B annotations in critical control systems development. by Ifill, Wilson.
@)
8643203
UNIVERSITY OF SURREY LIBRARY
ProQuest Number: 10130542
All rights reserved
INFORMATION TO ALL USERS 
The quality of this reproduction is dependent upon the quality of the copy submitted.
In the unlikely event that the author did not send a com p le te  manuscript 
and there are missing pages, these will be noted. Also, if material had to be removed,
a note will indicate the deletion.
uesL
ProQuest 10130542
Published by ProQuest LLO (2017). Copyright of the Dissertation is held by the Author.
All rights reserved.
This work is protected against unauthorized copying under Title 17, United States C ode
Microform Edition © ProQuest LLO.
ProQuest LLO.
789 East Eisenhower Parkway 
P.Q. Box 1346 
Ann Arbor, Ml 48106- 1346
B Annotations in Critical 
Control Systems 
Development
0 0 1 1 0  1 1
Submitted in fulfilment of the degree of Doctor of Philosophy
Department of Computing 
July 6, 2008
-C  UNIVERSITY OFm SURREY
B Annotations in Critical 
Control Systems 
Development
Wilson Ifill
Subm itted  in  fu lfilm en t o f the degree o f D octor o f Philosophy
UNIVERSITY OFSURREY
University of Surrey
D epartm ent of C om puting
J uly 6, 2008
To
Kim,
Luke, Aaron, Ross, Alice and 
Dexter.
B Annotations in Critical Control System s 
Developm ent
Wilson Ifill
D epartm ent of Com puting University of Surrey Guildford England 
w.ifill@surrey-ac.uk 
July 6, 2008 
A b s tra c t
The design and implementation of critical controllers benefit from development 
in a formal method such as B. However, B does not support execution specification 
directly, which is a requirement in controller design. The aim here is to develop a 
set of annotations so that they can be used by a B design engineer to capture exe­
cution requirements, while creating the B model. The annotations, once shown to 
be machine-annotation consistent with the B machine, can be used independently 
from the machine to assess the correctness of CSP controllers developed to detail 
the control behaviour. CSP||B is a formal method integration that can be used 
to develop critical controller with both state and event behaviour. The advan­
tages of using annotations is that the execution requirements can be captured and 
shown to be machine-annotation consistent during state operation development, 
and that a control loop invariant does not have to be independently developed. 
Handel-C is used on route to hardware synthesis as it supports the implementa­
tion of concurrency and the manipulation of state. Annotations are utilised again 
to guide the translation of the B and control annotations into Handel-C.
This PhD. work has three main aims. Firstly, to introduce a set of annotations 
to describe control directives to permit controller development in B. The anno­
tations capture execution requirements. They give rise to proof obligations that 
when discharged prove that the annotations are machine-annotation consistent 
with the machine they are written in, and therefore will not cause the machine to 
diverge. Secondly, we have proven that CSP controllers that are consistent with 
the annotations will preserve the non-divergence property established between 
the machine and the annotations. Thirdly, we show how annotation refinement is 
possible, and show a range of mappings from the annotated B and the consistent 
controller to Handel-C. The development of mappings demonstrates the feasibility 
of automatic translation of annotated B to Handel-C.
K eyw ords
B, CSP, B annotation, critical state machine development, Handel-C, and BVHDL
J uly  6 , 2 008
Acknowledgements
Thank you to my wife Kim and my children Luke, Aaron, Ross, Alice, and Dexter for sup­
porting this endeavour. Thanks to Steve Schneider, my supervisor, for constantly testing my 
ideas and for his patience. Thanks to my managers along the way who supported my case 
to fund this part-time PhD.: Dave Thomas, Digby Knight and John Eves. Thank you to 
Helen Treharne and Roger Peel for advice and support. Thank you to Ib Sorensen and Dave 
Neilson for their help and guidance on the use of the BToolkit.
Published Papers, Book Chapters and Posters
Published works:
• The use of B to specify, design and verify hardware, book chapter [ISSOl]
• Augmenting B with Control Annotations, conference paper at B2007 [IST07]
• A Step Towards Refining and Translating B Control Annotations to Handel — C, 
conference paper at CPA2007 [IS07]
• Towards a Demonstrably Correct Ada Compiler, conference paper at SIGAda 2007 
[NIM07]
• Achieving B state Machine Designs with Annotations, prize winning poster at ZB2005 
Unpublished works:
• B specifications and Proof of the AEP Pipelined Processor [Ifi02]
• Combining B, CSP and Handel — C to Specify, Design and Verify Hardware [Ifi03]
J u ly  6 , 2 0 0 8
J uly  6 , 2 008
Contents
Table of Contents iii
1. Background Motivation and Notation 1
1.1. Introduction to Chapters ........................................................................................  2
1.2. Technical B ack g ro u n d ..............................................................................................  4
1.3. typographic convention  ...........................................................................................  19
2. The NEXT Annotation 21
2.1. Introduction................................................................................................................  21
2.2. The General F ram ew ork ..........................................................................................  21
2.3. The A pproach.............................................................................................................  23
2.4. The NEXT Annotation of a Consistent B M achine..............................................  25
2.5. Controller Syntax and Auxiliary Functions for NEXT A nnotations..................  26
2.6. Annotation Consistency with A ction -P refix ........................................................ 28
2.7. Proving Termination of Controlled Machines with NEXT A nnotations............. 30
2.8. Picturing of NEXT A nnotation.................................................................................  36
2.9. Examples Utilising N E X T ........................................................................................... 37
3. The FROM and q u e r y  Annotations 41
3.1. The FROM annota tions..............................................................................................  41
3.2. The QUERY A nnotations...........................................................................................  64
4. Adding I/O and n e x t  in v a r ia n t  to Annotations 75
4.1. Communication Between B Operations, Controller and E nv ironm en t.............. 75
4.2. I/O  NEXT Annotations and the NEXT i n v a r i a n t ............................................... 78
4.3. Examples o f  the Use o f  I/O  N E X T ...........................................................................  81
J uly  6, 2 0 0 8  v
Contents
4.4. I/O  NEXT Annotation Listing F u n c tio n s..............................................................  84
4.5. I/O  FROM A n n o ta tio n s ............................................................................................ 86
4.6. I/O  NEXT and f r o m  Annotation Consistency......................................................  92
4.7. Proving Termination of Controlled Machines with I /O  Annotations .............  94
4.8. Picturing I/O  Annotations.......................................................................................  97
4.9. I/O  NEXT E x a m p le s ................................................................................................. 97
4.10. NEXT INVARIANT Annotations E x a m p le ...............................................................  100
5. Extending the n e x t  Annotation 107
5.1. The NEXT Extensions .............................................................................................. 107
5.2. The SELECT NEXT A nnota tions..............................................................................  107
5.3. The CONDITION n e x t  A nnotations........................................................................ 110
5.4. Controller Syntax and Auxiliary Functions with CONDITION n e x t  Annotations 111
5.5. SELECT NEXT and CONDITION NEXT Annotation Consistency............................ 113
5.6. Proving Termination of Controlled Machines with c o n d it io n  n e x t  Annotations 115
5.7. Examples Utilising SELECT NEXT and CONDITION N E X T .................................  121
6. Translating and Refining Annotations 129
6.1. The INTERLEAVED NEXT A nnota tion ..................................................................... 132
6.2. Annotation Consistency with In terleav ing ...........................................................  140
6.3. Refinement and Translation to H andel-C ............................................................... 157
6.4. Example: Safe Control S y s te m ..............................................................................  163
7. Comparisons with Other Work 177
7.1. Associated Technologies...........................................................................................  177
7.2. Hardware Verification and Hardware Description Languages.............................  179
7.3. Hardware Development in B ..................................................................................... 183
7.4. State Machine Modelling...........................................................................................  197
7.5. CSP and Z .................................................................................................................  198
7.6. E v e n t-B .......................................................................................................................  201
7.7. Dynamic Constraints in B ........................................................................................  210
7.8. P ro B .............................................................................................................................. 212
vi J u ly  6, 2 008
Contents
7.9. Translation of CSP to Handel-C ............................................................................ 215
8. Future Work and Conclusion 217
8.1. Future Work .............................................................................................................. 217
8.2. Conclusion .................................................................................................................  220
A. The Comparison Between CSPjjB’s Translations and B Annotations 225
B. Glossary 227
B.l. Annotations Syntax ..............................................................................    227
vilJuly 6, 2008
Contents
J uly  6 , 2 008
List of Figures
1.1. BVHDL Development M ethodology........................................................................ 6
1.2. Future Annotated B Handel-C Development M ethodology..............................  7
1.3. Illustration of a Handel-C F unction ........................................................................ 12
2.1. The Process Flow in the Approach..........................................................................  22
2.2. A B Machine.................................................................................................................. 23
2.3. Picturing the {opj,..., o;?j|.}next Annotation oî o p i ............................................  37
2.4. Traffic M ach ine ............................................................................................................ 38
2.5. Traffic C ontro ller........................................................................................................  38
2.6. Traffic Machine P C s ..................................................................................................  39
2.7. Traffic Controller Consistency..................................................................................  40
3.1. Picturing the FROM-ANY Annotation oi o p j ........................................................  62
3.2. Picturing the FROM-SET{opj,..., opfe} Annotation oi o p j ..................................  63
3.3. Picturing the f r o m - s e t - in it  Annotation oi o p j ................................................... 63
3.4. Global Interrupting Traffic Machine - Part 1 ......................................................... 64
3.5. Global Interrupting Traffic Machine - Part 2 ......................................................... 65
3.6. Global Interrupting Traffic Controller ..................................................................  66
3.7. Defined Traffic M a c h in e ............................................................................................ 66
3.8. Defined Traffic C o n tro lle r ......................................................................................... 67
3.9. Carrying Through n e x t  Annotation Expectations Through Query Operation 69
3.10. Picturing the opi q u e r y  A n n o ta tio n ...................................................................... 73
3.11. Querying Traffic M a c h in e ......................................................................................... 74
3.12. Querying Traffic C o n tro lle r .....................................................................................  74
4.1. A B machine with Operations with I /O ..................................................................  76
J u ly  6 , 2 008
List of Figures
4.2. The Controller Initiates Action that Reads Environment S ta tu s ......................  77
4.3. The B Operation Outputs to the Environment and C ontroller.........................  77
4.4. Evens M a c h in e ...........................................................................................................  82
4.5. Example of a NEXT Annotation with I/O  ............................................................  83
4.6. Controller B Operation In te rac tio n ......................................................................... 84
4.7. SetDifferent M achine.................................................................................................. 98
4.8. SetDifferent C ontroller..............................................................................................  98
4.9. Heater Machine H e a d e r ...........................................................................................  100
4.10. Heater Machine O p e ra tio n s .....................................................................................  101
4.11. Heater Controller O p e ra tio n s ..................................................................................  102
5.1. Safety Switch Machine - H eader............................................................................... 123
5.2. Safety Switch Machine - Environmental O perations............................................  124
5.3. Safety Switch Machine - Controller O p e ra tio n s ..................................................  125
5.4. Safety Switch Machine Controller O p era tio n s ...................................................... 126
5.5. Annotated B to CSP Synthesis G u i d e ..................................................................  127
6.1. Different Views of the Same Action..........................................................................  130
6.2. A B Refinement with Operations and I /O ..............................................................  132
6.3. NEXT Refinements - Reduction of Non-determinism.............................................. 158
6.4. Picturing s e q u e n c e  n e x t  Refined O p e ra tio n s ..................................................  159
6.5. NEXT Refinements - Structural Refinements...........................................................  160
6.6. n e x t  Annotation Translation Guide Part 1............................................................ 161
6.7. NEXT Annotation Translation Guide Part 2............................................................ 162
6.8. Safe Machine - Part 1 ..............................................................................................  167
6.9. Safe Machine - Part 2 ...........................................    168
6.10. Safe Machine Controller..............................................................................................  169
6.11. Safe Refinement - Part 1............................................................................................. 170
6.12. Safe Refinement Part 2 ..............................................................................................  171
6.13. Refined Safe Controller..............................................................................................  172
6.14. SafeR Translation Part 1............................................................................................  172
6.15. SafeR Translation Part 2............................................................................................  173
X J u ly  6, 200 8
List of Figures
6.16. SafeR Translation Part 3.............................................................................................  174
6.17. B to Handel-C Translation Guide..............................................................................  175
6.18. CSP to Handel-C Translation Guide.........................................................................  176
7.1. AEP Example Essentials  ................................................................................... 184
7.2. AEP Entity Architecture Simple Machine Plus Packages...................................  185
7.3. AEP Sequencer Process M a c h in e ............................................................................  187
7.4. AEP Read Process M achine.....................................................................................  187
7.5. AEP Write Process M achine.....................................................................................  188
7.6. AEP Read Process M achine.....................................................................................  188
7.7. AEP VHDL - Part 1: D eclara tions......................................................................... 189
7.8. AEP VHDL - Part 2: Processes............................................................................... 190
7.9. BHDL Description of a M ultiplexer.........................................................................  192
7.10. The Multiplexer Im p lem en ta tion ............................................................................  192
7.11. Nine Valued Logic BHDL M o d e l ............................................................................  193
7.12. Bluespec Interrupting Traffic Controller O perations............................................. 195
7.13. Distributed Model Checlc Synchronisation............................................................  197
7.14. Example of a CSP Controller for CSP-Z specification.........................................  199
7.15. BVHDL-CSP Preliminary F u n c tio n s ...................................................................... 202
7.16. BVHDL-CSP Main Section (Effect).........................................................................  203
7.17. BVHDL-CSP; Semantic F u nc tion ............................................................................  204
7.18. PULSERl Circuit with C lo c k in g ............................................................................  206
7.19. Legal Signal T ran sitio n s ............................................................................................  208
7.20. Track and Signal Arrangement  ...................................................................... 208
7.21. Distributed Model Check Synchronisation............................................................  209
7.22. Traffic Controller Machine for ProB ...................................................................... 214
8.1. Interrupting Traffic Controller Machine with the Variant A n n o ta tio n ............. 219
8.2. Interrupting Traffic Controller CSP with V a r ia n t ................................................ 220
8.3. Future Annotated B Handel-C development M ethodology ................................ 221
J uly  6, 2 008
List of Figures
J uly  6, 2 0 0 8
List of Tables
1.1. B Mappings to C S P ..................................................................................................  19
1.2. Typographical conventions........................................................................................  20
6.1. Existing CSP to Handel-C Translation Guide........................................................  163
7.1. The Temporal Logic Operators Used in P r o B .....................................................  215
7.2. CTL Temporal Logic Connectives............................................................................ 216
8.1. Annotations and Related Control O p e ra tio n s ...................................................... 223
A.I. The Relationship of B Translations of CSP Fragments to Annotations . . . .  226
J u ly  6 , 2 0 0 8
List of Tables
J uly  6 , 200 8
1. Background Motivation and Notation
The contribution of this thesis proposes the use of annotations to allow B designers to capture 
control aspects of the design during the development of the B operations for critical control 
systems. The annotations, when entered to capture control aspects, represent a specification 
of control flow, which have to be met by the final control system implementation. The 
annotations can be refined along with the machines and they are also used to record the design 
decisions about implementation choices in hardware. An annotation to support interrupts is 
included. The contribution of this thesis also includes translating the annotated B and CSP 
controllers to Handel-C (Handel-C is the choice of implementations language).
The thesis aims were set by the context surrounding the work. Critical control systems need 
to be developed for analysability. Concurrency and multi-processor based implementations 
are only resorted to if necessary. Control systems implemented with a single thread on a single 
processor (back up processors may be necessary) are preferred and control systems implemen­
tation in hardware is preferred where possible to avoid operating systems use. Development 
methodology mandated for the most critical systems include simple analysable source code 
subsets, formal specification and support of proof, static analysis, configuration management 
of code and verification records. The B methodology and associated toolkits support some 
of these aspects. Some of the more challenging requirements of the standards such as formal 
verification of the toolkits may never be met by any vendor. This thesis shows that control 
systems development, refinement, proof and code generation to a simple language subset can 
all supported by annotations. The BToolkit provides the documentation and configuration |
support for this methodology. Code generation is used to remove coding errors and reduce :
coding costs in development. Code generation supported by libraries in B allows reusability 
and permits refinement to specified library components. In the B Methodology all source 1
code is developed from configurable library components. In this thesis translation to a source I
language is utilised. Unproven translatipn is not as good as refinement to proven source !
language libraries, but it is a step towards such rigour. j
In light of the above context the goals of the research were as follows:
accommodate controller state machine design 
opt for simplicity to accommodate analysis
provide multiple views of a development for checking fiom different point of views 
• work with existing tools 
support code generation
J uly  6 , 2 0 0 8
Chapter 1. Background Motivation and Notation
have one design entry tool and language - accommodated B centred development process 
permit hardware or software implementation
abstract away from the development of explicit clocks in single clock systems where 
hardware implementation is selected
take advantage of parallel/ interleaved processing capabilities if hardware target selected 
avoid operating system in implementation
1.1. Introduction to Chapters
Chapter 1.2 is the technical background to the work. It introduces the notation of B, VHDL, 
CSP, Handel-C and CSP||B. It reviews how specifications are captured in B and translated or 
refined to implementations. The introduction of CSP allows concurrency and event behaviour 
to be specified. Handel-C is an implementation route for CSP. CSP||B is an existing integrated 
formalism.
The technical chapters’ (chapter 2 to 6.3) layout reflects the framework by which new anno­
tations are introduced. Other annotations developed in future work would follow the same 
framework. An overview of the general framework is given in Section 2.2, W hat that leads 
to in terms of sections in each chapters is itemised as follows;
• Discussion of the purpose of the annotation
• Definition of syntax of annotation and possible abbreviations
• Definition of the Proof Obligations (PCs) that guarantee machine-annotation consis­
tency
• Definition of the controller syntax that the annotations are associated with
• Definition of functions to extract information from CSP controller fragments
• Definition of annotation consistency
• Proving correctness of machine-controller pairs
• Picturing the annotations using diagrams
• Examples utilising the introduced annotation
• Demonstrations of machine-annotation consistency
• Demonstration of annotation-controller consistency
2 J uly  6 , 2 008
1.1. Introduction to Chapters
In chapter 2 the annotation approach and the basic n e x t  annotation is introduced, which is 
applicable to both classical B and Event-B. The annotation framework is about defining an­
notations, showing them consistent with the machine they are attached to and the controller 
that implements them. The approach to establishing that annotations are consistent with 
the machine is termed m ach ine-annotation  consistency (the various uses of the term consis­
tency are defined in Section 2.3.2). The approach to showing that annotations are consistent 
with a controller is termed a n n o ta tio n -co n sis ten cy . A proof showing that given machine- 
annotation consistency and annotation-controller consistency then m ac h in e-co n tro lle r  con­
sistency follows, is given for each annotation that is introduced in the technical section where 
appropriate. This proof guarantees non- divergence : a machine and controller that are con­
sistent will not diverge when they run together. The NEXT annotation is associated with the 
prefix and choice controller fragments. A short example using the NEXT annotation is given. 
In chapter 3 two more annotations are introduced: FROM and QUERY. The FROM annotation 
is like the NEXT annotation, but it introduces interrupt behaviour. The FROM annotation 
comes in three different varieties. The operational definition of the associated controller CSP 
interrupt definition is defined. A definition of the traces model for the interrupt is given. It 
differs from the standard trace model of CSP interrupt operators, because the concept of an 
interrupt set has been added. The QUERY annotation is used to mark operations that do not 
cause a state change, but just return information to the environment. The guarantees that 
the NEXT and f r o m  annotations set up must be carried across q u e r y  annotated operations. 
The introduction of the q u e r y  annotation leads to the associated hiding CSP operator. As 
in chapter 2 the machine-annotations PCs are introduced. Then the consistency rules for 
annotation-controller consistency are stated, followed by proofs of non-divergence and exam­
ples. There are no worked examples of consistency in this case as was the case in the last 
chapter. This waits until the next chapter where I/O  is introduced. Chapter 4 introduces I/O  
into the NEXT and FROM annotations. The model of communications is introduced, which 
has aspects of interactions between the environment, the controller and the B operations. 
This chapter and proceeding chapters follow the same chapter framework as the previous 
ones, apart from there being no section on the pictorial representation of the annotations. A 
NEXT INVARIANT is introduced in Chapter 1. They are unlike normal annotations as they 
are static predicates associated with operations. Chapter 5 follows the standard framework. 
It introduces the SELECT n e x t  and CONDITIONAL n e x t  annotations. These annotations 
allow branching. A table is included that details the systematic translations of the anno­
tations in the chapter example to the CSP of the controller fragments. This demonstrates 
the possibility of automatic synthesis of controllers from annotations. Chapter 6 introduces 
the INTERLEAVED NEXT and SELECT NEXT annotations. These annotations are helpful for 
annotation refinement and structuring specifications for implementations in hardware. Al­
though this chapter follows the normal framework additional information is given in the form 
of tables outlining translations of annotations to Handel-C and the refinement of annotations. 
This chapter highlights some areas for future work.
A comparison with other related work is given in chapter 7. In the development of hardware 
and software there is much diversity and the approaches to development range from for­
mal through semi-formal to informal. Semi-formal approaches involve property or assertion 
checking, or utilise a formal notation somewhere in the development cycle. No fully formal 
commercial hardware or software development route that harnesses full refinement exists. A 
sample of relevant methodologies, formalisms and tools aie reviewed that compare with the
J uly  6, 2 0 0 8
Chapter 1. Background Motivation and Notation
annotation approach.
1.2. Technical Background
In early work at MSc level investigated the use of a B Hardware Description Language (HDL) 
(which was reported on in the MSc dissertation [1899]). The BVHDL language was used to 
capture the specification of a pipeline processor, Another Example Processor (AEP), and that 
specification is discussed in the related work chapter 7. The work on the AEP highlighted two 
issues associated with obtaining a translation: the need to specify a clock and the requirement 
for specialised hardware data types at the VHDL Register Transfer Level (RTL). The need 
for the detail is reflected in the need to develop implementations that are synthesisable. 
Research then began into a higher level approach from specification to Field Programmable 
Gate Array (FPGA) implementation for critical control systems. The technical background 
section reviews the other essential elements necessary to embark on the research, such as an 
understanding of VHDL, Handel-C, a simple subset of CSP, and CSP||B [TreOO]. The review 
of VHDL highlights the differences between B and VHDL. Besides the clock there is the use of 
sensitivity lists and time delays in the VHDL language that distinguishes it from B. However, 
such language constructs are not essential for the development of critical controller circuits. 
In this thesis the interrupt operator is defined as it differs from the CSP operator in some 
respects. The Handel-C language is introduced which has many similarities to CSP. One 
notable difference is the principles of communication detailed in the review.
Annotations research is closely related to the research into CSP||B. Both approaches use CSP 
controllers to sequence the actions of B machines. Annotations are given a B Proof Obligations 
(POs) semantics and CSP consistency to allow them to be viewed as, (1) part of the B; or, (2) 
as a CSP controller. The CSP and B in CSP||B are brought together by giving the B a CSP 
action systems semantics. Action systems have an initialisation and set of guarded actions. 
Actions systems like B can be represented in CSP by considering their weakest precondition 
(wp) semantics. Treharne [TSOO] defines the wps of B operations guarded with true. The wp 
of a sequence of actions can be calculated thereby giving meaning to a B execution in terms of 
CSP traces. Controllers can therefore be translated into B specifications, and tested to see if 
execution loops preserve Control Loop Invariants (CLI). CLI are used to show the correctness 
of loops within the controller. The use of annotations prevents the need to convert the CSP 
of the controller to B or develop a CLI,
Research translating between formal notations and Hardware Description Languages (HDL) 
is well established and is discussed in detail in section 1.2.1. Research exists on B [Abr96] to 
VHDL [VAS05] translation [ABD+03] [ISSOl]. VHDL is a widely used HDL and is reviewed 
in section 1.2.3. It is a simulation language that has a subset that when written with a 
synchronous reset and synthesisable RTL constructs can be directly synthesised into a netlist 
of basic gates. A netlist can be laid out on a logic device such as a FPGA. The VHDL must 
be at a sufficiently low level to be able to be synthesised into a netlist representation. In 
this thesis designs are refined to a level above RTL. This is possible because a different HDL 
language is utilised for synthesis. The higher level of abstraction possible from which netlist 
can be synthesised means less detailed hardware oriented refinement, but means less efficient 
circuits. In this thesis less efficient circuits are acceptable. The paramount concern is to
4 J uly 6, 200 8
1.2. Technical Background
maintain safety and security properties proven during development. Handel-C is an example 
of a higher level HDL that can support synthesis into hardware, but abstracts away from 
details of the hardware such as clocks.
This related work chapter firstly discusses, in section 1.2.1, the methodological approach taken 
previously by the author using BVHDL [ISSOl](B hardware description language based on 
VHDL), and the new proposed approach in the technical section of this thesis. The technical 
background of the B method utilised by the BToolkit are reviewed in section 1.2.2. A detailed 
discussion of BVHDL that reveals the unnecessary detail that must be reflected in the B 
specifications, and understand how previously implicit control was coded into the guards or 
preconditions of the operations of the models is given in section 7.3.1. The interesting aspects 
of VHDL are reviewed in section 1.2.3. The aspects of CSP that are utilised in this thesis 
are reviewed in section 1.2.4. Handel-C the target language used in this thesis is reviewed in 
section 1.2.5. Lastly, we review the work on CSP||B (an approach to controlling B machines 
with CSP). The ability to express control flow in the CSP||B formalism has its advantages, 
certainly BVHDL does not have this capability. However, a criticism is tha t the control 
flow specification is not developed at the same time as the state models are, and there is no 
established hardware/ software implementation route from CSP[|B.
1.2.1. Hardware D evelopm ent and Analysis in B
B has been used to capture and verify static properties of a hardware design at RTL. By 
keeping to a prescriptive entity-architecture structure familiar to hardware designers, it is 
possible to translate directly to VHDL from B. By assuming a single clock and being more 
abstract about data structures, we can save the effort otherwise spent detailing clock and 
data refinements in B and still achieve a translation to hardware, but this time via Handel-C.
This section outlines background work concerning trusted formal development techniques in 
the production of digital hardware. The BToolkit has been used to develop formal soft­
ware [NSOl]. Hardware development traditionally has involved coding VHDL [Asli96] from 
English requirements, simulation and synthesis to PPG As or custom ASICs. Validation is 
undertaken in the later stages. One of the problems with this approach is that requirements, 
particularly high level requirements, are not tested early enough and the lade of a design 
other than the VHDL model makes maintenance diflScult.
The approach to the development of hardware using BVHDL is more flexible. A hardware 
engineer more accustomed to developing low-level RTL, can develop B in a style closely resem­
bling VHDL using B Abstract Machine Notation (AMN) [Abr96] and generate synthesisable 
VHDL from within the BToolkit. This approach to hardware design using BVHDL can be 
viewed as a substitute methodology to VHDL, which does allow proofs to be obtained in 
the BVHDL model. However, the methodology could be extended to do much more. The 
BToolkit provides an environment in which higher level specifications may be written in ad­
vance of low level VHDL code generation. The environment allows the animation of abstract 
specifications to investigate requirements and generate validation test cases. It generates and 
assists in the discharging of formal POs thereby formally linking abstract designs and lower 
level refinements. A VHDL generator has been developed by B-CORE (UK) Ltd., so VHDL 
may be obtained from the proven AMN refinements, but the constraints on the form of the
J uly  6 , 2 0 0 8  5
Chapter 1. Background Motivation and Notation
REFINEPROCESSMACHINES
GENERATEVHDL
DEFINE BVHDL MACHINES (fixed architecure)
Figure 1.1.: BVHDL Development Methodology
BVHDL means unnecessary design detail must be included in the model right from the start. 
This restricts the extent that abstraction can be utilised. The BVHDL methodology involving 
design and VHDL generation is given in Figure 1.1.
There is a wider uptake of C and C ++  hardware design languages and hardware designers 
are becoming more accustomed to developing behavioural hardware descriptions of circuits 
and compiling to logic using Handel-C like languages. This thesis has a more advanced 
development framework which proposes incorporating control directives in B specifications to 
guide the development of control in CSP and translation to Handel-C. This allows hardware 
to be development from a higher-level of abstraction. The resultant methodology is given in 
Figure 1.2
Breuer and Kloos [BKLM97] proposed a formal semantics and a refinement calculus for 
VHDL. They have demonstrated that ’’the programming logic and the associated refinement 
calculus can be shown to be complete”. Breuer et. al. make no excuses for the ’’difficulties of 
the working of the formalisms” . However, the difficulty of a formalism will have an impact on 
its use in the wider community. Ideally, the semantics and refinement calculus should be intu­
itive. B Guarded Substitution Language (GSL) is intuitive to programmers, when presented 
as AMN {sugared GSL). The proof obligation of AMN’s machine and refinements are given in 
[Abr96] and in section 2.3.1 and section 6.0.1. The B interface for hardware development is 
given in detail in [ISSOl]. It provides an excellent interface for the development of hardware 
models and hardware component libraries.
An unproven translation process may introduce errors into the design model. Handel-C uses 
OCCAM (OCCAM is an implementation of CSP) for its underlining semantics. Handel-C 
and OCCAM lie comfortably together, because Handel-C was built from OCCAM in the first 
instance. This thesis does not provide a proof for the translation from B to CSP or from 
B to Handel-C. However, the task of verifying a translation from B to a subset of CSP or 
Handel-C is a much easier task that of verifying a translation from B to VHDL. The work on 
CSP||B suggests a relationship between the two languages. There are fundamental differences 
between B and VHDL. VHDL includes the following that have no natural equivalent in B:
J uly 6 , 2 0 0 8
1.2. Technical Background
REFINED 
ANNOTATED 
B MACHINE
ANNOTATED 
B MACHINE
HANDELC
CSP
c o n t r o l l e r
Figure 1.2.: Future Annotated B Handel-C Development Methodology
1. the concept of a clock that synchronises register updates
2. sensitivity lists
3. entity architectures
4. processes
To overcome the difference between VHDL and B the style of BVHDL designs are carefully 
managed, and re-usable libraries are utilised. So instead of giving meaning to the whole of 
VHDL, meaning is given just to the subset of VHDL that is needed using AMN.
1.2.2. The B M ethod
A B specification is partitioned hierarchically into MACHINES, each of which is a module en­
capsulating both constant and variable data, and operations on the data. However, machines 
cannot be used as data types. A machine describes a number of services that it provides 
to the system called operations. Operations are introduced in a B machine after the key 
word OPERATIONS. They specify behaviour using Abstract Machine Notation (AMN) con­
structs. AMN provides a description of dynamic behaviour within the operations in the form 
of set theoretic notation and substitutions. The substitutions capture state transformation, 
and resemble assignments in programming languages. The set theoretic notation describes 
predicates. The AMN syntax, more commonly known as B, is introduced in the following 
sections. The focus is on the specification of preconditioned operations and their associated 
predicate transformers. In section 7.3.1 more technical background of the B method is given 
with respect to the construction of hierarchical specifications and the specification of hardware
J u ly  6, 2008
Chapter 1, Background Motivation and Notation
components. In section 2.3.1 the syntax of a B machine and consistency proof obligations are 
introduced. In section 6.0.1 details of the refinement proof obligations are given. The ASCII 
syntax of B is introduced in this section. In subsequent sections (section 1.2.6, page 15) and 
the following chapters the latex version of the notation is introduced.
As mentioned, operations specify the state transformations and therefore capture the dy­
namic behaviour of the system. The AMN substitutions capture the effect of carrying out an 
operation on a particular variable. Within an operation only one assignment may be made 
to any particular variable of a machine, but several substitutions can be made within one 
operation. In classical B the operations are preconditioned in the following way:
o p  =  PRE P ç p  THEN Bop END;
The precondition Pop is the predicate that must hold in order to establish that the substitu­
tions in Bop will terminate.
The invariant is introduced in the B machine after the keyword INVARIANT. It is a predicate 
that captures important properties that the machine must maintain. It characterises the per­
mitted states of the system: the safe states. The expectation is that every possible execution 
of each operation must take the system from a valid state to a valid state: every operation exe­
cution must re-establish the invariant. This is an important aspect of m achine-consistency. 
Predicate transformers are introduced to reason about machine-consistency. On one hand we 
have the specification of operations in terms of substitutions that change the state, and on 
the other invariant predicates that must be maintained. Machine-consistency is calculated by 
transforming the invariant with the operation’s substitutions to create a new predicate, that 
characterises the final states that the operations can produce assuming the invariant held 
before the operation was invoked. A predicate transformer is written as follows:
In the above Bop is the substitutions that transform the predicate I.
The preconditioned operation in Generalised Substitution Language (GSL) is written Pop | 
Bop (Pop pre Bop)-
In this case the predicate, if true, guarantees that the operations re-establishes the machine 
invariant, 7:
7  = >  [Pop  I P o p ]7
Abrial [Abr96] introduced rules to reduce the predicate transformers. The rule for the reduc­
tion of preconditioned GSL is used in the proofs in this thesis and is defined as follows:
[P op  I P op ] 7  =  P o p  f \  [P o p ]7  
The consistency condition reduces to;
8 J uly  6, 2 008
1.2. Technical Badîground
I  => Pop A [Pop]7
which reduces to:
I  A Pop [Pop]/
The above states that given that the invariant and the precondition hold then the predicate 
formed by transforming the invariant with the body of the operation holds.
The machine has to be brought into a state that is consistent with the invariant initially. 
The initialisation substitutions follows the INITIALISATION key word in the machine. They 
represent the initial assignments that the machine makes before the operations are invoked. 
The predicate that must hold to initially establish the invariant is as follows:
[ T] I
In the above T  represents the initialisation substitutions and I  the invariant. The above 
predicate must be true to ensure that the machine state is initially established. Section 1.2.6 
gives more technical background on AMN, GSL and associated predicate transformers.
1.2.3. VHDL Hardware Description Language
The core of the VHDL language has the imperative flavour of Pascal or C. It supports pro­
cedures, functions and concurrency. Hardware is modelled as a set of concurrently executing 
process. Signals and variables provide local state in the process. Variables are updated at 
the point an assignment is made within the sequence of events (var_a := l). Signals are 
updated at the end of a process description in accordance with a specified delay (delta). 
Communication between processes is achieved by signals. Processes do not contain other pro­
cesses, so parallelism is only one layer deep. Processes can contain while loops, if branches, 
case statements, etc. The code within a process loops continuously. VHDL introduces two 
conceptually new statements not available in B:
1. Delayed Signal assignment: s ig n a l_ a  <= s igna l_b  a f t e r  delay_x This statement 
schedules an assignment in delay time delay_x of s ig n a l_ a  updated with signal_b . 
If the delay time were missing then a default delay delta_jx would be assumed, which is 
a non zero infinitesimal delay time. Delay are taken into account during simulation.
2. In the implied wait statement: p rocess_n (sig_a) = . . .  The signal s ig _ a  is the 
only signal in the sensitivity list of process p ro cèss_n. This process is blocked until a 
level transition occurs on the sig_a. (A transition is a change in voltage at a point in 
a circuit from logic level 1 to logic level 0 or vice-versa.) Other signals could be added 
to the sensitivity list.
A standard VHDL simulation executes each process until it becomes blocked by a wait state­
ment (wait delay_x ; ). Each process must contain a wait. Some waits are implicit. A
J uly  6, 2 0 0 8  9
Chapter 1. Background Motivation and Notation
wait state is maintained until the next scheduled assignment time or until the wait delay has 
expired, at which time the process is re-executed from the point of the last wait. Other signals 
could be added to the sensitivity list.
VHDL is a wide spectrum hardware description language used for modelling, simulation and 
synthesis of digital logic circuits. It is wise to focus on a synthesisable subset of VHDL and 
avoid the use of unregistered feedback (logic inputs that are feed directly from the circuit 
outputs without a register holding that logic state to a value obtained during the previous 
clock cycle). A stable state may not occur in circuits with unregistered feedback.
The VHDL generated from the B specification of a pipelined processor in section 7.3.1 is given 
in Figure 7.7, which illustrates the language constructs discussed in this section,
1.2.4. CSP Notation
CSP is a language for describing concurrently executing processes that interact through com­
munication. A detailed definition of CSP can be found in [Ros98] or [SchOO]. CSP is a 
process algebra defined by Hoare [Hoa85] who introduced CSP denotational semantics in 
terms of traces, failures, and failures and divergence. Refinement in these denotational se­
mantics is an important notion, and we write P [T= Q to denotes P is trace refined by Q. 
Ti’ace refinement can be thought of as language containment, and means that all traces of 
Q must be included in the traces of P. The subset of CSP used in this thesis is described 
in the following section. CSP models behaviour with events and processes. Events may be 
associated with a channel of communication. In the following brief BNF of CSP we use the 
convention that events and channels are denoted with lower case letters and processes with 
upper case (in the examples both processes and events are lowercase). Events are drawn 
from the universal alphabet Sigma, (a) Process P is defined in machine readable ASCII form 
(CSPM) as follows (the accompanying text below which explains the BNF incorporates the 
latex version of the CSP operators):
P ::=
1. SKIP (successful termination) I
2. a -> P (prefix) I
3. P [] P (external choice) |
4. P I " 1 P (internal choice) |
5. P III Q (interleaving) I
6. P [ ISj] q (interface parallel) I
7. c iv  -> P (output) I
8. c?x -> P(x) (input) I
9. P \{x} (hide x events) I
10. f (P)  (renaming) I
10 J uly  6 , 2 0 0 8
1 .2 . Technical Background
11. DIV (divergence) I
12. [ ] i  ; T @ (index external choice) I
13. I ~ I i  ;T @ (index internal choice) |
14. / \  (interrupt) I
15. P =  Q (recursive definition) I
16. STOP (deadlock)
SKIP {SKIP) is the process that terminates successfully. The action prefix (2) (o —> P) is 
the process that performs action a then acts like process P. Processes can be combined using 
choice. External choice (3) (P  □ P) is a combinator that lets the environment chose between 
the processes on offer, whereas with internal choice (4) (P  H P )  the decision is made by 
the process itself. Composition of processes can be done using interleaving(P ||| P), which 
interleaves the actions of each process arbitrarily. The interface parallel (6) (P  ||g P) process 
can make progress when the processes combined agree on the actioifs in set S. When S =  {} 
(the empty set) the process traces (visible behaviour) are equivalent to that of an interleaved 
process. When S is non-empty the processes P and Q are forced to agree on events that are in 
the set S (a subset of the alphabet). Events are channels and can either be read (8) or written 
to (7). (8) illustrates also parameterised process P(x). Several processes may synchronise on 
a single communication channel. The channels in the Handel-C are point-to-point. Hiding 
(9) obscures events from observable behaviour. Hiding, as a programming structure, is used 
to abstract away unwanted channels. However, hiding is only used in this thesis in proof. 
The renaming (/(P ))  function renames the actions of P (10). The divergent process (DIV)  
immediately divergence and therefore provides no guarantees about it behaviour (11). The 
internal and external choice operators are generalised in (12). and (13). An interrupt operator 
is shown in (14). The interrupt operator can be used to pass control from a process P  to a 
processes Q. P A  Q states that the process Q can interrupt the process P  at any time during 
the execution of P or not at all. To support the annotations alternate interrupt operators 
are introduced in chapter 3, which are operationally different from the normal CSP interrupt 
operator. The recursive definition allows a process to be defined in terms of itself. In (15) 
the process P is defined by the process Q where Q is itself defined in terms of P. The STOP  
(16) process acts like deadlock. It will not engage in any subsequent events.
The above BNP details the CSP used in this thesis. W hat follows is the subset of CSP used 
in the controllers associated with the annotations. We present them this time in their latex 
form:
P ::=
1. SKIP  (successful termination) 1
2. c?y\v\x -4 P  (input/output) I
3. P  □ P  (external choice) I
4. P  III Q (interleaving) |
Ju l y  6 , 2 0 0 8
Chapter 1. Background Motivation and Notation
chan struct DATA aa_chan ; 
chan struct DATA ww_chan ; 
void aa_port(){ 
struct DATA aa_vEir ; 
aa_var.oO = 0 ; ... 
while(1){ 
seq{
par{aa_chan!aa_var ; ww_chan!aa_var ; / * other comms * /  
}
par{ /* Code */}
}
}
}
Figure 1.3.: Illustration of a Handel-C Function
5. P(x) I
6. P \  X (hide x events) I
7. A (interrupt) I
8. P(y) =  Q(y) (recursive definition with a process variable)
1.2.5. Handel-C Hardware Description Language
Handel-C is a hardware description language^ that has evolved from parallel software lan­
guages. Support for parallelism comes from OCCAM, which is a programming language that 
implements CSP. Only the subset of Handel-C used is described. The par and p r i a i t  oper­
ators provide parallel composition ( p r i a i t  has a pre-determined service order). Sequential 
composition is provided by the seq operator. Communication in Handel-C is point-to-point 
and occurs on a rising edge of the clock. External communication on special channels (chanin) 
may take an indeterminate number of clock cycles to become ready. As with C assignment, 
for loop, while loop, c o n d itio n a l and sw itch  statements are allowed. As with CSP com­
munication channels are annotated with the ? and the ! symbols. To permit a direct 
mapping to hardware variables are declared with a size in bits. Variables may be arrays. The 
example in Figure 1.3 illustrates a number of Handel-C language features. In it channels are 
declared to pass structures (defined elsewhere) of type DATA. A function executes a  loop. 
The loop executes a sequence repeatedly. Firstly, it carries out a number of communications 
simultaneously, and then runs a parallel block of code (code not defined).
1.2.6. Previous CSP||B  Research
Combining model based formalisms like B [Abr96] and Z [Spi92] with event based formalisms 
like CSP [SchOO] is an active research area. This thesis is concerned with annotated B,
Svw^v.celoxica.com
12 • J u ly  6 , 2008
1 .2 . Technical Background
CSP controllers and the Handel-C implementation language. Some space is devoted to 
CSP||B in this section as way of motivation. Some space has been devoted to the review 
of CSP/Z [Fis97] in this thesis, in chapter 7. This is as much CSP and Z consideration that 
is given. Advances are being made developing the theory for tools to support the Circus ap­
proach [Fre05] [SWC02] [CSP03]. Circus is another unification of CSP and Z. Although it is 
an important development in formal methods it does not have a direct impact on this thesis. 
Comparisons between the annotated B approach, and CSP combined with Z approaches are 
made when considering CSP/Z.
The motivation for a closer integration is to obtain a formalism that is as powerful at de­
scribing state predicates as it is at describing event behaviour. The CSP||B [TreOO] approach 
combines CSP and B so that CSP captures, primarily, the event aspect of the design, whereas 
the B captures the state evolution. Each CSP controller directs a single B machine via 
communication channels. Controllers may interact with other controllers.
In CSP||B consistency between the pre-conditioned B machine and the CSP controllers is 
established in two ways. Firstly, by showing that operations are always called within their 
preconditions, which establishes divergence freedom. Secondly, consistency condition estab­
lishes that controllers are deadlock free. Consistency is investigated using the wps of guarded 
actions [Dij76]. An action system is a pair (m it, A), where init is a system initialisation and 
A is a set of actions.
Morgan’s failure divergence semantics captures both state based and event base properties 
of Action Systems [MorQO], and it is ideal for capturing the evolving state of action systems. 
Using wp semantics action system can be represented in CSP. A guarded command, G S, 
consist of a guard G which controls the execution of a statement S. When the guard does 
not hold the statement is blocked. Morgan describes the wp of the semantics for the guard 
command in the following way:
D efin ition  1 (M o rg an ’s w p  S em antics for G u ard ed  C om m ands).
wp{G S ,Q ) = G => wp{S, Q)
If G is false in definition 1 then the wp is trivially true, otherwise it is wp{Sy Q) (the weakest 
precondition such that Q is satisfied when S is executed).
The wp of a preconditioned abstract system operation (P R E  P T H E N  T  EN D ) is given in 
Treharne [TreOO] and restated here:
D efin ition  2 (w p of O p e ra tio n  G u ard ed  w ith  t ru e ) .
wp{true -4 P R E  P  T H E N  T  E N D , Q) = P  A wp{T, Q)
Preconditioned abstract system operations can be considered to have a guard of true. The wp 
of the B preconditioned statement is the precondition P  conjoined with the wp of the state­
ment T  as described in definition 2. Treharne [TreOO] and this thesis assume that systems are 
developed under the assumption that operations are always called within their preconditions. 
The controller for the system must be carefully designed to ensure this. The generation of a 
consistent controller from annotations is one of the subjects of this thesis. In Treharne’s initial
J u ly  6, 2 0 0 8  13
Chapter 1. Background Motivation and Notation
work, B SELECT statements are avoided to prevent the introduction of blocking statements 
introduced by them. To understand this consider the wp of a statement S that establishes 
false {wp{Syfalse)). In B that wp is written [S]false. B statements are monotonie hence it 
can be deduced from false P  that:
[S]false => [5]P
The initial condition of S that establishes false establishes everything. The B select statement 
in Generalised Substitution Language (GSL) is G S, “C? guards <5” . The wp of the select 
statement that establishes P  is written [G = >  i9]P, and is equivalent to G =>• [S]P. The B 
select statement that has a false guard establishes false, i.e. [false =>■ S]false. When the 
guard is false the select statement miraculously establishes false. The guard is defined as 
follows: grd{S) =  -• ([iS]/a/se).
The guards for a select statement are defined differently to that of the preconditioned state­
ment [Abr96] (Q|S).
grd{G ==k S) — G A grd{S) 
grd{Q \ S) = Q grd{S)
The select statement blocks execution if the guard is false, whereas the precondition statement 
aborts (it is not guaranteed to terminate). Select statements are not implementable and 
are avoided in Treharne’s [TreOO] approach. The approach in this thesis is to guarantee 
execution paths provided proof obligations associated with the annotated path are discharged. 
The annotations ensure that operations are called within their precondition or guard if that 
replaces the outer most precondition. Even when there is a choice between to alternative 
paths the annotations ensure that both are available. This approach ensure the absence of 
divergence and deadlock regardless of whether precondition or guarded operations are used. 
However, there is no example of the use of annotations with select in this thesis. The use of 
annotations in Event-B is considered in chapter 7.
Understanding how to calculate the wp of a statement is an important step in calculating 
the wp of a sequence of statements. The wp semantics of a sequence of actions is developed 
inductively. Firstly, the empty sequence of actions does not change the state of the system, 
as it has no commands. To establish Q with an empty sequence of commands Q must be 
true before the execution of the empty sequence: wp{{), Q)) = Q. This constitutes the base 
case. For a sequence of guarded commands tr, where tr G A* and tr is not empty, the wp of 
the sequence is developed inductively as follows:
wp{a-y tvay Q) = wp{a,wp{tra, Q))
Working back from the base case each action must establish the wp of the following action. 
Treharne uses Morgan [MorQO] approach that involves giving the B action systems a CSP 
semantics, which means defining the traces, failures and divergences of the action system.
14  J u ly  6 , 2 008
1.2. Technical Background
In our approach the annotations will explicitly state the allowable execution steps. Then two 
consistency checks must be performed. It must be shown that the annotations are consistent 
with the operations of the machine (they allow non-divergent next steps) and that the con­
troller operates within the annotation guidelines. It is then not necessary to translate the 
controller into B and prove that the Control Loop Invariant (CLI) holds. The annotations 
create proof obligation (PC) requirements that have to be met to guarantee a non-divergence 
execution. Discharging annotation PCs guarantees that the associated preconditions of op­
erations next in the sequence of execution control will be satisfied allowing it to executed 
without diverging. The NEXT annotation is core to the avoidance of divergence. Discharg­
ing a NEXT annotation ensures that an associated execution sequence will always have its 
precondition satisfied.
Control Loop invariants
In Treharne [TreOO] a CLI is explicitly defined to reason about non-divergence of looping 
paths within the controller. B operations are represented as atomic action prefixes in CSP 
processes. The operations communicate with the outside world and their controlling CSP 
processes via the input and output of CSP channels. The prefixed action f?x!w —> R, reads 
X  into the operation f and outputs w then acts like R. Output of one operation can be 
tunnelled into another operation, by fixing the input of one process or action with the output 
of another in the CSP. T eharne uses wp to investigate safety constraints captured in the CLI. 
Cyclic behaviour is represented using mutually recursive processes that pass specific control 
information as process parameters. The loops may be terminating or non-terminating. The 
communication between the controller and the B machine is handled using channels. The 
CSP controller can accept inputs from either the B machine or the environment, whereas the 
B machine accepts inputs from the CSP and output to the CSP. The I/O  set up is different 
in this thesis and defined in chapters 4 and chapter 6. The controllers are captured in a 
subset of CSP that translates to B. An early B subset and associated translation to CSP 
is given in [TSOOj. The translation mappings are restated in appendix A. The relationship 
to the annotations has been stated showing how the CSP||B translation framework and the 
annotation framework compare.
The select statement is avoided because it is impossible to implement its miraculous behaviour. 
The CSP process that models blocking behaviour is given as follows:
p =  block STOP
The absences of process p demonstrates the absence of deadlock. The above process p issues 
a block then halts.
The B operation:
op — PRE false THEN skip END
J u ly  6, 2 0 0 8  15
Chapter 1 . Background Motivation and Notation
is divergent if called because if the precondition of an operation is false any behaviour may 
occur. The process that models this behaviour in the CSP is:
DIV
As mentioned previously, mutually recursive LOOPS are used to control the sequencing of 
operations. It is essential that control LOOPS call operators within their preconditions. The 
CLI establishes that the LOOP will not call any operation outside its precondition and hence 
will not diverge. Treharne states non-divergence in the following way:
traces{LOOP) D divergences{M) = {}
In order to establish the CLI the LOOP has to be translated to B. Treharne’s translation 
rules include ways of representing LOOP and the loop control variables in B. The translation 
rules are given in table 1.1. In the table the B translation of the equivalent fragment of CSP 
is given. We write {En -4 P}p to mean the translation of the CSP fragment E„ P 
in the context of the mapping environment p. In this case the translation is n; {P}p, which 
means the translation of the process P in the environment p is composed sequentially after 
operation n. The action En in CSP is mapped to the operation n in B.
The translation environment p contains the mappings from B variables to the controller 
variables. The translation environment is a collection of the mappings between the variables 
of the B and the variables of the CSP (in the following example Xc *4 X}f). The control loop 
variable (cf,) is used in the CLI and is key in the determination of consistency. The control 
loop variable, is equated to one of the CSP variable (ie. x^ ~  cif).
p{s{p')) = Cb := p[p'] where Cb is a control variable.
The CSP process parameter p' in the LOOP s is represented as a variable cj in the B. The
value of the parameter is derived from the translation environment p.
We note that in addition to non-divergences the traces of the LOOP must not block. Treharne
state that the traces of a correct controller will not contain a block;
- 1 3 ( G traces{LOOP) • block G ran{t)
Developing a controller in CSP allows trace behaviour to be analysed independently. Transla­
tion from CSP to B permits implementation of the controller within B. On the CSP analysis 
side the control variables introduce state into the CSP model, which needs to be dealt with 
carefully in the CSP analysis tools. The approach of this thesis keeps the state in the B 
machine by modelling the input and output in a slightly different way (chapter 6). Thus, 
derived controllers can be analysed without reference to a CLI.
i 6  J u ly  6 , 2 008
1 ,2 . Technical Background
In general there are two ways of dealing with I/O . When the temporal organisation of the I
operations is well established in the designer’s mind, chaining I/O  can be achieved by writing j
to, and reading from, global variables. In this way the B invariant checks that the consistency I
is maintained. This is a very constraining approach. A more flexible approach is achieved by j
linking consecutive operations output and input explicitly in the annotation, in-line with the j
philosophy adopted by Treharne. The main difference with the annotation approach is that ;
the output that is passed to an intended following operation is not represented as a control I
variable in a CSP controller. ;
The proof obligations that arise after executing the sequence of operations in the controller 
is given as follows: '
D efinition 3 (CLI P roof O bligation).
[CLI A I  A Cb ~  p[p]) [BBODYr ]CLI
The CLI must hold at all the points of recursion within the loops of the controller. We 
reproduce the example used to illustrate the CLI, below, and extend the B to illustrate the 
annotations that would avoid introducing a CLI.
The CLI is constructed from engineering judgement, A control variable is searched for that 
both captures what the looping action is trying to achieve and ensures the loop does not 
diverge. In this case we spot that a value is being passed between operations. The value must 
be in a defined range to avoid loop divergence.
VARIABLES V*»
IN V A R IA N T  V i n  G N  
IN ITIA LISA TIO N nn : =  0 
O PER ATIO N
in{xx) = PR E  XX G 2..10 T H E N  nn := xx E N D / * test{nn) N E X T  * /; 
test{xx) =  PR E  nn =  XX A xx  £  2..10 TH EN  skip E N D / * in N E X T  * /
EN D
The controller for the above machine is given below. Operations (op) in the B machine become 
actions (Eop) in the CSP controller. The relationship between operation and action is made 
explicit by subscripting the CSP action with the name of the B machine it calls (Hop). The 
controller is given as follows:
LOOP =  ^(1)
S { 1 )  =  E i n ^ X c  G 2..10 4  S { X c )
S { X c )  — EtesÛS^c S { 1 )
The CLI is stated as follows: [cb > 1 A Cb < 10) nn = Cb
J u ly  6, 2 0 0 8  1 7
Chapter 1 . Background Motivation and Notation
A cut down version of the table in Figure A .l, page 226 without the relationships to an­
notations is given in Figure 1.1. The translation of the controller fragments to predicate 
transformers is given. There are three proof obligations that need to be discharged to show 
that the CLI is maintained by the controller, because the machine is initialised and there are 
two points of recursion in the controller. The first shows that the CLI can be established 
by the initial conditions. The second establishes that the first recursive call S{1) establishes 
the CLI, Inputs from the environment are treated differently to the inputs given in table 1,1, 
Here the B A N Y  W H E R E  T H E N  clauses is used to get a fresh input. The third proof 
obligation results from the last mutually recursive process <S'(xc)-
The proof seeks to establish that the CLI is maintained by the loop at the point of the recursive 
call. In the cases that consider the execution of the loop and not the initialisation, the CSP 
actions are translated to B and the B is substituted into the CLI. To ensure a meaningful 
substitution the value of the CSP variables are retrieved from the environment.
The translation environment p contains the mappings from B variables to the controller 
variables. The proof seeks to establish that the CLI is maintained by the loop at the point of 
the recursive call. In the cases that consider the execution of the loop and not the initialisation, 
the CSP actions are translated to B and the B is substituted into the CLI, To ensure a 
meaningful substitution the value of the CSP variables are retrieved from the environment,
1,Correct initialisation {[Initialisation\ Cb •= p\jp\\CLI)\
[nn := 0; cj := 1] CLI
which holds.
2.The other case is S{x) which has two sub-cases S{xc) and 5(1)
2a. Correctness of 5(1):
CLI A I  A (cj =  1) 4
[ANY Xb WHERE Xb G 2..10 THEN  m(%);
Cb p ® {xc 4  Xb}[xc] END]CLI
which holds.
2b. Correctness of 5(rcc):
CLI A I  A {cb = p[xc]) [test{p[xc])\ Cb := 1]CLI
Which simplifies (false implication leaves the precondition of test):
((cjj 1 A C(, ^  10) =7^ nn — Cb) A I  A (cj, — [^®c]))
{p[xc\ = nn A p[xc\ G 2.. 10)
i 8  J u ly  6 , 200 8
1.3. typ ograp h ie  convention
whidi holds.
CSP Translation
{En  ^  P} / ,  n;
4  P}p ^(/2[®c])î {7*}/?
{£?n!wc 4  P }p  Wb <— ' n;
{En}.Wc^,Xc 4  P } p  Wb ^
4  P  □ Q}p C H O IC E  P O R  Q E N D
{Pnîw c 4  i f  Wc then P  else Q Wb i—  n;
IF
Wb
T H E N
ELSE
{^}p©{u;c4tui,}
E N D
{<5(p')}p Cb :=  p[p‘]
Table 1.1.: B Mappings to CSP
The third proof obligation ensures that the in operation supplies a parameter satisfying the
precondition of test  This we do directly with annotations saving the need to state and
discharge the CLI. The annotation of in states that test{nn') is next. In the annotations 
approach input/output piping is verified directly in the B. In this thesis the aim is to develop 
controllers from the annotated B and keep the state in the B model.
1.3. typographic convention
The typographic convention in this thesis is as given tables 1.2.
J u ly  6 , 2 0 0 8  1 9
Chapter 1. Background Motivation and Notation
Convention
Table 1.2.: Typographical conventions
type/symbol example/meaning
First time B key 
word introduced 
in text, or
reference made directly 
to the clause it 
introduces
Names of machines 
or operations
Annotation names
First time a concept 
introduced in text or 
used for a while
Executable code extracts 
in text
Example B machine 
operations fragments
B proof obligations
notation introduced 
in BNF
program code fragments 
PC
Definitions
B Key words in 
program fragments 
except BVHDL
BVHDL and BHDL 
specifications
CSP scripts
Change of emphasis 
of a word
CAPITALISE MACHINE
latexed Traffic
SMALL CAPITALS NEXT
typewriter type machine-consistency
typewriter type chan struct DATA aa_chan ;
latexed
latexed
op = PRE Pop THEN Bop END]
[Bop]I
latexed or 1. SKIP  or
typewriter type 1. SKIP
typewriter type signal_a <= signal_b
latexed [T]{Pj) A ...A [T]{Pk)
latexed wp{G 4 ,  Q) =  G 4  wp{Sy Q)
BOLD VARIABLE V i n
CAPITALISED
typewriter type MACHINE aa_SM
typewriter type datatype OPCODE
bold good
J uly  6 , 2 008
2. The N E X T  Annotation
2 .1 . Introduction
This chapter’s contribution is the introduction of the general framework and first fundamental 
annotation NEXT which defines the control flow between two operations. The annotation is 
defined along with the proof obligation to show that it is machine-annotation consistent with 
the machine. Functions are introduced to help elicit information from the annotated machine 
to use in the consistency checking and proof. The CSP control fragments associated with 
the next annotation are introduced along with a set of functions to extract information. In 
Section 2.2, the general framework is introduced. In Section 2.3 a B machine is introduced 
along with the NEXT annotation. The proof obligations and control language fragments 
associated with the annotations are given in subsequent sections.
