Abstract. Recent work on combining CSP and B has provided ways of describing systems comprised of components described in both B (to express requirements on state) and CSP (to express interactive and controller behaviour). This approach is driven by the desire to exploit existing tool support for both CSP and B, and by the need for compositional proof techniques. This paper is concerned with the theory underpinning the approach, and proves a number of results for the development and verification of systems described using a combination of CSP and B. In particular, new results are obtained for the use of the hiding operator, which is essential for abstraction. The paper provides theorems which enable results obtained (possibly with tools) on the CSP part of the description to be lifted to the combination. Also, a better understanding of the interaction between CSP controllers and B machines in terms of non-discriminating and open behaviour on channels is introduced, and applied to the deadlock-freedom theorem. The results are illustrated with a toy lift controller running example.
Introduction
Morgan's failures/divergences semantics for event systems [Mor90] enables the various CSP semantics to be given to B machines. These CSP semantics allow machines to be treated as CSP components within a concurrent system, and we can combine them with other CSP components using architectural operators such as parallel composition and abstraction.
Recent work [Tre00] has considered the interaction between a particular kind of B machine and a controller written as a (recursive) sequential CSP process. An important requirement of a controller for a machine is that it should invoke machine operations only within their preconditions. Previous results [Tre00] have identified conditions sufficient to guarantee P M to be divergence-free for a controller P and machine M, which ensures this important property. These results require identification of a control loop invariant (CLI) on the state of the B machine M, which must be true on every recursive call. This is established by considering the semantics of the B operations as they are called within the controller, and essentially computing the weakest precondition required to establish the CLI.
In combining communicating B machines, we use a particular architecture [ST02] to restrict the interaction between components, by ensuring that each B machine interacts only with its own controller. A system will be structured as a collection of B machines M 1 , ..., M n , each with its own CSP controller process P 1 , ..., P n . A controlled component is the parallel combination of a controller and its B machine, of the form P M.
Each M i is under the control of the corresponding P i , and the P i 's can also interact with each other. This architecture is illustrated in Fig. 1 . Interaction across the system can occur only between the CSP processes. This approach enables compositional verification, whereby we are able to verify properties of the entire system by obtaining results about smaller structures within the system. In particular, both CSP and B already have mature tool support which can be used to verify the components. The model-checker FDR [For97] performs model-checking on systems described in CSP, and is therefore suitable for analysing the controllers, individually and in combination. The paper provides theorems which enable results obtained (possibly with tools) on the CSP part of the description to be lifted to the combination 1 . We obtain a number of theorems in the various CSP semantic models.
In practice, we find that it is often the case that a property holds in a combined system for reasons associated with the state within the B components. In this case, the CSP controller descriptions need to be augmented with the relevant state information. This paper also provides theorems which support the required manipulations of CSP controllers.
Background

CSP events
CSP processes are defined in terms of the events that they can and cannot do. Processes interact by synchronising on events, and the occurrence of events is atomic. The set of all events is denoted by .
Events may be compound in structure, consisting of a channel name and some (possibly none) data values. Thus, events have the form c.v 1 , . . . , v n , where c is the channel name associated with the event, and the v i are data values. The type of the channel c is the set of values that can be associated with c to produce events.
For example, if trans is a channel name, and N × Z is its type, then events associated with trans will be of the form trans.n.z, where n ∈ N and z ∈ Z. For example, trans.3.8 is one such event.
A partial event, or (following [Sca98] ) partially completed datatype value is a channel name together with some values, but not necessarily all. For example, trans.3 is a partial event. Any channel is a special case of a partial event.
Given a set of partial events PE, we can define the set of events {| PE |} which are the completions of events in PE, as follows:
We use alphabetised CSP, so every process has an alphabet, which is the set of events whose occurrence requires its participation. The alphabet of a process P is denoted α(P). For the purposes of this paper we will require that the alphabet of any process is given by a set of channels C, so that α(P) {| C |}.
