We describe the COMPASS Modelling Language (CML), which is used to model large-scale Systems of Systems and the contracts that bind them together. The language can be used to document the interfaces to constituent systems using formal, precise, and verifiable specifications including preconditions, postconditions, and invariants. The semantics of CML directly supports the use of these contracts for all language constructs, including the use of communication channels, parallel processes, and processes that run forever. Every process construct in CML has an associated contract, allowing clients and suppliers to check that the implementations of constituent systems conform to their interface specifications.


Model Checker Atomic Step Galois Connection Hoare Logic Constituent System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Andrews, Z., Fitzgerald, J., Payne, R., Romanovsky, A.: Fault Modelling for Systems of Systems. In: Proceedings of the 11th International Symposium on Autonomous Decentralised Systems (ISADS 2013), pp. 59–66 (March 2013)Google Scholar
  2. 2.
    Beg, A., Butterfield, A.: Linking a state-rich process algebra to a state-free algebra to verify software/hardware implementation. In: FIT 2010, 8th Intl Conf. on Frontiers of Information Technology, Islamabad, p. 47. ACM (2010)Google Scholar
  3. 3.
    Ben-Ari, M., Manna, Z., Pnueli, A.: The temporal logic of branching time. In: White, J., Lipton, R.J., Goldberg, P.C. (eds.) 8th Ann. ACM Symp. on Principles of Programming Languages, Williamsburg, pp. 164–176. ACM Press (1981)Google Scholar
  4. 4.
    Bryans, J., Fitzgerald, J., Payne, R., Kristensen, K.: Maintaining emergence in systems of systems integration: a contractual approach using SysML. In: INCOSE International Symposium (to appear, 2014)Google Scholar
  5. 5.
    Bryans, J., Fitzgerald, J., Payne, R., Miyazawa, A., Kristensen, K.: SysML Contracts for Systems of Systems. In: 9th Intl Conf. on Systems of Systems Engineering (SoSE). IEEE (June 2014)Google Scholar
  6. 6.
    Butler, M., Yadav, D.: An incremental development of the Mondex system in Event-B. Formal Asp. Comput. 20(1), 61–77 (2008)CrossRefGoogle Scholar
  7. 7.
    Cavalcanti, A., Sampaio, A., Woodcock, J.: Unifying classes and processes. Software and System Modeling 4(3), 277–296 (2005)CrossRefGoogle Scholar
  8. 8.
    Cavalcanti, A., Wellings, A., Woodcock, J.: The Safety-Critical Java memory model: A formal account. In: Butler, M., Schulte, W. (eds.) FM 2011. LNCS, vol. 6664, pp. 246–261. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Cavalcanti, A., Wellings, A.J., Woodcock, J.: The Safety-Critical Java memory model formalised. Formal Asp. Comput. 25(1), 37–57 (2013)MathSciNetCrossRefMATHGoogle Scholar
  10. 10.
    Cavalcanti, A., Wellings, A.J., Woodcock, J., Wei, K., Zeyda, F.: Safety-critical Java in Circus. In: Wellings, A.J., Ravn, A.P. (eds.) The 9th Intl Workshop on Java Technologies for Real-time and Embedded Systems, JTRES 2011, York, pp. 20–29. ACM (2011)Google Scholar
  11. 11.
    Cavalcanti, A., Woodcock, J.: A tutorial introduction to CSP in Unifying Theories of Programming. In: Cavalcanti, A., Sampaio, A., Woodcock, J. (eds.) PSSE 2004. LNCS, vol. 3167, pp. 220–268. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Couto, L., Foster, S., Payne, R.: Towards verification of constituent systems through automated proof. In: Proc. Workshop on Engineering Dependable Systems of Systems (EDSoS). ACM CoRR (2014)Google Scholar
  13. 13.
    Davey, B.A., Priestley, H.A.: Introduction to Lattices and Order, 2nd edn. Cambridge University Press (2002)Google Scholar
  14. 14.
