Using UML-B and U2B for formal refinement of digital components by Snook, Colin & Sandstrom, Kim
Using UML-B and U2B for formal refinement of digital 
components
1 
 Colin  Snook
   Kim Sandström 
   University of Southampton,
   Nokia Research Centre,  
   Southampton, UK  Helsinki, Finland 
  cfs@ecs.soton.ac.uk kim.g.sandstrom@nokia.com 
Abstract 
 In this paper we look at using formal methods to verify the transformation of a digital 
design from abstract functional specification to bit level implementation. As both authors are in-
experienced in formal proof we saw this as a test of the practicality of introducing proof tools in 
an industrial setting rather than an exemplar of such methods Rigorous verification is desirable 
in digital design because mistakes can be extremely costly. However, there are drawbacks and 
barriers to introducing formal notations. Formal notations are abstraction hungry, viscous and 
require insight, experience and look-ahead. Hence we specialise the UML to alleviate these 
problems by providing a semi-graphical form of the formal notation B based on existing visual 
modelling tools. With a small case study, we show the use of B-UML using an event style of 
modelling to refine a macro level function into a cascade of single bit cells. We attempt to prove 
the refinement with the assistance of available proof tools but find that the problem is 
deceptively difficult.  
1 Introduction 
In digital design, the problem is getting from a behavioural specification of a function or algorithm 
down to the RTL (Real Transfer Logic) implementation-level hardware description using a HDL 
(Hardware Definition Language) from which a netlist can be synthesised, without making any 
mistakes. Mistakes are extremely costly to rectify due to the production set-up and high volume 
output. The consequences of a product recall and the impact this can have on market perception are 
dire. Generally the behavioural specification of the hardware is quite detailed. Typically it will 
consist of a block diagram schematic of some kind that expresses the required functionality of the 
device precisely and in detail except for timing and synchronisation. However, there is still a long 
way to go before hardware can be implemented. For example, macro level functions may have to be 
implemented as a collection of single operations (as in our example) and even then the implied 
netlist connectivity must be chosen in such a way as to optimise the use of logic gates (for minimum 
silicon area, timing delay, and power consumption). 
Using formal methods we can prove that there are no mistakes in these transformations. An event 
style of B is particularly suitable for some of these transformations because it expresses the event 
nature of hardware operation and allows us to model and control the refinement of high-level events 
into a sequence of more detailed ones.  
The aim of digital design is to produce circuits for silicon chips. Digital design implements 
algorithms using highly integrated transistors on a small piece of silicon. Such transistors in turn 
implement basic elements called gates. Gates are quite simple logic units: AND, NAND, OR, NOR, 
XOR or INVERTER. The physical silicon technology used usually implements just a subset of these 
gates. There are silicon libraries for each physical silicon process that uses gates to implement actual 
                                                      
1 This work was funded by the EU Research Project, PUSSEE (IST-2000-30103). [9] 1.3  The B Language and Toolkit 
The B language is a formal specification notation that has strong decomposition mechanisms and 
good tool support. The primary aim of decomposition in B is to obtain compositionality of proof. B 
is designed to support formally verified development from specification through to implementation. 
To do this it provides tool support for generating and proving proof obligations at each refinement 
stage. To make large-scale development feasible, B provides structuring mechanisms to decompose 
a project into ‘modules’. Each module consists of ‘components’ (machines, refinements or 
implementations). Each module includes an abstract machine and possibly, refinements until an 
implementation is reached. The implementation may then import abstract machines of other 
modules in a hierarchical module structure. 
Event B. In our example, we use an event style of B where operations represent events that occur in 
the system. In conventional B, operations represent the response of a system to some external 
stimulus. In event B [7], operations are replaced by events and represent something that occurs 
spontaneously (subject to a guarding predicate) within a closed system. Some events model 
interfaces and can be viewed as the occurrence of both the stimulant and the reaction. Further 
intermediate events may be added, or existing events may be split or merged, as refinements add 
more detail to the model. There is no prover for event B at this time. Instead a translator [5] converts 
event B into conventional B so that the AtelierB tool can be used. 
2  Adder Case Study 
Because of the causal nature of a cascading structure event B was chosen to describe an abstract 
specification and a refinement of the design.  