CSP controllers
A controller for a B machine is a particular kind of CSP process. To interact with the B machine, it makes use of control channels which have both input and output, and provide the means for controllers to synchronise with B machines. For each operation w ←− e(v) of a controlled machine with v of type T in (e) and w of type T out (e) there will be a channel e of type T in (e) × T out (e), so communications on e are of the form e.v.w.
S. Schneider and H. Treharne
Controller descriptions may also include assertions about the values of variables they are using. These are incorporated in CSP either as blocking assertions (which block if the assertion is false) or as diverging assertions (which diverge if the assertion is false), depending on the role they play in verification.
When we talk about a CSP controller P we mean a process which has a given set of control channels C. The controlled B machine will have exactly {| C |} as its alphabet: it can communicate only on channels in C.
Controller syntax
Controllers are generated from the following subset of the CSP syntax, as discussed in [ST02] .
P :: a → P|c?x → P|d!v → P|e!v?x{E(x)} → P|e!v?x E(x) → P| P 1 2 P 2 |P 1 P 2 | x|E(x) P| if b then P 1 else P 2 |S(p)
where a is a synchronisation event, c is a communication channel accepting inputs, d is a communication channel sending output values, e is a control channel, x is a data variable, v is a data value, E(x) is a predicate on x (it may be elided, in which case it is considered to be true), b is a boolean expression, and S(p) is a process expression.
The process a → P is initially prepared to engage in an a event, after which it behaves as P. The input c?x → P is prepared to accept any value x along channel c, and then behave as P (whose behaviour can be dependent on x). The output d!v → P provides v as output. The operation call e!v?x{E(x)} → P is an interaction with an underlying B machine: the value v is passed from the process as input to the B operation, and the value x is accepted as output from the B operation. If x meets the condition E(x) then the process behaves as P. If x does not meet the condition then the process diverges. On the other hand, e!v?x E(x) → P only allows e.v.x if E(x), otherwise the event is blocked. Behaviour subsequent to e.v.x is that of P.
The external choice process P 1 2 P 2 is initially prepared to behave either as P 1 or as P 2 , and the choice is resolved on occurrence of the first event. Binary and general internal choice are possible, though not used in the example presented here. The conditional choice if b then P 1 else P 2 behaves as P 1 or P 2 depending on the evaluation of the condition b. The process expression S(p) expresses a recursive call. Finally, processes can be defined using (recursive) definitions of the form S(p) P.
CSP semantic models
There are three semantic models used in this paper: the Traces model, the Stable Failures model, and the Failures/Divergences model. We introduce the relevant features of them here. Full details of these models can be found in [Ros97, Sch99] .
Traces
A trace is a finite sequence of events. A sequence tr is a trace of a process P if there is some execution of P in which exactly that sequence of events is performed. The set T [ [P] ] is the set of all possible traces of process P. The traces model for CSP associates a set of traces with every CSP process. If
] then P and Q are equivalent in the traces model, and we write P T Q.
The empty trace, containing no events, is written . More generally, a trace may be written as a sequence of events e 1 , e 2 , . . . , e n . The concatenation tr 1 tr 2 of two traces tr 1 and tr 2 is the sequence tr 1 followed by the sequence tr 2 . A trace tr may be restricted to a set of events A: this is written tr A and consists of the subsequence of tr's events that are in A. A trace tr may also have a set of events A hidden: this is written tr \ A, and corresponds to the subsequence of tr's events that are not in A.
For 
Stable failures
A stable failure is a pair (tr, X ) consisting of a trace tr and a set of events X . Such a pair is a stable failure of a process P if there is some execution of P on which tr is the sequence of events performed, reaching a state in which all events in X can be refused, and also no internal progress is possible. 
Failures and divergences
A divergence is a finite sequence of events tr. Such a sequence is a divergence of a process P if it is possible for P to perform an infinite sequence of internal events (such as a livelock loop) on some prefix of tr. The set of divergences of a process P is written
A failure is a pair (tr, X ) consisting of a trace tr and a set of events X . It is a failure of a process P if either tr is a divergence of P (in which case X can be any set), or (tr, X ) is a stable failure of P. The set of all possible failures of a process P is written
] then P and Q are equivalent in the failures-divergences model, written P FD Q.