    Dawes, J.: The VDM-SL Reference Guide. Pitman (1991) ISBN 0-273-03151-1Google Scholar
  15. 15.
    de Boer, F.S., Hannemann, U., de Roever, W.-P.: Hoare-style compositional proof systems for reactive shared variable concurrency. In: Ramesh, S., Sivakumar, G. (eds.) FST TCS 1997. LNCS, vol. 1346, pp. 267–283. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  16. 16.
    Fitzgerald, J., Larsen, P.G., Mukherjee, P., Plat, N., Verhoef, M.: Validated Designs for Object-oriented Systems. Springer (2005)Google Scholar
  17. 17.
    Fitzgerald, J., Larsen, P.G., Woodcock, J.: Foundations for Model-based Engineering of Systems of Systems. In: Aiguier, M., et al. (eds.) Complex Systems Design and Management, pp. 1–19. Springer (January 2014)Google Scholar
  18. 18.
    Foster, S., Zeyda, F., Woodcock, J.: Isabelle/UTP: A mechanised theory engineering framework. In: 5th International Symposium on Unifying Theories of Programming (to appear, 2014)Google Scholar
  19. 19.
    Freitas, L., Woodcock, J.: Mechanising Mondex with Z/Eves. Formal Asp. Comput. 20(1), 117–139 (2008)CrossRefGoogle Scholar
  20. 20.
    George, C., Haxthausen, A.E.: Specification, proof, and model checking of the Mondex electronic purse using RAISE. Formal Asp. Comput. 20(1), 101–116 (2008)CrossRefGoogle Scholar
  21. 21.
    Gibson-Robinson, T., Armstrong, P., Boulgakov, A., Roscoe, A.W.: FDR3 — A modern refinement checker for CSP. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 187–201. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  22. 22.
    Haneberg, D., Schellhorn, G., Grandy, H., Reif, W.: Verification of Mondex electronic purses with KIV: from transactions to a security protocol. Formal Asp. Comput. 20(1), 41–59 (2008)CrossRefGoogle Scholar
  23. 23.
    Hehner, E.C.R.: Retrospective and prospective for Unifying Theories of Programming. In: Dunne, S., Stoddart, B. (eds.) UTP 2006. LNCS, vol. 4010, pp. 1–17. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  24. 24.
    Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall (1985)Google Scholar
  25. 25.
    Hoare, C.A.R., He, J.: Unifying Theories of Programming. Prentice Hall (1998)Google Scholar
  26. 26.
    ITSEC. Information Technology Security Evaluation Criteria (ITSEC): Preliminary harmonised criteria. Technical Report Document COM(90) 314, Version 1.2, Commission of the European Communities (1991)Google Scholar
  27. 27.
    Jones, C.B.: Specification and design of (parallel) programs. In: IFIP Congress, pp. 321–332 (1983)Google Scholar
  28. 28.
    Jones, C.B.: Systematic Software Development using VDM, 2nd edn. Prentice Hall International (1990)Google Scholar
  29. 29.
    Kopetz, H.: System-of-Systems complexity. In: Proc. 1st Workshop on Advances in Systems of Systems, pp. 35–39 (2013)Google Scholar
  30. 30.
    Kuhlmann, M., Gogolla, M.: Modeling and validating Mondex scenarios described in UML and OCL with USE. Formal Asp. Comput. 20(1), 79–100 (2008)CrossRefGoogle Scholar
  31. 31.
    Liu, Y., Sun, J., Dong, J.S.: PAT 3: An extensible architecture for building multi-domain model checkers. In: Dohi, T., Cukic, B. (eds.) IEEE 22nd Intl Symp. on Software Reliability Engineering, ISSRE 2011, Hiroshima, pp. 190–199. IEEE (2011)Google Scholar
  32. 32.
    Lowe, G.: Specification of communicating processes: temporal logic versus refusals-based refinement. Formal Asp. Comput. 20(3), 277–294 (2008)CrossRefMATHGoogle Scholar
  33. 33.
    Meyer, B.: Applying ”design by contract”. IEEE Computer 25(10), 40–51 (1992)CrossRefGoogle Scholar
  34. 34.