We restrict our attention in this thesis to correct B machines: those for which all proof 
obligations (PCs) have already been discharged. We use I  to refer to the invariant of the 
machine, T to refer to the machine’s initialisation, Pj to refer to the precondition of the 
operation Opi, and to refer to the body of that operation. The PCs for a consistent 
machine (m ach ine-consisten t) are given in section 2.3.1.
Controllers will be written in a simple subset of the CSP process algebraic language [Hoa85, 
SchOO], and this language will be explained as it is introduced. Controllers are considered as 
p ro cesses  performing events, which correspond to operations in the controlled B machine. 
Thus operation names will appear in the controller descriptions as well as the B machine 
definitions.
2.2 . The General Framework
The framework proposed in this thesis introduces an n o ta tio n s  on B operations as a mech­
anism for bridging the gap between B machines and CSP controllers, while maintaining the 
separation of concerns. The approach consists of the following components:
M achine  D efinition: the controlled component must first be defined and shown to be 
machine consistent.
• A n n o ta te  M achine: the initialisation and the operations in the machine definition 
are annotated with fragments of the requirements for control flow.
J u ly  6 , 2008
Chapter 2 . The n e x t  Annotation
• E stab lish  M ach in e -A n n o ta tio n  C onsistency  Discharge POs between definitions 
and establish consistency of the annotations with the controlled machine. This means 
that the fragments of control flow captured by the annotations really are appropriate 
for the machine.
• Define contro ller: this is a process that describes the overall flow of control for the B 
machine.
• E stab lish  A n n o ta tio n -C o n tro lle r  C onsistency: establishing that the controller is 
consistent with the annotations by showing that every part of the controller is supported 
by some annotation. Annotation-controller consistency is developed in two phases: 
firstly initial-consistency and secondly step-consistency
• R efine an d  tra n s la te : refinement may be needed before a translation to Handel-C 
can be achieved. The translation is the final step and requires additional annotation 
directives to set type sizes and I/O  ports characteristics.
Checking a CSP controller against a machine is thus reduced to checking it against the anno­
tations and verifying that the annotations are appropriate for the machine. The relationship 
between the different parts of the approach are given in Figure 2.1.
ControllerDefinition
MachineDefinition
AnnotatedMachineDefinition
Handel-C
Implementatioi
EstablishMachine-AnnotationConsistency
AnnotateMachine
Establish Annotation- Contr oiler Consistency
DefineController
Refine and Translate
Figure 2.1.: The Process Flow in the Approach.
The framework presented here is quite general, in that it may be applied to both Event-B and 
classical B. Additional annotations may be added along with supporting control operations as
J uly  6 , 2 0 0 8
2.3. The Approach
required, provided that a consistency argument can be developed. The first step to be taken 
is therefore to fix on the control language and the associated annotations to be incorporated 
into the B machine descriptions.
2.3 . The Approach
The approach is demonstrated with a simple model. The annotation considered in this chapter 
is the NEXT annotation. An extremely simple controller language consisting only of prefixing, 
choice, and recursion is used to develop the example.
2.3.1. A B M achine
The B-Method [Abr96] has evolved two major approaches: classical B and Event-B. Annota­
tions can be used in either classical B machines, or Event-B systems. Classical B approaches 
specification in a state-oriented fashion. It focuses on the services that a system might provide, 
whereas Event-B focuses on the events that occur within the system. The generic classical B 
machine M, given in Figure 2.2, has variables, invariant, initialisation, and a set of operations 
OPi through to OPn • The fundermental principles are introduced without 1/O for simplicity. 
I/O  is introduced in chapter 4.
M A C H IN E  M  
V A R IA B L E S u 
IN V A R IA N T  V : t 
IN IT IA L IS A T IO N  v :e u 
O P E R A T IO N S  
O P i =  P i I Pi;
O P 2  =  P 2 ;
O Pn = P n \B n  
E N D
Figure 2.2.: A B Machine.
Classical B is used in this thesis. However, a guarded operation {OP2 ) has been illustrated 
in Figure 2.2 to show the Event-B stylistic approach. In Figure 2.2 the machine operations 
are defined in Guarded Substitution Language (GSL). In classical B all operations must 
be preconditioned (P). Annotated B is derived by taking a B specification and adding the 
annotations (the annotations are not shown in Figure 2.2) introduced in the following chapters. 
The machine operations must be shown to be machine-consistent.
J u ly  6 , 2 0 0 8  23
Chapter 2. The n e x t  Annotation
In classical B machine-consistency with respect to a particular operation is established by 
discharging a number of PO. We will assume for this thesis that machines have had these 
proof obligations discharged. Predicate (1) states that there exists values for the variables (v) 
of the machine that make the machine invariant I  true. Central to the proofe in this thesis 
are predicates (2) and (3) in definition 4. Predicate (2) states that the initialisation T  of 
the B machine establishes the invariant I  of the B machine. The predicate transformer [B]I 
produces a new predicate in which the substitutions of B are made in I. PO (3) is read as 
follows; given a state in which the invariant I  and the precondition P  hold it follows that 
the invariant transformed with B holds. The POs in Definition 4 do not include the POs 
associated with machine constraints, constants or properties as they are not used in examples 
with annotations in this thesis. More details on these can be found in B texts [Abr96] [SchOl].
2.3.2. The Use of th e  term  Consistency
In the following chapters the following consistency terms are used:
• m achine consistency refers to B machines, and means that all the consistency proofs 
given in definition 4 have been discharged.
• refinement consistency refers to B machine refinements, and means that all the 
consistency proofs given in definition 6.0.1 have been discharged.
• m achine-annotation consistency refers to the consistency between machines and 
their annotations, and is established by discharging the PO associated with each anno­
tation in the machine.
• annotation-controller consistency refers to the consistency between the annotations 
and the controller, and is established by showing annotation consistency.
• annotation consistency is the term used for a controller for which initial-consistency 
and step-consistency has been demonstrated.
• in itial-consistency exists if the initial actions of the controller are enabled by the 
annotations of the initialisation of the B machine.
• step-consistency exists when all actions of the controller are enabled by the B machine
• m achine-controller consistency refers to the consistency between the machine and 
its controller, it is established by showing machine consistency, machine-annotation 
consistency and annotation consistency.
Definition 4 (M achine Consistency).
1 3v  • I
2 [T]I
3 P A /  =^[B]/
2 4  J u ly  6 , 2 008
2.4. The NEXT Annotation of a Consistent B Machine
In Event-B, unlike classical B, new operations can be added during refinement. In the exam­
ples in chapter 6 the need for operations in the later stages of refinement are anticipated by 
introducing the signature of the operation with a body defined by the skip operator. The POs 
for Event-B refinement are not adapted. The refinement process may involve adding detail 
to the specification in a consistent way to realise an implementation, which is a key notion in 
B. After introducing the annotations it is shown how annotations can be refined. Refinement 
involves removing non-determinism and adopting concrete types. We add to the concept of B 
refinement with the annotations, by adding the notion of annotation control fiow refinement.
2.4 . The N EX T Annotation of a Consistent B Machine
The NEXT annotation is written in B comments as follows: /* {  list of operations } N E X T * /  
(the short hand form of the annotation is /  * { list of operations }! * /). They are used to 
make the intended execution of a machine’s operations explicit to a reviewer; or user of the 
machine; or synthesis tool. An annotation is associated with an operation in the same way 
that a precondition is. This contrasts with global predicates like the invariant. Annotations 
capture which operation the designer intends to be enabled after the current operation has 
terminated. To ensure that there is no deadlock in the machine every operation must have 
a NEXT annotation^ including the INITIALISATION clause. An example of its use in an 
arbitrary operation OPi is:
D efin ition 5 (NEXT A nnotation Syntax for O perations).
OPi =  {Pi I Bi) i  * { OPj, ..., OPk} N E X T  * j
In definition 5 we state that after the execution of OPi has completed OPj, through to OP}. 
are available to execute. The proof of this claim can be verified by discharging the proof 
obligation in definition 6:
D efinition 6  (NEXT P roof O bligation for O perations). The o p e r a tio n
OPi ~  {Pi \B i)  i *  { OPj, ..., OPk] N E X T  * i  
has the following PO:
{I ^P i=^[Bi]{Pj))  A
A
D efinition 7 ( n e x t  A nnotation Syntax for Initialisations).
INITIALISATION T / *  {OPj , ..., OPk} N E X T  * /
^The range of next annotations aie expanded in chapter 9 to include n e x t  s e q u e n c e  and i n t e r l e a v e d  n e x t  
at which point an operation must have either a n e x t , n e x t  s e q u e n c e  or in t e r l e a v e d  n e x t  annotation.
J u ly  6 , 2 0 0 8  25
Chapter 2. The n e x t  Annotation
D efin ition  8 (P ro o f O bligation  for In itia lisa tio n ). The initialisation 
INITIALISATION T f *  {O P j, ..., OPk} N E X T  * /
has the following PO:
[r](Py) A
A
[P)(Pl:)
where T  represents the body of the initialisation
The NEXT annotation for the initialisation and POs are given in definitions 7 and definition 8, 
respectively.
2.5. Controller Syntax and Auxiliary Functions for n e x t  
Annotations
We start with a simple control syntax in order to develop the framework.
D efin ition  9 (C on tro lle r S yn tax ). Syntactically a basic controller R is given in the fol­
lowing:
R  ::= a —^ R  |
R □ R I 
S{p)
Recursive definitions with a process variable has the following syntax:
S{p) s  R(p)
where S if the process name and p is the process variable. R  is the recursive definition of S  
that is itself defined as above.
In definition 9 event o represents a machine-consistent operation execution (a CSP action 
represents a B machine operation). The prefix a followed by R is valid controller syntax, that 
means after a has occurred the controller is prepared to act like R. The choice between two 
well formed controller fragments R\ and R2 is written Ri D R 2 . A  recursive definition with 
a process variable is written S{p). All basic controllers can be composed with this syntax.
The meaning of annotation consistency is developed using the functions guarded and init 
defined on CSP processes. The functions are used in this and subsequent sections to calculate 
consistency. The guard function checks that control loops are built up from action prefixes. 
This ensures that every operation has a next operation it can legally flow to next, init is always 
non-empty for guarded controller fragments, which is essential as a basis for non-divergence.
2 6  J u ly  6 , 200 8
_______________________________2.5. Controller Syntax and Auxiliary Functions for n e x t  Annotations
D efinition 10 {guarded on CSP Controller Process).
guarded {a R l)  — true 
guarded{Rl □ R2) =  guarded{Rl) A guarded{R2)
guarded{S{p)) — false
We only consider recursive definitions whose definition is guarded, ie.:
S{p) = R{p) where guarded{R{p)) =  true
The set of initial actions of a controller fragment are extracted with the init function which 
is given in definition 11.
D efinition 11 {init on CSP Controller Process).
init{a -)• R l) =  {a} 
init{Rl  □ R2) = init{Rl)  U init{R2)
init{S{p)) =  init{R{p))
where recursive definitions with a process variable has the following form:
S { p )  =  R { p )
For example : init{LOOP) =  a
if LOOP â  a 6 LOOP
The init function plays a key role in the proof that a machine-controller combination does not 
diverge. The init function returns a set that represents the first elements of a given controller 
fragment. The init function is used to develop a relationship between the controller fi'agments 
and NEXT annotations of operations.
We introduce a function to extract the set of operations associated with a NEXT annotations 
in an operation comments to help define consistency.
D efinition 1 2  ( n e x t  A nnotation Listing).
next{OPi) — {OPj,..., OPk} if OPi =  {Pi | Bi)/  * {O P j, ..., OPk} N E X T  * /;
undefined otherwise
J u l y  6 , 2 0 0 8  2 7
Chapter 2. The n e x t  Annotation
The next listing function defined in 12 lists the operations that are enabled by the current 
operation. The init and guard functions are applied to fragments of controllers or operations. 
The dual nature of the next function arises because operations and actions are the same thing 
in the different models. Hence, next{a) and next{a =  {Pa | Ho)/ * A  N E X T  + /)  produce the 
same result. If the next function is applied to an action then the action is unconditionally 
converted into its equivalent B operation. This holds true of all the listing functions defined 
in future chapters.
2.6. Annotation Consistency with Action-Prefix
Establishing annotation consistency is the second step in the development process (see Fig­
ure 2.1) after establishing machine-annotation consistency. Annotation consistency requires 
establishing initial-consistency and step-consistency. Initial consistency is concerned with the 
first step, and step-consistency with subsequent steps.
The notion of initial-consistency is developed over the first action of the controller fragment. 
It must be shown that the first action of the controller {init{M-CTRL))  is enabled by the B 
machine. The machine M  has an initialisation clause that has to execute initially to get the 
machine into a state that satisfies the invariant of the machine. The first action of M -C T R L  
must be enabled by the initialisation of M. Annotation consistency for controllers that con­
tain the basic control elements is defied in two parts; definition 13 (initial-consistency) and 
definition 14 (step consistency).
Definition 13 (A nnotation C onsistency w ith  A ction-Prefix).
1. a —y R
is annotation consistent with Machine M if a 22 is initially consistent with M  and 
a ^  22 is step-consistent with M.
where a ^  22 is initially consistent if a € next{INITIALISATION)
2 . 2210222
is annotation consistent with Machine 212 if 221 and 222 are annotation consistent with 
212.
3. S{p)
2 8  J u ly  6 , 2 0 0 8
2.6. Annotation Consistency with Action-Prefix
is annotation consistent with Machine M  iî R{p) is annotations consistent.
where S  if the process name and p is the process variable. R is the recursive definition 
of S  that is defined as above.
5'(p) is a family of recursive definitions S{p) =  R{p)-
In definition 13 case 1 the fragment a R is  initially-consistent if a is enabled by the machine 
initialisation (a G next(INITIALISATION)), and step-consistency is check with definition 14. 
In case 2 both choices offered must be annotation consistency. In case 3 recursive calls are 
annotation consistent if their recursive definition is annotation consistent.
Annotation consistency is evaluated by testing the cmrent fragment for consistency and break­
ing down the current fragment and evaluating the parts. The S(p) operator is the last operator 
in a control branch. If the evaluation reaches this point in a branch then the evaluation be­
yond this point is assumed to be annotation consistent (as it is recursively defined), and the 
actual annotation consistency of that branch is then only dependent on the fragments that 
make up that branch.
D efinition 14 (Step-C onsistency w ith  A ction Prefix),
1. h ~ ^ R
is step-consistent with Machine M  if init(R) Ç next{b) and R is step-consistent with 
M.
2. R1HR2
is step-consistent with M  if R1 and 222 are step-consistent with M.
3. S{p)
is step-consistent with Machine M,
if R{p) is step-consistent where S{p) = R{p).
J uly  6 , 2008 29
Chapter 2. The n e x t  Annotation
2.7. Proving Termination of Controlled M achines with n e x t  
Annotations
In this section demonstrating annotation-controller consistency is discussed. The proofs in 
this section establish that given machine-annotation consistency and annotation consistency 
it can be shown that every step of the machine-controller pair terminates, which implies non­
divergence: every operation is called within its precondition. The proofs in this section relate 
to NEXT annotations and controllers with prefix actions. The notation of g o o d  traces are 
introduced to assist with proof. A g o o d  trace is a CSP trace that executes operations that 
at each step terminates, passing control successfully to the next operation in the trace as the 
trace evolves. A g o o d  trace is a trace that is not a divergence of M.
D efin ition  15 ( G ood  Traces t r  of C onsisten t C on tro llers  T e rm in a te ), tr  is a good 
trace with respect to machine M if the following holds:
[initialisation; tr] true 
where initialisation is the initialisation of the B machine.
T h eo rem  1 ( NEXT A n n o ta te d  M achine C on tro ller C om binations th a t  a re  M a­
ch in e -A n n o ta tio n  C onsis ten t an d  A n n o ta tio n  C onsis ten t a re  D ivergence F ree).
I f  a NEXT annotated B machine M  is machine-annotation consistent and the controller 
M -C T R L  is annotation consistent with the annotations of machine M  then M \\M -C TRL  
is divergence free.
To prove Theorem 1 we show that only good traces are produced by M -C TRL,  We will 
prove by induction on the length of tr that if the annotations of M  (that include NEXT) are 
machine-annotation consistent and M -C T R L  is annotation consistent and tr is a trace of 
M -C T R L  then tr is good. Hence M  || M -C T R L  it is divergence free as the controller can 
never drive an operation of M outside its precondition. We prove this by induction over cases 
of traces of M -C TRL.
Case (A) (): Initialisation
1 [T]I by consistency of M
2 [Tjirue by[T]I => [T]true
Case (B) (a) G traces{M-CRTL): A single operation occurs.
30 J uly  6 , 2008
2.7. Proving Termination of Controlled Machines with n e x t  Annotations
1 (a) G traces{M-CTRL) and 
M -C T R L  annotation consistent
initial assumptions
2 a G next{INITIALISATION) by 1 and def. of Lemma 1 below
3 [T]Pa by 2 and consistency of annotations 8
4 [T]I by def. of machine-consistency 4
5 [T]{P„AI) by 3 and 4
6 [ r ] (P a A /A [B .] / ) by def. of machine-consistency 4: Pq A 7 =^> [Ba]I
7 (r](P a  A [Ba]<rue) by 7 => true
8 [T]([Po 1 flo]i™e) by definition of P  | H
9 [init', a]true by definition of sequencing in B ;
10 (a) * 5  good
The proof of theorem 1, case B, starts by restating initial-consistency, which implies that 
the singleton event is an element of the B initialisation NEXT annotation. The rules of con­
sistency are used to build up a sequence of operations ( init; a ) that establish true, which 
signifies that the sequence terminates and therefor does not diverge. The empty trace and the 
trace containing one action are special cases. In general traces contain arbitrary number of 
actions (case C), and it is necessary to prove that an arbitrary consistent trace terminates (is 
non-divergent). We need to prove that an arbitrary trace of a consistent machine controller 
pair M \\M -C TR L  is non-divergent. We can assume that t r ' ^ { a ,  b ) € traces{M-CTRL) 
and that M -C T R L  is consistent (controller consistent) and M  is machine consistent.
J u ly  6 , 200 8 31
Chapter 2. The n e x t  Annotation
Case (C) tr ^  (a, 6) E traces{M-CRTL) where tr E traces(M-CRTL)
1 tr ^  (a) is a trace of M -C T R L by prefix closure of traces
2 tr ^  (a) is good by 1 and inductive hypothesis
3 b G next(a) Lemma 2 below
4 Pa A I  ^  [Ba]Pb def. of annotations 6
5 [init\ tr; {Pq | Ba)]true by 1 and def. of good 15
6 [init\ tr]{Pa A [Ba]true) by 5 and def. of | and wp semantics of ;
7 [init] tr]I by def. of machine consistency
8 [init\ tr]I A Pa by 6 and 7
9 [init; tr][Ba]Pb by 8 and 4
10 [init\ tr]Pa A [Ba]Pb by 9 and 6
11 [init\ tr; (Po I Ba)]Pb by 10 and def. of | and wp semantics of ;
12 [init\ tr; {Pa | Ba)]I by def. of machine consistency
13 Pb A I  ^  [Bb]I by def. of machine consistency
14 [init] tr; {Pa \ Ba)]I A Pb by 11 and 12
15 [init] tr; (Pa i Ba)][Bb]I by 13 and 14
16 [init] tr; {Pa | Ba)]{Pb A [Bb]I) by 15 and 11
17 [init] tr; (Pq | Pg); {Pb I Bb)]I by 16 and def. of | and wp semantics of ;
18 [init] tr; {Pa | Ba)] {Pb | Bb)]true by 17 and def. of machine consistency
19 tr ^  (a) ^  (&) zs good by 18 and def. of machine consistency
In the proof of theorem 1, case C, we start with the inductive hypothesis that the sub-trace 
tr '^  { a) is good, lemma 2 allows us to relate good controller traces to machine annotations, 
which gives access to the associated proof obligations. The PO predicates are used to show 
that the arbitrary trace is good.
32 J uly  6 , 2008
2.7. Proving Termination of Controlled Machines with n e x t  Annotations
Singleton Traces are Enabled by Initialisation Annotations
L em m a 1 (S ing le ton  T races a re  E n ab led  by In itia lisa tio n  A n n o ta tio n s). Any action 
of a singleton trace of annotation consistent controller R is also an initialisation annotation:
R initially-consistent A (a) G traces{R) => a G next(INITIALISATION)
Proof of Lemma 1 by structural induction over case of controller fragments: 
case 1 c —> iî
(a) G traces{c -> R)
{c R) initially — consistent 
c G next{INITIALISATION) 
a = c
a G next{TNITIALISATION)
initial assumption
initial assumption
2, annotation consistency def. 13
1 and def. of CSP traces
3,4
QED
case 2
1
2
3
P 10P 2
(a) G traces{{Rl)n{R2))
{R1UR2) initially — consistent 
{a) G traces(Rl) or (a) G traces{R2)
4 sub-case: (a) G traces(Rl)
(P I) initially — consistent 
a G next{INITIALISATION)
7 sub-case: (a) G traces{R2)
8 (P2) initially — consistent
9 a G next{INITIALISATION)
initial assumption 
initial assumption 
by def. of CSP traces
2, def. initial consistency 13 
sub-case 4,5, ind. hypothesis on P I
2, def. annotation consistency 
sub-case 7,8, ind. hypothesis on P2
QED
case 3 S{p)
1 S{p) initially — consistent
2 (a) G traces{S{p))
3 P(p) initially — consistent
4 (a) G traces{R{p))
5 (a) G next{INITIALISATION)
initial assumption 
initial assumption
1, def. annotation consistency
2, S{p) = R{p)
3,4, ind. hypothesis on P (P )
QED
J u ly  6 , 2008 33
Chapter 2. The n e x t  Annotation
In the proof of lemma 1 it is assumed that a controller fragment R is initially-consistent and 
that the singleton trace emanates from R. In the case of the prefixed firagment the initial 
assumption states that the prefix is a member of the INITIALISATION NEXT annotation. 
In the case of the fragment offering a choice both choices are analysed. The proof takes 
advantage of the fact that a sub-fragment is initially consistent.
Arbitrary Traces are Enabled by Annotations
Lemma 2 (Arbitrary length traces o f annotation consistent controllers are enabled  
by annotations). The actions of arbitrary length traces of annotation consistent controllers 
are enabled by operation annotations:
{R annotation consistent consistent A tr (a) ^  (6) G traces{R)) =>■ h G next{a)
Proof of Lemma 2 by Cases of controllers:
case A
c P  step-consistent with M
sub-case: tr =  ()
tr ^  (a) ^  {b) G traces{c -4 P)
(a) ^ (&) G traces{c —> P) 
a = c and (b) G traces{R) 
b G init{R) 
b G next{c) 
b G next{a)
initial assumption
initial assumption 
tr = 0
def. of traces 
4, lemma 3
1, 5, step-consistency def. 14 
4, 6
QED
sub-case: tr ^  ()
9 t r '^  (a) ^  (6) G traces{c -> P)
10 let tr = (e) tr'
11 (e) ^  tr' ^  (a) {b) G traces{c -4 P)
12 e = c A tr' ^  (a) ^  (&) G traces{R)
13 tr' (a) (6) G traces{R)
14 P  step-consistent with M
15 & G next{a)
initial assumption
initial assumption 
11, def. traces 
12 
1
13, 14, inductive hypothesis on R 
QED
34 J uly  6 , 2 0 0 8
2.7. Proving Termination of Controlled Machines with n e x t  Annotations
case B
1
2
3
4
5
P1DP2
t r { a )  (h) E. traces {RID R2) initial assumption
P1DP2 step consistent with M  initial assumption
P I  step-consistent with M  2, consistency def. 14
P2 step-consistent with M  2, consistency def. 14
tr ^  (a) ^  (6) G iraces(Pl) or 
tr ^  {a) {b) E traces{R2) 1, def. trace
sub-case: tr (a) (6) G traces{Rl)
6 b E next{a)
sub-case: t r ^  {a) ^  {b) E traces{R2)
7 b E next{a)
case C S{p)
1 t r ' ^  {a) (6) G traces{S{p))
2 S{p) step-consistent with M
3 t r ' ^  {a) ^  (6) G traces{R{p))
4 P(p) step-consistent with M
5 h E next{a)
3, inductive hypothesis on R1
4, inductive hypothesis on R2 
QED
initial assumption 
initial assumption
S( v )  =  R( r )
2, def. consistency 14
3, 4, inductive hypothesis on R{p)
QED
The Initial Action of a Consistent Controllers
Lem m a 3 (Elem ents o f m achine-controller consistent singleton traces are in in it(R )).
An element of the singleton trace of an annotation consistent controller fragment R which 
controls a machine-annotation consistent machine is contained in the init of R:
R annotation consistent and {b) E traces{R) => 5 G init{R)
Proof of Lemma 3 by cases of controllers:
J u ly  6 , 2 0 0 8 35
Chapter 2. The NEXT Annotation
case A c -> R
1 (&) e traces{c - 4  R)
2 h — c
3 c G init{c -)  R)
4 6 G mP(c - 4  R)
case B P10P2
1 (6) G traces{R\DR2)
2 {b) G traces{Rl) or
(6) G traces[R2)
3 sub-case: (6) G traces{R\)
b G init{Rl) 
h G init{RinR2)
6 sub-case: (6 ) G traces{R2)
7 6 G init{R2)
8 6 G mP(PlDP2)
case C i5(p)
1 (6) G traces{S{p))
2 (6) G traces{{R{p))
3 6 G init{R{p))
4 6 G init{S{p))
initial assumption
1, def. CSP traces 
def. of init 11
2, and 3 
QED
initial assumption 
1, def. of CSP traces
3, inductive hypothesis on P I
6, inductive hypothesis on P2
QED
initial assumption 
S{p) A R{p)
2, inductive hypothesis R{p) 
S{p) = R{p)
QED
2.8. Picturing of n e x t  Annotation
A NEXT annotation of an operation (definition 5) considered in isolation, is pictured as in 
Figure 2.3. Any transition by the current operation will lead to a state that can execute any 
of the operations from opj through to opk.
36 J u ly  6 , 200 8
2.9. Examples Utilising n e x t
opi
OPk
Figure 2.3.: Picturing the {opj,opifc}NEXT Annotation of opi
2.9. Examples Utilising n e x t
The NEXT annotation will be used commonly when developing operations in B machines. 
This annotation captures execution sequences. The next step or choices between several next 
steps can be captured.
A simple traffic control system for the main street of the walled City of Carcassonne is 
specified. The main street is narrow and is heavily used by tourists and some motor vehicles 
brave enough to edge through the crowds. The system must allow traffic up into the city 
market square from the moat or down from the square to the moat gate along the same single 
width road. Ideally the system should allow time for motor vehicles to clear the road before 
changing direction and give the tourist time to wander on the road without traffic, but the 
details of timing have been abstracted away. One of the traffic lights is set to go (Aller) 
at a time then turn to stop (Arret), A choice is offered as to which light goes next. The 
Traffic machine has a SETS clause that describes the set COMMAND that can command 
Arret or Aller, The state VARIABLES are Moat and Square, which represent traffic lights. 
The INVARIANT types the state variables asserts that either Moat or Square must be set 
to Arret, The INITIALISATION sets Moat and Square to Arret. The INITIALISATION 
annotations requires that the first command to be executed shall be Arret-All, The Arret-All 
operation sets the traffic lights to Arret. The Aller^Moat sets the Moat traffic light to go 
when both lights are Arret, The AllerSquare  sets the Square traffic light to go when both 
lights are Arret. The machine fulfils the requirement that traffic only travels in one direction. 
A B machine that allows an external party to choose between the traffic flows is given in 
Figure 2.4. Its derived controller is given in Figure 2.5.
The consistency PO of the Traffic machine 2.4 and controller 2.5 is calculated by first showing 
the POs hold then showing the annotations enable the controller sets. The Traffic machine 
POs are discharged in Figure 2.6, which shows that the machine is machine-annotation con­
sistent. The consistency check is undertaken by stepping through each annotation path until 
each annotation jump has been checked for consistency once. The consistency of the con­
troller with respect to the annotations is given in the proof detailed in Figure 2.7. The proof
J uly  6 , 2008 37
Chapter 2. The n e x t  Annotation
M AC H INE Traffic
SETS COMMAND =  {Arret, Aller)
VARIABLES Moat, Square 
IN V A R IA N T
Moat : COMMAND A Square : COMMAND A {Moat — Arret V Square = Arret) 
INITIALISATIO N Moat, Square := Arret, Arret /  * {Arret-A ll)NEXT  * /
O PERATIO NS
Arret-All = PR E  True T H EN  Moat := Arret A Square := Arret EN D
/  * {Aller-Moat, A llerSquare)N EXT  * /; 
Aller-Moat = PR E  Moat =  Arret A Square =  Arret T H EN  Moat := After END
/  * {Arret_Aff}NE%T * /;
AllerSquare  =  P R E  Moat =  Arret A Square =  Arret TH EN  Square := After EN D
/  * {Arret-AffjiVEXr * /
EN D
Figure 2.4.: Traffic Machine
Traffic-CTRL =  S-C TR L
S-C TR L  =  Arret_Aff -■> {{Aller-Moat -4 S-CTRL)  □
{AllerSquare —> S-CTRL))
Figure 2.5.: Traffic Controller 
is built up from the process variables that are initially- and step- consistent by definition.
3 8  J uly  6 , 2 0 0 8
2.9. Examples Utilising n e x t
1 INITIALISATION PO : [T]PArret-AH
=  [Moat, Square := Arret, Arret] True 
=  True
2 Arret—All operation PO : I  A P A r r e t — A l l  [ ^ A r r e t — A l l \ T A l l e r — M o a t
= {Moat : COMMAND A
Square : COMMAND A {Moat =  Arret V Square = Arret)) =»
[Moot := Arret A Square := Arret]{Moat =  Arret A Square = Arret)
=  ÎVoe
3 Arret-All operation PO l /A  p  A r r e t — A l l  ^
=  (Moot : COMMAND A
Square : COMMAND A {Moat = Arret V Square = Arret))
[Moot := Arret A Square := Arret](Moot =  Arret A Square — Arret)
=  !Z>we
4 Aller—Moat operation PO i Z A Paiicv M o a t  [-^ Aiier AïTct A l l
= {Moat : COMMAND A
Square : COMMAND A {Moat =  Arret V Square = Arret)) A 
(Moot =  Arret A Square = Arret) [Moot := After] True 
=  [Moot := After] T^oe 
=  ÎVoe
5 AllerSquare operation PO l I  f\ PA l l e r S q u a r e  ^  A l l e r S q u a r e ] ^ A r r e t — A l l
=  {Moat : (70MMAJVD A
Square : COMMAfVD A {Moat — Arret V Square = Arret)) A 
{Moat = Arret A Square =  Arret) =*- [^goore := After] Zboe 
=  [5goore := Arret] TVoe 
=  Th-ue
Figure 2.6.: Traffic Machine POs
J u ly  6 , 2 0 0 8  3 9
Chapter 2 . The n e x t  Annotation
The goal is to show that the Traffic-GTRL is annotation-controller consistent
1 S-C T R L  step-consistent
2 init{S—CTRL) Ç next{ Aller Square)  
{AllerSquare —> S-CTRL)  step-consistent 
init{S-CTRL)  Ç next{Aller-Moat) 
{Aller-Moat S-CTRL)  step-consistent
{Aller-Moat —> S-CTRL)  □
{AllerSquare —> S-CTRL)  step-consistent
init {{Aller-Moat —> S-CTRL)  □
{AllerSquare —> S-CTRL)) Ç next{Arret-All)
8 Arret-All
{{Aller-Moat S-CTRL)  □ 
{AllerSquare S-CTRL))
by definition 14
by inspection
by 1,2 and definition 14
by inspection
by 1,4 and definition 14
by 3, 5 and def 14
by inspection
by 6, 7 and definition 14
9 Traffic-CTRL step-consistent
step-consistent
by 1 and definition 14 
QED
Figure 2.7.: TVaflfic Controller Consistency
40 J u ly  6 , 200 8
3. The F R O M  and q u e r y  Annotations
The contribution of this chapter is adding an interrupt and query annotation, and the in­
terrupt CSP operator to the control language. The query annotation indicates that the 
operation it annotates does not change the state of the machine. Adding new annotations 
to the framework follows the same definitional process set out in chapter 2, The three inter­
rupt annotations will be introduced in the following sections: the PROM-ANY, PROM-SET, and 
PROM-SET-INIT. These annotations are used with the NEXT annotation in defined combina­
tions. We do not rely on the from annotations to establish initial-consistency. There must be 
a NEXT annotation in the INITIALISATION and in every operation. In this thesis we restrict 
the annotations in operations to, at most, one from annotation accompanied with, at least, 
one next type annotation. The FROM-ANY and NEXT annotations produce very similar POs. 
In fact the fi:om annotations can be expressed in terms of the n e x t  annotation. This is not 
done for the following reasons:
• It is clearer when the annotation is put in as few places as necessary.
• The FROM I/O  annotation is implemented in a different way to the n e x t  annotation.
• FROM s ign ifies  a  d ifferen ce  to  n orm a l lo o p in g  b eh a v io u r  d efin ed  b y  th e  n e x t  a n n o ta ­
t io n s .
3.1. The FROM  annotations
3.1.1. The PR O M -A N Y  A nnotation of a C onsistent B M achine
The PROM-ANY annotation (the short form of the annotation is /* ! {*} * /) is added to an
operation to indicate the use of interrupting B operations that can follow any operation of the
machine or INITIALISATION. An example of its use in an arbitrary operation OPi without 
the required NEXT annotation is:
D efinition 16.
OPi = {Pi I B i ) /  * F R O M  -  A N Y  * /;
In the above we state that after the execution of any operation of the machine, OPi will always 
be available for execution. The annotation gives rise to the proof obligation in definition 17 
and definition 18:
J u ly  6 , 2 0 0 8  4^
Chapter 3. The fr o m  and q u e r y  Annotations
Definition 17 ( fr o m -A N Y  P roof Obligations for O perations).
Vop e  OPERATIONS  • {Pop A /)  [Bop]Pi
Definition 18 ( f r o m - a n y  P roof O bligations for Initialisations).
[T]Pi
An operation annotated with a FROM-ANY annotation can be executed after any other op­
eration of the machine. In definition 17 we investigate whether the interrupting operation 
is enabled after the execution of each of the other operations. If the invariant were strong 
enough it would already capture the notion of a state that holds after any operation has 
executed. Consider an invariant that insists the following: ææ G N. If every operation and 
the initialisation of the machine makes xx even the invariant could have been strengthened 
to zz € N  A XX mod 2 =  0. Another approach to developing the PO for the FROM-ANY 
annotation is given in definition 19.
Definition 19 (A lternative f r o m - a n y  P roof O bligations for O perations).
I P i
If the PO in definition 19 can not be discharged there are two choices: (1) strengthen the 
invariant to Z A P,-, or if that is not permitted; (2) use the POs defined in 17 instead. The 
FROM-ANY annotation can be used in the same operation as the NEXT annotation.
3.1.2. The PRO M -SET A nnotation of a Consistent B M achine
The FROM-SET annotation extends the notion of interrupt by restricting the operations of a 
particular machine to a defined subset. The FROM-SET annotation is written /  * FROM -  
SET{OPj , . . . ,  OPf;} * /  (the short form of the annotation is /* \ x { O P j , ..., OPk]  * /)• This 
annotation is added to indicate the use of interrupting B operation that can follow any 
operations listed in the annotation. The set can not contain the initialisation.
A special annotation is introduced in the next section ( f r o m -SET-INIt ) to capture the pos­
sibility of interrupting after a given set of operations or the initialisation. The reason that 
a special annotation is required is to do with the status of the initial action of the machine 
as compared to operation actions of the machine. The initialisation is not in the set of 
operations and therefore can not be invoked by the controller. The initialisation is not a 
language element of the controller nor the annotations. However, knowing if an operation 
can interrupt directly after the initialisation of the machine will have structural consequence
^ 2  JULY 6 , 2 0 0 8
3.1. The PROM annotations
for the construction of the controller. Because the initialisation action can not be added to, 
or left out of, the set of operations associated with the p r o m - s e t  annotation in a straight 
forward way, a separate annotation is introduce: FROM-SET-INIT. The POs associated with 
the FROM-SET-INIT annotation prove that the operation it is associated with can follow any 
of the operations in the associated set or the initialisation.
An example of its use in an arbitrary operation OPi is:
D efinition 20.
OPi = {Pi I Bf) / * F R O M  -  S E T { O P j , OPjt} * /;
In the above we state that after the execution of any of the operations in the given set 
(O Pj,..., OPk)} OPi will always be available to execute. The annotation gives rise to the 
following proof obligation in definition 21:
D efinition 21 ( FROM-SET P roof O bligation for O perations).
Vop G {OPj,..., OPk) ’ {Pop A /) => [Bop]Pi
The FROM-SET annotation can be used in the same operation as the NEXT annotation, but 
not with FROM-ANY.
3.1.3. T he F R O M -SE T -IN IT  A nnotation of a Consistent B M achine
This annotation has the initialisation implicitly added to the set of allowable operations to 
interrupt. The f r o m -SET-i n i t  annotation is written FROM-SET-INIT {O P j,..., OPk} * /  (the 
short form of the annotation is /*  l^ { O P j,..., OPjt} * /) . This annotation is added to indicate 
the use of interrupting B operations that can follow any operations listed in the annotation 
plus the initialisation. An example of its use in an arbitrary operation OPi is:
D efinition 22.
OPi =  {Pi I Bi) /  * F R O M  -  S E T  -  INIT{OPj , . , . ,  0P&} * /;
In the above we state that after the execution of any of the operations in the given set or 
the initialisation, OPi will always be available to execpte. The annotation gives rise to the 
following proof obligations in definition 23:
J u ly  6 , 2008 43
Chapter 3. The FROM and QUERY Annotations
Definition 23 ( f r o m - s e t - i n i t  Proof Obligation).
(V op € { O P j , O P k ]  • [Pop A Z) => [Bçp]Pi) A
[T]Pi
The FROM-SET-INIT annotation can be used with the same operation as the n e x t  annotation, 
but not with FROM-ANY.
3.1.4. Controller Syntax and Auxiliary Functions with f r o m  A nnotations
The addition of the FROM annotation permits the extension of the controller syntax to include 
a global interrupt operator and conditional interrupts. The syntax of the controller, Z2, 
extended with the defined interrupt is given in definition 24.
Definition 24 (Controller Syntax).
R ::= a —> Z2 |
R O  R \
R A R \
R A x R \  
RA^ x R\
S{p)
Recursive definitions with a process variable has the following syntax:
S ( p )  =  R { p )
where R is defined as above.
The operators added to definition 9 are discussed. The global interrupt operator. A, permits 
the second controller fragment R  to interrupt the former at any point including before the 
first action of the former has been performed. The defined interrupt operator A% permits the 
controller fragment to the right of the operator to interrupt the former controller fragment 
stated to the left of the interrupt, immediately after the execution of any operation in the set 
X .  The set X  of A x  may contain all the operators of the machine, but this does not make 
it operationally equivalent to the A operator. The difference is maintain by properties of the 
A operator, which permits the interrupting control fragment to cut in after the initialisation. 
The interrupting control fragment of the A% operator may not cut in directly after the 
initialisation, what is more the X  set may not contain the initialisation. The A ^  operator 
overcomes this limitation. This operator has all the functionality of the A% operator plus 
the interrupting fragment of the A ^  operator may cut in directly after the initialisation. 
Effectively, the A)^ operator is like the A ^  operator with the initialisation included m  X .  K 
possible use of an FROM-ANY annotation is exampled below.
4 4  J u ly  6 , 2 008
3.1. The PROM an n o ta tio n s
OPi = {Pi I Bi)/ ♦ F R O M  -  A N Y  *//* { O P j } N E X T  * /;
The meaning of consistency is extended by updating the guarded and init functions. 
D efin ition  25 {init on  C S P C o n tro lle r  P ro cess).
init{a -> R l)  =  {a}
init{Rl  □ R2) =  init{Rl)  U init{R2)
init{Rl A B2) =  init{Rl)  U init{R2)
init{Rl A x  R2) =  init{Rl)
init{Rl A x  B2) =  init{Rl)  U init{R2)
init{S{p)) = init{R{p))
Note that the recursive definition of S{p) is given as follows: S{p) =  R{p)
For example : init{LOOP) =  a
if LOOP ~ a ^ b - ^  LOOP
D efin ition  26 {guarded on  C S P  co n tro lle r p rocess w ith  g lobal in te r ru p t) .
guarded{a -> B l) =  true 
guarded{Rl □ R2) =  guarded{Rl) A guarded{R2) 
guarded{Rl A  R2) = guarded{Rl) A guarded{R2) 
guarded{Rl A% R2) = guarded{Rl) A guarded{R2) 
guarded{Rl A ^  R2) = guarded{Rl) A guarded{R2)
guarded{S{p)) ~  false
eg, guarded{a -> P A x  S{p)) = true
Only recursive definitions {S{p) =  R{p)) which have definitions R{p) that are guarded are 
considered, as in the previous chapter: guarded{R{p)) =  true must be true
Hence S{p) =  R{p)  defined if guarded{R{p)) = true
The listing function is extended to support the new annotation and introduce new functions 
to deal with the from annotations. The functions defined apply equally to the short form.
J u ly  6 , 2 0 0 8  45
Chapter 3. The p rom  and q u e r y  Annotations
Definition 27 (f r o m -ANY Annotation Listing).
from — any(OPi) = true if OPi =  (Pj | B i ) /  * F R O M  -  A N Y  * /; 
from — any {OP i) = false otherwise
Definition 28 (f r o m -set Annotation Listing).
from -  set{OPi) =  % if OPi =  {Pi | B ,)/ * FROM  -  SET X  * /;
from — set{OPi) =  undefined otherwise
Definition 29 (f r o m -set-init Annotation Listing).
from -  set -  init{OPi) = X  if OPi = {Pi | Bj)/ * FROM -  SE T  -  IN IT  % * /;
from — set — inii{OPi) =  undefined otherwise
The denotational definitions of interrupt given in definitions 30, 31 and 32 extends the CSP 
definition of interrupt to take account of the conditional nature of the definitions.
Definition 30 (Trace Definition of A).
traces{Rl A R2) = { tr l  tr2 | t r l  G (races(Bl) A tr2 G traces{R2)}
Definition 31 (Trace Definition o f A%).
(races(Bl A% B2) =  { (rl (r2 | ( r l  G (roces(Bl) A
last{trl) G X  A (rg G traces{R2)} U traces{Rl)
D efinition 32 (Trace Definition o f A-,^).
traces{Rl B2) =  traces{Rl A% B2) U traces{R2)
In definition 30 the case when B l is not interrupted is captured by (rg =  (). In definition 31 
the case when B l is not interrupted is captured by traces{Rl). Hence traces{Rl) is unionned 
with { (rl (r2 | ( r l  G traces{Rl) A last{trl) G X A (rg G traces{R2)), The function last 
returns the last element of the trace. If B l is interrupted then the last action of B l must be 
in the set A. In definition 32 the case when B l is not interrupted is captured by definition 31. 
The interrupt may happen before B l starts so traces{R2) is unionned in.
3.1.5. A nnotation Consistency with Interrupts
M  is machine-controller consistent with M —GTRL if guarded{M —CTRL) is true, M  is machine- 
annotation consistent and M -C T R L  is annotation consistent (initially-consistent and step- 
consistent - initial-consistency is considered for init{M —CTRL)). In short, an action of a
46 J u ly  6 , 2008
3.1. The PROM a n n ota tion s
controller is consistent if the B machine M enables it. The machine M has an initialisation 
clause that has to execute initially to get the machine into a state that satisfies the invariant 
of the machine. The first action of M -C T R L  must be the initialisation of M.
D efinition 33 (A nnotation C onsistency w ith  Interrupts).
!.. a R
is annotation consistent with Machine M if a —> B is initially consistent and 
a R is step-consistent with M
a -> B is initially-consistent if a € next{INITIALISATION)
2. B l □ B2
is annotation consistent with Machine M if B l and B2 are annotation consistent with 
M.
3. B l A B2
is annotation consistent with Machine M if B l is annotation consistent and 
V op G init{R2) • from — any{op) =  true and B2 is step-consistent with M
4. B l A x  B2
is annotation consistent with Machine M  if B l annotation consistent with M and 
if Vop e init{R2) ' X  Ç /rom — se((op), and B2 is step-consistent with M
5. B l A ^  B2
is annotation consistent with Machine M  if B l is annotation consistent with M  and 
if V op G init{R2) • X  Ç from set- i{op ) ,  and B2 is step-consistent with M
6. S{p)
is annotation consistent with Machine M
A family of recursive definitions S{p) = B(p) is annotation consistent with M ’s an­
notations if each B(p) is annotation consistent with M ’s annotations.
J u ly  6 , 2008 47
Chapter 3. The p rom  and QUERY Annotations
When an interrupt occurs there is a break in the normal looping control behaviour. Normal 
control flow behaviour is captured with n e x t  annotations in the B machine. Interrupt be­
haviour is capture in the machine with FROM annotations. The FROM annotation in machines 
relates to interrupts in the control language, whereas NEXT annotations relate to pre-fixes and 
external choices in the control language. Both normal and interrupt behaviour are justified 
with POs.
Annotation consistency of B l AB2 is developed with respect to three types of execution. There 
are two extreme behaviours. If B2 never interrupts B l then B l must be annotation consistent. 
At the other extreme B2 interrupts before B l starts hence B2 must be annotation consistent. 
However, this must be established by reference to the POs (V op € OPERATION  • Pop A 
Z ) => [Bop]Pi (all operations are enabled by the initialisation action of the machine)), 
which follow from V op G init{R2) • from — any{op) =  true (all the initial actions in 
B2 are FROM-a n  y  annotated). Annotation consistency can not be established recursively 
by calling on the definition for Annotation Consistency, definition 33, as was the case for 
B l which may establishes initial consistency with the n e x t  annotations in clause 1. An 
interrupt control fragment like B2 would not be part of the normal flow of the machine so 
would not be supported with NEXT annotations. In the case of B2 if the PO is discharged 
then it has been shown that it can follow an initial action of a machine. All that is left 
to do is establish it continues on correctly, hence B2 must be step-consistent. In summary 
B IA  B2 is annotation consistent if B l is annotation consistent and B2 is step-consistent. 
There are different considerations to be taken into account when considering B l A ^  B2. 
B l must engage in some events before B2 can interrupt. Not allowing B2 to interrupt the 
initialisation means that B2 only need be step-consistent. B l R2 follows the same pattern 
as B l A B2.
Definition 34 (Step-C onsistency w ith Interrupts).
The step — consistency of the controller fragment B is defined as follows:
1. 6 -> B l
is step — consistent with Machine M  if init{Rl)  Ç next{b)) and 
B l is step-consistent with M
2. B l □ B2
is step-consistent with Machine M if B l and B2 are step-consistent with M.
3. B l A B2
is step-consistent with Machine M if R l is step-consistent with M  and 
if Vop G init{R2) • from — any{op) =  true and B2 is step-consistent
48  J u ly  6 , 2008
3.1. The FROM an n ota tio n s
4. B l A;f B2
is step-consistent with Machine M if B l is step-consistent with M  and 
V op e init{R2) • X  Ç from — set(op) and B2 is step-consistent with M
5, B l A ^  B2
is step-consistent with Machine M  if B l is step-consistent and B2 is step-consistent 
with M  and V op G init(R2) • X  Ç from — set — init {op) X
6. S (p )
is step-consistent with Machine M
A family of recursive definitions 6" =  B is step-consistent with M ’s annotations if each 
B is step-consistent with M ’s annotations.
The treatment of the interrupt operators in terms of step-consistency is similar to the treat­
ment given in the case of annotation-cqnsistency. The step-consistency of the interrupting 
operators is established by considering the two possible behaviours that the operator might 
give rise to: the option to interrupt may or may not be taken where it is offered. The an­
notations in the B machine are shown, by discharging all the associated proof obligations, to 
support either outcome. The definition of the consistency for the from annotations includes 
a check to examine if the from annotation is present. In the case of the global (f r o m - a n y ) 
interrupt as the interrupt can occur after any operation we simple test both possible paths: 
the interrupt is taken (consider the interrupt path B2) or the interrupt is not taken (consider 
the normal path B l).
3.1.6. Proving Term ination of Controlled M achines with f r o m  A nnotations
The proofs in this section establish that it is enough to demonstrate annotation-consistency 
(given machine-annotation consistency) to show that the every step of the machine-controller 
pair terminates, which implies non-divergence: every operation is called within its precondi­
tion. The proofs in this section extend section 2.7 by introducing new proofs for machines 
with FROM annotations and controllers with interrupt operations.
We repeat the proof of theorem 1 in light of the new operators and new step-consistency def­
initions. We show that only good traces are produced by M -C TRL.  Hence M |j M -C T R L  
is divergence free. We reason over the lengths of the traces in the proof.
The theorem is restated as follows:
T h eo rem  2 (M ach in e-A n n o ta tio n  C o n sis ten t M achines a n d  A n n o ta tio n  C onsis­
te n t  C o n tro lle r  C om binations  a re  D ivergence F ree). I f  a from annotated machine M
J u ly  6 , 2 0 0 8  4 9
Chapter 3. The fr o m  and q u e r y  Annotations
is machine-annotation consistent and its controller M —CTRL is annotation consistent then 
M \\M -GTRL is divergence free.
We prove by induction over length of traces that traces of M -G TR L  are non-divergent.
The proof that arbitrary length traces are non-divergent:
Case (A) ()
Entirely similar to  the proof of 
theorem  1, page 30, Case A.
Case (B) (a) G traces{M-CRTL)
1 (a) G traces{M-CTRL) and
M -C T R L  annotation consistent
2 a G next{INITIALISATION) V 
from-any(a)V 
from-set-init(a) {}
3 [T]Po
4 [T]I
5 [ r l (P „ A /)
Entirely similar to  the proof of 
theorem  1, page 30, Case B lines 6 to end
initial assumption 
1, Lemma 4 below
by def. of PO of 
annotations in all cases
by of machine-consistency def. 4
by 3 and 4
50 J u ly  6 , 2 008
3.1. The FROM a n n ota tion s
Case (C) tr (a, b) € traces{M-GRTL) where tr G traces(M-CRTL)
1 {tr '^  a) is good by inductive hypothesis
2 & G next{a) V 1 and Lemma 5 below
from — any{b) V
a G from — set{b) V 
a G from — set — init{b)
3 Pa A I  => [Ba]Pb def. of annotations in all case
Entirely similar to  th e  proof of
theorem  1, page 30, Case (C) lines 5 to  end.
Singleton Traces are Enabled by Initialisation Annotations
Lem m a 4 (Singleton Traces are Enabled by Initialisation A nnotations). The actions 
of singleton traces from the annotated consistent controller R are enabled by initialisation 
annotation or from annotation in the associated machine-annotation consistent machine:
{machine — controller consistency A
(a) G traces{R)) (a G next{INITIALISATION)  V
from — any {a) y  from ~ set — init {a) ^  {})
Proof of Lemma 4 by structured induction over cases of controller fragments: 
case 1 {c R)
1 (a) G traces{c -4 R) initial assumption
2 {c ^  R) annotation consistent initial assumption
3 c G next{INITIALISATION)  2, def. of annotation consistency 33
4 a =  c 1 and def. of traces
5 a G next{INITIALISATION)  3,4
6 a G next{INITIALISATION)  V 5 and V
from — set — init{a) 7  ^ {} V 
from — any {a)
QED
The annotation consistency of (c —^ R) infers that c G next{INITIALISATION).  Although 
the initial action of a controller can be provided by an interrupting control fragment intro­
duced with a FROM-ANY or FROM-SET-INIT annotation, the interrupt is not introduced in the 
control fragment being considered. Hence line 3 of the proof uses only the n e x t  annotation.
J u ly  6 , 2 0 0 8  51
Chapter 3. The PROM and q u e r y  Annotations
case 2 B l □ B2
1 (a) e traces{{R1)0{R2))
2 (B10B2) annotation consistent
3 (a) G traces{Rl) or (a) G traces{R2)
4 sub-case: (a) G (mces(Bl)
5 B l annotation consistent
6 a G next{JNITIALISATION) V 
from -  set -  init{a) V 
from -  any (a)
7 sub-case: (a) G traces{R2)
8 B2 annotation consistent
9 (a) G next{INITIALISATION)  V 
/rom — set — init{a) ^  {} V 
from — any {a)
initial assumption 
initial assumption 
by 1 and def. of CSP traces
by 2 and
def. annotation consistency 33 
sub-case 4,5, inductive hypothesis 
on B l
by 2 and
def. annotation consistency 33 
sub-case 7,8, inductive hypothesis 
on B2
QED
Case 2 (B l O B2) considers the two controller fragments B l and B2 separately. Line 6 and 
9 use the inductive principle that allows the assumption of the conclusion of the lemma to 
apply to the sub-cases. The work of the proof is focused only on showing that the combination 
of B l and B2 maintains the inductive assumptions, which is trivially true as a consequence 
of the or connective introduced in line 3. Cases 4, 5 and 6 use the inductive principle in a 
similar way.