The different models are used to analyse CSP systems with respect to different properties. This paper is concerned with the failures-divergences model, which is used to check for liveness properties such as divergencefreedom. If a system description includes the possibility of divergence (for example, if it includes internal events), then it is necessary to use the failures-divergences model to check for divergence-freedom.
An important relationship between the stable failures model and the failures divergences model is that if a process is divergence-free (i.e. its set of divergences is empty), then its failures are the same as its stable failures. This is captured in the following theorem:
This theorem is useful because it allows us to carry out analysis in the stable failures model, which is generally easier and more efficient, and to establish results which remain valid in the failures-divergences model. For example, once it has been established that a process P is divergence-free, then to check that it is deadlock-free (i.e. that (tr, α(P)) cannot be a failure of P for any tr), it is sufficient to check this in the stable failures model (that (tr, α(P)) cannot be a stable failure). The model-checker FDR [For97] can carry out divergence-freedom and deadlock-freedom checks mechanically. There are also CSP theorems (for example, Theorem 6.1 in this paper) for establishing that a process P is divergence-free.
B machines
The B-Method [Abr96a] develops systems in terms of machines, which are components containing state and supporting operations on that state. They are described in a language called Abstract Machine Notation. The most important aspect of B to understand for this paper is that B operations are associated with preconditions, and if called outside their preconditions then they diverge. A full description of the B-method can be found in [Abr96a, Sch01] . In this paper we will introduce the language through the example in Fig. 2 .
As exemplified in Fig. 2 , a machine is defined using a number of clauses which each describe a different aspect of the machine. The machine clause declares the abstract machine and gives its name. The variables clause declares the state variables that are used to carry the state information within the machine. The invariant clause gives the type of the state variables, and more generally it also contains any other constraints on the allowable machine states. The initialisation clause determines the initial state of the machine. In general this can be nondeterministic, but in our example the lift begins at floor 0. The operations clause contains the operations that the machine provides: these include query and update operations on the state. Operations are given in the format oo ←− op(ii) pre P then S end.
The declaration oo ←− op(ii) introduces the operation: it has name op, a (possibly empty) output list of variables oo, and a (possibly empty) input list of variables ii. The precondition of the operation is predicate P. This must give the type of any input variables, and can also give conditions on when the operation can be called. If it is called outside its precondition then divergence results. Finally, the body of the operation is S. This is a generalised substitution, which can consist of one or more assignment statements (in parallel) to update the state or assign to the output variables. Conditional statements and nondeterministic choice statements are also permitted in the body of the operation. Other clauses are also allowed (for example regarding machine parameters, sets and constants), but we are not concerned with them in this paper.
CSP semantics for B machines
Morgan's CSP-style semantics [Mor90] 
Observe that with this definition, Theorem 2.1 also holds for B machines M. We have a technique [Tre00, ST02] , based on control loop invariants, for establishing that a combination P M is divergence-free. In other words, previous results provide a means to establish that
{}. This paper is not concerned with that technique. Rather we are concerned with composing together a number of
{} for each pair. Hence a number of the theorems in this paper will include an assumption that
The assumption in particular cases can be discharged using the control loop invariant technique. Thus in this paper we are not concerned with looking at divergences, since we are working in the context that they have already been taken care of.
To summarise: in order to combine CSP process controller and B machines, we require a common semantic framework for these two formalisms. This commonality is provided by Morgan's CSP semantics for B machines, allowing us to associate a CSP semantics with a B machine written in the Abstract Machine Notation. This enables such machines to be treated as CSP processes in the sense that they can be composed (using CSP operators) with other CSP processes such as controllers. It is difficult to reason about such combinations, since in general the semantics of a B machine would have to be calculated explicitly in order to obtain the semantics of the combination. However, we do have some previous results [Tre00, ST02] which give techniques for proving divergence-freedom of combinations of the form P M. This paper is concerned with developing theorems underpinned by the theory of CSP which are applicable to such divergence-free combinations. 