    Mota, A., Farias, A., Didier, A., Woodcock, J.: Rapid prototyping of a semantically well founded Circus model checker. In: Giannakopoulou, D., Salaün, G. (eds.) SEFM 2014. LNCS, vol. 8702, pp. 235–249. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  35. 35.
    Oliveira, M., Cavalcanti, A., Woodcock, J.: A denotational semantics for Circus. Electr. Notes Theor. Comput. Sci. 187, 107–123 (2007)CrossRefGoogle Scholar
  36. 36.
    Oliveira, M., Cavalcanti, A., Woodcock, J.: A UTP semantics for Circus. Formal Asp. Comput. 21(1-2), 3–32 (2009)CrossRefMATHGoogle Scholar
  37. 37.
    Oliveira, M., Gurgel, A.C., Castro, C.G.: CRefine: Support for the Circus refinement calculus. In: 6th Intl. Conf. on Software Engineering and Formal Methods (SEFM 2008), pp. 281–290. IEEE Computer Society (November 2008)Google Scholar
  38. 38.
    Parnas, D.L.: Really rethinking ‘formal methods’. IEEE Computer 43(1), 28–34 (2010)CrossRefGoogle Scholar
  39. 39.
    Perna, J.I., Woodcock, J.: Mechanised wire-wise verification of Handel-C synthesis. Sci. Comput. Program. 77(4), 424–443 (2012)CrossRefMATHGoogle Scholar
  40. 40.
    Perna, J.I., Woodcock, J., Sampaio, A., Iyoda, J.: Correct hardware synthesis—an algebraic approach. Acta Inf. 48(7-8), 363–396 (2011)MathSciNetCrossRefMATHGoogle Scholar
  41. 41.
    Ramananandro, T.: Mondex, an electronic purse: specification and refinement checks with the Alloy model-finding method. Formal Asp. Comput. 20(1), 21–39 (2008)CrossRefGoogle Scholar
  42. 42.
    Roscoe, A.W.: The Theory and Practice of Concurrency. Prentice Hall International (1997)Google Scholar
  43. 43.
    Roscoe, A.W.: On the expressive power of CSP refinement. Formal Asp. Comput. 17(2), 93–112 (2005)CrossRefMATHGoogle Scholar
  44. 44.
    Woodcock, J., Cavalcanti, A.: The semantics of Circus. In: Bert, D., Bowen, J.P., Henson, M.C., Robinson, K. (eds.) ZB 2002. LNCS, vol. 2272, pp. 184–203. Springer, Heidelberg (2002)Google Scholar
  45. 45.
    Woodcock, J., Cavalcanti, A.: A tutorial introduction to designs in Unifying Theories of Programming. In: Boiten, E.A., Derrick, J., Smith, G. (eds.) IFM 2004. LNCS, vol. 2999, pp. 40–66. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  46. 46.
    Woodcock, J., Cavalcanti, A., Fitzgerald, J.S., Larsen, P.G., Miyazawa, A., Perry, S.: Features of CML: A formal modelling language for systems of systems. In: 7th Intl Conf. on Systems of Systems Engineering, SoSE 2012, Genova, pp. 445–450. IEEE (2012)Google Scholar
  47. 47.
    Woodcock, J., Davies, J.: Using Z: Specification, Refinement, and Proof. Prentice-Hall, Inc. (1996)Google Scholar
  48. 48.
    Woodcock, J., Stepney, S., Cooper, D., Clark, J.A., Jacob, J.: The certification of the Mondex electronic purse to ITSEC Level E6. Formal Asp. Comput. 20(1), 5–19 (2008)CrossRefGoogle Scholar
  49. 49.
    Zhan, N., Kang, E.Y., Liu, Z.: Component publications and compositions. In: Butterfield, A. (ed.) UTP 2008. LNCS, vol. 5713, pp. 238–257. Springer, Heidelberg (2010)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Jim Woodcock
    • 1
  • Ana Cavalcanti
    • 1
  • John Fitzgerald
    • 2
  • Simon Foster
    • 1
  • Peter Gorm Larsen
    • 3
  1. 1.University of YorkUK
  2. 2.Newcastle UniversityUK
  3. 3.Aarhus UniversityDenmark

Personalised recommendations