Reactive Systems: Modelling, Specification and Verification - Cs.ioc.ee
3.1. CRITERIA FOR A GOOD BEHAVIOURAL EQUIVALENCE 39

Figure 3.1: P R Q implies that C[P] R C[Q] (the picture places P and Q in the same context C, yielding C[P] and C[Q]).
refinement steps which are known to preserve some behavioural relation R. In this approach, we might begin from our specification Spec and transform it into our implementation Imp via a sequence of intermediate stages Spec_i (0 ≤ i ≤ n) thus:

Spec = Spec_0 R Spec_1 R Spec_2 R · · · R Spec_n = Imp.

Since each of the steps above preserves the relation R, we would like to conclude that Imp is a correct implementation of Spec with respect to R, that is, that

Spec R Imp

holds. This is guaranteed to be true if the relation R is transitive.

From the above discussion, it follows that a relation supporting implementation verification should at least be a preorder. The relations considered in the classic theory of CCS, and in the main body of this book, are also symmetric, and are therefore equivalence relations.

Another intuitively desirable property that an equivalence relation R that supports implementation verification should have is that it is a congruence. This means that process descriptions that are related by R can be used interchangeably as parts of a larger process description without affecting its overall behaviour. More precisely, if P R Q and C[ ] is a program fragment with ‘a hole’, then

C[P] R C[Q].

This is pictorially represented in Figure 3.1.

Finally, we expect our notion of relation supporting implementation verification to be based on the observable behaviour of processes, rather than on their structure, the actual name of their states or the number of transitions they afford. Ideally, we should like to identify two processes unless there is some sequence of ‘interactions’ that an ‘observer’ may have with them leading to different ‘outcomes’.