The block concept is a fundamental modelling construct in the Systems Modeling Language (SysML), a visual modelling language for systems engineering applications. In a top-down systems engineering approach, an abstract block is decomposed into concrete communicating sub-blocks. However, the classifier behaviour of the abstract block must be exhibited by the composition of the concrete sub-blocks. We show how the process algebra Communicating Sequential Processes (CSP) and its associated refinement checker, Failures Divergence Refinement (FDR), may be used to ensure that such decompositions are valid. We introduce a small case study in order to validate the approach.
I. INTRODUCTION
The demand for aggregate systems -compositions of complex interconnected components -increases constantly; consequently, much research has been aimed at modelling approaches where the emphasis lies on treating a system as part of a larger composition. The Systems Modeling Language (SysML) [1] , proposed by the Object Management Group (OMG) 1 , is a graphical modelling notation suited to specify and design systems comprised of various components.
Modelling a system with SysML relies on the concept of blocks -each with an associated set of states -that communicate via events, possibly resulting in a change of state for one or more of the communicating blocks. The architecture of these systems allows a top-down design, starting from an abstract level with high level concepts, down to levels with increasingly more details. These successive transformations allow replacing an abstract block with a composition of concrete sub-blocks. A major drawback of this decomposition, however, is that it is at best semiformal and cannot guarantee consistency between a an abstract block and its composing sub-blocks. In this paper, we propose a formal approach based upon Communicating Sequential Processes (CSP) [2] , a well-established process algebra. In addition, the existence of Failures Divergence Refinement (FDR) [3] , the associated refinement checker for CSP, makes translating SysML into CSP even more appealing: the translation provides us with a formal context in which we can evaluate and reason about behaviour without a detailed knowledge of the underlying mathematics of refinement.
The structure of the remainder of this paper is as follows. In Section II we provide brief introductions to CSP and SysML. Section III outlines our process algebraic approach to test for the validity of a decomposition. Then, in Section IV, we employ a small case study to validate our contribution. Section V draws comparisons with related work in this area. Finally, in Section VI, we conclude with a summary of the contribution of this paper, and identify potential areas of future research.
II. BACKGROUND
In this section we provide a necessarily brief introduction to CSP and SysML.
A. Communicating Sequential Processes
Events are at the heart of CSP descriptions: the set of all possible events within the context of a particular specification is denoted Σ.
The process descriptions used in this paper can be characterised by the following grammar:
The alphabet of a CSP process P, denoted α P, is the set of events that it is willing to communicate.
Stop is the simplest process: it is the process refuses to communicate anything at all.
The prefixing operator, →, allows us to prefix an event a ∈ Σ to a process P.
b & P is a guarded expression, where b is a Boolean condition that must be satisfied in order for a process to behave like P. P 1 2 P 2 models the deterministic choice between processes P 1 and P 2 , where the choice is resolved by the environment. Conversely P 1 P 2 represents non-deterministic choice where the choice is resolved internally by the process.
The hiding operator, \, internalises or hides a set of events H from the alphabet of the process P.
Generalised parallel composition, of the form P 1 [| I |] P 2 , requires synchronisation on the events of I. Alphabetised parallel composition, where we specify a synchronisation interface I P ⊆ α P for a process P, as in P 1 [ I P1 I P2 ] P 2 , requires synchronisation on the events of I P1 ∩ I P2 .
It is often useful to consider a trace of the events which a process can communicate: the set of all such possible finite paths of events which a process P can take is written traces [[ P ]]. However, it is well understood that traces on their own are not enough to fully describe the behaviour of a process. For a broader description of process behaviour, we might consider what a process can refuse to do: the refusals set of a process -the set of events which it can initially choose not to communicate -is given by refusals [[ P ]]. By comparing the refusals set with the traces of a process, we can see which events the process may perform: the failures of a process P -written failures
(where P/t represents the process P after the trace t).
The FDR tool enables us to compare processes in terms of refinement. We write P 1 M P 2 when P 2 refines P 1 under the model M. If we were only to consider traces, then
Similarly, we can define failures refinement as
B. Systems Modelling Language
The diagrams currently present in SysML can broadly be classified as: those that enable the modeller to describe behavioural aspects of a design (use case, activity, sequence and state machine); and those that allow for the specification of structure (package, block definition, internal block and parametric). In addition, the requirement diagram is used to capture requirements that a design must adhere to.
The block definition diagram allows us to model the composition of a block: this can be an abstract block that is composed of concrete sub-blocks; alternatively, this can be a concrete block composed of other concrete blocks.
The focus of this paper is on modelling the behavioural aspects (and interactions) of blocks using state machines. Each block has an associated classifier behaviour, in our case described using a state machine. Each state machine has a set of states, and transitions between those states. The blocks communicate via events that act as stimuli for the associated state machines, causing the transitions to fire and resulting in a change of state. For the purposes of this paper, we assume that these events correspond to synchronous call events, as these allow us to demonstrate the relevant concepts more clearly.
III. FORMAL APPROACH TO DECOMPOSITION
Due to limitations of space, we consider only a subset of the available state machine constructs. However, the fundamental principles presented extends equally well to more complex descriptions.
A. Modelling State Machines
, which consists of:
• the finite set of transitions T M , and • the finite set of events E M . In addition, we define the following functions to return for a transition: For example, effect M (t) returns the behaviour that executes on the transition t. An effect is optional; in the case where it is omitted, we define the function to return the empty effect effect M (t) = for a transition t.
Intuitively, the formalisation maps every block's classifier behaviour -described by a state machine, M -to a CSP process, by mirroring the syntactical structure of the corresponding state machine diagram.
