The Z notation has been developed at the Programming Research Group
at the Oxford University Computing Laboratory and elsewhere for
over a decade. It is now used by industry as part of the software
(and hardware) development process in both Europe and the USA. It
is currently undergoing BSI standardisation in the UK, and has been
proposed for ISO standardisation internationally. In recent years
researchers have begun to focus increasingly on the development of
techniques and tools to encourage the wider application of Z and
other formal methods and notations. This volume contains papers
from the Seventh Annual Z User Meeting, held in London in December
1992. In contrast to previous years the meeting concentrated
specifically on industrial applications of Z, and a high proportion
of the participants came from an industrial background. The theme
is well represented by the four invited papers. Three of these
discuss ways in which formal methods are being introduced, and the
fourth presents an international survey of industrial applications.
It also provides a reminder of the improvements which are needed to
make these methods an accepted part of software development. In
addition the volume contains several submitted papers on the
industrial use of Z, two of which discuss the key area of
safety-critical applications. There are also a number of papers
related to the recently-completed ZIP project. The papers cover all
the main areas of the project including methods, tools, and the
development of a Z Standard, the first publicly-available version
of which was made available at the meeting. Finally the volume
contains a select Z bibliography, and a section on how to access
information on Z through comp.specification.z, the international,
computer-based USENET newsgroup. Z User Workshop, London 1992
provides an important overview of current research into industrial
applications of Z, and will provide invaluable reading for
researchers, postgraduate students and also potential industrial
users of Z.
In ordinary mathematics, an equation can be written down which is
syntactically correct, but for which no solution exists. For
example, consider the equation x = x + 1 defined over the real
numbers; there is no value of x which satisfies it. Similarly it is
possible to specify objects using the formal specification language
Z [3,4], which cannot possibly exist. Such specifications are
called inconsistent and can arise in a number of ways. Example 1
The following Z specification of a function f, from integers to
integers
$\forall x : \mathbb{Z} \mid x \geq 0 \bullet f\,x = x + 1$ (i)
$\forall x : \mathbb{Z} \mid x \geq 0 \bullet f\,x = x + 2$ (ii)
is inconsistent, because axiom (i) gives f 0 = 1, while
axiom (ii) gives f 0 = 2. This contradicts the fact that f was
declared as a function, that is, f must have a unique result when
applied to an argument. Hence no such f exists. Furthermore, if
f 0 = 1 and f 0 = 2 then 1 = 2 can be deduced! From 1 = 2 anything
can be deduced, thus showing the danger of an inconsistent
specification.
Note that all examples and proofs start with the word Example or
Proof and end with the symbol.1.
The approach described in [Jon81, Jon83a, Jon83b] set out to extend
operation decomposition methods for sequential programs - such as
are used in VDM [Jon90] - to cover concurrent shared-variable
systems. The essential step in [Jon81] was to recognise that
interference had to be specified. This is necessary in order to
achieve a notion of compositionality - contrast [Owi75]. Rather
than the many erudite definitions of compositionality (e.g.
[Zwi88]), the view taken here is that, when a development task is
decomposed into sub-tasks, these must be simpler than the original
task. This is easy to achieve for sequential programs: decomposing
a specified operation S into (S1; S2), the specifications of the
Sj should neither include unnecessary information from each other
nor from the context (i.e. S). An interesting discussion of the
'Quest for Compositionality' (in the context of concurrency) is
contained in [dR85, dR86]. The rely/guarantee idea provided an
existence proof that specifications and developments could be made
powerful enough to cope with some forms of interference. The work
initially attracted little attention but there have recently
been some critiques and attempts to extend the work. Most notably,
Ketil Stølen's thesis [Stø90] addresses the main shortcomings of
[Jon81]: the fact that no attempt had been made to handle
synchronization has been remedied by adding a wait condition and
other limitations of expressiveness have been shown to succumb to
the judicious use of auxiliary variables.