52 J uly  6 , 2008
3.1. The PROM a n n ota tion s
case 3 B l A B2
(a) G (races(BIA B2) initial assumption
(B l A B2) annotation consistent initial assumption
(a) G (races(Bl) or
(a) G traces{R2) by 1 and def. of CSP traces
4 sub-case: (a) G (races(Bl)
B l annotation consistent 2, def. annotation consistency
0  G next{INITIALISATION) V sub-case 4,5 inductive hypothesis on B l
from — any {a) V
from — set — any {a) ^  {}
7 sub-case:
9
10 
11 
12
(a) G traces{R2) 
y  op e init{R2) • 
from — any {op) =  true 
from — any{c) 
a=c
from — any {a)
a G next{INITIALISATION) V
/rom -  any {a) V
/rom — se( — any(a) {}
by 2
by 8,c G init{R2) 
by def. traces 
by 10, 9 
by V and by 11
case 4 B l A x  B2
1 (a) G (races(Bl A% B2)
2 (B l A% B2) annotation consistent
3 (a) G (races(Bl)
4 B l annotation consistent
5 a G next{INITIALISATION)  V
from — any {a) V
/rom — se( — any {a) ^  {}
QED
initial assumption 
initial assumption 
by 1 and def. of CSP traces
by 2, and def. annotation consistency 33 
sub-case 3,4 inductive hypothesis on B l
QED
J uly  6 , 2 0 0 8 53
Chapter 3. The pr o m  and q u e r y  Annotations
case 5 B l AL B2
(a) G (races(Bl A ^  B2)
(B l A ^  B2) annotation consistent
(a) G (races(Bl) or (a) G (races(B2)
4 sub-case: (a) G (races(Bl)
B l annotation consistent
a G next{INITIALISATION) V
from — any {a) V
from -  set -  any {a) i=^ {}
initial assumption 
initial assumption 
def. of CSP traces
by 2 and def. of 
annotation consistency 33 
sub-case 4, 5 and 
inductive hypothesis on R l
sub-case 4,5, inductive hypothesis on B l
7 sub-case: (a) G traces{R2)
8 V op G init{R2) • from — set — any{op) =  true
9 from — set — any{c) ^  {}
10 a=c
11 from -  set -  any{a) ^  {}
12 a G next{INITIALISATION)  A 
from — any {a) A
from — set — any{a) {}
by 2
by 8,c G init{R2) 
by def. traces 
by 10, 9 
by V and by 11
QED
case 6 S{p)
1 S{p) annotation consistent
2 (a) G traces{'S{p))
3 R{p) annotation consistent
4 (a) G traces{R{p))
5 (a) G next{INITIALISATION) V
from -  any (a) V
from — set -  init{a) ^  {}
initial assumption 
initial assumption 
1, def. annotation consistency 
inductive hyp. on B(p) 
def. annotation consistency
QED
54 J uly  6 , 2 0 0 8
3.1. The PROM a n n ota tion s
Arbitrary Traces are Enabled by Annotations
L em m a 5 (A rb itra ry  len g th  tra c e s  o f a n n o ta tio n  consis ten t con tro lle rs  a re  enab led  
by a n n o ta tio n s ) . The actions of arbitrary length traces of annotation consistent interrupt- 
ible controller fragments are enabled by operation annotations in the associated machine- 
annotation consistent machine:
{R annotation consistent A t r ' ^  (a) (6) G traces{R)) b G next{a) V 
from — any{b) V 
a G from — set{b) V 
a G from — set — init{b)
Proof of Lemma 5 by Cases of controllers; 
case A c -> B
c R  annotation consistent with M  initial assumption
sub-case: tr = ()
2 t r ^  {a) ^  {b) G traces{c —)• B)
3 (o) (&) G traces{c -> B)
4 o = c and (&) G traces{R)
5 & G init{R)
6 ft G next{c)
7 ft G next{a)
8 ft G next{a) V
from — any{b) V
a G /rom — set{b) V 
a G /rom — set — init{b)
sub-case: tr ^  ()
9 tr {a) ^  (ft) G traces{c —> B)
10 (r =  (e) tr'
11 (e) ^  tr' (a) ^  (ft) G traces{c -> B)
12 e = c A tr' (a) (ft) G traces{R)
13 (r' (a) (ft) G (races(B)
14 B annotation consistent wBft, M
15 ft G next{a) V 
/rom — any{b) V
a G /rom — se((ft) V 
a G /rom — se( — init{b)
initial assumption 
tr =  0
def. of traces 
4, lemma 6 below 
by 1, and 5 
by 6, and 4 
by 7 and V
QED
initial assumption
initial assumption 
11, def. traces 
12
by inductive hypothesis
from def. annotation consistency 34 
QED
J u ly  6 , 2008 55
Chapter 3. The pr o m  and q u e r y  Annotations
The proofs have exactly the same form as the proofs in lemma 2. They have been reproduced 
because they point to different lemmas. When considering the first two elements of the 
traces of the fragment c ^  B, in the first sub-case, it must be remembered that the event c 
must occur first. Here c is introduced using the prefixed control element, which can only be 
introduced in turn, using the n e x t  annotation. It can not be assumed that from annotations 
relates a and b as there is no explicit mention of a interrupt operator in the control fragment.
case B B l □ B2
tr ^  (a) ^  (6) € traces{R10R2)
B l □ B2 annotation consistent with M  
R l  annotation consistent with M  
R2 annotation consistent with M  
tr ^  (a) ^  (6) G traces{Rl) or 
(r ^  (a) (6) G traces{R2)
initial assumption 
initial assumption 
2, def. consistency 34 
2, def. consistency 34
1, def. trace
sub-case: tr (a) {b) E traces{Rl)
6 ft G next{a)y
from — any{b)y 
a G from — set{b)
a G from — set — init{b)
3, inductive hyp. on B l
sub-case: tr ^  (a) ^  (ft) G traces{R2)
7 ft G next{a)y
from -  any{b)y 
a G from — set{b)
a G from — set — init{b)
4, inductive hyp. on B2
QED
56 J u ly  6 , 2008
3.1. The FROM an n otation s
case C R1 A R2
tr ^  (a) {b) € traces{Rl A R2)
R1 A  R2 annotation consistent with M  
i î l  annotation consistent with M  
R2 annotation consistent with M  
tr (o) (6) = tvi '^  tv2
(in =  t r ^  (a) (6) A = () ) V
(in = tr '^  {a) A tr2 =  (6) ) V 
(in = ira (a) (6) A
tri = {))
initial assumption 
initial assumption 
2, def. consistency 34 
2, def. consistency 34 
by traces def. 30 
where iri G traces(Rl)A 
tr2 € traces{R2)
by 5
sub-case: tri = tr (a) ^  (6)
7 tri ^  (®) (6) E traces{Rl)
8 6 G next{a) V 
/row — any{b) V
a G /rom — set(6) V 
a G jrom — act — init{b)
sub-case: tri = tr^ (a) A trg = (&)
9 tr ^  (a) G traces{Rl) A (6) G traces{R2)
10 6 G init{R2)
11 from -  any{b)
12 6 G neæt(a) V 
/rom — any{b) V
a G /rom — set(&) V 
a G from — set — init{b)
sub-case: trg = trg ^  (a) (6)
13 tra (a) (6) G traces{R2)
14 6 G next{a) V 
/rom — any{b) V
a G /rom — set(&) V 
a G /rom — set — init{b)
by 5 and 6
3,7, inductive hypothesis on R1
by 5 and 6 
def. of init 25 
2, 4 and def. of 
annotation consistency 34 
by 11 and def. of V
by 5 and 6 
by 4,13 and
inductive hypothesis on R2
QED
J u ly  6 , 2008 57
Chapter 3. The prom  and q u e r y  Annotations
case D {R1 A %  R2)
tr {a) (b) e  traces{Rl A% R2)
R1 A x  R2 annotation consistent with M  
R1 annotation consistent with M  
R2 annotation consistent with M  
tr ^ (a) ^  (6) = tri t^’2
((tri =  t r ^  { a )  ^(6) A tra - () ) V
(tri — t r '^  {a) A trg =  (6) A a G X  ) \J
(tr2 = tra (a) (6) A last{tri) G %)) A
tri is a proper prefix of tr
initial assumption 
initial assumption 
2, def. consistency 34 
2, def. consistency 34 
define of traces model 31 
where tri G traces(Rl) A 
tr2 G traces{R2) A 
tr2 7  ^0 =>• last{tri) G X
from 5
sub-case; tri =  t r '^ (a) (6) A tra = ()
tr (a) ^  (6) G traces(Rl) 
h G neæt(a) V 
/rom — any{h) V 
a G /rom — set(6) V 
a G /rom — set — init{b)
by 5 and sub-case
by 7 and inductive hypothesis
sub-case: tri =  t r '^  {a) A tr2 = (&) A last(tri) G X
9 t r '^  (a) G traces (Al) A (&) G traces{R2)
10 a G /rom — set(6)
11 6 G next{a) V
/rom — any{b) V
a G /rom -  set(6) V
a G /rom — set — init{b)
by 5 and sub-case
4,9,and def. consistency 34
by 10, and def. of V
sub-case: t?^ = tra (a) (6) A last{tri) G X
12 tra ^  (a) (6) G traces{R2)
13 b G next{a) V 
from — any{b) V
a G /rom — set(6) V 
a G /rom — set — init{b)
by 5 and sub-case
by 4, 12 and inductive hypothesis
QED
58 J uly  6 , 2 008
3.1. The FROM an n ota tion s
case E {R1 R2)
tr ^  (a) (6) G traces (Al A ^  A2)
A1 A ^  A2 annotation consistent with M  
A1 annotation consistent with M  
A 2 annotation consistent with M  
tr (a) (6) =  tri tr2
6 (tri =  tr (a) (6) A tr^ =  ()) V
(tr2  =  tr  ^  (a) ^  (b) A tn  =  ()) V
(tri = t r '^  (a) A tr2  =  (b)A 
last{tri) G X) V
(tr2  =  tra (a) (b) A tast(tri) G X)
sub-case 1: tri = tr (a) (b)
initial assumption 
initial assumption 
2, def. consistency 34 
2, def. consistency 34 
definition of traces model 32 
where tri E traces(Al) A 
tr2 G traces(R2) A 
tr2 7  ^0 => last{tri) G X 
by 5 the semantics of A ^  gives
tr ^  (a) (b) G traces(Al)
b G next{a) V /rom — any{b) V 
a G /rom - set(b) V 
a G /rom — set — init{h)
sub-case 2: tr2  — tr ^  (a) ^  (b)
9
10
tr ^  (a) (b) G traces{R2)
b G next{a) V /rom - any{b) V 
a G /rom — set(b) V 
a G from — set — init{b)
by 5 and sub-case 
7, inductive hypothesis on R1
by 5 and sub-case 
9, inductive hypothesis on A2
sub-case 3: tri = tr'~^ («) A tr2  = (b) A last{tn) G X
11
12
13
tr ^  (a) G traces (Al) A (b) G traces (A2) by 5 and sub-case 
a G /rom — set — init{b) 
b G 7%eæt(a) V /rom - any{b) V 
a G /rom - set(b) V 
a G /rom — set — init{b)
by 11 and 2 
12 and def. of or
sub-case 4: tr2  =  tra (a) (b) A lo,st{tri) G X
14
15
{a) ^  {b) G traces{R2) 
b G next{a) V
/rom — any{b)ya G /rom — set(b) V 
a G /rom — set — init{b)
by 5 and sub-case
14, inductive hypothesis on R2
QED
J u ly  6 , 2008 59
Chapter 3. The fr o m  and q u e r y  Annotations
case G S{p)
1 tr (a) (6) E traces{S{p)) initial assumption
2 S{p) annotation consistent with M  initial assumption
3 tr ^  {a) {b) e  traces{R{p)) S{p) =  R{p)
4 R{p) annotation consistent with M  2, 3 and def. consistency 34
5 6 G next{a) 3, 4, inductive hypothesis on R(p)
QED
The Initial Action of a Consistent Controller
Lemma 6 (Elem ents o f annotation consistent singleton traces are elem ents of 
in it(R )). An element of the singleton trace of an annotation consistent controller fragment 
R is contained in the init of R:
R annotation consistent and ((6 ) G traces{R)) => 6 G init{R)
Proof of Lemma 6 by cases of controllers: 
case A (c -> A)
1 ( b ) G  traces{c —> A) initial assumption
2 b = c 1, def. of CSP traces
3 6 G init{c - 7  A) definition of init 25
QED
case B (A1GA2)
1 (6) G traces{R10R2) initial assumption
2 (6) G traces{R\) or
(b) G traces{R2) 1, def. of CSP traces
3 sub-case: (b) G traces{Rl)
4 6 G init{Rl)  3 sub-case and inductive hypothesis on R l
5 sub-case: (b) G traces{R2)
6 b G init{R2) 5 sub-case and inductive hypothesis on R2
QED
6o J uly  6 , 2 008
3.1. The FROM a n n ota tion s
case C (A l A A2)
1 (b) E traces{Rl A A2) initial assumption
2 (b) E <races(Al) or 
(b) e  traces (A 2)
sub-case: (b) € traces (Al)
3 b €  im t(A l)
sub-case: (b) G traces(A2)
4 b G im t  (A2)
case D (A l A x  A2)
1, def. of CSP traces
2, inductive hypothesis on R l
2, inductive hypothesis on R2
hence in both cases b G init{Rl  A A2)
QED
(b) G traces(Al A% A2) initial assumption
(b) G traces (Al) def. of CSP traces
b G tm t(A l) 2, inductive hypothesis
QED
case E (A l A ^  A2)
(b) G troces(Al A]^ A2) initial assumption
(b) G traces (A 1) or
(b) G traces (A2)
sub-case: (b) G traces(A 1)
3 b G zmt(Al)
sub-case: (b) G traces{R2)
4 b G init{R2)
1, def. CSP traces
2, inductive hypothesis on R l
2, inductive hypothesis on R2
hence in both cases b G im t(A l A^^ A2)
QED
J u ly  6 , 2 0 0 8 6 i
Chapter 3. The fr o m  and q u e r y  Annotations
case F {S{p))
1 (6) G traces{S{p))
2 (6) G traces((B(p))
3 6 G init{R{p))
4 b e  init{S{p))
initial assumption
S{p) = R{p)
2, inductive hypothesis on R(p) 
2 and S{p) =  R{p)
QED
3.1.7. Picturing the  f r o m - a n y  A nnotation
The generic FROM -ANY annotation given in definition 16, can be pictured as in Figure 3.1. 
Any transition of any of the operations that range from opa to in the machine into the 
state may occur. The exiting operation opj may follow any operation of the machine even 
the initialisation of the machine.
initialisation OPj
Figure 3.1.: Picturing the F R O M -a n y  Annotation of opj
3.1.8. Picturing th e  f r o m - s e t  A nnotation
The generic FROM -SET annotation given in definition 20, on its own, is pictured as in Fig­
ure 3.2. Any transition in the X set ({opi,..., opk}) may lead to a state that can execute the 
current operation opj. Let the operations in the machine range from op a to opg.
3.1.9. Picturing th e  f r o m - s e t - i n i t  Annotation
The generic f r o m - s e t - i n i t  annotation 22, on its own, is pictured as in Figure 3.3. Any 
transition in the X set ({opi,..., op&}) or transition from initialisation may lead to a state
6 2 J u ly  6 , 2 0 0 8
3.1. The PROM an n ota tion s
Figure 3.2.: Picturing the FROM -SET{o^?j,
that can execute the current operation opj. Let the operations in the machine range from 
opa to opz.
initialisation
opi
The set X
Figure 3,3.: Picturing the FRO M -SET-INIT Annotation of opj
3.1.10. Examples Utilising f r o m - a n y
The requirement for the traffic control system for the main street of the walled City of 
Carcassonne is specified in section 2.9. The Aller-pedestrian operation of the B machine 
depicted in Figure 3.4 and Figure 3.5 stops all traffic and holds all lights on red in both 
directions to allow pedestrians to walk on the road. The other operations cycle interleaving 
access to the road for the car users travelling up from the moat or down from the square. 
The B machine given in Figure 3.4 and Figure 3.5 includes the addition of a set of lights to 
control the flow of pedestrians when the lights controlling the vehicle traffic are halted. In the
J u ly  6 , 2 008 6 3
Chapter 3. The fr o m  and q u e r y  Annotations
M A C H IN E  Global-Traffic 
SETS COMMAND = {Arret, Aller}
V A R IA B LES Moat, Square, Pedestrian
IN V A R IA N T  Moat : COMMAND A Square : COMMAND A
Pedestrian : COMMAND A {Moat =  Arret V Square =  Arret) A 
{Pedestrian — Aller Moat = Arret A Square = Arret) 
IN IT IA L IS A T IO N  Moat, Square, Pedestrian := Arret, Arret, Arret /  * {Aller-Moat}] * /
Figure 3.4.: Global Interrupting Traffic Machine - Part 1
machine the pedestrian lights are added as another variable of type COMMAND. The Moat 
and Square traffic lights are given their own Arret operation Arret-Moat and ArretSquare. 
The Aller-Pedestrian operation is added. It can be (Aller) when both the Moat and Square 
traffic lights are set to Arret. The machine’s consistent controller is given in Figure 3.6. All 
the operations in the example have NEXT annotations added to them. The abbreviation for 
the NEXT annotation is used ({...}!). The Arret-All operation has a f r o m  ANY annotation 
as well as a n e x t  annotation. The abbreviation for the FROM ANY is used (!{*}).
3.1.11. Examples Utilising f r o m - s e t
Like the FROM -ANY annotation, the FROM-SET annotation will be used more sparingly in B 
machines. We redo the Traffic machine to interrupt only after halt operations.
The B machine depicted in Figure 3.7, on page 66 priorities traffic travelling out of the city 
by interrupting the traffic travelling into the city from the moat when ever necessary. The 
machine consistent controller is given in Figure 3.8 on page 67. An example trace is given 
below:
( Arret-All, Aller-Moat, Arret-All, AllerSquare, Arret-All, Aller-Moat, Arre t-A ll, ...)
3.2. The QUERY Annotations
Query operations return values to the environment to allow the environment to understand 
the current state of the system. Some actions may occur at any time. Query operations 
are an example of such actions. This creates a new challenge for the definition and proof of 
consistency. Any consistency predicate formulated before the occurrence of a query must be 
maintained during the execution of the query. The occurrence of a query operation does not 
change the state of the system. Therefore a consistent controller cannot be made inconsistent 
by adding query operations to it. A new annotation will be introduced in this section: the 
QUERY. An operation annotated with QUERY occurs when required by the environment. 
The query operations must have no efiect on the state of the machine which they are in. 
We provide a theorem that demonstrates that because they cannot change the state of the
64  J u ly  6 , 2 0 0 8
3.2. The QUERY Annotations
O PER ATIO NS
Aller_Moat =  P R E  Square =  Arret A Pedestrian =  Arret
T H E N  Moat := Aller E N D  /  * {Arret-Moat}\ * /; 
Arret—Moat =  P R E  Moat =  Aller A Pedestrian =  Arrei
T H E N  Moai := Arrei E N D / * {AllerSquare}\  * /; 
AllerSquare  =  PR E  Moai = Arrei A Pedestrian = Arret
T H E N  Square := Aller E N D / * {ArretSquare}] * /; 
ArretSquare  =  P R E  Square = Aller A Pedestrian = Arret
T H E N  Square := Arret E N D / * * /;
Arret-All =  PR E  2>we T H E N  Square := Arrei A Moat := Arret E N D
/ *\{^}{Aller-Pedestrian}\ * /; 
Aller-Pedestrian =  P R E  Square =  Arrei A Moat =  Arrei
T H E N  Pedestrian := AZfer E N D / * {Arrei_Pedestna7i}! * /; 
Arret-Pedestrian = PR E  Square =  Arrei A Muai =  Arrei A Pedestrian = Aller
T H E N  Pedestrian := Arret E N D / * {Aller-Moat}\ * /
EN D
Figure 3.5.: Global Interrupting Traffic Machine - Part 2
machine they can be dropped in anywhere in the controller sequence. So consistency can be 
determined after the asynchronous query occurrences have been hidden.
3.2.1. The QUERY A nnotation of a C onsistent B Machine
The QUERY annotation is written /  * Q U ER Y  * /  (the short form of the annotation is /* ? * /). 
This annotation is added to indicate the use of query B operations which can follow any 
operation of the machine or the initialisation.
An example of its use in an arbitrary operation ( n e x t  annotations can not be mixed with 
QUERY annotations) OPi is:
Definition 35 (Query A nnotation).
OPi = { P i \ B i ) / ^  Q U ER Y  */;
In the above we state that OPi, the query operation, is always ready for execution. All 
operations enabled before query execution remain enabled on completion of the query oper­
ation. The proof of this claim can be verified by discharging the proof obligation given in 
definition 36.
J u l y  6 , 2008 65
Chapter 3. The pr o m  and q u e r y  Annotations
Traffic-CTRL — Aller-Moat —^ Arret-Moat ->
AllerSquare  —> ArretSquare  -> Traffic-CTRL
Global-Traffic-CTRL = Traffic-GTRL
A{Arret-All  -4 Aller-Pedestrian -> 
Arret-Pedestrian -4 Global-Traffic-CTRL)
Figure 3.6.: Global Interrupting Traffic Controller
M A C H IN E Defined-Traffic 
SETS COMMAND =  {Arret, Aller]
VARIABLES Moat, Square 
IN V A R IA N T
Moat : COMMAND A Square : COMMAND A {Moat = Arret V Square — Arret) 
IN ITIA LISA TIO N Moat, Square := Arret, Arret /  * {Arret-All}\ * /  
O PERATIO NS
Arrei_A?/ =  PR E  THie TH E N  Moat := Arret A Square := Arret EN D
/  * {Aller-Moaty. * /; 
Aller-Moat =  PR E  Moat =  Arret A Square = Arret T H EN  Moat := A/îer EN D
/  * {A7Tet_A/t}! * /;
AllerSquare  =  PR E  Moat =  Arret A Square = Arret TH EN  Square := Aller EN D
/  *l{ Aller-A ll}  { Arret-All}\ * /
EN D
Figure 3.7.: Defined Traffic Machine
QUERY operations {OPq) maintains all predicates P on the B state as a consequence of not 
altering the machine state. The B construct skip has no effect on state and is guaranteed 
to terminate, skip has all the properties that are required of Bq. Hence we say that Bq 
refines skip (see definition of machine refinement 6.0.1, page 131). As a refinement Bq can 
not behaviours different from skip. Formally we write skip Ç Bq {skip is refined by Bq). 
The context of the refinement is kept simple: the variables of the machine and its refinement 
are the same {xx = X X  etc.). Hence the linking invariant J  relates machine variable with 
refinement variables J  =  {xx =  X X  A yy = Y Y  A ... A zz — ZZ).  The proof obligation to 
show that opq is a query operation and therefor has no effect on state is as follows:
66 J uly  6 , 2 0 0 8
3.2. The QUERY Annotations
Moat-CTRL = Arret-All  - 4  Aller-Moat - 4  Moat-GTRL  
Defined-Traffic-CTRL =
Moat—CTRL
-> Defined-Traffic-CTRL)
Figure 3.8.: Defined Traffic Controller 
D efin ition  36 ( q u e r y  P ro o f  O b ligation ).
(1) skip Ç Bq in the context of J
J  => [Bq] -1  [skip] - iJ  by (1) and definition of refinement 6.0.1
J  [Bq]J by J  =  - iJ
where the refinement invariant J
maps all the variable of the machine
back to versions of themselves in the refinement,
i.e: J = (xx — X X  A yy = Y Y  A ... A zz ~  ZZ)
QUERY Operations are always enabled:
(2) /  Pq
Note that [T]Pq  follows from (2) for consistent machines as [T]I 
D efin ition  37 (Q uery  A n n o ta tio n  S h o rth a n d ).
OPi =  (Pi I Bi)/* ? * /;
The annotation short hand is given in definition 37.
3.2,2. Controller Syntax and Auxiliary Functions with q u e r y  A nnotations
The addition of the QUERY annotation does not extend the syntax of the controller given 
in definition 24. The definition of init (definition 25) and guarded (definition 26) are not
J u ly  6 , 2 0 0 8  6 7
Chapter 3, The fr o m  and q u e r y  Annotations
changed. We extend the new listing function to support the new annotation and introduce a 
new function to deal with the QUERY annotations.
D efin ition  38 (QUERY A n n o ta tio n  L isting  o f O p era tio n s).
query{OPi) = true if 0P{ =  (Pj | P ,) /  * QUERY * /;
query(OPi) =  false otherwise
3.2.3. A nnotation Consistency of Controllers with q u e r y  Action
M -C T R L  is annotation consistent with M  if guarded(M_C!TPf/) is true and if M -G TR L  is 
initially-consistent with M  and in all subsequent actions of M -C T R L  it is step-consistent with 
M. In short, an action of a controller is annotation consistent if the B machine (M)  enables it, 
including the initial action. Previously it has been proven that if the controller is annotation 
consistent with the machine it controls then the pair are non-divergent. Theorem 3 is given 
which states that a query controller set in parallel with a consistent machine is non-divergent 
if the query controller is annotation consistent with the query actions hidden. Removing the 
queries means that consistency is determined as in section 2.6 or section 3.1.5. Accordingly 
we give definitions of the hiding operator used on controllers to assist in the proof.
D efin ition  39 (H ide o p e ra to r  in  th e  tra c e  m odel).
(a -4 P ) \S  = P \S  if  a e S
a -> ( P\S)  if a ^  S
(P □ Q )\S  = [P \  S U Q \  S) only true in the traces model
D efin ition  40 (A n n o ta tio n  consistency  of a C on tro ller w ith  Q uery  A ction ). R is
annotation consistent if R \S  is annotation consistent. (It is determined in the same way as 
in definition 33).
D efin ition  41 (S tep -consistency  of a  C on tro ller w ith  Q uery  A ctions). Step-consistency 
of the controller fragment R, which may contain queries, is determined in the usual way but 
with the queries hidden. The consistency of R is the consistency of R', where R' = R \Q  and 
Q is the set that contains all of the operations annotated with a QUERY annotation. (It is 
determined in the same way as in definition 34)
J uly  6 , 2 0 0 8
3.2. The QUERY Annotations
QUERY annotated operations do not interfere with the development of consistency. Their 
proof obligations, when discharged, demonstrate that the operation can be executed from 
any state that the machine can be put in by the initialisation or operations. In addition 
query operations do not alter the state of a machine. Hence, expectations set up by next 
operations carry through query actions in controllers. Figure 3.9 demonstrates this principle, 
where R  is consistent with the operation annotations.
opa =  ... /  * {opi,}! * /;
opb =  ... /  * {op®}! * /;
opc =  . . . / * ? * / ;
opx —
R  =  OPa - 4  opc - 4  Opb - 4  opc - 4  opx - 4  ...
Figure 3.9.: Carrying Through NEXT Annotation Expectations Through Query Operation
It is necessary to show that the controller and the machine when put in parallel do not diverge. 
Under the assumption that the controller with query operations is step-consistent, and that 
the machine is machine-consistent, theorem 3 states that the pair in parallel are divergence 
free.
T h eo rem  3 ( QUERY A n n o ta te d  M achine C on tro ller C om binations th a t  a re  M a­
ch in e -A n n o ta tio n  C onsisten t a n d  A n n o ta tio n  C onsisten t a re  D ivergence F ree).
I f  a QUERY annotated B machine M  is machine-annotation consistent and the controller 
M -G TR L is annotation consistent with the annotations of machine M  then M \\M -GTRL is 
divergence free.
The proof of Theorem 3 is not undertaken directly by showing only that good traces are 
produced by M -G TRL  as was the case of the previous theorems. The query annotation has 
no effect on the state of a machine. It is this property that is used to obtain a proof of 
non-divergence. We use lemma 7 which states that if a annotation consistent controller is 
good with its query actions hidden then it is good with them visible.
M Machine Annotation Consistent and
M -G TR L  \  Q Annotation Consistent
=> trace(M-GTRL) good
The proof of Theorem 3 is as follows:
J u ly  6 , 2 0 0 8  6 9
Chapter 3. The fr o m  and q u e r y  Annotations
1 M  machine annotation consistent initial assumption
2 [M -CTRL \  Q) annotation consistent initial assumption
3 traces[M-CTRL) good 2, lemma 7 below
4 traces (M -C TR L  ||M) good 1,3 and theorem 2
Hence M -C T R L  \\M divergent free
This proof of theorem 3 is rudimentary because we reuse the earlier work undertaken to show 
that controller-machine pairs are machine-controller consistent without query operations. The 
proof of lemma 7 remains to do. In previous chapters annotation consistency was established 
by following the rules stated for annotation consistency of any controller element with relation 
to the machine it controlled. This chapter is no different except that query operations in the 
controllers are hidden. It must be shown that all the traces of a machine with query operations 
are good. In order to establish that traces with query operation are good, it is necessary 
to show that the traces are good with the queries hidden (lemma 7). In turn it is necessary 
to show that a trace terminates when it has query operations hidden (lemma 8). The proof 
of lemma 8 uses another lemma. It is shown, in lemma 9, that adding a query action to an 
existing sequence of actions that terminates produces a sequence that still terminates. The 
facts about termination are used to prove step-consistency of the controller and then to show 
that the machine in parallel with the controller is non-divergent.
L em m a 7 (C on tro lle rs  w ith  Q ueries ac tions a re  good if th e y  a re  a n n o ta tio n  con­
sis ten t w ith  th e  Q ueries h idden ). Traces of controllers with query operation in them are 
good if they are annotation consistent with the query operations hidden.
M -C T R L \Q  annotation consistent => traces(M-CTRL) good
7 0  J u ly  6 , 2 0 0 8
3.2. The QUERY Annotations
The proof of lemma 7
1 M -C T R L \  Q Annotation Consistency assumption: where M -C T R L  has
queries actions and Q is the set 
of all query actions in M -C T R L
2 traces{M-CTRL\Q)  good
S tr E traces (M -CTRL)
4 t r \  Q good
5 tr good
6 traces (M -C TR L)  good
by 1, def. of annotation-consistency 33 
(Every event is enabled by an annotation 
which implies divergence freedom.)
assume any trace tr
by 2 and 3
by lemma 8 below
by 5 and generalisation
QED
Lem m a 8 (A Trace w ill Term inate if  it Term inates w ith  the Queries H idden).
Removing all query operations from a good trace produces good trace.
Proof of lemma 8
Proof by induction on n = (tr \ Q) Case 1: n=0 (for traces tr that have no operations in 
the sequence)
1 [tr]true initial assumption
2 # ( ( r  \Q )  = 0 from induction step
3 tr' = t r \  Q define t r ’
4 tr = tr' 2 and 3
5 [ÿr'] true 1 and 4
true for n = 0
Case 2: n = k + l (traces tr that have k+1 <
J u ly  6 , 2 0 0 8 71
Chapter 3. The fr o m  and q u e r y  Annotations
1 #(<r f Q) = k + 1 consider
2 # ( i r l  (q) ^  tr2 \ Q) = k 1 from tr = tr i  ^  {q) ^  tr2
3 # ( i r l  tr2 \ Q) = k by 2 and #((g)) =  1
4 {tri ^  tr2)\ Q is good by inductive hypothesis as # ( i r l  ^  tr2) — k
5 ((r l {q) ^  tr2)\ Q is good by g E Q and lemma 9
Hence tr good if (r \  Q is good for any number of queries in tr.
L em m a 9 (if tri ^  tr2 is good and  g is a  query  th e n  in  is good). Adding a
single query operation to a terminating sequence does not cause divergence.
Proof
1
of lemma 9
tr\ tr2 E traces{M-CTRL\{q}) assume
2 tri ^  tr2  is good assume
3 [init] trr, tr2 ]true by 3 and definition 15, page 30
4 [init] (ri]([tr2 ](rwe) by wp of ; (semicolon)
5 [init; tri]{I) by machine consistency
6 [init; tri]{I A [(7-2 ](me) from 4 and 5
7 [init; tri][skip]{[tr2 ]true) by 4 and definition of skip
8 [init; tri][Bq]{[tr2 ]true) by 7 and def. 36 (1) since q is a query
9 [init; tri]Pq by 5 and def. 36 (2)
1 0 [init; tri]{Pq A [Bq]{[tr2 ]true)) by 8  and 9
1 1 [init; (ri][(P, | Sg)]([(7^](me) by 10 and def.. of P|B
1 2 [init; tri; q; tr2 ]true by 1 1  and def. of ; (semicolon)
13 tri ^  {q) ^  tr2 good by 1 2
72 J u ly  6 , 2 008
3.2. The QUERY Annotations
3.2.4. Picturing th e  q u e r y  A nnotation
The generic QUERY annotation given in definition 35, on page 65 on its own, is pictured as in 
Figure 3.10. Any transition can precede the current operation opi including itself where opi 
is a query operation.
initialisation opi
O P i
Figure 3.10.: Picturing the opi QUERY Annotation
3.2.5. Examples Utilising q u e r y
The QUERY is used to communicate the internal state to the environment. We illustrate the 
use of query operations in the running Carcassonne traffic light example. The requirement for 
the traffic control system for the main street of the walled City of Carcassonne is specified in 
section 2.9. The B machine depicted in Figure 3.11 offers query operations to determine the 
current state of the moat light, with this information the environment can make an informed 
decision about the next state of the traffic lights. The machines consistent controller is given 
in Figure 3.12. Although the state of the traffic lights would be obvious to an observer, 
it needs to be relayed to the controller using query operations. It is not obvious from the 
controller which set of lights will be go next. This must be decided elsewhere. The choice of 
which traffic light set is turned on next is resolved by the environment.
J u ly  6 , 2 0 0 8 73
Chapter 3. The fr o m  and q u e r y  Annotations
M AC H INE Querying-Traffic 
SETS COMMAND — {Arret, Aller}
VARIABLES Moat, Square 
IN V A R IA N T Moat ; COMMAND A
Square : COMMAND A 
{Moat =  Arret V Square = Arret)
INITIALISATIO N Moat, Square := Arret, Arret /  * {Arret-AU}\ * /
OPERATIO NS
Arret—All = PR E  True TH EN  Moat := A rret||/S'çwore := Arret EN D
/  * {Aller-Moat, Aller-Square}\ * /; 
Aller-Moat =  PR E Moat =  Arret A Square = Arret T H EN  Moat := Aller EN D
/  * [Arret-Aliy. * /;
Out i—  Moat-Query =  PR E  True TH EN  Out := Moat E N D /* ? * /; 
AllerSquare  =  PR E  Moat =  Arret A Square =  Arret TH EN  Square Aller EN D
/  * {Arret_A//}! * /
EN D
Figure 3.11,: Querying Traffic Machine
Querying-CTRL = Arret-All
(
{Aller-Moat -> Moat-Query'lout —> Querying-CTRL) □ 
{AllerSquare Moat-Query7out —^ Querying-CTRL)
)
Figure 3.12.: Querying Traffic Controller
74 J uly  6 , 2008
4. Adding I/O and n e x t  i n v a r i a n t  to 
Annotations
4.1. Communication Between B Operations, Controller and 
Environment
The contribution of this chapter is to introduce operation input and output (I/O) into the 
annotations. The annotation can be used to constrain the values that operation input can 
take. Operation I/O  is represented in the controller channels as values. Additional syntax 
would be required to constraint the values on the channels. This is not done instead the I/O  
constraints are dealt with only in the annotations.
The generic B machine M depicted in Figure 2.2, on page 23 is extended for I/O  in Figure 4.1, 
on page 76. The definition has variables, invariant, initialisation, and a set of operations OPj 
through to OPn- However the operation are given inputs and outputs in this instance. The 
operations are defined in GSL. In the definitions that follow it is assumed that the precondition 
operations and machine ai’e consistent in the B sense.
There are three sources from which information may emanate: the environment, the controller, 
or the B operations. The B operations can receive input from the environment and/or the 
controller. A single action may contain input from both the environment and controller 
simultaneously. The environment and controller can receive input from the B operations. 
In CSP||B the B is subordinate to the controller, and consequently all communication with 
the environment, by the B, must be made via the CSP controller. Our approach is not so 
controller centred. Inputs are permitted to flow into the B operations from the controller 
or from the environment. The input from the environment is an input to the B and the 
controller. Input is asynchronously read from the environment into the controller and the B 
machine. This is instead of latching values into the controller in one step then outputting the 
same values to the B machine in a subsequent step.
The first operation of the generic machine given in Figure 4.1 has an output list yi and input 
parameter lists Vi and ej. The reason for separating out the input into two different lists is to 
differentiate between the different sources of input the operation may receive. The input Vi 
(little v) is incident from the environment, whereas the e, input is incident from the controller. 
The list V (big V) is used in the annotations. The V list is a list of B machine variables that 
are used as actual parameters. E  is the list of expressions used as actual parameters for 
the input to the operation identified in the annotation. Li is the n e x t  in v a r ia n t  which is
J u ly  6 , 2 0 0 8  75
Chapter 4. Adding I/O  and NEXT in v a r ia n t  to Annotations
M AC H INE M 
VARIABLES T  
IN V A R IA N T r  : T y  
INITIALISATION Y  T y  
O PERATIONS
Vi <— Opi(vi, e.) £ (Pi I B.)/ » {Opj(? V \ E ) ) N E X T  * /
/ * I N V A R I A N T  Lj » /;
Vj  ^ — {Pj \ j^)'i
Vn  ^ n^) ~
EN D
where
'^ j — % )%)•••) %
6j =  Cji, ej^  vj and Cj are free in Bi
Ty =  T l ,  T g, Tg
Te ~  ^ g + 1 ,  ^ s + 2 i  • • • »  Tgyh
Pj = 6 Tl A ... A Vjg E Tg A
^  ^ 5 + 1  ^  • • •  ^  ^ i p  ^  "^g+h
v  =  ? r i , ? r 2 ? . . . ? r ^ ,
T y  =  Tt^ j, T y ^ , . . . ,  T y ^
E  = E i ,E2, ..., Efi
T a b  — T ^ i Q  T i A ... A Ç  T g  A  E i  £  T g y i  A  . .. A £?n+p G T g+ /, 
Figure 4.1.: A B machine with Operations with I/O .
discussed in more detail in chapter 4. The I/O  of the operations are list that are typed in 
the precondition. The types associated with Vj and ej are given as illustration. They are 
typed with Ty and Tg, respectively. T a b  is declared as a short-hand that collects together 
the type relationships set up by the annotation. The first part of Tab states that the types 
of the variables used in the list of variables in the annotation must be a subset or equal to the 
type of the actual parameter. The second half of the Tab definition states that the types of 
the expressions used in the annotations have to be subset or equal to the type of the actual 
parameter.
The information flow between the environment, B and controller are illustrated by the di­
agrams given in figures 4,2, on page 77 and 4.3, on page 77. The diagrams illustrate the 
sources of I/O . The annotation of Opi is illustrated. The operation has a variable list of both 
environmental and controller inputs; V  and E, respectively. The typing in the precondition 
sub-predicates is shown. The form of a next invariant ( n e x t  i n v a r ia n t ) is given in Opi. 
The predicate associated with the annotation is Z-j.
76 J uly  6 , 2008
4.1. Communication Between B Operations, Controller and Environment
EnvironmentInterface
Data Flow from the Environment
ControllerInterfaceControllerSchedulesOperation!
Figure 4.2.: The Controller Initiates Action that Reads Environment Status
In Figure 4.2 the controller schedules an action Opi and gets the associated input required 
by the environment from the environment. In Figure 4.3 the operation Opi outputs to the 
environment and controller in response to initiation by the controller. In the figures all possible 
signals vectors are illustrated through in practise they may not all be used. The scheduled 
operation may read from either the environment or controller, or from neither. Similarly, the 
B operation may output to either the environment or the controller, or neither. From the 
B operation’s point of view the y  list represents the outputs of the machine operation. The 
V represents the operation’s inputs supplied from the environment, whereas the e  represents 
the inputs supplied by the controller. In the definition of annotations the B operation output 
parameters depicted by y  are not utilised. All the annotation up to and including this chapter 
use annotations to reason about the invocation of operations, which makes the output of the 
operations being invoked not appropriate for inclusion.
EnvironmentInterface
Data Flow from the B
ControllerInterface
Figure 4,3,: The B Operation Outputs to the Environment and Controller
July  6 , 2 0 0 8 77
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
4.2. I/O NEXT Annotations and the n e x t  i n v a r i a n t
In the controller a prefixed action may be used to introduce operations with I/O . Prom 
the perspective of the controller, output variables can be drawn from process variables or 
previously instantiated inputs in the control flow. As defined in chapter 2 the n e x t  annotation 
of an operation Opi introduces another operation Opj, or set of operations Opj,...^ Opk, 
which should be enabled after Opi has been executed. The updated annotation is shown in 
definition 42.
Definition 42 ( n e x t  A nnotation Syntax w ith I /O  for O perations).
Vi Opi{vi,ei) = PRE Pi THEN END /* { Opj'^VjlEj } NEXT */',
A controller action will have a corresponding B operation,
VARIABLE VI
Vi Opi{vi,ei) = PR E Pi THEN 5^ END
/* { Opj (7 Vl!yd{3}) } NEXT */ ;
Vj <—  Opj{vj,ej) = PR E Pj THEN Rj END ;
In the above text the annotation /*{Opj ? V l\y i\{3}}N EXT*/  has the first actual parameters 
set to a B variable which has a fixed type declared in the INVARIANT clause. It matches 
with the Vj list, which is the environmental input. Marking the variable in the annotation 
with a ? means that the variable is supplying input from the environment. In chapter 6 
the consequence of being an environmental variable will be explained. The second actual 
parameter is it is the output of the current operation. The third actual parameter, 3, is 
not fixed by the context and therefore is not set by the current operation. The second and 
third parameters match with the ej list as they are outputs of the annotations,
4 .2 .1 . NEXT INVARIANT
Adding variables (flags) to the specifications whose only purpose is to direct the follow of 
control of the machine has been avoided where possible. The execution of a machine is
78  J u ly  6 , 2 0 0 8
4.2. I/O  NEXT Annotations and the n e x t  in v a r ia n t
the sequential execution of its operation. The controller captures the intended execution 
behaviour. The consistency of the machine-controller pair is dependent on the consistency of 
the machine itself, the machine-annotations pairing, and the annotations-controller pairing. 
The policy to-date ensures that each operation in a sequence is enabled by the operation 
before it. This restriction is now relaxed to allow an operation opi to partially satisfy the 
precondition of opj. In way of compensation however a local NEXT in v a r ia n t  is introduced in 
comments in the operation it effects, to ensure that any next operation is fully enabled. The 
NEXT INVARIANT is a local predicate that must be true before and after the current operation, 
opi, is executed. Together, the body of the current operation and its NEXT INVARIANT must 
establish the precondition of the next operation opj. Rather than augment the precondition 
with control flow flags we capture this information in a special predicate. An example of the 
use of a NEXT INVARIANT is given in definition 43.
D efin ition  43 (NEXT INVARIANT A n n o ta tio n  S yn tax  for O p era tio n s).
OPi =  {Pi I Bi) /  * { predicate } N E XT INVARIANT  * /
The view of the world at this level of abstraction is of atomic action for both controller 
actions and B operations. That is tp say, that a B operation is initiated and the output is 
made available in the same atomic action. In implementation a time delay will separate the 
invocation of the actions that may be supplied with inputs and the resulting output result. 
The time separating the input and output is likely to be at least one clock period if the logic 
is made synchronous to a clock waveform. Hence a goal of refinement is to separate out the 
input and output phase to reflect actual implementation constraints.
The operations depicted in definition 44 and definition 45 have a number of parameters. The 
Pi input parameter corresponds to the list i/i,..., ÿ;. It is noted that the annotation does not 
have output parameters. The annotation does have an input list Vj which corresponds to 
the list ?Vi?.,.?Vg. When it describes type T^ is generally subscripted. The V parameters 
are set by the environment so all that can be guaranteed is their type. The annotation 
parameters correspond to the types of the v inputs of an operation. They are defined in Fig­
ure 4.1 introduced through The Vi actual parameters correspond to the îiîi> •••> input 
parameters list in the operation. Similarly, the Fi,...,jE?/, parameters listed {E) correspond 
to an operation input list æ. The ej input corresponds to the list Tg is the type
in the precondition Pj associated with ej. V is used to signify value. E signifies expression. 
The V  annotation parameters are variables typed in the machine, v are input operation 
parameters typed by the precondition of the operation. Although, E  stands for expression, 
each expression must evaluate to a specific value, otherwise the B operation could not be 
called. Note that in examples of B machines with annotated operations a particular group of 
parameters may not be supplied. This corresponds to the list of variables being empty.
4.2.2. I/O  NEX T and n e x t  i n v a r i a n t  Proof Obligations
D efin ition  44 (P ro o f  O bligations o f IN IT IA L IS A T IO N  A n n o ta te d  w ith  I /O  n e x t ) .  
Given the following B initialisation and B operation with next invariant Lj:
^T is overloaded it is used to signify type or initialisation
J u ly  6 , 2008 79
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
VARIABLES , ... Vg 
INVARIANT Vi G T y ,  A ... A Vg e  T y ,
INITIALISATION T /* { Opj I Vl E } NEXT */
Vj i—  Opj{vj, ej) = PR E Pj THEN Bj END /*NEXT INVARIANT Lj*/  
The following PO arises:
(:r.4 ;?A [T]{{Pj A Lj ) [V,E/v j , e j ] ) )
where
~  ® i i )  ® J 2 '  • • •» ^ih‘>
Vj = Uj2 , V j g  are free in T, where Tab  is defined in Figure 4.1 
The proof obligation states that the following holds:
1. Ta b ', the type of the formal parameters specified in the annotations for the initialisation 
is a subset or equal to the type of the actual parameter of the next operation actual 
parameter. This is a type check. It is included in the PO because it is not carried out 
by the BToolkit.
2. ([T]((Pj A Lj)[V^E/vj ^  ej\)\ In this part of the PO there are two things to consider. 
Firstly, the annotation parameter values are substituted into the precondition and the 
next invariant of the next operations. Secondly, the initialisation of the machine estab­
lishes the predicate {Pj A Lj) updated with the actual parameters.
D efin ition  45 (P ro o f O bligations of O p era tio n s  A n n o ta te d  w ith  I /O  n e x t ) .  We give 
the form of the B operation and its related PO (where lÿand Sj are the formal parameters of 
Opj)'.
Pi <— Opi(uf, e,) =  P R E  Pi T H E N  Bi E N D
/* { Opj{7V\E) } NEXT */ /* { NEXT INVARIANT L i } * /  ]
The following PO arises:
I  A  Pi A  Li { T a b  [Bi]{{Pj A  e^ ])) A
(7 A Pi A  Li) [Bi]{Li)
8o J uly  6 , 2 008
4.3. Examples o f  th e  Use o f I/O  NEXT
where
— Gjl* 6j2) ” •>
Vj = Vjj^ , Vj2 , Vj^ are free in B{, where T a b  is defined in Figure 4.1
The proof obligation states that given that the machine invariant, current precondition and 
next invariant of the current operation hold, then it implies that the following holds:
1. T a b ' the types of the formal parameters specified in the annotations for the current 
operation are a subset or equal to the types of the actual parameters of the next opera­
tion actual parameters. This is a type check. It is included in the PO because it is not 
carried out by the BToolkit.
2. [Bj]{{Pj A L j ) [ V , E / v j ,  Cj]): In this part of the PO there are two things to consider. 
Firstly, the annotation parameter values are substituted into the precondition and the 
next invariant of the next operations. Secondly, the body of the current operation 
establishes the predicate {Pj A Lj) updated with the actual parameters.
It also must be established that the current local invariant NEXT INVARIANT is re-established 
by the current operation:
1. /  A Pj A Li) [Pj]((I-j)
4.3. Examples of the Use of I/O  n e x t
In the example given in Figure 4.4 the parameter in the annotation is an expression type pa­
rameter, which means it obtains its value from some action of the next operation it annotates. 
In this case it can be evaluated as 2. Setting the input parameter of the next operation OPj  
to 2 establishes its precondition.
The body of the current operation fixes the value of the nn variable of the next operation’s 
precondition. By definition 45 the annotation POs for operation OP, in Figure 4.4 is given 
as follows (Note that the invariant / ,  the precondition Pj, and the next invariant Pj have 
note been defined in this example and therefore are not in the PO below. Also note that the 
portion of the PQ relating to type correctness { T a b ) has not been included (assuming that 
nn G N  then = N  Ç N , which is trivially true)):
[nn := 2]{xx mod 2 =  0 A n n  2)[nn /  ææ]
which reduces to: 
true
To construct a controller based on the annotations the expressions used as actual parameter 
like nn *2  have to evaluate to a constant value. Hence a valid controller fragment to drive 
the operations in the Evens machine is as follows:
... -> OPilp 0P^!2 ...
J uly  6 , 2 008  8 i
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
M A C H IN E  Evens
O P E R A T IO N S
O P i( 2/ÿ) =  PR E ... THEN nn := 2 END
/* { OPj (!(nn)) } NEXT */ ; 
OPj(a3a;) =  PR E ææ 6  N  A ææ mod 2 = 0 A nn = 2 THEN ... END ;
E N D
Figure 4.4.: Evens Machine
where p is defined earlier in the controller. In this case the controller, like in the CSP||B 
approach, is driving the B operations.
In Figure 4.5 the variable out-mm  is available to the annotation, because it is an output of 
the current operation. All inputs and outputs of the current operation are available to the 
annotations of current operations. Writing mm  — 1 in the annotation would lead to state being 
carried in the CSP controller. Using out-mm  avoids this. By definition 45 the annotation 
POs for operation OPi in Figure 4.5 is (type correctness of annotation not included):
[out-mm mm — l\{zz G N A x x e N A a : a : <  mm)[Ml^ out-mm f  zz^xx]
(M l G N  A mm  — 1 G N  A mm  — 1 < mm) 
true
A valid controller fragment for the Channelling machine could have the following form:
... —> OPj7Ml\out-mm  ...
The value denoted by M l is provided by the environment. It is an input to the controller and 
the B operation, whereas out-mm  is issued by the controller and received by the operation. 
The arrangement of controller and operations is given in Figure 4.6. Arrows with labels signify 
information flow. The arrow without an label from OPilout-mm\xx  to OPj7Ml\out-mm  
signifies control flow in the CSP. The boxes at the bottom of the figure contain B operations. 
The arrangement is similar in CSP||B, except that the environment can feed directly into the 
B operations. In chapter 6 a complete break from the CSP||B approach is made.
8 2  J u ly  6, 2 008
4,3. Examples o f the Use o f  I/O  n e x t
M A C H IN E  Channelling 
V A R IA B LES mm  , M l
IN V A R IA N T  mm G N  A mm G {0...10} A Mi G N
IN IT IA L IS A T IO N  M l :G N  || mm := g /* { ... } NEXT */
O P E R A T IO N S
o u t —m m  i—  OPi(oîa3) •=
PR E ... THEN ... II out-mm  mm - 1 END
/ *  {OPj{?Ml \out-mm)} N E X T  * /  ;
OPj(zz,axe) =  PR E zz G N  A xæG N  A xx < mm THEN ... END 
/ *  {...} N E X T  */  ;
E N D
Figure 4.5.: Example of a n e x t  Annotation with I/O
J uly  6 , 2008 83
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
M l
OP M l\ou t-m m
out-mm out-mmXX
OPi{xx) OPj{Ml, out-mm)out-mm
Figure 4.6.: Controller B Operation Interaction
4.4. I/O NEXT Annotation Listing Functions
The listing functions are extended to support the annotation with I/O . The functions return 
particular aspects of the associated annotation. The operation — name function returns the 
operation set of the annotation. The operation—env—in function returns the input parameters 
set by the environment of an operation from the annotation set. The operation — ctrl — in 
function returns the set of annotation input parameters incident from the controller for a 
given operation in the annotation set. The operation — env — type function returns the set of 
types associated with the environment input parameters of an operation in the annotation. 
The operation — ctrl — type returns the list of types associated with the control data in an 
annotation. The context where it is not given by the functions is given in Figure 4,1,
4.4.1. A nnotation O peration Listing Functions
Definition 46 (A nnotation O peration Listing for Operation N am es).
operation — name{Y i—  OPi { V, E)  = {Pi | B,)/ * E  N E X T  * /; ) =  OPi  
operation -  name{INITIALISATION ... /  * X  N E X T  * /  ) = INITIALISATION
84 J u ly  6 , 2 008
4.4. I/O  NEXT Annotation Listing Functions
Définition 47 (A nnotation O peration Listing for Operation O utputs).
operation — output{OPj{V ^ E)) = {%}
where OPj is an arbitrary operations : yj i—  OPj(V,jS) =  ...
Definition 48 (A nnotation O peration Listing for Operation Environm ental In­
puts).
operation — env — in{OPiÇlV\E)) = V
D efinition 49 (A nnotation O peration Listing for Operation Controller Inputs).
operation — ctrl — in{OPi{'l V\E)) = E
D efinition 50 (A nnotation O peration Listing for Operation Environm ent Types).
operation — env — type{OPi{lV\E)) =
where the context is given in Figure é.l  
Definition 51 (A nnotation O peration Listing for Operation Controller Types).
operation — ctrl — type{OPi{l V\E)) =  Tq
where the context is given in Figure 4:.!
4.4.2. INITIALISATION I/O  n e x t  A nnotation Listing Functions
The listing functions are used to extract the actions for the proof work. The direction of the 
I/O  is not important. Hence, op^.y.V.E  is constructed instead of op^'ly'l V\E. The listing 
functions given in definitions 46, 47, 48, 49, 50 and 51 are used to assemble the parts of the 
actions that can be used in the definition of annotation controller consistency. The original 
next function definitions have been overloaded for I/O .
J u ly  6 , 2 0 0 8  85
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
Definition 52 ( n e x t  w ith I /O  A nnotation Listing for Initialisation).
next{INITIALISATION  ... / *  % * /  ) =
{ o p x - y - V I opx 6  operation — name{X) A
operation — output(opx) =  y A 
operation — env — in{opx) = V f\
operation — ctrl — in{opx) =  E
}
Note however that as V  and E  are used to introduce types then the NEXT listing function 
should strictly return a family of operations invoke all with a different value of the type.
For brevity we do not enumerate the types. So for example in Figure 4.7, on page 98,
next{INITIALISATION) =  5ef({7..10}), because store-env-in G 7..10. Strictly, the for­
mulation should be next{INITIALISATION) = {Set{7)^ Set{S), Set{9), <S'ei(10)}
4.4.3. Operation I/O  n e x t  Annotation Listing Function
When the operations were solitary operations they were indistinguishable from an action. 
Here we treat actions with inputs and output the same as operations with inputs and out­
puts. Strictly we should restate the functions for both actions and operations {next{yx <—  
OPx{vx^ e i).../ * X N E X T  * /)  =  next{opx7yx'lvx\cx)). This will not however added anything 
new.
Definition 53 ( n e x t  A nnotation Listing).
next{yx <—  Ofg(%, e^) ... /  * X  N E X T  * /)  =
{opx-y-V.E I opx E operation — name{X) A 
operation -  output{opx) = y A 
operation — env — in{opx) — V A  
operation — ctrl — in{opx) = E
}
Definition 53 illustrates hoW the actions are constructed from operation n e x t  annotations 
with the listing functions.
4.5. I/O FROM  Annotations
In this section the three annotations are re-introduced with I/O: the FROM-ANY, PROM-SET, 
and PROM-SET. These annotations are used with NEXT annotations. In this chapter we 
restrict the annotations in operation to one from annotation, which should be accompanied 
with one next annotation.
86 J uly  6 , 2 0 0 8
4.5. I/O  FROM Annotations
4.5.1. I/O  PRO M -A NY  A nnotation
The introduction of I/O  changes the form of the FROM-ANY annotation. It is augmented with 
a set of input constraints: /* FROM — A N Y  {7 V \E }* /.  The input from the environment (? V) 
is separately introduced from the input from the controller {IE). Expanding the vectors out 
gives the following signature for the annotation: / *FROM —A N Y {? Vjj ... ? Vjg lEj^ ...
(the short form of the annotation is /* ! {? Vj  ^ ... ? lEj^ ... iÆÿ;,} * /). The definition of the 
use of the annotation is given in definition 16, which we restate here:
D efinition 54 (from-ANY w ith  I /O  A nnotation Syntax for O perations).
yj 4— OPj{vj,  ej) ^  {Pj I Bj) / * F R O M  -  A N Y { 7  V I E ]  */;
The annotation states that the interrupting operation can be called with the given parame­
ters. The previous PC definition 17 is updated to include the I/O .
D efin ition  55 ( I /O  FROM-ANY P ro o f  O b ligations). We give the form of the B operation 
and its related PO (the n e x t  in v a r ia n t  introduced in definition 43 has been included to 
show the most general form of the PO):
Vj <—  Opj{vj,6j) = PRE Pj THEN Bj END
/* FROM-ANY { 'fVjWj } */
/*  NEXT INVARIANT Lj */
The following PO arises:
(V æ G OPERATI ONS  • / A Pj, A 
{ T a b  a [Bx]{{Pj A Lj)[Vj ,Ej / vj , e j ] ) ) )  A 
{ T a b  a  ([T](P,- A Lj)[Vj ,Ej / v j ,  ej]))
where
T  with no subscript is the initialisation of the machine 
“  ^3v ®J2’ •••»
'^ 3 ~  “^ 3 g free in P*, where T a b  is defined in Figure 4.1
Definition 55 takes into account the variabilities of the inputs that can be taken by the current 
operation OPj and its predecessor operation OPi. Every possible input of the previous
J u ly  6 , 2 0 0 8  8 7
Chapter 4. Adding I/O and n e x t  in v a r ia n t  to Annotations
operation OPi must enable the precondition of OPj. The FROM-ANY annotation can be used 
in the same operation as the NEXT annotation.
4.5.2. The I/O  f r o m - s e t  A nnotation
The FROM-SET annotation is given in definition 56 below.
Definition 56 ( f r o m - s e t  w ith I /O  A nnotation Syntax for O perations).
/  * FROM -  SET{  OPk, . . . ,OPi} { ? V  I E } * /
The vector lists are inputs from the environment and controller, respectively.
The short form of the annotation is:
A  h i  OPt,- .OPi} { 7 V \ E } * /
This annotation is added to indicate the use of interrupting B operations that can follow 
any operations listed in the operation annotation. It may not follow the initialisation action. 
The input parameter lists V and E supply the input for the interrupting operation, not the 
operations that are interrupted.
Definition 57 (FROM-SET P roof O bligation), We give the form of the B operation and 
its related PO:
yj <—  Opj{vj ,ej)  =  PRE Pj  THEN Bj END
/* FROM-SET { OPi} {7Vj\Ej } */
/* NEXT INVARIANT Lj */
The following PO arises:
(V æ € { OPki--’i OPi } ■  I  A Px A Lx =>
{ T a b  a [Bx]{{Pj A Lj)[Vj ,Ej /vj ,ej ] )))
where
~  '•'» 3^h'>
Uj =  Vj^ are free in R,-, where Tab is defined in Figure 4.1
4.5.3. The I/O  f r o m - s e t - i n i t  A nnotation
The FROM-SET-INIT annotation is given in definition 58 below.
88 J u ly  6 , 2 008
4.5. I/O  FROM Annotations
D efin ition 58 ( f r o m - s e t - I N I T  w ith  I /O  A nnotation Syntax for O perations).
/  * FROM ~ SE T  -  IAr/T{OPfc,..., OPi]{lV j,\E j]  * /
The vector lists are inputs from the environment and controller, respectively. The short form 
of the annotation is
A  '-‘x lO P k  O P i}{?V j\E j}* /
This annotation is added to indicate the use of interrupting B operations that can follow any 
operations listed in the annotation or the initialisation action of the machine. An example of 
its use in an arbitrary operation OPj is:
Typically the FROM-SET-INIT annotation will be used in the following way:
OPjivj, Cj) s Pi I Si)/* '.‘x  { OPt , .... OP,} {?y,!S ,} * /;
In the above we state that after the execution of any of the operations in the given set or the 
execution of the initialisation OPi will always be available to execute. The annotation gives 
rise to the following proof obligation:
D efin ition  59 ( f r o m - s e t - I N I T  P ro o f  O b ligation ). We give the form of the B operation 
and its related PO including a predicate Lj arising from the NEXT INVARIANT:
yj i—  Opj{vj,6j) = PR E  Pj TH EN Bj END
/* FROM-SET-INIT X { IVjlEj } */
/* NEXT INVARIANT Lj */
where X =  {OPjt,..., OPi}
{V X e  X  > I  A Px => {Ta b  A [Bx]({Pj A Lj ) [V,E/ v j , e j ] ) ) )  A 
( T a b  A{ [T]{Pj [V, E/ v j , e i ] ) ) )
where 
3^ ~  ^3v
Vj =  Wj'j, Ujg} •••) Vjg are free in Bi, where Tab is defined in Figure 4.1 
J u l y  6 , 2008 89
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
4.5.4. PRO M  with I/O  Listing Functions
The listing functions are extended to support the new annotations.