For a state machine, M, each state q M ∈ Q M \ {q M 0 , f M } is mapped to a local state in the corresponding CSP process, say q. A guarded expression is then used to make the events corresponding to the outgoing transitions of the current state available to the environment. For example, assume that the current state is q M j , and we have two transitions {t 1 , t 2 } emanating from that state, with effect M (t 2 ) = . We can then model the behaviour using the following process
) . . . 2 In this paper we assume that every effect is also a trigger. The CSP process is initialised to the initial state of the corresponding state machine by appropriately setting the state variable. The finial state has no outgoing transitions and is modelled by the process Stop.
B. Proposed Approach
Assume that the SysML model is comprised of a set Ω of N communicating blocks, say Ω = {C 0 . . C N−2 } ∪ {A N−1 }, where the blocks C 0 . . C N−2 are concrete, and A N−1 is abstract. Provided A N−1 is decomposed into K concrete sub-blocks, B 0 . . B K−1 , the problem description can be stated thus: is the suggested decomposition valid, such that B 0 . . B K−1 can be substituted for A N−1 in Ω?
A top-down systems engineering approach allows for an abstract block, modelling behaviour at a higher level, to be refined and decomposed into concrete realisations that are closer to the implementation. However, the behavioural aspects of the abstract block needs to be preserved if we are to replace it with the concrete sub-blocks: the behaviour of the composition should not be able to perform a sequence of events not permitted by the higher level abstraction (block A N−1 ). Clearly, we are excluding events introduced at the lower level (blocks B 0 . . B K−1 ) from this observation.
Assuming we have a CSP process (with an appropriate synchronisation set) for each sub-block B 0 . . B K−1 , we can form the composition using the alphabetised parallel operator. We define the process CONCRETE as
If we consider all the possible sequences of events that A N−1 communicate as valid, then as long as the process CONCRETE does not communicate a sequence outside of these valid sequences, we can use CONCRETE in the place of A N−1 . The more refined process, CONCRETE, is at least as good as A N−1 .
Stated formally, we require
The notion of refinement chosen will depend on our purposes: if we wish the composition to not only communicate within the valid sequences of events, but also, for a given trace, not to refuse an event that the abstract block would allow, we require a failures refinement. Otherwise, if we only wish for the composition to communicate sequences that the abstract block would, a traces refinement would suffice.
IV. CASE STUDY
The case study is based on a passenger safety system of a vehicle, inspired by the contribution of Carrillo et al. [4] . The passenger safety system consists of an AccelerationSensor, a SeatbeltLock, and an AirbagControl block. The AccelerationSensor and SeatbeltLock are concrete; the AirbagControl block is abstract. We propose to decompose AirbagControl into concrete Airbag and OccupantDetectionSensor sub-blocks, in order to perform its function. This decomposition is natural, as the an airbag and occupant detection sensor would conceivably be two separate entities in a vehicle. The occupant detection sensor detects whether there is an occupant present in the vehicle, and, if this is the case, whether it is an adult or infant. If an infant is detected, the passenger is given the option to either enable or disable the passenger's airbag (in case of a flawed detection).
The state machine diagrams for the AirbagControl, Airbag and OccupantDetectionSensor blocks are shown in Figures 2, 3, and 4 , respectively. Figure 5 shows the state machine diagram for the AccelerationSensor. The sensor is responsible for monitoring the acceleration of the vehicle. If a hard deceleration is detected, it activates the seatbelt lock; conversely, if a deceleration consistent with impact is detected, the airbag is deployed. The concrete sub-blocks of AirbagControl needs to be a refinement if they are to replace the higher level block and function correctly in the complete system.
The description of the Airbag process is shown below. The disable and enable signals toggle the state of the airbag. Once the airbag is deployed, its state machine does not respond to any other events. 
(q = deployed) & Stop
The process AirbagControl models the higher level behaviour of the airbag, depending on whether there is an infant, an adult, or no occupant detected in the passenger seat.
The processes of our case study are initialised in accordance with their initial state:
We combine the sub-block processes (using generalised parallel composition to aid readability) and define CONCRETE thus: The set of events are given by:
getEnable, getDisable, activate}
In the above, we hide all events but those of αAirbagControl. Using FDR and the hiding operator, we test if the decomposition is valid:
Depending on the model of refinement: [6] .
The application of formal methods to SysML in particular is extremely topical: Graves et al. [7] focussed on the integration of SysML with type theory, within the context of aerospace engineering; CML [8] is a formal modelling language specifically targeted at the specification and design of systems of systems.
Moisan et al. [9] introduced an approach based on the formalisation and subsequent verification of component protocols using the NuSMV [10] model checker.
In recent component-based verification work, Carillo et al. [4] defined an approach using interface automata to check whether a proposed decomposition of an abstract block into concrete sub-blocks is valid.
VI. CONCLUSION
In this paper we have presented an approach to formalising and verifying the decomposition of communicating SysML blocks, in a refinement-based setting, utilising the process algebra CSP, along with its refinement checker FDR. In addition, we have illustrated the concepts using a small, but realistic, case study. Using FDR, we identified several inconsistencies between the abstract block and the proposed concrete decompositions.
The benefit of our approach is that there is already existing tool support available to assist in the refinement process (with FDR being a prime example). The automated translation from SysML diagrams to CSP is practically achievable through the use of a model-driven engineering framework.
Planned future work includes the development of a modelbased framework to automate the process. The focus of the framework will be primarily the consistency checking between diagrams of the same kind, termed intra-diagram consistency; however, consistency checking between different diagram kinds, termed inter-diagram consistency, will also be a concern.
Ultimately, the fusion of formal and semi-formal methods -where the modelling activity is largely undertaken in the semi-formal domain, but with some underlying recourse to formal methods -will instil more confidence in the validity of the resulting design.
