Weak refinement in Z

An important aspect in the specification of distributed systems is the role of the internal (or unobservable) operation. Such operations are not part of the user interface (i.e. the user cannot invoke them), however, they are essential to our understanding and correct modelling of the system. Various conventions have been employed to model internal operations when specifying distributed systems in Z. If internal operations are distinguished in the specification notation, then refinement needs to deal with internal operations in appropriate ways. However, in the presence of internal operations, standard Z refinement leads to undesirable implementations. In this paper we present a generalization of Z refinement, called weak refinement, which treats internal operations differently from observable operations when refining a system. We illustrate some of the properties of weak refinement through a specification of a telecommunications protocol

Five years of observations of ozone profiles over Lauder, New Zealand

Altitude profiles of ozone (O3) over Lauder (45°S, 170°E) performed using a lidar, ozonesondes, and the satellite-borne Stratospheric Aerosol and Gas Experiment (SAGE II) instrument are presented. These data form one of the few long-term sets of O3 profiles at a Southern Hemisphere location. In the 5 years of data presented, the dominant variation is the annual cycle, the phase and amplitude of which differ below and above 27.5 km. Superposed are irregular episodic variations, caused by various processes. The first process studied is stratosphere-troposphere exchange, characterized by dry and O3-rich air residing in the troposphere, which was found in 21% of the measurements. The second relates to the positioning of the higher polar vortex over Lauder, often in combination with the exchange of air between midlatitude and subtropical stratospheric regions. We present examples of this which were observed over Lauder during the 1997 winter. This winter was selected for further study because of the record-low O3 amounts measured. The third process is mixing of O3-depleted vortex air with midlatitude air after the vortex breakup. We present one example, which shows that a filament originating from the depleted Antarctic vortex significantly lowers O3 amounts over Lauder around 27 November 1997. There is thus a connection between Antarctic O3 depletion and later decrease of O3 amounts at a Southern Hemisphere midlatitude location, namely Lauder

Applications of Fair Testing

In this paper we present the application of the fair testing pre-order, introduced in a previous paper, to the specification and analysis of distributed systems. This pre-order combines some features of the standard testing pre-orders, viz. the possibility to refine a specification by the resolution of nondeterminism, with a powerful feature of standard observation congruence, viz. the fair abstraction from divergences. Moreover, it is a pre-congruence with respect to all standard process-algebraic combinators, thus allowing for the standard algebraic proof techniques by substitution and rewriting. In this paper we will demonstrate advantages of the fair testing pre-order by the application to a number of examples, including a scheduling problem, a version of the Alternating Bit-protocol, and fair communication channels

Testing refinements by refining tests

One of the potential benefits of formal methods is that they offer the possibility of reducing the costs of testing. A specification acts as both the benchmark against which any implementation is tested, and also as the means by which tests are generated. There has therefore been interest in developing test generation techniques from formal specifications, and a number of different methods have been derived for state based languages such as Z, B and VDM. However, in addition to deriving tests from a formal specification, we might wish to refine the specification further before its implementation. The purpose of this paper is to explore the relationship between testing and refinement. As our model for test generation we use a DNF partition analysis for operations written in Z, which produces a number of disjoint test cases for each operation. In this paper we discuss how the partition analysis of an operation alters upon refinement, and we develop techniques that allow us to refine abstract tests in order to generate test cases for a refinement. To do so we use (and extend existing) methods for calculating the weakest data refinement of a specification

Dependability for high-tech systems: an industry-as-laboratory approach

Abstrac

Full abstraction for fair testing in CCS

In previous work with Pous, we defined a semantics for CCS which may both be viewed as an innocent presheaf semantics and as a concurrent game semantics. It is here proved that a behavioural equivalence induced by this semantics on CCS processes is fully abstract for fair testing equivalence. The proof relies on a new algebraic notion called playground, which represents the 'rule of the game'. From any playground, two languages, equipped with labelled transition systems, are derived, as well as a strong, functional bisimulation between them.Comment: 15 pages, to appear in CALCO '13. To appear Lecture notes in computer science (2013

Viewpoint consistency in Z and LOTOS: A case study

Specification by viewpoints is advocated as a suitable method of specifying complex systems. Each viewpoint describes the envisaged system from a particular perspective, using concepts and specification languages best suited for that perspective. Inherent in any viewpoint approach is the need to check or manage the consistency of viewpoints and to show that the different viewpoints do not impose contradictory requirements. In previous work we have described a range of techniques for consistency checking, refinement, and translation between viewpoint specifications, in particular for the languages LOTOS and Z. These two languages are advocated in a particular viewpoint model, viz. that of the Open Distributed Processing (ODP) reference model. In this paper we present a case study which demonstrates how all these techniques can be combined in order to show consistency between a viewpoint specified in LOTOS and one specified in Z. Keywords: Viewpoints; Consistency; Z; LOTOS; ODP

Conformance relations for distributed testing based on CSP

Copyright @ 2011 Springer Berlin HeidelbergCSP is a well established process algebra that provides comprehensive theoretical and practical support for refinement-based design and verification of systems. Recently, a testing theory for CSP has also been presented. In this paper, we explore the problem of testing from a CSP specification when observations are made by a set of distributed testers. We build on previous work on input-output transition systems, but the use of CSP leads to significant differences, since some of its conformance (refinement) relations consider failures as well as traces. In addition, we allow events to be observed by more than one tester. We show how the CSP notions of refinement can be adapted to distributed testing. We consider two contexts: when the testers are entirely independent and when they can cooperate. Finally, we give some preliminary results on test-case generation and the use of coordination messages. © 2011 IFIP International Federation for Information Processing

Validation of IFE-1.6 SCIAMACHY limb ozone profiles

International audienceThe IFE-1.6 scientific data set of SCIAMACHY limb ozone profiles is validated for the period August?December 2002. The data set provides ozone profiles over an altitude range of 15?45 km. The main uncertainty in the profiles is the imprecise knowledge of the pointing of the instrument, leading to retrieved profiles that are shifted in altitude direction. To obtain a first order correction for the pointing error and the remaining uncertainties, the retrieved profiles are compared to their a-priori value and ozone sondes based on absolute distance and equivalent latitude criteria. A vertical shift of the satellite profiles with 2 km downward is found to be an appropriate correction for the data set studied. A total root-mean-square difference between limb profiles and sondes of 10?15% remains for the stratospheric ozone profile after application of the correction. Small biases are left above and below the ozone maximum at mid latitudes, where the vertical gradients in the retrieved product are in general too strong