Definition 60 (I/O  FROM-ANY Operation A nnotation Listing).
from — any — op{yj i—  OPj{vj, ej)) = true
i f  Vj <—  O P j ( v j ,  e j )  =  ( P j  I B j ) / *  ! X  { ? V j , l B j }  * / ;  
from — any — op(yj <—  OPj{vj, ej)) =  false otherwise
Definition 61 (A nnotation O peration Listing for I/O f r o m - s e t  O peration N am es).
operation — from — set — name{yj <—  OPi{vj, ej) =  (Pj | R*)
/  * FRO M -SET X  {? Vj, \Ej} * / ; )  =  %
Definition 62 (I/O  FROM-SET A nnotation Listing).
from -  set -  op(y, <—  OPi{vi, Cj)) =  { op^.yi.Vi.ei 
I Vopx G operation — from — set — name{OP) • 
operation — output{opx) = Vi A 
operation — env — in{opx) = A
operation — ctrl — in{opx) =  e* A
operation — env — type{opx) = V{ A
operation — ctrl — type{opx) =  R* A
Ui G A 
e, G Te
}
where OP =  OP,(u„ e,)(Pi | R ,-)/* F R O M S E T - I N I T  X  {?7j,!Ri} * /;
and T„ and Tg are defined in figure 4.1
The from — ae( — op function returns an action in which the events channels are not given 
type or direction. The typing is checked in the machine-annotation consistency PO checking.
go J uly  6 , 2 0 0 8
4.5. I/O  FROM Annotations
D efinition 63 (A nnotation O peration Listing for I/O f r o m - s e t - i n i t  O peration  
N am es).
operation — from — set — init — name{ Yi i—  0 P ,(  V, X) =  (Pj j Rj)
/  * F R O M -SE T -IN IT  X  {?F,-, !R J * / ; )  =  %
where X  is an arbitrary set of operations
D efinition 64 (I/O  FROM-SET-INIT A nnotation Listing).
from — set — init — op{yi i—  OP%{vi, e,) =
{opx-Vi-Vi.ei
I V opx G operation — from — set — init — name{OP) • 
operation — output{opx) ~  y% A 
operation — env — in{opx) — Vi A  
operation — ciW — in{opx) =  e* A 
operation — enu — type{opx) = Vi A  
operation — cW — type{opx) =  R* A 
Vj G Tt, A 
e Tg
}
wAere OP =  y, G— OPi{vi, e<) =  (P, | R J /  * F R O M S E T - I N I T  X  { Vf.R,} * /;
and r„ and Tg are defined in figure 4.1
4.5.5. Controller language
Definition 65 (Controller Syntax w ith  I /O  Extensions).
R
a?ylv\e  -4 R{y)
R O  R 
R A R  
R A x  R 
R R 
S{p)
The controller language defined in definition 65 extends the language given in definition 24 
with I/O . The link between operation and action is maintained. A operation with I/O  is
J u ly  6 , 2 0 0 8  g i
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
represented in the controller syntax as an action with I/O . The meaning of consistency is 
extended by updating the init functions.
Definition 66 {init on CSP Controller Process w ith I /O  E xtensions).
init{a?y?v\e - 4  R l) =  {a.y.v.e}
init{Rl  □ R2) =  init{Rl)  U init{R2)
init{Rl  A R2) =  init{Rl)  U init{R2)
init{Rl A x  R2) =  init{Rl)
init{Rl  A ^  R2) =  init{Rl)  U init{R2)
init{S{p)) = init{R{p))
An action prefix must appear with output preceding input, from left to right, with the input 
from the environment proceeding the input from the controller. In definition 66 the init 
function extracts the action of the action prefix. The outputs and inputs of the action marry 
with the outputs and inputs of the B operation the action represents: the controller action 
outputs to the inputs of the B machine and the output of the B operation is input to the 
action.
The guard function is unchanged by the introduction of I/O  (definition 67)
Definition 67 {guarded on CSP controller process w ith  I /O ).
guarded{a7ylv\e - 4  R l) =  true
guarded{Rl □ R2) =  guarded{Rl) A guarded{R2)
guarded{Rl A  R2) =  guarded{Rl) A guarded{R2)
guarded{Rl A% R2) =  guarded{Rl) A guarded{R2)
guarded{Rl A \  R2) =  guarded{Rl) A guarded{R2)
guarded{S{p)) =  false 
guarded{S{p) =  R{p)) =  true if guarded{R{p))
4.6. I/O  NEXT and f r o m  Annotation Consistency
As before, consistency is broken down into annotation consistency and step-consistency. Defi­
nitions 68 and definition 69 expands on the previous definition 13 and definition 14. The three 
interrupt operators are modelled in control constructs. In case 3 of definition 68 the control 
fragment with the interrupt operator is used. It is initially-consistent if the first process is 
initially-consistent and all the initial actions of R2 are initially consistent. Initial-consistency 
in definition 68 is determined directly using the properties of the associated annotations. 
Annotation consistency requires that there is both initial-consistency and step-consistency.
D efinition  68 (A n no ta tion -C onsis tency  w ith  I /O ) .  Where M is a machine and M -CTRL 
is its controller.
9 2  J u ly  6 , 2 008
4.6. I/O  NEXT and PROM Annotation Consistency
1. a?y?u!e -4  R
is annotation consistent with Machine M if a ? y ? u !e  -4  R is initially consistent and 
a ? y ? u !e  —Y R is step-consistent with M
a?y?u!e -4 R is initially-consistent if a?y?u!e G next(INITIALISATION)
2. R l □ R2
is annotation consistent with Machine M  if R l and R2 are annotation consistent with 
M.
3. R l A R2
is annotation consistent with Machine M if R l is annotation consistent and 
Vop G init{R2) ' from — any{op) = true and R2 is step-consistent with M
4. R l A% R2
is annotation consistent with Machine M  if R l annotation consistent with M and 
if V op G init{R2) • X  Ç from — set{op), and R2 is step-consistent with M
5. R l A ^  R2
is annotation consistent with Machine M if R l is annotation consistent with M  and 
if V op G init{R2) • X  Ç. from set- i{op),  and R2 is step-consistent with M
6. S{p)
is annotation consistent with Machine M
A family of recursive definitions S{p) = R(p) is annotation consistent with M ’s an­
notations if each R(p) is annotation consistent with M ’s annotations.
D efin ition  69 (S tep -C onsistency  w ith  I /O ) .  The
step-consistency of the controller fragment R is defined as follows:
1. a7y\v\e -)  R l
is step-consistent with Machine M if init{Rl)  Ç next{a7y\v\e)) and
J u ly  6 , 2 0 0 8  9 3
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
R l  is step-consistent with M
2. R l □ R2
is step-consistent with Machine M  if R l and R2 are step-consistent with M.
3. R l A R2
is step-consistent with Machine M  if R l is step-consistent with M  and 
if Vop G init{R2) • from — any {op) = true and R2 is step-consistent
4. R l A% R2
is step-consistent with Machine M if R l is step-consistent with M  and 
V op G init{R2) - X  Ç from — set{op) and R2 is step-consistent with M
5. R l A ^  R2
is step-consistent with Machine M  if R l is step-consistent and R2 is step-consistent 
with M and V op Ç. init{R2) • X  Ç from — set — init {op)
6. S{p)
is step-consistent with Machine M
A family of recursive definitions R =  R is step-consistent with M ’s annotations if each 
R is step-consistent with M ’s annotations.
4.7. Proving Termination of Controlled Machines with I /O  
Annotations
The proofs in this section establish that it is enough to demonstrate annotation-consistency 
(given machine-annotation consistency) to show that the every step of the machine-controller 
pair terminates, which implies non-divergence: every operation is called within its precondi­
tion. The proofs in this section extend section 3.1.6 by introducing new proofs for machines 
with I /O  annotations and controllers with 1 /0  operations.
Demonstration termination of the controller by proof does not involve the annotation I/O . 
This is the case because the POs for the annotation I/O  are checked when the consistency is 
established between the operations and the annotations. At this time it is proven that the
94 J u ly  6 , 2008
4.7. Proving Termination of Controlled Machines with I/O  Annotations
I/O  sources for the annotations are type correct with the constraints of the preconditions. 
Hence the proofs to demonstrate termination of consistent controller paired with controlled 
machine are the same as in chapter 3.
The approach to the proof of operations with I/O  is to ignore the outputs and substitute in 
the input into the precondition that is being established, and reuse the existing proofs for 
non-I/0  actions. The substitution can be made because type correctness of the substitution 
has been proven in definitions 44, 55, 57, 59, when the POs are discharged. In the proof of 
mixed I/O  and non-I/0  operation traces the operation actions with I/O  would be converted 
into operations without I/O  by substituting in the input as above. Then the proof would 
proceed as thought all the actions had non-I/0 .
We restate the theorem for controllers with I/O :
T h eo rem  4 (A n n o ta te d  C o n sis ten t C o n tro lle r  a re  D ivergence F ree). I f  an I /O  anno­
tated B Machine M  is consistent with a controller M -C T R L  then M \\M -C TRL is divergence 
free.
The proof that arbitrary length traces are non-divergent:
Case (A) ()
1 [T]I by consistency of M
2 [T]tf«e by[T]I [T]true
Case (B) {a.ya^Va-Ca) € traces{M-CRTL)
J u ly  6 , 2008 95
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
1 {a.ya.VQ.ea) G traces{M-GRTL) 
and M -C T R L  annotation consistent
Initial assumption
2 a.ya.Va-Ca G next{INITIALISATION) V 
from -  any -  op{y i—  a{va, Co)) V
from — set — init — op{y G— a{va, Cq)) ^  {} definition of Lemma 10 below
3 [T]Pa[Va.EalVa,ea]
4 [T]P',
5 [T]I
6 [ r l ( P i  A / )
Entirely similar to the proof of 
th eo rem  1, C ase (B ), 6 to  end
by 2 and de l 44, 55, 57, 59
by 3 and after substitution
and as machine-annotation consistent
Machine-Annotation consistency 4
by 3 and 4 when I/O  dropped
Case (C) {tr ^  (a.yq.Uq.eq, G traces(M-CRTL) where tr G traces(M-CRTL)
1 { t r  ^  a . y a . V a - € a )  i s  good
2 h.yi^.vif.ei)  G
n e x t { y a  <—  a(va, Cq)) V 
a . y ^ . V Q . C a  G
f r o m  -  s e t  -  op{yb <—  b { v b ,  e&)) V 
a . y Q . V a . C a  G
f r o m  -  s e t  — i n i t  — o p { p b  <—  b { v b ,  e&)) V 
f r o m  — a n y  — o p { b )
3 I  A Pa [Ba]{Pb[Vb,Eb/vb,eb])
4 Î A Pa [^a]P'b
Entirely similar to the proof of 
th eo rem  2, C ase (C ), 3 to  19
by inductive hypothesis
Lemma 11 below
by 2 and del 55 and typing correct
Machine-Annotation consistency 
hence I/O  dropped
Singleton Traces are Enabled by Initialisation Annotations
L em m a 10 (S ingleton  traces  o f consisten t I /O  a n n o ta te d  C T R L  are  enab led  by 
a n n o ta tio n s). The actions of singleton traces of consistent controller R is also an initiali-
96 J u ly  6 , 2008
4.8. Picturing I/O  Annotations
sation annotation or an I/O  annotation:
{a.y.v.x) G traces{M-CRTL) =>
a.y.v.x G next(INITIALISATION)  V 
from -  any — op{y i—  o(u, x)) V 
from — set — init — op(y i—  a{v, x)) /  {}
The proof of lemma 10 follows exactly the format as the proof of lemma 4. The only difference 
in form is that the proof of lemma 10 has I/O . The I/O  does not effect the outcome of the,
proof. The type correctness of the inputs used in the annotations is guaranteed during the
determination of machine-annotation consistency.
Arbitrary Traces are Enabled by Annotations
L em m a 11 (A rb itra ry  L en g th  T races o f A n n o ta tio n -C o n s is ten t In te r ru p tib le  C on­
tro lle rs  a re  E n ab led  by  A n n o ta tio n s). The actions of arbitrary length traces of a anno­
tation consistent I /O  controller fragments are enabled by operation annotations:
R annotation consistent A tr ^  {a.y.v.x) ^  {b.y.v.x) G traces{R) =>
b.y.v.x G next{ya  ^a{va, Cq)) V 
from -  any -  op(y& ^ —  6(u&, e^ )) V 
a.y.v.x  G from -  set -  op{yb i—  b{vb, x^)) V
a.y.v.x  G from — set -  init — op{yi, i—  b{v, e^))
The proof of lemma 11 as with lemma 10 follows exactly the same form as lemma 5. This is 
because the I/O  plays no part in the proof.
4.8. Picturing I/O  Annotations
Adding I/O  to the existing f r o m  and NEXT annotations does not alter the drawings of the 
annotations without I/O , which is defined in chapters 2 and 3.
4.9. I/O  N EXT Examples
An example that uses the NEXT annotation with I/O  is given in Figure 4.7. The figure serves 
to illustrate how the annotations specify the way in which output from one operation feeds 
in to the next. The Store-in variable is the interface to the environment, and is required in 
the implementation. More details about implementing external ports are given in cliapter 6. 
The example is of a simple specification that has an operation that can sets a memory store
J u ly  6 , 2008 97
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
M A C H IN E  SetDifferent 
V A R IA B LES Store, Store-in
IN V A R IA N T  Store G N  A Store-in G N  A Store-in  G 7.. 10
IN IT IA L IS A T IO N  Store-in  :G 7..10 || Store i= 6 /* { Set(!Store_in) } NEXT */ 
O P E R A T IO N S
S et(xx ) = PR E XX G 1..10 A xx /=  Store THEN Store := xx END 
/*  { Different } NEXT */ ;
m m  <—  D ifferent =  PR E true THEN mm  :G {{1..10) - {Store }) END 
/* { Set(!mm) } NEXT */
EN D
Figure 4.7.: SetDifferent Machine
CTRL = SetDifferent-CTRL{7)
SetDifferent-CTRL{u) = Set\u -4 Differently -4 SetDifferent-CTRL{v)
Figure 4.8.: SetDifferent Controller
to a value and creates a value with the other operation. The value offered must not be the 
last one accepted.
The example is analysed step-by-step to demonstrate that the NEXT I/O  annotations are 
consistent (step-consistent and initially-consistent) in the B machine.
Establishing Machine-annotation consistency for the SetDifference Example
1. In itia lisa tion : the initialisation clause must establish the precondition of all the oper­
ations identified in its annotation; in this case this is Set (S to re —in), with precondition
9 8  J u ly  6 , 200 8
4.9. I/O  NEXT Examples
(7..10 Ç 1 . . 1 0 A [Store := 6]((ææ G 1..10 A xx /  Store )[Store-in / ææ]))
(Store-in  G 1..10 A Store-in /  6 )
(7 G 1..10 A 7/ = 6) A ( 8 G 1..10 A 8 / = 6 ) A
(9 G 1..10 A 9/ = 6) A (10 e 1..10 A 10/ = 6 )
=  true
2. Set(xx): the Set operation must satisfy the precondition of the operations identified 
in its annotation; in this case Different, with precondition true, which is obviously 
satisfied
3. m m  4—  Different: the operation must satisfy the precondition of the operations 
identified in its annotation; in this case Set (m m ), with precondition xx G 1..10 A xx 
/ =  Store. Prom definition 45, we must prove:
^ A  P D ifference  ^  (P D ifferen ce  G P se t  G  [P D iffe re n c e ]P se t[B D iffe re n c e / ^Difference])
= [mm :G (1..10) — {Riore}](a;æ G 1..10 A  xx /  — Store)[mmj a;:c]
=  [mm :G (1..10) — {Riore}]( mm  G 1..10 A mm  /  — Store)
=  true
Establishing Annotation-Controller Consistency for the SetDifference Example
Secondly, we demonstrate annotation-controller consistency. To show that the controller 
CTRL is consistent with SetDifferent machine we apply the definitions of step-consistent and 
annotation consistent from definitions 68 and 69.
Step-consistency is established by considering the parts of the definition of R -C T R L
• SetDifferent-CTRL(p): The process variable SetDifferent-CTRL(p) is step-consistent, 
by the definition of step-consistençy for process variables.
• Differently -> SetDifferent-CTRL{v):. This is first sub-process working back from the 
step-consistent definition SetDifferent-CTRL(v). The prefix rule for step-consistency 
from definition 69 requires that:
init[SetDifference-GTRL{v)) Ç next{Differentlv)
=  Ret(u)[u/w] Ç {Ret('y)}
=  true
• Setlv  - 4  Differently -4  S-C TRL{v)  : Differently  -> S-C TR L(v)  is  s te p -c o n s is te n t an d  
th e  p refix  ru le  req u ires th a t:
J u ly  6 , 2008 99
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
init{DifferentlV -4 S-C TR L(v)) Ç next{Setlv) 
= Differently C { Different.e | e G 1..10 } 
=  true
initial-consistency is also established since:
init(CTRL) C next{INITIALISATION) 
= {Set.7}C  { Set.7,Set.S,Set.9,Set.lO } 
=  true
4.10. NEXT INVARIANT Annotations Example
To illustrate the use of the NEXT INVARIANT an example of a heating system is introduced in 
Figure 4.9 and Figure 4.10. Variables that describes the state of the system are captured in 
the NEXT INVARIANT. The difference with the annotation approach is that the state of the 
variables can be carried around in the annotations and not in the CSP code. The operation 
invariants are only established when necessary. If the next invariants where promoted up 
to the machine invariant level then they would have to be established for every operation 
execution.
4.10.1. Establishing M achine-controller Consistency of th e  H eater Example
M A C H IN E  Heater
SETS STATE  =  { Stopped , Running }
V A R IA B LES Status, TargetTemp, CurrentTemp,
TargetTempIn, CurrentTemp In
IN V A R IA N T  Status G STATE  A TargetTemp G N A CurrentTemp G N A 
TargetTempIn G N A TargetTempIn G 14--28 A CurrentTempIn G N
IN IT IA L IS A T IO N  Status := Stopped || TargetTemp :G 0..37\\
CurrentTemp :G N || TargetTempIn :G 14"28 |
CurrentTempIn :G N /* { Start, Halt } NEXT */
Figure 4.9.: Heater Machine Header 
100 J u l y  6 , 2008
4.10. NEXT INVARIANT Annotations Example
O PER ATIO NS
Start =  PRE Status = Stopped THEN Status := Running END 
/* { SetTargetTemp(?TargetTempIn) } NEXT */ ;
H alt = PRE true THEN Status := Stopped END
/* FROM-ANY */
/* { Start } NEXT */ ;
S et Target Temp (xx) =  PRE xx € 0..37 THEN TargetTemp := xx END
/* NEXT INVARIANT { Status = Running } */
/*  { ReadCurrentTemp(?CurrentTempIn) } NEXT */ ;
ReadC ur rent Temp (y y ) =  PRE yy G N THEN CurrentTemp := yy END
/* NEXT INVARIANT { Status =  Running } */
/* { SwitchHeater } NEXT */ ;
m m  i—  Sw itchH eater =  PRE Status = Running THEN mm  :G {0,1} END 
/* { ReadCurrentTemp(?CurrentTempIn) } NEXT */
EN D
Figure 4.10.: Heater Machine Operations
The machine-controller consistency (machine-annotation consistency and annotation-controller 
consistency) of the Heater examples in figures 4.10 and figures 4.11 is established in what fol­
lows. Firstly, the machine-annotation consistency of Figure 4.9 and Figure 4.10 is established. 
Secondly, the annotation-controller consistency of Figure 4.11 is established.
Establishing Machine-annotation Consistency
• Initialisation: the initialisation clause must establish the precondition of all the oper­
ations identified in its annotation; in this case this is Start with precondition Status — 
stopped, and H alt with precondition which is,true.
[T in itia lisa tio n ]P s ta r t A
=  [Status := Stopped]Status =  Stopped 
=  true
J u ly  6 , 2008 l o i
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
#
S-C T R L  = Start - 4  SetTargetTemplTargetTempIn - 4  R
R ~  ReadCurrentTempl CurrentTempIn - 4  SwitchHeaterlxx —> R  
CTRL = S -C T R L  A halt - 4  S-C TR L
Figure 4.11.: Heater Controller Operations
S ta rt: the Start operation must establish the precondition of the operations identi­
fied in its annotation; in this case S e tT arg e tT em p (T arg e tT em p In ), with precon­
dition: XX € 0..37. The S e tT arge tT em p  operation also has an next invariant:
Status =  running. The resulting PO to establish satisfaction of the precondition and 
the annotation operation next invariant is:
I  A P s i a r t  ^  { T e s ta r t  G T SetTargetTem p A
\P S tar^ i.P S etT argetT em p A  L se tT a r g e tT e m p )\T e s ta r t!  ^SetTargetTem p^
= [Status = Running\{xx G 0..37 A Status = Running)[TargetTempInj xx] 
=  true
H alt: the halt operation must be able to follow any operation as a virtue of the FROM- 
ANY, and it must establish the precondition of S ta r t  due to the NEXT annotation. The 
precondition of H a lt is true which ensures that it is possible to execute H a lt after any 
operation. The H a lt operation must establish the precondition of the S ta r t  operation 
with precondition Status — stopped. It has to be proven that:
/  => [Status := Stopped]{Status := Stopped) 
= true
S etT arge tT em p(xx ): The two main predicates that have to be proven are that the 
NEXT INVARIANT re-establishes itself and that the precondition and next invariant of 
the next operation are established by the current operation. The NEXT INVARIANT is 
re-established as /  A P S e t T a r g e t T e m p  A LS a i 'P a r g e tT e m p  ^  PS e t T a r g e t T e m p  i® trivially true. 
The S e tT arge tT em p  operation must establish the precondition of R e a d C u rren t-  
Tem p as a result of the NEXT annotation. The precondition of R e a d C u rren tT e m p  
is yy G N, The S e tT arge tT em p  operation must also establish the annotated next 
invariant of R e a d C u rren tT em p (y y ) LReadCurrentTemp which is: Status = Running. 
However, we have at our disposal the next invariant L S e t T a r g e t T e m p  which is the same 
as LReadCurrentTemp- The variable used in the annotation to invoke ReadCurrentTemp 
replaces yy in the precondition of ReadCurrentTemp. It has to be proven that:
102 J uly  6 , 2 0 0 8
4.10. NEXT INVARIANT Annotations Example
{ I A P SetTargetTemp A  L SetTargetTemp A
TEsetTargetTempin — TReadCurrentTemp) ^
{[PsetTargetTem p]{PReadCurrentTem p A  LReadCurrentTemp)
[ESetTargetTemp/  ^ReadCurrentTemp])
=  ( /  A XX G 0..37 A Status — Running A N  Ç N ) =>
[TargetTemp := xx ]{{yy G N  A Status = Running)
[CurrentTempIn /  yy])
= {I A  XX E 0..37 A Status =  Running) =>
[CurrentTempIn G N  A Status = Running)
=  irwe
The global Invariant /  and next invariant LsatTargetTemp were instrumental in dis­
charging the POs above. Passing the operation invariant on through the operations 
SetTargetTemp and ReadCurrentTemp save setting up explicit flags in the state.
• R e a d C u rren tT e m p (y y ) : The two main predicates that have to be proven are that 
the NEXT INVARIANT re-establishes itself and that the precondition and next invariant 
of the next operation are established by the current operation. The n e x t  i n v a r i a n t  
is re-established as J A PReadCurrentTemp A  LReadCurrentTemp ^  PReadCurrentTemp Î8 
trivially true. The R e a d C u rre n tT e m p  operation must establish the precondition of 
S w itch H ea te r courtesy of the n e x t  annotation. The precondition of S w itch H ea te r 
is Status = Running
[7  A  PReadCurrentTemp A  LReadCurrentTemp) ^  [PReadCurrentTemp]PSwitchHeater
= (7 A yy G N  A Status — Running ) =>
[CurrentTemp yy ]{Status = Running )
=  true
• S w itchH eater: the switch heater operation has a precondition Status — Running 
which is set by Start and maintain by all subsequent operations following on from it 
to this operation. The operation outputs a 1 or a 0 to signify either success or failure, 
respectively. The annotation sends the flow of control back to ReadTargetTemp. A 
refinement of the operation would turn  the heater on or off according to the temperature 
read into CurrentTemp.
(7 A PSwitchHeater ) ^  [PswitchHeater][PReadCurrentTemp A  LReadCurrentTemp)
=  (7 A Status = Running )
[CurrentTemp := yy ](Status = Running )
=  true
J u ly  6 , 2 0 0 8  1 0 3
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
Establishing Annotation-controller Consistency
Secondly, we demonstrate step-consistency.
Step-consistency is established by considering the parts of the definition of CTRL:
• The process variable R is step-consistent, by the definition of step-consistency for process 
variables.
— SetTargetTemp. TargetTempIn —> R: the prefix rule for step-consistency from Def­
inition 69 requires that:
init{R) Ç next {SetTargetTemp. TargetTemp In) =
{ReadCurrentTemp. CurrentTempIn} Ç {ReadCurrentTemp. CurrentTempIn}, which 
is true, since this predicate is true and the process variable R is step-consistent
— Start -> SetTargetTemp.TargetTempIn -4  R: the prefix rule for step-consistency 
from Definition 69 requires that:
init{SetTargetTemp. TargetTempIn -4  R) Ç next(Start) =
{SetTargetTemp} Ç {SetTargetTemp}, w h ich  is  tru e , s in ce  th e  th is  p red ica te  is 
tru e
— S-C T R L  =  Start -4  SetTargetTemp. TargetTempIn - 4  R: the recursive definitions 
rule for step-consistency from Definition 69 requires that
Start -4  SetTargetTemp .TargetTempIn -4  R be step-consistent which it is true.
• The process variable R is step-consistent, by the definition of step-consistency for process 
variables.
— SwitchHeater. XX -4 R: the prefix rule for step-consistency from Definition 69 re­
quires that init{R) Ç  next(SwitchHeater.xx) =
{ReadCurrentTemp. CurrentTemp In} Ç {ReadCurrentTemp. CurrentTemp In}, which 
is true, since this predicate is true and the process variable R is step-consistent
— ReadCurrentTemp. CurrentTempIn -4  SwitchHeater .xx -4  R: the prefix rule for 
step-consistency from Definition 69 requires that
init{SwichHeater -4  R) Ç next{ReadCurrentTemp) =
{SwitchHeater.xx} Ç {SwitchHeater.xx}, w h ich  is tru e , s in ce  th e  th is  p red ica te  is  
tru e
— R = ReadCurrentTemp. CurrentTempIn -4  SwitchHeater .xx -> R: the recursive 
definitions rule for step-consistency from Definition 69 requires that 
ReadCurrentTemp. Current Temp In SwitchHeater .xx -4  R be step-consistent 
which it is true.
— Halt -> S-CTRL'. the prefix rule for step-consistency from Definition 69 requires 
that init{S-C TRL) Ç next(Halt) = {Start} Ç {Start}, which is true, since the 
this predicate is true and the process variable S-C T R L  is step-consistent
• The process variable CTRL is step-consistent, by the definition of step-consistency for 
process variables.
— S-C T R L  A halt -4 S-CTRL'. the prefix rule for step-consistency from Defini­
tion 69 requires that S-C T R L  is initially consistent and halt -4  S-C T R L  is
104 JULY 6 , 2008
4.10. NEXT INVARIANT Annotations Example
step-consistent and from — any — op{halt) — true, which is all true, since 
init{S-C TRL) Ç next{INITIALISATION) and from — any — op{halt) is true.
— CTRL =  S-C T R L  A halt -4  S -C T R L  the recursive definitions rule for step- 
consistency from Definition 69 requires that S-C TR L  A halt - 4  S -C T R L  be step- 
consistent which it is true.
The three recursive definitions of the step controller (CTRL, R, S-CTRL) have been shown 
to be step-consistent, hence the complete controller is step-consistent.
initial-consistency is also established since:
• next{INITIALISATION) Ç init{CTRL): is initially-consistent as 
{start, halt} Ç {start, halt}
J uly  6 , 2008 105
Chapter 4. Adding I/O  and n e x t  in v a r ia n t  to Annotations
106 J uly  6 , 2008
5. Extending the n e x t  Annotation
5.1. The NEXT Extensions
The motivation for extending the annotations at this point is to introduce branching be­
haviour, The first new annotation, the SELECT NEXT, is introduced to direct the flow of 
control in an implementation of the B and a controller. The annotation constrains the choices 
between different execution options. Like the NEXT annotation all options must be enabled, 
but unlike the next annotation the options are guarded by conditions that constrain whether 
they can be chosen or not in the implementation. The options of a n e x t  annotation can be 
reduced by refinement, but the options of a s e l e c t  n e x t  annotation may not. The second 
annotation, the c o n d i t i o n a l  n e x t  annotation requires additional controller language oper­
ators. The annotation constrains the way that choices are made in the controller as in the 
normal if-then-else approach. The SELECT NEXT resolves the choice using the values of B 
variables. The c o n d i t i o n a l  n e x t  resolves the choices based on the output of B variables. 
In this chapter the shorthand used for sets of operations is given in definition 70.
D efinition 70 (The A bbreviations for O peration N am es).
The singleton operation OPi{vi, e,) is shortened to OP,-
The set of operations { OPj^ ,..., OPj^ } is shortened to OPJ
similarly { OPjti,OP* }^ is shortened to OPK
where q;, and e,- are detailed in Figure 4.1, page 76.
5.2. The SELECT n e x t  Annotations
The SELEC T N EXT annotation is written:
/  * {condji : O P j^ , co n d j ^ _ . ^  : OPj^_yELSE OPj„,} S E L E C T  N E X T  * /
Ignoring the conditions, the annotation is fundamentally a NEXT annotation. The conditions 
have no affect on the PCs. They serve as directives to be utilised at implementation. The 
condition condj^ is a predicate expression which uses B variables. The condition action pairs 
should be consulted in order from left to right to decide which action is to be executed
J u ly  6 , 2008 107
Chapter 5. Extending the n e x t  Annotation
next when coming to implement the specification. However, any action can be selected for 
execution next as they are all enabled as is the case with the NEXT annotation. If all the 
conditions are false then the final unconditional action is executed when implemented. No 
new controller syntax is introduced. However, unlike the pure n e x t  annotation all the choices 
in the s e l e c t  n e x t  have to be reproduced in the controller. By basing the choice on variables 
in the B machine we avoid carrying around addition state in the controller CSP. Although it 
would be possible in terms of POs to have sets of operations paired with conditions we limit 
the pairing to one conditions and one operation. If sets were used it would not be possible to 
indicate which of the operations has the highest priority during implementation. The SELECT 
NEXT annotation is associated with a choice in the controller. In the implementation the B 
guards would be utilised to decide which option is taken (conditional choice is introduced in 
the implementation).
Definition 71 ( s e l e c t  n e x t  A nnotation for Initialisation ).
INITIALISATIO N T  
!*{condj, : OPj„...,condj^_, : OPj^_, ELSE O P jJ  SELECT N E X T  * /  
Definition 72 ( s e l e c t  n e x t  A nnotation for O perations). 
OPi =  {Pi 1 Bi) 
/  * {condj, : OPj,,..., condj^_, : OPj^_, ELSE O P jJ  SELECT N E X T  * /;
In definition 71 the initialisation enables a number of operations that could be executed next. 
All the options are enabled. A choice between the options is added in the implementation. 
The first in the list is the preferred option. It is stated in definition 72 that after the execution 
of OPi has completed, OPj^, through to OPj^ are always available to execute, even if their 
associated condition prevents them from being actually selected. The proof of this claim can 
be verified by discharging the proof obligations in definitions 73 and 74.
D efinition 73 ( s e l e c t  n e x t  P roof Obligation for Initialisation).
VARIABLES V i  , ... Vg
IN V A R IA N T  Pi 6 Ty, A ... A Vg e  Ty ,
INITIA LISA TIO N T
/ *  {condj, : O P i , { V j „ E j , ) ) , . . . , E L S E  O P a V i ^ . E j J ) }  SELECT NEXT ♦/
% THEN B,-, END
io 8  J uly 6 , 2 008
5.2. The SELECT NEXT Annotations
The following PO arises:
V æ G { O p j ^ ^ O p j ^  } • {Tab  A [T]((Pj; A Zrg;)[P;g, P,,/-Ug, e%])) 
where
6x and Vx are free in T, and 
Tab  is defined in Figure 4.1
D efinition 74 ( s e l e c t  n e x t  P roof O bligation for O perations).
Vj ^  Opi{vi,6i) = P R E  Pi TH EN Bi END
/*  {condj, ; O Pj,{'!V j,\E ji),...,ELSE O P jJ - !V jJ E jJ ]  SELECT NEXT */ ;
S P R E  Pj^ THEN Bji END ;
O p j J y j ^ , e j J  = P R B  P j^  THEN B j^  END ;
The following PO arises:
V z G { Opj^, Op j^  } - {I A Pi A Li {Tab A [Bi]{{Px A Lx)[Vx,Ex/yx,ex])))  
where
6x and Vx are free in B, and Tab  is defined in Figure 4,1
The proof obligations are the same as with the NEXT annotation. The PO generated from 
NEXT annotations in operations (definition 6, page 25) and in the initialisation (definition 8, 
page 26) ensure that all the operations listed in the annotation are enabled.
D efin ition  75 ( s e l e c t  n e x t  A n n o ta tio n  L isting ).
select{OPi) = OPJ  
if OPi... / * {condj, : OPj,,. ..  ELSE OPj„} S E L E C T  N E X T  * / ;
=  undefined otherwise 
J u ly  6 , 2008 109
Chapter 5. Extending the NEXT Annotation
select{INITIALISATION) = OPJ
if INITIALISATIO N...
/  * {condj^ : O P .. .E L S E  OPj^}
SELECT N E X T  * /
=  undefined otherwise
5.3. The CONDITION n e x t  Annotations
In some situations the next operation in the execution may be in some way related to the 
outcome of the current operation: one operation selects another. The c o n d it io n  NEXT an­
notation is an extension to the NEXT annotation that supports conditional next path selection 
based on the output of the current operation, written:
/  * OPJ OPK CONDITION N E XT  * /
The annotation has two comma separated sets of operations: OPJ and OPK. The annotation 
sets do not have to be the same size. The first set is a set of operations that can be executed 
if output of the current operation is true or any natural number except 0. The second set is a 
set of operations that can be executed if the output of the current operation is false or 0. The 
operation that carries this annotation must have a single boolean or a single natural number 
output. The actual execution, if the output of the current operation represents true, is to 
select an operation from the first set of operations, otherwise an operation from the second 
set is selected. This annotation is the basis for conditional behaviour. Unlike the SELECT 
NEXT annotation it is not necessary to have a catch-all operation at the end of the annotation. 
The initialisation can not be annotated with the CONDITION n e x t  annotation, because the 
initialisation has no output.
Definition 76 (CONDITION NEXT A nnotation).
Vi OPi ~  {Pi I Bi)- /  * OPJ OPK CONDITION N E X T  * /
In definition 76 above, if the output of the current operation represents true then all the 
operations OPj^ through to OPj„ must be available for execute after the current operation 
has terminated. If however the current operation returns false then the operations OPki 
through to OPk„ are always available to execute. The proof of this claim can be verified by 
discharging the following proof obligation:
J uly  6 , 2008
5.4. Controller Syntax and Auxiliary Functions with c o n d it io n  n e x t  Annotations
D efinition 77 ( c o n d i t i o n  n e x t  P roof O bligation for O perations).
{I A Pi => {Tab  a  [Bi]{{yi =  true ) Pji['^,E /vj^, e^-J))) A ...
A {I A Pi { T a b  a  [B,•]((!/,• =  true ) ^jm])))
A {I A Pi => {Tab  a  [B,]((?/i =  false ) =4> % J))) A ...
A (7 A Pi =» {Tab  A [Bi]((yi =  false ) =4^  Pk^[V,E/vk^, e^J)))
The controller is constrained in how to resolve the choice by the output of the current op­
eration. In Figure 77 the PO applies B,, to assigned to ÿ,. The proof obligations differs to 
NEXT version in that an extra conditional element is added. We introduce a new controller 
operator to handle the requirements of the CONDITION n e x t  annotation.
5.4 . Controller Syntax and Auxiliary Functions with c o n d i t i o n  
N EX T Annotations
We extend the new listing function to support the new annotation and introduce a new 
function to deal with the CONDITION  annotations.
D efin ition 78 (C ondition A nnotation Listing).
condition{yi 4—  OPi.../ * OPJ OPK CONDITION N E X T  * / )  = yi
if yi e  BOOL or 
2/i e  N
undefined otherwise
D efinition 79 (condition-true A nnotation Listing).
condition — true{yi i—  0P{ =  ... /  * OPJ OPK CONDITION N E X T  * /)
=  OPJ
if Vi G BOOL or 
2/i G N
undefined otherwise
J u l y  6 , 2 0 0 8  i i i
Chapter 5. Extending the NEXT Annotation
Definition 80 (condition_false A nnotation Listing).
condition -  false{yi ir— OPi = ... j  ^ OPJ OPK CONDITION N E X T  * /)
OPK
if yi € BOOL or 
Vi e  N
undefined otherwise
Definition 81 (Trace Definition of traces{if condition then R1 else R2)),
traces{if b then R1 else R2) = ^[traces{R2] if -nb
Definition 82 (Controller Syntax w ith Conditional Extension).
R  ::= aly'lzlx  -4 R{v) |
R D R  I 
R A R  I 
R A x R  \
R A )c  R \
if y then R else R |
The controller language definition of 65 on page 91 is extended in definition 82 to take 
account of the addition of the if-then-else operator. The new operator introduced above is: 
if y then R else R.
Definition 83 {init on CSP Controller Process w ith Conditional Choice).
init{a?ylv\x  -4  R l) = {a .y.v.x}
in it{R l □ R2) = init{R l) U init{R2)
init{R l A  R2) =  init{R l) U init{R2)
in it{R l A x  R2) =  init{R l)
in it{R l A \  B 2 ) =  init{R \) U init{R2)
init{if y then R l else R2) = init{R l) U init{R2)
init{S{p)) = init{R{p)) where S{p) = R{p)
J uly  6 , 2008
5.5. SELECT NEXT and CONDITION NEXT Annotation Consistency
Definition 83 extends definition 66, on page 92 with an init definition of the conditional CSP 
operator. The guard function is extended in a similar way.
D efin ition  84 {guarded on  C S P  C o n tro lle r  P ro cess  w ith  G lobal In te r ru p t) .
guarded{alx\y - 4  R l)  =  true
guarded{Rl □ R2) = guarded{Rl) A guarded{R2) 
guarded{Rl A R2) =  guarded{Rl) A guarded{R2)
guarded{Rl A% R2) =  guarded{Rl) A guarded{R2)
guarded{Rl R2) = guarded{Rl) A guarded{R2) 
guarded{if y then B I else R2) =  guarded{Rl) A guarded{R2)
guarded{S {p)) =  false
guarded{S{p) =  R{p)) =  true if guarded{R{p)) — true
5.5. SELECT N EX T and CO ND ITIO N N EX T Annotation Consistency
As before the derivation of annotation consistency is broken down into annotation and step- 
consistency. The revised definitions of annotation consistency and step-consistency are stated 
in definition 85 and definition 86, respectively. The SELECT NEXT annotation does not intro­
duce a new CSP operator into the controller language hence the definitions do not changes 
as a result of that (the choice operator implements the SELECT n e x t  annotation). The 
CONDITION NEXT is not permitted as an annotation in the initialisation: controllers with 
initial if-then-else operators are not initially-consistent. However designers will want to use 
the if-then-else operator in controllers regardless of whether the operator is supported by an 
annotation or not. An example is:
R{y) = if {y mod 2) =  0 then c lz  - 4  R{z) else d lz  -> R{z) ...
M ^G TRL  =  B(0)
At initialisation the consistency of the if-then-else operator can be deduced directly from the 
context of the control fragment quite easily. In general the annotations make the deduction 
of consistency easier by guaranteeing different consistency requirements.
D efin ition  85 (A n n o ta tio n  C o n sis ten t w ith  B ranch ing).
1. a ly lv le  - 4  R
is annotation consistent with Machine M  ii a ly l  vie - 4  B is initially consistent and 
J u ly  6, 2008 113
Chapter 5. Extending the n e x t  Annotation
a ly l  vie -> R is step-consistent with M
a ly lv le  -> R is initially-consistent if a ly lv le  E next{INITIALISATION)
2. BI □ B2
is annotation consistent with Machine M if BI and B2 are annotation consistent with 
M.
3. BI A B2
is annotation consistent with Machine M if BI is annotation consistent and 
V op G init{R2) - from  — any{op) = true and B2 is step-consistent with M
4. BI A% B2
is annotation consistent with Machine M if B I annotation consistent with M  and 
if V op G init{R2) • X  Ç from — set(op), and B2 is step-consistent with M
5. BI A ^  B2
is annotation consistent with Machine M if BI is annotation consistent with M  and 
if Vop G init{R2) - X  Ç from set-i{op ), and B2 is step-consistent with M
6. i f  b then BI else R2
is annotation consistent with Machine M  if it is step-consistent
7. S { p )
is annotation consistent with Machine M
A family of recursive definitions S{p) = B(p) is annotation consistent with M ’s an­
notations if each B(p) is annotation consistent with M ’s annotations.
D efinition 86 (Annotation-controller Step-consistency w ith Branching). The step- 
consistency of the controller fragment B is defined as follows:
1. alylvle  -4 BI
is step — consistent with Machine M if init{R l) C next(alylvle)) and 
B I is step-consistent with M
114 J u ly  6 , 2008
5.6. Proving Termination of Controlled Machines with c o n d it io n  n e x t  Annotations
2. B I □ B2
is step-consistent with Machine M  if B I and B2 are step-consistent with M.
3. B I A B2
is step-consistent with Machine M  if R l is step-consistent with M and 
if V op G init{R2) • from  — any{op) =  true and B2 is step-consistent
4. B I A% B2
is step-consistent with Machine M if B I is step-consistent with M  and 
V op G init{R2) • X  Ç from  — set (op) and B2 is step-consistent with M
5. B I A ^  B2
is step-consistent with Machine M  if B I is step-consistent and B2 is initially-consistent 
with M  and V op G init{R2) • X  C from — set — init{op) T
6. i f  y then R l  else R2
is step-consistent with Machine M if p G BOOL or y G N  and BI and B2 are step- 
consistent with M  and
V 6 G init (BI) 6 G condition-true{a.y.v.x) and
V c G init (B2) => c G condition-false{a.y.v.x)
7. S{p)
A family of recursive definitions «S' =  B is step-consistent with Machine M ’s annotations 
if each B is step-consistent with M ’s annotations. In the above step-consistent definition 
the action a.y.v.x  is used in the condition-true and condition-false functions. A one- 
to-one translation between action and operation is assumed.
5.6 . Proving Termination of Controlled Machines with c o n d i t i o n  
NEXT Annotations
The proofs in this section establish that it is enough to demonstrate annotation-consistency 
(given machine-annotation consistency) to show that the every step of the machine-controller 
pair terminates, which implies non-divergence; every operation is called within its precondi­
tion. The proofs in this section extend section 4.7 by introducing new proofs for machines
J u ly  6 , 2 0 0 8  1 1 5
Chapter 5. Extending the n e x t  Annotation
with CONDITION NEXT annotations and controllers with branching operations. There are no 
proofs associated with the SELECT NEXT annotation as it has the same POs as the NEXT 
annotation and is associated with the same controller fragments as the NEXT annotations.
The proof of theorem 2 is repeated, but this time with i f —then—else in the controller language.
It must be shown that only good traces are produced by M -C TRL, Hence M  || M -C T R L
is divergence free. The reasoning is done over the lengths of the traces in the proof.
We restate the theorem for controllers for CONDITION NEXT :
Theorem  5 (A nnotated M achine Controller Com binations that are M achine-A nnotation  
Consistent and A nnotation C onsistent are Divergence Free). I f a c o n d i t i o n  n e x t  
annotated B Machine M  is annotation consistent with a controller M -C T R L  is annotation 
consistent then M \\M -C TRL is divergence free.
The proof that arbitrary length traces are non-divergent (I/O  not considered when referenc­
ing existing proof work):
Case (A) () The empty trace
1 [T]I by consistency of M
2 [T]true by [T]I => [T]true
Case (B) (a.po-Uo-So) G traces{M-CRTL) The singleton trace
1 {a.ya.Va.Xa) ^  traces{M-GTRL) unà initial assumption
is annotation consistent
2 a.ya-Va-Xa G next{INITIALISATION) V
from-any-op(po A—  a(ua,ea)) V
from-set-init(pa —^  a{Va  ^Ga)) ^  {} def. of Lemma 4, on page 51
3 [T]Pa by def. of PO of annotations in all cases
4 [T]7 by def. of machine-consistency 4
5 [T]{Pa A I) by 3 and 4
Entirely similar to the proof of 
theorem  1, page 30, Case B lines 6 to  end.
Case (C) tr {a.ya.Va.ea, b.y^.v^.eb) G traces{M-GRTL) where tr G traces(M-GRTL)
The arbitrary trace
i i 6  J u ly  6 , 200 8
5.6. Proving Termination of Controlled Machines with CONDITION NEXT Annotations
1 {tr a.ya-Va-Ga) is good
Case (01) The existing annotations
2 b.yij.Vb.eb € next{a.ya.Va.ea) V
from-any-op(6 .ÿ6.t;{,.eb) V 
a.ya-Va-Ga G from-set-op(&.pi,.'ü{,.e{,) V 
a.ya-Va-Ga G ftom-set-init-op(6 .p&. . e;,) V
E n tire ly  sim ilar to  th e  p ro o f of
th eo re m  4, page 95, C ase (C) lines 3 to  end .
by inductive hypothesis
def. of lemma 12, on page 118
case (C2) condition-true{a.ya-Va-ea) ^  {} or 
condition-false{a.ya.Va.ea) ^  {}
case (C2a) The true condition 
condition ( a. pa • Uo • Uo )
Po -  true
true
Pa A I  [Bo](po ^  Be) A 
Pa A I  => [Ba](-ipa Bj) 
Pa A I  =>■ [Ba](Bc)
Entirely Similar to
the proof of theorem 1, page 30,
case C lines 5 -1 8 .
The new condition annotations
def, of condition annotation listing 78
case 2 and def. 77 condition next 
POs with I/O  dropped, on page 110
2 and 3
c = b
{tr a '^  b) is good
let arbitrary c equal b 
by 18, 19 and
def. of machine consistency
J u ly  6 , 2008 117
Chapter 5. Extending the n e x t  Annotation
case (C2b) The false condition -
1 condition{a.ya.Va.ea) =  false
2 -ipo =  false
3 Pa A I  ^  [PaliVa ^  Pc) A
Pa A l  ^  [Ba]{-^ya Pd) case 2 and def. of PO 77
4 Pa A I  [Ba]{Pd) 2 and 3
Entirely Similar to
the proof of theorem 1, page 30,
case C lines 5 - 18.
5 d — b let arbitrary d equal b
6 {tr a"^ b) is good by 18 and 19 and
def. of machine consistency
Case C is a new case that introduces the conditional operator, which has a true and false 
branch.
Arbitrary Traces are Enabled by Annotations
Lemma 12 (Arbitrary Length Traces o f A nnotation Consistent Controllers are 
Enabled by A nnotations). The actions of arbitrary length traces of annotation-controller 
consistent controllers with branching fragments are enabled by operation annotations:
annotation — controller consistent A  t r '^  { a . y a - V a - G a )  ^  {b.yh-%.eb) G traces{R) => 
h.yb-Vb-Cb G next{ya <—  a(va, e^ )) V 
from -  any -  op{yb i—  h{vb, e&)) V 
a.y.v.x  G from — set — op{yb <—  6 (u&, e&)) V 
a.y.v.x  G from — set — init - op{yb <—  &(u, e&)) V 
{condition{ya <—  a(î^oj ^a)) A 
blyblvbleb G condition-true {y a <—  a{va,ea))) V 
{condition{ya <—  a{va, Ca)) A 
blyblvbleb G condition-false{ya <—  &(ug, eg)))
Proof of Lemma 12 by cases of controllers ignoring I/O  which has been established to be type 
correct by machine-annotation consistency.
case A clyclvclcç -> R
Entirely similar to  the proof of Lem ma 5, page 55, case A , using lem m a 13, 
page 120, instead of lem m a 6, page 60
i i 8  J uly  6 , 2 008
5.6. Proving Termination of Controlled Machines with CONDITION NEXT Annotations
case B B I □ B2 
E n tire ly  sim ilar to  th e  p ro o f o f L em m a 5, case B,
case C BI A B2 
E n tire ly  sim ilar to  th e  p ro o f o f L em m a 5, case C.
case D (BI A% B2)
E n tire ly  sim ilar to  th e  p ro o f o f L em m a 5, case D.
case E (BI A ^  B2)
E n tire ly  sim ilar to  th e  p ro o f  o f L em m a 5, case E.
case F S{p)
E n tire ly  s im ila r to  th e  p ro o f o f L em m a 5, case F.
J u ly  6 , 2 0 0 8  1 1 9
Chapter 5. Extending the n e x t  Annotation
case G if condition then B I else B2
1 {a. ya.Va.ea)  ^  {h.yb.Vb.eb)  G
traces{if y then BI else B2)
2 if y then R l else R2 step — consistent with M
3 BI step-consistent with M
4 B2 step-consistent with M
case 1 y = true or p 0
5 t r ^  {a.ya-Va-Ga) ^  {h.yb.Vb.eb) G traces{Rl)
6 hlyblvbleb  G next{ya i—  a{va ,ea ) )  V
f rom -  any  -  op{yb —^ - h{vb, e^)) V 
a . y . v .x  G f rom -  se t  — op{yb i—  b{vb,  e^)) V 
a . y . v .x  G f rom — set  — ini t  — op{yb <—  ej)) V
{condit ion{ya <—  a{va ,ea ) )  A
condition-true{ya i—  a(uo,ea)) 7  ^ {}) V 
{condition{ya <—  «(«0 » ^a)) A
condition-false{ya <—  a(uo, Gq)) ^  {})
case 2 p =  /oke or p =  0
7 (r ^  {a.ya.Va.Ga) ^  {h.yb.Vb.eb) G traces(B2)
8 &?pfc?t/6!e6 G next{ya <— e^ )) V 
f rom -  any -  op{yb i—  6 (^ 5, ej)) V 
a . y . v .x G /rom - set - op(pf, <—  b{vb, Gb)) V 
a . y . v .x G /rom — set - ini t — op(p^ 4—  &(u, e^)) V 
{condit ion{ya <—  a(uo, Ca)) A
condi t ion- t rue{ya  <—  o(uo, Co)) 7  ^{})V 
{condit ion{ya <—  «(uq, Cq)) A
condi t ion- fal se{ya <—  a(ua, Cq)) {})
initial assumption 
initial assumption 
2, def. consistency 86 
2, def. consistency 86
by 3 and (y^O or y=true)
3, 5, and ind. hyp. on BI 
QED
by 4 and (0 or y =  false)
4, 7, and ind. hyp. on B2 
QED
The Initial Action of a Consistent Controller
L em m a 13 (E lem ents o f in itia lly -consisten t s ing le ton  tra c es  a re  in  in it(R )) . An
element of the singleton trace of an annotation-controller consistent controller fragment R is 
contained in the init of R:
{h.yb.Vb.eb) G traces{R) => h.yb.Vb.eb G init{R)
J uly  6 , 2 0 0 8
5.7. Examples Utilising s e l e c t  n e x t  and c o n d it io n  NEXT
Proof of Lemma 13 follows the same pattern as the proof in Lemma 6, on page 60, by cases of 
controllers ignoring I/O  which has already been proven to be machine-annotation consistent:
case A (c?yc?Vclec -) B)
Entirely sim ilar to  the proof o f Lem m a 6, case A , page 60.
case B (B1ÜB2)
Entirely similar to the proof o f Lem m a 6, case B.
case C (BI A B2)
E ntirely sim ilar to  the proof o f Lem m a 6, case C.
case D (BI A% B2)
Entirely sim ilar to the proof o f Lem m a 6, case D .
case E (BI A ^  B2)
Entirely similar to  the proof o f Lem m a 6, case E.
case F (S(p))
Entirely sim ilar to  the proof o f Lem m a 6, case F.
case G (if y then R l  else B2)
1 (6) € trace{if y then R l  else B2)
Entirely similar to the proof o f Lem m a 6, case B , lines 2 to  6.
5.7. Examples Utilising s e l e c t  n e x t  and c o n d i t i o n  n e x t
The examples in Figures 5.1, 5.2, 5.3, and 5.4 illustrate the use of the s e l e c t  n e x t  annotation 
and CONDITIONAL NEXT annotation. The machine is introduced in Figures 5.1, Figures 5.2
J u ly  6 , 2 0 0 8  1 2 1
Chapter 5. Extending the n e x t  Annotation
and 5.3. The first of the three figures introduces the declarative parts and the second figure 
introduces operations: c r e a t e s t o r e - o k ,  e n t e r - c o d e - o k ,  r e a d s t o r e - o k . ,  d r i v e s w i t c h - o k  and 
s a f e s t o r e .  The second part depicts mostly state manipulating operations. The s a f e s t o r e  
operation is a state modifying operation as is e n te v - c o d e ^  r e a d s t o r e  and d r i v e s w i t c h .  The 
annotations of the figures use the M  ( s k e y )  definition, which represents a set of operations 
parameterised with the current s k e y .  Very little detail is given in the operations. Generally, 
the operation bodies produce new values for state non-deterministically or the bodies are just 
sk ip .  The machine just gives a flavour of the use of the annotations. A controller for the 
machine is given in Figure 5.4.
The safety switch may be associated with several sets of saved codes. Each set is referred to 
by a unique key. Codes are driven through the safety switch to open it. The codes are loaded 
one-by-one into a memory with the e n t e r - c o d e  command to an appropriate set associated 
with the current key. The codes can be driven through the switch by outputting them one at 
a time from the store referenced by a key using the d r i v e s w i t c h  command. The saved stored 
codes can be overridden with a predefined safe pattern using the s a f e  command. The codes 
can be inspected by driving them out through a port other than the drive port one-by-one 
with the r e a d - s t o r e  command. New storage is allocated with the c r e a t e s t o r e  command. 
State querying actions are available to test the state before committing to a state modifying 
action. Type preconditions are defined in the operations signatures.
The B machine introduces, through the machine interface, three unique codes and a C O D E  
set type. The length of a code store is set by the machine parameter s to r e - l e U y  which must 
be greater than 0. The number of codes in the given C O D E  set must be greater than 3. 
The set S K E Y  is set to contain three elements: ugsl, u q s 2 ,  and uq sS .  A number of variables 
are introduced in the VARIABLES clause. The variables s k e y  s e t  and s to rey  are a  power 
set of S K E Y s  and a sequence of codes index by an element from the S K E Y  type. The 
variables v S K E Y y  v C O D E  and v P O S  are used by the annotations to get new values from 
the environment. There are other variables but they are used for internal storage. The idea 
here is to introduce variables that will act as ports to the outside world when translation to 
a hardware description language.
The first four operations are query type operations. They are not marked with query anno­
tations, because they are used as part of an annotation branch. Hence they are marked with 
condition next annotations. The bodies of the operations do not give any details of how the 
operations are implemented. The detail would be introduced during refinement. The condi­
tional next annotation of the crea tes toresk  branches to either the createstore  operation 
next or the collection of operations defined by M{skey). The definition short hand M{skey) 
is introduced as a short hand to describe the collection of operations: c rea tes toresk  y 
enter-Codesk[skey)y readstoresk{skey)y dr ivesw itch sk  and safeskey{skey).
The e n t e r s o d e s k  operation has a possible branch to the e n t e r s o d e  operations conditional 
on whether the argument s k e y  is a member of the s k e y s e t .  The other v C O D E  is not known 
at this point in the specification, and is introduced by allowing it to take any value that 
the variable of the same name can accept. In Figure 5.4 a controller for the machine is 
given. The controller is developed systematically from the B annotations. Each operation be­
comes a process with an initial action of the same name. Like e n t e r s o d e s k ,  the operations 
r e a d s t o r e s k  and d r i v e s w i t c h s k  have annotations that are conditional and take input 
from the environment. The s a f e s t o r e  sets the store of the s k e y  passed in to a predefined
J u ly  6 , 2 008
5.7. Examples Utilising SELECT NEXT and c o n d it io n  n e x t
pattern. The createstore operation creates a new skey and code store. A select annotation is 
used to control the branching after the createstore, readstore  and drivesw itch  operations. 
The readstore  operation creates a code and a position to store the code at. The operation 
design suggests that a loop could be used to read out all the values from a particular store. 
The drivesw itch-op  annotation like the readstore  operation is suggestive of a possible loop 
implementation as well.
M A C H IN E  SSM {aa,bb,xx, GODE,store-len)
C O N S T R A IN T S
CODE G P(N) A card[CODE) > 3 A oa G CODE A 66 G CODE A 
XX G CODE A store-len G N  A store-len > 0 A carrf({aa, 66, æx}) =  3 
SETS SK E Y  =  {ugsl, uqs2, uqs3 }
V A R IA B L E S sk ey se t, store, vSK EY, vCODE, vPOS 
IN V A R IA N T  sk e y se t e  Y [SK EY) A  store G f> {S K E Y se q {C O D E ))  A  
vSK E Y  G SK E Y  A vCODE G CODE A vPOS G 1..store-len 
IN IT IA L IS A T IO N
sk e y se t = {} || store = {}|| vSK E Y  :G SK E Y  || vCODE :G CODE || 
vPOS :G 1..store-len /  * {createstore} N E X T  * /
Figure 5.1.: Safety Switch Machine - Header
The controller in Figure 5.4 is derived directly from the B specification in Figure 5.3. An effort 
has been made to synthesise that CSP from the annotations to illustrate standard translation 
templates. The synthesis guide lines are captured in the table in Figure 5.5, page 127.
Annotations must refer to operation I/O  in a consistent way. If one annotation refers to oper­
ation opi with input fixed by the environment then all annotations must refer to that opera­
tion in the same way. The B initialisation is translated into C R E A T E ST O R E  process. The 
C R E A T E S T O R E  initialisation is invoked from a process called CTRL. The c rea te s to re sk  
operation translates to a CSP if-then-else, as does the entersode-ok, the readstore-ok  and 
the drivesw itch-ok  operations. Most of the operations have skey as a parameter. The need 
to retain the skey value means it is a process variable. The driveswitch—ok B operation in­
puts vPOS and vSK EY  values and passed on as process variables. The createstore  operation 
has a select annotation, therefore translates with an external choice next.