The abstract design is attributed one event for data input and one event for data output. At closer 
inspection it turns out that these two events correspond to the active and the passive edge of the 
clock pulse. Data inputs are read at the active edge of clock and outputs are ready at the passive 
edge of the clock. Events that occur in between are defined in the refinement 
In the refinement an event is defined for every physical step of the calculus process. Data 
acquisition and calculus for every cell is added separately. The final definition is very close to actual 
physical events on the silicon chip. 
Adder general structure. In a digital design with arithmetic operations, numerical values are 
implemented as bits. A bit vector represents a value. It's actual semantic is determined by the 
designer. A bit vector might be an integer or it might be a fixed or floating-point number. For 
simplicity we chose to implement an integer adder of fixed width. In the case of our adder the 
semantics of a bit vector is an integer. For the example, we defined the bit width of the inputs and 
outputs to be four. In addition an input carry and an output carry were added as a control structure 
for overflow exceptions.   
The abstract adder can be seen as a black box with two inputs and one output and a known 
relationship between inputs and outputs. Such an abstraction is suitable for any digital module of 
any size. Thus, the adder can within this study represent the abstraction of much more complex 
structures and we get a hint of typical design problems using formal proof. In no way do we imply 
that a bigger more complex design would be equally ‘easy’ to prove using formal methods, but some 
conclusions may be drawn. 
Bit vectors are semantically integers. In order to implement a digital module at this level we need 
to define bit level operations. These operations operate on bit vectors. In our example two bit 
vectors and a single bit (representing carry from some previous operation) are added. The abstract 
functional specification of the circuit is described using integers. Since the bit vectors are 
semantically interpreted as integers we have to define the relationship between bit vectors and 
integers to facilitate formal proof. To solve this problem the bit vector operation is considered a 
refinement of the integer operation. This refinement turns out to be surprisingly difficult to prove. 2.1  The Adder as a Generic Component 
Initially we defined a generic addition component with parameterised bit vector length. The aim was 
to extract the common addition function that exists once as a four bit addition in the abstract 
specification and four times as single bit additions in the refinement. This resulted in the class 
structure shown in Fig.1. However, although the generic adder component allows some reuse of 
proof between abstraction and refinement its proof is very easy and mostly automatic. On the other 
hand, the generic adder component was found to make the refinement proof much more complicated 
especially as many of the operators used in the genericity were not supported by rules in the prover 
rule base. We could not achieve a proof with this structure.  
On the one hand, the difficulty of proof (as well as other re-use motivations) makes the 
identification of generic functions desirable in order to promote the re-use of proven specifications. 
On the other hand the difficulty of proof requires that we keep the specifications as simple as 
possible and this prevents the addition of features needed to provide genericity. We see this as a 
major obstacle in the adoption of B throughout industry. Work to tackle this problem is underway 
[13].  
length
ADDER
inpA_data : 0..2**length-1 = 0
inpB_data : 0..2**length-1 = 0
out_data : 0..2**length-1 = 0
inp_carry : 0..1 = 0
out_carry : 0..1 = 0
idata_valid : BOOL = FALSE
icarry_valid : BOOL = FALSE
evol_procedure()
setInputs_procedure(inpA_val : 0..(2**length-1), inpB_val : 0..(2**length-1))
setCarry_procedure(carry_val : 0..1)
ADD4R2
clock_state : BOOL = FALSE
rise()
evol0()
setc1()
evol1()
setc2()
evol2()
setc3()
evol3()
fall()
ADD4R1
clock()
setInputs()
ADD4
inpA : 0..15 = 0
inpB : 0..15 = 0
inpc : 0..1 = 0
out : 0..15 = 0
outc : 0..1 = 0
valid : BOOL = TRUE
calculate()
reset()
(4) <<bind>>
bit0(1)
<<bind>>
bit1(1)
<<bind>>
bit2(1)
<<bind>>
bit3(1)
<<bind>>
 
Fig. 1 - Attempt to use generic parameterised addition component 
2.2 Abstract  Specification 
The abstract specification is a singular class, ADD4, (Fig. 2) that has attributes representing the 
inputs and outs of the addition and two operations representing the setting of new input data and the 
availability of the output. A boolean attribute, valid, indicates when the output is ready. A class 
invariant is defined that the events must obey. This defines that when valid is true the outputs must 
equal the addition of the inputs. 
Verification. The verification of this component verifies that the operations obey the invariant (i.e. 
that types of attributes are not violated and that the output is the addition of the inputs when the 
valid flag indicates that the calculation operation was the last event. Since this level is purely a we were led away from this approach because the prover lacks rules for the operators needed in bit 
manipulation and therefore we attempted to minimise their use. 
