CSP Theorems for Communicating B Machines
Steve Schneider and Helen Treharne
Technical Report CSD-TR
August
Department of Computer Science
Egham, Surrey TW EX, England
Abstract. Recent work on combining CSP and B has provided ways of describing systems comprised of components described in both B (to express requirements on state) and CSP (to express interactive and controller behaviour). This approach is driven by the desire to exploit existing tool support for both CSP and B, and by the need for compositional proof techniques. This paper is concerned with the theory underpinning the approach, and proves a number of results for the development and verification of systems described using a combination of CSP and B. In particular, new results are obtained for the use of the hiding operator, which is essential for abstraction. The paper provides theorems which enable results obtained (possibly with tools) on the CSP part of the description to be lifted to the combination. Also, a better understanding of the interaction between CSP controllers and B machines, in terms of nondiscriminating and open behaviour on channels, is introduced and applied to the deadlock-freedom theorem. The results are illustrated with a toy lift controller running example.
Introduction

Morgan's failures-divergences semantics for event systems [Mor] enables the various CSP semantics to be given to B machines. These CSP semantics allow machines to be treated as CSP components within a concurrent system, and we can combine them with other CSP components using architectural operators such as parallel composition and abstraction.

Recent work [Tre] has considered the interaction between a particular kind of B machine and a controller written as a recursive sequential CSP process. An important requirement of a controller for a machine is that it should invoke machine operations only within their preconditions. Previous results [Tre] have identified conditions sufficient to guarantee P ∥ M to be divergence-free, for a controller P and machine M, which ensures this important property. These results require identification of a control loop invariant (CLI) on the state of the B machine M, which must be true on every recursive call. This is established by considering the semantics of the B operations as they are called within the controller, and essentially computing the weakest precondition required to establish the CLI.

In combining communicating B machines we use a particular architecture [ST] to restrict the interaction between components, by ensuring that each B machine interacts only with its own controller. A system will be structured as a collection of B machines M_1, ..., M_n, each with its own CSP controller process P_1, ..., P_n. A controlled component is the parallel combination of a controller and its B machine, of the form P ∥ M.

Each M_i is under the control of the corresponding P_i, and the P_i's can also interact with each other. This architecture is illustrated in the figure below. Interaction across the system can occur only between the CSP processes. This approach enables compositional verification, whereby we are able to verify properties of the entire system by obtaining results about smaller structures within the system. In particular, both CSP and B already have mature tool support which can be used to verify the components.

Figure: A CSP and B combined system architecture (CSP layer: controllers P_1 ... P_n; B layer: machines M_1 ... M_n, each M_i connected only to its own P_i).

The model-checker FDR [For] performs model-checking on systems described in CSP, and is therefore suitable for analysing the controllers individually and in combination. The paper provides theorems which enable results obtained (possibly with tools) on the CSP part of the description to be lifted to the combination. We obtain a number of theorems in the various CSP semantic models.

In practice we find that it is often the case that a property holds in a combined system for reasons associated with the state within the B components. In this case the CSP controller descriptions need to be augmented with the relevant state information. This paper also provides theorems which support the required manipulations of CSP controllers.

Background

CSP Events

CSP processes are defined in terms of the events that they can and cannot do. Processes interact by synchronising on events, and the occurrence of events is atomic. The set of all events is denoted by Σ.

Events may be compound in structure, consisting of a channel name and some (possibly none) data values. Thus events have the form c.v_1 ... v_n, where c is the channel name associated with the event and the v_i are data values. The type of the channel c is the set of values that can be associated with c to produce events. For example, if trans is a channel name and N × Z is its type, then events associated with trans will be of the form trans.n.z, where n ∈ N and z ∈ Z; any particular trans.n.z is one such event.

Footnote: The FDR checks discussed in this paper are available at http://www.cs.rhul.ac.uk/research/formal/steve/code/lifts.fdr

A partial event (or, following [Sca], a partially completed datatype value) is a channel name together with some values, but not necessarily all. For example, trans.n for a particular n ∈ N is a partial event. Any channel is a special case of a partial event.

Given a set of partial events PE, we can define the set of events {| PE |} which are the completions of events in PE as follows:

{| PE |} = { p.w | p ∈ PE ∧ p.w ∈ Σ }

We use alphabetised CSP, so every process has an alphabet, which is the set of events whose occurrence requires its participation. The alphabet of a process P is denoted αP. For the purposes of this paper we will require that the alphabet of any process is given by a set of channels C, so that αP = {| C |}.
CSP controllers

A controller for a B machine is a particular kind of CSP process. To interact with the B machine it makes use of control channels, which have both input and output and provide the means for controllers to synchronise with B machines.

For each operation w ← e(v) of a controlled machine, with v of type T_in(e) and w of type T_out(e), there will be a channel e of type T_in(e) × T_out(e), so communications on e are of the form e.v.w.

Controller descriptions may also include assertions about the values of variables they are using. These are incorporated in CSP either as blocking assertions, which block if the assertion is false, or as diverging assertions, which diverge if the assertion is false, depending on the role they play in verification.

When we talk about a CSP controller P we mean a process which has a given set of control channels C. The controlled B machine will have exactly {| C |} as its alphabet: it can communicate only on channels in C.
Controller syntax

Controllers are generated from the following subset of the CSP syntax, as discussed in [ST]:

P ::= a → P | c?x → P | d!v → P | e!v?x{E(x)} → P | e!v?x⟨E(x)⟩ → P
    | P_1 □ P_2 | P_1 ⊓ P_2 | ⊓_{x | E(x)} P | if b then P_1 else P_2 | S(p)

where a is a synchronisation event, c is a communication channel accepting inputs, d is a communication channel sending output values, e is a control channel, x is a data variable, v is a data value, E(x) is a predicate on x (it may be elided, in which case it is considered to be true), b is a boolean expression, and S(p) is a process expression.

The process a → P is initially prepared to engage in an a event, after which it behaves as P. The input c?x → P is prepared to accept any value x along channel c and then behave as P, whose behaviour can be dependent on x. The output d!v → P provides v as output. The operation call e!v?x{E(x)} → P is an interaction with an underlying B machine: the value v is passed from the process as input to the B operation, and the value x is accepted as output from the B operation. If x meets the condition E(x) then the process behaves as P. If x does not meet the condition then the process diverges. On the other hand, e!v?x⟨E(x)⟩ → P only allows e.v.x if E(x); otherwise the event is blocked. Behaviour subsequent to e.v.x is that of P.

The external choice process P_1 □ P_2 is initially prepared to behave either as P_1 or as P_2, and the choice is resolved on occurrence of the first event. Binary and general internal choice are possible, though not used in the example presented here. The conditional choice if b then P_1 else P_2 behaves as P_1 or P_2 depending on the evaluation of the condition b. The process expression S(p) expresses a recursive call. Finally, processes can be defined using recursive definitions of the form S(p) ≙ P.

CSP semantic models

There are three semantic models used in this paper: the Traces model, the Stable Failures model, and the Failures-Divergences model. We introduce the relevant features of them here. Full details of these models can be found in [Ros, Sch].

Traces. A trace is a finite sequence of events. A sequence tr is a trace of a process P if there is some execution of P in which exactly that sequence of events is performed. The set traces(P) is the set of all possible traces of process P. The traces model for CSP associates a set of traces with every CSP process. If traces(P) = traces(Q) then P and Q are equivalent in the traces model, and we write P =_T Q.

Stable Failures. A stable failure is a pair (tr, X) consisting of a trace tr and a set of events X. Such a pair is a stable failure of a process P if there is some execution of P on which tr is the sequence of events performed, reaching a state in which all events in X can be refused and also no internal progress is possible. The set SF[[P]] is the set of stable failures of P. The stable failures model for CSP associates a set of stable failures and a set of traces with every CSP process. If SF[[P]] = SF[[Q]] and also traces(P) = traces(Q) then P and Q are equivalent in the stable failures model, and we write P =_SF Q.

Failures and Divergences. A divergence is a finite sequence of events tr. Such a sequence is a divergence of a process P if it is possible for P to perform an infinite sequence of internal events (such as a livelock loop) on some prefix of tr. The set of divergences of a process P is written D[[P]].

A failure is a pair (tr, X) consisting of a trace tr and a set of events X. It is a failure of a process P if either tr is a divergence of P (in which case X can be any set) or (tr, X) is a stable failure of P. The set of all possible failures of a process P is written F[[P]]. If D[[P]] = D[[Q]] and F[[P]] = F[[Q]] then P and Q are equivalent in the failures-divergences model, written P =_FD Q.

The different models are used to analyse CSP systems with respect to different properties. This paper is concerned with the failures-divergences model, which is used to check for liveness properties such as divergence-freedom. If a system description includes the possibility of divergence (for example, if it includes internal events) then it is necessary to use the failures-divergences model to check for divergence-freedom.

An important relationship between the stable failures model and the failures-divergences model is that if a process is divergence-free (i.e. its set of divergences is empty) then its failures are the same as its stable failures. This is captured in the following theorem.

Theorem. If D[[P]] = {} then F[[P]] = SF[[P]].

This theorem is useful because it allows us to carry out analysis in the stable failures model, which is generally easier and more efficient, and to establish results which remain valid in the failures-divergences model. For example, once it has been established that a process P is divergence-free, then to check that it is deadlock-free (i.e. that (tr, αP) cannot be a failure of P for any tr) it is sufficient to check this in the stable failures model: that (tr, αP) cannot be a stable failure. The model-checker FDR [For] can carry out divergence-freedom and deadlock-freedom checks mechanically. There are also CSP theorems (for example, one of the theorems in this paper) for establishing that a process P is divergence-free.
CSP semantics for B machines

Morgan's CSP-style semantics [Mor] for event systems enables us to define such semantics for B machines. A machine M thus has a set of traces T[[M]], a set of failures F[[M]] and a set of divergences D[[M]]. A sequence of operations ⟨e_1, e_2, ..., e_n⟩ is a trace of M if it can possibly occur. This is true precisely when it is not guaranteed to be blocked, or in other words it is not guaranteed to achieve false. In wp notation we write ¬wp(e_1; e_2; ...; e_n, false), or in Abstract Machine Notation ¬[e_1; e_2; ...; e_n]false. The empty trace is treated as skip.

MACHINE i_Lift
VARIABLES i_floor
INVARIANT i_floor ∈ NAT
INITIALISATION i_floor := 0
OPERATIONS
  i_inc(nn) =
    PRE nn ∈ NAT
    THEN i_floor := i_floor + nn
    END ;
  i_dec =
    PRE i_floor > 0
    THEN i_floor := i_floor - 1
    END ;
  bb ← i_isZero =
    IF i_floor = 0
    THEN bb := TRUE
    ELSE bb := FALSE
    END
END

i_LiftCtrl ≙
    i_up?y → i_inc!y → i_LiftCtrl
  □ i_down?y → i_DOWN(y)
  □ i_ground → i_LOWER

i_DOWN(n) ≙
  if n = 0 then i_LiftCtrl
  else i_isZero?bb →
    if bb = TRUE then i_LiftCtrl
    else i_dec → i_DOWN(n − 1)

i_LOWER ≙
  i_isZero?bb →
    if bb = TRUE then i_LiftCtrl
    else i_dec → i_LOWER

Figure: A Lift machine i_Lift and its controller i_LiftCtrl

A sequence does not diverge if it is guaranteed to terminate, i.e. to establish true. Thus a sequence is a divergence if it is not guaranteed to establish true, i.e. ¬[e_1; e_2; ...; e_n]true. Finally, given a set of events X, each event e ∈ X is associated with a guard g_e. A sequence with a set of events is a failure of M if the sequence is not guaranteed to establish the disjunction of the guards. Thus (⟨e_1, e_2, ..., e_n⟩, X) is a failure of M if ¬[e_1; e_2; ...; e_n](⋁_{e ∈ X} g_e). More details of the semantics of B machines can be found in [Tre].

Morgan does not give a stable failures semantics for action systems. We will define the stable failures SF[[M]] for a machine M in terms of its failures-divergences semantics as follows.

Definition. The stable failures of a B machine are defined as follows:

SF[[M]] = { (tr, X) | (tr, X) ∈ F[[M]] ∧ tr ∉ D[[M]] }

Observe that with this definition the theorem above also holds for B machines M.

We have a technique [Tre, ST] based on control loop invariants for establishing that a combination P ∥ M is divergence-free. In other words, previous results provide a means to establish that D[[P ∥ M]] = {}. This paper is not concerned with that technique. Rather, we are concerned with composing together a number of P_i ∥ M_i pairs once we have established that D[[P_i ∥ M_i]] = {} for each pair. Hence a number of the theorems in this paper will include an assumption that D[[P_i ∥ M_i]] = {}. The assumption in particular cases can be discharged using the control loop invariant technique.
Figure: The controlled lift system. i_LiftCtrl ∥ i_Lift, with i_up, i_down and i_ground as the events shared with the environment and i_inc, i_dec and i_isZero as the control channels between controller and machine.
A motivating toy example: a lift controller

As motivation for the results presented in this paper we consider a toy example of a collection of lift machines described in B, controlled by CSP controller processes. We will indicate the use of the theorems presented later in the paper. An individual lift is given in the figure "A Lift machine i_Lift and its controller i_LiftCtrl" above. It describes a particular lift, indexed by i. We will then go on to define a system consisting of a collection of such lifts.

Individual lifts

The Lift machine provides three operations: i_inc(nn), which moves the lift up nn floors; i_dec, which moves the lift down one floor; and a query operation i_isZero, which indicates whether or not the lift is on the ground floor.

The CSP controller is also given in the same figure. It interacts with a user through the events i_up, i_down and i_ground, and controls the lift accordingly:

• on i_up.y it calls i_inc and moves the lift up y floors;

• on i_down.y it calls i_dec y times, or until it reaches the ground if this is sooner;

• on i_ground it is required to move the lift to the ground floor. To do this it repeatedly checks, using i_isZero, whether the lift is on the ground floor, and if not then it moves the lift down a floor with i_dec.

We are firstly interested in each controlled lift combination

i_LiftSys ≙ (i_Lift ∥ i_LiftCtrl) \ {| i_inc, i_dec, i_isZero |}

which is pictured in the figure "The controlled lift system". We require as a minimum that this combination is deadlock-free and divergence-free.

These properties are apparent in this simple example. Deadlock-freedom is immediate, because the B machine is always willing to engage in any event required by the controller, and the controller itself is either waiting for an interaction from its environment or else ready to call a controller operation. Divergence could arise either (i) from a B operation being called outside its precondition, or (ii) from an infinite sequence of internal events. In the case of (i), the only operation with a non-trivial precondition is i_dec, and the controller is constructed so that i_dec is only ever called when the lift is not at the ground floor. In the case of (ii), the lift will eventually reach the ground floor, and so an infinite sequence of calls of i_dec cannot occur.

In more complex examples the properties may not be so apparent, and it would be useful to be able to apply analysis tools to carry out model-checking on the combined system. However, no tools currently exist which can analyse a combination of B and CSP descriptions, so instead we analyse the descriptions separately and combine results. In particular, for considering properties such as deadlock and livelock we would aim to apply a tool such as FDR [For] to the CSP part of the description and deduce results about the controlled combination. In particular, once it has been established that the controller does not call operations outside their precondition, then the aim is that all deadlocking and divergent behaviour is essentially contained in the controller, and can be identified without further reference to the B machine.

It has previously been established [ST] that under appropriate conditions the deadlock-freedom of a controller P implies the deadlock-freedom of a controlled combination P ∥ M. This result appears in this paper as a theorem in the section on deadlock-freedom.

We also establish in this paper (as a theorem in a later section) that under appropriate conditions, if P \ E is divergence-free then so too is (P ∥ M) \ E.

These two theorems are exactly what is required. We have only to check that i_LiftCtrl is deadlock-free to deduce the same for i_LiftSys. And we have only to check that i_LiftCtrl \ {| i_inc, i_dec, i_isZero |} is divergence-free to deduce this for i_LiftSys. These are both checks that are easily done using FDR.

However, the second check turns out not to be correct. The description of i_LiftCtrl \ {| i_inc, i_dec, i_isZero |} in fact contains a divergence, arising from the infinite sequence ⟨i_ground, i_isZero.false, i_dec, i_isZero.false, i_dec, ...⟩ of i_LiftCtrl. It is the machine i_Lift that ensures that this cannot occur, but that machine was not included in the FDR analysis.

The problem is that some of the control flow is dependent on the state information maintained in the B machine, and so the useful theorems we have available are not directly applicable. We need to include the relevant state information in the description of the CSP controller: we do this by introducing a new variable f, and also introducing the expectation that the value true will be received on channel i_isZero exactly when f = 0. This is included as an assertion, as shown in the figure "The controller with diverging assertions" below.

i_LiftCtrl(f) ≙
    i_up?y → i_inc!y → i_LiftCtrl(f + y)
  □ i_down?y → i_DOWN(f, y)
  □ i_ground → i_LOWER(f)

i_LOWER(f) ≙
  i_isZero?bb{bb = TRUE ⇔ f = 0} →
    if bb = TRUE then i_LiftCtrl(f)
    else i_dec → i_LOWER(f − 1)

i_DOWN(f, n) ≙
  if n = 0 then i_LiftCtrl(f)
  else i_isZero?bb{bb = TRUE ⇔ f = 0} →
    if bb = TRUE then i_LiftCtrl(f)
    else i_dec → i_DOWN(f − 1, n − 1)

Figure: The controller with diverging assertions

i_LiftCtrl(f) ≙
    i_up?y → i_inc!y → i_LiftCtrl(f + y)
  □ i_down?y → i_DOWN(f, y)
  □ i_ground → i_LOWER(f)

i_LOWER(f) ≙
  i_isZero?bb⟨bb = TRUE ⇔ f = 0⟩ →
    if bb = TRUE then i_LiftCtrl(f)
    else i_dec → i_LOWER(f − 1)

i_DOWN(f, n) ≙
  if n = 0 then i_LiftCtrl(f)
  else i_isZero?bb⟨bb = TRUE ⇔ f = 0⟩ →
    if bb = TRUE then i_LiftCtrl(f)
    else i_dec → i_DOWN(f − 1, n − 1)

Figure: The controller with blocking assertions

It is straightforward to show that the controller with diverging assertions is an appropriate driver for i_Lift, using the control loop invariant f = i_floor, which relates the CSP state to the state of the B machine. The proof that this controller in parallel with i_Lift has no divergences involves establishing the truth of the assertion for the input bb on i_isZero.
Introducing a diverging assertion means that this controller trivially has a divergence (i.e. the behaviour when the assertion is not met), so it is not appropriate to check (controller with diverging assertions) \ {| i_inc, i_dec, i_isZero |} for divergence-freedom. However, in the context of i_Lift we know the assertion will always be true, so we may replace the diverging assertion by a blocking one and yield a controller with the same behaviour in the context of i_Lift. The only difference is that this controller blocks rather than diverges when the assertion is false, and since the assertion is never false in the context of i_Lift, the resulting behaviour is the same. This transformation is justified by a corollary given at the end of a later section. Thus we obtain a variant of the controller, given in the figure "The controller with blocking assertions", such that

(controller with blocking assertions) ∥ i_Lift =_FD (controller with diverging assertions) ∥ i_Lift

i_LiftCtrl(f) ≙
    i_up?y → i_inc!y → i_LiftCtrl(f + y)
  □ i_down?y → i_DOWN(f, y)
  □ i_ground → i_LOWER(f)

i_LOWER(f) ≙
  i_isZero?bb →
    if bb = TRUE then i_LiftCtrl(f)
    else i_dec → i_LOWER(f − 1)

i_DOWN(f, n) ≙
  if n = 0 then i_LiftCtrl(f)
  else i_isZero?bb →
    if bb = TRUE then i_LiftCtrl(f)
    else i_dec → i_DOWN(f − 1, n − 1)

Figure: The controller with all assertions dropped

Now we have a transformation of the controller which is divergence-free when the internal events are hidden: (controller with blocking assertions) \ {| i_inc, i_dec, i_isZero |} is divergence-free, and this can be checked using FDR (given a bound on the number of possible consecutive i_up events). So we can conclude that ((controller with blocking assertions) ∥ i_Lift) \ {| i_inc, i_dec, i_isZero |} is divergence-free.

Now the same corollary also allows the assertions of the blocking-assertion controller to be dropped completely, resulting in a controller whose behaviour does not depend on the value of the parameter f at all. This controller is given in the figure "The controller with all assertions dropped". A theorem in a later section yields that this controller is equivalent to the original i_LiftCtrl. We have therefore finally established divergence-freedom of the original combination (i_LiftCtrl ∥ i_Lift) \ {| i_inc, i_dec, i_isZero |}.

To sum up, we identified two new controllers which are equivalent in the presence of i_Lift to the original controller i_LiftCtrl, and which are each used in a different part of the proof:

(controller with diverging assertions) ∥ i_Lift =_FD (controller with blocking assertions) ∥ i_Lift =_FD i_LiftCtrl ∥ i_Lift

• The combination (controller with diverging assertions) ∥ i_Lift can be shown to be divergence-free using techniques from [ST].

• (controller with blocking assertions) \ {| i_inc, i_dec, i_isZero |} is divergence-free, and so ((controller with blocking assertions) ∥ i_Lift) \ {| i_inc, i_dec, i_isZero |} is divergence-free.

• And (controller with blocking assertions) ∥ i_Lift is equivalent to the original i_LiftCtrl ∥ i_Lift.

These results together establish the required result, that the original combination (i_LiftCtrl ∥ i_Lift) \ {| i_inc, i_dec, i_isZero |} is divergence-free. The state information was introduced into the controller purely to enable the verification to take place, and can be removed once the result has been established.

We also deduce that (i_LiftCtrl ∥ i_Lift) \ {| i_inc, i_dec, i_isZero |} is deadlock-free. This follows from deadlock-freedom of i_LiftCtrl ∥ i_Lift.
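The argument of this section (the precondition on i_dec, the assertion bb = TRUE ⇔ f = 0, the control loop invariant f = i_floor, and the livelock that the controller on its own admits once the control channels are hidden) as an added, runnable Python model; this is not code from the paper or its FDR scripts. The Lift and StuckLift classes, the string encoding of events ('i_up.3', 'i_ground') and the bound on consecutive internal events are assumptions of this example.

```python
class Divergence(Exception):
    """Raised where the CSP semantics diverges: a B operation called outside its
    precondition, a failed diverging assertion {E(x)}, or an unbounded run of
    internal events (the livelock that the controller on its own admits)."""


class Lift:
    """The B machine i_Lift of the figure, with each PRE checked explicitly."""

    def __init__(self):
        self.floor = 0                       # INITIALISATION i_floor := 0

    def inc(self, nn):
        if nn < 0:                           # PRE nn : NAT
            raise Divergence("i_inc called outside its precondition")
        self.floor += nn                     # i_floor := i_floor + nn

    def dec(self):
        if self.floor <= 0:                  # PRE i_floor > 0
            raise Divergence("i_dec called outside its precondition")
        self.floor -= 1                      # i_floor := i_floor - 1

    def is_zero(self):
        return self.floor == 0               # bb <-- i_isZero


class StuckLift(Lift):
    """Hypothetical stand-in (constructed here) for 'no machine at all': it answers
    i_isZero.false forever, which is what i_LiftCtrl alone cannot rule out."""

    def dec(self):
        self.floor -= 1                      # no precondition: machine abstracted away

    def is_zero(self):
        return False


def run_controller(env_events, lift=None, check_assertion=True, max_internal=1000):
    """Drive `lift` through i_LiftCtrl(f) for a constructed list of environment
    events ('i_up.3', 'i_down.2', 'i_ground'). Returns (trace, f): the full trace,
    including the control-channel events that i_LiftSys hides, and the final f.
    The CLI f = i_floor is asserted at every recursive call of i_LiftCtrl; more
    than max_internal hidden events in a row is reported as divergence."""
    lift = Lift() if lift is None else lift
    f, trace, internal = 0, [], 0

    def internal_event(name):
        nonlocal internal
        trace.append(name)
        internal += 1
        if internal > max_internal:
            raise Divergence("unbounded sequence of internal events: livelock")

    def query_is_zero():                      # i_isZero?bb{bb = TRUE <=> f = 0}
        bb = lift.is_zero()
        internal_event("i_isZero." + ("true" if bb else "false"))
        if check_assertion and bb != (f == 0):
            raise Divergence("assertion bb = TRUE <=> f = 0 failed")
        return bb

    def dec():                                # i_dec, with the CSP copy f := f - 1
        nonlocal f
        lift.dec()
        internal_event("i_dec")
        f -= 1

    for ev in env_events:
        assert f == lift.floor, "control loop invariant f = i_floor broken"
        internal = 0                          # a visible event ends the hidden run
        trace.append(ev)
        chan, _, arg = ev.partition(".")
        if chan == "i_up":                    # i_up?y -> i_inc!y -> i_LiftCtrl(f + y)
            y = int(arg)
            lift.inc(y)
            internal_event(f"i_inc.{y}")
            f += y
        elif chan == "i_down":                # i_down?y -> i_DOWN(f, y)
            n = int(arg)
            while n > 0 and not query_is_zero():
                dec()
                n -= 1
        elif chan == "i_ground":              # i_ground -> i_LOWER(f)
            while not query_is_zero():
                dec()
        else:
            raise ValueError(f"not an environment event: {ev}")
    assert f == lift.floor, "control loop invariant f = i_floor broken"
    return trace, f


def diverges(env_events, **kwargs):
    """True iff i_LiftCtrl(f) driven over env_events diverges."""
    try:
        run_controller(env_events, **kwargs)
        return False
    except Divergence:
        return True
```

With the real i_Lift the assertion never fails and every hidden run terminates; with StuckLift the diverging-assertion controller diverges at once, and the assertion-free controller runs the i_isZero.false, i_dec loop until the bound is hit, which is the divergence FDR reports for the hidden controller on its own.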

Figure: The complete system Lifts. Four controlled lifts i_LiftCtrl ∥ i_Lift (i = 1..4), each with external channels i_up, i_down, i_ground and internal channels i_inc, i_dec, i_isZero, together with DispatchCtrl ∥ Dispatch, which communicate over send and reset; the system's external channels are req and bottom.
A collection of lifts

We will now combine the lifts into a single system, together with a Dispatch and DispatchCtrl component which manages requests for lifts from buttons on the various floors. When a request for a lift is made from a particular floor, only one of the lifts needs to be sent. An example architecture made up of four lifts is pictured in the figure above.

The Dispatch machine contains some algorithm for deciding which lift should be sent to a particular floor. It has an operation ii, nn, dd ← send(x): on input of the floor x to send a lift to, it provides as output the lift ii to be sent, the number of floors nn and the direction dd that lift ii will need to travel, as computed by Dispatch. Dispatch has another operation, reset, which is called when all lifts return to the ground floor. The particular details of Dispatch are not relevant to this example and will not be given here.

The DispatchCtrl controller accepts requests along channel req: an input req.x is a request for a lift to go to floor x. It makes use of the Dispatch machine to decide which lift to allocate, and then sends the appropriate instruction to the relevant lift. The controller can also accept an instruction bottom to return all lifts to the ground floor. It is defined as follows:

DispatchCtrl ≙
    req?x → send!x?i?n?d →
      if d = ascend then i_up!n → DispatchCtrl
      else i_down!n → DispatchCtrl
  □ bottom → 1_ground → 2_ground → 3_ground → 4_ground → reset → DispatchCtrl

Our overall system is then composed of the controlled lift components ∥_i (i_LiftCtrl ∥ i_Lift) interacting with the DispatchCtrl ∥ Dispatch component, and with all events apart from req and bottom internal:

Lifts ≙ ((∥_i (i_LiftCtrl ∥ i_Lift)) ∥ (DispatchCtrl ∥ Dispatch)) \ Int

Int = ⋃_i {| i_inc, i_dec, i_isZero, i_up, i_down, i_ground |} ∪ {| send, reset |}

We will see in a later section that this system is deadlock-free and divergence-free.
 Deadlockfreedom
This section introduces two new properties concerning process behaviour on chan
nels open on possible inputs and nondiscriminating
 These are the key proper
ties exhibited by B machines and CSP controllers respectively
 As we shall see
considering components in terms of these properties enables many of the results
from Sections  and  concerning individual controlled components to be lifted
to interacting collections of controlled components in Section 
 They also enable
easier proofs of previously established results such as Theorem  in this section

An essential requirement for controlled components is deadlockfreedom
 This is
easily checked in FDR but only for processes that are expressed in CSP
 Thus
we aim to establish a theorem that allows the deadlockfreedom of P k M to be
deduced from deadlockfreedom of P which can then be checked using FDR

In general parallel composition does not preserve deadlockfreedom
 Fortunately
in the case of CSP controllers and B machines we are able to identify conditions
which ensure that the processes involved interact on their common channels in a
particular way ensuring that introducing a B machine cannot introduce any new
deadlocks
 In other words any deadlocks possible for the controlled component
P k M must already have been possible in P 

Open on possible inputs

The required property of the B machine is that it should always be able to accept any input for any operation, and be able to provide some output. The need for this property is precisely why only machines with non-blocking operations are permitted. If a machine meets this property then we will say it is open on the particular operations and inputs.

In CSP terms, this is defined formally for CSP processes Q as follows.

Definition. A process Q is open on a set of partial events PE if, given any (tr, X) ∈ SF[[Q]] and e ∈ PE, there is some w such that e.w ∉ X.

This will apply to B machines as follows: given any machine operation w ← e(v), we would expect the machine to be open on any partial event of the form e.v, which corresponds to passing the input v to operation e. In other words, there should be some output w which is made available by the machine, and hence does not appear in the refusal set X.

The set of possible inputs for a machine will be all those partial events which correspond to operations being called with some input. The events are partial because they do not include the output values.

Definition. Given a B machine M with operations w_i ← e_i(v_i), the set pi(M) of possible inputs for M is defined by

pi(M) = ⋃_i { e_i.v_i | v_i ∈ T_in(e_i) }

Example. The set of possible inputs for the machine i_Lift is given in terms of the three operations as follows:

pi(i_Lift) = {| i_inc.i | i ∈ Z |} ∪ {| i_dec |} ∪ {| i_isZero |}

Observe that in the cases of i_inc and i_dec there are no outputs, so the partial events are in fact complete events. Being open on these events means that they cannot be refused, since their output field is empty. There are two completions of the partial event i_isZero: i_isZero.true and i_isZero.false. i_Lift being open on this partial event means that at any stage at least one of these completions cannot be refused by i_Lift.

The key property of non-blocking machines is that they will always be open on their possible inputs.

Lemma. Any non-blocking B machine M is open on pi(M).

This states, in CSP semantics terms, that any operation call with any input should always produce some result.

Our approach is restricted to non-blocking B machines. In other words, operations w ← e(v) must always be enabled (though they might be called outside their preconditions, which leads to divergence), and on any input they must provide some output.
Nondiscriminating controllers
The condition on a controller P is that whenever it calls an operation of the
controlled B machineM  it should be able to accept any output provided by M 

We call this property nondiscriminating and it can be expressed formally in
CSP terms with the following denition

Denition  A CSP process P is nondiscriminating on a set of partial events
PE if for any failure tr  X   SF P 		 and subset CV  PE we have that
 cv  CV  w  cv w  X  tr  X  fj CV jg  SF P 		
This denition states that if any event cv w can be refused i
e
 appears in
the refusal set X  then all the inputs on channel cv i
e
 outputs from the B
machine could be refused thus the refusal X can be augmented with fj cv jg

Example  The control process i LiftCtrl is nondiscriminating on i isZero at
any stage i LiftCtrl can either refuse all of fj i isZero jg or else none of it
 In
terms of the denition whenever some event from fi isZerotrue  i isZerofalseg
can be refused then all can be refused

Observe that i LiftCtrl is also nondiscriminating on fi inci j i  Zg and on
i dec
 In fact a process will trivially be nondiscriminating on complete events

Controllers which do not include blocking assertions on the control channels are
able to accept any output from the associated B machine whenever they call an
operation with any particular inputs
 Thus they will be nondiscriminating on
the possible inputs to the machine
 This is expressed by the following lemma
Lemma  If P is a controller for machine M with no blocking assertions on any
channels of M  then P is nondiscriminating on the set piM  of M s possible
inputs
Proof By structural induction on P 

Observe that this lemma is illustrated by i LiftCtrl in Example  above

Establishing Deadlockfreedom
We now have ingredients which are sucient to deduce deadlockfreedom of P k
Q from deadlockfreedom of P 
 The idea is that the interface between P and Q
is dened by a set of partial events PE  P should be nondiscriminating on these
partial events and Q should be open on them
 We can show that if P k Q can
deadlock then so can P 

If P k Q does have a deadlock state then all events can be simultaneously refused
in that state
 For any partial event e Q is open on e so Q cannot refuse all of
fj e jg
 Hence P must be refusing some event in fj e jg and so because P is
nondiscriminating P can refuse all of fj e jg
 Thus we nd that all events in
the interface can be refused by P in this state and P cannot perform any other
events either
 Hence P is in a deadlocked state

Consider this reasoning in the context of a controlled component
 Consider a
state of P k M 
 If P in this state is not deadlocked then either
Deadlockfreedom 

 P is ready to perform an event outside M 
 In this case M cannot prevent
that event and the combination P k M is ready to perform the event and
hence is not deadlocked or

 P is ready to perform an interaction with M 
 In this case it is an operation
call c with some input v 
 P is ready to accept any output from this operation
call since it is nondiscriminating on cv 
 M is ready to provide an output w
in response to cv  since it is open on cv 
 Hence the combination P k M is
ready to perform cv w  and so is not in a deadlocked state

The lemma that this reasoning establishes is the following.

Lemma. If

- P is non-discriminating on a set of partial events PE, and
- Q is open on PE, and
- α(Q) ⊆ {| PE |},

then if P is deadlock-free in the stable failures model, so too is P ∥ Q.
Proof We prove this result by contradiction

Assume that there is some deadlock tr     SF P k Q 		 where   P 
Q
 Then there must be refusal sets X
P
and X
Q
such that X
P
X
Q
  with
tr   P X
P
  SF P 		 and tr   Q X
Q
  SF Q 		
 Then  n Q 
 n X
Q
 X
P
 and so   X
P
 Q

Now Q is open on PE so for each e  PE there is some w such that ew 	 X
Q


Since ew    X
Q
X
P
 it follows that ew  X
P

 Since P is nondiscriminating
on PE it follows that tr   P X
P
fj PE jg  SF P 		
 But fj PE jg  Q
and so tr   P    SF P 		 since   X
P
Q
 Thus P has a deadlocking
trace contradicting the assumption that P is deadlockfree

For a particular controlled component P ∥ M we already have the conditions for this lemma: P is non-discriminating on pi(M) (from the lemma on controllers with no blocking assertions), M is open on pi(M) (from the lemma on non-blocking machines), and α(M) = {| pi(M) |}.

Finally we obtain the following theorem for controlled components.

Theorem. If P is a CSP controller for M with no blocking assertions on any channels of M, and P is deadlock-free in the stable failures model, then P ∥ M is deadlock-free in the stable failures model.

Proof. This follows from the three lemmas earlier in this section, by observing that P is non-discriminating on pi(M) and M is open on pi(M).

This theorem is exactly what is required to establish deadlock-freedom of P ∥ M from deadlock-freedom of P. In fact a direct proof of this theorem in terms of the CSP semantics has previously been presented in [ST]. However, we find that the identification of the properties non-discriminating and open yields more understanding as to why the theorem works, and allows an easier proof of this theorem and of others.
Example  For example consider the combination i LiftCtrl k i Lift  in a
state after some trace tr  in which fi isZerotrue  i isZerofalseg is refused
 We
know that i Lift is open on fj i isZero jg so it cannot refuse the whole set
fi isZerotrue  i isZerofalseg
 Since the parallel combination does refuse that
whole set it must be that i LiftCtrl is refusing at least one of i isZerotrue
i isZerofalse
 But i LiftCtrl is nondiscriminating on i isZero so this means
that it can itself refuse the whole set fj i isZero jg

The same reasoning applies to all partial events in the interface between i LiftCtrl
and i Lift 
 Thus if i LiftCtrl k i Lift could reach a deadlock state then all
events in the interface would be refused by i LiftCtrl k i Lift  and so they could
also be refused purely by i LiftCtrl 
 Thus i LiftCtrl would also have a deadlock
state

As observed previously i LiftCtrl is deadlockfree
 Hence Theorem  allows us
to deduce that i LiftCtrl k i Lift is deadlockfree

Restricting events to prevent divergence

The use of abstraction is essential in the compositional development of large systems. We will therefore generally need to hide control channels within controlled components. In the lift component example of the earlier section, the channels i.inc, i.dec and i.isZero are hidden, leaving i.up, i.down and i.ground as the only external channels.

Since hiding has the potential to introduce divergence, we need to be able to establish when this does not occur. In particular, it would be useful to be able to check divergence-freedom of a controller P \ C using FDR, and to be able to deduce divergence-freedom of the controlled component (P ∥ M) \ C.

The following theorem on CSP processes P and Q gives such a condition.

Theorem. If P ∥ Q is divergence-free, C ⊆ α(P), and P \ C is divergence-free, then (P ∥ Q) \ C is divergence-free.
Proof Assume for a contradiction that tr

 D P k Q n C 		

Restricting events to prevent divergence 	
Then either tr

 tr
 
n C where tr
 
 D P k Q 		 contradicting the fact that
P k Q is divergencefree or  tr
 
  tr

 tr

 tr
 
n C
a
tr

 n   tr

 C


tr

 n  tr
 
a
tr

 T P k Q		g
 In this case we have that n   tr

 C


tr

 n  tr
 
  P
a
tr

 T P 		
 But this means that tr
 
  P  D P n C 		
contradicting the fact that P n C is divergencefree

This is immediately applicable to controlled components, where the machine M is considered as the process Q, since C ⊆ α(P) as a consequence of our architecture. Thus divergence-freedom of (P ∥ M) \ C follows directly from divergence-freedom of P \ C.

However, in practice it will often be the case that P \ C turns out not to be divergence-free even if (P ∥ M) \ C is. For instance, in the lift example we found that i.LiftCtrl \ {| inc, dec, isZero |} was not divergence-free, and instead we had to transform the controller description to a version of i.LiftCtrl for which i.LiftCtrl \ {| inc, dec, isZero |} is divergence-free. So it is necessary to identify theorems which justify such transformations.

Our approach is to identify behaviours of controller P which cannot occur in the context of the machine M under control. We then aim to find P' such that

- P' is the same as P except possibly on the behaviours that have been identified, and
- P' \ C is divergence-free.

Thus P' ∥ M will be the same as P ∥ M. We are assuming that P ∥ M has previously been shown to be divergence-free, i.e. that P is an appropriate controller for M. The theorem above applied to P' yields that (P' ∥ M) \ C is divergence-free, and hence (P ∥ M) \ C is divergence-free.

This is the approach that was taken in the lift example. The relevant behaviour that cannot occur in the context of i.Lift is the output of false from isZero when the lift is at the ground floor. This behaviour is blocked in the transformed i.LiftCtrl. However, the transformed i.LiftCtrl is the same as the original for all behaviours that are possible in parallel with i.Lift.

The way we identify traces that cannot occur is to require divergence whenever they do occur, and then look for divergences. If we are concerned with a set of traces $T \subseteq A^*$, then we can express this by defining a new process $\mathit{DIV}_A(T)$ which behaves as $\mathit{RUN}_A$ except that it diverges on any trace in T:
$$ \mathcal{F}[\![\mathit{DIV}_A(T)]\!] = \{ (tr, \{\}) \mid tr \in A^* \} \;\cup\; \{ (tr \frown tr', X) \mid tr \in T \wedge tr' \in A^* \wedge X \subseteq A \} $$
$$ \mathcal{D}[\![\mathit{DIV}_A(T)]\!] = \{ tr \frown tr' \mid tr \in T \wedge tr' \in A^* \} $$
Observe that $\mathit{DIV}_A(\{\}) =_{FD} \mathit{RUN}_A$ and $\mathit{DIV}_A(A^*) =_{FD} \mathit{DIV}_A$, the immediately divergent process with alphabet A.

The process $\mathit{DIV}_A(T)$ can then be used to mask behaviour in a process P. The process $P \parallel \mathit{DIV}_A(T)$ behaves exactly as P, except that whenever a trace in T is performed then it diverges. Thus if $P \parallel \mathit{DIV}_A(T) =_{FD} P' \parallel \mathit{DIV}_A(T)$ then P and P' have the same behaviour except possibly with regard to traces in T, which are masked by the introduction of divergence.

Equivalence on non-divergent behaviour

Given an upwards-closed set $T \subseteq A^*$ of traces (i.e. $tr \in T \Rightarrow tr \frown tr' \in T$), we can define a process $\mathit{DIV}_A(T)$ which behaves as $\mathit{RUN}_A$ except that it diverges on any trace in T:
$$ \mathcal{F}[\![\mathit{DIV}_A(T)]\!] = \{ (tr, \{\}) \mid tr \in A^* \} \;\cup\; (T \times \mathbb{P}\,A) $$
$$ \mathcal{D}[\![\mathit{DIV}_A(T)]\!] = T $$
Observe that $\mathit{DIV}_A(\{\}) = \mathit{RUN}_A$ and $\mathit{DIV}_A(A^*) = \mathit{DIV}_A$.

The process $\mathit{DIV}_A(T)$ can be used to mask behaviour in a process P. The process $P \parallel \mathit{DIV}_A(T)$ behaves exactly as P, except that whenever a trace in T is performed then it diverges. Thus if $P \parallel \mathit{DIV}_A(T) = P' \parallel \mathit{DIV}_A(T)$ then P and P' have the same behaviour except possibly with regard to traces in T, which are masked by the introduction of divergence.

Lemma  For any process P
P 
FD
P k DIV
P
D P 		
Proof Let R  DIV
P
D P 		
 We will prove that P k R has the same diver
gences and failures as P 

D P k R		  ftr
a
tr

j tr  T P 		  tr  D R		g
 ftr
a
tr

j tr  D P 		  tr  T R		g
 ftr
a
tr

j tr  D R		g
 ftr
a
tr

j tr  D P 		g
D P 		
F P k R		  ftr  X
 
 X

 j tr  X
 
  F P 		  tr  X

  F R		g
 ftr  X  j tr  D P k R		g
 ftr  X  j tr  X   F P 		g
 ftr  X  j tr  D P 		g
 F P 		
Restricting events to prevent divergence 
Lemma  If A  P and P k DIV
A
T  is divergencefree for some arbitrary
upwardclosed set of traces T  then P  P k DIV
A
T 
Proof We are given that D P k DIV
A
T 		  fg
D P k DIV
A
T 		  ftr
a
tr

j tr  T P 		  tr   A  D DIV
A
T 		g
 ftr
a
tr

j tr  D P 		  tr   A  T DIV
A
T 		g
 ftr j tr  T P 		  tr   A  Tg  D P 		
 fg
Hence D P 		  fg
 Observe also that ftr j tr  T P 		  tr   A  Tg  fg

F P k DIV
A
T 		  ftr  X
 
 X

 j tr  X
 
  F P 		  tr   A X

  F DIV
A
T 		g
 ftr  X  j tr  D P k DIV
A
T 		g
 ftr  X  j tr  X   F P 		  tr   A 	 Tg
 ftr  X  j tr  T P 		  tr   A  Tg
 fg
 F P 		
Hence P k DIV
A
T  and P agree on their failures and divergences establishing
the result

The following theorem allows a process P to be replaced by an alternative process P' in the context of another process Q. In particular, if P does not diverge in the context of Q (i.e. P ∥ Q is divergence-free) and P' is the same as P except on divergent traces of P, then P and P' have the same executions when executed in parallel with Q, since none of P's divergent traces will be performed.

Theorem. If P, P' and Q are such that

- P ∥ Q is divergence-free,
- $P =_{FD} P' \parallel \mathit{DIV}_{\alpha(P)}(\mathcal{D}[\![P]\!])$, and
- α(P) = α(P'),

then $P \parallel Q =_{FD} P' \parallel Q$.

Proof. Let $D = \mathit{DIV}_{\alpha(P)}(\mathcal{D}[\![P]\!])$. Then
$$ \begin{array}{rcl}
P \parallel Q & =_{FD} & (P' \parallel D) \parallel Q \\
 & =_{FD} & P' \parallel Q
\end{array} $$
The last step follows from the preceding lemma (with $A = \alpha(P) \subseteq \alpha(P' \parallel Q)$), because $P' \parallel D \parallel Q$ is divergence-free.

This states that if P' differs from P only with respect to where P diverges, and P ∥ Q does not diverge, then P and P' behave the same in the context of Q. This follows because if P ∥ Q does not diverge then none of the traces of P which lead to divergence are possible when executing in parallel with Q. Since P' is exactly the same as P except for these traces, and Q prevents such traces from occurring, it follows that P' ∥ Q is the same as P ∥ Q.

Example  As an example to illustrate Theorem  consider the following pro
cesses
 P and P

have alphabet A  fa  b  cg and Q has alphabet fa  bg

P b a  b  DIV
A
  a  c  P
P

b a  b  c  P

  a  c  P


Q b a  a  Q   b  STOP

 Firstly we see that P k Q can only ever perform a and c events and is
deadlockfree
 In particular the process Q prevents P from performing the b
event the only event that can lead to divergence since there is no point at
which P and Q can agree to perform b


 The behaviour of P

after b occurs is dierent to that of P which is divergent
but if b does not occur then P and P

behave the same
 Thus P and P

are
the same except on the divergences of P 


 Finally note that P and P

have the same alphabet

Thus we can conclude that P k Q 
FD
P

k Q 

The reason this result is useful is because it supports the introduction and manipulation of assertions on the control channels. If we introduce a divergent assertion on a control channel between P and M, and we then establish that P ∥ M is divergence-free using control loop invariant (CLI) techniques, then we can alter the behaviour of P when the assertion is false (in which case P diverges) and obtain a related controller P' which matches P outside P's divergences and for which $P \parallel M =_{FD} P' \parallel M$. The aim is to obtain a controller P' in this way for which P' \ C is divergence-free.

The next lemma lists some ways in which diverging assertions within a controller can be transformed.

Lemma. If a controller P' is obtained from controller P by replacing clauses of the form $e?x\{E(x)\} \to R(x)$ with one of

- $e?x\{E'(x)\} \to R(x)$ where $\forall\, x \,.\, E(x) \Rightarrow E'(x)$,
- $e?x \to \mathbf{if}\ E(x)\ \mathbf{then}\ R(x)\ \mathbf{else}\ Q(x)$,
- $e?x \to R(x)$,
- $e?x\langle E(x) \rangle \to R(x)$,

then $P =_{FD} P' \parallel \mathit{DIV}_{\alpha(P)}(\mathcal{D}[\![P]\!])$.

Proof. By structural induction on the form of P.

Thus we obtain the following corollary for controlled components.

Corollary. If P ∥ M is divergence-free, then behaviour in P following an input which fails a diverging assertion can be changed in accordance with the lemma without affecting the behaviour of the parallel combination.

This means that diverging assertions in P, once they have been discharged in a context M, can be replaced with blocking assertions or else removed completely. This is precisely the justification for the transformation of i.LiftCtrl in the context of i.Lift: in that context, i.LiftCtrl does not diverge.

Abstraction and refinement

In this section we consider the verification of controlled components with respect to refinement specifications. We will begin by considering traces refinement, where the results are straightforward. We will then consider stable failures refinement.

In the case of traces refinement we immediately have the following result.

Lemma. For any controller P and any B machine M we have that $P \sqsubseteq_T P \parallel M$.

Proof. This follows immediately from the trace semantics of parallel composition:
$$ \mathcal{T}[\![P \parallel M]\!] = \mathcal{T}[\![P]\!] \parallel \mathcal{T}[\![M]\!] \subseteq \mathcal{T}[\![P]\!] $$

This yields the following corollary.

Corollary.

1. If $S \sqsubseteq_T P$ then $S \sqsubseteq_T P \parallel M$.
2. If $S \sqsubseteq_T P \setminus A$ then $S \sqsubseteq_T (P \parallel M) \setminus A$.

These follow from transitivity of refinement, and the second also uses monotonicity of the CSP operators (in this case hiding) with respect to refinement.

These results mean that it is sufficient to demonstrate a trace refinement $S \sqsubseteq_T P$ or $S \sqsubseteq_T P \setminus A$ purely on the CSP part of a controlled component in order to deduce that it holds for the overall controlled component: $S \sqsubseteq_T P \parallel M$ or $S \sqsubseteq_T (P \parallel M) \setminus A$ respectively. In this way we can establish trace properties of controlled components.

When we consider stable failures the situation is not so straightforward. In particular, a stable failures refinement of the form $S \sqsubseteq_{SF} P$ on a controller P can place liveness requirements on the interactions between P and its controlled machine. However, the introduction of the machine might violate the requirement even if P meets it. For example, if $S \mathrel{\hat=} c?x \to S$ and $P \mathrel{\hat=} c?x \to P$, then $S \sqsubseteq_{SF} P$. Yet if M is only prepared to perform c with one particular value, and will block c with any other value, then we find that $S \not\sqsubseteq_{SF} P \parallel M$.

Fortunately we are able to obtain results in the case where the specification S is only concerned with the external events of P, and not the internal channels that P uses to interact with M. In this case we obtain the following theorem.

Theorem. If

- P is non-discriminating on a set of partial events PE, and
- Q is open on PE, and
- {| PE |} ⊆ α(P), and
- α(Q) ⊆ {| PE |},

then
$$ P \setminus \{\!|\, PE \,|\!\} \;\sqsubseteq_{SF}\; (P \parallel Q) \setminus \{\!|\, PE \,|\!\}. $$
Proof We aim to prove that

 T P k Q n fj PE jg		  T P n fj PE jg		 and

 SF P k Q n fj PE jg		  SF P n fj PE jg		

 This is a case of Corollary  above


 Consider tr  X   SF P k Q n fj PE jg		
 We aim to prove that tr  X  
SF P n fj PE jg		

From the semantics of hiding there is some tr

such that tr

n fj PE jg  tr and
tr

 X  fj PE jg  SF P k Q 		
 So there are X
P
and X
Q
such that

 tr

  P X
P
  SF P 		

 tr

  Q X
Q
  SF Q 		 and
Abstraction and renement 

 X
P
 X
Q
 X  fj PE jg

Now X
Q
 fj PE jg and X  fj PE jg  fg so X  X
Q
 fg and so X  X
P


Now consider some e  PE 
 There is some w such that ew 	 X
Q
 because Q is
open on PE 
 However ew  fj PE jg and so ew  X
P


Since this is true for each e  PE  we obtain that tr

 X
P
 fj PE jg  SF P 		
since P is nondiscriminating on PE 
 It follows that
tr

n fj PE jg X
P
n fj PE jg  SF P n fj PE jg		
Finally observe that tr

n fj PE jg  tr and X
P
n fj PE jg  X  since
X
P
n fj PE jg  X
P
 X
Q
 n fj PE jg
 X  fj PE jg n fj PE jg
 X n fj PE jg
 X
establishing the result that tr  X   SF P n fj PE jg		 as required

Corollary  If P is a CSP controller for M  and P has no guards on any
channels of M  then P n M  v
SF
P k M  n M 
The following corollary of Theorem  means that it is sucient to establish a
stable failures renement on P n M  in order to deduce it for the controlled
component P k M  n M 
Corollary  If P k M is a controlled component then S v
SF
P n M  and P
has no guards on any channels of M then S v
SF
P k M  n M 
Observe that all the above results require that the CSP controllers are non
blocking on the channels they use to communicate with their controlled com
ponents
 Without this property the result fails to hold
 For example if M is a
machine that is always prepared to output the value  on channel com expressed
in CSP as
M  com M
and P is a controller that requires the value  on com to pass on to external
channel out and blocks other values
P  comx hx  i  out x  P
Then SPEC 
u
x
out x  SPEC has SPEC v
SF
P n fj com jg but SPEC 	v
SF
P k M  n fj com jg because it can deadlock

Also observe that P is deadlockfree but P k M can deadlock
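As an added illustration of both the deadlock-freedom lemma and the counterexample just given (this code is not from the report), the following Python script implements a small stable-failures checker for finite-state processes and runs it over two constructed pairs: a bounded-counter stand-in for i.Lift with a controller stand-in for i.LiftCtrl that has no blocking assertion on isZero, where the lemma's hypotheses hold and deadlock-freedom lifts to the parallel combination; and the com/out pair above with the constructed values v = 1 and w = 2, where the controller's blocking guard makes it discriminating on com, so that P is deadlock-free but P ∥ M deadlocks. The checks for "non-discriminating" and "open" are sufficient per-state conditions over the maximal refusal of each stable state, not the full failure-set definitions; every process name, event and value here is an assumption of this example.

```python
# Added example (not from the report): a toy stable-failures checker.
from collections import deque

TAU = "tau"  # internal action; a state with an outgoing tau is unstable

class LTS:
    """Finite LTS. Events are tuples like ("isZero", "true"); a partial
    event c.v is a prefix like ("isZero",)."""
    def __init__(self, alphabet, init, trans):
        self.alphabet, self.init, self.trans = frozenset(alphabet), init, {}
        for src, ev, dst in trans:
            self.trans.setdefault(src, set()).add((ev, dst))

    def initials(self, s):
        return {ev for ev, _ in self.trans.get(s, ())}

    def stable_states(self):
        seen, todo = set(), deque([self.init])
        while todo:
            s = todo.popleft()
            if s not in seen:
                seen.add(s)
                todo.extend(dst for _, dst in self.trans.get(s, ()))
        return [s for s in seen if TAU not in self.initials(s)]

    def max_refusal(self, s):  # largest refusal of a stable state
        return self.alphabet - self.initials(s)

    def completions(self, e):  # {| e |}: events extending partial event e
        return {ev for ev in self.alphabet if ev[:len(e)] == e}

def parallel(p, q):
    """Alphabetised parallel: shared events synchronise, others interleave."""
    shared = p.alphabet & q.alphabet
    trans, seen, todo = set(), set(), deque([(p.init, q.init)])
    while todo:
        s = todo.popleft()
        if s in seen:
            continue
        seen.add(s)
        ps, qs = s
        for ev, pt in p.trans.get(ps, ()):
            targets = ([(pt, qt) for ev2, qt in q.trans.get(qs, ()) if ev2 == ev]
                       if ev in shared else [(pt, qs)])
            for t in targets:
                trans.add((s, ev, t))
                todo.append(t)
        for ev, qt in q.trans.get(qs, ()):
            if ev not in shared:
                trans.add((s, ev, (ps, qt)))
                todo.append((ps, qt))
    return LTS(p.alphabet | q.alphabet, (p.init, q.init), trans)

def nondiscriminating(p, partial_events):
    """Sufficient per-state check: if a stable state refuses some event of
    {| c.v |} then it refuses all of {| c.v |}."""
    for s in p.stable_states():
        refused = p.max_refusal(s)
        for e in partial_events:
            comp = p.completions(e)
            if comp & refused and not comp <= refused:
                return False
    return True

def is_open(q, partial_events):
    """Q never refuses the whole of {| e |} in any stable state."""
    return all(q.completions(e) - q.max_refusal(s)
               for s in q.stable_states() for e in partial_events)

def deadlock_free(p):
    """Deadlock in the stable failures model: a stable state refusing Sigma."""
    return all(p.max_refusal(s) != p.alphabet for s in p.stable_states())

# Constructed stand-in for i.Lift: bounded counter 0..2, every operation
# always enabled (non-blocking), isZero answering true exactly at 0.
INC, DEC, ZT, ZF = ("inc",), ("dec",), ("isZero", "true"), ("isZero", "false")
LIFT = LTS({INC, DEC, ZT, ZF}, 0,
           [(n, INC, min(n + 1, 2)) for n in range(3)]
           + [(n, DEC, max(n - 1, 0)) for n in range(3)]
           + [(n, ZT if n == 0 else ZF, n) for n in range(3)])

# Constructed stand-in for i.LiftCtrl: no blocking assertion on isZero.
UP, DOWN, GROUND = ("up",), ("down",), ("ground",)
CTRL = LTS({UP, DOWN, GROUND, INC, DEC, ZT, ZF}, "s0",
           [("s0", UP, "s1"), ("s1", INC, "s2"), ("s2", ZT, "s3"),
            ("s2", ZF, "s4"), ("s3", GROUND, "s0"), ("s4", DOWN, "s5"),
            ("s5", DEC, "s0")])

# The com/out counterexample with constructed values v = 1, w = 2:
# M always outputs com.1; P's guard x = 2 makes it refuse com.1.
COM1, COM2, OUT1, OUT2 = ("com", 1), ("com", 2), ("out", 1), ("out", 2)
M_COM = LTS({COM1, COM2}, "m", [("m", COM1, "m")])
P_COM = LTS({COM1, COM2, OUT1, OUT2}, "p", [("p", COM2, "p1"), ("p1", OUT2, "p")])

def check(p, q, partial_events):
    """The lemma's hypotheses and its conclusion for p || q."""
    return {"P nondiscriminating": nondiscriminating(p, partial_events),
            "Q open": is_open(q, partial_events),
            "P deadlock-free": deadlock_free(p),
            "P||Q deadlock-free": deadlock_free(parallel(p, q))}

LIFT_RESULT = check(CTRL, LIFT, [("isZero",)])  # every entry True
COM_RESULT = check(P_COM, M_COM, [("com",)])    # P discriminates; P||M deadlocks
```

`deadlock_free` reports a stable state whose maximal refusal is the whole alphabet, which is exactly the failure $(tr, \Sigma)$ used in the proof of the lemma; the com/out result shows the one hypothesis that fails (P non-discriminating on com) and the conclusion failing with it.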


Parallel combinations of controlled components

All the results of the previous sections have been presented as applying to a single CSP controller process P in parallel with a single B machine M. However, the systems we are generally concerned with, such as the combination of lifts, have the form $\parallel_i (P_i \parallel M_i)$, as illustrated in the figure. Many of the results we have obtained for a single controlled component can be lifted to combinations of components, and we will consider some of these in this section.

Divergence-freedom

Firstly we consider divergence-freedom. It is straightforward to establish divergence-freedom of a combined system using the following theorem from [ST].

Theorem. If $P_i \parallel M_i$ is divergence-free for each i, then $\parallel_i (P_i \parallel M_i)$ is divergence-free.

This follows immediately from the semantics for parallel composition, which preserves divergence-freedom. Thus we need only establish divergence-freedom for the component pairs and the result follows.

Example. In the parallel lift system, since each of the controlled lift components is divergence-free, and since we are given that the controlled dispatcher component is divergence-free, it follows that the overall parallel combination of all the components of the multiple lift system is divergence-free.

Establishing deadlockfreedom
Associativity and commutativity of the parallel operator means that we can group
the controller processes together and the machines together rearranging the par
allel composition as follows
k
i
P
i
k M
i
 
FD

k
i
P
i
 k 
k
i
M
i

Now we can consider 
k
i
P
i
 as a CSP process and 
k
i
M
i
 as another CSP pro
cess and we are concerned with the parallel combination of these two processes

The reason for grouping the components in this way is that the properties  non
discriminating and  open are preserved by parallel composition in CSP

Theorem. If PE is a set of partial events such that each $P_i$ is non-discriminating on $PE \cap \alpha(P_i)$, then $\parallel_i P_i$ is non-discriminating on $PE \cap \bigcup_i \alpha(P_i)$.

Proof. Consider $(tr, X) \in \mathit{SF}[\![\parallel_i P_i]\!]$. Then there are refusal sets $X_i$ such that $X = \bigcup_i X_i$ and $(tr \restriction \alpha(P_i), X_i) \in \mathit{SF}[\![P_i]\!]$ for each i.

Now consider $CV \subseteq PE$ such that $\forall\, c.v \in CV \,.\, \exists\, w \,.\, c.v.w \in X$. For each i, let $CV_i = \{ c.v \in CV \mid \exists\, w \,.\, c.v.w \in X_i \}$. Then $CV = \bigcup_i CV_i$.

Now since $CV_i \subseteq PE \cap \alpha(P_i)$ and $P_i$ is non-discriminating on $PE \cap \alpha(P_i)$, we have that $(tr \restriction \alpha(P_i), X_i \cup \{\!|\, CV_i \,|\!\}) \in \mathit{SF}[\![P_i]\!]$ for each i, and hence that $(tr, \bigcup_i (X_i \cup \{\!|\, CV_i \,|\!\})) \in \mathit{SF}[\![\parallel_i P_i]\!]$, i.e. that $(tr, X \cup \{\!|\, CV \,|\!\}) \in \mathit{SF}[\![\parallel_i P_i]\!]$, which completes the proof.

We obtain the following corollary.

Corollary. If $P_i$ is a collection of controllers for machines $M_i$ respectively, where each $P_i$ has no blocking assertions on any channels of its associated $M_i$, then $\parallel_i P_i$ is non-discriminating on the set $\bigcup_i pi(M_i)$.

Proof. This follows from the lemma on controllers without blocking assertions and the theorem above.

Lemma. Any collection of non-blocking B machines $M_i$ has that $\parallel_i M_i$ is open on $\bigcup_i pi(M_i)$.

This lemma states that if each machine is able to engage in any of its operations, then the parallel combination of all the machines is able to engage in any of the operations of any of its machines.

These two results mean that the conditions for the deadlock-freedom lemma are met for controllers with no blocking assertions:

- $\parallel_i P_i$ is non-discriminating on the set $\bigcup_i pi(M_i)$,
- $\parallel_i M_i$ is open on $\bigcup_i pi(M_i)$, and
- $\alpha(\parallel_i M_i) = \{\!|\, \bigcup_i pi(M_i) \,|\!\}$.

This means that the lemma is directly applicable to a collection of parallel controlled components, in which deadlock-freedom of the overall parallel combination follows from deadlock-freedom of the combination of controllers.

Theorem  Given a collection of CSP controllers P
i
and corresponding con
trolled machines M
i
 such that no controller has any blocking assertions on the
control channels then if
k
i
P
i
is deadlockfree in the stable failures model then
so too is k
i
P
i
kM
i


Proof This follows from Corollary  Lemma  and Lemma  by observing that
k
i
P
i
is nondiscriminating on pi
k
i
M
i
 and
k
i
M
i
is open on pi
k
i
M
i


In the example lift system we have therefore only to check that

k
i   
i LiftCtrl k DispatchCtrl
is deadlockfree which is easily shown to deduce this for the complete system

Observe that Theorem  applies to architectures in which machine operations can
synchronise with a number of controllers
 In other words controllers can overlap
on operations that they call
 The theorem still requires that each machineM
i
has
its own controller P
i
which is required to ensure consistency but it allows other
controllers P
j
also to synchronise on such operation calls

We are also able to lift the results of the refinement section to parallel combinations.

Corollary. Given a collection of CSP controllers $P_i$ and corresponding controlled machines $M_i$, such that no controller has any guards on the control channels, then
$$ (\parallel_i P_i) \setminus \bigcup_i \alpha(M_i) \;\sqsubseteq_{SF}\; (\parallel_i (P_i \parallel M_i)) \setminus \bigcup_i \alpha(M_i) $$
This is a corollary of the refinement theorem together with the lemma and corollary above.

Divergencefreedom of Lift System
We are really concerned with divergencefreedom of

k
i   
i LiftCtrl k i Lift k DispatchCtrl k Dispatch n Int
Theorem  is the appropriate theorem to apply here
 We need to split the system
into P and Q such that P k Q is divergencefree and P n C is divergencefree

The natural approach would take P as the combination of CSP controllers and
Q as the combination of B machines verication could indeed be established by
introducing assertions into the controllers along the lines of Section 

However we have already established the individual lifts are divergencefree so
we can reuse this result by splitting the system dierently as pictured in Figure 

P is DispatchCtrl  Q is the rest of the system and C is the interface between P
and Q 
P b DispatchCtrl
Q b
k
i
i LiftSys k Dispatch
C 

i
fj i up  i down  i ground jg  fj send   reset jg
We can check the conditions for Theorem 
Parallel combinations of controlled components 	
P
Q
 LiftCtrl
 Lift
 LiftCtrl
 Lift
 LiftCtrl
 Lift
 LiftCtrl
 Lift
req
bottom
DispatchCtrl
Dispatch
Figure 	 Splitting the system into P and Q to verify divergencefreedom

 Each i LiftSys is divergencefree as established earlier and alsoDispatchCtrl k
Dispatch is divergencefree so the parallel combination P k Q b
k
i
i LiftSys k
Dispatch k DispatchCtrl is divergencefree since divergencefreedom is pre
served by parallel composition


 C  P

 P n C is divergencefree
 This is easily checked with FDR

Thus Lifts b P k Q n C is divergencefree

Guards and assumptions: a toy example

Our approach is dependent on the ability to verify that individual controlled components $P_i \parallel M_i$ are divergence-free, and as mentioned previously this is done using the control loop invariant technique [Tre, ST]. This approach requires analysis of the controlled component in isolation.

However, when we consider the case of multiple concurrent controlled components, then correctness of any particular component might depend on the behaviour of the rest of the system. It is important to be able to incorporate relevant information about interactions between controllers into the analysis of individual controlled components. This is the reason for allowing guards and assumptions on the channels between controllers.

We will consider a toy example to illustrate the issues. Consider the machines Odd and Even of the figure below. Observe that the possible inputs of these machines are given by
$$ \begin{array}{rcl}
pi(\mathit{Odd}) & = & \{ oddget \} \cup \{ oddput.n \mid n \in \mathbb{N} \} \\
pi(\mathit{Even}) & = & \{ evenget \} \cup \{ evenput.n \mid n \in \mathbb{N} \}
\end{array} $$

MACHINE Odd
VARIABLES odd
INVARIANT odd ∈ NAT ∧ odd mod 2 = 1
INITIALISATION odd := 1
OPERATIONS
  oddput(nn) = PRE nn ∈ NAT ∧ nn mod 2 = 1 THEN odd := nn END;
  nn ← oddget = nn := odd
END

MACHINE Even
VARIABLES even
INVARIANT even ∈ NAT ∧ even mod 2 = 0
INITIALISATION even := 0
OPERATIONS
  evenput(nn) = PRE nn ∈ NAT ∧ nn mod 2 = 0 THEN even := nn END;
  nn ← evenget = nn := even
END

Figure: The machines Odd and Even.

Notice that oddget and evenget are partial events, which can be completed with an output value in each case. The oddput.n and evenput.n events are complete events corresponding to the input of a value.

These two machines are controlled by OddCtrl and EvenCtrl respectively, where
$$ \begin{array}{rcl}
\mathit{OddCtrl} & = & oddget?x \to oddpass!x \to evenpass?y \to oddput!(y+1) \to \mathit{OddCtrl} \\
\mathit{EvenCtrl} & = & oddpass?z \to evenput!(z+1) \to evenpass!(z+1) \to \mathit{EvenCtrl}
\end{array} $$
The machine Odd will accept and maintain only odd numbers, and Even will accept and maintain only even numbers.

Now if we consider OddCtrl ∥ Odd in isolation, we see that OddCtrl accepts any value y along channel evenpass and then provides y+1 as input to oddput. Checking consistency will reveal that if y is odd then oddput will be called outside its precondition, indicating that OddCtrl is not an appropriate controller for Odd.

However, we can see that the context of OddCtrl ∥ Odd, i.e. the rest of the system EvenCtrl ∥ Even, will ensure that the value provided for y will always be even. In fact OddCtrl is a suitable controller for Odd in such a context.

We can include information about the guarantees provided by the context as guards on the input channels. In this case we know that y will always be even, so we include this as a guard, adjusting OddCtrl to OddCtrl'. There are similar requirements on the input to EvenCtrl, in this case that the input z is odd, so we also include a suitable guard in EvenCtrl':
$$ \begin{array}{rcl}
\mathit{OddCtrl}' & = & oddget?x \to oddpass!x \to evenpass?y\langle even(y) \rangle \to oddput!(y+1) \to \mathit{OddCtrl}' \\
\mathit{EvenCtrl}' & = & oddpass?z\langle odd(z) \rangle \to evenput!(z+1) \to evenpass!(z+1) \to \mathit{EvenCtrl}'
\end{array} $$
However, introducing the guards themselves is not sufficient: it is necessary to establish that the context of each controller really does ensure that the guards introduced on the input channels are met. This is expressed by including the guard conditions as assumptions at the points in the context controllers where they are provided as input. This addition results in the following controllers:
$$ \begin{array}{rcl}
\mathit{OddCtrl}'' & = & oddget?x \to oddpass!x\{odd(x)\} \to evenpass?y\langle even(y) \rangle \to oddput!(y+1) \to \mathit{OddCtrl}'' \\
\mathit{EvenCtrl}'' & = & oddpass?z\langle odd(z) \rangle \to evenput!(z+1) \to evenpass!(z+1)\{even(z+1)\} \to \mathit{EvenCtrl}''
\end{array} $$
It is now possible to prove, using the standard control loop invariant technique, that OddCtrl'' ∥ Odd is divergence-free. This establishes that it will only ever provide odd outputs on oddpass, and will always correctly invoke its operations, provided it only ever accepts even numbers along evenpass.

Similarly, divergence-freedom of EvenCtrl'' ∥ Even ensures that even numbers will only ever be passed along evenpass, provided only odd numbers are accepted along oddpass. Each controller provides the correct context for the other.

The guards and assumptions were introduced to enable compositional verification: each controlled component can now be verified individually, with the necessary contextual information included in the controller description. When the components are combined, the guards and assumptions will have played their role in the verification and can be dropped. Thus we will be able to establish that
$$ \mathit{OddCtrl}'' \parallel \mathit{Odd} \parallel \mathit{EvenCtrl}'' \parallel \mathit{Even} \;=\; \mathit{OddCtrl} \parallel \mathit{Odd} \parallel \mathit{EvenCtrl} \parallel \mathit{Even} $$
The technical justification for dropping the assumptions and guards is given by the theorem below. Establishing this theorem is our next concern.
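The Odd/Even toy can be run as an added example (this code is not from the report): the two B machines become Python classes whose operations check their preconditions, a call outside a PRE or a failed diverging assumption {E(v)} raises Divergence, and a blocking guard ⟨E(x)⟩ returns "blocked" (the event simply does not happen). The script then shows the three situations the text describes: the unguarded OddCtrl ∥ Odd diverging in isolation when an odd y arrives on evenpass, the guarded controller refusing that input instead, and the closed system in which each controller supplies the other's context so that neither guards nor assumptions ever fire. The initial values 1 and 0, the helper names and the round-by-round scheduling are assumptions of this example.

```python
# Added example (not from the report): a concrete run of the Odd/Even toy.


class Divergence(Exception):
    """An operation call outside its PRE, or a failed diverging assumption."""


class Odd:
    """B machine Odd: oddput's PRE demands an odd natural (init 1, assumed)."""
    def __init__(self):
        self.odd = 1

    def oddput(self, nn):
        if not (isinstance(nn, int) and nn >= 0 and nn % 2 == 1):
            raise Divergence(f"oddput({nn}) called outside its precondition")
        self.odd = nn

    def oddget(self):
        return self.odd


class Even:
    """B machine Even: evenput's PRE demands an even natural (init 0, assumed)."""
    def __init__(self):
        self.even = 0

    def evenput(self, nn):
        if not (isinstance(nn, int) and nn >= 0 and nn % 2 == 0):
            raise Divergence(f"evenput({nn}) called outside its precondition")
        self.even = nn

    def evenget(self):
        return self.even


def is_odd(n):
    return n % 2 == 1


def is_even(n):
    return n % 2 == 0


def odd_ctrl_round(odd, evenpass_input, guard=None, assume=None):
    """One iteration of OddCtrl; guard/assume give the primed variants.
    Returns "blocked" if the guard refuses the evenpass input, else the
    value x that was sent on oddpass."""
    x = odd.oddget()                                   # oddget?x
    if assume is not None and not assume(x):           # oddpass!x{odd(x)}
        raise Divergence(f"assumption odd({x}) failed on oddpass")
    y = evenpass_input                                 # evenpass?y<even(y)>
    if guard is not None and not guard(y):
        return "blocked"
    odd.oddput(y + 1)                                  # oddput!(y+1)
    return x


def even_ctrl_round(even, oddpass_input, guard=None, assume=None):
    """One iteration of EvenCtrl; returns the value sent on evenpass."""
    z = oddpass_input                                  # oddpass?z<odd(z)>
    if guard is not None and not guard(z):
        return "blocked"
    even.evenput(z + 1)                                # evenput!(z+1)
    if assume is not None and not assume(z + 1):       # evenpass!(z+1){even(z+1)}
        raise Divergence(f"assumption even({z + 1}) failed on evenpass")
    return z + 1


def odd_in_isolation(y):
    """OddCtrl || Odd with an arbitrary environment value y on evenpass."""
    try:
        odd_ctrl_round(Odd(), y)
        return "ok"
    except Divergence:
        return "diverges"


def odd_guarded_in_isolation(y):
    """OddCtrl' || Odd: the guard <even(y)> blocks an odd y instead."""
    return odd_ctrl_round(Odd(), y, guard=is_even)


def closed_system(rounds, guarded=True):
    """OddCtrl || Odd || EvenCtrl || Even (primed controllers if guarded).
    Returns the successive values passed on oddpass."""
    odd, even, passed = Odd(), Even(), []
    g_odd, g_even = (is_odd, is_even) if guarded else (None, None)
    for _ in range(rounds):
        x = odd.oddget()                                      # OddCtrl sends x
        y = even_ctrl_round(even, x, guard=g_odd, assume=g_even)
        passed.append(odd_ctrl_round(odd, y, guard=g_even, assume=g_odd))
    return passed
```

In the closed system every value on oddpass is odd and every value on evenpass is even, so the guards never block and the assumptions never fail; dropping them, as the following theorem justifies, leaves the run unchanged (`closed_system(n)` and `closed_system(n, guarded=False)` agree).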

Manipulating guards and assumptions

Definition. For a controller P, we say that predicate E(x) is a uniform guard for input channel c if every appearance of c in P is of the form $c?x\langle E(x) \rangle \to P'$, with E(x) as the guard.

For a controller P, we say that predicate E(v) is a uniform assumption for output channel c if every appearance of c in P is of the form $c!v\{E(v)\} \to P'$, with E(v) as the assumption.

Definition. We define the following translations on controller descriptions:

- $N^a_C$ removes (or neutralises) all assumptions from all channels $c \in C$;
- $N^g_C$ removes (or neutralises) all guards from all channels $c \in C$;
- $G^a_C$ transforms all assumptions on all channels $c \in C$ into guards.

These translations can all be defined by structural induction over the syntax of controller descriptions in the standard way. Observe that the result of applying $G^a_C$ is not a process controller, since it has guards on outputs, and hence will not be used to define a CSP controller. However, it is still a well-defined CSP process.

Example. The three translations on the version of OddCtrl carrying both the guard and the assumption (written OddCtrl'' here) are as follows:
$$ \begin{array}{rcl}
N^a_C(\mathit{OddCtrl}'') & = & oddget?x \to oddpass!x \to evenpass?y\langle even(y) \rangle \to oddput!(y+1) \to \mathit{OddCtrl}'' \\
N^g_C(\mathit{OddCtrl}'') & = & oddget?x \to oddpass!x\{odd(x)\} \to evenpass?y \to oddput!(y+1) \to \mathit{OddCtrl}'' \\
G^a_C(\mathit{OddCtrl}'') & = & oddget?x \to oddpass!x\langle odd(x) \rangle \to evenpass?y\langle even(y) \rangle \to oddput!(y+1) \to \mathit{OddCtrl}''
\end{array} $$
The following two lemmas are useful in the technicalities of the proof of Theorem. The first states that if each channel in a set of channels $C$ is associated with a guard and matching assumption, then dropping the guards on the channels and transforming the assumptions into guards does not change the overall behaviour.
Lemma. Consider a family of process controllers $P_i$ and a set of channels $C$, such that for each channel $c \in C$ there is some unique predicate $E_c(x)$ associated with $c$ such that

1. $E_c(x)$ is a uniform guard on $c$ for some $P_j$;
2. every guard on $c$ in any $P_j$ is either $E_c(x)$ or $true$;
3. $E_c(v)$ is a uniform assumption on $c$ for some $P_k$;
4. every assumption on $c$ in any $P_k$ is either $E_c(v)$ or $true$.

Then it follows that
$$\parallel_i G_a^C(P_i) = \parallel_i G_a^C(N_g^C(P_i))$$
Proof. Define $RUN_{c,E} = c?x\langle E(x)\rangle \to RUN_{c,E}$, with $\alpha(RUN_{c,E}) = \{\!| c |\!\}$. Then define
$$INV_C = \mathop{|||}_{c \in C} RUN_{c,E_c}$$
where for each $c \in C$, $E_c$ is the unique predicate characterised in the statement of the lemma. The alphabet of $INV_C$ is given by $\alpha(INV_C) = \{\!| C |\!\}$. Then $INV_C$ allows only communications on channels in $C$ which meet the corresponding $E_c$. Thus we have that
$$\begin{array}{rcl}
\parallel_i G_a^C(P_i) & = & (\parallel_i P_i) \parallel INV_C \\
& = & N_g^C(\parallel_i P_i) \parallel INV_C \\
& = & (\parallel_i N_g^C(P_i)) \parallel INV_C \\
& = & G_a^C(\parallel_i N_g^C(P_i)) \parallel INV_C \\
& = & (\parallel_i G_a^C(N_g^C(P_i))) \parallel INV_C \\
& = & \parallel_i G_a^C(N_g^C(P_i))
\end{array}$$
These steps are all justified by the semantics of parallel composition and of guards on channels. Essentially the transformations are all possible because each channel $c$ is blocked on $E_c$ in the parallel combination.
The second lemma states that if each channel in a set of channels $C$ is associated with a guard and matching assumption, and each controlled component is divergence-free, then the guards in their parallel combination can be dropped without introducing divergent behaviour.
Lemma. Consider a family of controlled components $P_i \parallel M_i$ and a set of channels $C$, such that for each channel $c \in C$ there is some unique predicate $E_c(x)$ associated with $c$ such that

1. $E_c(x)$ is a uniform guard on $c$ for some $P_j$;
2. every guard on $c$ in any $P_j$ is either $E_c(x)$ or $true$;
3. $E_c(v)$ is a uniform assumption on $c$ for some $P_k$;
4. every assumption on $c$ in any $P_k$ is either $E_c(v)$ or $true$;
5. $P_i \parallel M_i$ is divergence-free for each $i$.

Then it follows that $\parallel_i (N_g^C(P_i) \parallel M_i)$ is divergence-free.
Proof. Using $INV_C$ as defined in the proof of Lemma, we have that
$$\parallel_i (P_i \parallel M_i) = (\parallel_i (N_g^C(P_i) \parallel M_i)) \parallel INV_C$$
Now $\parallel_i (P_i \parallel M_i)$ is divergence-free, and so $(\parallel_i (N_g^C(P_i) \parallel M_i)) \parallel INV_C$ is divergence-free. Recall $INV_C = \mathop{|||}_{c \in C} RUN_{c,E_c}$.

Now assume that there is a divergence $tr$ of $\parallel_i (N_g^C(P_i) \parallel M_i)$. We aim to obtain a contradiction.

1. If $tr \in traces(INV_C)$ then $tr$ is a divergence of $(\parallel_i (N_g^C(P_i) \parallel M_i)) \parallel INV_C$, contradicting the fact that this process is divergence-free.

2. If $tr \notin traces(INV_C)$ then there is some event $c.v$ in $tr$ such that $E_c(v)$ does not hold. Let $c'.v'$ be the first such event in $tr$. Then we can define $tr' \frown \langle c'.v' \rangle$ to be the prefix of $tr$ for which $tr' \in traces(INV_C)$ and $E_{c'}(v')$ does not hold. Now $E_{c'}(v)$ is a uniform assumption on $c'$ for some $P_k$, so $(tr' \frown \langle c'.v' \rangle) \restriction \alpha(N_g^C(P_k) \parallel M_k)$ is a divergence of $N_g^C(P_k) \parallel M_k$. But every event $c.v$ in $tr'$ has that $E_c(v)$ holds, and hence the trace is possible even in the presence of the guards in $P_k$, since none of the events in $tr'$ are blocked by the guards. Thus $(tr' \frown \langle c'.v' \rangle) \restriction \alpha(P_k \parallel M_k)$ is a divergence of $P_k \parallel M_k$. But this contradicts the fact that $P_k \parallel M_k$ is divergence-free.

Hence it follows that $\parallel_i (N_g^C(P_i) \parallel M_i)$ is divergence-free, as required.
We also make use of a lemma following from Lemma, enabling assumptions to be dropped or replaced by guards, as follows:

Lemma. If $P \parallel M$ is divergence-free then
$$P \parallel M = G_a^C(P) \parallel M = N_a^C(P) \parallel M$$
Proof. This follows from Corollary and the fact that the translations $G_a^C$ and $N_a^C$ both meet the condition of Lemma.
Finally we obtain the following theorem, which enables matching guards and assumptions to be dropped if all the controlled components are divergence-free.
Theorem. If $P_i \parallel M_i$ is divergence-free for each $i$, and for each channel $c \in C$ there is an associated predicate $E_c$ such that

1. $E_c(x)$ is a uniform guard on $c$ for some $P_j$;
2. every guard on $c$ in any $P_j$ is either $E_c(x)$ or $true$;
3. $E_c(v)$ is a uniform assumption on $c$ for some $P_k$;
4. every assumption on $c$ in any $P_k$ is either $E_c(v)$ or $true$;

then
$$\parallel_i (P_i \parallel M_i) = \parallel_i (N_a^C(N_g^C(P_i)) \parallel M_i)$$
Proof.
$$\begin{array}{cl}
& \parallel_i (P_i \parallel M_i) \\
= & \{\text{generalised Lemma}\} \\
& \parallel_i (G_a^C(P_i) \parallel M_i) \\
= & \{\text{generalised Lemma}\} \\
& \parallel_i (G_a^C(N_g^C(P_i)) \parallel M_i) \\
= & \{G_a^C \text{ distributes over parallel composition}\} \\
& G_a^C(\parallel_i N_g^C(P_i)) \parallel (\parallel_i M_i) \\
= & \{\text{generalised Lemma, since } (\parallel_i N_g^C(P_i)) \parallel (\parallel_i M_i) \text{ is divergence-free (Lemma)}\} \\
& (\parallel_i N_g^C(P_i)) \parallel (\parallel_i M_i) \\
= & \{\text{generalised Lemma}\} \\
& N_a^C(\parallel_i N_g^C(P_i)) \parallel (\parallel_i M_i) \\
= & \{N_a^C \text{ distributes over parallel composition}\} \\
& \parallel_i (N_a^C(N_g^C(P_i)) \parallel M_i)
\end{array}$$
Observe that $N_a^C(N_g^C(P_i))$ is the process $P_i$ with all assumptions and guards on channels in $C$ removed. An informal picture of the proof in the case of two controlled components is given in Figure.

Figure: Illustration of the proof of Theorem with two components (B machines elided). [Figure not reproduced; its annotations on the successive combinations read: the composition we start with, each component divergence-free; the channels are blocked on $E$ and $F$; so blocking at only one end of each channel is enough; divergence-free by Lemma on the combination, hence equivalent to the combination above by Lemma; equivalent to the combination by Lemma.]

The following corollary describes the special case where each channel in $C$ connects only two processes.

Corollary. If $P_i \parallel M_i$ is divergence-free for each $i$, each channel $c \in C$ is in the alphabet of exactly two of the $P_i$, and for each channel $c \in C$ there is an associated predicate $E_c$ such that

1. $E_c(x)$ is a uniform guard on $c$ for some $P_j$;
2. $E_c(v)$ is a uniform assumption on $c$ for some $P_k$;

then
$$\parallel_i (P_i \parallel M_i) = \parallel_i (N_a^C(N_g^C(P_i)) \parallel M_i)$$
Weakening assumptions

Theorem is applicable where the assumptions and guards on a channel exactly match. In general we require only that the assumption on a channel is stronger than the guard. This is expressed by the following theorem.
Theorem. If $P_i \parallel M_i$ is divergence-free for each $i$, and for each channel $c \in C$ there are two associated predicates $E_c$ and $F_c$ such that

1. $E_c(x)$ is a uniform guard on $c$ for some $P_j$;
2. every guard on $c$ in any $P_j$ is either $E_c(x)$ or $true$;
3. $F_c(v)$ is a uniform assumption on $c$ for some $P_k$;
4. every assumption on $c$ in any $P_k$ is either $F_c(v)$ or $true$;
5. $\forall x \cdot F_c(x) \Rightarrow E_c(x)$;

then
$$\parallel_i (P_i \parallel M_i) = \parallel_i (N_a^C(N_g^C(P_i)) \parallel M_i)$$
Proof. By Lemma we can replace each assumption $F_c$ on channels $c \in C$ in each $P_i$ by the weaker predicate $E_c$. In each case let the resulting process be $P'_i$. Then by Lemma we have that
$$\parallel_i (P_i \parallel M_i) = \parallel_i (P'_i \parallel M_i)$$
Now the collection $P'_i$ have matching uniform guards on the channels $c \in C$, and so Theorem is applicable. Thus
$$\parallel_i (P'_i \parallel M_i) = \parallel_i (N_a^C(N_g^C(P'_i)) \parallel M_i)$$
Finally, observe that $N_a^C(N_g^C(P'_i)) = N_a^C(N_g^C(P_i))$. Thus we obtain
$$\parallel_i (P_i \parallel M_i) = \parallel_i (N_a^C(N_g^C(P_i)) \parallel M_i)$$
as required.
CSP State

State is captured in CSP by the use of parameters in processes, which track the appropriate values. Such processes are generally defined using mutual recursion to specify how the state might be changed during execution.

For example, a process $CELL(x)$, which holds a single value $x$ of type $T$ for output but which may also accept another value to hold, might be defined as follows:
$$CELL(x) = out!x \to CELL(x) \;\Box\; in?y : T \to CELL(y)$$
This definition constitutes a family of definitions for a family of processes, one for each $x$, which are all defined in terms of each other. It may also be understood as a vector of process definitions indexed by $T$, the set of all the possible values that $x$ can take.

In general, for a CSP semantic model $S$, a vector of processes $X$ indexed by $I$ can be thought of as a member of $S^I$, and is declared as follows: $X : S^I$. Then $X_i$ is the $i$th element of the vector $X$. The vector can also be thought of as a function $I \to S$. Thus $X = \lambda i : I \cdot X_i$.

Then a family of functions $F$ defining a mutually recursive set of processes is a function from one vector of processes to another, $F : S^I \to S^I$. Each $F_i$ is a function $S^I \to S$.

For example, the $CELL$ definition above corresponds to a family of functions $F$ indexed by $T$, in which each function is defined on a family of processes $X$ also indexed by $T$. In this case a particular function $F_x$ is the function
$$F_x(X) = out!x \to X_x \;\Box\; in?y : T \to X_y$$
Thus we have that
$$F_x(CELL) = out!x \to CELL(x) \;\Box\; in?y : T \to CELL(y)$$
The family of processes $CELL$ is defined to be the least fixed point of the function $F$. Thus for each $x$ we have $CELL(x) = F_x(CELL)$, which matches the definition above.
Mutually recursive process definitions might involve a finite number of different process definitions which relate to each other and which may have different indexing sets. For example:
$$\begin{array}{rcl}
POS(x, y) & = & across?z \to POS(x + z, y) \\
& \Box & up?z \to POS(x, y + z) \\
& \Box & \mathbf{if}\ x = 0\ \mathbf{then}\ done \to TOTAL(y)\ \mathbf{else}\ Stop \\[1ex]
TOTAL(y) & = & inc \to TOTAL(y + 1) \quad \mathbf{if}\ y \ldots \\
& \Box & dec \to TOTAL(y - 1) \quad \mathbf{if}\ y \ldots \\
& \Box & finish \to POS(\ldots) \quad \mathbf{if}\ y \ldots
\end{array}$$
In this case $POS$ is indexed by $\mathbb{Z} \times \mathbb{Z}$ and $TOTAL$ is indexed by $\mathbb{Z}$.

It is always possible to consider collections of indexed process definitions as a single vector of process definitions. Each definition is of the form $N_i(p_i) \mathrel{\hat{=}} P_i$, where $p_i$ ranges over the indexing set $I_i$ associated with $N_i$. For each $N_i$ we define a tag $\ulcorner N_i \urcorner$. The overall indexing set $I$ is defined as follows:
$$I = \bigcup_i \{\ulcorner N_i \urcorner\} \times I_i$$
and then we define a single vector of definitions indexed by $I$ as follows:
$$N(p) = P_i \quad \text{where } p = (\ulcorner N_i \urcorner, p_i) \text{ and } N_i(p_i) \mathrel{\hat{=}} P_i$$
Thus the results we develop below are also applicable to mutually recursive collections of indexed process definitions.
Collapsing functions

Manipulation of recursively defined processes is part of the CSP folklore [Ros, DS]. In this paper we are concerned with the introduction and removal of state information into recursive definitions, so it will be useful to restate and reprove the relevant theorems here. We will construct a formal framework around the notion of collapsing functions.
In the following section we use relational composition ($;$) to combine mappings. Relational composition is defined as follows:

Definition. If $R_1 : S \leftrightarrow T$ and $R_2 : T \leftrightarrow U$ then
$$R_1 ; R_2 = \{ (s, u) \mid \exists t \cdot (s, t) \in R_1 \wedge (t, u) \in R_2 \}$$
Here $R_1$ is a relation between $S$ and $T$; in other words, $R_1$ is a subset of the cartesian product $S \times T$. Similarly, $R_2$ is a relation between $T$ and $U$.

Note that functions can also be considered as relations. Below we will also compose functions with relations and with other functions using relational composition.
Denition  Given a function F  S
I
 S
I
and a set of indices J  a function
c  I  J is a collapsing function for F if

 c is surjective and
 whenever ci
 
  ci

 then for any Y  S
J
 we have F
i
 
c  Y   F
i

c  Y 
Figure: Transforming a vector with a collapsing function. [Figure not reproduced; it shows the index set $I$ mapped by $c$ onto $J$, the vector $Y : J \to S$, and the composed vector $c ; Y : I \to S$.]
Here c  Y   i  I  Y
ci

 Thus if Y  S
J
then c  Y  S
I


A collapsing function is one which identies dierent components of the family
of functions F 
 Essentially c induces an equivalence on the set of indices I  if
ci
 
  ci

 then i
 
and i

are equivalent
 The function is a collapsing function
if whenever F is applied to a vector which has the same process at all equivalent
indices then the result is the same at equivalent indices
 A vector Y indexed by
J can be transformed to a vector indexed by I using relational composition with
c as follows c  Y   I  S 
 In this case equivalent indices will map to the
same process
 This idea is illustrated in Figure 

Example. Consider a family of functions indexed by the integers $\mathbb{Z}$ as follows:
$$F_i(Y) = up \to Y_{i+1} \;\Box\; down \to Y_{i-1}$$
This is the family of functions used in the following recursive definition:
$$MOVE(i) = up \to MOVE(i+1) \;\Box\; down \to MOVE(i-1)$$
Now we consider a singleton indexing set $J = \{0\}$. The function $c : \mathbb{Z} \to J$ defined by $c(i) = 0$ is a collapsing function. To see this, consider $i_1$ and $i_2$ such that $c(i_1) = c(i_2)$. In fact this is true for any $i_1, i_2 \in \mathbb{Z}$. Now consider a vector $Y : J \to S$. This will consist of a single process $Y_0$. For $c$ to be a collapsing function we require that $F_{i_1}(c ; Y) = F_{i_2}(c ; Y)$. Firstly we observe that $c ; Y$ is of type $S^{\mathbb{Z}}$, such that $(c ; Y)_i = Y_0$ for every $i$. In other words, it is a vector of processes in which every process is $Y_0$. Now
$$\begin{array}{rcl}
F_{i_1}(c ; Y) & = & up \to (c ; Y)_{i_1 + 1} \;\Box\; down \to (c ; Y)_{i_1 - 1} \\
& = & up \to Y_0 \;\Box\; down \to Y_0
\end{array}$$
Similar reasoning establishes that
$$F_{i_2}(c ; Y) = up \to Y_0 \;\Box\; down \to Y_0$$
which shows that $c$ is a collapsing function.
Example. Consider a family of functions indexed by the natural numbers $\mathbb{N}$ as follows:
$$F_i(Y) = up \to Y_{i+1} \;\Box\; reset \to Y_0 \;\Box\; \mathbf{if}\ i = 0\ \mathbf{then}\ shutdown \to Stop\ \mathbf{else}\ Stop$$
This is the family of functions used in the following recursive definition:
$$COUNT(i) = up \to COUNT(i+1) \;\Box\; reset \to COUNT(0) \;\Box\; \mathbf{if}\ i = 0\ \mathbf{then}\ shutdown \to Stop\ \mathbf{else}\ Stop$$
The following function $c : \mathbb{N} \to \{0, 1\}$ is a collapsing function for $F$:
$$c(i) = \begin{cases} 0 & \text{if } i = 0 \\ 1 & \text{if } i > 0 \end{cases}$$
To see this, consider a vector $Y$ indexed by $\{0, 1\}$, and consider $i_1$ and $i_2$ such that $c(i_1) = c(i_2)$:
$$\begin{array}{rcl}
F_{i_1}(c ; Y) & = & up \to (c ; Y)_{i_1 + 1} \;\Box\; reset \to (c ; Y)_0 \;\Box\; \mathbf{if}\ i_1 = 0\ \mathbf{then}\ shutdown \to Stop\ \mathbf{else}\ Stop \\
& = & up \to Y_{c(i_1 + 1)} \;\Box\; reset \to Y_{c(0)} \;\Box\; \mathbf{if}\ i_1 = 0\ \mathbf{then}\ shutdown \to Stop\ \mathbf{else}\ Stop \\
& = & up \to Y_1 \;\Box\; reset \to Y_0 \;\Box\; \mathbf{if}\ i_2 = 0\ \mathbf{then}\ shutdown \to Stop\ \mathbf{else}\ Stop \\
& = & F_{i_2}(c ; Y)
\end{array}$$
The penultimate line follows because $i_1 = 0$ if and only if $i_2 = 0$.
Reducing the state

The following theorem allows recursively defined families of processes to be collapsed to equivalent forms.

Theorem. Let $c$ be a collapsing function for a vector of functions $F$ with a unique fixed point. There is some function $d : J \to I$ such that $d ; c$ is the identity function on $J$. Let $d$ be such a function, and define $G : S^J \to S^J$ componentwise as follows:
$$G_j(Y) = F_{d(j)}(c ; Y)$$
Then it follows that
$$\mu F = c ; \mu G$$
where $\mu F$ is the unique fixed point of $F$ and $\mu G$ the least fixed point of $G$.

Proof. We can make the following observations for a collapsing function $c$:

1. The choice of $d$ makes no difference to the definition of $G$.
2. For any $Y : J \to S$, the vector $c ; d ; F(c ; Y) = F(c ; Y)$.

Let $\mu G$ be the least fixed point of $G$. Then
$$\mu G = G(\mu G) = d ; F(c ; \mu G)$$
and so
$$c ; \mu G = c ; d ; F(c ; \mu G) = F(c ; \mu G)$$
And hence $c ; \mu G$ is the unique fixed point of $F$, establishing the theorem.
Example. In Example we have a recursively defined infinite set of processes
$$COUNT(i) = up \to COUNT(i+1) \;\Box\; reset \to COUNT(0) \;\Box\; \mathbf{if}\ i = 0\ \mathbf{then}\ shutdown \to Stop\ \mathbf{else}\ Stop$$
defined as the fixed point of the family of functions
$$F_i(Y) = up \to Y_{i+1} \;\Box\; reset \to Y_0 \;\Box\; \mathbf{if}\ i = 0\ \mathbf{then}\ shutdown \to Stop\ \mathbf{else}\ Stop$$
The vector $F$ has a collapsing function
$$c(i) = \begin{cases} 0 & \text{if } i = 0 \\ 1 & \text{if } i > 0 \end{cases}$$
The vector $G$ defined by
$$G(Y) = d ; F(c ; Y)$$
is as follows:
$$G_i(Y) = up \to Y_1 \;\Box\; reset \to Y_0 \;\Box\; \mathbf{if}\ i = 0\ \mathbf{then}\ shutdown \to Stop\ \mathbf{else}\ Stop$$
which corresponds to the following recursive definition of just two processes:
$$NEWCOUNT(i) = up \to NEWCOUNT(1) \;\Box\; reset \to NEWCOUNT(0) \;\Box\; \mathbf{if}\ i = 0\ \mathbf{then}\ shutdown \to Stop\ \mathbf{else}\ Stop$$
Theorem yields that $COUNT(i) = NEWCOUNT(c(i))$ for all $i$, and so we obtain that $COUNT(0) = NEWCOUNT(0)$ and $COUNT(i) = NEWCOUNT(1)$ for any $i > 0$.

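As an added example that is not code from the paper: the collapsing-function definition, the construction $G_j(Y) = F_{d(j)}(c ; Y)$ of the theorem, and the resulting $COUNT$/$NEWCOUNT$ equivalence, checked mechanically by bounded unfolding of the recursion; it also covers the $MOVE$ family of the earlier example. The term encoding, the function names and the finite range of indices checked are assumptions of the example.

```python
# Added example (not the paper's own code): collapsing functions and the
# state-reduction theorem, checked for the COUNT and MOVE families.
# Process terms are nested tuples (constructed for this example):
#   ('prefix', event, P)      event -> P
#   ('choice', (P1, P2, ...)) external choice of the branches
#   ('var', j)                the unknown component Y_j of a vector Y
#   STOP
# A vector Y : S^I is a callable index -> term; F is a callable (i, Y) -> term.
STOP = "STOP"


def symbolic(j):
    """The vector Y whose components are the unknown processes Y_j."""
    return ("var", j)


def compose(c, Y):
    """Relational composition c ; Y, i.e. the vector i -> Y_{c(i)}."""
    return lambda i: Y(c(i))


def F_count(i, Y):
    """F_i(Y) = up -> Y_{i+1} [] reset -> Y_0 [] (if i = 0 then shutdown -> Stop else Stop)."""
    tail = ("prefix", "shutdown", STOP) if i == 0 else STOP
    return ("choice", (("prefix", "up", Y(i + 1)), ("prefix", "reset", Y(0)), tail))


def F_move(i, Y):
    """F_i(Y) = up -> Y_{i+1} [] down -> Y_{i-1} (the MOVE family)."""
    return ("choice", (("prefix", "up", Y(i + 1)), ("prefix", "down", Y(i - 1))))


def is_collapsing(F, c, indices):
    """The definition, checked over a finite set of indices: c(i1) = c(i2) must
    give F_{i1}(c ; Y) = F_{i2}(c ; Y); Y is left symbolic, so this holds for every Y."""
    Yc = compose(c, symbolic)
    classes = {}
    for i in indices:
        classes.setdefault(c(i), set()).add(F(i, Yc))
    return all(len(terms) == 1 for terms in classes.values())


def collapse(F, c, d):
    """The theorem's G: G_j(Y) = F_{d(j)}(c ; Y), for d a right inverse of c."""
    return lambda j, Y: F(d(j), compose(c, Y))


def traces(F, i, depth):
    """Traces of length <= depth of component i of the fixed point of F, by
    unfolding the (guarded) recursion; used to compare COUNT(i) with NEWCOUNT(c(i))."""
    def of_term(t, n):
        if n == 0 or t == STOP:
            return {()}
        if t[0] == "var":
            return traces(F, t[1], n)          # unfold the recursive call
        if t[0] == "prefix":
            return {()} | {(t[1],) + s for s in of_term(t[2], n - 1)}
        return set().union(*(of_term(u, n) for u in t[1]))   # choice
    return of_term(F(i, symbolic), depth)


def c_count(i):
    """The collapsing function of the example: N onto {0, 1}."""
    return 0 if i == 0 else 1


def d_count(j):
    """A right inverse of c_count: d ; c is the identity on {0, 1}."""
    return j


NEWCOUNT = collapse(F_count, c_count, d_count)

if __name__ == "__main__":
    print(is_collapsing(F_count, c_count, range(10)))          # True
    print(is_collapsing(F_count, lambda i: 0, range(10)))      # False: F_0 alone offers shutdown
    print(NEWCOUNT(0, symbolic), NEWCOUNT(1, symbolic))        # the two-process definition
    print(traces(F_count, 4, 3) == traces(NEWCOUNT, c_count(4), 3))   # True
```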
Theorem means that if the definition of a recursive process is independent of one of the parameters in its definition, then that parameter can be dropped from the definition without affecting the behaviour of the process.

For example, the behaviour of the process $MOVE(i)$ of Example is independent of the value of $i$. This means that this parameter can be removed from the definition of $MOVE$ without affecting its behaviour. In other words, each $MOVE(i)$ process is equivalent to the process
$$MOVE = up \to MOVE \;\Box\; down \to MOVE$$
Formally this is justified by Theorem with the collapsing function given in Example, which yields that
$$MOVE(i) = M(c(i))$$
where $c(i) = 0$ and $M$ is defined by $M(0) = up \to M(0) \;\Box\; down \to M(0)$. The single index of $M$ is redundant, and $M(0)$ is equivalent to the version of $MOVE$ given above.

Theorem also justifies the collapse of the process family $LiftCtrl(f)$ from Section to $LiftCtrl$.

Conversely, state parameters can be introduced into a recursive definition without affecting the behaviour of the process. This is achieved by introducing parameters $j$ to a family of processes $P(i)$ in such a way that the resulting $P(i, j)$ can be collapsed to the original $P(i)$. For example, the parameter $f$ can be introduced into $LiftCtrl$ to obtain $LiftCtrl(f)$. This can then be used as a basis for further transformations.
Discussion

This paper has been concerned with providing the CSP underpinnings for developing controlled components consisting of B machines controlled by CSP controllers under a particular architecture. The work builds on the control loop invariant method for verifying individual controlled components in the context of the B-Method, and develops results for combining such verified components.

All of the results presented in this paper have been developed using the CSP semantics of all the component processes. The emphasis has been on obtaining compositional results which enable existing CSP verification methods and tools to apply to our combined systems. These results enable a particular strategy for verification: transform system descriptions to equivalent forms which are amenable to CSP checking. In the simplest case, if the combination $P \parallel M$ is equivalent to $P' \parallel M$, and properties of $P' \parallel M$ can be established by analysing $P'$ with CSP tools, then those same properties can be deduced for $P \parallel M$. So our approach is to transform a controller $P$ to a process $P'$ which behaves the same way in the context of $M$.

Transforming system descriptions to enable pure CSP analysis may involve the introduction of state information within the CSP controller descriptions, so that the behaviour in the context of the underlying B machine is not affected. In this paper we have illustrated the use of this technique.

This paper has obtained further results for this framework. It is often the case that controlled components are only correct in the context of the rest of the system. In this situation we will need to introduce assertions on the channels between CSP controllers in order to establish divergence-freedom of the individual controlled components. Treating assertions as blocking or diverging in particular cases is a delicate issue, and depends on the particular verification under consideration. We have developed theorems which justify the use of particular kinds of assertions.

This paper has also provided results whose proofs use the notions of non-discriminating and open, concerning refinement in the stable failures model: if $SPEC \sqsubseteq P \setminus M$ then $SPEC \sqsubseteq (P \parallel M) \setminus M$, under the appropriate conditions. This enables specified properties to be verified of combined systems.

These results have been applied to a Bounded Retransmission Protocol [EST] for buffer-style properties, and in the Bank case study [TSB].

The toy examples and the case studies carried out to date have provided some experience in the way in which state, and conditions on it, are introduced into the CSP controllers. The necessary state emerges during the verification process in response to FDR checks that fail. Often it is some part of the B state that is simply duplicated in the CSP, as in our toy lift example, in order to enable verification. However, it is too early to identify patterns that may arise in this process, let alone automate it, and more case studies are being pursued.

Scalability of the approach is also a significant issue. Compositionality is a key ingredient of scalability, and it will be important to continue to identify ways in which both requirements and components can each be decomposed to minimise the amount of state required in each verification. This is the subject of ongoing research. In particular, the verification of a controlled component $P \parallel M$ against a collection of requirements might require different state to be introduced into $P$ for each requirement, as was found in the Bounded Retransmission Protocol case study [EST]. This is better than including all the required state for all of the required properties at once, which could result in duplicating all of the B state in the CSP controller.

There are several other approaches to combining a process-style controller with a state-based system description, e.g. [But, FL, WC, SD]. The approach closest to ours is Butler's csp2B tool [But], which allows a CSP process to be conjoined to a B machine in a way which corresponds to a controller for an underlying machine. However, none of the other approaches exploit the semantic models for CSP in the way presented here. The ability to develop theory and tap into existing tool support on both the concurrency side and the state-based side is an important driver of the approach presented in this paper, and originally motivated the choices of CSP and B as the methods we chose to integrate.
Acknowledgements

Thanks are due to Neil Evans, Susan Stepney, Fiona Polack and Régine Laleau for discussions on this work, and also to Neil Evans and to the anonymous reviewers for their useful comments.

References

[But] M. Butler. csp2B: A practical approach to combining CSP and B. Formal Aspects of Computing.
[DS] J. W. Davies and S. A. Schneider. Recursion induction for real-time processes. Formal Aspects of Computing.
[EST] N. Evans, S. A. Schneider and H. E. Treharne. Investigating a file transmission protocol using CSP and B. In proceedings of the STEVE workshop.
[FL] M. Frappier and R. Laleau. Proving event ordering properties for information systems. In ZB.
[For] Formal Systems (Europe) Ltd. Failures-Divergences Refinement: FDR Manual.
[Mor] C. C. Morgan. Of wp and CSP. In W. H. J. Feijen, A. J. M. van Gasteren, D. Gries and J. Misra, editors, Beauty is our Business: a birthday salute to Edsger W. Dijkstra. Springer-Verlag.
[Ros] A. W. Roscoe. A Mathematical Theory of Communicating Processes. D.Phil. thesis, Oxford University.
[Ros] A. W. Roscoe. The Theory and Practice of Concurrency. Prentice-Hall.
[Sca] B. Scattergood. The Semantics and Implementation of Machine-Readable CSP. D.Phil. thesis, Oxford University.
[Sch] S. A. Schneider. Concurrent and Real-time Systems: The CSP approach. Wiley.
[SD] G. Smith and J. Derrick. Specification, refinement and verification of concurrent systems: an integration of Object-Z and CSP. Formal Methods in System Design.
[ST] S. A. Schneider and H. E. Treharne. Communicating B machines. In ZB, LNCS.
[Tre] H. E. Treharne. Combining control executives and software specifications. PhD thesis, Royal Holloway, University of London.
[TSB] H. E. Treharne, S. A. Schneider and M. Bramble. Combining specifications using communication. In ZB.
[WC] J. C. P. Woodcock and A. L. C. Cavalcanti. A concurrent language for refinement. In Irish Workshop on Formal Methods.