J u ly  6 , 2 0 0 8  1 2 3
Chapter 5. Extending the n e x t  Annotation
O P E R A T IO N S  /  * See defs. clause at the end of machine for details of M{skey). * /
* The checking operations used by the environment are defined first : create—ok,
* enter-code-ok,read-store-ok,driveswitch-ok. The safestore operation is not a * /
* checking operation. All these operations can called by the environment at any time * /
* when they are enabled by the controller. * /
* CREATE-O K  — The creation of a store for the next stream of codes * /
* On failure the annotations restrict the alternative to driving * /
)b <—  createstorc-ok  =  P R E  true T H E N  bb := bool{skeyset ^  SK E Y)  E N D
* {createstore} M{\skey) CONDITION N E X T  * /;
* EN TER-C O D E-O K  -  /
* Establishes if  a code can be entered into a specific code store * /
* On failure the annotations permit any operation to * /
* be carried out on the current store * /
>b i—  enter-code-ok(skey) =
*RE skey € SK E Y  T H E N  bb := bool{skey G sk ey se t ) E N D
* {enter-code{lvCODE\skey)} MQ.skey) CONDITION N E X T  * /;
* RE A D -STO R E -O K  -  */
* Tests that store can be read. * /
>6 <—  readstore-ok{skey) =  P R E  skey G SK E Y  T H E N  bb :G BOOL E N D
* { readstore{flvPOS\skey)} Mif.skey) CONDITION N E X T  * /;
* D R IV E S W IT C H -O K - * /
* Tests whether it is safe to output the contents of the stores * /
* A failure to drive does not prevent current store operations being carried out * /  
fb i—  drivesw itch-ok  =
!*RE true T H E N  bb :G BOOL || vPOS :G 1..store-len || vSK E Y  :G sk ey se t  E N D
* {drivesw itch{lvSK E YlvP O S)} MQ.skey) CONDITION N E X T  * /;
* S A F E S T O R E ^ /
* Overwrites the contents of a store with a safe pattern * /  
safestore(skey) =
P R E  skey G SK E Y  T H E N  store(skey) := ((!..store-len) * { aa} )EN D
/  * M(\skey) N E X T  * /;
Figure 5.2.: Safety Switch Machine - Environmental Operations 
124 J u ly  6, 2008
5.7. Examples Utilising se l e c t  n e x t  and c o n d it io n  n e x t
/  * The controller can call create, enter—code, driveswitch, only when their * /
/  * preconditions are met and there are next in the control sequence * /
/  * Create safe key and safe pattern * /  
skey <—  createstore = P R E  SK E Y  — sk e y se t ^  {}
T H E N
A N Y  ss ,pp W H E R E
$s : SK E Y  — sk ey se t  A 
pp : seq{CODE) A size{pp) — store-len 
T H E N
skey := ss|| vSK E Y  := 5s||
skeyse t  := skeyse t  U  { s s } | |  s io re  : =  s to re  U  { s s  pp}
EN D
E N D  /  * {true-. sa festore{\skey),^l
/  *  true: enter-Code—ok(lskey),*/ 
f  * ELSE createstore-ok } SELECT N E X T  * /;
/  * No operation body defined in abstraction * /
enter-code{code,skey) = PRE code € CODE A sftey G sAei/_set T H E N  sAizp E N D
/  * M  if skey) N E X T  * /;
/  * Vdtwe gzuen, to vPOS to exercise annotation. * /  
code 4—  read-store(skey) =
P R E  sfceÿ G SK E Y  T H E N  code :G { aa,bb,xx } || vPOS :G l..store_te?t E N D  * /
/  * { code =  XX : safestoreQ.skey), */
/  * vBOiS'+  1 < store_te7i : readstore{\skey), */
/  * ELSE createstore-ok} SELECT N E X T  * /;
code <—  driveswitch{pp, skey) =
P R E  pp G N  A sfeey G SK E Y  A sfcep G sk ey se t  A pp G l..store_ten T H E N  
code :G (CODE — xx) || vPOS :G l..store_te?% || vSK EY  :G sk e y se t  
E N D  /  * { vPOS < store-len : drivesw itchÇlvPO SlvSKY), * / |
/  * ELSE createstore-ok} SELECT N E X T  * /
D E F IN IT IO N S
M{\skey) = =  {creote_store_oA, enter-code-ok{\skey),
readstore-ok{\skey), drivesw itch-ok, safestore{\skey)}
E N D
Figure 5.3.: Safety Switch Machine - Controller Operations 
J u ly  6 , 2008 125
Chapter 5. Extending the n e x t  Annotation
C T R L  =  C R E A T E S T O R E
C R E A T E S T O R E - O K  ( s k e y )  =  c r e a t e s t o r e - o k l b b  —>
i f  bb th e n  C R E A T E S T O R E  e lse  M { s k e y )  - - / *  C O N D I T I O N  N E X T  * /
E N T E R - C O D E - O K  ( s k e y )  =  e n t e r - C o d e - o k l b b \ s k e y  —>
i f  bb th e n  E N T E R - C O D E ( s k e y )  e ls e  M { s k e y )  -  - / *  C O N D I T I O N  N E X T  * /
R E A D  S T O R E - O K  ( s k e y )  =  r e a d s t o r e - o k l b b l s k e y  - 4
i f  bb th e n  R E A D S T O R E  ( s k e y )  e ls e  M ( s k e y )  - - / *  C O N D I T I O N  N E X T  * /
D R I V E S W I T C H - O K  ( s k e y )  =  d r i v e s w i t c h - o k l  bb - 4  
i f  bb th e n  D R I V E S W I T C H  e ls e  M ( s k e y ) ------
S A F E S T O R E ( s k e y )  =  s a f e s t o r e l s k e y  - 4  M ( s k e y )
C R E A T E S T O R E  — c r e a t e s t o r e l s k e y  - 4
( S A F E S T O R E ( s k e y )  -  -  S E L E C T  t r u e
□  E N T E R - C O D E - O K  ( s k e y )  -  -  S E L E C T  t r u e
□  C R E A T E S T O R E - O K )  -  -  S E L E C T  E L S E
E N T E R - C O D E  ( s k e y )  =  e n t e r - c o d e l v C O D E l s k e y  - 4  M ( s k e y )  N E X T
R E A D S T O R E ( s k e y )  =  r e a d s t o r e l c o d e l s k e y  - 4
( S A F E S T O R E ( s k e y )  ------ S E L E C T  co d e  =  xx
□  R E A D S T O R E ( s k e y )  ------ S E L E C T  v P O S  4 - 1  <  s t o r e - l e n
□  C R E A T E S T O R E - O K )  -  -  S E L E C T  E L S E
D R I V E S W I T C H  =  d n v e s w i t c h l v C O D E l v P O S l v S K E Y  - 4  
D R I V E S W I T C H  -  -  S E L E C T  v P O S  <  s t o r e - l e n
M ( s k e y )  =  ( C R E A T E S T O R E - O K
□  E N T E R - C O D E - O K  ( s k e y )
□  R E A D S T O R E - O K  ( s k e y )
□  D R I V E S W I T C H - O K  ( s k e y )
□  S A F E S T O R E ( s k e y ) )
Figure 5.4.: Safety Switch Machine Controller Operations 
126 J u ly  6, 2008
5.7. Examples Utilising se l e c t  n e x t  and c o n d it io n  n e x t
B CSP
Operation name 
Operation I/O
Annotation operation parameters 
set in previous operation
Annotation operation parameters 
not set in previous operation
Operation parameters set by 
environment
Operation output
CONDITION NEXT a n n o ta tio n s
NEXT a n n o ta tio n s
SELECT NEXT a n n o ta tio n s
A process with the same name in capitals 
A channel with the same name in lower case 
Process variable and channel output
channel input
channel input
channel input
if-then-else branch to other processes
Prefixed action the process representing 
the next operation
Prefixed action to external choice
branch of other processes
(the guards are not utilised in the CSP)
Figure 5.5.: Annotated B to CSP Synthesis Guide
J u ly  6 , 2 008 127
Chapter 5. Extending the n e x t  Annotation
1 2 8  J u ly  6 , 2 008
6. Translating and Refining Annotations
The motivation for this chapter is to discuss how the annotations can be extended to deal with 
implementation and refinement of critical controller specifications. This chapter examines the 
refinement and translation of B annotated machines and their controllers, and follows a similar 
pattern to a other technical chapters. The new annotations are introduced. A definition of 
consistency is offered along with proof that shows that annotation-consistent controllers axe 
divergent free. At the end of the chapter the refinements and translations to hardware are 
introduced.
Only translations to Handel-C are considered. To talce advantage of the Handel-C hardware 
description language a new annotation is introduce, INTERLEAVED n e x t . It generates proof 
obligations that test whether stated operations can be executed concurrently. This annotation 
allows a developer to take advantage of the parallelism available in hardware. The SEQUENCE 
NEXT annotation is introduced to assist refinement. This annotation allows a developer to 
state control refinements. In general annotations are added to suit the different application 
being model and source languages targeted. Importantly, the underlying B is not changed.
The chapter introduces one approach to annotated interleaved execution. It is termed weak 
annotation interleaving: all of the operations available for interleaving might not occur before 
the interleaved operation is said to be complete (some actions in the interleaved annotation 
set might not be executed). The strength of the annotation interleaving is dictated by the 
precondition of the operation following the interleaving. The measure of strength of the 
interleaving relates to how the operation following the interleaved operations is enabled. 
Weak annotation interleaving has a next operation that any one of the operations of the 
interleaving can enable individually (any of the interleaved operations are sufficient to enable 
the next operation). In strong interleaving each operation of the interleaving must add towards 
the enablement of the next operation (all the interleaved operations are necessary to enable 
the following operation). Strong annotation interleaving is not considered in-depth in this 
thesis. However, the goal is to construct specifications that utilise annotations that use strong 
interleaving in the future. Weak interleaving is considered here first as a basis for strong 
interleaving. Strong interleaving has the same basic requirements as weak interleaving. The 
only difference is that each interleaved operations adds towards establishing the precondition 
of the next operation. Like weak interleaving strong interleaving requires that the interleaved 
operations have independent variables. Similarly, the next operation is the point at which 
the interleaving converges.
When considering the proof of the termination of traces of operations with interleaved anno­
tations, later in the chapter, it will be necessary to identify which operation two consecutive 
interleaved operations relate to. The FROM in t e r l e a v e d  annotation is introduced to keep 
a track of where interleaved operations flow from. Two consecutive operations a and 6 in a
J u ly  6 , 2 0 0 8  1 2 9
Chapter 6 . Translating and Refining Annotations
trace tr are generated by a consistent machine-controller pair if a enables 6 or if a and b are 
enabled by another operation z and a does not disable 6. We only consider the simplest form 
of interleaving in this chapter. To keep things at their most basic the interleaved behaviour 
is brought to an end quickly.
A different 1/O model is utilised to that of chapter 4, where 1/O is produced by three separate 
interacting subsystems: the environment, the B model and the CSP controller. The I/O  model 
is now simplified to ease implementation for the purposes of this chapter. The control elements 
of examples given in this thesis are primarily sequential. Parallelism is only introduced to 
aid data processing, and only considers a subset of the I/O  detailed in chapter 4. The 
new view of the interaction between environment and the execution of the annotated B 
specification is given in diagram 6.1. The system can be viewed in two ways: as a CSP model 
or as an annotated B model. The CSP controller can be thought of as a view of the final 
implementation that details only control aspects, whereas the pure B is a view of the system 
that details data manipulations. The annotated B contains both views. In this chapter the 
focus is on the implementation aspects of the research. Simple controllers are considered, and 
as no data is transfered between controller and B annotations the I/O  signature is restricted 
to the following: y, <—  Opi{vi). The Cj input from the controller has been dropped in this 
chapter.
op(v)
B view of system
Environment
B Operation
CSP view of system
Environment
CSP event
Figure 6.1.: Different Views of the Same Action.
Let us re-cap the definition of the basic annotations. We annotate operations of a B machine 
with a NEXT annotation that supports operations with I/O . If the conjunction of PO ’s for 
all the annotations are discharged then we say that the annotations are consistent with the 
machine: machine-annotation consistent. A consistent controller that evolves in accordance 
with the next annotations steps will not diverge or deadlock. Stepping through the controller 
showing that annotations support the controller execution demonstrates annotation-controller 
consistency. If a machine-controller pair is both machine-annotation and annotation-controller 
consistent then the pair when executed together will not diverge. Consider the NEXT anno-
130 J uly  6 , 2 0 0 8
tation of definition 5 restated below:
OPi = {Pi I Bj) /  * OPJ NEXT  * /;
A NEXT annotation on the current operation OPi (where OPi represents yi i—  Opi(vi) and 
Pi is the output vector, y i . . . y n ,  and Vi is the input parameter vector, v i . . .  Vm ) introduces 
another operation OPj, or set of operations { OPj ,^ . . , ,  OPj„} , which will be enabled after 
OPi is executed (where an operation in the annotation OPj represents Opj{vj) and Vj is the 
input expression vector, v i . . . V j n ) .  In the NEXT annotation v j  is a list of expressions which 
serves as inputs on which OPj can be called next. In this chapter annotation input expression 
list will be restricted to variables v defined in the B machines, which will supply inputs in 
the hardware implementation.
6.0.1. A Refined B M achine
A refinement of the B machine introduced in Section 4.1 in Figure 4.1 is given in Figure 6.2. 
This refinement produces a subset of the refinement POs defined in [Abr96] and [SchOl]. 
The MACHINE key word is replaced with REFINEMENT, but the machine that is refined 
is given in the REFINES  clause. New variables, invariant and initialisations are added. 
The invariant property J  plays a key role in defining the correctness of the refinement. It 
introduces a predicate that relates the state of the machine and the state of the refinement. 
The refinement proof obligations considered in this thesis are detailed in definition 87. The 
first PO (PO 1) states that:
the transitions of the refined initialisation T' establishes 
that it is not the case that the transitions of the machine 
initialisation T  do not establish the gluing invariant J.
In short PO 1 means that for every refined initialisation that establishes the linking invariant 
there is a machine initialisation that establishes it. PO 2 is similar but it is the bodies that are 
used to establish the state, with the addition that the outputs of the machine operation and the 
refined operation are the same each time. Hence PO 2 states that for every refined operation 
transition that establishes the linking invariant there is a machine operation transition that 
establishes it.
The examples used in this chapter have straight forward refinement relations so the refinement 
PO are discharge automatically by the development tool.
Definition 87 (Refinem ent P roof O bligations).
PO 1 [T']-^[T]-nJ
PO 2 /  A J  A P  ^  [^'[yi/yi]]~'[F]~'{J A out' = out)
J u ly  6 , 200 8  1 3 1
Chapter 6 . Translating and Refining Annotations
REFINEMENT R  
REFINES M  
VARIABLES V'  
INVARIANT J  
INITIALISATION T' 
OPERATIONS
y [^ O Pi {v ue i )  = {P\ \B‘i)
END
Figure 6.2.: A B Refinement with Operations and I/O .
The refinement proof obligations in definition 87 formally connects the machine and refine­
ment specifications.
6.1. The INTERLEAVED NEXT Annotation
Data processing routines in some instances are able to process several objects in parallel to 
increase throughput. The applications that have independent objects that do not rely on each 
other in anyway are the easiest to apply parallel execution to. The target implementation 
language that is introduced later in this chapter allows parallel execution of independent 
objects. Hence the aim of future work is to introduce several annotations that extend the 
capabilities of B an permit parallel execution where it is safe. In this chapter a intermediate 
step to full parallel execution is taken: interleaved execution. The proof obligations that 
are introduced in this chapter are strong enough to support parallel execution. However, 
opting for interleaved behaviour means that synchronised action is not factored into the 
proof obligations.
Operations can be annotated to indicate interleaved execution with the INTERLEAVED NEXT 
annotation. Two or more operations are introduced (only two illustrated in definition 88). 
It would be possible to extend the annotation to introduce sets of operations in place of the 
single operations. Then any one of the operations from a set could be run in parallel with the 
operations from any of the other sets. This idea is returned to briefly in the tables discussing 
translations and refinements. Interleaved behaviour is not supported from the initialisation 
by annotations. There is no technical reason why this can not be added in future work, but 
for now no PO for this is given. The first PO given is for interleaved behaviour after the 
current operation OP,-. The previous work on next invariants is not used in this chapter for 
brevity. However, there is no practical reason why they can not be added. To include the 
NEXT INVARIANTS the PO must be extended as in chapter 4.
1 3 2  J uly  6 , 2 008
6.1. The INTERLEAVED NEXT Annotation
6.1.1. INTERLEAVED N EX T Proof Obligations
D efin ition  8 8  (P ro o f O bligations o f in t e r l e a v e d  n e x t ) .  The a n n o ta t io n  an d  PO are 
g iven  as follow s:
Vi Ovi {v i ,  6i) =  PRE Pi  THEN Bi  END
/* OPJ INTERLEAVED NEXT */ ;
The following PO arises:
(/ A Pi =4> {Ta b  a [B*](Pji[V/%]))) A ... A
(/ A Pi ^  { T a b  A [Bi](Pj„[V/u.v/J))) A
(Vœ,t/ e  OPJ ‘ X ^  y ^  (variable-used(x) n  variable-used(y) =  {})) A
(Væ,y G OPJ ' {next{x) = next{y)))
where
Vj =  •••) Vjg are free in Bi, where Tab  is defined in Figure 4.1, page 76
The interleaved annotation offers the option to execute two or more operations interleaved 
after the current operation, provided they do not set or read any variables in common. The 
proof obligation ensures that all the operations in the annotations are enabled after the current 
operation. To avoid interleaved execution continuing on after the stated next interleaved 
action each operation that can be interleaved must have the same next annotation (as stated 
in the PO). It ensures that a specific target operation is enabled after every branch of the 
interleaved execution has completed. In future work the full version of the annotation can 
be used which uses sets of next operations instead of individual next operations. Refinement
reduces the set of possible alternative operations (possibly to the one). The form of this
annotation is given in definition 89. The PO must take account of the other operations in 
the set, but the details of the PO are not given.
D efin ition  89 (T he IN T E R L E A V E D  N E X T  a n n o ta tio n  over se ts).
yi i—  Opi{v i)  =  PRE Pi  THEN Bi END
/* OPJ OPK INTERLEAVED NEXT */ ;
In the proof work to show that annotation-controller consistent machine-controller pairs do 
not diverge, lemma 14 is helpful. Because showing that the operations that the machines 
use do not overlap, in terms of state, which means that the operations are independent. In 
undertaking the proofs to establish the lemma it was shown that preconditions can not be 
used within the bodies of preconditioned operators.
J uly  6 , 2008 i33
Chapter 6 . Translating and Refining Annotations
6.1.2. S ta te  Independent O perations Have Disjoint Executions
Lemma 14 (Operations that do not m odify each other’s state  are disjoint).
Væ, y € OPERATION ■ {variable — used{x) n  
variable — used{y) — {})
(Pa; A P y  A  I  \ B x \ P y )
The proof of lemma 14 is derived of the substitutions in AMN:
1 variabIe-used({C?Pa;}) n Initial assumption
variable-used({Opy}) =  {}
2 Px A  Py A l  Initial assumption
Case A: Bx — [a := E\
3 a ^ variable-used(Py) by 1 and Case A
4 Py by 2
5 [a := E]Py by 3 and 4
6 [Bx]Py 5 and case A
7 Px A  Py A  I  [Bx]Py 6 and 2
QED
Case B: Bx = [skip]
S Py  by 2
9 [skip]Py 8 and def. wp of skip
10 [^x]Py 9 and case B
11 Px A  Py A  I  ^  \Bx\Py 10 and 2
QED
1 3 4  J u ly  6 , 200 8
6.1. The INTERLEAVED NEXT Annotation
Case G: P,, =
12 Px A Py A I  => [S]Py Inductive hypothesis
13 Px A Py A I  ^  [T]Py Inductive hypothesis
14 P x A P y A l = ^  [5]Py A [T]Py by 12 and 13
15 Px A Py A I  => [aS'O T]Py 14 and def. wp
QED
Case D: Bx = [Q = >  5*]
16 Px A Py A I  => [6']Py Inductive hypothesis
17 Px A Py A I  => (-' Q V [iS']Py) by 14 and def. of V
18 Px A Py A I  {Q ^  ['5'æ]Fy) by 15 and def. =>
19 Px A Py A I  ([Q S]Py) 16 and def. wp
QED
Case E: Bx = [IF Q THEN S ELSE U END]
20 Px A Py A I  => [S]Py Inductive hypothesis
21 Px A Py A I  [U]Py Inductive hypothesis
22 Pg A Py A 7 => (-1Q V [6"]Py) by 20 and def. V
23 Px A Py A I  {Q y  [C/]Py) by 21 and def. V
24 P x A P y A l ^  {{Q => [S]Py) A (-.<3 => [(7]Py)) by 22 and 23
25 P x A P y A l = ^  {[IF Q THEN S ELSE U END]Py) by def. of GSL.
QED
J u ly  6 , 2 008  1 3 5
Chapter 6 . Translating and Refining Annotations
Case F: — [ANY z where z £ Z THEN S END]
26 Px A Py A I  [6"]Py Inductive hypothesis
27 V z • z € Z  {Px A Py  A I  [S]Py)  by 26 and Generalisation of S
28 Px A Py A I  => {y z E Z (['S'j-Py)) by 27 and by x free
in Px, Py, and I
29 Px A Py A I  => by 28 and def. of ANY
[ANY z where z E Z THEN S END]
QED
6.1.3. The FROM INTERLEAVED A nnotation
The PROM INTERLEAVED annotations is added to allow backward reasoning to the operation 
that started the interleaving. In this chapter the FROM INTERLEAVING may not refer back to 
the initialisation. It may not follow the INITIALISATION.
Definition 90 (The f r o m  i n t e r l e a v i n g  A nnotation and P roof O bligation).
yj i—  Opj{vj) = PR E  Pj THEN Bj END
/*FROM INTERLEAVED{OP i}{VjY /-,
The following PO arises:
( I  A P i  =» (Tab  a  [ B i ] ( P j [ V j l v j ] ) ) )  
where Tab is defined in Figure 4.1, page 76.
The FROM INTERLEAVED annotation can be used in the same operation as the NEXT anno­
tation, but not with FROM -ANY, PROM-SET or PROM -ANY-INIT. Disallowing PROM INTER­
LEAVING being used with interrupting annotations prevents any confusion arising from not 
knowing if the current operation was enabled by an interrupting annotated operation or an 
interleaved operation. The FROM INTERLEAVED annotation identifies which operation the 
current operation can be invoked from as part of an interleaving. It also identifies the input 
variable list {Vj) used with the invocation.
6.1.4. The SEQUENCE n e x t  A nnotation
In previous chapters annotation reasoning has been limited to adjacent operations. There are 
cases when this reasoning needs to be extended over a sequence of operations. For example
1 3 6  J u ly  6 , 2 008
6.1. The INTERLEAVED NEXT Annotation
there may be a requirement to execute a specific sequence of operations once the first operation 
has started. The SEQUENCE NEXT annotation is used in this chapter to introduce refinements. 
Under refinement one operation can be replaced by a sequence of operations. To maintain any 
annotation relationships that existed before the refinement the new sequence of instructions 
must maintain a single continuous flow of enabled operations from beginning to end. The 
initialisation cannot be annotated with SEQUENCE NEXT annotations, because it is not allowed 
in this chapter for INITIALISATIONS to be control refined. The definition of the annotation 
and its PCs has been restricted to a sequence of single operations rather than a sets of 
operations. The arrangement of sets of operations is useful when refinement can be used to 
reduce the sets. This situation is alluded to in the tables that follow.
D efinition 91 (P roof Obligations of SEQ U EN C E N E X T ).
Vi <r— Opiivi) = PR E  Pi THEN B,- END
/* { Opj, ... , Opk } SEQUENCE NEXT */ ;
The following PO arises:
(/ A Pi  { T a b A [B i ] {P j [ V /v j ] ) ) ) A
{ I A Pj A =4» { T a b a [Bj](Pj+i[P/uj+i]))) A ... A
{ I A Pft- 2  A => { T a b A [Bfc_2](Pit-i[U/u^ -i]))) A
(7 A Pjfc-i A => { T a b a [B&-i](P&[I'/%])))
where T a b  is defined in Figure 4.1, page 76
The SEQUENCE NEXT annotation is conceptually different from the NEXT annotation, because 
it captmes specific paths of executions that must exist in the controller. The current operation 
Opi must enable the operation Opj{v j ) , and in turn that operation must enable Opjj^i{vj+\) ,  
etc.
D efinition 92 (INTERLEAVED NEXT A nnotation Listing).
next — interleaved{pi i—  OPi{v i ) / * O P J  I N T E R L E A V E D  N E X T  * /; ) =
{  oPji ■ Vji *%!>•••> P^jn • y in ' %  }
where reference is mad e  to Figure 4:.l, page 7Q
Definition 93 ( f r o m  i n t e r l e a v e d  A nnotation Listing).
interleaved — from{yi — OPi{vi) /  * OPJ FROM INTERLEAVED  * / ;  ) =
{  ^ P j l  •  V j l  •  > "  •  I ^ P jn  ' V jn  •  }
where reference is made to Figure 4:.!
J u ly  6 , 2 0 0 8  i3 7
Chapter 6 . Translating and Refining Annotations
6.1.5. A Simple Controller Language
Together all the annotations in a machine specify the controller design requirements/constraints. 
The CSP controller represents a refined view of the annotated B system.
To support translation a distinction is needed between operations that respond to external 
commands and those that are driven internally. A development will begin with a description 
of a number of operations: things that the system must do when commanded. During the 
development refinements will introduce internal operations. We distinguish between external
and internal operations by marking the external operations with /  * ext * /  annotations, which
are discussed in more detail in the refinement and translation section 6.3.
Definition 94 details the CSP subset of control fragments used in this chapter: event prefix, 
choice, interleaving, if-then-else, and recursion control.
D efin ition  94 (C on tro lle r S yn tax  w ith  in terleav ing ).
R  ::= □ a\ylv  -> R{v) j
R U R  I 
R / \ R  I 
R A x  R I 
P  A V  B  I
if y then R else S  |
(  I I I  O  aihajvai  - 4  skip)]R I i=i y
In this chapter the CSP controller is a different view of the annotated B specification. A 
more complex arrangement arises if the CSP controller is permitted to carry around local 
state. The simplified view is pictorially represented in Figure 6.1, page 130. An annotated 
B machine output is the same as a CSP controller output. In definition 94 the channel a, in 
the controller fragment Oy a\y7v —> R, is an operation name with a choice over all possible 
outputs y (from the controller’s point of view, if a is called then any output y within the 
bounds of y’s type should be allowed). The outputs are fresh and modelled as a distributed 
external choice ranging over the type given in the B (the type is not always given in the 
controller definition). The channel has an input vector v. To accommodate analysis, finite 
types are used in the CSP. The same restriction does not exist in the B. Hence the CSP 
representation of the B operation may not be a true representation in terms of input and 
output ranges. The interleave operator executes the two or more processes concurrently that 
do not synchronise on any events. The remaining operators are described in definition 82, 
page 112. In a controller definition, all process variables used are bound by some recursive 
definition.
A major constraint is enforced on the way controllers can be written, which facilitates trans­
lations, but turns out not to be so troublesome as it first appears. Definition 95 gives the 
constrained arrangement. Controllers must start with an initial loop (R l), then enter a main
1 3 8  J u ly  6 , 2 008
6.1. The INTERLEAVED NEXT Annotation
loop {S = R2). A controller CTRL has a definition, Rl,  given in definition process variables 
are the same, S. The definition of 5 is i?2 which is given in definition 94. The only recursive 
calls allowed are to S.
D efin ition  95 (C on tro lle r S yn tax  w ith  I /O ) .
CTRL = R l  
S = R2
where R l  and R2 are terms from definition 94 and 
S is the only recursive variable allowed and 
R2 is guarded as defined in definition 98
The results presented in this chapter require that all recursive definitions are guarded, which 
means that at least one event must occur before a recursive call. The meaning of consistency 
between the controller and the annotations is given in terms of the init functions. The init 
function returns a set of operations available next and is developed in definition 96.
D efin ition  96 {init for C SP  C o n tro lle r P ro cess  F ragm en ts w ith  In te rleav in g ).
init { 0  a\y7v -> R l)
init{Rl  □ R2) 
inU{Rl A R2) 
init{Rl A x  R2) 
init{Rl  A5f R2)
init{{ 111 p  ->■ skip)', R)1=1 y
init {if y then R l  else R2) 
init{S{p))
An action prefix must appear with output on the left. In the first case of the init definition 96 
the head of the control fragment is extracted. The outputs and inputs of the action are the 
same as the outputs and inputs of the B operation. The init of a prefixed action is the action. 
The init of a choice between two processes is the union of the init of the individual processes. 
The init of the interleaving is empty. The initial actions of interleaved control fragments 
is obtained using the init — par. Annotations clearly show an ordering of operations: an 
initial operation and a set of next operations. The guard function is defined in definition 84. 
Prefixed operations are guarded. A fragment with an external choice separating the two 
processes is prefixed if the individual processes are guarded. Similarly with the if-then-else. 
The parameterised process variable is not guarded, whereas the recursive definition is guarded 
if the body is guarded.
In this chapter the requirement for a special init operation, init — par, arise as a result of the 
need to ensure that an action prefix to an interleaving is correctly annotated.
J u ly  6 , 2 0 0 8  1 3 9
{a.y.v}
init{Rl) U init{R2)
init{Rl) U init{R2)
init{Rl)
init{Rl) U init{R2)
{}
init{Rl) U init{R2)
init{R{p))
Chapter 6 . Translating and Refining Annotations
D efin ition  97 {init for C SP C on tro ller P ro cess  F ragm en ts w ith  In te rleav in g ).
init — par{U a\y7v -4 R l)  =  {}
init — par{Rl □ R2) = init — par{Rl) U init — par{R2)
init — par{R\ A  R2) — init — par {Rl)  U init — par {R2)
init — par{Rl A x  R2) =  init — par{Rl)
init — par{Rl R2) = init — par{Rl) U init — par{R2)
n
in i t -p a r { {  ||| □ atîÿa.-îi^a,-^  skip)\R) = {ai \ i = l...n} t=i y
init — par{if y then R l else R2) =  init — par{Rl) U init — par{R2) 
init — par {S{p)) = init — par {R{p))
D efin ition  98 {guarded on  C SP C on tro ller P ro cess  w ith  In te rleav ing ).
guarded{E^ a\ylv  —> BI) =  true
guarded{Rl □ R2) =  guarded{Rl) A guarded{R2)
guarded{Rl A  R2) =  guarded{Rl) A guarded{R2)
guarded{Rl A x  B2) =  guarded{Rl) A guarded{R2)
guarded{Rl A ^  R2) =  guarded{Rl) A guarded{R2)
nguarded{{ ||| ^  skip)\R) =  true1=1 y
guarded{if true then R l  else R2) = guarded{Rl) A guarded{R2) 
guarded{if false then R l  else R2) =  guarded{Rl) A guarded{R2) 
guarded{S{p)) = false 
guarded{S{p) = R{p)) =  true if guarded{R{p)) =  true
6.2. Annotation Consistency with Interleaving
Annotation consistency between a guarded controller and the annotated B machine is broken 
down into annotation consistency (definition 99) and step-consistency (definition 100).
D efin ition  99 (A n n o ta tio n  C onsistency  w ith  In te rleav in g ). The annotation consis­
tency of the controller fragment R  is defined as follows:
1. a\y1v —> R
is annotation consistent with Machine M  iî aly7v R is initially consistent and 
a\y7v —> R is step-consistent with M
a\y7v -4 B is initially-consistent if alylv  € next{INITIALISATION)
1 4 0  J u ly  6 , 2 008
6 .2 . Annotation Consistency with Interleaving
2. B I □ B2
is annotation consistent with Machine M if B I and B2 are annotation consistent with 
M.
3. B I A B2
is annotation consistent with Machine M  if B I is annotation consistent and 
y  op E init{R2) • from — any {op) =  true and B2 is step-consistent with M
4. BI A x B2
is annotation consistent with Machine M if BI annotation consistent with M  and 
if V op E init{R2) • X  Ç from — set{op), and B2 is step-consistent with M
5. BI A ^  B2
is annotation consistent with Machine M if B I is annotation consistent with M  and 
if V op E init{R2) • X  Ç from^set-i{op), and B2 is step-consistent with M
6. if  b then B I else R2
is annotation consistent with Machine M  if it is step-consistent
7. ( IIISLi^y ailyajva; -4- skip)] R
is annotation consistent with Machine M  if it is step-consistent
8. S { p )
is annotation consistent with Machine M
A family of recursive definitions S{p) =  R{p) is annotation consistent with M ’s an­
notations if each R{p) is annotation consistent with M ’s annotations.
An initialisation can not have an output which rules out the use of an if  — then — else 
annotation on the initialisation. The interleaving operator given in definition 100 is generic. 
The examples are restricted to two interleaved operations to demonstrate the principle.
D efin ition  100 (S tep -C onsistency  w ith  in terleav ing ). The step-consistency of the con­
troller fragment B is defined as follows:
J u ly  6 , 200 8  14 1
Chapter 6 . Translating and Refining Annotations
1. Oy a\y7v -> R
is step-consistent with Machine M if (V 6 € init{R) • h € next{y i—  a(u))) or 
(V 6 G init — par{R) • b G next — interleaved{y <—  a(u))), and R  is step-consistent 
with M.
2. B I □ B2
is step-consistent with Machine M  if BI and B2 are step-consistent with M.
3. BI A B2
is step-consistent with Machine M if BI is step-consistent with M  and 
y  x E init{R2) • from — any — op{yx <—  æ(%)) =  true and B2 is step-consistent
4. BI A x  B2
is step-consistent with Machine M if B I is step-consistent with M  and
V 6 G init{R2) • X  Ç from — set — op{yb <—  biv^)), and B2 is step-consistent with M
5. BI A ^  B2
is step-consistent with Machine M if B I is step-consistent with M  and
V 6 G init{R2) • X  Ç from — set — init — op{yb <—  b{vb)) and B2 is step-consistent 
with M
6. if  y then BI else R2
is step-consistent with Machine M  iî y E BOOL or E N  and BI and B2 are 
step-consistent with M  and
y  b E init (BI) ^  b E condition-true{a\y7v) and
V c E init (B2) => c E condition-false{a\ylv)
7. ( | | | ”= i° y  ^  skip)\R
is step-consistent with Machine M  if 
3 u ■ V X : l ..n  ' V =  from — interleaved{ax) and
142 J u ly  6 , 2008
6.2. Annotation Consistency with Interleaving
y  op E {&!,..., An} * init{R) Ç next{op) and R  is step-consistent with M
8. S{p) is step-consistent with Machine M
A family of recursive definitions S = R is step-consistent with M ’s annotations if each 
R is step-consistent with M ’s annotations.
The interleaving operator can only be shown to be consistent in a very limited sense. Actions 
are allowed to occur interleaved provided they do not attempt to change the variables used 
by the other actions.
We re-cap on the main proof in this thesis which is that if R is annotation consistent with 
the annotations of a machine M, and the annotations of M are consistent with machine M, 
then operations of M called in accordance with the control flow of R will never be called 
outside their preconditions. The key feature of the proof of this main result is an argument 
that no trace of R leads to an operation of M called outside its precondition or guard. This is 
established by building up the traces of R  and showing that at each step an operation called 
outside its precondition cannot be introduced, by appealing to the relevant annotation and 
applying its proof obligation. The benefit of this result is that the details of the operations of 
M are required only for checking the consistency of the annotations, and are not considered 
directly in conjunction with the controller. The annotations are then checked against the 
controller using the definition of consistency above. This enables a separation of concerns, 
treating the annotations as an abstraction of the B machine.
6.2.1. Proving Term ination of Controlled Machines with interleaved next
The proofs in this section establish that it is enough to demonstrate annotation-consistency 
(given machine-annotation consistency) to show that the every step of the machine-controller 
pair terminates, which implies non-divergence: every operation is called within its precondi­
tion. The proofs in this section extend section 5.6 by introducing new proofs for machines 
with interleaved next annotations and controllers with interleaved operations.
The proof of theorem 5, page 116 , is repeated with interleaving in the controller language to 
show that only good traces are produced by M-^CTRIj. Hence M || M -G TR L  is divergence 
free. The length of the traces are reasoned over in the proof.
The theorem for controllers for NEXT INTERLEAVED is restated:
T h eo rem  6 (next interleaved A n n o ta te d  C onsisten t C o n tro lle r a re  D ivergence 
F ree). I f  a NEXT INTERLEAVED annotated B Machine M is consistent with a controller 
M ^C TR L then M \\M -CTRL is divergent free. The inductive hypothesis is that any sub-trace 
of M -G TR L  is good.
When the trace is initially-consistent:
J u ly  6 , 2008 ^43
Chapter 6 . Translating and Refining Annotations
Case (A) () The empty trace
E n tire ly  sim ilar to  th e  p ro o f of 
th eo re m  1, page 30, C ase A
Case (B) {a.y.v) G traces{M-CRTL) The singleton trace
No new annotation added for INITIALISATION.
E n tire ly  sim ilar to  th e  p ro o f of
th eo rem  5, C ase B . Case (C) When the trace is step-consistent:
(tr) ^  {a.ya-Va, b.yt-Vi,) € traces{M-CRTL) where tr G traces{M-CRTL)
1 4 4  J u ly  6 , 2 008
6.2. Annotation Consistency with Interleaving
1 t r ^  {a-Va-Va) is good by inductive hypothesis
There are 3 major cases C l - C3
(Cl) The case of the existing PO structure -
b.yt.Vb e next{ya i—  a{va)) V
from -  any -  op{yb i—  b{vb)) V
a^Va-Va E from -  set -  op{yb <—  6(u(,))V
a.pa^Va G from -  set -  init -  op{yb i—  b{vb)) V 
{condition{ya <—  a{va))A
h.yb.Vb G condition-true{ya <—  «(fg))) V 
{-^condition{ya <—  a{va))A
b.yb'Vb E condi t ion- fal se{ya <—  «(ug))) V 
{b.yb’Vb E next — in ter leaved{a ,y . v)  A 
a.yo.Ug G f rom — interleaved{b.yb.Vb))
V
(C2) Two interleaved operations
(3 % ' (V % G { ti,...,tn,a.ya.Va,b.yb.Vb}
' {v G f ro m — inter îeaved{x)  
t r  ^  ( a.ya^Va, b.yb.Vb ) =
{ tro^  { v )  ^  {ti , . . , , tn )  ^  { a.ya.Va, b.yb.Vb))))) consistency rules
V
(C3) At the end of interleaving
(3 % ' (V % G { ti,...,tn,a.ya.Va}
• {v E from — interleaved {x) A 
b G next{X) =>
{tr ^  { a.y^.Va, b.yb.Vb ) =
tr o ^  { v )  ^  ( il,..., in) ^  ( a.ya.Va, b.yb.Vb ))))) consistency rules
There are three cases to consider to complete this proof. The annotations that are associated 
with the Pa A I  => [Ba]Pb PO are dealt with first in proof section case C l. They include 
the NEXT, FROM, NEXT INTERLEAVED and FROM INTERLEAVED. The NEXT INTERLEAVED 
and FROM interleaved are associated and are used to mark the beginning of a interleaved 
sequence. The second case is concerned with the situation when an interleaving is underway, 
which is the case in which two consecutive operations are are interleaved. (In case C2 both 
operations will be annotated with FROM INTERLEAVED.) Finally there is the case when the 
final operation of an interleaving has occurred, C3. In case C3, a.ya.Va is the final interleaved 
operation and h.yb.Vb is the operation (which has been removed from the set of interleaved 
operations previously given in C2) that can follow any of the interleaved operations, be­
cause each interleave operation enables it (weak annotation interleaving). The parameters
J u ly  6 , 2 0 0 8  1 4 5
Chapter 6 . Translating and Refining Annotations
are dropped, in all case but the conditional case, because machine-annotation consistency 
ensures that they are type consistent. The parameters are left in for the conditional cases 
because the output is used to decide on the exact case.
Case C l, NEXT, f r o m , n e x t  INTERLEAVED an d  FROM INTERLEAVED a t th e  Start leaving:
2 b e  nex t{a) V
f rom — any — op{b) V 
a e  f rom -  se t — op{b)S/  
a e  f rom — set  — ini t — op{h) V 
{condit ion{ya <—  Q'{va,ea))A 
b e  cond i t ion- t rue{ya i—  o(uoi ^ a))) V 
{->condition{ya <—  a{va, Ca)) A 
b E condi t ion- fal se{ya <—  eg))) V
( 6 E next — interleaved{a) A 
a E f rom — interleaved{b))
E n tire ly  sim ilar to  th e  p ro o f of th eo rem  5, page 116,
Case (C ), from  line 2, rep lacing  references to  lem m a 6, page 60 w ith  
lem m a 17, page 150
Case C2, interleaved elements
3 3 z ' (V æ E { t i , . . . , t n , a , b }  =>
{z  E f rom — interleaved{x) A
t r  '  ^ { a, b ) =
t r o ^  { z )  ( (i,..., tn) { a, b )))
4 [init] tro] z ] true by Case C2 and inductive hypothesis
5 3 z  ' {y X E { <1 ,..., a, 6} =>
{z  E f rom — inter leaved{x))) by 3 and Case C2
6 t ro'^ { z  ) is good by 4
7 tro { z  ) ^  { t\,..., tn )'~  ^ { a, b ) is good by lemma 15 (below), 5 and 6
146 J uly  6 , 2008
6.2. Annotation Consistency with Interleaving
Case 3, interleaving completed
8 3 V ’ {y X E { a.ya.Va}
• V E f r om — inter leaved{x) A
h E next {x )
{ tr  ^  ( a.ya.Va, h.y^.Vb ) = 
iro ^  { v )  ^ ( t i , . . . ,  tn) ^
{  a4lü‘Va, b.yb.Vb )) )
9 [init] tro', z ] true by Case C3 and inductive hypothesis
10 3 z  > {y X E { ti,...,tn , a.ya.Va] =>-
{z  E f r om  — inter leaved{x) ) by Case C3
11 y  y  E {  ti,...,tn, a.ya.Va} '
{b.ya.Va G nex t {y ) ) by Case C3
12 tro'^ { z  ) is good by 9
13 tro { z  )'~  ^{ k , ..., tn by lemma 16 (below), 10, 11 and 12
( a.ya.Va, b.yb.Vb ) is good
Next-par Annotation Lemma
L em m a 15 (C onsecu tive ac tions refe renced  by a  com m on n e x t-p a r  a re  good). Two
actions or more in a sequence of actions that all have a common from-par root will terminate:
3 z ' {{ t i , ..., tn, a, b} Ç next — interleaved{z) ) A 
tro'^ { z ) is good
t r o ^  { z )  ^  { t i , . . . , t n , a , b )  is good
The proof of lemma 15 is developed by constructing a good trace from the action that has 
the INTERLEAVED NEXT annotation. ,
J u ly  6 , 2008 i47
Chapter 6 . Translating and Refining Annotations
1 t r o ^  { z ) is good
2 3 z > { a, b)
Ç next — interleaved{z))
3 V x , ÿ  G next — par{z) ' X ^  y
Px A Py A I  => [Bx]Py
4 V ; G { t i , . . . , t n , a , b  } ■
{P, A I  ^  m { P j ) )
5 [init] tro] {Ps I Bz)]true
6 [init] tro]{Pz A [Bz]true)
7 [init] tro]I
8 [init] tro]{Pz A I)
N e w  g o a l:  t r o ^  { z ) ( )
{ a, b )  is good
(Base case)
9
10 
11 
12
13
14
15
16
17
18
19
20 
21 
22
23
24
init
init
init
init
init
init
init
fro](Bz [^ z ]B a )
tro] {Pz  I  Bz)]Pa
tro]{[Bz]Pb)
troMPz A [Bz]Pb)
tro
tro
init] tro 
init] tro
init] tro
init] tro
init] tro
init] tro
init] tro
init] tro
init] tro
(Pz
(Pz
{Pz
{Pz
{Pz
{Pz
{Pz
{Pz
{Pz
{Pz
{Pz
B,)]Pb
Bz)] {Pa A Pb A I)
BMBa]Pb  
B, ) ] { Pa  A  [Ba]Pb)
Bz)]  {Pa  I Ba)]Pb
B, ) ]  {Pa  
B, ) ]  {Pa  
Bz)\  {Pa 
Bz)\  {Pa 
Bz)]  {Pa  
Bz)\
Ba) ] I  
Ba) ] I  A  Pb 
Ba)][Bb]I  
Ba)]{Pb  A [Bb]I)  
Ba)', {Pb  I Bb)]I
• • • ;  {Pa  I  Ba)] {Pb I  Bb)]true
initial assumption 
initial assumption 
by PO 88
by PO 88 ignoring parameters 
and by 3 
by 1
by def. of pre and 5 
by consistency of machine and 1 
by 6 and 7
Proof by induction is good 
on the length of traces.
by 4 and 8 
by 8 and 9
by 10 and def. of pre 
by 4 and 8 
by 6 and 12 
by 13 and def. of pre 
by 7, 11 and 14
by 3 and 15 
by 11 and 16
by 17 and def. pre
by machine consistency
by 18 and 19
by 20 and machine consistency 
by 18, 21 and machine consistency 
by 22 and def. pre
by 23 and machine consistency 
In d u c tio n  base case
1 4 8 J u ly  6 , 2 008
6 .2 , Annotation Consistency with Interleaving
New goal i tro ^  ( z ) ^  ( i i , ..., ijt) ^  {a , b )  is good 
Inductive case
25
26
27
28
[init; tro; {Pz I B^ ); {Pt  ^ |
• • • ' )  {Bth I A  Pb
[init; tro; {Pz I Bz); {Ptx |• • • i  {Pik I Btf^ )]I
[ m i ;  tro] {Pz | Bz); {Pt  ^ | B * J ;  
{ P t , \ B t , ) ] { l A P a  A P b )
[init; tro; {Pz \ Bz); {Pti | B f J ;
. . . ;  {Pt, I B ,^)]([Ba]n)
E n tire ly  s im ilar to  lines 17-24 above
by consistency of 
interleaving actions 100
by machine consistency
by 25 and 26
from new goal 
by 27 and lemma 14
QED
From interleaved Annotation Lemma
L em m a 16 (T races w ith  C onsecu tive  A ctions w ith  O verlapp ing  F rom  In te rleav ed  
A n n o ta tio n s  a re  good). Two actions in a sequence of actions that :
3 u - (V X € { ti,..., in?»} • E from — interleaved{x) A b e  next{y) => 
{tr { a, b ) = tro ^  { V ) ^  { ti, - ,  tn,a) ^  {b  )))
The proof of lemma 16 is developed by constructing a good trace from the action that has 
the INTERLEAVED NEXT annotation.
J u ly  6 , 2 0 0 8 149
Chapter 6 . Translating and Refining Annotations
1 3 u • (V X G { i i , tn, a) •
V G from — interleaved{x) =>(V y G { A
b G next{y)))
2  [ î T t t i ,  ( B f c i  I Bkii  •••
; (P,„ I B,)]Pa
3 P„A/=»[Ba](P6)
4 [tmi; (Pf, | ...
; (f&m I
5 [imi; ...; (P(, | Bf^ ; ...
6 [imi; ...; (Pf, | Bf^ ; ...
; (P&m I
E n tire ly  sim ilar to  lines 17-24, lem m a 15
Initial assumption
where ki to k„ are drawn 
from t i  to tn line 1.
by 1 and pod of next
by 2 and machine consistency
by 3 and 4
by 3 and 5
QED
Arbitrary Traces are Enabled by Annotations
Lem ma 17 (Arbitrary Length Traces o f A nnotation C onsistent Interleaved Con­
trollers are Enabled by A nnotations). The actions of arbitrary length traces of annotation- 
controller consistent controllers that include interleaved operators are enabled by annotations:
R annotation consistent A ir  (a) (6) G traces{R) =>
b G next(a) V
from — any — op(b) V
a G from — set — op(b) V
a G from — set — init — op{b) V
{condition{ya <—  »(t^ o)) A
b G condition-true{ya <—  »(^ a))) V
{-^condition{ya <—  a(va)) A
b G condition-false{ya <—  a(va))) V
{b G next — interleaved{a) A
a G from — interleaved{b) )
150 J uly 6 , 2008
6.2. Annotation Consistency with Interleaving
Proof of Lemma 17 is as follows (dropping,arguments for non-conditional operators): 
Cases of controllers:
case A  c -y R
1 c R step-consistent with M  initial assumption
sub-case: tr =  ()
2 t r ' ^  {a) ^  {b) e  traces{c -4 R) initial assumption
3 (a) ^  (6) e traces{c - 4  B) tr = {)
4 a = c and (6) € traces{R) def. of traces
Either init-par =  {} (an interleaved operator) or init =  {} (a non-interleaved operator)
sub-sub-case init-par (R) =  {}
5 b e  init{R) by 4, lemma 6, page 60
6 b e  next{c) by 1, and 5
7 b e  next(a) by 6, and 4
8 b e  next(a) V
from — any{b) V
a e from — set{b) V
a e  from — set — init{b)
{condition{ya <—  a{va)) A 
h e conditio7i-true{ya 4— »(ua))) V 
{-\condition{ya <—  a(va)) A 
b e  conditio7i-false(ya <—  »(t^o))) V 
(6 e next — interleaved(a) A
a e from — interleaved{h))
QED
J u ly  6, 2 0 0 8  1 5 1
Chapter 6 . Translating and Refining Annotations
sub-sub-case init(R) =  {}
9 b e  init — interleaved(R) 4, lemma 18 below
10 b e  next — interleaved{c) by 1 and 9
11 b e  next — interleaved {a) by 10 and 4
12 b e  next{a) V
from -  any{b) V
a e from — set{h) V
a e from — set — init{b)
{condition{ya e— a{va)) A 
b e condition-true{ya i—  a(%))) V 
(~iCondition{ya <—  o,{va)) A 
b e condition-false{ya <—  »(^o))) V 
(b e next — interleaved{a) A
a e from — interleaved(b))
ÇED
sub-case: tr ^  ()
13 tr {a) ^  {b) e traces{c —> R) initial assumption
14 let tr = {e) tr'
15 (e) tr' {a) (b) e traces{c —> B) initial assumption
16 e = c A tr' (a) ^  (6) € traces{R) 15, def. traces
17 tr' ^  {a) ^  (6) e  traces(R) by 16
18 b e  next{a) V by inductive hypothesis on R
from — any{b) V
a e from — set{b) V
a e from — set — init{b) V
{condition{ya <—  o(%)) A
b e condition-true{ya <—  »(^a))) V
{->condition{ya <—  »(uo)) A
b e condition-false{ya i—  »(^a))) V
(6 e  next — interleaved{a) A
a e from — interleaved{b))
QED
1 5 2  J u ly  6 , 2 0 0 8
6.2. Annotation Consistency with Interleaving
case B R l  O R2
E ntirely sim ilar to the proof o f  
Lem m a 5, page 55, case B .
Substituting for the inductive hypothesis on lines 6 and 7 of the proof of lemma 5 with 
the following:
b € next{a) V 
from — qny{b) V 
a G from — set{b) V 
a G from — set — init{b)
{condition{ya <—  »(t^a)) A 
b G conditio7i-true{ya <— • a,{va))) V 
{-^condition{ya <—  o,{va)) A 
b G condition-false{ya i—  a{va))) V 
{b G next — interleav.ed{a) A
a G from — interleaved{b)) V 
{b G next — interleaved {a) A
a G from — interleaved{b))
case C R l  A  R2
Entirely similar to  the proof of 
Lem m a 5, case C.
Substituting for the inductive hypothesis on lines 8, 10 and 14 as in Case B above.
case D (BI A% B2)
Entirely similar to the proof of 
Lem m a 5, case D .
Substituting for the inductive hypothesis on lines 8, 11, and 13 as in Case B above.
case E (BI A-^ B2)
Entirely similar to the proof of 
Lem m a 5, case E.
Substituting for the inductive hypothesis on lines 8, 10, 18 and 21 as in Case B above.
case F S{p)
Entirely sim ilar to  the proof o f  
Lem m a 5, case F.
Substituting for the inductive hypothesis on lines 5 as in Case B above.
J u ly  6 , 2 0 0 8  1 5 3
Chapter 6 . Translating and Refining Annotations
case G if condition then B I else B2 
1 tr ^  {a) ^  (6) G
traces{if y then R l  else B2) initial assumption
if y then R l  else B2 step-consistent with M  initial assumption
B I step-consistent with M  
B2 step-consistent with M  
case 1 y = true
5 tr' ^  (a) {b) G traces{Rl)
6 b e  next{a) V 
from — any{b) V
a e from — set{b) V 
a e from — set — init(b) 
{condition{ya <—  a(va)) A 
b e condition-true(ya <—  a(va))) V 
(~icondition(ya <—  a(va)) A 
b e condition-false(ya <—  »(^o))) V 
(b G next — interleaved(a) A
a G from -  interleaved(b))
case 2 y — false
7 tr ^  (a) (&) =  traces{R2)
8 b e  next{a) V
from — any{b) V
a e from — set{b) V
a G from — set — init{b) V
{condition{ya <— - a(ua)) A
b e condition-true{ya <—  a{va))) V
{~icondition{ya <—  o(uo))A
b e condition-false{ya <—  a{va))) V
{b G next — interleaved(a) A
a e from — interleaved{b))
2, def. step-consistency 100 
2; def. step-consistency 100
by 1 and y =  true 
by inductive hypothesis on R l
QED
by 4 and y =  false 
by inductive hypothesis on R2
QED
The case of interleaving is not included in the proof of lemma 17 as it is relevant only when
154 J uly  6 , 2008
6 .2 . Annotation Consistency with Interleaving
interleaving has started which is dealt with in cases C2 and C3, lemmas 15 and lemma 16, 
respectively.
L em m a 18 (E lem en ts o f In itia lly -C o n sis ten t S ingleton  Traces a re  in  zm t(R )). An
element of the singleton trace of controller fragment R is contained in the init of R:
{b) e  traces{R) =>• (& G init{R) V 6 G init — par{R))
case A (c - 4  B)
1 (6) G traces{c - 4  B) initial assumption
2 b = c 1, def. traces
3 init — par{c -4 B) =  {} by def 97
4 c G init{c -4  B) def. of init 96
5 b e  init{c -4  B) by 2 and 3
QED
, case B: (B10B2)
1 (5) G traces{R10R2) initial assumption
2 (b) e  traces{Rl) or
(6) G traces{R2) 1, def. trace
sub-case BI: (6) e traces{Rl)
3 init — par{Rl) = {}
4 ' (6) G traces{Rl) initial assumption
5 b e  init{Rl)  3 and inductive hypothesis
sub-case B2: As sub-case BI substituting R2 for R l
J u ly  6 , 2 0 0 8  1 5 5
Chapter 6 . Translating and Refining Annotations
case C (BI A B2)
1 (6) E traces {Rl  A B2) initial assumption
2 (6) G traces{Rl) or
(6) G traces{R2) 1, def. trace
Entirely similar to  the proof of 
Lem m a 18, case B I  and B2 above.
case D (BI A% B2)
1 (6) G traces{Rl A x  B2) initial assumption
2 (6) G traces{Rl)
Entirely similar to the proof of 
Lem m a 18, case B I  above.
case E (BI A ^  B2)
1 (6) G traces{Rl A ^  B2) initial assumption
2 (6) G traces{Rl) or
(6) G traces(B2) 1, def. trace
Entirely similar to  the proof of  
Lem m a 18, case B I  and B2 above.
case P (if y then BI else B2)
1 {b.yb.Vfj.eb) e  traces{if y then R l else R2) initial assumption
case y =  true
Entirely similar to  the proof of  
Lem m a 18, case B I  above.
case y =  false
Entirely similar to  the proof of 
Lem m a 18, case B2 above.
1 5 6  J u ly  6 , 2 008
6.3. Refinement and Translation to Handel-C
case G (||lSLi(ei -4 skip)\ R)
1 (6) E -> skip); R) initial assumption
2 b = ei or ... or b = e„
3 Vi • i G { 1, n } => 6i E init — - 4  skip)] R) def. of init 97
4 b e  init — p a r( |||”_i(ei -4 skip)] R) by 2 and 3
QED
case F (S{p))
1 (&) E traces{S{p)) initial assumption
2 (6) E traces{{R{p)) S{p) =  R{p)
3 b E init{R{p)) 2, inductive hypothesis
4 b E init{S{p)) S{p) = R{p)
6.3 . Refinem ent and Translation to  Handel-C
Refining should be considered where an otherwise cumbersome translation would result. Nar­
rowing down the choice of the next operation reduces the size of the implementation, and 
avoids the translation process making an arbitrary choice to resolve the choice in the anno­
tations. The first set of refinements, given in the table in Figure 6.3 replaces annotated sets 
with their subsets: non-determinism is reduced. Operations, like OPj, quoted in the table 
are all sets. In the tables in the figures 6.3, 6.5, 6.6 and 6.7, the B comment braces are left 
off. The annotations are in some cases extended to deal with sets of operations even though 
in general they have been defined with individual operations. Extending the annotations 
will change the way they are translated. Sometimes a choice must be made if a set is to be 
translated. A choice must be made as to which set to use in the translation. In the tables 
the environment makes the choice by selecting an option on the command bus. In the tables 
the INTERLEAVED NEXT annotation is shortened to |||, the sequence annotation is shortened 
to ; (semicolon), and the condition next annotation is shortened to <
NEXT external choice refinement reduces the non-determinism in the choices that are offered 
in the next step. The i n t e r l e a v e d  n e x t  refinement reduces the non-determinism in one 
or more branches o f  the interleaved execution. The NEXT sequential refinement reduces the 
non-determinism in  one or more sections of the sequence. The NEXT conditional refinement 
reduces choice in a similar way.