A motivating toy example: a lift controller
As motivation for the results presented in this paper, and to introduce the relevant aspects of the Abstract Machine Notation, we consider a toy example of a collection of lift machines described in B, controlled by CSP controller processes. We will indicate the use of the theorems presented later in this paper. An individual lift is given in Fig. 2 . It describes a particular lift, indexed by i. We will then go on to define a system consisting of a collection of such lifts. The approach taken in this paper is motivated by the desire to model-check the system within FDR.
Individual lifts
The Lift machine provides three operations: i inc(nn) which moves the lift up nn floors, i dec which moves the lift down one floor, and a query operation i isZero which indicates whether or not the lift is on the ground floor. The CSP controller is also given in Fig. 2 . It interacts with a user through the events i up, i down, and i ground, and controls the lift accordingly:
• on i up.y, it calls i inc and moves the lift up y floors.
• on i down.y, it calls i dec y times or until it reaches the ground if this is sooner.
• on i ground, it is required to move the lift to the ground floor. To do this, it repeatedly checks (using i isZero)
whether the lift is on the ground floor, and if not then it moves the lift down a floor with i dec.
We are firstly interested in each controlled lift combination
which is pictured in Fig. 3 . We require as a minimum that this combination is deadlock-free and divergence-free. These properties are apparent in this simple example. Deadlock-freedom is immediate because the B machine is always willing to engage in any event required by the controller, and the controller itself is either waiting for an interaction from its environment or else ready to call a controller operation. Divergence could arise either (a) from a B operation being called outside its precondition, or (b) from an infinite sequence of internal events. In the case of (a), the only operation with a non-trivial precondition is i dec, and the controller is constructed so that i dec is only ever called when the lift is not at floor 0. In the case of (b), the lift will eventually reach the ground floor and so an infinite sequence of calls of i dec cannot occur.
In more complex examples the properties may not be so apparent, and it would be useful to be able to apply analysis tools to carry out model-checking on the combined system. However, no tools currently exist which can analyse a combination of B and CSP descriptions, so instead we analyse the descriptions separately and combine results. In particular, for considering properties such as deadlock and livelock we would aim to apply a tool such as FDR [For97] to the CSP part of the description, and deduce results about the controlled combination. In particular, once it has been established that the controller does not call operations outside their precondition, then the aim is that all deadlocking and divergent behaviour is essentially contained in the controller and can be identified without further reference to the B machine. It has previously been established [ST02] that, under appropriate conditions, the deadlock-freedom of a controller P implies the deadlock-freedom of a controlled combination P M. This result appears in this paper as Theorem 5.9 in Sect. 5.
We also establish in this paper (Theorem 6.1 in Sect. 6) that, under appropriate conditions, if P \ E is divergence-free, then so too is (P M) \ E.
These two theorems are exactly what is required. We have only to check that i LiftCtrl is deadlock-free to deduce the same for i LiftSys; and we have only to check that i LiftCtrl \ {| i inc, i dec, i isZero |} is divergence-free to deduce this for i LiftSys. These are both checks that are easily done using FDR.
However, the second check fails. The description of i LiftCtrl \ {| i inc, i dec, i isZero |} in fact contains a divergence arising from the infinite sequence i ground, i isZero.false, i dec, i isZero.false, i dec, . . . of i LiftCtrl. It is the machine i Lift that ensures that this cannot occur -but that machine was not included in the FDR analysis.
The problem is that some of the control flow is dependent on the state information maintained in the B machine, and so the useful theorems we have available are not directly applicable. We need to include the relevant state information in the description of the CSP controller. We do this by introducing a new variable f , and also introducing the expectation that the value true will be received on channel i isZero exactly when f 0. This is included as an assertion, as shown in Fig. 4 . It is straightforward to show that i LiftCtrl2(0) is an appropriate driver for i Lift (using control loop invariant f i floor which relates the CSP state to the state of the B machine). The proof that i LiftCtrl2(0) i Lift has no divergences involves establishing the truth of the assertion for the input bb on i isZero.
