Parallel Refinement Mechanisms

Refinement is a fundamental design technique that has often challenged the “formal methods” community. In most cases, mathematical elegance and proof manageability have been chosen over flexibility and freedom, which are often needed in practice to deal with unexpected or critical situations. The issue of refinement becomes even more critical when dealing with real-time systems where time analysis is a crucial factor. In this case, the literature exhibits only a few, fairly limited proposals. In this paper, we propose general refinement mechanisms for real-time systems that allow several types of implementation strategies to be specified in a fairly natural way. Not surprisingly, generality has a price in terms of complexity. In our approach, however, this price is paid only when necessary. Furthermore, the proof system is amenable both for traditional hand-proofs, based on human ingenuity and only partially formalized, and for fully formalized, tool-supported proofs. The following is an excerpt from [Kol 99]. It is assumed that the reader is already familiar with ASTRAL [CGK 97] and PVS [COR 95]. Chapter VII: Interlevel Refinement Whether in programming languages or formal specification languages, refinement is the process of moving from an abstract design level to a concrete implementation by describing how the components in each upper level are implemented in the lower level. The left side of figure VII-1 shows the process of refinement, where each abstraction layer is depicted as a box. Each lower level box describes the implementation of the box above. Eventually, the complete system description is reached in the right side of the figure. Refinement allows designers to describe a system from the top down in more and more detail. That is, the desired behavior of each individual component is assumed and then the interactions between the components are specified. This allows designers to look at the components that make up the system and their interactions without looking at how each component is implemented. In this way, the design of a system can be modularized into different layers of abstraction. In formal methods, this allows the analysis of each abstraction layer to be proved without knowledge of how components in that layer are implemented. Each lower level component is then shown to implement the behavior that was assumed in