A Refinement Approach for Proving Distributed Algorithms: Examples of Spanning Tree Problems ⋆ Mohamed Tounsi 1 , Ahmed Hadj Kacem 2 , Mohamed Mosbah 1 and Dominique M´ ery 3 1 LaBRI Laboratory, Universit´ e Bordeaux 1 351 Cours de la Lib´ eration 33405 Talence France 2 ReDCAD Laboratory, ENIS-FSEGS B.P. W, 3038 Sfax, Tunisia 3 Loria, Universit´ e Henri Poincar´ e Nancy 1, BP 239, 54506 Vandoeuvre l` es Nancy France Abstract. A distributed system consists of a collection of processors running simultaneously to achieve a common task. However, the design of such systems, and the proof of their correctness is a very complex and difficult task. In order to understand, analyze and verify distributed systems and applications, we propose in this paper a general model for proving distributed systems. This model can offer systematic verification of distributed algorithms and also ensure their correct functioning. In other words, the main advantage of this model is the proof of correctness of the distributed algorithms. Moreover, we exploit the refinement technique of Event-B to propose a unified modular development of distributed algorithms. We illustrate this method by investigating examples of the distributed computation of spanning trees, and we implement them by using the Rodin platform. 1 Introduction Distributed algorithms are often deployed to drive sensitive distributed systems (in the transportation or nuclear sector, for instance) and very often some human lives are at stake. Therefore, the correctness of distributed algorithms becomes crucial, because it gives us confidence that our systems perform as designed and do not behave harmfully. Unfortunately, this imposes a heavy burden on the designer during the development process, especially for complex distributed al- gorithms. In fact, these algorithms are often characterized by a lack of knowledge of the global state and the non determinism of the execution of the processes. In order to verify and to prove the correctness of distributed algorithms, two main formal approaches have been proposed. The first one is to ensure correct- ness by an exhaustive search of the state space with a model checker [1–3]. This is a technique that relies on building a finite model of a system and checking ⋆ This work has been supported by the french project “Agence Nationale de la Recherche ANR-06-SETI-015”