Introducing a diverging assertion means that i LiftCtrl2(0) trivially has a divergence (i.e. the behaviour when the assertion is not met), so it is not appropriate to check i LiftCtrl2(0) \ {| i inc, i dec, i isZero |} for divergence-freedom. However, in the context of i Lift we know the assertion will always be true, so we may replace the diverging assertion by a blocking one, and yield a controller with the same behaviour in the context of i Lift. The only difference is that this controller blocks rather than diverges when the assertion is false, and since the assertion is never false in the context of i Lift, the resulting behaviour is the same. This transformation is justified by Corollary 6.7 (given at the end of Section 6). Thus, we obtain a variant i LiftCtrl3(0) of the controller, such that i LiftCtrl3(0) i Lift FD i LiftCtrl2(0) i Lift. This is given in Fig. 5 . Now we have a transformation of the controller which is divergence-free when the internal events are hidden: i LiftCtrl3(0) \ {| i inc, i dec, i isZero |} is divergence-free, and this can be checked using FDR (given a bound on the number of possible consecutive i up events). So we are in a position to conclude that (i LiftCtrl3(0) i Lift) \ {| i inc, i dec, i isZero |} is divergence-free. Now Corollary 6.7 also allows the assertions of i LiftCtrl2(0) to be dropped completely, resulting in a controller i LiftCtrl4(0), whose behaviour does not depend on the value of the parameter f at all. This controller is given in Fig. 6 . Theorem B.5 in Appendix B yields that i LiftCtrl(0) is equivalent to i LiftCtrl. This establishes divergence-freedom of the original combination (i LiftCtrl i Lift) • The combination i LiftCtrl2(0) i Lift can be shown to be divergence-free using techniques from [ST02] .
• i LiftCtrl3(0) \ {| i inc, i dec, i isZero |} is divergence-free, and so
• And i LiftCtrl4(0) i Lift is equivalent to the original i LiftCtrl i Lift.
These results together establish the required result, i.e., the original combination of the lift and its controller, (i LiftCtrl i Lift) \ {| i inc, i dec, i isZero |}, is divergence-free. The state information was introduced into the controller purely to enable the verification to take place, and can be removed once the result has been established. The steps are shown in Fig. 7 .
We also deduce that (i LiftCtrl i Lift) \ {| i inc, i dec, i isZero |} is deadlock-free. This follows from deadlock-freedom of i LiftCtrl i Lift.
A collection of lifts
We will now combine the lifts into a single system together with a Dispatch and DispatchCtrl component which manages requests for lifts from buttons on the various floors. When a request for a lift is made from a particular floor, only one of the lifts needs to be sent. An example architecture made up of four lifts is pictured in Fig. 8 .
The Dispatch machine contains some algorithm for deciding which lift should be sent to a particular floor. It has an operation ii, nn, dd ←− send(ff ). On input of the floor ff to send a lift to, it provides as output the lift ii to be sent, the number of floors nn and the direction dd that lift ii will need to travel (as computed by Dispatch). Dispatch has another operation reset, which is called when all lifts return to the ground floor. The particular details of Dispatch are not relevant to this example and will not be given here.
The DispatchCtrl controller accepts requests along channel req: an input req?x is a request for a lift to go to floor x. It makes use of the Dispatch machine to decide which lift to allocate, and then sends the appropriate instruction to the relevant lift. The controller can also accept an instruction bottom to return all lifts to the ground floor. It is defined as follows:
Our overall system is then composed of the controlled lift components Lifts i 1..4
(i LiftCtrl i Lift) interacting with the DispatchCtrl Dispatch component, and with all events apart from req and bottom internal:
We will see in Section 8 that this system is deadlock-free and divergence-free.
Deadlock-freedom
This section introduces two new properties concerning process behaviour on channels: open on possible inputs, and non-discriminating. These are the key properties exhibited by B machines and CSP controllers respectively. As we shall see, considering components in terms of these properties enables many of the results from Sects. 5 and 6 concerning individual controlled components to be lifted to interacting collections of controlled components in Sect. 8. They also enable easier proofs of previously established results such as Theorem 5.9 in this section.
