Relaxing Property Preservation in the Refinement of Concurrent Systems

BCS-FACS Northern Formal Methods Workshop. Published in collaboration with the British Computer Society.

One of the major development strategies for concurrent systems suggests starting the system development from a so-called functional design of the envisaged system and distributing/parallelizing this design in subsequent development steps towards a concurrent system. In this paper we argue that this strategy is not supported by the standard state-based refinement approaches. This phenomenon is traced back to the fact that these approaches are constructed such that necessarily all temporal properties of the refined system are preserved during refinement. We explain that the key feature of a suitable refinement notion for the above strategy is to relax this strict preservation of properties: rather than preserving all temporal properties of the refined system, the required refinement notion has to support the exclusive preservation of specific properties. We present such a refinement approach and prove that the standard state-based refinement relations are particular instances of the advocated notion.


Introduction
Since its introduction by [6,31], (stepwise) refinement has been a prominent approach to the development of systems that provably satisfy their specification. An abstract system which satisfies some requirement specification is stepwise refined into a concrete system such that the specification is preserved in each refinement step.
However, formal frameworks that support stepwise refinement [5] not only have to be based on sound mathematical concepts but also have to support the practical development strategies that are used by actual system developers.
One such strategy for concurrent systems, advocated by [2,3,4,10,30] and used by many protocol designers (see, e.g., [25]), originates from the observation that the functionality of most large concurrent algorithms can be described by a sequentialized variant of the algorithm [4], called its functional design. This strategy suggests starting the development of a concurrent system from its functional design and distributing/parallelizing this design in subsequent refinement steps. The functional design is considerably easier to develop and verify than the concurrent system and is thus an adequate starting point for system development. As explained in [28,27,30] and briefly recalled below, standard state-based refinement approaches, such as [1,12,14,18,21], do not support this development pattern.
In this paper we present a parameterized refinement notion between fair transition systems [12,23] which supports the development of concurrent systems from a functional design, and we show that Abadi & Lamport refinement [1], trace refinement [12,21] and partial order refinement [13,17] are particular instances of the proposed refinement relation. These results allow one to mix refinement steps according to the above development strategy with the usually supported strategy of decreasing non-determinism during system development [27].
Assuming that we are given an abstract system that satisfies some specification, the idea of (stepwise) refinement is the following: Rather than verifying directly that the more concrete system also satisfies the specification, one proves that the concrete system refines the abstract one w.r.t. a refinement relation which preserves the properties, in particular the specification, of the abstract system.
According to this informal explanation we can identify the three essential ingredients of state-based refinement approaches. Below, $TS$ denotes a set of transition systems and $LTL$ a set of linear temporal logic formulae [23].

1. A binary refinement relation $ref \subseteq TS \times TS$, defined on the basis of the semantics of systems.
2. A satisfaction relation $\models \subseteq TS \times LTL$ defining which system satisfies what temporal property.
3. A method to prove that $(C,A) \in ref$ holds for two given systems. In the field of state-based reasoning, simulation techniques are commonly used to prove refinement between systems [1,7,8,12,14,18,20,22]. Such methods induce a relation $sim \subseteq TS \times TS$ with the two compatibility conditions $sim \subseteq ref$ (soundness) and $sim \supseteq ref$ (completeness).

Concerning the relation between $ref$ and the satisfaction relation $\models$, one can distinguish two patterns in state-based refinement approaches:

1. The refinement relation is chosen such that all properties of the abstract system are preserved during refinement, formally expressed by $ref\,;\models \;\subseteq\; \models$, where ';' denotes relation composition. This is the approach employed in, e.g., [1,12,14,18,21].
2. A parameterized refinement relation $ref_\varphi$ is chosen, cf. [30,28], which only preserves a specific property $\varphi$, formally expressed by $ref_\varphi \subseteq \{(C,A) \mid A \models \varphi \text{ implies } C \models \varphi\}$.

Remark: The second pattern also comprises the case where the refinement relation preserves a finite set $\{\varphi_1, \dots, \varphi_n\}$ of properties. The respective refinement relation is defined as the intersection of relations $ref_{\varphi_i}$, $i \in \{1, \dots, n\}$, each chosen according to the second pattern.

When starting a system development from the envisaged functional design, stepwise refinement amounts to increasing the degree of parallelism until a concurrent variant of the functional design is obtained. Due to the concurrent execution of tasks, the concurrent variant generates, in general, more observable behaviors than the functional design [28]. Hence, the functional design obeys different temporal properties than the concurrent variant, such as a stronger temporal ordering of events (see [27] for concrete examples from the field of stabilizing algorithms).
Thus, a refinement setup for the above development strategy must have the capability to preserve only a specific set of desirable properties, such as the original specification, while ignoring undesired properties such as the too strong temporal ordering of events in the functional design [30].
We present a refinement setup, elaborated in full detail in [27], that relaxes property preservation during refinement. It allows a combination of refinement steps which preserve all temporal properties and refinement steps which preserve only specific properties in the development of concurrent systems.
The paper is organized as follows. In the next section we present fair transition systems and a stutter-closed fragment of LTL. Section 3 presents the advocated refinement relation, and in Section 4 we demonstrate that Abadi & Lamport refinement, trace refinement and partial order refinement are particular instances of the suggested refinement notion. We end with some conclusions and future work in Section 5.
Remark: All omitted technical details and proofs can be found in [27].

Preliminaries
In this section we introduce fair transition systems (cf. [12,19,23]), linear time temporal logic, as well as some technical notions and conventions.
We assume a countable set $Var$ of typed variables in which each variable is associated with a domain describing the possible values of that variable. A state is a type-consistent interpretation of a subset $V \subseteq Var$ of variables. The set of all states interpreting the variables in $V$ is denoted by $\Sigma_V$.

Definition 1 A fair transition system (fts) $A = (\Sigma, I, T, WF, SF)$ consists of a set $\Sigma$ of states, a set $I \subseteq \Sigma$ of initial states, a finite set $T = \{t_1, \dots, t_n\}$ of transitions with $t_i \subseteq \Sigma \times \Sigma$, including the idling transition $t_{idle} \stackrel{def}{=} id_\Sigma$, as well as weak and strong fairness constraints $WF \subseteq T$, $SF \subseteq T$. □

The set of all fair transition systems is denoted by $FTS$. Fair transition systems are typically denoted by $A, B, C, \dots$ and states of a system by the corresponding lower case letter. To refer to the components of system $A$ we use $A$ as index, with the additional convention that $V_A$ refers to the set of variables evaluated by states in $\Sigma_A$. A transition $t \in T$ is enabled in state $s \in \Sigma$ if there exists $s' \in \Sigma$ with $(s, s') \in t$. We also write $s \xrightarrow{t} s'$ for $(s, s') \in t$.

Definition 2 An infinite sequence $\langle s_0, s_1, s_2, \dots \rangle$ of states of $A$ is a computation of $A$ iff
1. $s_0 \in I$,
2. for all $i \in \mathbb{N}$ there exists a transition $t \in T$ with $(s_i, s_{i+1}) \in t$,
3. for all $t \in WF$ that are continuously enabled from some point onwards in the sequence, there are infinitely many $i \in \mathbb{N}$ with $(s_i, s_{i+1}) \in t$,
4. for all $t \in SF$ that are infinitely often enabled in the sequence, there are infinitely many $i \in \mathbb{N}$ with $(s_i, s_{i+1}) \in t$. □

We use $[\![A]\!]$ to denote the set of computations generated by fts $A$.
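As an added illustration of Definitions 1 and 2 (not part of the original paper), the following Python checks conditions 1.–4. for a sequence given as a lasso $u\,v^\omega$: a finite prefix $u$ followed by a non-empty loop $v$ repeated forever. The lasso shape is an assumption of this example: since every loop state recurs infinitely often, "continuously enabled from some point onwards" reduces to "enabled in every loop state" and "infinitely often enabled" to "enabled in some loop state". The fts over two bits $x, y$, its transition names and the sample sequences are constructed here.

```python
# Added example (not from the paper): a small fts and a checker for
# Definition 2 on lasso-shaped sequences u v^omega.

def is_computation(fts, u, v):
    """Is u v^omega a computation of fts = (Sigma, I, T, WF, SF)?
    T maps transition names to relations (sets of (s, s') pairs); WF and SF
    are sets of transition names.  Lasso shape is an assumption: every state
    of the non-empty loop v recurs infinitely often."""
    Sigma, I, T, WF, SF = fts
    seq = list(u) + list(v)
    if not v or seq[0] not in I or any(s not in Sigma for s in seq):
        return False                                    # condition 1 (and well-formedness)
    steps = list(zip(seq, seq[1:])) + [(v[-1], v[0])]    # every step, incl. the loop seam
    if not all(any(st in T[t] for t in T) for st in steps):
        return False                                    # condition 2
    loop_steps = steps[len(u):]                         # the steps taken infinitely often
    enabled = lambda t, s: any(s0 == s for s0, _ in T[t])
    taken_inf = lambda t: any(st in T[t] for st in loop_steps)
    for t in WF:                                        # condition 3 (weak fairness)
        if all(enabled(t, s) for s in v) and not taken_inf(t):
            return False
    for t in SF:                                        # condition 4 (strong fairness)
        if any(enabled(t, s) for s in v) and not taken_inf(t):
            return False
    return True


# Constructed fts: states are pairs (x, y) of bits.
S = {(x, y) for x in (0, 1) for y in (0, 1)}
T = {
    "idle":   {(s, s) for s in S},                    # t_idle = id_Sigma
    "flip_x": {((x, y), (1 - x, y)) for x, y in S},
    "flip_y": {((x, y), (x, 1 - y)) for x, y in S},
    "set_y":  {((1, 0), (1, 1))},                     # enabled only in state (1, 0)
}

def fts(WF=(), SF=()):
    return (S, {(0, 0)}, T, set(WF), set(SF))

STARVE_Y = [(0, 0), (1, 0)]                  # x flips forever, y never changes
FAIR = [(0, 0), (1, 0), (1, 1), (0, 1)]      # both bits keep changing

def demo():
    """Fairness checks for the constructed fts and loops."""
    return (
        is_computation(fts(), [], STARVE_Y),                # no fairness: a computation
        is_computation(fts(WF={"flip_y"}), [], STARVE_Y),   # flip_y always enabled, never taken
        is_computation(fts(WF={"set_y"}), [], STARVE_Y),    # set_y is not continuously enabled
        is_computation(fts(SF={"set_y"}), [], STARVE_Y),    # ... but infinitely often: unfair
        is_computation(fts(SF={"set_y"}), [], FAIR),        # set_y is taken in the loop
        is_computation(fts(), [], [(0, 0), (1, 1)]),        # no transition for (0,0) -> (1,1)
    )
```

The third and fourth results show the difference between the two fairness constraints on the same loop: `set_y` is enabled only in state (1, 0), so weak fairness does not force it, while strong fairness does.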
As specification language we consider a stutter-closed [19] fragment of linear time temporal logic [23], referred to as $LTL^{-}$. Formulas are constructed from first-order state predicates and the temporal operators $\Box$ (always), $\Diamond$ (eventually), and $\mathcal{U}$ (strong until). Temporal formulas are denoted by $\varphi, \psi$ and state formulas by $p$. We write $V_p$, resp. $V_\varphi$, for the set of free variables of predicate $p$, resp. formula $\varphi$.
Temporal formulas are interpreted over infinite sequences of states [23]. A fair transition system $A$ satisfies formula $\varphi \in LTL^{-}$, denoted by $A \models \varphi$, if all its computations satisfy $\varphi$.
We use the following notations for sequences of states. $\Sigma^*$, resp. $\Sigma^\omega$, denotes the set of all finite, resp. all finite and infinite, state sequences over some state space $\Sigma$. Operator $\circ$ denotes concatenation of sequences. For a sequence $\sigma$, $|\sigma|$ returns the number of elements in $\sigma$ ($|\sigma| \stackrel{def}{=} \omega$ if $\sigma$ is infinite), $last(\sigma)$ returns the last element of $\sigma$ if $1 \le |\sigma| < \omega$ (otherwise $last(\sigma) \stackrel{def}{=} \bot$), and $rem(\sigma)$ is defined by $\sigma = rem(\sigma) \circ \langle last(\sigma) \rangle$ if $1 \le |\sigma| < \omega$ (otherwise $rem(\sigma) \stackrel{def}{=} \bot$). The empty sequence is denoted by $\langle\rangle$. For a sequence $\sigma = \langle s_0, s_1, s_2, \dots \rangle$ and $i \in \mathbb{N}$ we define the prefix of $\sigma$ up to index $i$ by $\sigma^i \stackrel{def}{=} \langle s_0, s_1, \dots, s_i \rangle$. By $\sigma_i$ we refer to the $(i+1)$-st state of $\sigma$.

The Refinement Relation
Refinement approaches provide a formal basis to conclude correctness of a concrete system from correctness of an abstract system. Rather than verifying directly that the more concrete system also satisfies the specification, one exploits the similarity of the abstract and the concrete system concerning the observable behavior that both systems display. The notion of similarity is formally captured by means of a refinement relation. Such a refinement relation states, e.g., that every observable behavior of the concrete system has to be a possible observable behavior of the abstract system. The direct proof that the concrete system satisfies the specification is replaced by a proof that the concrete system refines the abstract one w.r.t. a predefined refinement relation.

Standard Refinement
In the state-based world there are several prominent refinement approaches based on Linear Temporal Logic and (fair) transition systems, e.g. [1,11,14,18,21,29]. These approaches are defined such that they preserve all temporal properties of the abstract system. This means that besides the desired properties contained in the specification, all other temporal properties of the abstract system, which are not mentioned in the specification, are preserved as well [30].
In the case of refining a functional design we are definitely interested in preserving its specification, but we are certainly not interested in preserving the strict temporal ordering of events due to the sequential composition of tasks. In general the functional design obeys other temporal properties than the concurrent system, and consequently a refinement approach which necessarily preserves all temporal properties of the abstract system is not able to express the relation between both systems. Examples illustrating this situation are given in [27]. We use a parameterized refinement approach which supports the preservation of specific properties during refinement instead of necessarily all.
Though standard refinement approaches do not support the desired notion of refinement, they have been successfully applied for more than a decade to the refinement of concurrent systems. So, we want the new refinement approach to allow both: refinement steps which preserve specific properties in order to refine a functional design into a concurrent system, and standard refinement steps which preserve all temporal properties and allow one to refine the concurrent system towards a concurrent implementation. Such a refinement framework has been elaborated in [27]. The following presentation of this refinement theory is split into two parts: 1. defining the parameterized refinement relation, and 2. proving that the refinement relations used in [1,12,14,18,13,17,21] are special instances of the suggested refinement relation.

Parameterized Refinement
The most general relation that we could choose for property preservation has been indicated in the introduction: suppose $\varphi$ is the property that we want to preserve; then the most general refinement relation which preserves $\varphi$ obviously is $ref_\varphi \stackrel{def}{=} \{(C,A) \mid A \models \varphi \text{ implies } C \models \varphi\}$ (a similar definition has been investigated in [30]). Indeed, this is the largest relation that preserves $\varphi$; however, we would not succeed in finding a proof technique which avoids proving directly that $C \models \varphi$ if $A \models \varphi$ holds, since there is not necessarily any similarity between systems $C$ and $A$ besides the fact that both satisfy $\varphi$. This means, if we choose $ref_\varphi$ as refinement relation we would not be able to exploit the knowledge that the abstract system satisfies $\varphi$ in order to prove that the concrete system satisfies $\varphi$ as well. Consequently we look for a more restrictive relation which allows the preservation of specific properties but nevertheless is provable by the standard proof technique for state-based refinement, namely simulation. We investigate a generalization of Abadi & Lamport's refinement theory and show that the generalization actually meets the above requirements. First we briefly recall Abadi & Lamport's refinement notion.

Abadi & Lamport Refinement
In most state-based refinement setups, "$C$ refines $A$" is defined as inclusion of observable behaviors, i.e. the set of observable behaviors generated by $C$ has to be a subset of the observable behaviors generated by $A$. Also the refinement relation in [1] is defined as inclusion of observable behavior, under the following definition of observable behavior.
In [1] the set of variables of a system is partitioned into a set $E$ of so-called externally visible variables and a set of internal variables. The observable behavior of a computation is defined relative to an observer that only observes (the values of the variables in) set $E$ in the states of the computation. This is captured in the next definition, where operator $\Pi_E$ denotes restriction of states to the set $E$ of variables. Operator $\Pi_E$ acts point-wise on sequences of states.

Definition 3 Let $\sigma$ be a computation of some fair transition system. □

Each definition of observable behavior for computations induces a definition of observable behavior for systems: $beh_E(A) \stackrel{def}{=} \{beh_E(\sigma) \mid \sigma \in [\![A]\!]\}$. So also for subsequent notions of observable behavior we use $beh(A)$, rather than $beh([\![A]\!])$, to denote this lifting to systems.
Refinement in [1] is defined as inclusion of observable behaviors modulo stuttering. We say that a sequence of states $seq = \langle s_0, s_1, s_2, s_3, \dots \rangle$ is stutter free if $s_{i-1} \ne s_i$ for all $0 < i < |seq|$, where $|seq|$ denotes the length of $seq$.
Operator $\natural$ assigns to each sequence $seq$ its stutter free version, i.e. the stutter free sequence obtained by replacing every maximal subsequence $\langle s_i, s_{i+1}, \dots \rangle$ of identical elements in $seq$ by the element $s_i$. Two sequences $\sigma, \rho$ are stutter equivalent, denoted by $\sigma \simeq \rho$, if $\natural\sigma = \natural\rho$. To obtain a simpler proof method, operator $\natural$ removes final stuttering, in contrast to the stutter operator in [1]. No matter whether final stuttering is preserved or removed, the induced stutter equivalence $\simeq$ remains unchanged in the Abadi & Lamport setup. The stutter closure of a set $A$ of sequences is defined as $\Gamma A \stackrel{def}{=} \{\sigma \mid \exists \rho \in A: \sigma \simeq \rho\}$. The refinement relation in [1] can now be defined as follows.

Definition 4 Given systems $A, C$ and a set $E$ of variables,
$C\ ref_E\ A$ iff $\forall \sigma \in [\![C]\!]: \exists \rho \in [\![A]\!]: beh_E(\sigma) \simeq beh_E(\rho)$. □

So, system $C$ refines system $A$ w.r.t. the set $E$ of externally visible variables iff for every computation of $C$ there exists a computation of $A$ which displays, up to stuttering, the same observable behavior. The satisfaction relation $\models \subseteq FTS \times LTL^{-}$ is insensitive to stuttering [19]; hence relation $ref_E$ preserves all $LTL^{-}$ formulas $\varphi$ with $V_\varphi \subseteq E$.

Generalizing Abadi & Lamport Refinement
In [1] there is one fixed definition of observable behavior (up to set $E$), just as in most existing refinement setups. We make this definition a parameter of our refinement relation. We demonstrate that this idea supports the preservation of specific temporal properties during refinement as well as gives the flexibility to capture standard refinement relations.
Technically, the generalization is based on the following observation: the amount of information necessary to decide whether a computation satisfies some temporal formula is often strictly less than the complete behavior $beh_E$ of that computation. Consider for example the property $\Box(x = 0 \to \Diamond\, x = 10)$ (informally: it is always the case that a state where $x$ evaluates to 0 is eventually followed by a state where the value of $x$ equals 10). To decide whether a computation satisfies this formula, the only relevant information is whether every state occurring in the computation where $x = 0$ holds is eventually followed by a state where $x = 10$ holds; the values of $x$ in intermediate states where $x$ is different from 0 and 10 are in fact irrelevant. So in case we have a computation satisfying a temporal property, there exists a well defined subsequence of states witnessing this satisfaction. We generalize relation $ref_E$ by defining that a concrete system refines an abstract system iff for every computation of the concrete system there exists a computation of the abstract system that displays the same sequence of witnessing states. So the generalization is also defined as inclusion of observable behavior, however with a more liberal notion of observability. Actually, the definition of observability becomes a parameter of our refinement definition, since it depends on the property of interest whether a state is a witnessing state or not. So, every property requires a specific notion of observability for its preservation.
We explained that the definition of observable behavior in [1] is based on a notion of observer who observes the values of the variables in set $E$ in the states of a computation. We use the following more liberal notion of observer.

Definition 6 An observer $O$ is characterized by a tuple $O = (p, E)$ consisting of a state predicate $p$ and a set $E$ of externally visible variables. We define the set of free variables of $O$ as $V_O \stackrel{def}{=} V_p \cup E$. □

An observer observes a set $E$ of variables, but only in those states of a computation that satisfy the so-called filter predicate $p$. The idea is that the filter predicate is used to characterize witnessing states. Using state predicates as observation criterion for the states of a computation is a powerful concept: by adding auxiliary variables to the state space of a program (cf. [1]), observability of states may be defined, e.g., dependent on occurrences of actions or on the computation history.
The observer notion in Definition 6 induces the following adapted definitions of observable behavior and refinement.
Here, operator $\Pi_p$, for a state predicate $p$, projects a sequence of states to its subsequence of states which satisfy $p$.
The fact that $\Gamma$ is idempotent proves that all steps in the proof above are actually equivalences. We have for all sets $A, C$ of computations that $C \subseteq \Gamma A$ iff $\Gamma C \subseteq \Gamma\Gamma A$ iff $\Gamma C \subseteq \Gamma A$, by idempotency of $\Gamma$. Instantiating $C = \{beh_O(\sigma) \mid \sigma \in [\![C]\!]\}$ and $A = \{\sigma \in \Sigma_E^\omega \mid \exists \rho \in beh_O(A): \sigma \simeq \rho\}$, and observing that $\Gamma\{beh_O(\sigma) \mid \sigma \in [\![C]\!]\} = \{\sigma \in \Sigma_E^\omega \mid \exists \rho \in beh_O(C): \sigma \simeq \rho\}$, we conclude that we can replace the 'then' by an 'iff' in the proof above. □

Following [28]

A new aspect in refinement relations that allow one to preserve specific temporal properties is the preservation of an increasing set of properties during program development [30]. The following investigation serves to build a basis for the preservation of an increasing set of properties during successive refinement steps. This composition is an important property for refinement relations that allow the preservation of specific properties during refinement. It justifies the usage of more discriminating observers in subsequent refinement steps in order to preserve an increasing set of properties.
The next proposition gives an explicit characterization of when $O_1 \sqsubseteq O_2$ holds, i.e. when observer $O_2$ is at least as discriminating as $O_1$. Here, $s =_V s'$ abbreviates the expression $\Pi_V(s) = \Pi_V(s')$, i.e. $s =_V s'$ holds iff $s$ and $s'$ coincide on the set $V$ of variables.
3: $beh_{O_1}(\sigma) = \langle\rangle$ (by 2. and Def. 7a)
4: $beh_{O_1}(\sigma) \simeq beh_{O_1}(\rho)$ (by 1., 3., and the definition of $\simeq$)
Note that the base case $|\sigma| = 0$ on its own is not sufficient for the following induction step.
Case $|\sigma| = n + 1$, $n \ge 0$. Let $\sigma = \sigma' \circ \langle s_n \rangle$.
1: $beh_{O_1}(\sigma) = beh_{O_1}(\sigma') \circ beh_{O_1}(\langle s_n \rangle)$ (Def. 7a)
(i.e. $s \models p_1 \wedge s =_{E_2} s'$), then $s'$ has to be an observable state of $O_1$. The last property states that $O_1$ may not use variables in the set $V_{p_1} \setminus E_2$ to judge the observability of states. A simple heuristic to guarantee that the third condition holds is thus to choose $E_2$ to be a superset of $V_{p_1}$. See [27] for more details and examples.
As demonstrated in [27] it is convenient to lift $ref_O$ to tuples of observers. In the following section we prove that this lifting allows one to capture the notion of partial order refinement, as used in approaches for phased reasoning and design of distributed systems, but not vice versa.
In part b) of this definition, operator $\Gamma$ is defined component-wise on tuples. The corresponding element-wise characterization is:

Proposition 13 Given systems $A, C$ and $\Omega = \langle O_1, \dots, O_n \rangle$ with $V_{O_i} \subseteq V_A \cap V_C$ for $i \in \{1, \dots, n\}$,
$C\ ref_\Omega\ A$ iff $\forall \sigma \in [\![C]\!]: \exists \rho \in [\![A]\!]: \forall i \in \{1, \dots, n\}: beh_{O_i}(\sigma) \simeq beh_{O_i}(\rho)$. □

Note that the order of observers in $\Omega$ does not matter, i.e. if $C\ ref_\Omega\ A$ holds and $\Omega'$ is a permutation of $\Omega$, then also $C\ ref_{\Omega'}\ A$ holds. Nevertheless, due to Definition 12, $\Omega$ is defined as a tuple of observers.

Proposition 14 Given $\Omega = \langle O_1, \dots, O_n \rangle$ and $\Omega' = \langle O'_1, \dots, O'_m \rangle$. If for all $i \in \{1, \dots, n\}$ there exists a $j \in \{1, \dots, m\}$ such that $O_i \sqsubseteq O'_j$, then $ref_{\Omega'}$ preserves all properties that are preserved by $ref_\Omega$.

□

We get the corresponding composition property for $ref_\Omega$.

Composition:

Proposition 14 and the composition of $ref_\Omega$ taken together state that it is a sound strategy to strengthen the sets of observers used in successive refinement steps, by either choosing more discriminating observers or by adding new observers, in order to preserve an increasing set of properties during the development of a system.

Linking Properties and Observers
Due to the generality of the proposed refinement relation the following question arises: How do we prove that a specific temporal property is actually preserved by the chosen refinement relation?
This is an aspect which can be dealt with once and for all in standard refinement approaches such as [1,11,21,29,14,18], by proving that the chosen refinement relation preserves all temporal properties. Refinement relations that preserve specific properties inevitably have to deal with the additional proof obligation to show that the property of interest is actually preserved.
In [27] we employed the advocated refinement notion for the development of stabilizing systems [26]. Since the crucial part of the behavior of stabilizing systems is defined by so-called convergence properties, we had to establish a link between convergence properties and observers preserving these properties.
The following theorem states such a link. Here, $p \leadsto q$ (pronounced "$p$ leads-to $q$") is an abbreviation for $\Box(p \to \Diamond q)$.

Theorem 15 Given systems $A, C$ and $\varphi = p \leadsto q$ for state predicates $p, q$. If $A \models p \leadsto q$ and $C\ ref_{O_\varphi}\ A$ for $O_\varphi = (p \vee q, V_p \cup V_q)$, then $C \models p \leadsto q$. □

This theorem states that the notion of observability induced by observer $O_\varphi$ suffices to conclude from $A \models p \leadsto q$ and $C\ ref_{O_\varphi}\ A$ that also $C \models p \leadsto q$ holds. Observer $O_\varphi$ observes the sequence of states in a computation that witness or disprove the satisfaction of $\varphi$. These relevant states in a computation are those satisfying $p \vee q$, and the relevant state information which needs to be preserved during refinement are the values of the variables in the set $V_p \cup V_q$. Note that the induced refinement relation $ref_{O_\varphi}$ is not complete in the sense that we do not have for all systems $A, C$ that $A \models p \leadsto q$ and $C \models p \leadsto q$ implies $C\ ref_{O_\varphi}\ A$.

Example 16 Consider two systems $A, C$ where $[\![A]\!] = \{\langle a_0, a_1, a_2, \dots \rangle\}$ with $a_i(x) = 1$ for $i \in \mathbb{N}$, and $[\![C]\!] = \{\langle c_0, c_1, c_2, \dots \rangle\}$ with $c_i(x) = 2$ for $i \in \mathbb{N}$.

Both systems satisfy the convergence property
It is not difficult to see that the reason why $C$ does not refine $A$ w.r.t. $ref_{O_\varphi}$ lies in the fact that the observed states in $C$ and $A$ have to be identical in order for $ref_{O_\varphi}$ to hold. In [28] we suggested observers $O = (p, E, \approx)$ where $\approx \subseteq \Sigma_E \times \Sigma_E$ is an equivalence relation which defines when two observed states are indistinguishable for $O$. In this example we might have defined $s \approx s'$ iff ($s \models x = 1 \vee x = 2$ iff $s' \models x = 1 \vee x = 2$). The resulting observer is easily proven to preserve $\varphi$, and we also have $C\ ref_O\ A$. Since we do not need this generalization for subsequent results, we refer to [28] for details. In [27] the proof method of delayed simulation is elaborated, which can be used to actually prove that $C\ ref_O\ A$ for two given fts and observer $O$.
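The following Python is an added example, not code from the paper, that makes the notions of this section executable on finite-state data: the stutter operator and stutter equivalence (the "Abadi & Lamport Refinement" subsection), observers with a filter predicate (Definition 6), observer refinement as inclusion of observable behavior up to stuttering (Definition 4 and its observer-parameterized form), the observer $O_\varphi = (p \vee q, V_p \cup V_q)$ of Theorem 15, and the incompleteness shown by Example 16. Two assumptions are mine: computations are given as lassos $u\,v^\omega$ (finite prefix, non-empty loop), so that stutter equivalence of infinite words is decidable by comparing ultimately periodic words; and the indistinguishability relation $\approx$ of [28] is passed as a function mapping an observed state to a representative. Since the concrete convergence property of Example 16 is not stated on the page, the property used for it below, $true \leadsto (x = 1 \vee x = 2)$, is an assumed instance; the systems $A$, $C$ and the faulty variant for the leads-to example are constructed here.

```python
from math import lcm

# Added example (not from the paper).  A state is a dict {variable: value}.
# An infinite computation u v^omega is a lasso (u, v): finite prefix u and
# non-empty loop v (assumption of this example); a finite sequence is (u, ()).

def dedup(seq):
    """Finite stutter-free version: drop adjacent repetitions."""
    out = []
    for s in seq:
        if not out or out[-1] != s:
            out.append(s)
    return out

def natural(u, v):
    """Stutter-free version of u v^omega, again as a lasso.  Like the paper's
    operator, final stuttering is removed: an ultimately constant word becomes
    a finite sequence with empty loop."""
    u, v = list(u), list(v)
    if not v:
        return dedup(u), ()
    cyc = dedup(v)
    if len(cyc) > 1 and cyc[0] == cyc[-1]:
        cyc.pop()                      # repetition across the loop seam
    if len(cyc) == 1:                  # v^omega repeats a single state
        return dedup(u + cyc), ()
    prefix = dedup(u + v)              # ends with v[-1]
    if cyc[0] == prefix[-1]:           # v[0] == v[-1]: the period starts one later
        cyc = cyc[1:] + cyc[:1]
    return prefix, tuple(cyc)

def expand(u, v, n):
    out = list(u)
    while len(out) < n:
        out.extend(v)
    return out[:n]

def lasso_equal(a, b):
    """Equality of the words denoted by two lassos: ultimately periodic words
    agree iff they agree on max(prefix lengths) + lcm(periods) positions."""
    (u1, v1), (u2, v2) = a, b
    if not v1 or not v2:
        return not v1 and not v2 and list(u1) == list(u2)
    n = max(len(u1), len(u2)) + lcm(len(v1), len(v2))
    return expand(u1, v1, n) == expand(u2, v2, n)

class Observer:
    """O = (p, E): observe Pi_E(s) only in states s with s |= p.  `key` maps an
    observed state to a representative and so plays the role of the
    indistinguishability relation of [28] (assumption: given as a function)."""
    def __init__(self, p, E, key=None):
        self.p, self.E, self.key = p, frozenset(E), key or (lambda s: s)

    def beh(self, u, v):
        """beh_O(u v^omega): filter by p, project to E, remove stuttering."""
        obs = lambda seq: [self.key({x: s[x] for x in self.E}) for s in seq if self.p(s)]
        return natural(obs(u), obs(v))

def refines(C, A, O):
    """C ref_O A: every computation of C has an A-computation with
    stutter-equivalent observable behaviour (C, A: lists of lassos)."""
    return all(any(lasso_equal(O.beh(*c), O.beh(*a)) for a in A) for c in C)

def leads_to(p, q, u, v):
    """u v^omega |= p ~> q, i.e. always (p -> eventually q)."""
    q_in_loop = any(q(s) for s in v)
    if any(p(s) for s in v) and not q_in_loop:
        return False
    return all(any(q(t) for t in u[i:]) or q_in_loop for i, s in enumerate(u) if p(s))

satisfies = lambda system, p, q: all(leads_to(p, q, u, v) for u, v in system)

# Constructed systems.  Functional design A: x counts 0..10 and then stays.
A = [([{"x": i} for i in range(11)], ({"x": 10},))]
# Concurrent variant C: x jumps 0, 3, 7, 10 while an internal y keeps flipping.
C = [([{"x": 0, "y": 0}, {"x": 0, "y": 1}, {"x": 3, "y": 1}, {"x": 7, "y": 0}],
      ({"x": 10, "y": 0}, {"x": 10, "y": 1}))]
# Faulty variant: x gets stuck at 5.
C_BAD = [([{"x": 0, "y": 0}], ({"x": 5, "y": 0}, {"x": 5, "y": 1}))]

p, q = (lambda s: s["x"] == 0), (lambda s: s["x"] == 10)
O_PHI = Observer(lambda s: p(s) or q(s), {"x"})   # O_phi = (p or q, V_p u V_q)
O_AL = Observer(lambda s: True, {"x"})            # Abadi & Lamport ref_E with E = {x}

def example_leads_to():
    """(A |= p~>q, C ref_O_phi A, C ref_E A, C |= p~>q, C_BAD ref_O_phi A, C_BAD |= p~>q)"""
    return (satisfies(A, p, q), refines(C, A, O_PHI), refines(C, A, O_AL),
            satisfies(C, p, q), refines(C_BAD, A, O_PHI), satisfies(C_BAD, p, q))

# Example 16 with an assumed instance of the convergence property:
# true ~> (x = 1 or x = 2), which both systems satisfy.
A16, C16 = [([], ({"x": 1},))], [([], ({"x": 2},))]
P16, Q16 = (lambda s: True), (lambda s: s["x"] in (1, 2))
O16 = Observer(lambda s: P16(s) or Q16(s), {"x"})
O16_EQ = Observer(lambda s: P16(s) or Q16(s), {"x"},
                  key=lambda s: "x in {1,2}" if s["x"] in (1, 2) else s)

def example_16():
    """(A16 |= phi, C16 |= phi, C16 ref_O_phi A16, C16 ref_O A16 with the ~ observer)"""
    return (satisfies(A16, P16, Q16), satisfies(C16, P16, Q16),
            refines(C16, A16, O16), refines(C16, A16, O16_EQ))
```

`example_leads_to()` shows the point of the paper on data: `C` refines `A` under the observer `O_PHI` that sees only the witnessing states with $x \in \{0, 10\}$, but not under the Abadi & Lamport observer that sees every value of $x$, because `A` passes through 1, 2, 4, 5, 6, 8, 9 and `C` does not; the faulty variant is rejected by `O_PHI` and indeed violates the leads-to property, as Theorem 15 predicts. `example_16()` reproduces the incompleteness remark and its repair with a representative-based observer.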
A complete characterization of observers for all properties of the temporal hierarchy [23] is work in progress. In the next section we prove that Abadi & Lamport refinement, trace refinement as well as partial order refinement are definable in our setup.

Abadi & Lamport Refinement
In the previous section we have given alternative point-wise characterizations of $ref_E$ and $ref_O$. These characterizations are now used in order to prove that Abadi & Lamport refinement is a particular instance of observer refinement.

Trace Refinement
In order to define and characterize trace refinement [12,13,21] and also partial order refinement [13,17], we use a slightly different model, namely fair named transition systems [13]. In this model, event names from some set $E$ are associated with the transitions of a system. We denote the set of events generated by system $S$ by $E_S$. Whenever a transition is taken, the corresponding event is generated. Computations of fair named transition systems are now alternating sequences of states and events. As notational convention we write $s_0 \xrightarrow{e_1} s_1 \xrightarrow{e_2} s_2 \xrightarrow{e_3} \cdots$ instead of $\langle s_0, e_1, s_1, e_2, s_2, \dots \rangle$. The $e_i$ record the fact that the occurrence of the transition corresponding to $e_i$ caused the state change from $s_{i-1}$ to $s_i$. For the definition of trace refinement, the set $E$ is partitioned into externally visible events $Ext \subseteq E$ and internal events $Int \subseteq E$. This separation into internal and external events induces a corresponding separation of the transitions into external and internal transitions [13].
Extracting the sequence of externally visible events of a computation yields its observable behavior. We use operator $\Pi_{Ext}$ to project a computation to the sequence of events belonging to the set $Ext$, generally called the trace of the computation [22].
of some system $A$ and set $Ext \subseteq E_A$ of externally visible events of $A$. In order to define trace refinement in our refinement setup, we assume that the state space of the systems under investigation contains a distinct variable $taken$ recording the event generated by the occurrence of the transition which caused the last state change. Initially $taken$ has a designated initial value. We obtain the following proposition.
This theorem states that the observer underlying the definition of observable behavior in trace refinement only observes the sequence of externally visible events of a computation, which is a well-known fact.

Partial Order Refinement
The previous refinement relations $ref_E$ and $ref_{Ext}$ have been studied extensively in the literature. Partial order refinement is a comparatively new refinement notion, see e.g. [13,17], which gained considerable interest in the automated verification community as a means to tackle the state explosion problem in enumerative model checkers. The characterization of partial order refinement in our setup is far more involved than the characterization of the two previous refinement notions. The reason is the more complicated and rather implicit notion of observability which underlies partial order approaches, as explained next.
As explained in [24], in concurrent systems there is only a partial ordering between events of parallel processes, since there is no means to decide which of two independent events occurs earlier than the other. The only way to establish an objective ordering between events is to find their mutual dependencies and to define that a cause must always be earlier than its effect. Therefore an independence relation on events is the basis for the description of concurrent behaviors in partial order approaches. These approaches allow elegant and concise descriptions of phenomena occurring in concurrent systems, such as serializability and sequential consistency, as well as interesting development techniques for such systems [9]. Though the underlying idea is the same in all partial order approaches, their presentation differs considerably. In the following we concentrate on the definition and presentation of partial order refinement as given in [13].
The very basis of all partial order approaches that deal with linear computations rather than directly with partial orders is the definition of a permutation equivalence amongst computations. The idea is that two computations are permutation equivalent iff an observer who only observes the relative order of dependent events does not observe any difference between the two computations. An equivalence class of permutation equivalent computations is an abstract representation of a partial order. Considering all computations of an equivalence class as total orderings on events, the intersection of these total orderings yields the partial order on events represented by the equivalence class.
As mentioned above, permutation equivalences are defined relative to a symmetric, irreflexive independence relation $I$ [24] on a set of external events. Two computations $\sigma, \rho$ are permutation equivalent w.r.t. $I$, denoted by $\sigma \equiv_I \rho$, if their traces differ only by permutations of independent events [24]. Recall that $\sigma^i$ denotes the prefix of the state sequence $\sigma$ up to and including index $i$.
c) Now, permutation equivalence $\equiv_I \subseteq E^\omega \times E^\omega$ is defined as the intersection of the relation of part b) with its inverse. □

The permutation closure of a set $A$ of sequences of events relative to an independence relation $I$ is defined by $\Gamma_I A \stackrel{def}{=} \{\sigma \mid \exists \rho \in A: \sigma \equiv_I \rho\}$. For a given sequence $\sigma$, $\Gamma_I \sigma$ is the run [16] corresponding to $\sigma$. In [15] a run is also referred to as an interleaving set. This can be exploited for phased reasoning about concurrent systems [28]. The point-wise characterization of partial order refinement is stated in the following proposition: □

Note that the sets $D_i$, resp. $D_i \times D_i$, form in general not a partition but a covering of $E$, resp. $D$. The following theorem is a generalization of a main result from trace theory [24] to sequences of arbitrary (in particular infinite) length. We use operator $\Pi_{E'}$ with $E' \subseteq E$ to project sequences $\sigma \in E^\omega$ to the set $E'$ of events.

Theorem 28 Given a set $E$ of events and an independence relation $I \subseteq E \times E$. For every dependence collection $D_i$, $i \in \{1, \dots, n\}$, of $I$ the following holds for all $\sigma, \rho \in E^\omega$: $\sigma \equiv_I \rho$ iff $\forall i \in \{1, \dots, n\}: \Pi_{D_i}(\sigma) = \Pi_{D_i}(\rho)$. □

The proof of this theorem extends the following result from trace theory for finite sequences of events.

Theorem 29 (Mazurkiewicz)
Given a set $E$ of events and an independence relation $I \subseteq E \times E$. For every dependence collection $D_i$, $i \in \{1, \dots, n\}$, of $I$ the following holds for all $\sigma, \rho \in E^*$: $\sigma \equiv_I \rho$ iff $\forall i \in \{1, \dots, n\}: \Pi_{D_i}(\sigma) = \Pi_{D_i}(\rho)$. □

Note that Theorem 29 is based on the simpler notion of permutation equivalence for finite sequences of events, see part a) of Definition 23. Below, we prove that this result can be lifted to infinite sequences of events using the more general notion of permutation equivalence given in part c) of Def. 23. The proof mainly consists of the two following lemmata. We use $\preceq$ to denote the prefix relation on sequences of events.

Lemma 30 Given a set $E$ of events and $E' \subseteq E$. For all $\sigma, \rho \in E^\omega$ the following holds:

Theorem 28 states that two sequences of events are permutation equivalent iff the relative order of events belonging to the same dependence set $D_i$ is the same.
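Theorems 28 and 29 reduce permutation equivalence to equality of the projections onto the dependence sets $D_i$. As an added example that is not part of the paper, the Python below builds one dependence collection from an independence relation (the maximal cliques of the dependence relation $D = (E \times E) \setminus I$, whose squares cover $D$ as required), decides equivalence of finite event sequences by projection (Theorem 29), cross-checks this against the definition by swapping adjacent independent events, and enumerates the run $\Gamma_I \sigma$ of a sequence. The events, the two processes and the independence relation are constructed for this example.

```python
from collections import deque
from itertools import permutations

# Added example (not from the paper): permutation equivalence of finite
# event sequences via projections onto a dependence collection (Theorem 29),
# cross-checked against the swap-based definition.

def dependence_collection(events, independent):
    """Maximal sets D_i of pairwise dependent events, i.e. maximal cliques of
    the dependence relation D = (E x E) \\ I (Bron-Kerbosch without pivoting).
    The D_i x D_i cover D; the D_i cover E but need not be a partition."""
    dependent = lambda a, b: a != b and (a, b) not in independent
    cliques = []

    def extend(R, P, X):
        if not P and not X:
            cliques.append(frozenset(R))
        for v in sorted(P):
            N = {u for u in events if dependent(u, v)}
            extend(R | {v}, P & N, X & N)
            P, X = P - {v}, X | {v}

    extend(set(), set(events), set())
    return cliques

def project(seq, D):
    """Pi_D: the subsequence of seq consisting of the events in D."""
    return tuple(e for e in seq if e in D)

def equiv_by_projection(s, t, Ds):
    """Theorem 29: s ==_I t iff Pi_{D_i}(s) = Pi_{D_i}(t) for every D_i."""
    return all(project(s, D) == project(t, D) for D in Ds)

def equiv_by_swaps(s, t, independent):
    """Definition: s ==_I t iff t is reached from s by repeatedly swapping
    adjacent independent events.  Breadth-first search through the run of s;
    fine for short sequences and used here only as a cross-check."""
    s, t = tuple(s), tuple(t)
    seen, todo = {s}, deque([s])
    while todo:
        w = todo.popleft()
        if w == t:
            return True
        for i in range(len(w) - 1):
            if (w[i], w[i + 1]) in independent:
                w2 = w[:i] + (w[i + 1], w[i]) + w[i + 2:]
                if w2 not in seen:
                    seen.add(w2)
                    todo.append(w2)
    return False

def run(s, Ds):
    """Gamma_I s: the equivalence class (run, interleaving set) of s, found by
    brute force over all permutations; fine for short sequences."""
    return {w for w in set(permutations(s)) if equiv_by_projection(s, w, Ds)}

# Constructed example: process P performs a1, a2, process Q performs b1, b2,
# and c is a synchronisation both take part in.  Events of different
# processes are independent; c depends on every event.
EVENTS = {"a1", "a2", "b1", "b2", "c"}
INDEP = {(a, b) for a in ("a1", "a2") for b in ("b1", "b2")}
INDEP |= {(b, a) for a, b in INDEP}                      # symmetric, irreflexive
DS = dependence_collection(EVENTS, INDEP)                # {a1,a2,c}, {b1,b2,c}

S = ("a1", "b1", "a2", "c", "b2")
T = ("b1", "a1", "a2", "c", "b2")    # same relative order within each D_i as S
R = ("a1", "a2", "b1", "b2", "c")    # b2 and c (dependent) swapped: not equivalent

def demo():
    """(S ==_I T by projection, by swaps, S ==_I R by projection, by swaps, |run(S)|)"""
    return (equiv_by_projection(S, T, DS), equiv_by_swaps(S, T, INDEP),
            equiv_by_projection(S, R, DS), equiv_by_swaps(S, R, INDEP),
            len(run(S, DS)))
```

The run of `S` has exactly three linearizations: `a1 < a2 < c` and `b1 < c < b2` are forced by dependence, and only the position of `b1` among `a1`, `a2` is free. The projection test decides this without any search, which is what makes Theorem 28/29 useful as an observer in the refinement setup of the next section.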
From the previous section on trace refinement we know how to define observers that guarantee that two computations coincide when projected on a common set of externally visible events. So we again assume that the state space of the systems under consideration evaluates a distinct variable $\mathit{taken}$ which records the event that caused the last state change. Then we obtain the following characterization of partial order refinement in our setup (Theorem 32). Summarizing Theorems 18, 22, and 32 we note that Abadi & Lamport refinement, trace refinement, and partial order refinement are definable in our setup. Note that none of the theorems needs heavy coding but rather an explicit definition of the notion of observer underlying the various refinement approaches.

BCS-FACS Northern Formal Methods Workshop
Conclusion
We have presented a refinement notion which allows a combination of refinement steps which preserve specific temporal properties of the refined system and those which preserve all its temporal properties. The preservation of specific properties is crucial in order to support the development of concurrent systems from a functional design as applied by many protocol designers. The key feature of the advocated refinement relation is its parameterization with so-called observers. This parameterization gives the flexibility to adjust the notion of observability to the properties which are to be preserved in the current refinement step. We furthermore proved that standard state-based refinement notions can be expressed in our framework by an explicit characterization of their underlying notion of observability.
In [27] a formal development framework for stabilizing systems [26] has been elaborated which is based on temporal logic and the advocated refinement relation. Besides simulation techniques to prove the parameterized refinement, this framework also comprises temporal proof and development rules employing this kind of refinement.
Currently we use a variant of the refinement approach to express and prove refinement between declarative, synchronous SIGNAL programs and their imperative, asynchronous implementation in C. Furthermore, we investigate further constructions and heuristics for generating appropriate observers from given sets of properties which are to be preserved during refinement.

The usage of the stutter closure $\Gamma$ in Definition 4 makes relation $\mathrm{ref}_E$ invariant under stuttering. The following point-wise characterization of $\mathrm{ref}_E$ is of use in Section 4, where we prove that Abadi & Lamport refinement is a special instance of our refinement notion.
Proposition 5
Given systems $A, C$ and set $E \subseteq V_A \cap V_C$.

The refinement relation parameterized by an observer is defined in two parts.
a) For an observer $O = (p, E)$ with $V_O \subseteq V_A$ the observable behavior of a computation w.r.t. $O$, $\mathrm{beh}_O$, is defined by first applying $\Pi_p$ and then $\Pi_E$ to the computation.
b) Given systems $A, C$ and an observer $O = (p, E)$ with $V_O \subseteq V_A \cap V_C$. $C$ refines $A$ w.r.t. $O$, denoted by $C\ \mathrm{ref}_O\ A$, iff $\Gamma(\mathrm{beh}_O(C)) \subseteq \Gamma(\mathrm{beh}_O(A))$.
Also relation $\mathrm{ref}_O$ is invariant under stuttering due to the use of operator $\Gamma$. As in the case of $\mathrm{ref}_E$ we give a point-wise characterization of $\mathrm{ref}_O$. Given systems $A, C$ and an observer $O$ with $V_O \subseteq V_A \cap V_C$: $C\ \mathrm{ref}_O\ A$ iff for every computation of $C$ there is a computation of $A$ such that the observable behaviors of the two computations w.r.t. $O$ are stutter-equivalent.
We call two computations equivalent w.r.t. observer $O$, denoted by $=_O$, if their observable behaviors w.r.t. $O$ are stutter-equivalent. From reflexivity and transitivity of the subset relation we obtain the following proposition.
Proposition 9
For any observer $O = (p, E)$, $\mathrm{ref}_O$ is a pre-order on the set of systems $A$ with $V_O \subseteq V_A$.
Definition 10
a) Relation $\mathrm{ref}$ preserves property $\varphi \in \mathrm{LTL}$ if for all systems $A, C$ we have that ($A \models \varphi$ and $C\ \mathrm{ref}\ A$) implies $C \models \varphi$.
b) Given two observers $O_1$ and $O_2$. Observer $O_2$ is more discriminating than $O_1$ iff $\mathrm{ref}_{O_2} \subseteq \mathrm{ref}_{O_1}$.
Obviously, if $O_2$ is more discriminating than $O_1$, then all properties preserved by $\mathrm{ref}_{O_1}$ are also preserved by $\mathrm{ref}_{O_2}$. As a consequence of Proposition 9 and Definition 10b) we get the following generalized transitivity: if $C\ \mathrm{ref}_O\ B$ and $B\ \mathrm{ref}_{O'}\ A$ with $O$ more discriminating than $O'$, then $C\ \mathrm{ref}_{O'}\ A$.
Composition
The following proposition gives sufficient conditions under which $O_2$ is more discriminating than $O_1$; its first premise is Ass1: $\models p_1 \rightarrow p_2$. The proposition states that observer $O_2$ is more discriminating than $O_1$ if the following holds:
1. $O_2$ observes at least those states which are observed by $O_1$.
2. $O_2$ observes at least those variables which are observed by $O_1$.
3. If there is a state $s'$ observed by $O_2$ ($s' \models p_2$) which $O_2$ cannot distinguish from a state $s$ observed by $O_1$
Proof: First we show that it suffices to prove that the three premises together with the stutter-equivalence of the observable behaviors w.r.t. $O_2$ of two finite sequences of states imply the stutter-equivalence of their observable behaviors w.r.t. $O_1$; then we prove this claim by induction on the length of the first sequence. So, given two finite sequences of states, it remains to prove the following:

The previous results for $\mathrm{ref}_O$ can be lifted to $\mathrm{ref}_\Omega$.
a) For a tuple $\Omega = (O_1, \dots, O_n)$ of observers with $V_{O_i} \subseteq V_A$ for $i \in \{1,\dots,n\}$ the observable behavior of a computation w.r.t. $\Omega$ is defined by $\mathrm{beh}_\Omega \stackrel{\mathrm{def}}{=} (\mathrm{beh}_{O_1}, \dots, \mathrm{beh}_{O_n})$.
b) Given systems $A, C$ and $\Omega = (O_1, \dots, O_n)$ with $V_{O_i} \subseteq V_A \cap V_C$ for $i \in \{1,\dots,n\}$. That $C$ refines $A$ w.r.t. $\Omega$ is denoted by $C\ \mathrm{ref}_\Omega\ A$.
Proposition 17
Given systems $A, C$ and set $E \subseteq V_A \cap V_C$. For all computations of $C$ and all computations of $A$ we have for $O \stackrel{\mathrm{def}}{=} (\mathit{true}, E)$:

As a consequence of this proposition we get the desired result, which comes as no surprise since we have defined $\mathrm{ref}_O$ as a generalization of relation $\mathrm{ref}_E$.
Theorem 18
Given systems $A, C$, set $E \subseteq V_A \cap V_C$, and observer $O \stackrel{\mathrm{def}}{=} (\mathit{true}, E)$. $C\ \mathrm{ref}_E\ A$ iff $C\ \mathrm{ref}_O\ A$.
This result is immediate since the observer underlying the definition of $\mathrm{ref}_E$ observes all states in a computation but inspects only the set $E$ of externally visible variables. So formally this observer can be captured by $O \stackrel{\mathrm{def}}{=} (\mathit{true}, E)$.
Trace refinement can now be defined as follows. The observable behavior of a computation w.r.t. $\mathit{Ext}$ is defined as $\mathrm{beh}_{Ext} = \Pi_{Ext}$.
Definition 20
Given systems $A, C$ with a common set $\mathit{Ext} \subseteq E_A \cap E_C$ of externally visible events. System $C$ refines $A$ w.r.t. $\mathit{Ext}$, denoted by $C\ \mathrm{ref}_{Ext}\ A$, is defined as $C\ \mathrm{ref}_{Ext}\ A$ iff $\mathrm{beh}_{Ext}(C) \subseteq \mathrm{beh}_{Ext}(A)$.
Proposition 21
Given systems $A, C$ and set $\mathit{Ext} \subseteq E_A \cap E_C$. For computations of $C$ and computations of $A$ we have for $O \stackrel{\mathrm{def}}{=} (\mathit{taken} \in \mathit{Ext}, \{\mathit{taken}\})$: their observable behaviors w.r.t. $\mathit{Ext}$ are equal iff their observable behaviors w.r.t. $O$ are equal.
As in the case of Abadi & Lamport refinement we have as a consequence of Proposition 21 the following characterization of trace refinement.
Theorem 22
Given systems $A, C$ with a common set $\mathit{Ext} \subseteq E_A \cap E_C$ of externally visible events and observer $O \stackrel{\mathrm{def}}{=} (\mathit{taken} \in \mathit{Ext}, \{\mathit{taken}\})$. Then the following holds: $C\ \mathrm{ref}_{Ext}\ A$ iff $C\ \mathrm{ref}_O\ A$.
Definition 23
Given a set $E$ of events and an independence relation $I \subseteq E \times E$.
a) Two finite sequences in $E^*$ are permutation equivalent w.r.t. $I$ if they are of the form $\langle e_1, e_2, \dots, e_{i-1}, e_i, \dots, e_n \rangle$ and $\langle e_1, e_2, \dots, e_i, e_{i-1}, \dots, e_n \rangle$ for some $i \in \{1,\dots,n\}$ and $(e_{i-1}, e_i) \in I$. The permutation equivalence relation on $E^* \times E^*$ is the reflexive and transitive closure of this one-swap relation.
b) For infinite sequences in $E^\omega$ we define a relation on $E^\omega \times E^\omega$: a first sequence is related to a second one iff $\forall i \in \mathbb{N}: \exists j \geq i$: there is a finite sequence in $E^*$ whose prefix up to index $i$ equals the prefix of the first sequence up to index $i$ and which is permutation equivalent w.r.t. $I$ (in the sense of part a) to the prefix of the second sequence up to index $j$.
Definition 24
Given systems $A, C$, set $\mathit{Ext} \subseteq E_A \cap E_C$, and independence relation $I \subseteq \mathit{Ext} \times \mathit{Ext}$. System $C$ refines $A$ w.r.t. $(\mathit{Ext}, I)$, denoted by $C\ \mathrm{ref}^I_{Ext}\ A$, is defined by $C\ \mathrm{ref}^I_{Ext}\ A$ iff $\Gamma_I(\mathrm{beh}_{Ext}(C)) \subseteq \Gamma_I(\mathrm{beh}_{Ext}(A))$.
The interesting point in this definition is that system $A$ may generate fewer traces than $C$.
Example 25
Consider two systems $A, C$ such that $\mathrm{beh}_{Ext}(A) = \{\langle a, b \rangle\}$ and $\mathrm{beh}_{Ext}(C) = \{\langle a, b \rangle, \langle b, a \rangle\}$, where the events $a$ and $b$ are independent. Then we have $C\ \mathrm{ref}^I_{Ext}\ A$ since $\Gamma_I(\mathrm{beh}_{Ext}(C)) \subseteq \Gamma_I(\mathrm{beh}_{Ext}(A))$.
Proposition 26
Given systems $A, C$, set $\mathit{Ext} \subseteq E_A \cap E_C$, and independence relation $I \subseteq \mathit{Ext} \times \mathit{Ext}$.

An alternative characterization of permutation equivalence, inspired by Mazurkiewicz [24], is the key to formulating partial order refinement in our setup. For this characterization we need the following definition, where $D$ denotes the dependence relation corresponding to a given independence relation $I \subseteq E \times E$, i.e. $D \stackrel{\mathrm{def}}{=} E \times E \setminus I$.
Definition 27
Given a set $E$ of events and an independence relation $I \subseteq E \times E$. A collection of non-empty sets $D_i \subseteq E$, $i \in \{1,\dots,n\}$, is a dependence collection of $I$ iff $D = \bigcup_{i \in \{1,\dots,n\}} D_i \times D_i$.
Lemma 31
Given a set $E$ of events and an independence relation $I \subseteq E \times E$. For every dependence collection $D_i$, $i \in \{1,\dots,n\}$, of $I$ the following holds for all sequences in $E^\omega$: a first sequence is related to a second one by the relation of Definition 23b) iff $\forall i \in \{1,\dots,n\}$: the projection $\Pi_{D_i}$ of the first sequence is a prefix of the projection $\Pi_{D_i}$ of the second.
Proof: Assume we are given an independence relation $I$, some dependence collection $D_i$, $i \in \{1,\dots,n\}$, of $I$ and two sequences in $E^\omega$. The first sequence is related to the second by the relation of Def. 23b) iff $\forall i \in \mathbb{N}: \exists j \geq i$: there is a finite sequence in $E^*$ that agrees with the first sequence on the prefix up to index $i$ and is permutation equivalent w.r.t. $I$ to the prefix of the second sequence up to index $j$ (by Def. 23b) iff $\forall i \in \mathbb{N}: \exists j \geq i$: there is a finite sequence in $E^*$ that agrees with the first sequence on the prefix up to index $i$ and satisfies $\forall k \in \{1,\dots,n\}$: its projection $\Pi_{D_k}$ equals $\Pi_{D_k}$ of the prefix of the second sequence up to index $j$ (by Theorem 29) iff $\forall i \in \mathbb{N}: \exists j \geq i: \forall k \in \{1,\dots,n\}$: $\Pi_{D_k}$ of the prefix of the first sequence up to index $i$ is a prefix of $\Pi_{D_k}$ of the prefix of the second sequence up to index $j$ (by (i)) iff $\forall k \in \{1,\dots,n\}$: $\Pi_{D_k}$ of the first sequence is a prefix of $\Pi_{D_k}$ of the second.
Now it is straightforward to complete the proof of Theorem 28.
Proof: We consider the case that both sequences are infinite; the finite case is covered by Theorem 29. The two sequences are permutation equivalent w.r.t. $I$ iff each is related to the other by the relation of Def. 23b) (by Def. 23c) iff $\forall i \in \{1,\dots,n\}$: the projection $\Pi_{D_i}$ of the first sequence is a prefix of that of the second and vice versa (by Lemma 31) iff $\forall i \in \{1,\dots,n\}$: the projections $\Pi_{D_i}$ of both sequences are equal (by anti-symmetry of the prefix relation).
Theorem 32
Given systems $A, C$, set $\mathit{Ext} \subseteq E_A \cap E_C$, and independence relation $I \subseteq \mathit{Ext} \times \mathit{Ext}$. For each dependence collection $D_i$, $i \in \{1,\dots,n\}$, of $I$ and corresponding $\Omega \stackrel{\mathrm{def}}{=} (O_1, O_2, \dots, O_n)$ with observers $O_i \stackrel{\mathrm{def}}{=} (\mathit{taken} \in D_i, \{\mathit{taken}\})$ we have: $C\ \mathrm{ref}^I_{Ext}\ A$ iff $C\ \mathrm{ref}_\Omega\ A$.
The proof of this theorem is based on Theorems 22 and 28.
Proof: Assume we are given systems $A, C$, a dependence collection $D_i$, $i \in \{1,\dots,n\}$, of independence relation $I$ and the corresponding $\Omega \stackrel{\mathrm{def}}{=} (O_1, O_2, \dots, O_n)$. $C\ \mathrm{ref}^I_{Ext}\ A$ iff for every computation of $C$ there is a computation of $A$ such that $\forall i \in \{1,\dots,n\}$: $\Pi_{D_i}(\mathrm{beh}_{Ext})$ of both computations are equal (by Theorem 28) iff for every computation of $C$ there is a computation of $A$ such that $\forall i \in \{1,\dots,n\}$: their observable behaviors $\mathrm{beh}_{D_i}$ are equivalent (by the definition of $\mathrm{beh}_{Ext}$ and $D_i \subseteq \mathit{Ext}$) iff for every computation of $C$ there is a computation of $A$ such that $\forall i \in \{1,\dots,n\}$: their observable behaviors $\mathrm{beh}_{O_i}$ are equivalent (by Theorem 22) iff for every computation of $C$ there is a computation of $A$ such that $\forall i \in \{1,\dots,n\}$: the two computations are equivalent w.r.t. $O_i$ (by the definition of $=_{O_i}$) iff $C\ \mathrm{ref}_\Omega\ A$.
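As an added illustration (not code from the paper), the following Python computes the permutation closure $\Gamma_I$ of finite event sequences by adjacent swaps of independent events (Definition 23a), checks the same equivalence via projections onto a dependence collection (Theorem 29, Definition 27), and decides partial order refinement $C\ \mathrm{ref}^I_{Ext}\ A$ on the constructed behaviors of Example 25. The event names, the particular dependence collection (one set per dependent pair plus singletons) and all function names are assumptions of this example.

```python
from collections import deque
from itertools import permutations

def independence(pairs):
    """Symmetric, irreflexive independence relation I from unordered pairs."""
    return {(e, f) for e, f in pairs if e != f} | {(f, e) for e, f in pairs if e != f}

def permutation_closure(seq, indep):
    """Gamma_I({seq}): every sequence reachable by repeatedly swapping two
    adjacent independent events (Def. 23a, reflexive-transitive closure)."""
    seen = {tuple(seq)}
    todo = deque(seen)
    while todo:
        s = todo.popleft()
        for i in range(1, len(s)):
            if (s[i - 1], s[i]) in indep:
                t = s[:i - 1] + (s[i], s[i - 1]) + s[i + 1:]
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return seen

def dependence_collection(events, indep):
    """One admissible dependence collection (Def. 27, constructed choice):
    a singleton per event plus one set per dependent pair, so D = U D_i x D_i."""
    return [frozenset([e]) for e in events] + [frozenset([e, f])
            for e in events for f in events if e < f and (e, f) not in indep]

def project(seq, dset):
    """Pi_D: keep only the events of seq that lie in dset, order preserved."""
    return tuple(e for e in seq if e in dset)

def equivalent_by_projection(s, t, coll):
    """Theorem 29: s and t are permutation equivalent iff all D_i projections agree."""
    return all(project(s, d) == project(t, d) for d in coll)

def theorem29_holds(seq, events, indep):
    """Cross-check both characterisations on every reordering of seq."""
    closure = permutation_closure(seq, indep)
    coll = dependence_collection(events, indep)
    return all((p in closure) == equivalent_by_projection(seq, p, coll)
               for p in set(permutations(seq)))

def refines(beh_c, beh_a, indep):
    """Def. 24: C ref^I_Ext A iff Gamma_I(beh_Ext(C)) is a subset of
    Gamma_I(beh_Ext(A)); A may have fewer traces than C (Example 25)."""
    def gamma(beh):
        return set().union(*(permutation_closure(s, indep) for s in beh))
    return gamma(beh_c) <= gamma(beh_a)
```

theorem29_holds enumerates all reorderings of the sample sequence, so it is meant for short sequences only; with an empty independence relation refines reduces to plain trace refinement (Definition 20).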