensively networked cooperative autonomous systems (CAS). To enable a safe CAS cooperation at runtime, we introduced the ConSert approach in previous work, which allows fully automated safety interface compatibility checks in the field based on runtime safety models. However, a systematic engineering approach for synthesizing these runtime safety models based on design time architecture and safety models does not exist to date. As all safety-engineering activities require the functional description of a system as input, we describe in this paper, how a top-down service-based design approach can look like for CAS, preparing an effective safety analysis and formulation of black-box behavioral deviation bounds in shape of safety guarantees and demands. Thereby, we point out challenges, which especially occur due to the complexity introduced by the distributed development of CAS. These challenges are exemplified for the traffic light assistant system, an example CAS from the automotive domain

Model checking action system refinements

Action systems provide a formal approach to modelling parallel and reactive systems. They have a well established theory of refinement supported by simulation-based proof rules. This paper introduces an automatic approach for verifying action system refinements utilising standard CTL model checking. To do this, we encode each of the simulation conditions as a simulation machine, a Kripke structure on which the proof obligation can be discharged by checking that an associated CTL property holds. This procedure transforms each simulation condition into a model checking problem. Each simulation condition can then be model checked in isolation, or, if desired, together with the other simulation conditions by combining the simulation machines and the CTL properties