MACHINE Team SETS ANSWER={in, out} VARIABLES team INVARIANT team <: 1..22 & card(team)=11

16. MACHINE Team SETS ANSWER={in, out} VARIABLES team INVARIANT team <: 1..22 & card(team)=11 INITIALISATION team := 1..11 OPERATIONS substitute (pp, rr) = PRE pp : team & rr : 1..22 & not(rr:team) THEN team := (team \/{rr})-{pp} END ; aa <-- query(pp) = PRE pp : 1..22 IF pp : team THEN aa := in ELSE aa := out END END END

17. REFINEMENT TeamR REFINES Team VARIABLES teamr INVARIANT teamr <: 1..11 >-> 1..22 & ran(teamr)=team INITIALISATION teamr := %nn.(nn:1..11|nn) OPERATIONS substitute (pp, rr) = teamr(teamer~(pp)) := rr ; aa <-- query(pp) = IF pp : ran(teamr) THEN aa := in ELSE aa := out END END END

18. REFINEMENT TeamR REFINES Team VARIABLES teama INVARIANT teama : 1..22 --> ANSWER & team = teama~[{in}] INITIALISATION teama :=(1..11)*{in}\/(12..22)*{out} OPERATIONS substitute (pp, rr) = BEGIN teama(pp) := out; teama(rr) := in END ; aa <-- query(pp) = BEGIN aa := teama(pp) END END

19. MACHINE Exam SETS CANDIDATE VARIABLES marks INVARIANT marks : CANDIDATE +-> 1..100 INITIALISATION marks := {} OPERATIONS enter (cc, nn) = PRE cc : CANDIDATE & cc /: dom(marks)& nn : 1.. 100 THEN marks(cc) := nn END ; aa <-- average = PRE marks /= {} THEN aa:= SIGMA zz.(zz:dom(marks)|marks(zz)) / card(dom(marks)) END nn <-- number = nn := card(dom(marks)) END END

20. MACHINE ExamR REFINES Exam SETS CANDIDATE VARIABLES total, num INVARIANT num = card(dom(marks)) & total = SIGMA zz.(zz:dom(marks)|marks(zz)) INITIALISATION total := 0; num := 0; OPERATIONS enter (cc, nn) = BEGIN total := total + nn || num := num+1 END ; aa <-- average = aa := total / num ; nn <-- number = nn := num END END

28. Initialization in refinements • Abstract machine initialization T establishes the invariant I • Refinement machine initialization T1 establishes the linking invariant J • Every possible state that T1 can reach must match (via the linking invariant J) some possible state that T can reach.

29. NOT(J) means that J is false • [T]NOT(J) means that every transition of T guarantees that J is false • NOT([T]NOT(J)) means that not every transition of T guarantees that J is false • i.e., some transition of T guarantees that J is true

30. MACHINE Colours SETS COLOUR = {red. Green, blue} VARIABLES cols INVARIANT cols <: COLOUR INITIALISATION cols :: POW(COLOUR - {blue}) OPERATIONS add (cc) = PRE cc : COLOUR THEN cols := cols \/ {cc}; END ; cc <-- query = PRE cols /= {} THEN cc :: cols END ; change = cols :: (POW(COLOUR) - {cols}) END

31. REFINEMENT ColoursR REFINES Colours SETS COLOUR = {red. Green, blue} VARIABLES colour INVARIANT colour <: cols INITIALISATION colour :: COLOUR - {blue} OPERATIONS add (cc) = colour :: {colour, cc} ; cc <-- query = cc := colour ; change = colour :: COLOUR - {colour} END

32. T T {}, {red}, {green}, {red, green} T1 blue red green For T1 to be a refinement of T we require that NOT([T]NOT(J)) must be true for any state that T1 can reach! That is [T1]NOT([T]NOT(J))

33. For T1 to be a refinement of T we require that NOT([T]NOT(J)) must be true for any state that T1 can reach! That is [T1]NOT([T]NOT(J)) • Any transition T1 must reach a state in which some transition of T can establish the linking invariant J