The second refinement table given in Figure 6.5 outlines some algorithmic refinements. Sets of 
J u l y  6 , 2008 157
Chapter 6 . Translating and Refining Annotations
Annotation Refinement type
1 OPi = . ..OPj N E X T OPi = ...OP'j N E X T next external choice refinement
2 OPi = . ..OPj \ \ \O P k
OPji = . . .OPx N E X T - ‘- 
OPj^ = ...OPx n e x t
OPki = ...OPx N E X T - ’ > 
OPkn = ...OPx n e x t
OPi = , OP'r 111 OP'k interleaved next refinement
3 OPi = . ..OPj ; OPp
OPj^ = ...OPp N E X T . . .  
OPj^ = ...OPp N E X T
OPi = ...OP'j ] OP'p sequential next refinement
4 OPi ~ . . .O P j  < OPp
OPj^ = ...OPp N E X T . . .  
OPj^ = ...OPp N E X T
OPi = ...OP'j < OP'p condition next refinement
where OP'j Ç O Pj and 
OP'k Ç OPk  
OP'p Ç OPp
Figure 6.3.; n e x t  Refinements - Reduction of Non-determinism.
158 J u ly  6 , 2 008
6.3. Refinement and Translation to Handel-C
operators are again used in the annotations. When two sets of operations are put in sequence 
the annotations allow one from each set to be sequenced, but any of the operations in a 
particular set are equally able to be chosen. In case 1 a new set of operations are introduced 
O P j , New operations can be introduced into Event-B in subsequent refinements. In classical 
B new operations must be, introduced beforehand as operations that implement skip. Case 
1 refines a simple NEXT operation into a sequence of detailed operations. The refinement 
sequence must end in the original operation, which signifies the end of the refinement chain.
OPi O Px
(a) Original annotated operations
O P jOPi OPx
(b) SEQUENCE NEXT refined operations
Figure 6.4.: Picturing SEQUENCE NEXT Refined Operations
In case 2, a SEQUENCE NEXT to INTERLEAVED NEXT refinement is depicted. This refinement 
is possible if the operations that makes up the sequence are independent: they neither read 
nor write to similar variables. The function V A R IA B LE  — USED is introduced. It operations 
on sets of operators instead of a set of operations like variable — used. The annotation allows 
any of the operations in any of the sets to be executed in parallel.
A translations guide for annotations is given in the table in Figure 6.6. This is a guide 
because without the knowledge of the control structure, in particular the points of recursion, a 
translation can not be automated. However, the annotations do differentiate between internal 
and external B operations, which has an impact on the final structure of the code. The CSP 
controller is required to get a full picture for translation and the table in Figure 6.18 and to 
some extent the table in Figure 6.1 illustrates how translation of the control can proceed. As 
mentioned, the translation of a particular annotated operator is dependent on whether the 
operation is an internal or external operation. Internal operations can execute immediately 
after invocation. The execution of an external operation must wait for external stimulus: a 
change in the command input bus. A wait loop is introduced to poll the appropriate input bus
until an external operation invocation is detected: wait — on — Some annotated operators
have restrictions on their I/O  mode. External operators are marked with /  * eæt * /. The 
INTERLEAVED NEXT annotation can only be associated with internal operations next. The 
SEQUENCE NEXT must have an external operator at the head of the sequence and internal
J u ly  6 , 2008 159
Chapter 6 . Translating and Refining Annotations
Annotation Refinement type
1 OPi =  . . .OPx n e x t OPi = . . .O P j]  OPx  
OPi ^ . . . O P j  n e x t ---  
OPj^ =  .. .OPx N E X T ---  
o P j ^ = .. .OPx n e x t
introduction of 
new operation 
(See Figure 6.4)
2 OPi =  . . . OP j ; O P k
OPj^ = . . . O P k  n e x t ---  
OPj^ = . . . OP k  n e x t
VARIABLE-USED(OPj )D 
VARIABLE-USED(OP/f)= {}
OPi =  . . . O P j III O P k next sequence 
to interleaved 
refinement
Figure 6.5.: NEXT Refinements - Structural Refinements.
operations following. This restriction relates to the way this annotation is used in refinement. 
The CSP controller does not differentiate between internal and external operations. Hence 
the tables in figures 6.1, 6.6, 6.7, 6.17 and 6.18 may be required to obtain a translation.
In the table in Figure 6.6 a NEXT annotation with one next operation translates to a sequence 
of two operations. If the second operation is an internal operation then it is case 1: all its 
inputs are not ported. If the second operation is an external operation (all inputs are ported) 
then case 2 is the translation template. In the second case the controller will wait until a new 
command arrives then execute the external operation if it was requested. Case 3, sequential 
arrangement of external operations, is restricted to external operations only. A translation of 
a sequence that starts with one operation then has a choice of several external operations will 
test each input set and execute the first operation for which the input has change since its last 
execution. (The new input values must be latched in.) Interleaved action is only permitted 
between internal operations (case 4): those that take their input from internal variables. The 
Handel-C par statement ensures that all the branches when complete wait until the longest 
(in terms of clock cycles) has completed. The conditional operator can be used for internal or 
external action. In the table in Figure 6.7 case 5 is the translation of the s e q u e n c e  n e x t .  In 
the previous section the SEQUENCE n e x t  was introduced to support refinement: a basic n e x t  
is refined into a sequence of SEQUENCE NEXT annotated operations. To refine an operation 
that has both inputs and outputs, into a sequence of operations the first operation of the 
sequence must input at the beginning of the sequence and the last operation must output at 
the end of the sequence. Case 5 does»not reflect this requirement because it has been made 
general: the first operation in the sequence should be an external operation that inputs and 
the final operation is an internal operation that outputs. In the tables all the annotations 
are defined with sets. Strictly, the SEQUENCE NEXT annotation should be restricted to single 
operations as additional controller operators need to be defined to support the synthesis and 
translation of sets of operations (for example the CSP sequence ;). However, the sequence 
next annotation is synthesised with CSP sequencing in the tables for illustration purposes.
i 6 o J u ly  6 , 2 008
6.3. Refinement and Translation to Handel-C
Annotation /  Control fragment Handel-C Translation Fragment Comment
1 OPi = ...OPj^NEXT  
opilyi'lvi
yi =  OPi{vi) ; yjj^  =  OPjj(ujj) internal 
single next 
translation
2 OPi =  ...{OPj^]NEXT  
/  * ext * f  OPj^ = ...
opihilvi  .
y,- =  OPi{vi) ; 
m =  wait — on — OPj^ ; 
t/ m = =  OPji 
then yj^ ^  OPjj(ujj^) 
else delay ;
external 
single next 
translation
3 /  * ext * /  OPi =  . . .  
O P jN E X T
opilyi'tvi
□
yj =  OPi(vi) ;
m =  wait — on — OPj ;
if in = =  OPj]^
t/ien =  OPji(uyi)
eke . . .
if in = OPj^
then yj„ =  O Pj^{vjJ
else skip
external
multiple
next
choice
translation
4 OPi = ...OPj III OPk 
OPj =  ...OPx n e x t  
OPk =  ...OPx iVEXT
opilyi'lvi -> {opjtyj?Vj - > . . . )  |||
seq{yi = OPi(ui), 
par{yj = OPj{vj), 
yk — OPk{vk)
}
}
internal
next
interleave
translation
Figure 6.6.: n e x t  Annotation Translation Guide Part 1.
J u ly  6 , 2 0 0 8 i 6 i
Chapter 6 . Translating and Refining Annotations
Annotation/ Control fragment Handel-C Translation Comment
OPi = . . .O P j;  OPk
f * e x t * /O P j^  = ...OPk  N E XT  
/ * e x t *  /OPj^ = ...OPk  N E XT  
OPki =  . . .
OPkn  =  . . .
O p i \ y i ? V i  -4  -4
yi =  OPi{vi),
in = wait — on — O P j
if in =  OPj^
then
else . . .
if in = OPj^ 
then = O P jJ v j J  
else skip 
}
Vkl =  OPkl{Vkl )y  
in = wait — on — OPk
next
sequential
translation
j  * ext ^ j  OPi =  .. .  
O P j  <  O P k
/* ezt* /OPji = . . . O P x  n e x t
f  * ext ^ fOPj^  =  ...OPY N E XT  
j * e x t *  fOPki  =  ...OPz N E X T
/ * e x t *  /OPkn =  -O P A  n e x t
opi\yi‘lvi
{if y then (opj -4 . . .  O
. . .□
else (opjki?yjti?Vfci
. . . □
^Vkn' -^ykn’^ '^ kn “ 4  . . .))
y = OPi{vi),
if y
{wait -  on — O P j  ; 
if in = OPj 2  
then yji =  O P ji(u jJ  
else . . .
if in = OPj^ 
then =  O P j^ iv jJ  
else skip 
} else
[wait — on — 0P%, 
if in = OPki 
then Vkl = OPki(vki) 
else . . .
if in = OPkn
then Vkn = OPkninn)
else skip
}
external
next
condition
translation
Figure 6.7.: NEXT Annotation Translation Guide Part 2,
1 6 2 J u ly  6 , 2 008
6.4. Example: Safe Control System
In the translation a command bus is added to make the appropriate choices. The external 
environment will make the choice.
The translations of Stepney [Ste03], and Phillips and Stilles [PS04] are given in table 6.1. 
Only the translation of integer declaration, parametrisable functions, and recursion are used. 
This is because our source is not CSP (it is annotated B and CSP) as such channels are not 
being used to synchronise events. In the table the CSP language construct and translation 
are mapped. A tick indicates if they are supported by Stepney (SS) or by Phillips and Stilles 
(PS). When an operation is invoked it takes its input from the environment from the port. 
Internal synchronisation of operations within machines is not dealt with in this cliapter. To 
guide the B translation the table in Figure 6.17, on page 175, has been developed. A discus­
sion of the example is given in section 6.4.
Table 6.1.: Existing CSP to Handel-C Translation Guide.
Feature CSPM Handel-C PS SS
Channel Declarations 
(from use)
channel chan, chanin, chanout /
Channel Declarations channel c chan SYNC c; /
Typed Structured 
Channel Declarations
channel d: T.T chan struct d-DATA d /
Input Channel 
Operations
in?x in?x; / /
Output Channel 
Operations
out!x out'.x; / /
Integer Declarations int 8 x; / /
Parametrisable
functions
p(n) =  ... void(n).,. / /
External Choice [] priait ... / /
Synchronous Parallel 0 {1 ... 1} 11 ' par ... / /
Replicated Sharing 
Parallel
[| Event j] n: { i..j }#P(n) par (n=i; ni=j;+-t-n)P(n); /
Recursion P =  ... -4 P while(1) ... / /
Conditional Choice if b then P else Q if (B) then P(); else Q(); /
Macros {" " -} • • « /
6 .4 . Example; Safe Control System
We use the example of a safe locking system to illustrate the ideas introduced in this chapter. 
The specification outlines the operations offered to the environment. The operations that can 
be invoked by the environment are indicated with /  * çxt * /  annotations. Both the operation
J u ly  6, 2 0 0 8 163
Chapter 6 . Translating and Refining Annotations
and the output can be marked with a / * e w ( * / .  All /  * ext ^ j  annotation outputs are ported 
and become part of the Handel-C output interface. All /  * ext * /  operations are associated 
with a bus port that has a state of the same name as the operation. Variables intended as 
input are marked with / * IN * / .  It is possible to mark the variables as / * IN* /  or /*  OUT*/. 
Along with the mode the width of the type is given in bits. Operations are invoked in two 
ways. The first way is via the command bus, which when set to the operator name will invoke 
the operation when it is enabled by the control flow. Operations not labelled with /  * ext * /  
are internal and are invoked immediately when enabled by the control flow.
6.4.1. The Example’s S ta te  and Control Flow
In Figure 6.8 and Figure 6.9 the B Abstract Machine for a safe cabinet design is given. There 
are three command states Locked, Unlocked^ and BrokenOpen which are represented in two 
bits. The variable Door is drawn from the COMMAND type and initialised to Unlocked. 
The Lock operation is enabled after initialisation. It is an external operation with externally 
ported output. After setting the Door state variable to Locked both Unlocked and BreakOpen 
are enabled. For completeness we introduce two operations that will be used later to develop 
the detailed functionality of the machine during refinement. These operations are UnlockRl 
and UnlockR2. Their bodies are not expanded. The Unlock is an external operation and has 
externally ported output. It represents an attem pt to unlock the safe. It non-deterministically 
decides to set the Door variable to Unlocked or Locked. The next operator to be enabled 
depends on the outcome of the Unlock operation. If the door became Unlocked then the 
next enabled operation would be Lock, otherwise Unlocked or BreakOpen will be offered. The 
BreakOpen operation sets the Door state to BrokenOpen and offers itself as the next operation 
available.
The controller CTRL  given in Figure 6.10 first performs a Lock and then jumps to the S 
process where it can perform either an Unlock or BreakOpen. The Unlock event has a single 
output that is used as the conditional test in the if-then-else following the Unlock event. If 
the output of the Unlock operation is true then a Lock event occurs and the flow of control 
is repeated starting again at 6", if it is false then control is repeated with S.
6.4.2. A Refined Example
A refinement of the Safe machine, called SafeR, is given in Figure 6.11 and Figure 6.12. The 
example mimics refinement in Event-B. The operation UnlockRl and UnlockR2 are introduced 
to refine Unlock. The laws of refinement of Event-B are not fully justified in this thesis. 
The Safe refinement, SafeR, breaks down the unlocking process into two stages. Firstly, 
two new operations are slotted into the control interleaved: UnlockRl{Combla, Comblb) 
and UnlockR2{Comb2a, Comb2b), Both have a combination parameter which is compared 
against a stored master code and a second parameter that is used to create a new master 
key. The UnlockR commands update the master combination if a successful comparison 
occurs. New input variables are added: Cxla, Cx2a, Cxlb, and Cx2b. These represent the 
interface with the environment on which new values are input. These are used to input the 
combination values and are not used by the B Operations. Checkedl, Checked2, Masterl and 
Master2 are new variables used by the operations. The annotations of the Lock operation
164 J u ly  6, 2 0 0 8
6.4. Example: Safe Control System
are refined. Two operation are added before the Unlock. The extra proof obligations are 
discharged automatically. The bodies of the UnlockRl and UnlockR2 are completed at this 
level. The body of the Unlock operation is refined to set the output and the Door variable. 
The annotations of the Unlock are refined: the BreakOpen operation is removed from the next 
annotation as an option, which means it can not be reached. W hat was one unlock operation 
has been expanded into tlnree (two interleaved). Before refinement the Unlock operation has 
both input and output. The refined version has the input occurring on the first operations 
in the refined sequence of operations ( UnlockRl and UnlockR2), and the output occurring on 
the final operation of the sequence (the original Unlock operation).
The controller given in Figure 6.13 begins like the abstract controller with a Lock event 
then a jump to S. There is, in this refined process, no choice to breakOpen only UnlockRl 
and UnlockR2 are offered with Cxla  and Cxlb, and Cx2a and Cx2b as an input to them, 
respectively. The Unlock process is refined. The refined sequence starts with a interleaved 
combination of UnlockRl and UnlockR2 events then the original Unlock event. As before the 
outcome of Unlock determines what happens next. If the Unlock is successful the process 
will be restarted from the beginning. If the current attem pt at unlocking fails then another 
attem pt at Unlock will occur. It is noted that the Lock -> S  could have been replaced by 
CTRL, but the current approach separates it from the main CTRL. The former is easier to 
translate. The types of the outputs are not illustrated, for example the CTRL  process would 
be:
CTRL = Oy ' {Lockedf) @ Lockly —> S
6.4.3. A Hand Translation using th e  Guidance
A summary of the hand translations from the refined B specification is given in the table 
in Figure 6.17. The B provides the details of the types, variables, and functions. The 
CSP controller provides the executions details that are use later to construct the Handle- 
C main section. A summary of the hand translation of the controller is given in the table in 
Figure 6.18.
The SETS clause is translated into an enumerated type. The INVARIANT section is used 
to create the declarations. Variables annotated with a mode are created as buses of the 
appropriate I/O  type and size. Other variables are created. In the tables only translation 
of N  (or subset of N) or enumerated types are considered. Variables bound to ports are 
created. To permit external operation calls a bus is created and given the same name as the 
machine. The width of the bus must be sufficient to handle the number of external operations 
of the machine. The mechanism for requesting an external operation to execute is to change 
the data on the command input bus to the same name as the operation required. The last 
requested operation is latched into variable of the same name as the machine with a -var  
post fix. Variables are declared for operation outputs. The name of an output bus variable 
is the concatenation of the operation output name and the operation name. This avoids 
clashes. Buses are defined for each /  * IN  * /  and /  * OUT * /  annotation, external operation 
/  * ext * /  and operation output. Operations are translated into functions. If an operation has 
an output the function will return a value. Functions with outputs will have an assignment 
in them that assigns to the bus output function variable. The function will also return that
J u ly  6, 2 0 0 8  165
Chapter 6 . Translating and Refining Annotations
output in the final statement of the function. Assigning to the function output variable 
allows results to be chained (feed into other functions). The details of the translation of the 
B operators is only given for assignment and if  — then — else. There are existing mappings to 
C from a subset of BO in the B Method. It is therefore assumed that a translation of atleast a 
subset of B to Handel-C is possible. The bodies are translated in a straightforward manner. 
Assignments in the operations are put together in a par Handel-C statement. Assignment and 
the if — then — else B constructs have straightforward translations. The INITIALISATION is 
translated into a function called Initialisation-fnc. The «  B »  represents the translation 
of B fragment.
The CSP controller is used to construct the main Handel-C body. A summary of the hand 
translations made on the CSP controller is given in the table in Figure 6.18. The controller de­
sign was structurally limited to facilitate translation: initialisation and setting up operations 
are performed before a main loop is entered. Hence, the first process definition CTRL^fnc is 
not recursive; it is an open process. It translates to a function call CTRL-fnc, which invokes 
the Initialisation-fnc and lock-fnc functions. On returning to the main program the next 
function called is the S-fnc, which implements the main loop. S—fnc  is tail recursive and is 
implemented with a continuously looping while loop; it is a closed process. The first event in 
the main loop is the UnlockR commands. In the translation the UnlockR-fncs are preceded 
by wait-UnlockR-fncs as they are external operation. The UnlockR-fnc functions inputs 
from the Cxla, Cxlb, Cx2, and Cx2 input buses. The Unlock-fnc call follows. Unlock-fnc 
returns a  value that is assigned to a variable that is output ported. The value is also used to 
decide the course of the following if  — then — else. Either a Lock-fnc or an UnlockR-fnc is 
performed after a wait. Then the process recurses. The < P > represents translation or CSP 
fragments. The translation of the CSP choice operator is also a refinement.
166 J u ly  6, 2 0 0 8
6.4. Example; Safe Control System
M A C H IN E  Safe
SE T S COMMAND = { Locked , Unlocked , BrokenOpen }/*2*/ 
V A R IA B L E S Door
IN V A R IA N T  Door e  COMMAND /*0U T 2*/ 
IN IT IA L IS A T IO N  Door := Unlocked /* { Lode } NEXT */ 
O P E R A T IO N S
/*ext*/ Status i—  /*ext*/Lock =
PR E
Door =  Unlocked 
THEN
Door := Locked^Status\= Locked 
END
/* { Unlock, BreakOpen } NEXT */ ;
U n lo c k R l (C o m b la ,C o m b lb )  =
PR E
Combla e  NAT A Comblb G NAT 
THEN 
skip 
END ;
U nlockR 2(C om b2a,C om b2b) =  
PR E
Comb2a € NAT A Comb2b G NAT 
THEN 
skip 
END ;
Figure 6.8.: Safe Machine - Part 1
J u ly  6, 2 0 0 8  167
Chapter 6 . Translating and Refining Annotations
/*ext*/ Status i—  /*ext*/ U nlock =
PRE
Door =  Locked 
THEN  
ANY  
dd
WHERE
dd: COMMAND - { BrokenOpen }
THEN
IP
{dd = Unlocked)
THEN
Status := 1 
ELSE
Status := 0 || Door := dd 
END  
END  
END
/♦{Lock } {UnLock,BreakOpen } CONDITIONAL NEXT */ ;
/*ext*/Alarm<—  /*ex t* /B reakO pen  =
PRE
Door e  COMMAND 
THEN
Door := BrokenOpen j| Alarm := 1 
END
/♦{BreakOpen } NEXT ♦/
E N D
Figure 6.9.: Safe Machine - Part 2
i6 8  J u ly  6, 2 0 0 8
6.4. Example: Safe Control System
CTRL  =  □ Lock\y -> S  y
jÿ =  (□ Unlock\y —^ (if y = =  1 then O Lock\y -> S else S ) )0  V ' y
{n BreakOpen\y —> B-CTRL)  y
B -C T R L  — U BreakOpen\y - 4  B -C T R L
Figure 6.10.: Safe Machine Controller.
y
J u ly  6 , 2008 169
Chapter 6 . Translating and Refining Annotations
REFIN EM ENT SafeR 
REFINES Safe
VARIABLES Door, Cxla, Cx2a, Cxlb, Cx2b,
Masterl, Checkedl, Master2, Checked2
INVARIANT
Cxla G NAT/*IN16*/ A Cx2a G NAT/*IN16*/ A 
Cxlb G NAT/*IN16*/ A Cx2b G NAT/*IN16*/ A 
Masterl G NAT/*16*/ A Checkedl G NAT/*1*/ A 
Master2 G NAT/* 16*/ A Checked2 G NAT/*1*/
INITIALISATION
Door: =Unlocked || Cxla:—0 || Cx2a:=0 || Cxlb:=0 || Cx2b:=0 ||
Masterl :=67 ]| Checkedl :=0 || Master2:=7Q || Checked2:=0 /*  { Lock } NEXT */
O P E R A T IO N S  
/*ext2*/S tatus^— /*extl* /L ock G 
PRE
Door =  Unlocked 
THEN
Door := Locked || Status := Locked || Checkedl := 0 || Checked2 := 0 
END
/* { UnlockRl(?Cxla?Cxlb),UnlockR2(?Cx2a?Cx2b) } { Unlock } SEQUENCE NEXT*/ 
/* { UnlockRl(?Cxla?Cxlb) } { UnlockR2(?Cx2a?Cx2b) } INTERLEAVED NEXT */ ;
/* e x tl* /U n lo c k R l( /* 1 6 * /C o m b la ,/* 1 6 * /C o m b lb )  =
PR E
Door =  Locked 
THEN 
IF
(Combla — Masterl)
THEN
Checkedl := 1 || Masterl := Comblb 
ELSE
Checkedl :== 0
END
END /* { Unlock } NEXT */ ;
Figure 6.11.: Safe Refinement - Part 1.
1 7 0  J u ly  6 , 2 008
6.4. Example: Safe Control System
/* ex tl* /U n lo c k R 2 (/* 1 6 * /C o m b 2 a ,/* 1 6 * /C o m b 2 b ) =
PR E
Door =  Locked 
THEN 
IF
(Comb2a =  Master2)
THEN
Checked2 1 || Master2 Comb2b 
ELSE
Checked2 := 0
END
END /* { Unlock } NEXT */ ;
/*ex t2* /S ta tu s <—  U nlock  =
PR E
Door = Locked 
THEN
Status := Ghecked2 ||
IF
{Checkedl = 1) f\ {Checked2 = 1)
THEN
Door := Unlocked 
ELSE
Door := Locked 
END
END /* { Lock } { UnlockR } NEXT CONDITION */ ;
/*ext*/ A la rm  <—  /*ext*/ B rea k O p e n  =
PR E Door G COMMAND THEN Door := BrokenOpen || Alarm := 1 END 
/*  { BreakOpen } NEXT */
E N D
Figure 6.12.: Safe Refinement Part 2
J uly  6 , 2008 171
Chapter 6 . Translating and Refining Annotations
CTRL = □ Lockly -> Sy
S  =  { U n l o c k R l l C x i a 7 C x l b sfcip |j| UnlockR27Cx2a7Cx2bskip)]
□ Unlockly —> (if y then O Lockly -4 S else S)y ' ' y
Figure 6.13.: Refined Safe Controller
/ / s e t  c lock  = e x te rn a l "Clock";
#define PAL_TARGET_CLOCK_RATE 25175000 
# include "pal_m aster.hch" / / / / / / / / / / / / / / /
/ /  BreakOpen removed in  t r a n s la t io n  as 
/ /  not used and no command d e fa u lt  added 
typedef enum {Not_Commanded =
(unsigned 2) 0, Locked, Unlocked} COMMAND; / /  
typedef enum {No_Command =
(unsigned 2) 0, Lock, UnlockRl, UnlockR2} SafeR; 
unsigned 2 Door; / /  B v a ria b le s
unsigned 1 Checkedl; / /
unsigned 16 M asterl; / /
unsigned 1 Cheeked2; / /
unsigned 16 M aster2; / /
SafeR SafeR_Bus_var; / /  la tc h  inpu t bus values to
/ /  req u e s t o p e ra tio n  execu tion  
unsigned 1 S ta tu s .U n lo ck ; / /  o p e ra tio n  output values
unsigned 2 Status_Lock; / /
/ /  IN anno ta tions  
/ /
/ /  IN an n o ta tio n s  
/ /
in te r fa c e  bus_in(unsigned  16 inp) CxlaO 
in te r fa c e  bus_in(unsigned  16 inp) Cx2a() 
in te r fa c e  bus_in(unsigned 16 inp) CxlbO 
in te r fa c e  bus_in(unsigned  16 inp) Cx2b() 
in te r fa c e  bus_in(SafeR  2 inp) SafeR_Bus(); / /  ex t o p era tio n s  
in te r fa c e  bus_ou t() Doorl (unsigned 2 OutPort=Door); / /  OUT an n o ta tio n s
in te r fa c e  bus_out() / /
Status_U nlockl (unsigned 1 O utPort=Status_U nlock); / /
in te r fa c e  bus_out() / /
S ta tu s_ lo ck l (unsigned 2 O utPort=Status_Lock); / /
Figure 6.14,: SafeR Translation Part 1.
172 J u ly  6 , 2008
6.4. Example: Safe Control System
void  wait_on_Lock_fnc (void){
w hile (SafeR_Bus. inp != Lock){delay ;}
SafeR_Bus_var = Lock;
}
unsigned 2 Lock_fnc(void){ 
par{
Door = Locked,
Status_Lock = Locked 
};
r e tu rn  Locked;
}
void  w ait_on_U nlockR l_fnc(void){
w hile (SafeR_Bus.inp != U nlockR l){delay;}
SafeR_Bus_var = UnlockRl;
}
void  UnlockRl_fnc(unsigned 16 Combla; unsigned 16 Comblb){ 
i f  (Combla == M asterl) { 
par{Checkedl = 1,
M asterl = Comblb 
>;}
e ls e
{Checkedl = 0 ; }
}
void  wait_on_UnlockR2_fnc(void){
while (SafeR_Bus.inp != UnlockR2){delay;}
SafeR_Bus_var = UnlockR2;
}
void  UnlockR2_fnc(unsigned 16 Comb2a; unsigned 16 Comb2b;){ 
i f  (Comb2a == M aster2) { 
par{
Checked2 = 1,
M aster2 = Comb2b
};}
e ls e
{Checked2 = 0;}
Figure 6.15.: SafeR Translation Part 2.
J u ly  6 , 2008 173
Chapter 6 . Translating and Refining Annotations
unsigned 1 U nlock_fnc(void){ 
par{
i f  (Checked2 == 1 )  {Door = Unlocked;} e ls e  {Door = Locked;}, 
S tatus.U nlock  = Checked
};
r e tu rn  Checked;
};
void I n i t i a l i s a t i o n . f n c ( v o id ) {
Checked = 0 ;M aster = 67 ;Door = Unlocked; / /  INITIALISATION 
S ta tus.L ock  = 0 ;S tatus.U nlock  = 0 ;  / /  SET OUTPUT DEFAULT
}
void CTRL.fnc(void){
I n i t i a l i s a t i o n . f n c O  ; w a it.o n .L o ck .fn cO  ;
i f  (SafeR .B us.var == Lock){Status.Lock = L o c k .fn cO ;} e lse { d e lay ;}
}
void S .fn c (v o id ){  
w h ile ( l){ p a r{
seq{wait_on_UnlockRl_fnc 0  ;
i f  (SafeR_Bus_var==UnlockRl){
U n iockR l.fnc(C x la .inp , Cxlb. in p ) ;} 
e ls e
{delay ;}
} / /  seq
seq{wait_on_UnlockR2_fnc();
i f  (SafeR_Bus_var==UnlockR2){
U nlockR2_fnc(Cx2a.inp,Cx2b.inp);} 
e ls e
{delay ;}
} / /  seq 
} / /  par
St a t  us .Unlock = U nlock.fncO  ; 
i f  (S ta tu s .U n lock ){ 
w a it.o n .L o ck .fn cO  ; 
i f  (SafeR.Bus.var==Lock){
Lock.fncO  ;}
e lse
{delay ;}}
e lse
{delay ;}
} //w h ile
}
void  m ain(void){
CTRL.f ncO  ; S .fnc  0  ;
}
Figure 6.16.: SafeR Translation Part 3.
1 7 4  J u ly  6 , 2 008
6.4. Example: Safe Control System
Feature B Handel-C
set
declaration
SETS SS=
AA,...,XX/*n*/
typedef enum { AA =  
(unsigned n) 0, XX } SS;
B variable 
declaration
INVARIANT
Vv € TT /*OUTn*/
unsigned n Vv; 
interface bus_out()
Vvl (unsigned 2 OutPort=Vv);
INVARIANT
Vv G TT /*INn*/
unsigned n Vv;
interface bus-in(unsigned n inp) Vv();
INVARIANT
Vv G TT /*n*/
unsigned n Vv;
Command
Bus
Declaration 
with k 
operations
MACHINE mname typedef enum
{No_Command=(Unsigned k) 0
,..,op_k} mname; 
mname mname_Bus_var; 
interface bus_Jn
(mname k inp)mname_Bus();
Function
Declaration
/*ext N*/ Oo
f — /*ext*/ C c(/*  M */Zz) interface bus_out ()
Oo_Ccl (unsigned N Outport=Oo_Cc);
void wait_on_Cc_fnc() { 
while (mname_Bus.inp !—Cc) { delay; } 
(mname—Bus-var =  Cc;
}unsigned N Cc_fnc(unsigned M Zz){ 
pa r{ .. .;};return exp;
}
Function
Body
« P R E  P  THEN B  E N D » par{<<  B » }
« I F  h THEN c
ELSE d E N D »
if «  6 »  { < <  c »  } 
else { < <  d »  } ;
< <6 := c> > «  6 »  =  «  c »  ;
initialisation «IN ITIA LISA TIO N  . . . » void Initialisation(void){ < <  • • • >> ; }
main <<OPERATION >> see table 6.18
Figure 6.17.: B to Handel-C Translation Guide.
J uly  6 , 2008 175
Chapter 6 . Translating and Refining Annotations
Feature CSP Handel-C
initialisation
processes
P =  . . .  S void Initialisation_fnc(void)... ;
void CTRL_fnc(void){InitialisatiorLJnc();... ;}
main loop 
processes
s = . . .  s void S_fnc(void){while(l){,.. ;}} 
void main(void){CTRLJEnc();S_fhc();}
prefix (internal) < e-> P > e_fnc ; < P >
prefix (external) < e-4 P > wait-on_e; e_fnc ; < P >
choice (external) < P I  □ P2 > <P1>
interleaved < e l ^  skip
III--111e„ -4 skip] P >
par{< ei -> skip >;
. . .  ; < e„ skip >}; < P >
if-then-else <if y then P else Q> if y {<P>} else {<Q>}
Figure 6.18.: CSP to Handel-C Translation Guide.
176 J u ly  6 , 200 8
7. Comparisons with Other Work
7.1 . Associated Technologies
The design and implementation of critical systems benefit from development in a formal 
method such as B. However, B does not support execution specification directly. Event- 
B [MAV05] and CSP||B have been proposed as a means to create a formal specification 
notation that incorporates action specification and B. Each of these approach has particular 
benefits. Core to the Event-B approach is refinement, whereas CSP||B offers a  clean separation 
of control and data manipulations.
Combining model based formalisms like B [Abr96] and Z [Spi92] with event based formalisms 
like CSP [SchOO] is an active research area. The motivation for a closer integration is to 
obtain a formalism that is as powerful at describing state predicates as it is at describing 
event behaviour. The CSP||B [TreOO] approach combines CSP and B so that CSP captures, 
primarily, the event aspect of the design, whereas the B captures the state evolution. Each 
CSP controller directs a single B machine via communication channels. Controllers may 
interact with other controllers. In Treharne [TreOO] consistency between the pre-conditioned 
B machine and the CSP controllers is established in two ways. Firstly, by showing that 
operations are always called within their preconditions, which establishes divergence freedom. 
Guarded controllers present the possibility of controller deadlock. The secondly, consistency 
condition establishes that controllers are deadlock free. Consistency is investigated using the 
wps of guarded action [Dij76j.
A number of tools focus on capturing the designs of safety critical systems using state ma­
chines [AndOSj. State machines designs are in a form amenable to formal reasoning and 
simulation. They can readily be translated into both software and hardware languages. The 
EstereP tool produces C, System-C^ and VHDL [Ash96]. Object orientation and complex 
concurrent behaviour are avoided in high integrity designs [MoD99] to ease the burden of 
verification.
Bridging the semantic gap between software and hardware is important to ensure proven spec­
ifications are implemented correctly. Research into formalising Hardware Description Lan­
guages (HDL), like VHDL [BKLM97] and Handel-C [BW03] has provided semantic models 
of HDLs. The translation mappings between FDR2 and Handel-C[Ste03] illustrated the com­
mon ground that exists between process algebras and HDLs. Research translating BVHDL 
to VHDL [ISSOl] provided evidence of the commonality of specification languages and HDLs. 
Event-B has been used to describe hardware circuits [AbrOlj. Recent work on using BHDL
h^ttp://www.esterel-technologies.com/
h^ttp://www.systemc.org/
J u ly  6 , 2 0 0 8  1 7 7
Chapter 7. Comparisons with Other Work
to model VHDL [ABD+03] supports the belief that direct compilation to hardware from a 
formal notation is possible. The "Future Technology” project involves collaborative research 
into the use of CSP||B to specify co-designs [MS06] [MS07] and to formally investigate systems 
designs of large scale developments captured in xUML [TSG+07]. The HDL for this work is 
Handel-C.
Boulanger’s et. al. [ABD'*'03] work modelling VHDL in B builds from the bottom up. They 
develop systems on top of multi valued logic of the IEEE libraries of standard logic vectors 
specified in B. The problem with this approach is that large circuits are difficult to analyse. 
Abrial approaches the problem from a higher level, than that of Boulanger et. al. Refinement 
is used to achieve the development of larger components from logic gates. However, no 
details of mappings to synthesisable logic are given. The work by B-Core and Ifill [ISSOl] 
was aimed at developing larger circuits for industrial applications, so it focused on modelling 
the structure of the design at the expense of providing a semantic under pinning for BVHDL. 
Recently, more abstract HDLs have entered the market. SystemC and Handel-C ® allow the 
capture of circuit descriptions at a higher level than VHDL. Stepney’s work defines a set 
of mappings to Handel-C from FDR2, but the mappings are not supported by a common 
semantics. The work highlights the difficulties of representing state, a very import aspect of 
hardware designs, in CSP. The aim of this thesis is to extend B with annotations to allow 
it to capture temporal properties, then to translate directly into Handel-C, but to support 
the translation process with a common semantics. For simplicity thé designs are restricted 
to finite state machine designs. We note the criticism of Hilton [Hil04] that Handel-C being 
based on C is fundamentally unsafe. However, work on developing an operational semantics 
for Handel-C [BW03] may allow it to be used safely. It should also be noted that a safe subset 
of C [Hat95] have been reported on and used, particularly in the motor industry [Mot04]. So 
initially, Handel-C for a HDL appears to be a good choice.
From the discussion above it is evident that there are a number of other works that warrant 
comparison to the findings of this thesis, because of the large span that the thesis covers. 
In this chapter approaches to hardware verification are considered. These range from semi- 
formal to fully formal verification. In Section 7.2 the methodologies are outlined and notable 
verifications are cited, along with a discussion about the limitations associated with the 
approaches. The research undertaken at the start of the thesis in to the use of BVHDL as 
a HDL is reviewed in section 7.3. Formal state machine development is considered, namely 
the approach based on Esterel in section 7.4. Although, this approach is fully formal it does 
not deal with data processing as well. There are other formal method integrations apart 
from CSP||B. CSP-Z is an approaches based on Z and CSP, and it has been compared to the 
approach using annotations in section 7.5. Event-B is a mature technology although on its 
own it has some of the disadvantages that classical-B has when compared to CSP||B. However, 
Event-B research has covered many areas that can be compared to the work of the thesis, 
for example there has been work on hardware modelling, variant termination, modalities and 
state machine modelling, which is discussed in sections 7.6 to 7.7. Annotations are strongly 
related to temporal logic. B model checking and more recently CSP model checking has moved 
forward in a similar direction as has the annotations research. A major limitation with the 
model checking approach is the state space explosion problem. Work on model checking B 
and CSP using ProB is considered in section 7.8. There have been other approaches to the
*http://www.celoxica.com/methodology/handelc.asp
178 J uly  6 , 2008
7.2. Hardware Verification and Hardware Description Languages
translation of CSP to Handel-C that are reviewed and compared to the annotation translation 
approach in section 7.9. Approaches when targeted at software obtain regulator acceptance; 
namely those based around Spark Ada An approach that incorporates both software 
(SPARK Ada) and hardware that there is not space to detail in full, but deserves a mention, 
was proposed by Hilton [Hil04]. On the hardware side Hilton proposes that PPG A design 
should be captured in Synchronous Receptive Process Theory [Joe92] (SRPT). SRPT has 
a denotational semantics defined in failures-divergence of process and distinguishes between 
input and output events unlike Hoare’s CSP semantics. Their proof of requirement is in terms 
of verifying the sequence of events of a FPGA cell (specified in SRPT) against higher-level 
behavioural requirement sequences. A netlist cannot be obtained directly from SRPT. The 
SRPT model has to be translated into Pebble [LM98] to obtain a netlist.
7.2 . Hardware Verification and Hardware Description Languages
In this thesis a formal approach to hardware development is taken. Although formal ap­
proaches to hardware development is not new, they remain rare in new developments. In­
formal approaches are characterised by the development of various models that culminate in 
an implementation, where the models of the system are not related by mathematical reason­
ing. Equivalence between high and low level models is demonstrated by testing. Semi-formal 
methods may employ formal verification between some key levels of abstraction, or may use 
formal model checking to establish key model properties at some levels of the development. 
W hat actually exist today is a large number of approaches across the spectrum that covers 
fully formal hardware development in research to informal development in industry. No fully 
formal commercial development approaches exist. All approaches can be augmented with 
some form of model checking to make them semi-formal.
Hardware development approaches are categorised by their language. Choosing an approach 
is a m atter of a choice of hardware description language, simulation tools and synthesis tools. 
The tools are generally multi-language. Principle Hardware Description Languages (HDL) 
included VHDL, Verilog [IEE03] SystemVerilog®, System-C [IEE05a], C-f-1-, G, Handel-C®. 
VHDL (Very high speed integrated circuit Hardware Description Language) has several active 
standards in use for different VHDL language variants. The IEEE Standard VHDL Language 
Reference Manuals IEEE Std 1076 have had issues in 1987, 1993, 2000, 2002 [IEE02]. Ashen- 
den [Ash96] offers guidance on how to construct VHDL circuits for synthesis. Mentor Graphics ™  
 ^ are one of the many EDA suppliers of tools that support the development, debugging, and 
synthesis of VHDL. One particular tool of note is Modelsim™ which supports develop­
ments using the major HDLs: Verilog, System Verilog, VHDL and SystemC.
An informal approach requires the development of a system and a test bench. The test bench 
is used to exercise the design to demonstrate conformity to requirements under simulation by 
tools like Modelsim. The coverage effectiveness of the test bench can be evaluated with tools
h^ttp://www.praxis-his.com/
h^ ttp ://www.eda-stds.org/sv-ieeel800
®http://w w w .celoxica.com/ 
^http : /  /  WWW. mentor. com /  
®http://www.m odel.com /
J uly  6 , 2008 i79
Chapter 7. Comparisons with Other Work
like VN-Cover™ developed by Transeda™  Testing is complete when a target coverage is 
met. MentorGraphics™ support semi-formal design approaches with assertion based verifi­
cation. Assertion base verification tools dynamically monitor simulations and check property 
conformance. Large EDA suppliers tool’s target the major languages. Generally, if the tool 
can input VHDL it can handle Verilog, and System-C.
A step up in terms of formality is model checking, or as normally referred to in the EDA mar­
ket property checking. This entails developing a finite model of the HDL circuit and checking 
the model exhaustively for properties. Property checking is transformed into a problem search 
that uses both property and circuit reduction techniques to speed up the search. Either the 
property is established or a counter example is found and displayed. Termination of the 
checking search is not guaranteed in models that are difficult to reduce or are large. Averant 
have developed a static functional verification tool called Solidify™ [SS06] that performs 
property checking on VHDL and Verilog clocked designs. Properties can be written in a 
variety of languages like PSL [lEEOSb] (Property Specification Language), or HPL (Hard­
ware Property Language) their own proprietary language. The tool supports a number of 
automatic checks for dead code, deadlock states (from a non-reset state). Properties may be 
formulated over a finite clock period to reduce the size of the search space. It is unrealistic 
to expect properties to be check over a clock period exceeding 80 clock cycles. Property ver­
ification is more limited than simulation and the Solidify tool is limited to several thousands 
of gates [RawOl]. Formal equivalence checking, offered by the Prover eCheck tooP^, between 
RTL designs and FPGA layout ensures that there is no logical difference between the RTL 
and FPGAs netlist. Demonstrating the equivalence is a way of showing that the translation 
from RTL to FPGA netlist is correct.
The success of property checking is probably based on the automatic nature of the proof ef­
fort. Property checking and more generally model checking is an approach that augments an 
informal approach to create a semi-formal approach. Modern property checkers like Solidify 
and the pioneering model checker like FormalCheck [BGOl] analyses the source language di­
rectly saving effort translating to an intermediate language to undertake the analysis. In the 
same way that property checking augments the development process so does formal equiva­
lence checking. Non-commercial model checkers and model checking algorithms are described 
in a number of texts. The SMV^^ [McM92] model checker was the first incarnation of For­
malCheck. The SMV model checker does not take VHDL as input instead it takes a C like 
bespoke input language. Model checking algorithms utilised by SMV and examples SMV 
programs are available [HROO] [BBF+Ol] (in depth treatment of algorithms supporting model 
checking are reported on by Clark [Cla]). The texts introduce temporal logic properties like 
liveness, safety, deadlock freedom, reachability and fairness; and reasoning frameworks like Bi­
nary Decision Diagrams (BDD) [Bry85]. The BDD reduce the state space testing for specified 
properties. BDD and in particular OBDD [Bry92] (Ordered BDD) were extensively used in 
symbolic model checking to handle large designs [BCM"^90]. If the property is disproved then 
a counter example is given. NuSMV^^ appeared in 2002 as an open source re-implementation 
of SMV that included SAT [BCC^99] (Boolean satisfiability) solving. We have dwelled on
®http://www.transeda.com/ 
°^http://www.averant.com/ 
http://www.prover.com/ 
*^ http://www.cs.cmu.edu/ modelcheck/ 
^^ http://nusm v.irst.itc.it/
i 8 o J u ly  6 , 200 8
7.2. Hardware Verification and Hardware Description Languages
SMV for some time now but Berbard et. al. [BBF*^01](page 131) explain that it was the 
first model checker to use BDD and hence handle large state spaces, and examples of its 
use are published [CYLROl]. The use of BDDs has its limitations as the representation of 
reachability in BDD’s is PSPACE complete [CGJ'^01]. Clark argues that more research into 
model abstraction is required to combat the state explosion problem. There are other popular 
model checkers such as SPIN [Hol03], However, SPIN targets software verification. ProB, the 
B and CSP model checker, is discussed in section 7.8.
In the remainder of this literature review we concentrate on research that has focused on 
formalising the hardware development process by utilising theorem proving and formal no­
tations. Historically hardware has been modelled in functional languages and higher order 
logic languages like HOL [GM93]. Surveys of hardware verification techniques in the ’90s 
were dominated with PVS HOL and model checking approaches [KG99] [Sta94] [Gup92]. 
There were some notable successes with the used of algebraic functional specification lan­
guages, like the A AMP 5 verification [MS95]. The verification was undertaken in PVS for the 
NASA space agency. The success of the A AMP 5 project in the long term contrasts with the 
problems encountered by Charter Technologies Ltd., who licensed the VIPER processor, as 
reported in [Mac05]. The MoD had advertised the VIPER [Coh89] as a formally verified pro­
cessor. However after typing errors were discovered in the design questions about the context 
of the VIPER proof of correctness were raised. The question of what constitutes a proof was 
about to be debated in court as Charter Technologies had taken the MoD to court over the 
matter, after disappointing sales of the VIPER licences. However, Charter Technologies went 
bankrupt before the hearing. Model checking and theorem proving has been used successfully 
to verify the Pentium 4 fioating-point multiplier unit and floating-point adder. The model 
checking for this was undertaken in Forte, which has FL as the interface language. FL is 
strongly typed and from the same family as ML. Temporal aspects of the specification were 
specified as Hoare triples. Model checking was carried out via Symbolic Trajectory Evaluation 
(STE). Kaivola and Narasimhan [KN02] successfully proved that the Pentium4 floating point 
multiplier booth-encode procedure was correct to the IEEE floating-point multiplication spec­
ification. They believed that the success of the proof was due to the most part to organising 
the proof steps and the teams decomposition skills. Jones et. al. [JOS'^Ol] viewed their work 
verifying the adders as only a first step that awaits industrial strength tools. ACL2 theorem 
prover, an industrial strength version of the Boyer-Moore theorem prover [SawOO], has been 
successfully used to demonstrate that pipelined processors can be verified against equivalent 
sequential machines. Zimmermann and Toma [YZ05] demonstrated that ACL2 can be used 
to verify that BHDL interface specifications are equivalent to VHDL IP blocks. One limita­
tion of the BHDL approach discussed in section 7.3 is it does not make full use of IP blocks 
and reuse. Zimmermann and Toma demonstrate that BHDL interface specifications can be 
flattened and translated into ACL2 and compared with a ACL translation of the VHDL IP 
blocks. Srivas et. al. [SRC97] in their work formally verifying microprocessors and various 
logic circuits highlighted the importance of mechanising the proofs. They made the proof 
scripts short and concise and developed hardware components that support modular proof. 
Larch/VHDL^® is a theorem proving base approach to formal modelling and verification of 
HDLs. Models are developed in the Larch/VHDL environment, developed by Odyssey Re­
search Associates Inc. Formal verification is carried out by Penelope the interactive theorem
^^ http://pvs.cls.sri.com/
®^http://w w w .atcorp.com/reliablecomputing/liardwareverification.html
J u ly  6 , 2 0 0 8  i 8 i
Chapter 7. Comparisons with Other Work
prover. Examples of small digital components have been demonstrated. Barbour and Nassif 
comment that all but the simplest simplifications are require guidance in Penelope [BN97]. 
Although model checking and theorem proving are powerful approaches few tools have ap­
peared in the mass EDA market to-date. Some possible reasons for the lack of uptake my be 
due to:
• limits on design size that can be analysed
• expert knowledge required to formulate properties\proofs
• the safety critical market is still a small market
The approach in this thesis, of using a formal notation during design, seeks to incorporate 
the generation of functionally correct circuits as part of the development process (correct-by- 
construction) rather than relying on formulating correctness after the components have been 
constructed. This does not preclude the use of model checking or theorem proving at the end 
of the development process to added to the assurance. The remainder of the literature review 
focuses on approaches that incorporate formal notations in the design process.
Research into formalising Hardware Description Languages (HDL), like VHDL [BKLM97] 
and Handel-C [BW03] has provided semantic models of HDLs. The translation mappings be­
tween FDR2 and Handel-C[Ste03] illustrated the common ground that exists between process 
algebras and HDLs. Work translating B to BVHDL [ISSOl] provided evidence of the com­
monality of specification languages and HDLs. Event-B has been used to describe hardware 
circuits [AbrOl]. Work on using B to model VHDL [ABD'*'03] supports the belief that direct 
compilation to hardware from a formal notation is possible. Lava^® has been proposed as a 
HDL for safety related hardware implementation [Hil04], and Synchronous Receptive Process 
Theory (SRPT) [Joe92] has been proposed to under-pin the semantics of the mappings. Lava 
can be used to describe circuits at a netlist level, before synthesis to Xilinx’s Virtex family 
of FPGAs. It attempts to formalise the step from netlist to FPGA device. To do so requires 
focusing on a particular FPGA device family.
Co-design is an approach that delays assigning the choice of technology (hardware/software) 
for the implementation of components until as late as possible in the development cycle, and 
base that choice on system performance requirements rather that custom practice. Work us­
ing GSP||B to formalise the modelling of co-designs is under way at Surrey University. There 
has been some success modelling hardware components [MS06] using CSPj|B. SystemC is a 
language intended for co-design. It is not formal. However, work proving the operational 
semantics of the SystemC scheduler in Event-B using refinement has been carried out suc­
cessfully [DC05]. By providing a formal operational semantics for SystemC Cansell et. al. 
where able to give an operational meaning to every simulation. They claim it is possible using 
their approach to validate the correctness of a B models translated into SystemC.
The use of state based and event based formalisms is a deviation from the recent historical 
approach dominated with algebraic specification hardware notations. Functional languages 
have the advantage of utilising property preserving transformations and easy of theorem 
proving. State and algebraic specification languages offer a way to develop co-designs. System
’http://raintowii.org/lava/
182 J u l y  6 , 2008
7.3. Hardware Development in B
on a chip (SoC) developments are becoming common. They encompass a wide range of services 
including hardware and software support. B is traditional used for software development. 
Adapting it for hardware development extends its capability and opens up the possibility 
of using it for co-designs, like SystemC. The annotation approach incorporates the ideas of 
checking temporal properties directly by starting with temporal properties as a core part of 
the abstraction.
Hardware modelling in classical B is outlined in section 7.3. In section 7.4 a commercial 
approach to formal state machine development is reviewed. In section 7.5 an alternative inte­
gration of two formal notations is considered to give contrast on the CSP||B integrations. In 
section 7.6 Event-B approaches modelling are considered, and in section 7.7 Event-B modali­
ties are introduced. A B model checker is evaluated in light of the annotations in section 7.8. 
Approaches to translation CSP to Handel-C are considered in section 7.9.
7 .3 . Hardware Developm ent in B
7.3.1. BVHDL Hardware Description Language
We begin with the review of approaches to specifying hardware, which was the starting point 
of this thesis. It was discovered during the initial research phases that what was required 
was a higher level of abstraction that RTL. The motivation for discussing this work is to 
show how optimised formal hardware logic can be developed, and to show the limitations of 
this approach. The term BVHDL is employed to describe a collection of specialised library 
machines and machine templates, used to construct B descriptions that are structured like 
VHDL. The major strength of BVHDL is its fixed architecture that mirrors VHDL. Hardware 
engineers are presented with familiar building blocks, for which they have an intuitive feel. 
This strength can also be viewed as a weakness in that a design abstract must be introduced 
within the confines of a VHDL architecture. Annotations do not apply the same level of 
structural rigidity which allows more abstract formulations of the problem in the initial stages 
of design. The structural constraint in BVHDL aids translation to VHDL.
A simple example is used to illustrate the BVHDL language features. It is derived from 
a larger example called Another Example Processor [Ifi02] (AEP), which was developed at 
the commencement of this research. The example given in this section concerns the access 
control to the register bank of the AEP pipelined processor (BVHDL is well suited to the 
description of low level examples). To keep it small it has been rationalised. The essences of 
the example design is given in Figure 7.2. Two sub-modules (read and sequence) share access 
to the register bank, hank. The system invariant asserts that different pipeline states cannot 
access the register bank at the same time.
Machines can be included (INCLUDES) into other machines to structure a specification. An 
example of inclusion is given in Figure 7.2, where ww_PR, S8_PR, rr_PR, tt_PK and ooJPK are 
included. Inclusion is a strong form of ownership. Machines can only be included into another 
machine once. Included machines may have their OPERATIONS used by the operations of 
the including machine. Machines may see but not modify another machine’s state using the 
SEES relationship. This a weak form of sharing.
J u ly  6 , 2 0 0 8  1 8 3
Chapter 7. Comparisons with Other Work
ar;=bank(sO) (reading bank)
sequencer 
Process Machine
write 
Process Machine
read 
Process Machine
AEP 
Simple Machine
Figure 7.1.: AEP Example Essentials
Figure 7.1 introduces a Simple Machine (SM) at the top of the AEP hierarchy. The SM 
includes the Process machines (PR) that makes up the simple pipeline. SM compose PR 
machines. Process machines detail substitutions like VHDL processes. Inclusion in B gives 
access to another machines invariant, and state via the included machine’s operations. Shared 
type information is provided by tt_PK and oo_PK, shown in Figure 7.2 along with the AEP 
SM, aa_SM. Package machine (_PK postfix) translate into VHDL packages, and they are 
used to contain shared type information. The SM represents a VHDL entity, a basic VHDL 
building block. The SM machine VARIABLES represent entity signals. The machine variables 
su, du and ou represent outputs, whereas oO, sO and dO are input signals. The inputs are 
latched in by the port operation, aa_port. The architecture operation, a a _ a rc h ite c tu re , 
concurrently executes the pipeline processes producing new output assignment statements. 
Variables from the included Process Machines (PRs) are used in the architecture operation to 
connect up the processes. An invariant is introduced in the SM which states that a structural 
hazard can never exits. Such a hazard occurs when the different pipeline stages attempt to 
read and write the same register simultaneously. Hence, s i  (the variable that refers to the 
source register) and d l (the variable that refers to the destination register) must never be 
equal during reading and writing. The PR  machines are architecturally a level below the SM 
machines. There is a higher level BVHDL machine hierarchically superior to SM machines, 
which is analogues to the VHDL MAP called the Compound Machine (CM). A MAP is where 
instances of component entities are wired together with signals to form new components. The 
simple nature of the running example has meant that a CM has not been needed.
The Sequencer PR  (ss_PR) provides a behavioural description of the main actions of the 
AEP pipeline. It is one of three PRs that model the pipeline action. A BVHDL PR may only 
contain one operation. The ssJPR operation has a main case statement, which selects on 
the value of the opcode parameter. If a Id r  (load the register) opcode is detected the source 
register data (loaded in the last pipeline phase) is loaded into the destination register, ready 
for saving in the next cycle of the pipeline.
The remaining two PRs describe the parts of the pipeline that either: (a) read the source 
register, from which inputs are taken; or, (b) writes to the destination register, where results 
are saved. To simplify the example the rr_PR machine owns all the pipeline registers. Every 
time the process is invoked the pipeline registers contents are shifted along: the data in xdO
184 J u ly  6 , 2 0 0 8
7.3. Hardwai’e Development in B
MACHINE aa_SM 
SEES Bool_TYPE
INCLUDES ww.PR, ss_PR,rr_PR, tt_PK , oo_PK 
VARIABLES oO,sO,dO,su,du,ou
INVARIANT
oO: OPCODE & ou: OPCODE & sO: 0 . .reg_num & su: 0..reg_num f 
dO: 0..reg_num & du: 0 . .reg_num &
( ( re g _ w r it te n  =TRUE & reg_read  =TRUE) => (s l /= d3 ))
INITIALISATION
oO:= nop I I ou:nop I| sO:= 0 II su:= 0 II dO:= 1 II du:= 1
OPERATIONS
aa_port(xo , xs , xd) =
PRE
x o : OPCODE & x s : 0 . . reg_num & x d : 0 . . reg_num 
THEN
oO:=xo I I sO:=xs I I dO:=xd 
END;
a a _ a rc h i te c tu re  =
BEGIN
rr(oO,sO,dO) I I s s ( o l , s r )  I I ww(d2,dr,o2) I I 
s u , du , ou :=sO, dO, oO 
END 
END
MACHINE tt_PK
CONSTANTS da ta_pa th ,  reg_num
PROPERTIES data_path;NAT & reg_num;NAT & data_path=3 & reg_num=2 
END
MACHINE oo_PK
SETS OPCODE = {Idr,nop}
END
Figure 7.2.: AEP Entity Architecture Simple Machine Plus Packages
J u ly  6 , 2008 185
Chapter 7. Comparisons with Other Work
is read into d l in the first stage of the pipeline, d l is read into d2 in the second stage of the 
pipeline, and d2 is read into d3 in the third stage. The rr_PR machine, depicted in Figure 7.4, 
SEES the registers owned by the ww_PR machine, and therefore has read-only access to them. 
The contents of the source registers are read from ww. On detecting a hazard (read and 
write of the same register at the same time) a no-operation (nop) is inserted into the pipeline 
instead of the fetched opcode, and the register bank is not read; otherwise the values it was 
called with are latched in.
The ww_PR machine (Figure 7.5) loads the data xdr into the register bank at xd2 if xo2 is not 
a nop. The ww_PR machine owns the register bank, which is describe in the invariant as a total 
function that maps register locations to contents. The initialisation is non-deterministic. The 
pipeline functionality is very low level. The register is written to by the ww operation if the 
input opcode is not a nop. A register flag reg _ w ritte n  is used to record when the register 
has been written to. The ss_PR, .rr_PR, and ww_PR specifications detail the mechanics of the 
pipeline.