From the proofs we managed to achieve our impression was that the process is more difficult 
than it should be. This is mainly due to limitations of the current version of tools for performing the 
proofs. For many proofs a strategy was fairly easy to envisage but very tedious to perform and to a 
significant degree this was due to the lack of user friendliness in the interface of the interactive 
prover. Many proofs were very similar and it would be useful to have a means to ‘program’ the 
prover to enable the ‘try everywhere’ facility to be used more effectively or for sequences of proof 
commands to be used at stages within a proof. A further or consequent problem was that any attempt 
to obtain generic components makes the proof obligations significantly more difficult to prove. With 
the current tools we think it unlikely that formal proof would be practical for use in industry for 
verifying the design of electronic components but we envisage improvements that may one day 
make this possible. 
Due to the dualistic semantic of integer and bit, the refinement contains some B expressions that 
are valid for both the integer based abstract specification and the bit based refinement. The 
expressions are 
 validOutput(od_,oc_)== 
  od_ = (inputA.data + inputB.data + inp_carry) mod(2**sz) & 
  oc_ = (inputA.data + inputB.data + inp_carry) / 2**sz 
(where sz, the number of bits, is 4 in the abstract specification and 1 in the refinement). 
We wished to base our specification and refinement upon a generic definition independent of 
vector length (i.e. a bit is a vector of length one). However, due to the lack of prover rules we found 
that the operators necessary to introduce this genericity (e.g. 2**sz) made the proof significantly 
more difficult. 
Although, this example doesn’t make extensive use of UML features, the B-UML specification 
still provides a useful visualisation of the structure and of the state variable. It was particularly 
useful in discussing and trying different structures. 
4 Further  work 
We will attempt alternative strategies to the refinement and its invariant in an attempt to discover 
guidance in how to tackle such problems. Further still, we envisage a second refinement to obtain 
the final implementation in terms of implementable gates. 
5 Acknowledgements 
Michael Butler (University of Southampton) provided re-assurance that the final 2 proofs were 
difficult and suggested that a more generic approach may well be easier to prove. Thierry Lecomte 
and Laurent Voisin of ClearSy answered questions about using AtelierB. 
6 References 
1.  Abrial, J.R.: The B Book - Assigning programs to meanings. Cambridge University Press. (1996) 
2 Ashenden,  P.J.:  The designers guide to VHDL, ISBN 1-55860-270-4 
3.  Cansell, D. & Méry, D.: Integration of the proof process in the system development through 
refinement steps. 5th Forum on Specification & Design Language - Workshop SFP in FDL'02. 
(Marseille, France). 2002. 12 p. 
4. ClearSy:  AtelierB User Manual, V3. ClearSy System Engineering, Aix-en-Provence (F). 
5. ClearSy:  Event B Reference Manual, V1. ClearSy, (2001). 
6. Gries,  D:  The Science of Programming. Springer Verlag (1981) 7. LeComte,  T.:  Abstract System Modelling. Draft http://www.keesda.com/pussee/ (2003) 
8.  Meyer, E. & Souquières, J.: A systematic approach to transform OMT diagrams to a B 
specification. In J. Wing, J. Woodcock, J.Davies, editors, World Congress on Formal Methods in 
the Development of Computing Systems, FM’99, Vol. I, LNCS 1708, Springer-Verlag, pp.875-
895. (1999) 
9.  PUSSEE project web site: http://www.keesda.com/pussee/ 
10.  Rumbaugh, J., Jacobson, I. & Booch, G.: The Unified Modelling Language Reference Manual. 
Addison-Wesley. (1998) 
11.  Snook, C. and Butler, M.: Using a graphical design tool for formal specification. In G.Kadoda, 
editor, Proceedings of the 13
th Annual Workshop of the Psychology of Programming Interest 
Group, pp. 311-321. (2001) 
12.  Snook, C. and Butler, M.: U2B - UML to B translation tool and Manual V4.4 available at 
http://www.ecs.soton.ac.uk/~cfs/U2Bdownloads/U2Bdownloads.htm 
13.  Abrial, J-R.: B
#: Toward a Synthesis between Z and B. In D.Bert, J.Bowen, S.King, M.Waldén, 
editors, ZB 2003:Formal Specification and Development in Z and B, LNCS 2651, Springer-
Verlag, pp. 168-177. (2003). 
 