Abstract. Recent work on combining CSP and B has provided ways of describing systems comprised of components described in both B (to express requirements on state) and CSP (to express interactive and controller behaviour). This approach is driven by the desire to exploit existing tool support for both CSP and B, and by the need for compositional proof techniques. This paper is concerned with the theory underpinning the approach, and proves a number of results for the development and verification of systems described using a combination of CSP and B. In particular, new results are obtained for the use of the hiding operator, which is essential for abstraction. The paper provides theorems which enable results obtained (possibly with tools) on the CSP part of the description to be lifted to the combination. Also, a better understanding of the interaction between CSP controllers and B machines in terms of non-discriminating and open behaviour on channels is introduced, and applied to the deadlock-freedom theorem. The results are illustrated with a toy lift controller running example.
1 Introduction
Morgan's failures/divergences semantics for event systems [Mor90] enables the various CSP semantics to be given to B machines. These CSP semantics allow machines to be treated as CSP components within a concurrent system, and we can combine them with other CSP components using architectural operators such as parallel composition and abstraction.
Recent work [Tre00] has considered the interaction between a particular kind of B machine and a controller written as a (recursive) sequential CSP process. An important requirement of a controller for a machine is that it should invoke machine operations only within their preconditions. Previous results [Tre00] have identified conditions sufficient to guarantee P || M to be divergence-free for a controller P and machine M, which ensures this important property. These results require identification of a control loop invariant (CLI) on the state of the B machine M, which must be true on every recursive call. This is established by considering the semantics of the B operations as they are called within the controller, and essentially computing the weakest precondition required to establish the CLI.
In combining communicating B machines, we use a particular architecture [ST02b] to restrict the interaction between components, by ensuring that each B machine interacts only with its own controller. A system will be structured as a parallel combination ||_i (P_i || M_i) of controlled components. Each M_i is under the control of the corresponding P_i, and the P_i's can also interact with each other. This architecture is illustrated in Figure 1. Interaction across the system can occur only between the CSP processes. This approach enables compositional verification, whereby we are able to verify properties of the entire system by obtaining results about smaller structures within the system. In particular, both CSP and B already have mature tool support which can be used to verify the components.
The model-checker FDR [For97] performs model-checking on systems described in CSP, and is therefore suitable for analysing the controllers, individually and in combination. The paper provides theorems which enable results obtained (possibly with tools) on the CSP part of the description to be lifted to the combination (footnote 1). We obtain a number of theorems in the various CSP semantic models.
In practice, we find that it is often the case that a property holds in a combined system for reasons associated with the state within the B components. In this case, the CSP controller descriptions need to be augmented with the relevant state information. This paper also provides theorems which support the required manipulations of CSP controllers. In this paper, we provide informal explanations of the theorems, but for reasons of space cannot include the proofs. Instead, a fuller version of this paper [ST02a] gives proofs of all the theorems and lemmas.
2 Background
2.1 CSP
Events. CSP processes are defined in terms of the events that they can and cannot do. Processes interact by synchronising on events, and the occurrence of events is atomic. The set of all events is denoted by Σ.
Footnote 1: The FDR checks discussed in this paper are available at http://www.cs.rhul.ac.uk/research/formal/steve/code/lifts.fdr2
Events may be compound in structure, consisting of a channel name and some (possibly none) data values. Thus, events have the form c.v1...vn, where c is the channel name associated with the event, and the vi are data values. The type of the channel c is the set of values that can be associated with c to produce events.
For example, if trans is a channel name, and N × Z is its type, then events associated with trans will be of the form trans.n.z, where n ∈ N and z ∈ Z. For example, trans.3.8 is one such event.
A partial event, or (following [Sca98]) partially completed datatype value, is a channel name together with some values, but not necessarily all. For example, trans.3 is a partial event. Any channel is a special case of a partial event.
Given a set of partial events PE, we can define the set of events {| PE |} which are the completions of events in PE, as follows: {| PE |} = { p.w | p ∈ PE ∧ p.w ∈ Σ }
We use alphabetised CSP, so every process has an alphabet, which is the set of events whose occurrence requires its participation. The alphabet of a process P is denoted α(P). For the purposes of this paper we will require that the alphabet of any process is given by a set of channels C, so that α(P) = {| C |}.
2.2 CSP controllers
A controller for a B machine is a particular kind of CSP process. To interact with the B machine, it makes use of control channels which have both input and output, and provide the means for controllers to synchronise with B machines.
For each operation w ← e(v) of a controlled machine with v of type T_in(e) and w of type T_out(e) there will be a channel e of type T_in(e) × T_out(e), so communications on e are of the form e.v.w.
Controller descriptions may also include assertions about the values of variables they are using. These are incorporated in CSP either as blocking assertions (which block if the assertion is false) or as diverging assertions (which diverge if the assertion is false), depending on the role they play in verification.
When we talk about a CSP controller P we mean a process which has a given set of control channels C. The controlled B machine will have exactly {| C |} as its alphabet: it can communicate only on channels in C.
Controller syntax. Controllers are generated from the following subset of the CSP syntax, as discussed in [ST02b] (the grammar itself is not reproduced on this page). In that syntax, [...] channel, x is a data variable, v is a data value, E(x) is a predicate on x (it may be elided, in which case it is taken to be true), b is a boolean expression, and S(p) is a process expression.
The process a → P is initially prepared to engage in an a event, after which it behaves as P. The input c?x → P is prepared to accept any value x along channel c, and then behave as P (whose behaviour can be dependent on x). The output d!v → P provides v as output. The operation call e!v?x{E(x)} → P is an interaction with an underlying B machine: the value v is passed from the process as input to the B operation, and the value x is accepted as output from the B operation. If x meets the condition E(x) then the process behaves as P. If x does not meet the condition then the process diverges. On the other hand, e!v?x⟨E(x)⟩ → P only allows e.v.x if E(x), otherwise the event is blocked. Behaviour subsequent to e.v.x is that of P.
The external choice process P1 □ P2 is initially prepared to behave either as P1 or as P2, and the choice is resolved on occurrence of the first event. Binary and general internal choice are possible, though not used in the example presented here. The conditional choice if b then P1 else P2 behaves as P1 or P2 depending on the evaluation of the condition b. The process expression S(p) expresses a recursive call. Finally, processes can be defined using (recursive) definitions of the form S(p) ≙ P.
2.3 CSP semantic models
There are three semantic models used in this paper: the Traces model, the Stable Failures model, and the Failures/Divergences model. We introduce the relevant features of them here. Full details of these models can be found in [Ros97, Sch99].
Traces. A trace is a finite sequence of events. A sequence tr is a trace of a process P if there is some execution of P in which exactly that sequence of events is performed. The set traces(P) is the set of all possible traces of process P. The traces model for CSP associates a set of traces with every CSP process. If traces(P) = traces(Q) then P and Q are equivalent in the traces model, and we write P =_T Q.
Stable Failures. A stable failure is a pair (tr, X) consisting of a trace tr and a set of events X. Such a pair is a stable failure of a process P if there is some execution of P on which tr is the sequence of events performed, reaching a state in which all events in X can be refused, and also no internal progress is possible.
Failures and Divergences. A divergence is a finite sequence of events tr. Such a sequence is a divergence of a process P if it is possible for P to perform an infinite sequence of internal events (such as a livelock loop) on some prefix of tr.
The set of divergences of a process P is written
A failure is a pair (tr, X) consisting of a trace tr and a set of events X. It is a failure of a process P if either tr is a divergence of P (in which case X can be any set), or (tr, X) is a stable failure of P. The different models are used to analyse CSP systems with respect to different properties. This paper is concerned with the failures-divergences model, which is used to check for liveness properties such as divergence-freedom. If a system description includes the possibility of divergence (for example, if it includes internal events), then it is necessary to use the failures-divergences model to check for divergence-freedom.
An important relationship between the stable failures model and the failures-divergences model is that if a process is divergence-free (i.e. its set of divergences is empty), then its failures are the same as its stable failures. This is captured in the following theorem:
Theorem 1. If
This theorem is useful because it allows us to carry out analysis in the stable failures model, which is generally easier and more efficient, and to establish results which remain valid in the failures-divergences model. For example, once it has been established that a process P is divergence-free, then to check that it is deadlock-free (i.e. that (tr, α(P)) cannot be a failure of P for any tr), it is sufficient to check this in the stable failures model (that (tr, α(P)) cannot be a stable failure). The model-checker FDR [For97] can carry out divergence-freedom and deadlock-freedom checks mechanically. There are also CSP theorems (for example, Theorem 3 in this paper) for establishing that a process P is divergence-free.
3 A motivating toy example: a lift controller
As motivation for the results presented in this paper, we consider a toy example of a collection of lift machines described in B, controlled by CSP controller processes. We will indicate the use of the theorems presented later in the paper. An individual lift is given in Figure 2. It describes a particular lift, indexed by i. We will then go on to define a system consisting of a collection of such lifts. Among the cases handled by its controller, on i_ground it is required to move the lift to the ground floor. To do this, it repeatedly checks (using i_isZero) whether the lift is on the ground floor, and if not then it moves the lift down a floor with i_dec. We are firstly interested in each controlled lift combination i_LiftSys ≙ (i_Lift || i_LiftCtrl) \ {| i_inc, i_dec, i_isZero |}, which is pictured in Figure 3. We require as a minimum that this combination is deadlock-free and divergence-free.
These properties are apparent in this simple example. Deadlock-freedom is immediate because the B machine is always willing to engage in any event required by the controller, and the controller itself is either waiting for an interaction from its environment or else ready to call a machine operation. Divergence could arise either (i) from a B operation being called outside its precondition, or (ii) from an infinite sequence of internal events. In the case of (i), the only operation with a non-trivial precondition is i_dec, and the controller is constructed so that i_dec is only ever called when the lift is not at floor 0. In the case of (ii), the lift will eventually reach the ground floor and so an infinite sequence of calls of i_dec cannot occur.
In more complex examples the properties may not be so apparent, and it would be useful to be able to apply analysis tools to carry out model-checking on the combined system. However, no tools currently exist which can analyse a combination of B and CSP descriptions, so instead we analyse the descriptions separately and combine results. In particular, for considering properties such as deadlock and livelock we would aim to apply a tool such as FDR [For97] to the CSP part of the description, and deduce results about the controlled combination. In particular, once it has been established that the controller does not call operations outside their precondition, then the aim is that all deadlocking and divergent behaviour is essentially contained in the controller and can be identified without further reference to the B machine. It has previously been established [ST02b] that, under appropriate conditions, the deadlock-freedom of a controller P implies the deadlock-freedom of a controlled combination P || M. This result appears in this paper as Theorem 2 in Section 4.
We also establish in this paper (Theorem 3 in Section 5) that, under appropriate conditions, if P \ E is divergence-free, then so too is (P || M) \ E.
These two theorems are exactly what is required. We have only to check that i_LiftCtrl is deadlock-free to deduce the same for i_LiftSys. And we have only to check that i_LiftCtrl \ {| i_inc, i_dec, i_isZero |} is divergence-free to deduce this for i_LiftSys. These are both checks that are easily done using FDR.
However, the second check turns out not to be correct. The description of i_LiftCtrl \ {| i_inc, i_dec, i_isZero |} in fact contains a divergence arising from the infinite sequence ⟨i_ground, i_isZero.false, i_dec, i_isZero.false, i_dec, ...⟩ of i_LiftCtrl. It is the machine i_Lift that ensures that this cannot occur, but that machine was not included in the FDR analysis. The problem is that some of the control flow is dependent on the state information maintained in the B machine, and so the useful theorems we have available are not directly applicable. We need to include the relevant state information in the description of the CSP controller. We do this by introducing a new variable f, and also introducing the expectation that the value true will be received on channel i_isZero exactly when f = 0. This is included as an assertion in the controller i_LiftCtrl2(0) (its definition is not reproduced on this page).
Introducing a diverging assertion means that i_LiftCtrl2(0) trivially has a divergence (i.e. the behaviour when the assertion is not met), so it is not appropriate to check i_LiftCtrl2(0) \ {| i_inc, i_dec, i_isZero |} for divergence-freedom. However, in the context of i_Lift we know the assertion will always be true, so we may replace the diverging assertion by a blocking one, and yield a controller with the same behaviour in the context of i_Lift. The only difference is that this controller blocks rather than diverges when the assertion is false, and since the assertion is never false in the context of i_Lift, the resulting behaviour is the same. This transformation is justified by Corollary 1 (given at the end of Section 5). Thus, we obtain a variant i_LiftCtrl3(0) of the controller. Now we have a transformation of the controller which is divergence-free when the internal events are hidden: i_LiftCtrl3(0) \ {| i_inc, i_dec, i_isZero |} is divergence-free, and this can be checked using FDR (given a bound on the number of possible consecutive i_up events).
So we can conclude that (i_LiftCtrl3(0) || i_Lift) \ {| i_inc, i_dec, i_isZero |} is divergence-free. Now Corollary 1 also allows the assertions of i_LiftCtrl2(0) to be dropped completely, resulting in a controller whose behaviour does not depend on the value of the parameter f at all, and which is therefore equivalent to i_LiftCtrl. This transformation is discussed in more detail in [ST02a]. We have therefore now established divergence-freedom of the original combination (i_LiftCtrl || i_Lift) \ {| i_inc, i_dec, i_isZero |}.
To sum up: we identified two new controllers which are equivalent in the presence of i_Lift to the original controller i_LiftCtrl, and which are each used in a different part of the proof.
- i_LiftCtrl3(0) \ {| i_inc, i_dec, i_isZero |} is divergence-free, and so (i_LiftCtrl3(0) || i_Lift) \ {| i_inc, i_dec, i_isZero |} is divergence-free.
- And i_LiftCtrl2(0) || i_Lift is equivalent to the original i_LiftCtrl || i_Lift.
These results together establish the required result: that the original combination (i_LiftCtrl || i_Lift) \ {| i_inc, i_dec, i_isZero |} is divergence-free. The state information was introduced into the controller purely to enable the verification to take place, and can be removed once the result has been established.
We also deduce that (i_LiftCtrl || i_Lift) \ {| i_inc, i_dec, i_isZero |} is deadlock-free. This follows from deadlock-freedom of i_LiftCtrl || i_Lift.
A collection of lifts
We will now combine the lifts into a single system together with a Dispatch and DispatchCtrl component which manages requests for lifts from buttons on the various floors. When a request for a lift is made from a particular floor, only one of the lifts needs to be sent. An example architecture made up of four lifts is pictured in Figure 6.
The Dispatch machine contains some algorithm for deciding which lift should be sent to a particular floor. It has an operation ii, nn, dd ← send(…). On input of the floor to send a lift to, it provides as output the lift ii to be sent, the number of floors nn and the direction dd that lift ii will need to travel (as computed by Dispatch). Dispatch has another operation reset, which is called when all lifts return to the ground floor. The particular details of Dispatch are not relevant to this example and will not be given here. The DispatchCtrl controller accepts requests along channel req: an input req?x is a request for a lift to go to floor x. It makes use of the Dispatch machine to decide which lift to allocate, and then sends the appropriate instruction to the relevant lift. The controller can also accept an instruction bottom to return all lifts to the ground floor. We will see in Section 6 that this system is deadlock-free and divergence-free.
4 Deadlock-freedom
This section introduces two new properties concerning process behaviour on channels: open on possible inputs, and non-discriminating. These are the key properties exhibited by B machines and CSP controllers respectively. As we shall see, considering components in terms of these properties enables many of the results from Sections 4 and 5 concerning individual controlled components to be lifted to interacting collections of controlled components in Section 6. They also enable easier proofs of previously established results such as Theorem 2 in this section. An essential requirement for controlled components is deadlock-freedom. This is easily checked in FDR, but only for processes that are expressed in CSP. Thus, we aim to establish a theorem that allows the deadlock-freedom of P || M to be deduced from deadlock-freedom of P (which can then be checked using FDR).
In general, parallel composition does not preserve deadlock-freedom. Fortunately, in the case of CSP controllers and B machines, we are able to identify conditions which ensure that the processes involved interact on their common channels in a particular way, ensuring that introducing a B machine cannot introduce any new deadlocks. In other words, any deadlocks possible for the controlled component P || M must already have been possible in P.
Open on possible inputs. The required property of the B machine is that it should always be able to accept any input for any operation, and be able to provide some output. The need for this property is precisely why only machines with non-blocking operations are permitted. If a machine meets this property then we will say it is open on the particular operations and inputs.
In CSP terms, this is defined formally for CSP processes Q as follows:
Definition 2. A process Q is open on a set of partial events PE if, given any (tr, X) ∈ SF[[Q]] and e ∈ PE, there is some w such that e.w ∉ X.
This will apply to B machines as follows: given any machine operation w ← e(v), we would expect the machine to be open on any partial event of the form e.v', which corresponds to passing the input v' to operation e. In other words, there should be some output w' which is made available by the machine (and hence does not appear in the refusal set X). The set of possible inputs for a machine will be all those partial events which correspond to operations being called with some input. The events are partial because they do not include the output values.
Definition 3. Given
Observe that in the cases of i_inc and i_dec there are no outputs, so the partial events are in fact complete events. Being open on these events means that they cannot be refused (since their output field is empty). There are two completions of the partial event i_isZero: i_isZero.true and i_isZero.false. i_Lift being open on this partial event means that at any stage at least one of these completions cannot be refused by i_Lift.
The key property of non-blocking machines is that they will always be open on their possible inputs:
Lemma 1. Any (non-blocking) B machine M is open on pi(M).
This states in CSP semantics terms that any operation call with any input should always produce some result.
Our approach is restricted to non-blocking B machines. In other words, operations w ← e(v) must always be enabled (though they might be called outside their preconditions, which leads to divergence) and on any input they must provide some output. For the purposes of this paper we will henceforth take B machines to be non-blocking.
Non-discriminating controllers. The condition on a controller P is that, whenever it calls an operation of the controlled B machine M, it should be able to accept any output provided by M. We call this property non-discriminating, and it can be expressed formally in CSP terms with the following definition:
Definition 4. A CSP process P is non-discriminating on a set of partial events PE
Observe that i_LiftCtrl is also non-discriminating on {i_inc.i | i ∈ Z} and on i_dec. In fact a process will trivially be non-discriminating on complete events. Controllers which do not include blocking assertions on the control channels are able to accept any output from the associated B machine whenever they call an operation with any particular inputs. Thus, they will be non-discriminating on the possible inputs to the machine. This is expressed by the following lemma:
Lemma 2. If P is a controller for machine M with no blocking assertions on any channels of M , then P is non-discriminating on the set pi(M ) of M 's possible inputs.
Observe that this lemma is illustrated by i_LiftCtrl in Example 2 above.
Establishing deadlock-freedom. We now have ingredients which are sufficient to deduce deadlock-freedom of P || Q from deadlock-freedom of P. The idea is that the interface between P and Q is defined by a set of partial events PE: P should be non-discriminating on these partial events, and Q should be open on them. [...] that it can itself refuse the whole set {| i_isZero |}.
The same reasoning applies to all partial events in the interface between i_LiftCtrl and i_Lift. Thus, if i_LiftCtrl || i_Lift could reach a deadlock state, then all events in the interface would be refused by i_LiftCtrl || i_Lift, and so they could also be refused purely by i_LiftCtrl. Thus, i_LiftCtrl would also have a deadlock state. As observed previously, i_LiftCtrl is deadlock-free. Hence Theorem 2 allows us to deduce that i_LiftCtrl || i_Lift is deadlock-free.
5 Restricting events to prevent divergence
The use of abstraction is essential in the compositional development of large systems. We will therefore generally need to hide control channels within controlled components. In the lift component example in Section 3, the channels i_inc, i_dec, and i_isZero are hidden, leaving i_up, i_down, and i_ground as the only external channels.
Since hiding has the potential to introduce divergence, we need to be able to establish when this does not occur. In particular, it would be useful to be able to check divergence-freedom of a controller P \ C using FDR, and to be able to deduce divergence-freedom of the controlled component (P || M) \ C.
The following theorem on CSP processes P and Q gives such a condition:
Theorem 3. If P || Q is divergence-free, and C ⊆ α(P), and P \ C is divergence-free, then (P || Q) \ C is divergence-free.
This is immediately applicable to controlled components (where the machine M is considered as the process Q) since C ⊆ α(P) as a consequence of our architecture. Thus, divergence-freedom of (P || M) \ C follows directly from divergence-freedom of P \ C. However, in practice it will often be the case that P \ C turns out not to be divergence-free, even if (P || M) \ C is. For instance, in the lift example we found that i_LiftCtrl \ {| i_inc, i_dec, i_isZero |} was not divergence-free, and instead we had to transform the controller description to i_LiftCtrl3(0) in order to obtain a controller such that i_LiftCtrl3(0) \ {| i_inc, i_dec, i_isZero |} is divergence-free. So it is necessary to identify theorems which justify such transformations.
Our approach is to identify behaviours of controller P which cannot occur in the context of the machine M under control. We then aim to find P' such that
1. P' is the same as P except (possibly) on the behaviours that have been identified, and
2. P' \ C is divergence-free.
Thus, P' || M will be the same as P || M. We are assuming that P || M has previously been shown to be divergence-free: that P is an appropriate controller for M. Theorem 3 applied to P' yields that (P' || M) \ C is divergence-free, and hence (P || M) \ C is divergence-free.
This was the approach taken in the lift example. The relevant behaviour that cannot occur in the context of i_Lift is the output of false from i_isZero when the lift is at the ground floor. This behaviour is blocked in i_LiftCtrl3(0). However, i_LiftCtrl3(0) is the same as i_LiftCtrl for all behaviours that are possible in parallel with i_Lift.
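The lift argument of Section 3, together with Definitions 2 and 4 and Theorem 3, replayed on a small explicit-state model. This is an added example and not the paper's own CSP/B text or its FDR script: i_Lift and three controller variants (plain, diverging assertion, blocking assertion) are given the shape the text describes (i_up followed by i_inc; i_ground followed by a loop of i_isZero and i_dec), with i_down omitted and the unbounded floor count cut at an assumed MAX_FLOOR, which is the bound the text says FDR also needs. Divergence of a hidden process is detected as a reachable cycle of internal transitions.

```python
MAX_FLOOR = 3        # bound on consecutive i_up events, keeps the stateful controllers finite
TAU = ("tau",)       # a hidden (internal) transition; TAU[0] is never a channel name
DIV = "DIV"          # abstract divergent state: an operation was called outside its precondition
CONTROL = {"i_inc", "i_dec", "i_isZero"}     # control channels of i_Lift, hidden in i_LiftSys
COMPLETIONS = {"i_inc": [()], "i_dec": [()], "i_isZero": [(True,), (False,)]}  # {| c |} as output tuples

def lift(floor):     # i_Lift: state is the floor; non-blocking, but i_dec at floor 0 violates its precondition
    if floor == DIV:
        return [(TAU, DIV)]
    return [(("i_inc",), min(floor + 1, MAX_FLOOR)),      # saturation: artefact of the finite model
            (("i_dec",), floor - 1 if floor > 0 else DIV),
            (("i_isZero", floor == 0), floor)]

def controller(assertion):
    """State (phase, f). None: i_LiftCtrl (f unused). 'diverge': i_LiftCtrl2(f), diverging
    assertion {isZero output == (f == 0)}. 'block': i_LiftCtrl3(f), the same assertion blocking."""
    def is_zero(f, on_true, on_false):                    # the e!v?x{E(x)} / <E(x)> clause on i_isZero
        out = []
        for b, nxt in ((True, on_true), (False, on_false)):
            if assertion and b != (f == 0):               # output contradicts the tracked floor
                if assertion == "diverge":                # ('block' offers nothing for this output)
                    out.append((("i_isZero", b), DIV))
            else:
                out.append((("i_isZero", b), nxt))
        return out
    def trans(state):
        if state == DIV:
            return [(TAU, DIV)]
        phase, f = state
        nf = (lambda d: f + d) if assertion else (lambda d: 0)   # f is tracked only when asserting
        if phase == "idle":                                       # waiting for the environment
            up = [(("i_up",), ("up", f))] if assertion is None or f < MAX_FLOOR else []
            return up + [(("i_ground",), ("g_chk", f))]
        if phase == "up":
            return [(("i_inc",), ("idle", nf(+1)))]
        if phase == "g_chk":                                      # check i_isZero: back to idle,
            return is_zero(f, ("idle", f), ("g_dec", f))         # or one floor down and recheck
        return [(("i_dec",), ("g_chk", nf(-1)))]                  # phase "g_dec"
    return trans

def parallel(p, q, shared):   # alphabetised parallel: `shared` channels need both sides, others interleave
    def trans(state):
        s, t = state
        out = [(e, (s, t2)) for e, t2 in q(t) if e[0] not in shared]
        for e, s2 in p(s):
            sync = [(e, (s2, t2)) for e2, t2 in q(t) if e2 == e]
            out += sync if e[0] in shared else [(e, (s2, t))]
        return out
    return trans

def hide(p, channels):        # P \ {| channels |}: communications on those channels become TAU
    return lambda state: [(TAU if e[0] in channels else e, n) for e, n in p(state)]

def reachable(p, init):
    seen, stack = {init}, [init]
    while stack:
        new = [n for _, n in p(stack.pop()) if n not in seen]
        seen.update(new)
        stack += new
    return seen

def divergent(p, init):       # divergence = a reachable cycle of TAU transitions (infinite internal run)
    colour = {}               # absent: unvisited, 1: on the DFS stack, 2: finished
    def dfs(s):
        colour[s] = 1
        for e, n in p(s):
            if e == TAU and (colour.get(n) == 1 or (n not in colour and dfs(n))):
                return True
        colour[s] = 2
        return False
    return any(s not in colour and dfs(s) for s in reachable(p, init))

def open_on(p, init, channels):   # Definition 2: every stable reachable state enables some completion of c
    return all(any(e[0] == c for e, _ in p(s))
               for s in reachable(p, init) if s != DIV for c in channels)

def non_discriminating(p, init, channels):   # Definition 4: if any completion of c is offered, all are
    def ok(offered, c):
        comps = {(c,) + outs for outs in COMPLETIONS[c]}
        return not (offered & comps) or comps <= offered
    return all(ok({e for e, _ in p(s)}, c) for s in reachable(p, init) for c in channels)

def check_lift_system():      # replays the Section 3 argument; each value is the truth of the named property
    ctrl, ctrl2, ctrl3 = controller(None), controller("diverge"), controller("block")
    c0, s0 = ("idle", 0), (("idle", 0), 0)
    with_lift = lambda c: parallel(c, lift, CONTROL)
    return {
        "LiftCtrl \\ C divergent": divergent(hide(ctrl, CONTROL), c0),                        # True
        "LiftCtrl3 \\ C divergent": divergent(hide(ctrl3, CONTROL), c0),                      # False
        "(LiftCtrl3 || Lift) \\ C divergent": divergent(hide(with_lift(ctrl3), CONTROL), s0), # False
        "(LiftCtrl || Lift) \\ C divergent": divergent(hide(with_lift(ctrl), CONTROL), s0),   # False
        "LiftCtrl2 || Lift divergent": divergent(with_lift(ctrl2), s0),                       # False
        "LiftCtrl || Lift deadlock-free": all(with_lift(ctrl)(s) for s in reachable(with_lift(ctrl), s0)),  # True
        "Lift open on pi(Lift)": open_on(lift, 0, CONTROL),                                   # True
        "LiftCtrl non-discriminating": non_discriminating(ctrl, c0, CONTROL),                 # True
        "LiftCtrl3 non-discriminating": non_discriminating(ctrl3, c0, CONTROL),               # False
    }
```

The first two results reproduce the divergence of the plain controller under hiding and its disappearance for the blocking variant; the last two show why Theorem 2 applies directly to i_LiftCtrl but the blocking variant needs Corollary 1 instead.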
The way we identify traces that cannot occur is to require divergence whenever they do occur, and then look for divergences. If we are concerned with a set of traces T over an alphabet A, then we can express this by defining a new process DIV_A(T) which behaves as RUN_A except that it diverges on any trace in T. The process DIV_A(T) can then be used to mask behaviour in a process P.
The process P || DIV_A(T) behaves exactly as P, except that whenever a trace in T is performed then it diverges. Thus, if P || DIV_A(T) =_FD P' || DIV_A(T), then P and P' have the same behaviour except possibly with regard to traces in T, which are masked by the introduction of divergence.
The following theorem allows a process P to be replaced by an alternative process P' in the context of another process Q. In particular, if P does not diverge in the context of Q (i.e. P || Q is divergence-free), and P' is the same as P except on divergent traces of P, then P and P' have the same executions when executed in parallel with Q (since none of P's divergent traces will be performed).
Theorem 4. If P, P' and Q are such that 1. P || Q is divergence-free, 2. P =_FD P' || DIV (P) (
This states that if P' is different to P only with respect to where P diverges, and P || Q does not diverge, then P and P' behave the same in the context of Q. This follows because if P || Q does not diverge, then none of the traces of P which lead to divergence are possible when executing in parallel with Q. Since P' is exactly the same as P except for these traces, and Q prevents such traces from occurring, it follows that P' || Q is the same as P || Q.
- Firstly, we see that P || Q can only ever perform a and c events, and is deadlock-free. In particular, the process Q prevents P from performing the b event, the only event that can lead to divergence, since there is no point at which P and Q can agree to perform b.
- The behaviour of P' after b occurs is different to that of P (which is divergent), but if b does not occur then P and P' behave the same. Thus, P and P' are the same except on the divergences of P.
- Finally, note that P and P' have the same alphabet. Thus, we can conclude that P || Q =_FD P' || Q.
The reason this result is useful is because it supports the introduction and manipulation of assertions on the control channels. If we introduce a divergent assertion on a control channel between P and M, and we then establish that P || M is divergence-free (using CLI techniques), then we can alter the behaviour of P when the assertion is false (in which case P diverges) and obtain a related controller P' which matches P outside P's divergences, and for which P || M =_FD P' || M. The aim is to obtain a controller P' in this way for which P' \ C is divergence-free.
The next lemma lists some ways in which diverging assertions within a controller can be transformed.
Lemma 4. If a controller P' is obtained from controller P by replacing clauses of the form e!v?x{E(x)} → R(x) with one of:
1. e!v?x{E'(x)} → R(x) where ∀x . E(x) ⇒ E'(x)
2. e!v?x → if E(x) then R(x) else Q(x)
3. e!v?x → R(x)
4. e!v?x⟨E(x)⟩ → R(x)
then P =_FD P' || DIV (P) (
Thus, we obtain the following corollary for controlled components:
Corollary 1. If P || M is divergence-free, then behaviour in P following an input which fails a diverging assertion can be changed in accordance with Lemma 4 without affecting the behaviour of the parallel combination.
This means that diverging assertions in P, once they have been discharged in a context M, can be replaced with blocking assertions, or else removed completely. This is precisely the justification for the transformation of [...]
This follows immediately from the semantics for parallel composition, which preserves divergence-freedom. Thus, we need only establish divergence-freedom for the component pairs, and the result follows.
Example 5. In the parallel lift system, since each of the controlled lift components is divergence-free, and since we are given that the controlled dispatcher component is divergence-free, it follows that the overall parallel combination of all the components of the multiple lift system is divergence-free.
Establishing deadlock-freedom. Associativity and commutativity of the parallel operator means that we can group the controller processes together and the machines together, rearranging the parallel composition as follows:
Now we can consider (||_i P_i) as a CSP process, and (||_i M_i) as another CSP process; and we are concerned with the parallel combination of these two processes.
The reason for grouping the components in this way is that the properties 'non-discriminating' and 'open' are preserved by parallel composition in CSP.
We can thus obtain the following two lemmas:
Lemma 5. If P_i is a collection of controllers for machines M_i respectively, where each P_i has no blocking assertions on any channels of its associated M_i, then ||_i P_i is non-discriminating on the set ∪_i pi(M_i).
Lemma 6. Any collection of (non-blocking) B machines M_i has that ||_i M_i is open on ∪_i pi(M_i).
Lemma 6 states that if each machine is able to engage in any of its operations, then the parallel combination of all the machines is able to engage in any of the operations of any of its machines.
These two lemmas mean that the conditions for Lemma 3 are met for controllers with no blocking assertions:
This means that Lemma 3 is directly applicable to a collection of parallel controlled components, in which deadlock-freedom of the overall parallel combination follows from deadlock-freedom of the combination of controllers.
Theorem 6. Given a collection of CSP controllers $P_i$ and corresponding controlled machines $M_i$, such that no controller has any blocking assertions on the control channels: if $\parallel_i P_i$ is deadlock-free in the stable failures model, then so too is $\parallel_i (P_i \parallel M_i)$.
In the example lift system, we therefore have only to check that $(\parallel_{i=1..4} \mathit{LiftCtrl}_i) \parallel \mathit{DispatchCtrl}$ is deadlock-free (which is easily shown) to deduce this for the complete system.
Divergence-freedom of Lift System
We are really concerned with divergence-freedom of
Theorem 3 is the appropriate theorem to apply here. We need to split the system into P and Q such that $P \parallel Q$ is divergence-free, and $P \setminus C$ is divergence-free. The natural approach would take P as the combination of CSP controllers, and Q as the combination of B machines; verification could indeed be established by introducing assertions into the controllers along the lines of Section 3. However, we have already established that the individual lifts are divergence-free, so we can re-use this result by splitting the system differently, as pictured in Figure 7. P is DispatchCtrl, Q is the rest of the system, and C is the interface between P and Q:
Discussion
This paper has been concerned with providing the CSP underpinnings for developing controlled components consisting of B machines controlled by CSP controllers under a particular architecture. The work builds on the control loop invariant method for verifying individual controlled components in the context of the B Method, and develops results for combining such verified components.
All of the results presented in this paper have been developed using the CSP semantics of all the component processes. The emphasis has been on obtaining compositional results which enable existing CSP verification methods and tools to apply to our combined systems. These results enable a particular strategy for verification: transform system descriptions to equivalent forms which are amenable to CSP checking. In the simplest case, if the combination $P \parallel M$ is equivalent to $P' \parallel M$, and properties of $P' \parallel M$ can be established by analysing $P'$ (with CSP tools), then those same properties can be deduced for $P \parallel M$. So our approach is to transform a controller P to a process $P'$ which behaves the same way in the context of M.
Transforming system descriptions to enable pure CSP analysis may involve the introduction of state information within the CSP controller descriptions, so that the behaviour in the context of the underlying B machine is not affected. In this paper we have illustrated the use of this technique.
Ongoing work [ST02a] has obtained further results for this framework. Firstly, it is often the case that controlled components are only correct in the context of the rest of the system. In this situation we will need to introduce assertions on the channels between CSP controllers, in order to establish divergence-freedom of the individual controlled components. Treating assertions as blocking or diverging in particular cases is a delicate issue and depends on the particular verification under consideration. We have developed theorems [ST02a] which justify the use of particular kinds of assertions. Secondly, we have results (whose proofs use the new notions of 'non-discriminating' and 'open') concerning refinement in the stable failures model: if $SPEC \sqsubseteq P \setminus (M)$ then $SPEC \sqsubseteq (P \parallel M) \setminus (M)$ under the appropriate conditions. This enables specified properties to be verified of combined systems. These results have been applied to a Bounded Retransmission Protocol [EST03] for buffer-style properties, and in the Bank case study [TSB03].
The toy examples and the case studies carried out to date have provided some experience in the way in which state, and conditions on it, are introduced into the CSP controllers. The necessary state emerges during the verification process in response to FDR checks that fail. Often it is some part of the B state that is simply duplicated in the CSP (as in our toy lift example) in order to enable verification. However, it is too early to identify patterns that may arise in this process (let alone automate it), and more case studies are being pursued.
Scalability of the approach is also a significant issue. Compositionality is a key ingredient of scalability, and it will be important to continue to identify ways in which both requirements and components can each be decomposed to minimise the amount of state required in each verification. This is the subject of ongoing research. In particular, the verification of a controlled component $P \parallel M$ against a collection of requirements might require different state to be introduced into P for each requirement, as was found in the Bounded Retransmission Protocol case study [EST03]. This is better than including all the required state for all of the required properties at once, which could result in duplicating all of the B state in the CSP controller.
There are several other approaches to combining a process-style controller with a state-based system description (e.g. [But00,FL03,WC01,SD01]). The approach closest to ours is Butler's csp2B tool [But00], which allows a CSP process to be conjoined to a B machine in a way which corresponds to a controller for an underlying machine. However, none of the other approaches exploit the semantic models for CSP in the way presented here. The ability to develop theory and tap into existing tool support on both the concurrency side and the state-based side is an important driver of the approach presented in this paper, and originally motivated the choices of CSP and B as the methods we chose to integrate.
