A Case Study in Specifying, Verifying and Refining a Parallel System in Z

The formal specification notation Z [Spi92] is one of the most popular and widely used notations for the specification and development of software and hardware systems. There is a large literature base of industrial case studies that have used Z, growing availability of high quality tools for the notation, and an emerging ISO standard. In Z, one traditionally specifies a static (functional) system one that produces an output in response to an input. Because of this, Z is widely perceived as being unsuitable for parallel and distributed systems where concurrent behaviour must be specified. Recently however, there has been considerable interest in applying Z to parallel systems. Much of this work has concentrated on integrating Z with formalisms better suited to specifying concurrent behaviour, such as TLA [Lam94], Petri Nets [Eva94], Temporal Logic [DS89], CSP and CCS. However, a disadvantage shared by all these approaches is the difficulty of reconciling the semantics of the separate notations, resulting in problems of compatibility with the standardized definition of Z and existing Z tools for proof, type checking and printing, etc. Moreover, techniques for reasoning with the resultant hybrid notations generally makes poor use of the excellent proof system offered by Z. In this paper, a somewhat different approach to specifying parallel systems in Z is taken. Rather than integrating Z with yet another formalism, modifications are made to the Z specification approach. A traditional Z specification is augmented with an additional specification describing the system’s required behaviour. Good use is made of Z’s generic features to simplify this stage. Assertional proof rules, based on W (the emerging Z deductive system), are then used to verify safety and liveness properties of the behavioural specification. In order to facilitate refinement, the traditional refinement laws of Z are strengthened to ensure the preservation of safety and liveness properties. Because the approach is based on the standard Z notation and proof systems, it is completely compatible with existing Z proof tools, etc. The overall basis for the approach is the fair-transition model of concurrency proposed by Manna and Pneuli [MP92]. The case study used in this paper is a telecommunications protocol, Signaling System No. 7, which is specified using the traditional Z approach in [WD96]. The case study shows that the expressibility of Z specifications can be considerably improved upon, enabling important properties such as parallel behaviour, liveness and fairness to be specified, verified and refined in Z. The case study also shows that the type of mathematical reasoning employed in the approach is very similar to that used in traditional Z specifications. Also,