An essential requirement for controlled components is deadlock-freedom. This is easily checked in FDR, but only for processes that are expressed in CSP. Thus, we aim to establish a theorem that allows the deadlock-freedom of P M to be deduced from deadlock-freedom of P (which can then be checked using FDR).
In general, parallel composition does not preserve deadlock-freedom. Fortunately, in the case of CSP controllers and B machines, we are able to identify conditions which ensure that the processes involved interact on their common channels in a particular way, ensuring that introducing a B machine cannot introduce any new deadlocks. In other words, any deadlocks possible for the controlled component P M must already have been possible in P.
Open on possible inputs
The required property of the B machine is that it should always be able to accept any input for any operation, and be able to provide some output. The need for this property is precisely why only machines with non-blocking operations are permitted. If a machine meets this property then we will say it is open on the particular operations and inputs.
In CSP terms, this is defined formally for CSP processes Q as follows.
] and e ∈ PE, there is some w such that e.w ∈ X .
This will apply to B machines as follows: given any machine operation w ←− e(v), we would expect the machine to be open on any partial event of the form e.v 0 , which corresponds to passing the input v 0 to operation e. In other words, there should be some output w 0 which is made available by the machine (and hence does not appear in the refusal set X ).
The set of possible inputs for a machine will be all those partial events which correspond to operations being called with some input. The events are partial because they do not include the output values. 
Observe that in the cases of i inc and i dec there are no outputs, so the partial events are in fact complete events. Being open on these events means that they cannot be refused (since their output field is empty). There are two completions of the partial event i isZero: i isZero.true and i isZero.false. i Lift being open on this partial event means that at any stage at least one of these completions cannot be refused by i Lift.
The key property of non-blocking machines is that they will always be open on their possible inputs:
Lemma 5.4 Any (non-blocking) B machine M is open on pi(M).
This states in CSP semantics terms that any operation call with any input should always produce some result. Our approach is restricted to non-blocking B machines. In other words, operations w ←− e(v) must always be enabled (though they might be called outside their preconditions, which leads to divergence) and on any input they must provide some output.
Non-discriminating controllers
The condition on a controller P is that, whenever it calls an operation of the controlled B machine M, it should be able to accept any output provided by M. We call this property non-discriminating, and it can be expressed formally in CSP terms with the following definition.
Definition 5.5 A CSP process P is non-discriminating on a set of partial events PE if, for any failure (tr, X ) ∈ SF [[P]] and subset CV ⊆ PE, we have that
This definition states that if any event c.v.w can be refused (i.e. appears in the refusal set X ), then all the inputs on channel c.v (i.e. outputs from the B machine) could be refused: thus the refusal X can be augmented with {| c.v |}.
Example 5.6 The control process i LiftCtrl is non-discriminating on i isZero: at any stage, i LiftCtrl can either refuse all of {| i isZero |}, or else none of it. In terms of the definition, whenever some event from {i isZero.true, i isZero.false} can be refused, then all can be refused.
Observe that i LiftCtrl is also non-discriminating on {i inc.i | i ∈ Z} and on i dec. In fact a process will trivially be non-discriminating on complete events.
Controllers which do not include blocking assertions on the control channels are able to accept any output from the associated B machine whenever they call an operation with any particular inputs. Thus, they will be non-discriminating on the possible inputs to the machine. This is expressed by the following lemma:
Lemma 5.7 If P is a controller for machine M with no blocking assertions on any channels of M, then P is non-discriminating on the set pi(M) of M's possible inputs.
Proof. By structural induction on P.
Observe that this lemma is illustrated by i LiftCtrl in Example 5.6 above.
Establishing deadlock-freedom
We now have ingredients which are sufficient to deduce deadlock-freedom of P Q from deadlock-freedom of P. The idea is that the interface between P and Q is defined by a set of partial events PE: P should be non-discriminating on these partial events, and Q should be open on them. We can show that if P Q can deadlock, then so can P.