Low-level specifications are arrived at by a process of formal refinement from a higher level, 
more abstract, specification. To allow automatic translation to synchronous VHDL we must 
introduce a clock and this is done using refinement. Figure 7.6 depicts a timing and data 
refinement. The BToolkit generates the POs that require discharging to ensure that the 
system refinements holds. These specific hardware refinements can be avoided if they were 
implemented on translation, which is the subject of chapter 6.
In the refinement rO_nuin_SG is included into the wwR_PR refinement. rO_num_SG is a BVHDL 
library machine that provides operations to set and get an encapsulated signal value. This 
library machines has a corresponding VHDL fragment. The B tool has been extended to 
allow users to create BVHDL library components with the associated equivalent VHDL to 
replace it on translation. The philosophy behind allowing library machines is to make use 
of the VHDL of trusted components. The same approach is used successful in B software 
development, with the library of implementation data objects. The invariant is used to link 
the refinement wwR_PR to the more abstract ww_PR. It links the register bank array, reg O , 
with the individual registers r*_num. This permits the data refinement POs to be discharged. 
The timing refinement is the introduction of a clock. The refinement satisfies the abstraction 
when there is a clock event (clock_EVENT=true) which is when the clock is high (clock= ’! ’).
To prevent circular references machines can only be included once, but this prevents the shar­
ing of the individual registers. Although the individual registers can be seen by a refinement 
of rr_PR (rrR_PR) a linking invariant cannot be constructed to discharge the refinement POs 
(seen state may not be used in the invariant). The abstract specification could be rewrit­
ten with registers as a separate machine. A more sensible approach would be to translate 
to Handel-C (see chapter 6). The VHDL obtained 6om  the translation can be found in 
Figure 7.7 and Figure 7.8.
There is no proof of equivalence between the semantics of BVHDL and the semantics of VHDL. 
An informal correctness argument relating the BVHDL PR and the VHDL process is given as 
follows. BVHDL assignments are made in parallel. The generated VHDL signal assignments 
all have a fixed delay so like the BVHDL assignments they all happen simultaneously. The 
VHDL assignments occur in a process when a signal in the sensitivity list changes, equally 
all BVHDL PR  refinements must be guarded by an appropriate clock and reset signals in
i 8 6  J u ly  6 , 2008
7.3. Hardware Development in B
MACHINE
SEES
VARIABLES
INVARIANT
ss_PR
oo_PK,tt_PK
dr
d r :0 .  .da ta_pa th
INITIALISATION dr:=0 
OPERATIONS
s s (x o l ,  xsr)  =
PRE
x o l ; OPCODE & 
x s r : 0 . . data_path  
THEN
CASE xol OF
EITHER Id r  THEN 
dr := xsr  
OR nop THEN 
dr := dr 
ELSE 
skip 
END 
END 
END 
END
Figure 7.3.: AEP Sequencer Process Ma­
chine
MACHINE rr_PR 
SEES
ww_PR, oo_PK, tt_PK, Bool_TYPE 
VARIABLES
o1 ,o2, s i ,d l ,d 2 ,d3 , s r , reg_read 
INVARIANT
ol:OPCODE & o2:OPCODE& 
s 1:0. . reg_nuin& dl : 0. . reg_num& 
d2: 0 . , reg_num& d 3 : 0 . . reg_num& 
sr :0 . .da ta_pa th&  reg_read:BOOL 
INITIALISATION
ol:=  nop I I o2:=nop|I s l : = 0  I I 
d l :=  1 11 d2:= 1 I| d3:= 1 I I
s r :=  0 II reg_read:=  FALSE 
OPERATIONS
rr(xoO, xsO, xdO) =
PRE
xoO:OPCODE & xs0:0..reg_num  & 
xdO: 0 . . reg.num 
THEN
/*  pipe l in e  Stage 1 ------ */
s i  := xsO II d l  := xdO I I 
IF (xsO /= d2) & /*hazard* / 
(xoO /= nop) /*nop d e t .* /  
THEN
ol := xoO I I 
s r  := reg(xsO)I 1 
reg_read := TRUE 
ELSE /^ I n s e r t  bubble*/ 
ol := nop I I 
reg_read := FALSE 
END I 1
/*  pipe l in e  Stage 2 -------*/
o2 := ol II d2 := d l  II
/ *  pipe l in e  Stage 3 -------*/
d3 := d2
END 
END
Figure 7.4.: AEP Read Process Ma- 
diine
J u ly  6 , 2008 1 8 7
Chapter 7. Comparisons with Other Work
MACHINE ww_PR 
SEES tt_PK, oo_PK, Bool_TYPE 
VARIABLES reg ,  reg_w rit ten  
INVARIANT
reg: ( 0 . . reg_niim)—>(0, .data_path)& 
reg_w rit ten  : BOOL 
INITIALISATION 
reg : : (0. .reg_nxim)—>(0. .data_path) I I 
reg _ w ri t ten  := FALSE 
OPERATIONS 
ww(xd2,xdr,xo2) =
PRE
xd2:0. . reg_nim& xdr:0 . .da ta_path  & 
xo2: OPCODE 
THEN
IF xo2 /= nop THEN
reg_w rit ten  := TRUE I I 
reg(xd2) := xdr 
ELSE
reg_w rit ten  := FALSE 
END
END
END
Figure 7.5.: AEP Write Process Machine
REFINEMENT wwR.PR 
REFINES ww_PR 
INCLUDES
clock_EV, rO_num_SG(data_path), 
rl_num_SG(data_path), 
r2_num_SG(data_path)
SEES tt_PK, oo_PK, VHDL_PK
INVARIANT
reg(0)=  rO_num& /*a:{b}  => a = b*/ 
r e g ( l )=  rl_num& 
reg(2)=  r2_num& 
clock_EVENT& clock= ' 1 ’
OPERATIONS
ww(xd2 , xdr , xo2)=
IF clock_EVENT& 
clock=
THEN
IF xo2 /«  nop THEN 
CASE xd2 OF 
EITHER 0 THEN 
rO_num_STO(xdr)
OR 1 THEN
rl_num_8T0(xdr)
OR 2 THEN
r2_nura_ST0(xdr)
END
END
END
END
END
Figure 7.6.: AEP Read Process Ma­
chine
i 88 J u ly  6 , 2008
7.3. Hardware Development in B
l i b r a r y  ieee ;
use i e e e .s td _ lo g ic _ 1 1 6 4 .a i l ;
package asp_def i s  — D e f in i t io n  of da ta  types
constan t reg_num ; in te g e r  := 2 ; constan t data^path ; in te g e r  := 3 ; —
type OPCODE i s  ( Id r ,n o p ) ;  type BOOL i s  (FALSE,TRUE);
end asp_def;
l i b r a r y  work, i e e e ;
use work. asp_def. a l l  ;
use ie e e .s td _ lo g ic _ 1 1 6 4 .a l l ;
e n t i t y  aa i s
p o r t  (oO: in  OPCODE; sO, dO; i n  in te g e r  range 0 to  reg_num; 
su, du; out in te g e r  range 0 to  reg_num; ou: out OPCODE);
end aa;
a r c h i te c tu r e  vhdl of aa i s
s ig n a l  rO_nura: in te g e r ;  s ig n a l  rl_num: in te g e r  ; s ig n a l  r2_num: in te g e r ;
s ig n a l  o l ,  o2: OPCODE ;
s ig n a l  s i ,  d l ,  d2, d3: in te g e r  range 0 to  reg_num;
s ig n a l  d r ,  s r :  in te g e r  range 0 to  data_path ;
Figure 7.7.: AEP VHDL - Part 1: Declarations
the SM (adding a reset is a minor amendment to the example). Appropriate guards could 
be constructed to restrict the B correctness condition to a rising clock edge as discussed 
above. The resulting VHDL process would be sensitive to the clock variable of the correctness 
condition, and therefore activate on it. Hence a valid state change in the BVHDL PR  equates 
to a valid state change in the VHDL process. The SM architectures operations connect PRs, 
which does not interfere with the concurrent nature of the assignments within the PRs. The 
translation of the SM architecture has the individual processes arranged concurrently with 
connecting signals. Hence, the VHDL preserves the concurrent semantics of BVHDL.
The VHDL generated from the BVHDL specifications is given in Figure 7.7. Standard libraries 
and custom packages concerning the VHDL data types are referenced and made visible by 
the l ib r a ry ,  use and package clauses. The information in the user defined packages tt_PK 
and 0 0  JPK are translated into constant clauses, and enumerated types contained in the asp 
package. The entity port and architecture aa are translated from the aa_SM machine. The 
port names are derived from the assignments in the aa_port operation. The signals associ­
ated with all the process specifications are introduced into the architecture in the declaration 
part. The process sensitivity lists are constructed from the actual parameters and the signal 
on the right-hand side of an expression in the processes. Processes are label with their equiv­
alent B operation name. In the first process r r  the if-then-else structure of the B operation is 
mimicked. The function override assignment is translated into a case statement. All assign­
ment time delays are 1 ns. The parallel assignments in the B are translated into sequential 
statements in the VHDL. The semantics of the B assignment statements are preserved if the 
VHDL assignment statements are scheduled to occur at the same time. The ss  process uses 
an o th e r  catch all clause in the case statement. Only the ww machine is refined and clock
J u ly  6 , 2 0 0 8  1 8 9
Chapter 7. Comparisons with Other Work
begin
r r  ; process (o l ,  o2, d l ,  d2, oO, sO, dO) 
begin
s i  <= sO a f t e r  1 ns; d l <= dO a f t e r  1 ns;
i f  sO /*  d2 and oO /= nop then  o l <= oO a f t e r  1 ns;
case sO i s
when 0 => s r  <= rO_nim a f t e r  1 ns; when 1 => s r  <= rl_num a f t e r  1 ns;
when 2 => s r  <= r2_num a f t e r  1 ns;
end case; 
e ls e  ol <= nop a f t e r  1 ns; 
end i f ;
o2 <= ol a f t e r  1 ns; d2 <= d l  a f t e r  1 ns; d3 <= d2 a f t e r  1 ns; 
end process r r ;
ss  : process (o l ,  d r ,  s r)  
begin
case o l i s
when Id r  => dr <= s r  a f t e r  1 ns; when nop => dr <= dr a f t e r  1 ns; 
when o the rs  => n u l l ;  
end case; 
end p rocess ss;
ww ; process (o2, d2, dr) 
begin
i f  clock = ^1' and clock_event = ’ 1’ then
i f  o2 /= nop then  case d2 i s
when 0=> rO_num<= dr a f t e r  1 ns; when 1=> rl_num<= dr a f t e r  1 ns;
when 2=> r2_num<= dr a f t e r  1 ns;
end case ; end i f  ; end i f  ; 
end process ww;
su <= sO a f t e r  1 ns; du <= dO a f t e r  1 ns; ou <= oO a f t e r  1 ns; 
end vhdl;
Figure 7.8.: AEP VHDL - Part 2: Processes
1 9 0  . J u ly  6 , 2 0 0 8
7.3. Hardware Development in B
introduced in this example. To make this code synthesisable the clock would need to be in 
the sensitivity list of all processes, and there would need to be an asynchronous reset in each 
process.
7.3.2. Hardware modelling in BHDL
Boulanger et. al. outlines a methodology for developing functional B models of hardware 
circuits implemented with components corresponding to VHDL low level libraries [ABM02], 
called BHDL. In the Boulanger approach low level logic components (multiplexers) are built 
up from logic gates, which are themselves described by the standard logic libraries represented 
in B. This approach has a richer hardware data type model than the BVHDL approach, but 
completing the proofs with the extended types was not possible with the level of tool support 
when the work was reported [ABM02].
Modelling of circuits
Figure 7.9 is a description of a multiplexer gate (B_Mux_0) in BHDL. It switches one of 
the inputs to the output depending qn the value of the select input. Each gate input pin 
is modelled independently in a different operation to allow them to change asynchronously. 
Calling a pin operation recalculates the gate function. The output is applied to the output 
port when the output operation is called. Boulanger et. al [ABM02] introduce the non- 
deterministic assignment in the form var-list G (predicate-list) were the variables in var-list 
are constrained by the predicate-list. In contrast a BVHDL model has two distinct parts; 
a part that latches inputs and a part that recalculates the output signals. Each part is 
captured in a different operation. The BHDL approach allows inputs to change independently 
as asynchronous changes occur. At the higher level in BHDL a function description is used 
to represent the circuit (the Compute- function in Figure 7.9).
The multiplexer can be modelled directly in BVHDL:
IF Se lec t  =  FALSE THEN out := in_ l ELSE out :=r in_2 END;
In Figure 7.9 the input pin in _ l gets a new value when in _ l(v a l)  is called. The value 
of the output pin out is selected from the valid states that result from changing the input. 
The B operations specify the constraints on the outputs. The BHDL approach refines the 
components, like the multiplexer, by importing lower level models of component using basic 
gates like the ’not’ and ’and’ gates. Theoretically if the refinement steps are small enough then 
they should be provable. The formalised method does assume that the functional model of the 
gates is a correct representation of the gates. In the example provided by [ABD+03], reworked 
in Figure 7.10, the implementation of the multiplexer is the lowest level of abstraction. The 
basic gates are imported. The link between the basic gates is made by the invariant. Local 
variables are created in the implementation to tie the internal signals together. Each operation 
has similar .logic. The VHDL 8td_logic_.1164 Library is defined although the logic model is 
not been used in the definition of the library gates.
When a port operation is called the value supplied in the parameter is saved in a global 
J u l y  6 , 2008 191
Chapter 7. Comparisons with Other Work
MACHINE B_Mux_0 
DEFINITIONS
Compute.(xx, yy , z z ,res)==bool( ( (xx=FALSE)=>(res=yy))& ( (xx=TRUE)=>(re s= zz ))) 
VARIABLES 
S e le c t , i n . l , i n . 2 , out 
INVARIANT
Select:B00L6 in_l:BOOL& in .2 ;  BOOL& Com pute.(Select, i n _ l , in _ 2 , out) 
INITIALISATION 
OPERTIGNS
i n . l ( v a l ) = i n . l , o u t  : (in_l:BOOL & in . l= v a l  & out :BOOL &
Com pute.(Select, i n . l , i n . 2 ,o u t ) ) ;
i n . 2 ( v a l ) = . . . ;
G a te (v a l)= S e le c t ,out : (Se lec t  :BOOL & Selec t=val & out;BOOL &
Com pute.(Select, i n . l , i n . 2 , o u t ) );
va l  <— Out = v a l :=out END
Figure 7.9.: BHDL Description of a Multiplexer
IMPLEMENTATION B.Mux.n 
REFINES B_Mux_l
IMPORTS Al.B.And.O, A2.B_And_0, 03.B.0r_0, NN.B.Not.O 
INVARIANT
select=A 2.in2 & select=NN.in & NN.out=Al. in2 & in . l= A l . in i  
in .2=A 2.in l & A1. ou t=03 .in i  & A2. out=03. in2 & out=03. out 
INITIALISATION 
VAR xx,yy ,zz  IN
NN.In(FALSE) ; xx<—NN.Out; Al. I n . l  (TRUE) ;
A l.In .2 (x x ) ;  yy<—A l.Out ; A2.In.l(TRUE);
A2.In.2(FALSE); zz<—A2.0ut; 03.1n_l(yy) ;
0 3 .In _ 2 (z z ) ; out<—0 3 .Out
END
OPERATION
END
Figure 7.10.: The Multiplexer Implementation
192 J u ly  6 , 2008
7.3. Hardware Development in B
SETS STD_ULOGIC={UU, XX,0 0 ,I I , ZZ,WW,LL,HH,DD}
CONSTANT STD_LOGIC, XOI, UIOX, NOT_STD
PROPERTIES STD.LOGIC <; STD.LOGIC & STD_LOGIC = STD.ULOGIC -  {DD} & 
XOI <: STD.ULOGIC & {XX,0 0 ,I I}  &
UIOX = {UU,XX,00 ,I I}  &
NOT.STD; STD.ULOGIC -> STD.ULOGIC &
STD.ULOGIC :
{UUI->UU,XXI->XX,0 0 1~>II, I I I ->00,
ZZI->XX,WWI->XX,LL t - > I I ,HHI->00,DD|->UU
}
OPERATION
out <— Not(in) = PRE in;STD.ULOGIC THEN out ;= N0T_STD(in) END; 
END
Figure 7.11.: Nine Valued Logic BHDL Model
variable, as well as being used along with the other global variables to recalculate the new 
output. In BHDL no distinction is made between synthesisable and non-synthesisable VHDL.
The extended bit VHDL Library
The library depicted in Figme 7.11 is a portion of the model of the VHDL exteneded bit 
standard logic type. There are nine elements in the extendedbit type. The main problem is 
that B does not allow operator over-loading. Consequently, many more operations are defined 
in the B than in the VHDL to cover the complete type mapping space. The operations are 
selected by finding an operation with an enabled precondition. There is no information on 
how this is applied in practice. In contrast the BVHDL approach obtains realistic models by 
utilising basic two valued standard logic, which is synthesisable. In BVHDL library machines 
can be introduced that have the standard logic data type. The typing rules were extended to 
allow sub-range typing checks. The BHDL approach includes much more of the capabilities 
of VHDL than the BVHDL approach, but no example of the use of the STD—LOGIC_1164 
library has been given in BHDL, and it is not synthesisable to netlist form.
Summary of BHDL Approach
The use of the functional description of circuits is not a standard part of the BVHDL. It is 
necessary in the BHDL approach because the functionality is repeated in every operation that 
supports an input pin. The BVHDL approach begins from the assumption that the circuit 
will receive synchronised input from a clock edge, and a port operation feeds all the inputs 
into the circuits description on the clock edge synchronously.
The treatment of the STD-L0GIC-11Q4: Library is much more thought out in BHDL, but in 
doing so the approacli creates descriptions that are not directly synthesisable. BVHDL deals 
only with synthesisable logic. The key question is how far down is it necessary to model to
J u ly  6 , 2 0 0 8  i9 3
Chapter 7. Comparisons with Other Work
guarantee a circuit will be synthesised correctly in silicon. The BHDL approach advocates 
using refinement to basic gates as a form of secure development. However, even basic gates 
are optimised to a lower level netlist representation before the actual device is produced by 
the synthesis tools. BVHDL stops at RTL a level above the gate netlist level. The approach 
introduced in the technical section builds on the BVHDL research. The thesis work includes a 
hardware description language target that is not VHDL, but drops the requirement to specify 
a specific clock.
7.3.3. Hardware Design in B
Stefan Hallerstede [Hal03] addressed the development of signal convolution in hardware im­
plementation. The idea was to takes space and time trade-offs of hardware design into account 
when producing a model. Event-B was used to model both hardware and its environment. 
Hallerstede modelled the input/output as streams in Event-B. In the latter stages of refine­
ment pipelining is used to calculate the sum of the convolution. Pipelining involves introduc­
ing several independent stages in the processing stream. Because they are independent they 
can be performed in parallel. The results of one stage must be registered and fed into the 
next stage synchronously on each clock cycle. The extra registers introduced in the pipeline 
increase the size of the final design, but allow the clock speed to increase speeding up the 
final circuit. Hallerstede makes no real quantitative comparison between the trade off. The 
abstract convolution algorithm is used to demonstrate the correctness of the refined pipeline 
design.
Grant and Evans [GE07] reported the approach taken developing hardware. That built on 
work using Classical B and refinement to generate VHDL code for a microprocessor [ISSOl]. 
Ifill produced a classical B model of the pipelined AEP [Ifi02] [Ifi03] processor to demonstrate 
how classical B could be used for pipe-line processor development. Fragments of this code 
are illustrated in section 1.2.2. Grant and Evans later used a similar approach to show how 
refinement could be used to show the equivalence between the different levels of refinement 
in the Score processor reference.
7.3.4. Specifying and Synthesising Hardware in B and Bluespec
Research specifying hardware has been under taken as part of the RODIN project. Ian 
Oliver [Oli06] reported on the use of B and Bluespec to specify and synthesis hardware. 
In particular the interest is in constructing a declarative specification of the problem not 
polluted with implementation details like BHDL. Bluespec is a  rule based declarative hardware 
specification language based on term rewriting, which comes with a compiler that can schedule 
sets of rules and synthesis SystemVerilog. Bluespec specifications, like BVHDL, have a two 
part description: interface (port) and module (entity). Models contain the implementation of 
methods introduced in the interface. Rules are used to describe behaviour. Rules are urgent: 
they must fire when their guards are true. They are atomic and complete in a clock cycle. 
All enabled rules execute in parallel on the rising edge of the clock. If two or more rules 
are not mutually exclusive then only one will be scheduled. A model of the traffic controller 
in Bluespec is given in Figure 7.12. Four of the five operations are rules that update the 
system, but do not communicate with the outside world, and do not therefore appear in the
1 9 4  J u ly  6 , 2 008
7.3. Hardware Development in B
interface. The pedestrian operation has output so it is translated into a ActionValue method 
and appears in the interface.
typedef enum {Aller ^ Arret] COMMAND deriving {Bits, Eq)
I1{C0M M AND) Moat f -  M l{Arret)
I2{C0M M AND) Square i -  M2{Arret)
interface I I  ;
method ActionValuei^{Intij^{^)) Aller-pedestrian ; 
endinterface
modules Interrupting- C - T -  C -S  (Interrupting- C~ T_ C S  ) 
rule Aller-Moat{ Square Arret ); Moat <= Aller endrule 
rule Arret-Moat{ Moat = Aller ); Moat <= Arret ; pu <= 5 endrule 
rule Aller-Square{ Moat =? Arret ); Square <= Aller endrule 
rule Arret-Square{ Square =  Aller ); Square <= Arret ; pu 4= 10 endrule 
method ActionValuejj^{Intif{d>)) Aller-pedestrian if (pu > 0 ); 
begin
pv 4= pv ~ 1 ] 
return pu ; 
end 
endmethod 
endmodule
Figure 7.12,; Bluespec Interrupting Traffic Controller Operations
Oliver notes that Bluespec is based on action semantics like B. Bluespec uses atomic inter­
leaving of actions with clock scheduling and rule priority, and the Bluespec compiler schedules 
the rules so only a subset of the possible state are visited (scheduling puts them in a deter­
ministic order). Although, any given B program can be mapped into Bluespec additional 
guarding of rules and methods is required to maintain semantic equivalence. A translation of 
the traffic controller is given in Figure 7.12. The annotations have not been translated over. 
The consequence is that there are no constraints. Hence, the Aller-pedestrian operation can 
be scheduled interleaved with either AllerSquare  or Aller-Moat rules. Extra guards are 
required that represent the annotations control. The guard pu =  0 needs to be added to 
AllerSquare  and Aller-Moat rules. B annotations could be used to add these additional 
guards to guide the translation. The purpose of the annotations is to guide the execution 
sequence, which is similar in conception to rule/method firing.
J u ly  6 , 2008 195
Chapter 7. Comparisons with Other Work
7.3.5. VHDL translation to  B
It is very unlikely that hardware design engineerings will adopt B as a development entry 
language. Hence, Aljer and Devienne have developed a translator from VHDL to B. Once in 
B the modules can be formally verified. Aljer and Devienne highlight three important facts. 
Firstly, the majority of digital circuits have at least one processor on them, which means 
that the majority of new designs are co-designs. Secondly, increasing chip density and clock 
speeds means higher random failure rates. Thirdly, the greatest concern to hardware design 
engineers is the burden functional verification has on projects. This implies that the majority 
of new designs should be fault tolerant co-designs. In addition more formal verification 
based around refinement could be used to help alleviate the problems surrounding functional 
verification. Aljer and Devienne propose a stronger emphasis on architectural design as a 
co-design entry point. ACME is a Architecture Design Language developed by the ABLE 
group at Carnegie Mellon University, and Dave Wile at USC’s Information Sciences Institute. 
It contains the majority of important feature required to support component development and 
interconnection, with the power to map architecture to other architecture. The supporting 
tool, AcmeStudio, has a constraint language to assist in property evaluation. On the hardware 
side the main advantages for VHDL is that it supports structuring, strong typing, and has 
an unambiguous semantics. The generation of B from VHDL can be achieved using VGUI a 
free graphical interface. VHDL outline entities and architectures are generated from VGUI, 
which can be further refined into VHDL. The outline entities and architecture are derived 
during architectural design in ACME. During refinement pre-existing library components can 
be added to facilitate component re-use. ANTLR (ANother Tool for Language Recognition 
is used to generate the B code from the VHDL.
We do not explore in any great depth fault tolerance in the thesis work. However, the anno­
tation framework could be extended with fault tolerance. The n e x t  e x c e p t i o n  annotation 
is like a n e x t  annotation with an additional exception clause.
OPi = PRE. . .THEN. . .END  /* { O P j } N E X T  
{O P f]E X C E P TIO N \  */
If a random error occurs in the implemented system during the execution of the current 
operation (OP,) the preconditions of the n e x t  operation (OPj) may not be satisfied. The 
failure to establish Pj implies that Pf is established.
The Pf must be a disjunction of the negation of the conjuncts of Pj. This means that the 
failure of OP, does not have to be catastrophic, as it may failed to establish a single conjuncts 
of Pj.
http://www.cs.cnm.edu/ acme/docs/language_overview.html 
®^http://www.antlr.org/
1 9 6  J u ly  6 , 2 008
7.4. State Machine Modelling
r i
A?
O
B?
O
O!
R?
Figure 7.13.: Distributed Model Check Synchronisation
7.4, State  Machine Modelling
We review a state machine approach which adds a level of abstraction to the HDL approaches. 
The following approach characterises a model using transitions and synchronisations, but does 
not afford the specification of invariants. The Esterel language [EstOS] addresses the need in 
state machine control specifications to write things once. In particular it provides a notation 
and semantics to describe synchronisity and interrupt handling in reactive programs. Ignoring 
the initialisation a mealy machine would require eight arcs and 4 states to describe the state 
machine below described in Esterel. It generates an output O when both A and B are received, 
and resets on R. The code fragment is represented diagrammatically in Figure 7.13.
module ABRO : 
inputs A, B, R] 
output 0 \ 
loop
[ àwaü A II await B ]; 
emit 0 ; 
each R 
end module
The code fragment represents the parallel combination of the two statements A and B that 
terminate when both statements within them terminate. The synchronised statement occurs
July  G, 2 0 0 8 197
Chapter 7. Comparisons with Other Work
when all the actions have terminated. The time taken for synchronisation is 0 seconds. The 
example shows the interrupt action i2?, called the preemption operator, which takes the state 
machine back to the initialisation states. This is strong preemption indicated by the full 
terminator (•) in Figure 7.13 and “loop ... each” in the text. This means that A and B are 
suppressed if they occurs during the initialising preemption action. In way of comparison 
CSP II B can be used to synchronise event from different machine controllers. Event-B has 
no direct mechanism to hold up control flow until a synchronisation occurs. The modelling of 
reactivity with preemption is a key concept in Esterel programming. Esterel has a data flow 
capability, which will not be detailed here. It is useful to allude to the behavioural semantics of 
synchronisation. The synchronisation of p and q{p\ q) occurs when p terminates (termination 
indicates by 0) and the context environment for q includes the output event of p.
E', 0, , E', /, ,
E'uF ', I p; q ----- — 4 - y
In the above the context event E  determines which signals are delivered to cause p to evolve 
to p', E ' is the event caused by p in the context environment E. Berry states that signal 
information flows from p to g, because the broadcast invariant implies that E' \J F' C E, 
which implies E ‘ C E, ie. q receives signal emitted by p. The behavioural semantics for 
parallel execution has a similar premise, except that the return codes are denoted as k and I. 
The output event consists of E' U F' and the maximum of A: or /. The continuation program 
is the parallel combination of the pair.
E__________ E
E'uF', max(k,l) [parallel)
p \q ------------     >p'\q'E
The approach taken by annotated B is to utilise the n e x t  in t e r l e a v in g  annotation to obtain 
interleaved behaviour between operations of the same machine, in which all the interleaved 
threads must terminate before the control continues. In the future work an annotation that 
permits the synchronisation of operation needs to be considered. The sequential specification 
is obtained with the SEQUENCE NEXT annotation.
7.5. CSP and Z
Mota and Sampaio[MS01] researched the model checking of specifications developed in CSP 
and Z (CSP-Z). Their contribution was to present an approach to model-checking complex 
specification for deadlock freedom in a compositional way. By reviewing their work the merits 
of the CSP-Z approach can be presented. CSP-OZ is a semantic integration of CSP and OZ 
(object Z). It is noted that work has been undertaken on this integrated by Fischer [Fis97],
i g 8  J u ly  6 , 2008
7.5. CSP and Z
The control systems that are the intended domain for the application of this thesis do not 
require object creation.
A CSP-Z specification may have external and local channel interface declarations. The totality 
of the interfaces constitute the alphabet (S). Z schemas are used to type the channels and 
provide the constraints for the event. Event channels have an empty schema type. The main 
equation details the concurrent behaviour of the specification. Processes are synchronised 
within the main section, using alphabetised parallel.
Annotated B achieves a form of concurrent behaviour using the INTERLEAVING NEXT annota­
tion as mentioned above. Concurrency and communication between annotated B operations 
is a future goal. This annotation highlights the synchronisations between different machines 
operations and is discussed in the future work section 8.
Consider the code fragment in Figure 7.14 adapted from Mota and Sampaio. The beginning 
of that spec is given as follows:
spec WDT
channel clockWDT : [elk : CLK] 
channel reset, recover : []
local-channel timeOut, noTimeOut,failFTR, offW DT  : j]
The interface of the WDT specification is made up of clockWDT (which can carry CLK data 
in the variable elk), reset and recover are just events signified by the empty type set. The 
remaining events are not visible to the outside world.
main = Signal \\offWDT
Signal ~  {reset —> Signal QoffWDT  -4 skip)
Verify = {clockWDTIelk {noTimeOut —>■ Verify
OtimeOut {recover -> Verify
QfaüFTR ^  offW DT  -4 skip)))
Figure 7.14.: Example of a CSP Controller for CSP-Z specification
The schema for the reset event is prefixed with com—, as are all schema definitions that related 
to a specific event. The schema details the state constraints as follows:
com-reset =  [ùiState | cycles' — 0]
In Figure 7.14 the Signal and the Verify processes share the off W DT  event. The Signal 
process may reset and restart over, or accept the off Watch Dog Timer (WDT) event and 
shut-down. The Verify process initially accepts a clock event. Then times out or doesn’t 
timeout and restarts. If it times out then a choice is made between recovery and failure. If 
recovery is successful then Verify restarts otherwise the Fault Tolerant Recovery (FTR) fail 
event failFRT  is signalled and the WDT is turned off before the Verify process terminates. In
J u ly  6 , 2008 199
Chapter 7. Comparisons with Other Work
way of contrast we observe that currently it is possible to have two control loops within one 
machine, which share operations. (Only one main loop is permitted currently in annotation 
B controllers. This restriction was imposed to facilitate the ease of translation.)
The CSP-Z approach associates the Z schemas with CSP events. CSP events that have no 
corresponding schemas are permitted, which is not the case with annotations currently. The 
Z part is given a CSP failures-divergence semantics so that they can be put in parallel with 
the CSP controllers like CSP||B. The final state of a non-empty trace of events described by 
a CSP-Z process is the composed of the schemas events (provided the preconditions of the 
schemas are satisfied). If a schema precondition is not satisfied then the process behaviour is 
STOP  (a process that will not engage in any more events). The influence of the state over 
the process is expressed in guards in the CSP. Functions in CSP are used to model the Z 
schemas. The schema comm function types the schema state, tests the precondition function, 
and produces a set of possible new states with a postcondition function:
com{{vl,...,vn),{Ch.In.O ut)) =
{ i v l ' , . . . , v n ' ) \ { v V < r -  state,
pre{{vl, ..., vn), In), 
post{{vl, ..., vn), {v l ' , ..., vn'), In, Out)
}
The conversion of the Z part is achieved with the Z-C SP  and other Z  functions, where the 
Interface is the set of internal and external channels:
Z-C SP  = let
Z {State) =
□ {States, Comm) : {{com{State, c), c) | c <- Interface} • 
States ! =  {}&:
n state' : States • Comm Z{State') 
within n iState : Init • Z{iState')
The pair {States, Comm) is the sets of new states and associated communication offered to the 
environment. A new state {state') is internally selected which will recursively generate more 
communications from the Z function in the sequence of communications. The Z  function 
begins with a new valid initial state {iState') drawn from Init. The states generated can not 
be empty. The CSP process
n State' : States • Comm -4 Z{State')
is recursively unwound.
The translation function is extended by Kassel and Smith [KSOl] to permit divergence {DIV) 
when there is no new state. They developed their approach for OZ-CSP. Note however, in 
this comparison, we do not use any object modelling. A hand translation of the BVHDL 
pipelined processor described in Section 7.3 in line with the Kassel and Smith approach is
2 0 0  JULY 6 , 2 0 0 8
7.6. Event-B
given in Figure 7.15, Figure 7.16 and Figure 7.17. The translation is from B to CSP. In the 
supporting function section of the model given in Figure 7.15 the channels identify the system 
inputs and outputs. The state is a global typed set. The Init set is the state constrained with 
the desired initial state settings. An event occurs on one of the defined channels. The values 
on the channels are draw from four types of sets: s ta te ,  in , out or Ops. The Ops set in this 
example has elements that corresponded to the B operations read (r), write (w) and sequence 
(s). The input and the outputs sets have different definitions depending on the operation: 
the in  and out functions generate the appropriate set depending on the operation parameter 
supplied. The r  operation event produces a r  channel event made up from the elements of 
the r  in  set and two parts of the present state ( s i  ' and d3’). The s event passes no data. 
The w event puts the w out set on the w channel. In the main section of the model, given in 
Figure 7.16 the e f f e c t  is a function that produces outputs and new states.
In the semantic model given in Figure 7.17 it is possible to have dependencies between events. 
In this model all events are enabled regardless. The semantic function develops the meaning 
of the B model by producing all possible valid traces that the e f f e c t  and event functions can 
concurrently participate in. Possible operations and inputs are drawn non-deterministically 
from their respective sets. Both an e f f e c t  and an event function call will occur in the 
trace provided the operation is enabled from the present state, and the effect for the inputs 
and present state is not empty for the selected operation. This differs from the Mota and 
Sampaio approach which has a trace of the communications. The trace is begun from the 
initial state. The Kassel and Smith CSP organisation is a sequential representation of the B 
and all possible sequences are tried. The CSP version of the B model is checked for hazards 
in the assertions part.
It is slightly easier in the Kassel and Smith model to see the intended control flow paths than 
it is in the BVHDL model. In the BVHDL model all the operations execute on every visit to 
the machine. The current state determines when they modify the state. Coding up the CSP 
model from Z is quite involved. Using annotations is a better approach if the state model 
is in B. The B model does not need modifying during the development of the CSP model in 
annotated B. Execution of the joint model (annotated B and CSP controller) is not necessary 
to show non-divergence in the annotation approach.
7.6. Event-B
7.6.1. Introduction
The machine-annotation consistency of guarded actions can be treated in the same way as the 
machine-annotation consistency of preconditioned operations. Hence, annotations approaches 
apply in Event-B. In the following both hardware modelling and approaches that add control 
aspects to Event-B are detailed.
J u ly  6 , 2 008
Chapter 7. Comparisons with Other Work
data type  OPCODE = nop I Id r  
nametype Nats = {0 ,1 ,2 ,3}  
channel r  : OPCODE.Nats,Nats.Nats.Nats 
channel s
channel w : Nats .Nats .N ats
s t a t e  = { ( s i , o i , o 2 , d l , d 2 , d 3 , s r , d r , r 0 , r l , r 2 ) 1 
s i< -N a ts ,o i< -N a ts , o2<-Nats, 
d l<-Nats,d2<-Nats,d3<-Nats, 
sr<-Nats,dr<-N ats ,rO<“Nats, 
r l< -N ats ,r2<-N ats>
i n i t  = { ( s i , o l , o 2 , d l , d 2 , d 3 , s r , d r , r 0 , r l , r 2 ) I  
( s i , o l , o 2 , d l , d 2 , d 3 , s r , d r , r 0 , r l , r 2 ) < - s t a t e ,  
s1==0, o1==0, o2==0,d l= = l , d2==l,d3==l, 
s r ==0,dr==0,r0==0, r1==0, r2==0}
e v e n t ( r , ( s l \ o l '  , o 2 \ d l '  , d 2 \ d 3 \  s r  \ d r \ r O \ r l  ' , r 2 '  ) ,
( r _ a , r _ b , r _ c ) , out) = r . r _ a . r _ b , r _ c . s l ’ .d3 ’ 
e v e n t( s ,  s t ’ , i n ,  out) = s 
even t(w ,S t ' ,in,(w_l,w_2,w_3))= w.w_l.w_2.w_3 
in ( r )  ={(o_r,d_r,s_r)to_r<-OPCODE,d_r<-Nats,s_r<-Nats} 
in ( s )  ={{}} 
in(w) ={{}} 
o u t ( r )={{}} 
out(s)={{}}
out(w)={(wl,w2,w3) IwK-Nats,w2<-Nats,w3<-Nats>
Ops = {r ,s ,w }
e n a b l e ( r ) ( ( s l , o l , o 2 ,d l , d 2 ,d 3 , s r , d r , r O , r l , r 2 ) )  = t ru e  
e n a b l e ( s ) ( ( s l , o l , o 2 ,d l , d 2 ,d 3 , s r , d r , r O , r l , r 2 ) )  = t ru e  
e n a b le ( w ) ( ( s l , o l , o 2 ,d l ,d 2 ,d 3 , s r ,d r , r O , r l , r 2 ) )  = t ru e
Figure 7.15.: BVHDL-CSP Preliminary Functions
J u ly  6 , 2008
7.6. Event-B
e f f e c t ( r ) ( ( s l , o l , o 2 , d l , d 2 , d 3 , s r , d r , r 0 , r l , r 2 ) , (oO,sO,dO))= {({},
( 8 l \ o l \ o 2 \ d l \ d 2 \ d 3 \ s r \  dr ’ , r 0 ^ r l ’ , r 2 0 )  I 
( s i ’ , o l ’ ,o 2 ’ , d l ’ ,d 2 ’ ,d 3 ’ , s r ’ , d r ’ ,rO’ , r l ’ , r 2 ’ ) < - s t a t e ,
( (s0!=d2 and
( ((s0==0) and ( s r ’==rO)) or
((sO==l) and ( s r ’= = rl))  or 
((s0==2) and ( s r ’==r2))
) and
s l ’==sO and o l ’==oO and d3’==d2
) or
(s0==d2 and
s r ’==sr and s l ’==sl and 
01’==nop and d2’==d2 
o2’=-o2 and d l ’==dl and 
d3’==d3 and d r ’==dr and rO’==rO and 
r l ’==rl and r 2 ’==r2
)
)
e f f e c t ( s ) ( ( s l , o l , o 2 , d l , d 2 , d 3 , s r , d r , r 0 , r l , r 2 ) ,_)=
{({},
( s l ’ , o l ’ ,o 2 ’ , d l ’ ,d 2 ’ ,d 3 ’ , s r ’ , d r ’ ,rO’ , r l ’ , r 2 ’) ) l  
( s i ’ , o l ’ ,o 2 ’ , d l ’ ,d 2 ’ ,d3 ’ , s r ’ , d r ’ ,rO’ , r l ’ , r 2 ’) < - s t a t e ,
o l ’==ol and ( i f  (o l==ldr) then  ( d r ’==sr) e ls e  ( d r ’==dr)) 
and s l ’==sl and o2’==o2 and 
d l ’==dl and d2’==d2 and
)==d3 and s r ’==sr and rO’==rO and 
r l ’==rl and r 2 ’==r2
e f f e c t ( w ) ( ( s l , o l , o 2 , d l , d 2 , d 3 , s r , d r , r 0 , r l , r 2 ) ,_)= 
{ ( ( r 0 , r l , r 2 ) ,
( s l ’ , o l ’ ,o 2 ’ , d l ’ ,d 2 ’ ,d 3 ’ , s r ’ , d r ’ ,rO’ , r l ’ , r 2 ’ ))I  
( s l ’ , o l ’ ,o 2 ’ , d l ’ ,d 2 ’ ,d 3 ’ , s r ’ , d r ’ ,rO’ , r l ’ , r 2 ’) < - s t a t e ,
( i f  (d2==0)then(rO’==dr and r l ’==rl and r 2 ’==r2 ) e ls e  
i f  (d2==l) then (rO ’==rO and r l ’==dr and r 2 ’==r2 ) e ls e  
i f  (d2==2)then(rO’==rO and r l ’==rl and r 2 ’==dr ) e ls e  
SKIP
) and s l ’==sl and o l ’==ol and o2’==o2 and d l ’==dl and 
d 2 ’==d2 and d3 ’==d3 and s r ’==sr and d r ’==dr
}
DIV = DIV
Figure 7.16.: BVHDL-CSP Main Section (Effect)
J u ly  6 , 2 0 0 8  2 0 3
Chapter 7. Comparisons with Other Work
semanti c s ( O p s , in ,o u t , enable,
e f f e c t , i n i t , even t) -
l e t
Z_PART(ss) =
[]op : Ops 0 enable (op) (ss)  &
[ ] i  : in  (op) 0
i f  e m p ty (e f fe c t (o p ) (s8 , i ) )  
then
(I"1 00 ; out(op) 0
e v e n t (o p ,s s , i ,o o )  -> DIV)
e lse
( I “ I (o o ,ssO  :
e f f e c t ( o p ) ( s s , i )  0 
e v e n t(o p ,s s ’ , i ,o o )  ->
Z_PART(ss’)) 
Z.MAIN = r i s s ;  i n i t  0 Z_PART(ss) 
w ith in  Z_MAIN
Aep =
semantics(Ops, i n , o u t , enab le ,
e f f e c t , i n i t , even t)
RUN2(A,B)= []a : d iff(A ,B) 0 a -> RUN2(A,B)
r_no_hazard =
{ ( r , b , c , d , e , f ) I
b<-OPCODE, c<-Nats,d<-Nats,
e<-Nats,f<-Nats,e==f
>
a s s e r t  RUN2({|r,s,w |},r_no_hazard) [T= Aep
Figure 7.17,: BVHDL-CSP: Semantic Function
204 JULY 6 , 2008
7.6. Event-B
7.6.2. Hardware Developm ent in Event-B
Abrial’s approach to hardware modelling captures the notion of a clock as an alternation 
of control between the environment and the circuit [AbrOl]. The switch from one state to 
another is accompanied by a period of instability when changes within the system are rippling 
through. Eventually, a stable state will be reached. Only the stable states are modelled.
{mode — env) C{{state, input), {box, output))
{mode =  cir) D{{state, input), {box, output))
When the environment is in control {env=mode) the environment state and the input it 
supplies to the circuit produces a stable circuit state box, and stable output. A similar relation 
holds for the case when control is with the circuit {mode=cir). The system evolves as the 
mode alternates between environment and circuit, which models the toggling of a system 
clock. Consistency conditions exist between the static states relations C and D across adjacent
clock periods. The annotation examples given in this thesis do not included a model of the
environment. Abrial’s approach is stylistic and can be accommodated in the annotated B 
approaches. C is the predicate that relates the {state, input) tuple to the {box, output) when 
the mode is set to the environment {env), and D is the predicate that relates the tuples when 
the mode is set to circuit {cir).
C{{state, input), {box, output)) A P\{output, state) ^  D{Fi{output, state), {box, output)) 
D{{state, input), {box, output)) A Qi{input, box) => C{{state, input), G\{input, box))
The first consistency predicate introduces Pi, a query predicate, and the next state generating 
function F i. When Pi holds in C it is implied that Pi generates a new environment that hold 
in D. A similar argument applies to the second consistency formula, but Qi is a predicate 
over the circuit configuration, and Gi is a function that produces a new circuit and output 
state.
This approach supports refinement. At the highest levels of abstraction the actions of the 
environment and reactions of the circuit are specified to preserve invariant conditions. The 
guards of the circuit are refined such that the refined guards are implied by the more abstract 
guards. (Refinement is not considered directly in the approach adopted by Treharne [TreOO].) 
Event-B permits the introduction of operations during refinement and typically the final 
circuit will be a single machine incorporating the reactive components of the more abstract 
circuit event machines, B select statements are refined into if — then — else constructs. 
Logic components have a set relationship to the B- Variables may represent inputs from 
the environment, outputs to the environment, or internally registered out-reg signals. The 
example of the PULSERl circuit is extended with output registering and clock synchronisation 
clock-reg in Figure 7.18. Deadlock freedom is guaranteed if it is possible to satisfy at least 
one guard. Figure 7.18 is given without showing the actual B. It is possible to see from 
the diagram of the specification that the actual gate logic and clock plays an important role 
in Abrial’s approach. Modelling approaches that encompass a low-level approach have been
J u ly  6 , 2 0 0 8  2 0 5
Chapter 7. Comparisons with Other Work
reg
and out—reg
clock_not
Clock
Out
Figure 7.18.: PULSERl Circuit with Clocking
considered in section 1.2.1 and will not be discussed further here. The annotation approach 
does not define an explicit clock.
7.6.3. Event-B Manual and VARIANT clause
The Event-B Reference Manual [MAV05] introduces various clauses to prevent divergence 
not available in the B-Method [Abr96]. The POST construct appears in specifications and 
refinements. It permits predicates to be formulated using both the current and next values 
of variables. This could be used to describe a local variant (local to the particular event it 
is associated with). A variant is employed in classical B to demonstrate that a loop in an 
implementations will terminate. The global VARIANT clause in Event-B is permitted to 
appear in refinements and applies globally. Every new event introduced by refinement must 
reduce the variant. In the future work chapter 8, it is proposed that a variant should be purely 
localised to the particular execution sequences open to the current operation. The variant 
detailed in section 8 guards against the execution becoming stuck in a particular circuit.
The RODIN project focuses on the development of large complex fault tolerant systems. 
The aims of RODIN is to provide a tool set and approach to allow clear modelling of large 
systems. The project has produced an open source tool set that can be used to develop and 
verify Event-B specifications. The development of plug-ins was encouraged throughout the 
project.
One advantage of Event-B is that modalities and a variant clause are supported by extensions
’http://rodin.cs.ncl.ac.uk/mdex.htm
2 0 6 J u ly  6 , 2008
7.6. Event-B
to it. However, a disadvantage is that the RODIN tool, developed around Event-B, does not 
support INCLUDES structuring. Two modalities are illustrated in the reference manual: 
MAINTAIN and ESTABLISH. The MAINTAIN has the following form:
B E G IN  E  M A IN T A IN  P  U N T IL  Q V A R IA N T  V  E N D
In the above E  is an event list. Any event from the list must maintain the predicate P  until 
such time as the Q predicate is established. The inevitability of Q is established by the 
variant V  which is decreased by each events in E.
7.6.4. D istributed S ta te  M achine Models in Event-B
In this section two approaches to modelling railways systems will be considered. Both describe 
the same signalling system.
Papatsaras and Stoddart [PS02] incorporate state machine modelling in their approach in 
Event-B. They deliver their method as an example of modelling a railway system. A set of 
functions describing the mappings between railway sections, signal, trains and train speeds 
are used in machines describing the global system. The refinement separates out the train, 
section and signal entities into different machines. Operations distributed across several 
machines have the same name. In a distributed description an event occurs when all the 
similarly named events are enabled. Papatsaras et al. permit multiple access to the same 
data structure, providing the access is to different parts of the structure. The interleaved 
annotation introduces a framework of variable testing to show no interface occurs between 
variables of a machine.
||i:iF’î/iVC'T/o/ 7  Operation-.Label{i).Operation{parameter^List)
In the above the parallel application of the set of dot prefixed events of the same name are 
executed. The distributed parts of the event are synchronised.
In the global model two events were defined: clear and start, clear, depicted in Figure 7.19 
moves a train forward if possible and then adjusts the network. Unusually, for Event-B, 
the events are parameterised. This creates a collection of events for all possible trains in all 
possible sections. The abstract event is a generic template for each possible combination of 
train or section. Figure 7.19 shows the legal transitions of the state machine that captures 
the clearing of trains through sections with respect to the i*^  track, with the signal states: 
red (R), amber (A) and green (G). The signal of the i^ *^ track protects the next section (see 
Figure 7.20). The signal machine takes one of the listed actions when the clear event given 
in Figure 7.19 occurs.
The parameter next{i) and next{next{i)) presumes the existence of the related signal ma­
chines. The clear operation detects the legal transitions that change state with guards. The 
rest are moped up with a skip action. The final distributed system is composed of the signal 
machines, train machines and controller machines. The train machines record the position 
of trains, while the controller machines modify the speed of the trains. It is not possible to 
model the interaction of the labelled signal machines in annotations at present.
J u ly  6 , 2008 207
Chapter 7. Comparisons with Other Work
c l e a r ( t r a i n ,  n e x t ( i ) , s ig n a l ) :  
c l e a r ( t r a i n ,  i ,  s ig n a l ) :
R{i} -> A{i>
A-Ci> -> R{i> 
G{i} -> R{i}
c l e a r ( t r a i n ,  n e x t ( n e x t ( i ) ) ,  s ig n a l ) :  A{i} -> G{i>
Figure 7.19.: Legal Signal Transitions
Signal i Signal i+1Signal i-1
track i+2
track i+1
• track i
Figure 7.20.: Track and Signal Arrangement
2o8 J u ly  6 , 2008
7.6. E vent-B
COMMl
AcceptMsg DeliverMsg
TRACK
SendTrainMsg Check
TRAINS
Figure 7.21.: Distributed Model Check Synchronisation
Butler reported on a systems approach to specification that involved refinement and Event- 
B [But02]. We refer to it here because it addresses the problem of action synchronisation. 
The work was under taken as part of the MATISSE project (IST-1999-11435). A railway 
example is used to introduce the approach. The system model introduces the sets SECTION 
and TRAIN. The derived controller automatically breaks the trains, which removes the need 
for signals like in the Papatsaras and Stoddart model. The Butler model describes a static 
network of track sections, and a dynamic switch configuration. In the global system model a 
check function applies the breaks if the front of the train has no next section to traverse to, 
or the next section is occupied.
Figure 7.21 portrays the arrangement of a first refinement of Butlers model pictorially. No 
code is given. In the first refinement the SendTrainMsg event is introduced. To reflect the 
final system a communication process is modelled. The information needed to perform the 
Check is transmitted to the train using the SendTrianMsg. This event was introduced in the 
refinement, a common practice in Event-B. The arrangement of the guards effectively order 
the execution sequence (an approach avoided by annotations).
The decomposition into parallel interacting machines follows the data refinement. In Butler’s 
model three machines naturally emerge: TRAIN , TRACK  and COMMS. Figure 7.21 has 
the concept of message passing in a communication channel. Synchronisation is achieved 
via value-passing. The Check operation of the TR A IN  machine is synchronised with the 
DeliverMsg of the COMMS machine.
The Check operation is illustrated below:
J u ly  6 , 200 8 2 0 9
Chapter 7. Comparisons with Other Work
Check{t : TRAIN ) =
VAR b € BOOL WHERE 
h <—  comms.DeliverMsg{t)\ 
trains. Check {t,h)
END
In Papatsaras and Stoddart’s approach synchronisation was achieved by parallel execution of 
similarly name events when every guard condition across all events were enabled. Data was 
not passed between synchronised events. In Treharne data is passed via CSP channels. In 
Butler’s approach synchronisation is achieved by message passing. The annotation approach 
has yet to consider synchronisation.
7.7. Dynamic Constraints in B
Event-B allows a system to be viewed as a set of events that may spontaneously occur. No 
explicit dynamic claim outside the use of the invariant could be made globally about Event- 
B specification, prior to the work of Abrial and Mussat who researched adding dynamic 
constraints to Event-B [AM98]. Importantly, their framework maintains the strong notion 
of B refinement. They insist “refinement must not restrict the external non-determinism 
that is ofiered by the abstract system at the top level” . Abrial and Mussat proposed a 
number of new clauses for Event-B to support, amongst other things, the temporal notion 
that every execution firom any point in an execution of an Event-B system eventually reaches 
a state, where a certain property is true/false {leadsto). Temporal clauses such as these are 
handled in the same way as static constraints. The framework to allow temporal reasoning 
is discussed. Particular attention is applied to the leadsto temporal assertion which is not 
directly implementable in the annotation framework, but we demonstrate how the annotation 
framework can be extended to capture temporal assertion in chapter 8.
In Event-B new events can be introduced during refinement. Such events refine skip. To avoid 
a new event being introduced during refinement taking control forever POs are introduced 
that ensures that the new event decreases a global VARIANT V.
V € N
[v := V][Bjjf]{V < v)
In the above the new operation B^p must reduce the integer variant V  after it has been 
executed. In our framework we do not insist that individual operations cannot take control 
forever. In fact interrupts are used to break into possible infinite execution cycles that could 
involve a self looping operation.
Abrial and Mussat introduce the DYNAMICS clause to allow expression of predicates con­
cerning the evolution of certain variables in all executions of the system. It has global range 
and can use the pre and post versions of a variable the system as following:
210 J uly  6 , 2008
7.7. Dynamic Constraints in B
DYNAM ICS X < x  A y  < y
The example above illustrates the generation of POs that ensures that every event increases 
both X and y. The POs are constructed by using before-after predicate associated with an 
event The background to before-after predicate construction for B operations is given in 
the B Book [Abr96]. The PO associated with the x variable is reproduced below:
DYNAM ICS prdxiS’) ^  ^ { x ,  x )
In the above prdx returns the before and after predicate of S’. The above predicate says 
that if a before-after predicate relates the variable x and x then it implies that the dynamic 
invariant ^ { x , x ' )  must hold (stated in the DYNAMICS clause above). In our framework 
annotations are used to capture before-after predicates. After the current operation OP,-, 
with a precondition of P*, has completed executing the next operation OPj  will be enabled, 
if the following annotation exists in the current operation:
OPi = (Pi 1 Pi)/ * {OP,-} N E X T  * /;
In the above there is an implied DYNAMICS clause in which the predicate in Pi.x hold before 
execution for the variable x and the predicates in Pj.x^, which hold after execution for the 
variable x:
pr dx ( OPc )  => ^ { P i . x , P j . x )
A particular modality of interest is P  LEADSTO S: once P  holds then eventually Q will 
hold. It is captured in a system with the following clauses:
A N Y  y WHERE 
P 
LEADSTO
Q
WHILE 
OP . . .  OP 
IN VARIAN T  
J  
VARIANT  
V 
END
J u ly  6 , 200 8
Chapter 7. Comparisons with Other Work
In the above y sets up the initial conditions that enables P. There after the loop guarded 
by ~>Q chooses an enabled event from OR . . .  OR ^ n -  The looping action repeats until 
Q is enabled. All the events c^i OR . . .  OR maintain the next invariant J  and reduce 
the variant V. So can only guarantee Q is reached if and only if OR . . .  OR are 
executed, and nothing else before Q is reached.
The POs for the leadsto modality is:
1 V y . ( P = > y )
2 V i / . ( P ^ V z . ( Z  A V g N) )
3 y y.{P => y z.{I A J  A-<Q i : { l..n }  • [^i]J))
4 V y.{P  V z,{I A J  A-yQ i : {l..n} • [v := V][^i]( V < v)))
5 Vy.(P  => Vz ,(I  A J  A -^Q =4> grd{^i)  V • • ♦ V grd{^n)))
All the above POs have an initial non-deterministic choice given to them by the quantification 
of y, and all hold under the assumption that the P  holds. The z quantification ranges over the 
variables that change. The first PO insists that the next invariant J  holds, and because P  is an 
assumption the local conditions are set up for the search for the final leadsto predicate Q . The 
second PO states that under the assumption that the global invariant and next invariant hold 
the variant must be a natural number. This is necessary as the variant is decremented after 
each event from the event list has occurred. The third PO states that under the assumption 
that the local and global invariant hold and the future predicate has not been reached, then 
each event in the list establishes the next invariant J. The forth PO states that the variant 
is reduced by each event listed. The same assumptions that applied in the third PO apply in 
the fourth and fifth PO. The fifth PO states that at least one event guard is enabled during 
the search for the future state Q, to prevent deadlock. What is missing is a PO that when 
V =  0 the search will be complete. This can not be stated as Q may be achieved earlier than 
when P  =  0. It is implicit from the realisation of the leadsto modality as a loop that the 
loop is continued if -iQ, and when Q holds the loop has terminated achieving the goal of the 
leadsto operator. In the future work Chapter 8 the CONDITION NEXT annotation is modified 
to produce a variant annotation c o n d i t i o n  v a r i a n t .
7.8. ProB
ProB^® is a model chedcer [LB03] for B. It can be used to analyse B specifications in two 
ways. Firstly, it can check consistency, and secondly, as an animator, it can be used to debug 
B scripts. To obtain an exhaustive state space exploration the variables in the B specification 
must be given an appropriately small range. There are two forms of consistency checking. To 
find problems in the specification ProB can either navigate a sequence of operations from the 
initial condition to achieve a state that invalidates the invariant, or search for a valid state 
that can be followed legally (precondition satisfied) by an operations with a set of valid inputs 
that creates a new state that invalidates the invariant. The former check is model checking
h^ttp://users.ecs.soton.ac.uk/maI/systems/prob.html
212 J uly  6 , 2008
_______________________________________________________________________________________7.8. ProB
and a trace that leads to an invalid state will be returned. The later analysis is constraint 
checking and may return unreachable states. Leuschel insists that proof is not enough^^ 
ProB can be used most effectively to highlight incorrect proof obligations, thus saving time 
otherwise spent trying to discharge them. The animator can be used to explore the state 
space to look for unspecified behaviour.
