VDM meets LCF: Domain-Theoretic and Topological Aspects of VDM

We discuss the domain-theoretic and topological content of the operator calculus used in the Irish School of the Vienna Development Method (VDM♣) of formal systems development. Thus, we examine the Scott continuity, or otherwise, of the basic operators used in this calculus when viewed as operators on the domain (X → Y ) of partial functions mapping X into Y. It turns out that the override, one of the more important of the basic operators, is not Scott continuous, and in order to overcome this problem we introduce another topology, which we call here the strong Cantor topology, by means of the topological tool of convergence classes. Indeed, the strong Cantor topology is the smallest topology which refines the Scott and Lawson topologies and is such that, with respect to it, all the basic operators we consider are continuous. Furthermore, we examine the role of the strong Cantor topology in relation to indexed monoids, both with and without units, and display them as topological monoids in the strong Cantor topology. The totality of our results gives considerable support to the view that the strong Cantor topology is the topology of formal methods.


Introduction
The Vienna Development Method (VDM) of formal specification of software systems was originally developed by IBM at its research laboratories in Vienna with the aim of specifying the formal semantics of programming languages (initially PL1). Over time, VDM has evolved into much more than simply a means of formal specification. Indeed, it has become a powerful, well-known and sophisticated development method starting with the formal specification of the system requirements and ending, after a sequence of refinement steps, with the implemented program code. Each of these refinement steps has, associated with it, a number of proof obligations which ensure that, at each step, system requirements are met.
During its evolution, VDM has acquired a number of variants or flavours associated with certain schools, each of which has been responsible for developing the characteristics which define that flavour. One such is the Irish School of the VDM, signified appropriately by VDM♣ and developed by Mac an Airchinnigh and his collaborators, see [Mac90] and [Hug01] for example. As in the case of VDM, VDM♣ is model oriented and employs preconditions in defining the operations which are allowed on the system states. Where VDM♣ differs from VDM is that it does not employ postconditions and the consequent demonstration of their satisfaction by use of formal logic. Instead, operations are explicitly constructed and proof obligation (of system invariant) is carried out constructively. Therefore, the emphasis in VDM♣ is on constructive mathematics in contrast to the use of formal logic, and, in order to facilitate constructive proof, an extensive calculus has been developed in VDM♣ to handle a number of operators defined on spaces of partial functions. Such a calculus has, of course, the aim of reducing complicated calculations to routine symbol manipulation, especially those calculations concerned with things like domain restriction and removal, extension of functions and, in particular, override of functions (which is an important tool in modelling the process of updating records, file systems etc.).
On the other hand, spaces of partial functions, and operators defined on them, arise as particularly important examples of domains in Scott's well-established, and extensive, Logic for Computable Functions (LCF) which formalizes an abstract model of computability, see the reference [Sco82] and many related papers. The concern of LCF is denotational semantics, domain theory, functional programming and machine assisted proof and, in view of this last named subject, may be viewed as a formal method, see [Pau87]. Thus, although their aims are rather different, it is of interest to contrast VDM♣ and LCF to the extent of investigating the operators which arise within VDM♣ from the point of view of LCF, and specifically to determine their computability, or otherwise, in terms of Scott-continuity, and it is the purpose of this article to sketch some of the initial steps needed in carrying out this process. Thus, we intend to consider the basic operators arising in VDM♣ when viewed as operators on the domain (X → Y ) of partial functions mapping X to Y , and to discuss their continuity in relation to the Scott topology.
However, it turns out that one of the more important operators, the override, is not Scott continuous, and this fact necessitates the introduction of other topologies, related to the Scott topology, to describe its behaviour; specifically, we introduce a topology for this purpose which we call herein the strong Cantor topology. This topology has many interesting properties and provides a foundation for the treatment of spaces of partial functions somewhat akin to the analysis of function spaces found in other parts of mathematics. Perhaps the easiest way to introduce this topology is via the notion, familiar in topology, of convergence classes of nets, from which one ultimately extracts the required topology. This approach has the advantage that one immediately builds in at the start the appropriate convergence one expects to need, and this is the way we proceed in this paper. Indeed, this strategy of using families of nets or filters to generate topologies has applications elsewhere in defining topologies of relevance in computer science. In making this comment, we have in mind a number of ongoing lines of research, including the following which we describe briefly. First, the use of convergence classes in defining topologies on spaces of truth values and on spaces of interpretations in the context of logic programming semantics, see [Sed02] for related work. Second, we have in mind the notion of "convergence space" (defined explicitly in terms of classes of filters) and its role in building formal models of hybrid systems, see [BR01]. Third, it remains to be determined whether or not the methods introduced here extend to other VDM dialects and to languages, such as RAISE and VVSL, based on VDM and defined formally using denotational and axiomatic semantics, and we thank an anonymous referee for suggesting this line of investigation. Finally, noting that "constructive" and "computable" are closely related concepts, and that "computable" and "continuous" are also closely related, it should be of interest to investigate the constructive content of convergence classes. To that extent, the present paper takes a first step towards examining the possibility of constructive topology within VDM♣ and in M♣C in the spirit of [Mac01], and this goal may be viewed as the secondary purpose of the paper. The ultimate objective implied by this comment is to contribute an appropriate notion of computability within the topos-theoretic framework of [Mac01], and further observations on this point are made in Section 7.
The overall structure of the paper is as follows. In Section 2, we introduce the necessary background material to support the main developments. In Section 3, we discuss convergence classes in readiness to make them available for use later on. In Section 4, we consider the basic operators used in VDM♣ in relation to the Scott topology. In Section 5 we introduce the strong Cantor topology and its basic properties, including the fact that all the basic operators are continuous relative to it. In Section 6, we discuss indexed monoids in relation to the strong Cantor topology, and in Section 7 we present briefly our conclusions. The first three sections of this paper constitute an extended abstract of the paper [HHS02], and we present just enough of this material to give a meaningful account of our results. Therefore, we refer the reader to [HHS02] for the proofs of all of the results which are stated here without proof. On the other hand, the results in Section 6 are new and we present complete proofs of them.

Preliminaries
By the term monoid we mean a non-empty set M endowed with a closed and associative binary operation *, called the law of composition or multiplication, which possesses an identity element u for the composition. There are several monoids of interest in VDM♣, and two such examples of particular importance are (P(X), ∪, ∅) and (P(X), ∩, X). In both these examples, P(X) denotes the set of all subsets of a set X. In the first, the law of composition is the union of sets and the identity is the empty set; in the second the law of composition is the intersection of sets and the identity is the whole set X. We say that a monoid (M, *, u) is a topological monoid if M is a topological space and the law of composition * is a continuous function on M × M , where M × M is endowed with the usual product topology determined by the topology on M .
We shall use the term domain (or Scott domain) with the meaning employed in [SLG94], which is our general reference to this subject. Thus, a domain (D, , ⊥), or simply D when no confusion is caused, is a consistently complete algebraic complete partial order. We let D c denote the set of compact elements of D, and, given x ∈ D, we let approx(x) denote the set {a ∈ D c ; a x}. Of course, approx(x) is directed and x = sup approx(x) for each x ∈ D, where in general sup A denotes the supremum of the directed set A. Any complete partial order (cpo), and hence any domain, may be endowed with the well-known Scott topology, see [GHKLMS80, SLG94], in which a set O is open if and only if it satisfies: (i) whenever x ∈ O and x y, then y ∈ O, and (ii) whenever A is directed and sup A ∈ O, then A ∩ O ≠ ∅. In the case of a domain, this topology has a rather simple description in that the collection {↑ a; a ∈ D c } is a basis for the Scott topology, where ↑ x = {y ∈ D; x y} for any x ∈ D. We remind the reader of the well-known connection between topological continuity and order-theoretic continuity as given by the following result: a function f : D → E between domains D and E is continuous with respect to the Scott topologies on D and E if and only if it satisfies the property that whenever A ⊆ D is directed, we have that f
Apart from being the carrier set of a monoid, the power set P(X) of a non-empty set X is a domain, when ordered by set inclusion, and its compact elements are the finite sets. It therefore may be endowed with the Scott topology. In fact, it is sometimes useful to identify P(X) with the set of all total functions from X to 2, by means of the characteristic functions of subsets of X, or with the product Π i∈X 2 i of X copies of 2, where 2 denotes the two-element set {0, 1} and 2 i = 2 for each i ∈ X. If we think of {0, 1} as the truth-value poset, ordered as usual in classical logic by requiring 0 < 1, then the resulting Scott topology on {0, 1} has as open sets ∅, {1} and {0, 1}. The (Tychonoff) product topology on Π i∈X 2 i , when 2 is endowed with the Scott topology, results in the Scott topology on Π i∈X 2 i and hence on P(X). On the other hand, we may endow 2 with the discrete topology in which all subsets of {0, 1} are open. In this case, we will call the resulting topology on Π i∈X 2 i , and hence on P(X), a Cantor topology since Π i∈X 2 i is homeomorphic to the Cantor set in the real line whenever X is denumerable. This topology also has significance in computing for a number of reasons. First, the Cantor set plays an important role in domain theory in examples of sets of maximal elements and in relation to universal domains, see [SLG94]. Second, it coincides with the Lawson topology on P(X); this latter topology is the common refinement of the Scott topology and the lower topology and is discussed in detail in [GHKLMS80]. More recently, the Cantor topology was studied extensively in [Sed95] in the context of negation in logic programming semantics (where Scott continuity does not hold in general), and it was shown in [HS99] to be highly satisfactory in that context in handling questions concerned with termination and verification. In relation to the present work, the Cantor topology will be shown to be important in handling the override operator.
As already noted, we intend to approach topological issues here via convergence and, indeed, via convergence of nets. Our terminology, and much of our notation, in regard to nets in general will follow that of [Kel75, HHS02, Wil70]. Thus, if (x i ) i∈I , usually written just (x i ) for simplicity, is a net in a set X, then a property will be said to hold eventually with respect to (x i ) if it holds for all i ≥ i 0 for some element i 0 of the index set I. Nets may also be denoted by (x n ), so that the symbol n in this context does not necessarily refer to a natural number. Of course, topological (and order-theoretic) continuity of a function f : D → E between domains (indeed, between arbitrary topological spaces) is easily described in terms of nets as follows: f is continuous if and only if whenever x i → x we have that f (x i ) → f (x); in particular, this applies when the convergence involved is relative to the Scott topology, giving Scott continuity of f .
The following is a simple but useful characterization of net convergence in the Scott topology.
2.1 Proposition Let D be a domain. A net x i → x in the Scott topology on D if and only if for each a ∈ approx(x) there is an index i 0 such that a x i whenever i 0 ≤ i.
The following are useful technical facts in dealing with the two topologies we have been discussing when applied to the power set P(X) of a set X, see [Sed95]. In fact, they were derived in [Sed95] from considerations of the product topologies on Π i∈X 2 i , but the first is a simple application of Proposition 2.1 noting again that the compact elements of (P(X), ⊆) are the finite subsets of X. Actually, the conditions stated in the following result can be, and later on will be, viewed as defining conditions on convergence classes, see Section 3.

Proposition
(1) In the Scott topology on P(X), a net A i of sets converges to a set A if and only if every element of A is eventually an element of A i .
(2) In the Cantor topology on P(X), a net A i of sets converges to a set A if and only if every element of A is eventually an element of A i , and every element of X which is not in A is eventually not in A i .
It is now clear that, in the Scott topology on P(X), if A i converges to A and B ⊆ A, then A i converges to B also, so that limits of nets convergent in the Scott topology are highly non-unique. Thus, one is led to consider the greatest limit of A i , see [Sed95], which is the union of all the limits of A i . On the other hand, in the Cantor topology, limits are unique, and it is clear from Proposition 2.2 that the limit of a net A i which converges in the Cantor topology is the set {x ∈ X; x eventually belongs to A i }.

Proposition
In either the Scott topology or the Cantor topology on P(X), both (P(X), ∪, ∅) and (P(X), ∩, X) are topological monoids.

Proposition
The mapping comp : P(X) → P(X) determined by taking the complement of a set and defined by comp(S) = X \ S is continuous in the Cantor topology. Indeed, in the Cantor topology this mapping is a homeomorphism of P(X) onto itself and is an isomorphism between the topological monoids (P(X), ∪, ∅) and (P(X), ∩, X).
Proof Suppose S i converges to S in the Cantor topology on P(X), and suppose that x ∈ X \ S. Then x is not in S and therefore, by Proposition 2.2, x is eventually not in S i or, in other words, x is eventually in X \ S i . On the other hand, if x is not in X \ S, then x ∈ S. Therefore, x is eventually in S i and therefore is eventually not in X \ S i . Hence, X \ S i converges to X \ S, and comp is continuous as required.
Since comp is its own inverse, it follows that comp is a homeomorphism. Finally, the fact that comp is an isomorphism of monoids follows from De Morgan's laws.
Since comp is not even monotonic on the domain (P(X), ⊆), it is clearly not Scott continuous, and this has the consequence, as we see later, that the override operator is not Scott continuous.
To close this section, we make the following definition.

Definition
Let M be a topological monoid and let D be a domain which is also a topological space. Then M will be said to act on (the left of) D if there is a continuous function : M × D → D, usually written (m, x) → m x, with the following properties:

Convergence Classes
One of the standard ways of generating a topology on a set X is by specifying a collection of nets which are declared to "converge" in X subject to some obviously necessary conditions on the collection. It is this way of generating topologies which turns out to be most convenient for the discussion herein. It will be appropriate, therefore, to summarize the process and we closely follow [Kel75] and [HHS02] in this respect, but see also [Wil70].
Thus, let X be a set and suppose that C is a class of pairs (x n , s), where x n is a net in X and s ∈ X. We seek a topology on X such that (x n , s) ∈ C iff x n → s in this topology. It turns out that the requirement on C in order for this problem to be solvable is that it be a convergence class in the sense made precise below. To facilitate the description of this notion, we will say that x n converges (C) to s or that lim n x n ≡ s (C) iff (x n , s) ∈ C. In terms of this notation and nomenclature, the defining properties of a convergence class may be stated thus:
(a) (Constant nets) If x n is a net such that x n = s for all n, then (x n , s) ∈ C.
(b) (Convergence of subnets) If x n converges (C) to s, then so does every subnet of x n .
(c) (Non-convergence) If x n does not converge (C) to s, then there is a subnet of x n , no subnet of which converges (C) to s.
(d) (Iterated limits) Suppose that I is a directed set, and that J m is a directed set for each m ∈ I. Form the fibred product and suppose that x : I × I m∈I J m → X. Let F denote the product directed set 1 I × m∈I J m , and let r :
The main result concerning such convergence classes, see [Kel75, Chapter 2] and [HHS02], is that each convergence class C on X induces a closure operator on X which in turn induces a topology on X, in the usual way, in which the convergent nets are precisely the ones given in C.
Several examples of topologies familiar in computing can easily be specified in terms of convergence classes, and we briefly consider some examples of these next. In the following section, we introduce a topology by means of a convergence class which turns out to be satisfactory for handling the override operator, and indeed in handling all the other operators as well.

Example
(1) Take a set X and its power set P(X). Specify convergence of a net A i in P(X) to A by the requirement stated in (1) of Proposition 2.2 that each x ∈ A is eventually in A i . We obtain a convergence class which induces the Scott topology on P(X).
(2) More generally, take any domain D. Specify convergence of x i to x in D by the requirement stated in Proposition 2.1 that for each a ∈ approx(x) we eventually have a x i . We obtain a convergence class which induces the Scott topology on D.
(3) Again take a set X and its power set P(X). This time specify convergence of A i to A by the requirement stated in (2) of Proposition 2.2 that every element of A is eventually an element of A i , and every element of X which is not in A is eventually not in A i . We obtain a convergence class which induces the Cantor topology on P(X).

The Basic Operators in VDM♣
Let X and Y be sets, and let (X → Y ) denote the set of partial functions mapping X to Y . It is well-known that (X → Y ) is a domain when ordered by graph inclusion: µ ν if and only if graph(µ) ⊆ graph(ν), where graph(µ) = {(x, y) ∈ X × Y ; x ∈ dom(µ) and y = µ(x)}, and here and elsewhere dom(µ) denotes the domain of µ. Moreover, if A = {µ α ; α ∈ I} is a directed set of elements of (X → Y ), then the supremum of A is the partial function well-defined by the union of the graphs of the µ α , α ∈ I. Finally, the compact elements of (X → Y ) are the partial functions µ for which graph(µ) is a finite set. We shall always suppose that (X → Y ) is ordered in the way just described. In addition, in the sequel all subsets of topological spaces will be assumed to be endowed with the subspace topology unless stated to the contrary.
The operators which occur in VDM♣ are operators defined on (X → Y ), see [Mac90, Hug01] for full details. Here, we wish to study these operators from the domain-theoretic and topological point of view and, in particular, to determine the extent to which they are Scott continuous or otherwise. We work generally in formulating the results in terms of (continuous) actions of monoids on (X → Y ), and obtain the results relative to the usual operators in VDM♣ by fixing one or other of the arguments.
1 By a product directed set m∈I I m , we understand of course the pointwise ordering on the product m∈I I m of the directed sets I m ; thus, for elements f and g of m∈I I m , we have f ≤ g iff f (m) ≤ g(m) for each m ∈ I.

Theorem
The mapping (µ, ν) → µ ν is Scott continuous as a mapping on the set

The Glueing Operator, ∪
Let µ and ν be elements of (X → Y ) which coincide on the intersection of their domains. Then µ may be glued to ν to obtain the partial map µ ∪ ν ∈ (X → Y ) defined as follows:

Theorem
The mapping (µ, ν) → µ ∪ ν is Scott continuous as a mapping on the set on the intersection of their domains.

The Domain Restriction Operator, ¡
Given µ ∈ (X → Y ) and an element S of P(X), we define the restriction of µ by S to be the partial function in (X → Y ), denoted by ¡ S µ, which satisfies: (i) dom(¡ S µ) = S ∩ dom(µ), and (ii) ¡ S µ coincides with µ on S ∩ dom(µ).
4.3 Theorem Suppose that (X → Y ) is endowed with the Scott topology and that P(X) is endowed with either (1) the Scott topology, or (2) the Cantor topology. Then in either case, the mapping ¡ : P(X) × (X → Y ) → (X → Y ) defined by ¡(S, µ) = ¡ S µ determines an action of the topological monoid (P(X), ∩, X) on the domain (X → Y ).
Notice that either part of this result implies that if we fix the set S, then the map (X → Y ) → (X → Y ) defined by µ → ¡ S µ is Scott continuous, and it is this map which is normally understood in the context of domain restriction within VDM♣.
However, we note that for any S ∈ P(X) and any µ ∈ (X → Y ), we have the identity ¡ −(S, µ) = ¡(X \ S, µ) = ¡(comp(S), µ), so that ¡ − S µ = ¡ X\S µ. Since comp is an isomorphism of topological monoids by Proposition 2.4, it transforms the action of ¡ − into an action of ¡, and we immediately obtain from Theorem 4.3 the following result.
4.4 Theorem Suppose that P(X) is endowed with the Cantor topology and that (X → Y ) is endowed with the Scott topology. Then the mapping ¡ − : P(X) × (X → Y ) → (X → Y ) defined by ¡ − (S, µ) = ¡ − S µ determines an action of the topological monoid (P(X), ∪, ∅) on the domain (X → Y ). Thus, for any fixed S, the mapping (X → Y ) → (X → Y ) : µ → ¡ − S µ is Scott continuous, and it is this map which is normally understood in the context of domain removal within VDM♣. On the other hand, for any fixed µ, the mapping P(X) → (X → Y ): S → ¡ − (S, µ) is not continuous when P(X) and (X → Y ) both carry the Scott topology, as already noted, although it is when P(X) carries the Cantor topology.

The Override Operator, †
Given µ, ν ∈ (X → Y ), we define the partial map µ † ν ∈ (X → Y ), called the override of µ by ν, as follows: Thus, we obtain a mapping † : Fixing the second argument ν, the mapping µ → µ † ν can easily be seen to be Scott continuous. However, if we fix the first argument µ, and consider the mapping ν → µ † ν, it is easy to see that this mapping is not monotonic and hence is not Scott continuous. This has the consequence that † is not Scott continuous on (X → Y ) × (X → Y ). In fact, † does have certain continuity properties involving both the Cantor and Scott topologies which become apparent when one considers the canonical decomposition of µ † ν given below. Nevertheless, a proper treatment of override requires a topology which suitably refines both the Scott and Cantor topologies, and we intend to introduce a satisfactory candidate for this shortly.

Proposition
In the Scott topologies on (X → Y ) and on P(X), the mapping dom : (X → Y ) → P(X) defined by µ → dom(µ) is continuous. However, dom is not continuous if the Scott topology on P(X) is replaced by the Cantor topology, and this fact has significant bearing on subsequent developments since continuity of dom is a useful property to have available as we see in the next section. Indeed, in summary, the results above show that the Scott topology cannot be taken as a foundation for the study of all of the basic operators in VDM♣.

The Strong Cantor Topology
Using the operators we have introduced so far, we can represent µ † ν by means of the equality µ † ν = ¡ − dom(ν) µ ν. This representation allows us to canonically decompose µ † ν into a composite of three mappings, in the following way.
(1) The first of the factors is the mapping Up to a reordering of the components, this mapping is the product [dom, Id] × Id, where Id denotes the identity map.
(2) The second factor is the mapping , and is the product ¡ − ×Id.
(3) The third factor is the mapping µ ν and is the mapping .
Thus, any topology which makes each of the mappings above continuous, makes the override operator continuous. If we give (X → Y ) the Scott topology, then the first of these mappings is continuous provided P(X) carries the Scott topology by Proposition 4.5, but not if P(X) carries the Cantor topology. On the other hand, the second of the factors in the decomposition above is continuous if P(X) carries the Cantor topology by Theorem 4.4, but not if it carries the Scott topology. The way forward appears to be to provide (X → Y ) with a suitable topology which makes both dom and ¡ − continuous when P(X) carries the Cantor topology.
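The following Python check is an added illustration, not part of the original paper. It models partial functions on small constructed sets X and Y as dictionaries, verifies the decomposition of override into domain removal followed by glueing, confirms monotonicity in the first argument, and exhibits the failure of monotonicity (and hence of Scott continuity, via constant nets and Proposition 2.1) in the second argument. All function names are assumptions of the example.

```python
from itertools import product

# Partial functions X -> Y are modelled as dicts. The sets used in the checks
# are small constructed examples so every claim can be verified exhaustively.
_UNDEF = object()  # marks "x is not in the domain" while enumerating


def all_partial_functions(X, Y):
    """Every partial function from the finite set X into the finite set Y."""
    return [{x: v for x, v in zip(X, values) if v is not _UNDEF}
            for values in product([_UNDEF, *Y], repeat=len(X))]


def leq(mu, nu):
    """Graph-inclusion order: graph(mu) is a subset of graph(nu)."""
    return all(x in nu and nu[x] == y for x, y in mu.items())


def remove(S, mu):
    """Domain removal: delete every point of S from dom(mu)."""
    return {x: y for x, y in mu.items() if x not in S}


def glue(mu, nu):
    """Glueing: defined only when mu and nu agree on dom(mu) & dom(nu)."""
    clash = [x for x in mu.keys() & nu.keys() if mu[x] != nu[x]]
    if clash:
        raise ValueError(f"maps disagree on {sorted(clash)}")
    return {**mu, **nu}


def override(mu, nu):
    """Override of mu by nu: nu wins wherever it is defined."""
    return {**mu, **nu}


def override_decomposed(mu, nu):
    """Canonical decomposition: remove dom(nu) from mu, then glue nu on."""
    return glue(remove(set(nu), mu), nu)


def decomposition_holds(X, Y):
    pfs = all_partial_functions(X, Y)
    return all(override(m, n) == override_decomposed(m, n)
               for m in pfs for n in pfs)


def monotone_in_first_argument(X, Y):
    """mu1 below mu2 implies (mu1 override nu) below (mu2 override nu)."""
    pfs = all_partial_functions(X, Y)
    return all(leq(override(m1, n), override(m2, n))
               for n in pfs for m1 in pfs for m2 in pfs if leq(m1, m2))


def second_argument_counterexamples(X, Y):
    """Triples (mu, nu1, nu2) with nu1 below nu2 where monotonicity fails."""
    pfs = all_partial_functions(X, Y)
    return [(m, n1, n2) for m in pfs for n1 in pfs for n2 in pfs
            if leq(n1, n2) and not leq(override(m, n1), override(m, n2))]


def constant_net_breaks_continuity(mu, nu1, nu2):
    """By Proposition 2.1 the constant net at nu2 Scott-converges to every
    nu1 below nu2. Continuity of nu -> mu override nu would force the constant
    net at (mu override nu2) to converge to (mu override nu1), i.e. the
    latter to lie below the former. Returns True when that fails."""
    return leq(nu1, nu2) and not leq(override(mu, nu1), override(mu, nu2))


if __name__ == "__main__":
    X, Y = ("a", "b"), (0, 1)  # constructed sample sets
    print("decomposition holds:", decomposition_holds(X, Y))
    print("monotone in first argument:", monotone_in_first_argument(X, Y))
    print("one failure in second argument:",
          second_argument_counterexamples(X, Y)[0])
```

Every counterexample found has the same shape: µ is defined at some x, ν1 is undefined there, and ν2 assigns x a different value, so enlarging ν destroys information that µ † ν1 carried.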
To solve this problem, we define a topology by means of convergence classes as described in Section 3. Thus, let C denote the set of all pairs (µ i , µ), where µ i is a net in (X → Y ) and µ is an element of (X → Y ), which satisfy the following condition: (µ i , µ) ∈ C iff (i) whenever x ∈ dom(µ), eventually (x, µ(x)) ∈ graph(µ i ), and (ii) whenever x ∉ dom(µ), eventually x ∉ dom(µ i ).
Thus, µ i converges (C) to µ or lim i µ i ≡ µ (C) iff the conditions (i) and (ii) are satisfied.

Theorem
The condition µ i converges (C) to µ or lim i µ i ≡ µ (C) iff: (i) whenever x ∈ dom(µ), eventually (x, µ(x)) ∈ graph(µ i ), and (ii) whenever x ∉ dom(µ), eventually x ∉ dom(µ i ) determines a convergence class on (X → Y ).
This theorem results in a topology on (X → Y ) which we will refer to as the strong Cantor topology. Some of the basic properties of this topology are summarized in the following result, in which the term "Cantor topology on (X → Y )" means the subspace topology of the Cantor topology on P(X × Y ) induced by the identification of a partial function in (X → Y ) with its graph.

Proposition
The following facts hold:
(1) The strong Cantor topology is a refinement of the Cantor topology which in turn is a refinement of the Scott topology.
(2) The set (X → Y ) is closed in P(X × Y ) in each of the three topologies on P(X × Y ) under discussion.
(3) The space (X → Y ) is compact and T 0 in the Scott topology.
(4) The space (X → Y ) is compact Hausdorff in the Cantor topology.
(5) The space (X → Y ) is Hausdorff in the strong Cantor topology and is compact iff the Cantor and strong Cantor topologies coincide.
(6) In general, the Cantor and strong Cantor topologies do not coincide, and therefore the strong Cantor topology is not generally compact.
(7) The strong Cantor topology is not trivial, that is, it is not the discrete topology.
(8) The space Y X of all total functions mapping X into Y is not a closed subset of (X → Y ) in the Scott and Cantor topologies, but is closed in the strong Cantor topology. In each of the three topologies in question, the induced topology on Y X is not trivial, that is, is not discrete.
(9) The strong Cantor and Cantor topologies coincide on the set Y X of all total functions in (X → Y ).
Notice that (9) of Proposition 5.2 applies in particular when Y is the two-element set. Therefore, the strong Cantor and Cantor topologies coincide on the power set P(X). We will, however, persist in what follows in referring to the Cantor topology on P(X), rather than using the all-embracing term "strong Cantor topology".

Proposition
If µ i converges to µ in the strong Cantor topology, then dom(µ i ) converges to dom(µ) in the Cantor topology on P(X). Hence, the map dom is continuous when (X → Y ) is endowed with the strong Cantor topology and P(X) is endowed with the Cantor topology.

Remark
The results in (6) and (8) of Proposition 5.2 actually show that the function dom is not continuous when (X → Y ) and P(X) both have the Cantor topologies, so that the Cantor topology on (X → Y ) is not a satisfactory topology for our purposes. Since the Lawson topology on P(X × Y ) coincides with the Cantor topology, the Lawson topology is also not satisfactory in this context, see [HHS02] for more details of these points.
Despite the non-compactness of the strong Cantor topology in general, the following result shows that it is in many ways the best possible choice of topology to impose on (X → Y ).

Proposition
The strong Cantor topology is the smallest topology on (X → Y ) which refines both the Scott topology and the Lawson topology and in which the function dom is continuous when P(X) is endowed with the Cantor (or Lawson) topology.
We are now in a position to provide a uniform treatment in terms of the strong Cantor topology of all of the basic operators in VDM♣, including the override operator, as follows.

Theorem The mapping
) is endowed with either: (i) the strong Cantor topology, or (ii) the Cantor topology.
Proof Since this result was not included in [HHS02], we include it and its proof here for the sake of completeness and also because our present thrust is directed at treating all the basic operators in VDM♣. In fact, we prove the first of the two claims made in the theorem and leave the other to the reader.
We begin by showing that ( suppose that µ i and ν i coincide on the intersection of their domains for each index i, and suppose that µ i → µ and ν i → ν in the strong Cantor topology. Let x ∈ dom(µ) ∩ dom(ν). By the convergence µ i → µ and ν i → ν, we eventually have (x, µ(x)) ∈ graph(µ i ) and (x, ν(x)) ∈ graph(ν i ), and these statements hold simultaneously beyond some index i 0 , say. But then we eventually have x ∈ dom(µ i ) ∩ dom(ν i ), and we obtain µ(x) = µ i (x) = ν i (x) = ν(x), and so µ(x) = ν(x), as required. Now suppose that (µ i , ν A similar argument holds if x ∈ dom(ν). On the other hand, if x ∉ dom(µ ∪ ν), then it is clear that eventually x ∉ dom(µ i ∪ ν i ), as required.

Theorem
The mapping ¡ : P(X) × (X → Y ) → (X → Y ) defined by ¡(S, µ) = ¡ S µ is continuous when P(X) is endowed with the Cantor topology and (X → Y ) is endowed with either: (i) the strong Cantor topology, or (ii) the Cantor topology.
Bearing in mind our earlier comments about comp transforming the action of ¡ − into one of ¡ and vice versa, we immediately obtain from Theorem 5.8 the following result.
Recalling the canonical decomposition of the override operator and using the results just established we now obtain the following result.

Indexed Monoids
In this section, we show how the results above apply to indexed monoids. In fact, we show how they apply both to indexed structures without units and to indexed structures with units, and both are central in the use of the operator calculus of VDM♣ in system specification. In our own development, we follow that of [Hug01] quite closely as far as the algebra is concerned, augmenting this with the topological results we establish here. We begin with indexed structures without units.

Indexed Structures without Units
Let (M, * , u) be an arbitrary monoid with identity or unit u, let X be a set and, as usual, let M X denote the space of total functions mapping X into M . Then, as is easily checked, the multiplication * on M induces a monoid structure (M X , * , u X ) on M X in which the multiplication is defined pointwise, and still denoted by * without causing confusion, and the identity u X for M X is the constant map on X with value u. Indeed, (M X , * , u X ) is called the direct power monoid over X with base monoid M . Now let M denote the set M \ {u}, and form the set (X → M ) of partial functions mapping X into M . There are two important mappings which connect (X → M ) with M X as follows. The first of these is the totalizing map t : (X → M ) → M X defined by t(µ) = u X † µ, and the second is the priming map p : M X → (X → M ), where p(f ) = f is the partial map f obtained by the removal from the total map f of the set S of all those x ∈ X such that f (x) = u. In fact, both of these mappings are bijections and each is the inverse of the other. Moreover, (X → M ) is a monoid with a recursively defined multiplication * which satisfies the relation µ * ν = p(t(µ) * t(ν)) and has the empty partial map θ as identity. The relation just given makes it easy to derive all the basic properties of * avoiding its recursive definition by using instead t, p and the properties of * , as shown in [Hug01]. Furthermore, the mappings t and p are monoid isomorphisms between the direct power monoid M X and the indexed monoid without units (X → M ).
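The construction just described can be checked mechanically on a finite model. The following is an added example, not code from the paper or from [Hug01]: it assumes a three-element index set X and the base monoid (Z, +, 0), represents partial maps as dictionaries, and all function names are hypothetical.

```python
# Added illustration (not from the paper): finite model of the indexed monoid
# without units. Assumptions: X is a small finite set and the base monoid is
# (Z, +, 0); partial maps are dicts whose values are never the unit.
from itertools import product

X = ("a", "b", "c")   # constructed index set
U = 0                 # unit u of the base monoid (Z, +, 0)

def star_base(m, n):
    """Multiplication * of the base monoid M."""
    return m + n

def override(mu, nu):
    """Override mu † nu: nu wins wherever it is defined."""
    return {**mu, **nu}

def totalize(mu):
    """t(mu) = u^X † mu, where u^X is the constant map with value u."""
    return override({x: U for x in X}, mu)

def prime(f):
    """p(f): remove from the total map f every x with f(x) = u."""
    return {x: v for x, v in f.items() if v != U}

def star_total(f, g):
    """Pointwise multiplication on the direct power monoid M^X."""
    return {x: star_base(f[x], g[x]) for x in X}

def star_indexed(mu, nu):
    """mu * nu = p(t(mu) * t(nu)) on partial maps into M minus {u}."""
    return prime(star_total(totalize(mu), totalize(nu)))

def sample_partial_maps(values=(-1, 1, 2)):
    """All partial maps from X into values (values exclude the unit)."""
    choices = [(None,) + tuple(values)] * len(X)
    return [{x: v for x, v in zip(X, row) if v is not None}
            for row in product(*choices)]

def check_laws():
    """p after t is the identity; theta is the unit; * is associative."""
    maps = sample_partial_maps()
    theta = {}
    inv = all(prime(totalize(m)) == m for m in maps)
    ident = all(star_indexed(theta, m) == m == star_indexed(m, theta) for m in maps)
    sample = maps[::7]
    assoc = all(star_indexed(star_indexed(a, b), c) == star_indexed(a, star_indexed(b, c))
                for a in sample for b in sample for c in sample)
    return inv and ident and assoc
```

With this base monoid, an index whose two values multiply to the unit drops out of the domain of the product, which is exactly the work done by p.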
We want to consider here the properties of all these constructions in relation to the strong Cantor topology. Thus, we give each of M X , (X → M ) and (X → M ) the strong Cantor topology, and in fact M X and (X → M ) are then subspaces of (X → M ).

Proposition The totalizing map
Proof Since the override operator † : (X → M )×(X → M ) → (X → M ) is continuous, by Theorem 5.10, and M X and (X → M ) are subspaces of (X → M ), the result follows by fixing the first factor of † at u X .

Proposition
The mapping p : M X × P(X) → (X → M ), (f, S) → ¡ S f , is continuous when M X and (X → M ) have the strong Cantor topology, and P(X) has the Cantor topology.
Proof By Theorem 5.8, the domain restriction operator restricts, up to interchange of the order of the components, to a continuous mapping M X × P(X) → (X → M ) which coincides with p.
There is a naturally defined section s : (X → M ) → M X × P(X) of the mapping p just considered, where s(µ) = (u X † µ, dom(µ)). Being a section of p means, of course, that p • s is the identity mapping on (X → M ).

Proposition
The section s is continuous when (X → M ) and M X are endowed with the strong Cantor topology, and P(X) is endowed with the Cantor topology.
Proof The map µ → u X † µ is continuous by Proposition 6.1, and the map µ → dom(µ) is continuous by Proposition 5.3. Hence, s is continuous by elementary universal properties of products.
The projection map p and the section s determine an endomap e = s • p of the product space M X × P(X) to itself which is continuous in the topologies under discussion. Indeed, noting that elements f of M X are total, so that dom(¡ S f ) = S, we see that e is the composite ( and so e is idempotent. Thus, e(e(f, S)) = (e • e)(f, S) = e(f, S) and so e(f, S) is a fixed point of e for each pair (f, S). Letting F = fix(e) denote the set of all fixed points of e, we note the following facts which are established in [Hug01], see also [LS97]:
2. F is equal to the image set of s and is also equal to the image set of e.
3. The restriction p| F of p to F is an inverse of the section s.
It follows immediately from Proposition 6.5 that (F, •, (u X , ∅)) is a topological submonoid of (M X × P(X), •, (u X , ∅)). Now (X → M ) is also a monoid (the indexed monoid with units) with operation * defined (recursively) by However, once again the operation * can be defined in terms of • using p| F and s, and it is shown in [Hug01] that we have the relationship µ * ν = p| F (s(µ) • s(ν)) connecting all these entities. Again, this allows one to avoid using the recursive definition of * and gives a simple proof of the monoidal properties of (X → M ) and * . Moreover, p| F and s are monoid isomorphisms and are also homeomorphisms. Therefore, we obtain the following corollary of this discussion.

Corollary
The indexed monoid with units ((X → M ), * , θ) is a topological monoid in the strong Cantor topology.
We finish with the following result.
6.9 Proposition The set F of all fixed points of e is a closed set in M X × P(X) when M X is endowed with the strong Cantor topology and P(X) is endowed with the Cantor topology.
Proof Let (f i , S i ) be a net in M X × P(X) converging to (f, S) in the product of the strong Cantor topology and the Cantor topology, and suppose that (f i , S i ) ∈ F for each index i. We must show that (f, S) ∈ F , and to do this we must show that f (x) = u for each x ∈ X \ S. So let x ∈ X \ S. Since S i → S in the Cantor topology, eventually we have x ∈ X \ S i . Therefore, eventually we have f i (x) = u. Since f i → f in the strong Cantor topology, we have that eventually (x, f (x)) ∈ graph(f i ). From this fact it follows that f (x) = u, as required.

Conclusions
This study shows that in relation to VDM ♣ , the Scott topology is not satisfactory: certain of the standard basic operators encountered in VDM ♣ are Scott continuous, but others are not. Overcoming this has necessitated the introduction of new topologies such as the strong Cantor topology, and in fact then all the basic operators considered here are continuous and we obtain a pleasing analysis. Indeed, all the standard constructions we have considered turn out automatically to be continuous and so the strong Cantor topology is "convenient" in the categorical sense. Furthermore, the strong Cantor topology is a refinement of the Scott topology, and is the smallest which works.
The algebra of formal methods as manifested through VDM ♣ now seems to be fairly well-worked out. We view the results presented here as strong evidence that the strong Cantor topology is perhaps the topology of formal methods, and that it may well contribute to the ongoing search for a geometry of formal methods.
Despite the previous remark, the question of effectiveness and computability remains to be settled. It seems possible that a suitable framework in which to do this is the topos-theoretic framework for VDM ♣ being investigated by Mac an Airchinnigh and by Hughes, see [Hug01, Mac01], and it should present an interesting line of investigation perhaps involving constructive topology.
Here, we have only investigated those basic operators in VDM ♣ which involve domain restriction and domain removal, and we have not considered those pertaining to range restriction and range removal at all. These questions will be treated elsewhere and, again, should prove interesting to settle.
and all x ∈ D. (iii) m a ∈ D c for all m ∈ M and all a ∈ D c . Given an action of M on D, fixing m ∈ M determines a continuous function x → m x of D to itself which preserves the compact elements. Similarly, fixing x ∈ D determines a continuous function m → m x from M to D.