The ProB Animator, unlike the BToolkit animator, will offer concrete values where one of 
a number of values would be valid. The tool offers a set of operations with valid inputs to 
cover the range of possibilities when stepping through a sequence of operations, provided the 
argument state space is bounded. This applies to the non-deterministic choice offered by the 
ANY statement. Like the B toolkit backtracking is possible.
The temporal model checker checks for invariant violation or dead-code. Although BToolkit 
can prove that every operation when called within its precondition will maintain the invariant 
the ProB tool automatically checks this. If an violation is found then the shortest trace to 
that state is indicated to the users. In our approach we ensure that the intended control 
sequence at all points in the execution maintains the invariant, and we do not have to limit 
ourselves to finite state. We also insist that every operation has at least one next operation 
in a B machine to prevent deadlock.
Work to extend the ProB tool to accept the full CSPM, has been carried out by Leuschel, 
it will enable ÇSPM to be model checked by ProB directly. Eventually the aim is to model 
check CSP[|B. At present CSP controllers can be used to direct the operations and therefore 
restricts the space of possible executions to a manageable state space size. Model checking 
the CSPIIB will reduce the reliance on the CLI as a means of checking the consistency of 
control loops in the CSP script. One advantage of using annotated B is that there is less 
reliance on CLI generation and analysis. One advantage that annotations have over CSP||B 
is that annotations do not need to generate or discharge CLI. The introduction of CSP||B 
model checking will erode this advantage where the development model uses a small finite set 
of values.
In other research on model checking of Event-B systems Bellegarde et. al. [BCJ02] notes 
that that model checking is PSPACE-complete. They suggest undertaking model checking by 
executing the model in synchronous with the buchi automaton of the negation of the property 
P  for verification. The checking amounts to searching for accepting cycles, which involves 
the overhead of memorising previous states. The overhead is the production of the negated 
property buchi automaton. To check TS with P  under n fairness hypothesis the complexity 
is:
0 ((| S  I +
The model checking complexity is linear in the number of states and transitions, but polyno­
mial in the number of verification predicates and number of hypotheses raised to the power 
of the hypothesises. So care has to be taken when developing the properties. We note that 
the worst case complexity of Computational Tree Logic (CTL) is
0C( | 5|  +  H ) » l ^ l )
RODIN Industry day - 10/09/07 - Paris 
J u l y  6 , 2008 2 1 3
Chapter 7. Comparisons with Other Work
[BBF+01] [HROO]. CTL is not as expressive as LTL and can not express strong fairness 
properties.
An advantage of annotations is that they enables an engineer to capture the execution re­
quirements of a family of controllers during B development, and because it is based on proof 
it can tackle infinite types during abstract specification. Additionally, annotated B permits 
the separate refinement of the state operation from the controller.
M A C H IN E  In terrup ting-C -T -C -S  
SE T S COMMAND = {Arret, Aller]
V A R IA B L E S Moat, Square, pv
IN V A R IA N T  Moat : COMMAND A Square : COMMAND A 
[Moat =  Arret V Square =  Arret) A pv ; 0..10 A 
{pv > 0 =4> Square = Arret A Moat =  Arret)
IN IT IA L ISA T IO N  Moat, Square := Arret, Arret || pv ;; 1..10 /  * {Aller-Moat}\ * /  
O P E R A T IO N S
Aller—Moat =  P R E  Square — Arret T H E N  Moat Aller \\pv  := 0 E N D
/  * {Arret-Moat]\ * /;
Arret-Moat =  P R E  Moat =  Aller T H E N  Moat := Arret || pv :: 1..5 E N D
/  * {Aller-Square)] * /;
Aller-Square =  P R E  Moat = Arret T H E N  Square := Aller \\pv  := 0 E N D
/  * {Arret-Square}] * /;
Arret-Square =  P R E  Square =  Aller T H E N  Square := Arret || pv ;; 5,.10 E N D
/  * {Allev-Moaty. * /;
pvl i—  Aller—pedestrian =  P R E  pv > 0 T H E N  pv := pv — 1 || pv l pv — 1 E N D  
/  * N E X T INVARIAN T {Moat = Arret, Square = Arret] * /
/  * FROM SET{Arret-M oat, Arret-Square] * /
/  * {Aller-Pedestrian]’, {Aller-Moat] CONDITION N E X T  * /
E N D /
Figure 7.22.: Traffic Controller Machine for ProB
The ProB analysis of the Interrupting Traffic Controller was undertaken. The necessary 
changes to the variable ranges are depicted in Figure 7.22 in bold. The original model is 
given in Figure 8.1. There are no substantial differences between the controller generated 
from the annotated B, detailed in Figure 8.2 and a controller that would otherwise be de­
veloped for a CSP||B specification in this example. The restriction on the types makes little 
difference in this example. We would like to check that while the CONDITION n e x t  opera­
tion, Aller-Pedestrian, is active the traffic is halted. Hence an extra next invariant has been 
added. This annotation would be checked statically within the annotation framework. The 
next invariant is discharged by ProB. We expect that an updated ProB tool will be able to 
check all of the annotations POs if it where modified to accept them as either invariants or
2 1 4  J u ly  6 , 2 0 0 8
7.9. Translation of CSP to Handel-C
assertions. In general we see our annotation approach as a way of capturing initial execution 
concepts. Annotation become assertions in a FDR check or a ProB check. Recently, ProB 
has been extended to undertake Linear Temporal Logic (LTL) checking [LP07]. Temporal 
logic assertions are added to the machine and they are checked in turn. If an assertion is false 
then a trace that shows that the assertion is false is shown. The temporal logic operators are 
given in table 7.1.
Operator Meaning
G0 0 always true in the future execution
X0 0 true next
F0 0 true at some point in the future
0U6> 0 until 9 true
0R0 0 true when 9 false
H0 0 true for the entire past
Y0 0 true in the previous step
Ocj> 0 true at least once in the past
Where 0 and 9 are temporal formulas
Table 7.1.: The Temporal Logic Operators Used in ProB
Leuschel has experimented with discharging annotations by creating formulas that do the 
checks of annotations. The NEXT annotation can b e  coded up as follows:
G[AUerSquare] => X{e{ArretSquare))
The above states that always when AllerSquare  is enabled and executed it is implied that 
next Arret-Square will be enabled {e(Arret-Square)). The FROM annotation can not be 
modelled directly. It has to be converted into n e x t  annotations before it çan be modelled in 
temporal logic.
LTL is not the only kind of temporal logic. CTL, as introduced above, is another kind of 
temporal logic, which has a branching time logic meaning as opposed to the linear logic 
meaning of LTL. For completeness the temporal connectives of CTL are informal introduced 
in table 7.2.
7.9 . Translation o f CSP to  Handel-C
Papatsaras and Stoddart (PS), have constructed CSP to Handel-C [PS04] translation map­
pings. We compare their findings to the work of S. Stepney [Ste03] (SS). The subset (not 
including informative comments) of CSPM (machine readable CSP) handled by the transla­
tors is reproduced in table 6.1 on page 163.
J u ly  6 , 2 0 0 8  2 1 5
Chapter 7. Comparisons with Other Work
Operator Meaning
AG0 along all paths in all future states 0
EG0 along at least one path in all future states 0
AX0 along all paths next 0
EX0 along at least one path next 0
AF0 along all paths at some point in the future 0
EF0 along at least one path at some point in the future
A[0U^] along all paths 0 until 0 true
E[0U0] along at least one path 0 until 9 true
Where 0 and 9 are CTL temporal logic formulas 
Table 7.2.: CTL Temporal Logic Connectives
The key differences between Papatsaras and Stoddart’s (PS), and Stepney’s (SS) approaches 
is that the former introduced macros into the Handel-C from CSP comments. The macros 
are translations of CSP actions which perform data processing. The motivation to move the 
data processing code into CSP comments and then into macros is to prevent them being 
analysised in the CSP. Tools like FDR2 and ProB do not manage large state space effectively. 
Another important distinction is that PS’s approach does not have the capability for the 
declaration of local variables in functions: no functions are generated in the translation. In 
the SS approach the process parameters can be used to create an index of processes. In the 
PS approach channel types are calculated from use. However, having to type the channels, 
as is the case with the SS approach, provides a richer specification and double check on the 
use of the channels.
A Handel-C restriction to point-to-point communication restricts the nature of CSP sharing 
parallel. If in the CSP two events share the same alphabet then they must in the Handel-C be 
the processes that communicate with one another. The SS approach forces the synchronisation 
to be over the entire alphabet of the specification. No examples of synchronised parallel are 
given in the PS approach.
2 i 6  J u ly  6 , 2 008
8. Future Work and Conclusion
8.1 . Future Work
The main focus of the future work is to demonstrate through example that annotations can 
be applied to Event-B and develop a plug in to generate either properties for discharging by 
ProB or proof obligations for discharging with a proof tool. This is by no means not the only 
thing left to do.
8.1.1. Variant Extensions
In future research the Event-B variant concept could be introduced into annotated B in 
two ways. Either by introducing a new annotation that mimics the MAINTAIN UNTIL VARI­
ANT modality (section 7.6.3), or alternatively the current CONDITION n e x t  annotation (sec­
tion 5.3) could be modified.
8.1.2. E V E N T U A L L Y  F U T U R E  A nnotation
The work by Abrial and Mussat introduced dynamic constraints to Event-B, which were 
discussed in Section 7.6.2. The form of the dynamic constraint is given below:
B E G IN  E  M A IN T A IN  P  U N T IL  Q V A R IA N T  V  E N D
The variant decreases on every operation call maintaining P  until Q is asserted. Annotations 
have the ability to model modalities on an operation by operation basis. Only preconditions 
are consider here, whereas the Event-B approach considers more general predicates. The 
operation to be executed when exiting a loop is considered in the annotations approach. In 
the example below OPf follows OPc until OP^ is enabled.
OPc = P R E  Pc t h e n  Be END  
/* E V E N T U A L L Y  FUTURE{OPf ,  OPg, v, OPr) * /
In the above OPr is on every execution sequence from QP^ back to OPc, where OPr reduces 
the variant v which ensures that OPg is eventually executable from OPf.  No operation on
J u ly  6 , 2 0 0 8  2 1 7
Chapter 8 . Future Work and Conclusion
this path can increase the invariant. (The operations that make up the loop are detailed in 
the annotations and controller.) This new annotation would extend the previous work by 
Abrial and Mussat. The looping action is not restricted to include only one event, but extend 
to include complete execution cycles of events. In future work the POs for this needs to be 
deduced.
8.1.3. C O N D IT IO N  V A R IA N T  Annotation
A self looping operation that reduces a variant until it exits from the self loop is a much simpler 
proposition to reason about than an EVENTUALLY FUTURE annotation. The CONDITION NEXT 
annotations could be extended to capture the notion of variants and alternative action when 
the variant is zero. The extended annotation is called CONDITION VARIANT. In this section 
the necessary proof to show that the annotation and step- consistency controllers are non­
divergence are not undertaken. The framework is illustrated only. The proof obligations must 
check the following:
1. The output must be a positive integer and each time when invoked the value must be 
reduced by exactly 1 (in this simplified version of the variant annotations the variant 
operation would have to output the variant value)
2. The precondition of the operations must be of the form v > 0 where v is the variant
3. The output must be the operation variant value reduced by exactly 1
The above framework needs some refinement but serves to illustrate the annotation approach. 
However, given the above POs structure it should be possible to prove that an operation 
annotated with CONDITION VARIANT cannot be continuously called without breaking the 
precondition. The following changes are needed to the current version of the annotation 
given in chapter 5.
The definition of step consistency changes to:
if b ^  0 then R1 else R2
is step — consistent with M  if b £ N  and R1 and R2 are step — consistent with M and
V c G in it(R l) => c G condition-true(a7y?zlx) and
V d G init{R2) ^  d £ condition-false(a7y7z\x)
The controller if — then — else fragment decides on which path to traverse next by testing the 
b value. The b output is updated in the operation with the CONDITION NEXT annotation, b 
is the value of the variant. Effectively our approach distributes the checking of the leadsto 
modality to individual operations events. The advantage with this approach is that not all 
operations need to reduce the variant. Also the operation executed on exiting the looping
2 i 8  J u ly  6 , 2008
8.1. Future Work
M A C H IN E  In terrup ting -G -T -C -S  
SETS COMMAND =  {Arret, Aller}
V A R IA B LES Moat, Square, pv
IN V A R IA N T  Moat : COMMAND A Square : COMMAND A 
{Moat = Arret V Square =  Arret) A pu : N  A 
(pu > 0 {Square — Arret A Moat = Arret))
IN IT IA L IS A T IO N  Moat := Arret || Square := Arret || pu :: N /  * {Aller-Moat}\ * j  
O P E R A T IO N S
Aller—Moat =  P R E  Square — Arret T H E N  Moat := Aller || pu := 0 E N D
/  * {Arret-Moat}\ * /;
Arret—Moat = P R E  Moat = Aller T H E N  Moat := Arret || pu :: N i EN D
/  * {Aller-Square}] * /;
AllerSquare  =  P R E  Moat ~  Arret T H E N  Square := Aller || pu := 0 E N D
/  * {Arret-iS'guare}! * /; 
Arret-Square =  P R E  Square =  AZ/er T H E N  Square Arret || pu :: N i E N D
/  * {A//er_Moai}! * /;
pul i—  Aller-pedestrian =
P R E  pu > 0 T H E N  pu := pu — 1 j| pul =  pu — 1 E N D  
/  * N E X T IN VAR IAN T {Moat = Arret A Square =  Arret} * f  
J * FROM SE T {Arret-Moat, Arret-Square} * /
/ *  {Aller-Pedestrian}] {Aller-M oat} CONDITION V A R IA N T ^!
E N D F
Figure 8.1.: Interrupting Traffic Controller Machine with the Variant Annotation
behaviour is defined. The example given in Figure 7.22 on page 214 is rewritten in Figure 8.1, 
page 219 with the condition variant annotation.
In Figure 8.1 the fair traffic controller machine is reproduced with the addition of the variant 
variable pu, which limits the number of times the pedestrian operation can be called consec­
utively. The pedestrian operation is extended with the CONDITION VARIANT annotation for 
illustration. In Figure 8.2, for completeness, the controller for the modified traffic light con­
troller is illustrated. It has been made ProB compatible. Although the number of invocations 
made during the looping of a pedestrian crossing is limited by the CONDITION VARIANT, the 
pedestrian loop could infinitely interrupt everything else, making it unfair.
8.1.4. Event-B A nnotation Plug-In
Bringing the different strands of the work together is a goal for the future. The BVHDL 
route should not be disguarded in favour of the newer development route with Handel-C.
J u ly  6 , 2 0 0 8  2 1 9
Chapter 8 . Future Work and Conclusion
M AIN — Traffic-CTRL A Pedestrian-CTRL
Traffic-CTRL =  Aller-Moat —> Arret-Moat —^
AllerSquare  -4  ArretSquare  - 4  Traffic-CTRL 
Pedestrian-CTRL =  Aller-Pedestrian?X -4
if  {X  7  ^0) then Pedestrian-CTRL else M AIN
Figure 8.2.: Interrupting Traffic Controller CSP with Variant
Instead the routes should be brought together so that there are diverse route to hardware. 
The future route is illustrated in Figure 8.3. In the future tools support will have to be 
more centralised on the open source RODIN tool set, because the B-Core BToolkit has not 
had any significant development work in several years. This will mean developing BVHDL 
and Handel-C generator plug-ins. A plug-in for annotations could be developed that would 
generate the POs associated with the annotations or call the ProB tool to discharge them. 
POs would be generated in the cases where ProB could not handle the data type under 
analysis or I/O  was being used in the annotations.
8.1.5. Extension of th e  i n t e r l e a v i n g  n e x t  Annotation
An extension is required to include full synchronised parallel as suggested in Section 7.4
8.2. Conclusion
This PhD. research had three main aims, which were stated in the abstract and are reproduced 
in the following discussion. They are the introduction of control directives, proving the 
approach will guarantee non-divergence, and show that refinement and translation is possible.
The first aim was to introduce a set of annotations to describing control directives to per­
mit controller development in B. However, before launching into annotations some space in 
this thesis is dedicated in the chapter 1 and chapter 7 to the technical background and the 
motivation for annotations. BVHDL and CSP||B were introduced. BVHDL is, as explained 
in chapter 7, a specialisation of the BToolkit. Templates to support hardware design and a 
VHDL generation are described. However, the templates and requirements for VHDL code 
generation are prescriptive. For example the introduction of a clock is necessary to obtain 
a translation. The thread of execution is controlled by adding control flags to the processes 
obscuring the control flow specification. Abstraction in BVHDL is difficult because of the 
templates. The methodology needed to be extended in two areas. The introduction of a more 
abstract language was required to capture abstract specifications with control specifications, 
and a HDL that was free of clock details was required. Similar criticisms can be levelled at 
BHDL. However, the great draw back with the BHDL approach in particular is the reliance 
on very low libraries. Change from using B to CSPjjB as the formal notation has its lim-
2 2 0  J u ly  6 , 2 008
8 .2 . Conclusion
Optimised
ANNOTATED 
B MACHINE
HANDELCBVHDL
REFINED 
ANNOTATED 
B MACHINE
CSP
CONTROLLER
Equivalence Check 
Figure 8.3.: Future Annotated B Handel-C development Methodology
Rations as well. CSP||B currently has no implementation route. However, currently the is
research at the University of Surrey investigating routes from CSP- B to hardware that
may incorporates some aspects of this thesis. Three solutions are presented in this thesis to 
the above difficulties. One is the development of the annotations, which allows specifications 
of designs that incorporate control specifications and abstractions that are not presented in 
a HDL style. The second is the ability to refine both the data and control flow aspects of 
the annotated specifications. The third is the translation into a HDL that does not require 
specific definition of a clock or low level hardware libraries to obtain a translation.
In the future when more research on annotations has been completed development with 
annotations may form part of a diverse development route for high consequence systems. A 
possible methodology is given in Figure 8.3. The annotated B specifications capture execution 
aspects of the design and can be used to produce Handel-C. The VHDL route provides 
a diverse route to implementation. The use of diversity can be leveraged in safety case 
arguments. This argument is particularly helpful where there is no evidence supporting wide 
industrial use of any one of the diverse approaches. Equivalence between the two different 
implementations can be investigated.
The approach annotation adopt to capturing specifications is detailed in chapters 2 to chap­
ter 6. They capture the execution requirement by capturing the requirement that the indi­
cated operations are required to be enabled next. We generate POs that when discharged 
established that the execution path will not cause divergence. The recent advances with the 
ProB tool mean that model checking can be used to discharge POs that the n e x t  annotation 
give rise to. Model checlcing is some times quicker than proving. However, model checking
J u l y  6 , 2 008
Chapter 8 . Future Work and Conclusion
is limited when the model or properties become large. In the related work chapter, in sec­
tion 7.8, ProB the LTL model checker is investigated. Whether temporal logic requirements 
captured in annotations or LTL formulae can be viewed as a difference in the choice of syntax, 
ProB is based on LTL, which has a worst case complexity of 0 (( | S  | |—>^|) * 21^1), where S
is the size of the state,]—>| is the number of transitions and | P  | is the number of the property 
to be checked. The annotations are introduced to capture general execution requirements not 
execution path specifications. Hence, CTL is adequate to capture their requirements, worst 
case complexity 0 (( | S | |-^|) + | P |). LTL is more expressive and is used to verify systems
whereas CTL is used to specify systems. The expressiveness and use of annotations is likened 
to CTL. We also note that CTL can not express fairness properties. However, in the current 
annotations there is no provision for fairness, which again leads to the conclusion that the 
expressiveness of the current annotations is correct. In fact with the current annotations it 
is possible to model interrupts (FROM annotations), and an annotated B model is viewed as 
open reactive system. The fairness of an open system is dependent on the choices that are 
made by the external environment.
The query annotations was introduced to allow the guarantees set up by NEXT annotations 
to carry over operations that do not change the state. For example if opi is proven to enable 
opjf but opx is inserted in the control flow between opi and opj provided opa, is a QUERY 
operation (chapters) then the arrangement is still machine-annotation consistent. This idea 
was generalised with the introduction of the n e x t  i n v a r i a n t ,  which allows state predicates to 
flow across operations. An example of its use is given in chapter 4. The idea of next invariants 
that apply on particular execution path is new. They are used to discharge annotations POs 
that involve several operations applications. Normally, extra preconditions or state variables 
would be added to the operations during the discharging of the PO in the proof environment. 
We record the requirements of execution associated with annotations separately from the 
static precondition of predicates.
The annotations can deal with I/O , Event-B specification generally introduce I/O  into events 
using the ANY clause. CSPjjB introduces I/O  using the CSP as an interface between the 
environment and the B machine operations. In annotated B the model of I/O , introduced in 
chapter 4, is more sophisticated than the current CSPjjB model. This assists with implemen­
tation, because it is possible to differentiate between internal and external communication. 
The model of communication was simplified in chapter 6 to allow the introduction of refine­
ment and translation. Future work is necessary to develop the model of I/O . The underlying 
model of communication makes annotated B distinctively different to CSPjjB as the B and 
CSP models are different views of the specified system. The CSP does not control the B. The 
B and CSP are different views of the same system. Both views are required for an efficient 
translation. The remaining sections built on the basic annotations. The complete set of 
annotations are given in table 8.1 and the glossary B.
Adding conditional annotations like c o n d it io n  n e x t  and the generalisation of it in the 
SELECT NEXT annotation, allows execution branching based on either the returns of the 
operation or some B state. The current set of annotations are enough to be able to begin 
development. Importantly the framework for the annotations has shown to be extendible.
Secondly, we have proven that CSP controllers that are consistent with the annotations will 
preserve the non-divergence property established between the machine and the annotations.
J u ly  6 , 2 008
8.2. Conclusion
Table 8.1.: Annotations and Related Control Operations 
Name Control Operation
NEXT a n d  □
FROM-ANY A
FROM-SET A%
PROM-SET
QUERY none
NEXT INVARIANT none
SELECT NEXT i f  -  t h e  -  clsC
c o n d i t i o n  n e x t  i f  — t h e n  — e ls e
SEQUENCE NEXT 
in t e r l e a v e d  NEXT j 11
FROM INTERLEAVED III
The idea of demonstrating non-divergence comes from the CSP||B work. It is important 
to that community because the CSP controller drives the B specifications. Proving non­
divergence demonstrates that the CSP controller will not drive the B to diverge. In the 
annotated B approach the CSP and B models are different view, but it is just as important to 
show non-divergence to show the to views are compatible. The proof work also covers showing 
that operations with distinct state space can be safely interleaved, and that operations that 
do not modify the state space will carry across the guarantees set up by NEXT annotations. In 
future work we need to show that the translations preserve the annotated B and CSP model 
semantics.
Thirdly, we show how annotation refinement is possible, and show a range of mappings 
from the annotated B and the consistent controller to Handel-C. Refinement within the B 
specification is always possible. We have additionally shown that the annotations support 
refinement, and that operations can be introduced providing they met the rules of annotations 
refinement. More work on refinement can be undertaken in the future. The refinement 
introduced in chapter 6 is not formally justified in terms of either Classical B, Event-B or 
CSP refinement. In relations to the translation work the current translation to Handel- 
C needs justification as mentioned above. Also other languages need to be considered as 
possible candates for target languages.
There were some specific points that were reported in the introduction that at the start of the 
research were considered aims of the research. These and additional aims that arose during 
the research are visited below.
• To work with existing tools - This is true to a certain extent, but in order to automati­
cally generate the PO associated with the annotations the BToolkit or Rodin tool will 
need to be extended. This point has been discussed above in relation to plug-ins.
• To have one design entry tool and language - B is the central design language and 
JULY 6 , 2008 223
Chapter 8 . Future Work and Conclusion
the ultimate aim is to synthesis at least the framework for the controllers from the 
annotations. Having B as the front-end tool allows the state specification and the 
control framework requirements to be captured in one place.
Simplify the development of correctness arguments - The annotations, once shown to 
be machine-annotation consistent with the B machine, can be used independently from 
the machine to assess the correctness of CSP controllers developed to detail the control 
behaviour.
Opt for simplicity to accommodate analysability - The structured way the annotations 
are introduced allows others to be introduced in a straight forward and robust fashion. 
In the future different sets of annotations developed for different purposes should be 
merged provided they follow the same framework.
Support code generation - Code generation has been supported and the introduction of 
clocks for state machine designs has been eliminated in hardware development.
Permit hardware or software implementation - We have demonstrated that hardware 
can be translated from annotated B. Producing software should not be any harder. It 
is possible to generate software already from B implementations.
Avoid operating system - Operating systems have been avoided with the hardware im­
plementation route. However, it may not be possible to avoid operating systems if a 
software route is selected.
2 2 4  J uly 6 , 2 008
A. The Comparison Between CSP||B's 
Translations and B Annotations
Here we restate the CSP translation mappings established in [TSOO] and show the relationship 
to the annotation in table A .l (in the table the next annotation (chapter 2) is shortened to X 
and the CONDITION NEXT annotations (chapter 5) is shortened to the in fixed <). A summary 
of this table without the relationships to annotations is given in Figure 1.1, page 19. The first 
column gives the CSP fragment to be translated. The second column gives the translation of 
the fragment to B. The third column presents the annotations that are associated with the 
particular fragment, p signifies the translation with respect to the translation environment 
mappings.
The details of the B translations are given in [TSOO]. The first four CSP fragments involve 
action prefix, which associate with the n e x t  annotations. Discharging the n e x t  POs es­
tablishes that transition are non-divergent for all paths. The CSP choice operator is again 
represented with the NEXT annotation. The CSP if  — then — else is represented with the 
CONDITION NEXT annotation. There is no equivalent annotation syntax for the recursive call, 
but in chapter 5, Figure 5.3, page 125 recursive calls are represented by B definitions.
J u ly  6 , 2 0 0 8  2 2 5
Appendix A. The Comparison Between CSP||B’s Translations and B Annotations
CSP Translation Annotation
{En -> P]p Ji] {P}p n /  * X. init{P) * /
{Enlxc -4 P}p n{p[xc])] n{xc) /  * X  init{P) * /
{ P } p
[En\wc -> P}p Wb <—  n\ w i—  n /  * X  init(P) * /
{Enlwc?Xc -4 P}p Wb <—  n{p[xc])] W <—  n(xc) /  * X  init{P) * /
{En P  □ Q}p n\ n /  * X  init{P) U init{Q) * j
CHOICE
P
OR
Q
EN D
{En .^Wc -4
if Wc then P else Q Wb i—  n\ Wq <—  n /  * init{P) < init{Q) * /
IF
Wb
TH EN
{P} p®{Wct-^ Wb}ELSE
{Q} P®{Wc^ -^ Wb}
fEND
p[p]
where; P  and Q are processes 
n is the operation
En is the action relating to the operation 
Xc is an input 
Wc is an output 
p[xc\ returns the value of Xc 
in the environment 
p ® { w c ^ W b )  overwrites Wc 
with Wb in p
Table A.I.: The Relationship of B Translations of CSP Fragments to Annotations
2 2 6  JULY 6 , 2 008
B. Glossary
B .l .  Annotations Syntax
NEXT - A defined set of operations enabled by the current operation.
OPi =  [Pi I /  * { OPj, OPk} NEXT * /
page 25
FROM-ANY - The initialisation and any operation may precede the current operation.
OPi = [Pi I Bi)/  * FROM  -  A N Y  * /;
page 41
FROM-SET A defined set of operations that may precede the current operation.
OPi = [Pi I P<) /  * FROM -  S E T { O P j , O P k }  * /;
page 43
FROM-SET-INIT - The initialisation and the defined set of operations may precede the current 
operation.
OPi =  [Pi I PO / * p r o m  -  SET -  INIT{OPj , ..., OPk} * /;
page 43
QUERY - The current operation gives an output, but does not change the state of the machine.
O P i ~ [ P i \ B i ) / *  QUERY */;
page 65
J u ly  6 , 2 0 0 8  2 2 7
Appendix B. Glossary
NEXT with I/O  - A defined set of operations with or without I/O  enabled by the current 
operation.
Vi f -  O v i i v u  ei)  =  {P i  1 B i ) l  * { O v 3 ' l V j \ E j ] N E X T  * /;
page 78
NEXT INVARIANT - A predicate that holds before and after the current operation com­
pletes that is used to establish the next operation precondition hold.
OPi = (P,- I PO /  * { predicate } N E X T IN VARIAN T  * /
page 79
FROM-ANY WITH I /O  - The initialisation and all operations enable the current oper­
ation with or without I/O .
yj OPj{vj, 6j) = {Pj I Bj) /  * FROM -  A N Y { I V  \E } * /;
page 87
FROM-SET WITH I /O  - All defined operations enable the current operation with or 
without I/O .
/  + FROM  -  SE T{  O Pt,..., OPi) { ? 7  !P} * /
page 88
PROM-SET-INIT WITH I /O  - The initialisation and all defined operations enable the 
current operation with or without I/O .
/  * FROM -  SE T -  I N I T { O P k , O P i } {  Vj .Ej )  * /
page 89
SELECT NEXT - The given operations are enabled by the current operation. There 
selection in the implementation will depend on the criteria specified in the anno­
tation.
OPi = {Pi I Bi) 
/♦{condji : OPj^, condj^_^ : OPj^_^ ELSE OPjJ} SELECT N E X T  * /;
2 2 8  JULY 6 , 2 0 0 8
B .l. Annotations Syntax
page 109
CONDITION NEXT - All defined operations are enable by the current operation. The 
first set of operations are enabled when the current operation output is true (not 
0). Conversely, the second set of operations are enabled when the current opera­
tion is false (0).
Vi OPi =  {Pi I Pi); /  * OPJ OPK CONDITION NEXT * /
page 111
INTERLEAVED NEXT - The defined set of operations are all enable by the current 
operation and may execute next interleaved.
yi f —  Opi{vi,  ei) ~  {Pi  I P i)  /  * O P J  INTERLEAVED N E X T  * /;
page 133
SEQUENCE NEXT - The first operation from the defend sequence of operations is enable 
by the current operation, and in turn  each operation in the sequence enables its 
right neighbour.
Vi 4—  Opi{vi)  =  {Pi  1 P i ) /  * {Opj ,  ... , Opk} SEQU ENCE N E X T  * /;
page 137
J u ly  6 , 2 0 0 8  2 2 9
Appendix B, Glossary
2 3 0  J uly  6 , 2 0 0 8
Bibliography
[ABD‘*‘03] A. Aljer, J. L. Boulanger, P. Devienne, S, Tison, and G. Mariano. BHDL: 
Circuit design in B. In Applications of Concurrency to System Design, pages 
241-242. IEEE Computer Society, Elsevier, unknown 2003.
[ABM02] A. Aljer, J. L. Boulanger, and G. Mariano. Formalization of digital cir­
cuits using the B method. In Computers in Railways. Eight International 
Conference, pages 691-700, Lemnos, Greece, June 2002.
[Abr96] J-R. Abrial. The B-Book: Assigning Programs to Meaning, Cambridge 
University Press, 1996,
[AbrOl] J-R. Abrial, Event driven circuit construction version 5, MATISSE project, 
August 2001.
[AM98] J-R. Abrial and L. Mussat. Introducing dynamic constraints in B. In Didier 
Bert, editor, B ’98: Recent Advances in the Development and use of the B 
Method, LNCS 1393, Montpellier, France, April 1998. B Conference Steering 
Committe, Springer.
[And03] C. Andre, Semantics of S.S.M. (safe state machine). Technical report, 
University Nice, IS3, CNRS, Esterel Technologies, 2003.
[Ash96] P. T. Ashenden. The Designer’s Guide tp VHDL. Morgan Kaufmann, 1996.
[BBF+01] B. Berard, Michel Bidoit, A. Finkel, F. Laroussinie, A. PeYtit, Ph. Schnoe- 
belen, and P. McKenzie. Systems and Software Verification: Model-checking 
Techniques and Tools. Springer, 2001.
[BCC+99] Armin Biere, Alessandro Cimatti, Edmund M. Clarke, M. Fujita, and 
Y. Zhu. Symbolic model checking using SAT procedures instead of BDDs. 
In Proceedings of Design Automation Conference (DAC’99), 1999.
[BCJ02] F. Bellegarde, S. Chouali, and J. Julliand. Verification of dynamic con­
straints for B Event systems under fairness assumptions. In ZB 2002, pages 
477-A96, 2002.
[BCM'*'90] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and J. Hwang. 
Symbolic model checking: 10^ ® states and beyond. June 1990.
[BGOl] A. Bunker and G. Gopalakrishnan. Verifying a virtual component interface- 
based PCI bus wrapper using formalcheck. Technical report. University of 
Utah, June 2001.
J u ly  6 , 2 0 0 8  2 3 1
Bibliography
[BKLM97] P. Breuer, C. Kloos, A. Lopez, and N. Madrid. A refinement calculus for the 
synthesis of verified hardware descriptions in VHDL. ACM  Transactions on 
Programming Languages and Systems^ 19(4):586-616, July 1997.
[BN97] Ahmed E. Barbour and Mike P. Nassif. Basic concepts of hardware veri­
fication using ORA Larch/VHDL. In Hamid R. Arabnia, editor, PDPTA. 
CSREA Press, 1997.
[Bry85] R. E. Bryant. Symbolic manipulation of boolean functions using a graphical 
representation. In Hillel Ofek and Lawrence A. O’Neill, editors, Proceedings 
of the 22nd AC M /IEEE conference on Design automation DAC 1985, Las 
Vegas, Nevada, USA, pages 688 -  694. ACM, 1985.
[Bry92] Randal E. Bryant. Symbolic boolean manipulation with ordered binary- 
decision diagrams. ACM Comput. Surv., 24(3):293-318, 1992.
[But02] M. Butler. A system-based approach to the formal development of embed­
ded controllers for a railway. Design Automation for Embedded Systems, 
6(4):355-366, July 2002.
[BW03] A. Butterfield and J. Woodcock. An operational semantics for Handel-C.
In FMICS workshop on Formal Methods for Industrial Critical Systems. 
Electronic Notes in Theoretical Computer Science, Elsevier, unknown 2003.
[CGJ'^Ol] Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith.
Progress on the state explosion problem in model checking. In Riehnhard 
Wilhelm, editor, Dagstuhl 10th Anniversary Conference: Informatics - 1 0  
Years Back, 10 Years Ahead, volume LNCS 2000 of Lecture Notes in Com­
puter Science, pages 176-194. Springer verlag, 2001.
[Cla] E.M. Clarke. Model Checking. The MIT Press.
[CohS9] Avra Cohn. The notion of proof in hardware verification. Journal of Auto­
mated Reasoning, 1989.
[CSP03] A. L. C. Cavalcanti, A. C. A. Sampaio, and J. C. P.Woodcock. A Refinement 
Strategy for Circus. Formal Aspects of Computing, 15(2-3):146-181, 2003.
[CYLROl] Hoon Choi, Byeongwhee Yun, Yuntae Lee, and Hyunglae Roh. Model check­
ing of s3c2400x industrial embedded SoC product. In Design Automation 
Conference Proceedings, pages 611-616. ACM, 2001.
[DC05] C. Proch D. Cansell, D. Mery. Modelling SystemC scheduler by refinement. 
In IEEE ISoLA Workshop on Leveraging Applications of Formal Methods, 
Verification, and Validation - ISOLA ’05, Loyola, College Graduate Center, 
Columbia, Maryland, September 2005.
[Dij76] E.W. Dijkstra. A Discipline of Programming. Prentice-Hall, 1976.
[Est05] Esterel Technologies, Esterel Technologgies 679 av. Dr. J. Lefebvre, 06270 
Villeneuve-Loubet, France. The Esterel v7 Reference Manual Version
232 J u ly  6 , 2 008
rBibliography
7.30 Initial IEEE standardization Proposal, November 2005. www.esterel- 
technologies.com.
[Fis97] C. Fischer. CSP-OZ: a combination of Object-Z and CSP. In H. Bowman
and J. Derrick, editors, Proc. 2nd IFIP Workshop on Formal Methods for 
Open Object-Based Distributed Systems (FMOODS), pages 423-438, Can­
terbury, UK, 1997. Chapman and Hall, London.
[Fre05] Leonardo Freitas. Model Checking Circus. PhD thesis. University of York,
2005.
[GE07] N. Grant and N. Evans. Towards the formal verification of a Java processor
in Event-B. In McEwan et al. [MSIW07], pages 425 -  442.
[GM93] M. J. C. Gordon and T. F. Melham. HOL a theorem proving environment
for higher order logic. University Press Cambridge, 1993.
[Gup92] A. Gupta. Formal hardware verification methods: A survey. Formal Methods
in System Design, 1, October 1992.
[Hal03] S. Hallerstede. Parallel hardware design in B. In Didier Bert, Jonathan P.
Bowen, Steve King, and Marina Walden, editors, ZB 2003: Formal Speci­
fication and Development in Z and B: Third International Conference of B 
and Z Users, Lecture Notes in Computer Science. Springer, June 2003.
[Hat95] L. Hatton. Safer C: Developing software in high integrity and safety-critical
systems. McGraw-Hill, 1995.
[Hil04] A. Hilton. High Integrity Hardware-Software Codesign. Computer science.
Open University, 2004.
[Hoa85] C. A. Hoare. Communicating Sequential Processes. Prentice-Hall Interna­
tional, Englewood Cliffs, New Jersey, 1985.
[Hol03] Gerard J. Holzmann. The SPIN Model Checker: Primer and Reference
Manual. Addison -  Wesley Professional, 2003.
[HROO] Michael R. A. Huth and Mark D Ryan. Logic in Computer Science Modelling
and reasoning about systems. Cambridge University Press, 2000.
[IEE02] IEEE. 1076 IEEE Standard VHDL Language Reference Manual, 2002.
[IEE03] IEEE. 1364-2001 IEEE Standard Verilog Language Reference Manual Re­
vision C, 2003.
[IEE05a] IEEE. 1666-2005 IEEE Standard System C Language Reference Manual,
2005.
[IEE05b] IEEE. 1850 IEEE Standard for Property Specification Language, 2005.
[Ifi99] W. Ifill. Formal development of an example processor (AEP) in AMN, C
and VHDL. Computer science. University of London, Computer Science 
Department, Royal Holloway, University of London, Egham, Surrey TW20 
QEX, Sept 1999.
J u ly  6 , 2 0 0 8  2 3 3
Bibliography
[Ifi02] W. Ifill. B specifications and proof of the AEP pipelined processor. 2002.
[Ifi03] W. Ifill. Combining B, CSP and Handel-C to Specify, Design and Verify
Hardware. Nov 2003.
[IS07] W. Ifill and S. Schneider. A Step Towards Refining and Translating B
Control Annotations to Handel-C. In McEwan et al. [MSIW07], pages 399 
-  424.
(ISSOI] W. Ifill, I. Sorensen, and S. Schneider. High Integrity Software, chapter
The Use of B to Specify, Design and Verify Hardware. Kluwer Academic 
Publishers, 2001.
[IST07] W. Ifill, S. Schneider, and H. Treharne. Augmenting B with control anno­
tations. In J. Julliand and O. Kouchnaxenko, editors, B2007:Formal Spec­
ification and Development in B, volume 4355 of LNCS, pages 399 -  424. 
Springer, January 2007.
[Joe92] M. B. Joesphs. Receptive process theory. Acta Informatica, 29(1):17 -  31,
February 1992.
[JOS' '^Ol] R. Jones, J. O’Leary, C. Seger, M. Aagaard, and T. Melham. Practical
formal verification in microprocessor design. IEEE Design & Test of Com­
puters, 18(4):16-25, July/August 2001.
(KG99] C. Kern and M. Greenstreet. Formal verification in hardware design: A
survey, 1999.
(KN02] R. Kaivola and N. Narasimhan. Formal verification of the pentium4 floating­
point multiplier. Technical report, Intel Corporation, JF4-451,2111 NE 25th 
Avenue, Hillsboro, OR 97124, USA, 2002.
[KSOl] Geofif Kassel and Graeme Smith. Model Checking Object-Z Classes: Some
Experiments with FDR. pages 445-452, University of Macau, Macau SAR, 
China, December 2001.
(LB03] Michael Leuschel and Michael Butler. ProB: A model checker for B. In Kei-
jiro Araki, Stefania Gnesi, and Dino Mandrioli, editors, FME 2003: Formal 
Methods, LNCS 2805, pages 855-874. Springer-Verlag, 2003.
[LM98] W. Luk and S. McKeever. Pebble: A language for parametrised and recon­
figurable hardware design. In Field-Programmable Logic and Applications 
From FPGAs to Computing Paradigm, volume 1482/1998, Springer Berlin 
/  Heidelberg, August/September 1998.
(LP07] M. Leuschel and D. Plagge. Seven at one stroke: LTL model checking for
high-level specification in B, Z, CSP and more, submitted to conference, 
2007.
(Mac05] Donald MacKenzie. Computing and the cultures of proving. Philosophical
Transactions of the Royal Society A: Mathematical, Physical and Engineer­
ing Sciences, 363(1835):2335 -  2350, October 2005.
2 3 4  J uly  6 , 2008
Bibliography
[MAV05] C. Metayer, J-R. Abrial, and L, Voisin. Event B  Language. RODIN, 2005.
[McM92] K. L. McMillan. Symbolic Model Checking: an approach to the state explo­
sion problem. PhD thesis, Caregie Mellon University, 1992.
[MoD99] MoD. Defence Standard: 00-54 (P<^ Tt 1) Requirements for Safety Related
Electronic Hardware in Defence Equipment. Part 1: Requirements. Issue 1 
edition, March 1999.
[Mor90] C. 0 . Morgan. Of wp and CSP. In A.J.M. van Gasteren, W.H.J. Feijen,
D. Gries, and J. Misra, editors. Beauty Is Our Business: A Birthday Salute
to Edsger W. Dijkstra, Monographs in Computer Science. Springer-Verlag,
April 1990,
[Mot04] Motor Industry Software Reliability Association. MISRA-C: 2004 Guide­
lines for use of the C language in critical systems, October 2004.
[MS95] Steven P. Miller and M. Srivas. Applications of formal methods, chapter
Formal Verification of the AAMP5 Microprocessor, pages 125-180. Prenice 
Hall International, 1995.
[MSOl] Alexandre Mota and Augusto Sampaio. Model-checking CSP-Z: Strategy,
tool support and industrial application. Science of Computer Programming, 
40(l);59-96, May 2001.
[MS06] A. McEwan and S. Schneider. A verified hardware development using
CSP|[B. In The Fourth ACM /IEEE International Conference on Formal 
Methods and Models for Co-Design. ACM/IEEE, July 2006.
[MS07] A. McEwan and S. Schneider. Modelling and analysis of the AMBA bus
using CSP and B. In McEwan et al. [MSIW07].
[MSIW07] Alistair A. McEwan, Steve Schneider, Wilson Ifill, and Peter Welch, editors.
volume 65 of Concurrent Systems Engineering Series. ISO Press, July 2007.
[NIM07] Chris Nettleton, Wilson Ifill, and Colin Marsh. Towards a demonstrably
correct Ada compiler. In Ada Letters, Hyatt Fair Lakes Hotel, Virgina, USA, 
November 2007. ACM SIGAda, Association for Computing Machinery.
[NSOl] D. Neilson and I. Sorensen. High Integrity Software, chapter Towards Zero
Defect Software, pages 23-42. Kluwer Academic Publishers, 2001.
[01106] I. Oliver. A Demonstration of Specifying and Synthesising Hardware using
B and Bluespec. Technical report, Nokia Research Centre, Itamerenkatu 
11-13 00180 Helsinki Finland, 2006.
[PS02] A. Papatsaras and B. Stoddart. Global and communicating state machine
models in event driven b: A ,simple railway case study. In ZB2002, pages
rn 458-476, 2002.
[PS04] J. D. Phillips and G. S. Stilles, An automatic translation of CSP to Handel- 
C. In I. East, J. Martin, P. Welch, D. Duce, and M. Green, editors, Com­
municating Process Architecures 2004. 108 Press, 2004, 2004.
J u ly  6 , 2 0 0 8  2 3 5
Bibliography
[RawOl] Paul Rawlins. Solidify verifies design’s behavior, online EETIMES, June 
2001, www.eetimes.com.
[Ros98] A. W. Roscoe. The Theory and Practice of Concurrency. Prentice-Hall,
1998.
[SawOO] Jun Sawada. Computer-Aided Reasoning: ACL2 Case Studies, chapter Ver­
ification of a Simple Pipeline Machine Model. Kluwer Academic Publishers, 
June 2000.
[SchOO] S. Schneider. Concurrent and Real-time Systems: The CSP Approach. John
Wiley and Sons, 2000.
[SchOl] S. Schneider. The B-Method: An introduction. Palgrave, 2001.
[Spi92] J. M. Spivey. The Z Notation. A Reference Manual. Prentice Hall Interna­
tional, 1992.
[SRC97] Mandayam K. Srivas, Harald Ruefi, and David Cyrluk. Hardware Verifica­
tion -  Methods and Systems in Comparison, volume 1287 of Lecture Notes 
In Computer Science, chapter Hardware Verification Using PVS, pages 156 
-  205. Springer-Verlag, 1997.
[SS06] Carey Sayer and Jeremy Sonander. Formal Verification of the AMBA 3 AXI
Bus System, online I. Q. Information Quarterly Magazine, 2006.
[Sta94] V. Stavridou. Formal Methods and VLSI Engineering Practice. The Com­
puter Journal, 37(2):96-113, 1994.
[Ste03] S. Stepney. CSP/FDR2 to Handel-C Translation. Technical report. Univer­
sity of York, June 2003.
[SWC02] A. C. A. Sampaio, J. C. P. Woodcock, and A. L. C. Cavalcanti. Refinement
in Circus. In L. Eriksson and P. A. Lindsay, editors, FME 2002: Formal 
Methods ~ Getting IT  Right, volume 2391 of Lecture Notes in Computer Sci­
ence, Copenhagen, Denmark, July 2002. Formal Methods Europe, Springer 
Berlin /  Heidelberg.
[TreOO] H. Treharne. Combining Control Executives and Software Specifications.
PhD thesis. Royal Holloway, University of London, 2000.
[TSOOj H. Treharne and S. Schneider. How to Drive a B Machine. In ZB2000, pages
188-208, 2000.
[TSG‘*'07] H. Treharne, S. Schneider, N. Grant, N. Evans, and W. Ifill. A Step Towards
Merging xUML and CSP||B. 2007.
[VAS05] VASG: VHDL Analysis and Standardization Group,
http://www.vhdl.org/vasg/. 1076.6-2004: VHDL Register Transfer
Level (RTL) Synthesis, 2005.
2 3 6  JULY 6 , 2 0 0 8
Bibliography
[YZ05] D. Toma Y. Zimmermann. Component Reuse in B Using ACL2. In H. Tre­
harne, S. King, M. Henson, and S. Schneider, editors, ZB 2005: Formal 
Specification and Development in Z and B, pages 279 — 298, Guildford, 
UK, April 2005. Springer.
J uly  6 , 2 0 0 8  2 3 7
Index
grd, 14
EVENTUALLY FUTURE, 218 
VARIANT, 217 
good TRACES, 30 
FROM-SET-INIT
PICTURING, 62 CONDITION NEXT
ANNOTATION LISTING, 111 
FALSE, 112 
TRUE, 111 
EXAMPLE CONTROLLER, 121 
EXAMPLE MACHINE, 121 
INITIAL-CONSISTENCY, 113 
OPERATION
PO , 110 
SYNTAX, 110 
CONDITIONAL NEXT 
CONTROLLER, 112 
FROM ANY
EXAMPLE CONTROLLER, 64 
EXAMPLE MACHINE, 63 
FROM ANY
CONTROLLER, 44 
FROM INTERLEAVED
ANNOTATION LISTING, 137 
PO , 136
FROM-ANY
INITIALISATION 
PO , 42 
LISTING FUNCTION, 46 
OPERATION
PO , 42 SYNTAX, 41 
PICTURING, 62 
FROM-ANY WITH I /O
LISTING FUNCTION, 90 
OPERATION
PO , 87 
SYNTAX, 87 
FROM-SET-INIT
LISTING FUNCTION, 46 
OPERATION
PO , 44 
SYNTAX, 43 
FROM-SET-INIT WITH I /O  LISTING FUNCTION 
OPERATION NAME, 91 
OPERATION SET, 91 
OPERATION
PO , 89 SYNTAX, 89 
FROM-SET
EXAMPLE CONTROLLER, 64 
EXAMPLE MACHINE, 64 LISTING FUNCTION, 46 
OPERATION
PO , 43SYNTAX,43 
PICTURING, 62 FROM-SET WITH I /O  
LISTING FUNCTION 
OPERATION NAME, 90 
OPERATION SET, 90 
OPERATION
PO , 88SYNTAX, 88
i/o iCONTROLLER, 91 
INTERLEAVED NEXT
ANNOTATION LISTING, 137 CONTROLLER, 138 
PO , 133 
SYNTAX, 133 
NEXT INVARIANT
ANNOTATION-CONTROLLER CONSISTENCY, 1C 
EXAMPLE MACHINE, 100 
MACHINE-ANNOTATION CONSISTENCY, 101 
OPERATION 
SYNTAX, 79
NEXT
2 3 8 J uly 6 , 2 008
Index
ACTION PREFIX, 26 CONSISTENCY CALCULATION, 38 
CONTROLLER, 26 
EXAMPLE CONTROLLER, 37 EXAMPLE MACHINE, 37 
INITIALISATION
PO , 26 
SYNTAX, 25 
LISTING FUNCTION, 28 OPERATION
PO , 25 SYNTAX, 25 
OPERATION WITH I /O  SYNTAX, 78 
PICTURING, 36 
PO  CALCULATION, 37 NEXT WITH I /O
CONSISTENCY CALCULATION, 99 EXAMPLE CONTROLLER, 98 EXAMPLE MACHINE, 97 
INITIALISATION
PO , 79LISTING FUNCTION
CONTROLLER INPUTS, 85 ENVIRONMENT INPUT TYPES, 85 
ENVIRONMENTAL INPUTS, 85 
FOR INITIALISATION, 85 
FOR OPERATIONS, 86 
OPERATION NAMES, 84 
OPERATION
PO , 80 
PO  CALCULATION, 98 SYNTAX, 81 
QUERY
LISTING FUNCTION OPERATION, 68 
OPERATION
PO , 66 
SYNTAX, 65 PICTURE, 73 
SELECT NEXT
EXAMPLE CONTROLLER, 121 EXAMPLE MACHINE, 121 
INITIAL-CONSISTENCY, 113 
INITIALISATION
PO , 108 SYNTAX, 108
LISTING FUNCTION, 1 0 9  OPERATION 
PO , 1 0 9  
SYNTAX, 10 8  SEQUENCE NEXT 
PO , 1 3 7
ACTION PREFIX 
NEXT, 2 6CONSISTENCY CALCULATION, 37 
GUARDED FUNCTION, 27 
INIT FUNCTION, 27 
INITIAL-CONSISTENCY, 28 STEP-CONSISTENCY, 29 
SYNTAX, 26 
A EP, 4, 183EXAMPLE MACHINE, 183 
EXAMPLE VHDL, 189, 190 
PIPELINED PROCESSOR, 183
AMN, 5, 7 
GUARDS, 1 4  PRECONDITION, 14 SELECT,14 
ANNOTATE MACHINE, 21  ANNOTATION CONSISTENT, 2 4  
ANNOTATION-CONTROLLER CONSISTENCY, 22  ANNOTATION-CONTROLLER CONSISTENT, 2 4
B, 1 7 7 , 1 8 4  
BDD, 181
BEFORE AFTER PREDICATE, 211 
BHDL, 4, 191STANDARD LOGIC VECTOR, 1 9 3  
B l u e s p e c , 19 5  
B T o o l k i t , 5 , 2 1 3  
BVHDL, 1 8 3
architecture, 184 
clock-EVENT, 186 
EXAMPLE, 201 
VHDL GENERATION, 186
Computational Tree Logic (CTL), 2 1 3  
CONSISTENCY FRAMEWORK, 21  Control Loop Invariant (CLI), 4 , 15  
PO , 1 7  
CONTROLLER FORM, 13 9  
HIDE
J u ly  6 , 200 8 239
Index
ANNOTATION CONSISTENT, 68 STEP-CONSISTENCY, 68 
SYNTAX, 68
I /OSYNTAX, 91 
IF-THEN-ELSE 
TRACE, 112 
CSP, 10, 177 
DIV,  200 ACTION PREFIX, 11 
CHANNELS, 11 
CSPM , 10, 213 
DIV, 11, 16
EXTERNAL CHOICE, 11 
FAILURES-DIVERGENCE, 2 0 0  
H a n d e l - C  t r a n s l a t i o n , 16 0  HIDING, 11
INDEX EXTERNAL CHOICE, 11 
INTERLEAVING, 11 INTERNAL CHOICE, 11 INTERRUPT, 11 
RECURSIVE DEFINITION, 11 
RENAMING, 11 
SK IP, 16 
SKIP, 11 
STO P, 15 TRACES, 10 
CSP, 4,13,177,225 
CSP-Z, 178, 198, 200
Esterel, 177, 197 
Event-B, 177
DYNAMICS, 210 
ESTABLISH, 207 
HARDWARE MODELLING, 201 
MAINTAIN, 207 
refinement, 205 
VARIANT, 206, 210
FDR2, 177 
FPG A , 4, 179
Guarded Substitution Language (GSL), 
6, 23
H andbl-C , 5, 177 CHANNELS, 216 SYNTAX, 12
HDL, 4 
I /O
guarded function, 92 
INIT function, 92 
INITIAL-CONSISTENCY, 92 
STEP-CONSISTENCY, 93 IF-THEN-ELSE
guarded function, 113 
INIT function, 112 INITIAL-CONSISTENCY, 113 
STEP-CONSISTENCY, 114 
SYNTAX, 112 
INDEX INTERNAL CHOICE, 11 
INITIAL-CONSISTENCY, 22 INITIALLY-CONSISTENT, 24 
INTERLEAVING
ANNOTATION CONSISTENCY, 140 
INIT FUNCTION, 139 
INIT-PAR FUNCTION, 139 STEP- CONSISTENCY, 141 
INTERRUPT
GUARDED FUNCTION, 45 
INIT FUNCTION, 45 INITIAL-CONSISTENCY, 47 
STEP-CONSISTENCY, 48 
SYNTAX, 44 
TRACE DEFINITION 
ANY, 46 SET, 46 SET-INIT, 46
LEMMACONDITION NEXT
ANNOTATION ENABLED TRACES, 118 
INITIAL ACTION, 120 
FROM .
ANNOTATION ENABLED TRACES, 55 
INITIAL ACTION, 60 
SINGLETON TRACES, 51 
INTERLEAVED NEXT
ANNOTATION ENABLED TRACES, 150 
DISJOINT OPERATIONS, 134 
ENDING INTERLEAVING, 147 
INTERLEAVING, 149 SINGLETON TRACE, 155 
NEXT
2 4 0 J u ly  6 , 200 8
Index
ANNOTATION ENABLED TRACES, 34 
INITIAL ACTION, 35 ’SINGLETON TRACE, 33 QUERY 
good, 70 
TERMINATION, 71 
I/O
ANNOTATIONS ENABLED TRACES, 97 
LTL, 215
M ACHINE, 7 
ANY, 213
C o m p o u n d  M a c h i n e , 184 
INCLUDES, 183, 207 
INITIA LISAT ION 
P O ,  9 INVARIANT, 184 
P r o c e s s  M a c h i n e  ( P R ) ,  184 
REFINEMENT, 186 
SEES. 183 
SELECT, 14
S i m p l e  M a c h i n e  ( S M ) ,  184 SYNTAX, 23 
VARIABLES, 184 
MACHINE CONSISTENT, 24 
MACHINE DEFINITION, 21 
MACHINE-ANNOTATION CONSISTENCY, 22 
m a c h in e - a n n o t a t io n  c o n s i s t e n t , 24MACHINE-CONSISTENCY, 8, 24 
MACHINE-CONTROLLER CONSISTENT, 24 
MODEL CHECKING
SMV, 180MODEL CHECKING, 181  
S o l i d i f y , 18 0
OBDD, 180 
OCCAM, 6, 12
P r o B , 2 1 2  
PROCESSOR
AAM P5, 181  
P e n t i u m 4 , 18 1  
PIPELINED, 1 9 4  
V IPE R , 18 1  
PROPERTY CHECKING, 18 0
REFINEMENT
ANNOTATION, 157
ALGORITHMIC, 157 EXAMPLE CONTROLLER, 165 
EXAMPLE MACHINE, 164 MACHINE PO , 131REFINEMENT CONSISTENT, 24
STEP-CONSISTENCY, 22STEP-CONSISTENT, 24
Synchronous Receptive Process The­
ory, 179
System-C, 177
theorem
CONDITION NEXT NON-DIVERGENCE, 116
FROM NON-DIVERGENCE, 50
NEXT INTERLEAVED NON-DIVERGENCE,
143NEXT NON-DIVERGENCE, 30 
QUERY NON-DIVERGENCE, 69 
I /O  NON-DIVERGENCE, 95
THEOREM PROVING, 181 
ACL2, 181 
HOL, 181 
Penelope, 181 
PVS, 181TRANSLATION
EXAMPLE HANDEL-C, 174 GUIDE, 176
Verilog, 179
VHDL, 179 
map, 184 
PACKAGES, 184 
PROCESSES, 9 
SENSITIVITY LIST, 9 SIGNAL ASSIGNMENT, 9 
SIMULATION, 9 
TESTING, 179
WATCH DOG TIMER, 199
WEAKEST PRECONDITION (WP), 13
Z, 177
SCHEMA, 199
July  6 , 2 008 241