If P Q does have a deadlock state, then all events can be simultaneously refused in that state. For any partial event e, Q is open on e so Q cannot refuse all of {| e |}. Hence P must be refusing some event in {| e |}, and so because P is non-discriminating, P can refuse all of {| e |}. Thus, we find that all events in the interface can be refused by P in this state, and P cannot perform any other events either. Hence P is in a deadlocked state.
Consider this reasoning in the context of a controlled component. Consider a state of P M. If P in this state is not deadlocked, then either 1. P is ready to perform an event outside α(M). In this case, M cannot prevent that event, and the combination P M is ready to perform the event, and hence is not deadlocked; or 2. P is ready to perform an interaction with M. In this case, it is an operation call c with some input v. P is ready to accept any output from this operation call, since it is non-discriminating on c. 
Then there must be refusal sets X P and X Q such that X P ∪ X Q , with (tr α(P),
Now Q is open on PE so for each e ∈ PE there is some w such that e.w ∈ X Q . Since e.w ∈ X Q ∪ X P , it follows that e.w ∈ X P . But then (tr α(P),
. Thus P has a deadlocking trace, contradicting the assumption that P is deadlock-free. Finally, we obtain the following theorem for controlled components.
Theorem 5.9 If P is a CSP controller for M with no blocking assertions on any channels of M, and P is deadlock-free in the stable failures model, then P M is deadlock-free in the stable failures model.
Proof. This follows from Lemmas 5.4, 5.7, and 5.8, earlier in this section, by observing that P is non-discriminating on pi
(M) and M is open on pi(M).
This theorem is exactly what is required to establish deadlock-freedom of P M from deadlock-freedom of P. In fact a direct proof of this theorem in terms of the CSP semantics has previously been presented, in [ST02] . However, we find the identification of the properties non-discriminating and open yields more understanding as to why the theorem works and allows an easier proof of Theorem 5.9 and others.
Example 5.10 For example, consider the combination i LiftCtrl i Lift, in a state after some trace tr, in which {i isZero.true, i isZero.false} is refused. We know that i Lift is open on {| i isZero |}, so it cannot refuse the whole set {i isZero.true, i isZero.false}. Since the parallel combination does refuse that whole set, it must be that i LiftCtrl is refusing at least one of i isZero.true, i isZero.false. But i LiftCtrl is non-discriminating on i isZero, so this means that it can itself refuse the whole set {| i isZero |}.
The same reasoning applies to all partial events in the interface between i LiftCtrl and i Lift. Thus, if i LiftCtrl i Lift could reach a deadlock state, then all events in the interface would be refused by i LiftCtrl i Lift, and so they could also be refused purely by i LiftCtrl. Thus, i LiftCtrl would also have a deadlock state.
As observed previously, i LiftCtrl is deadlock-free. Hence Theorem 5.9 yields that i LiftCtrl i Lift is deadlock-free.
Restricting events to prevent divergence
The use of abstraction is essential in the compositional development of large systems. We will therefore generally need to hide control channels within controlled components. In the lift component example in Sect. 4, the channels i inc, i dec, and i isZero are hidden, leaving i up, i down, and i ground as the only external channels.
Since hiding has the potential to introduce divergence, we need to be able to establish when this does not occur. In particular, it would be useful to be able to check divergence-freedom of a controller P \ C using FDR, and to be able to deduce divergence-freedom of the controlled component (P M) \ C.
The following theorem on CSP processes P and Q gives such a condition.
Theorem 6.1 If P Q is divergence-free, and C ⊆ α(P), and P \ C is divergence-free, then (P Q) \ C is divergence-free.
Proof. Assume for a contradiction that tr
. From the semantics of hiding (given in Appendix A) there are two ways in which such a divergence can arise, either from a divergence of P Q, or from the introduction of the hiding operator. We consider each of these possibilities in turn.
1. If tr 0 arises from a divergence of P Q, then tr 0 tr 1 \ C where
. This contradicts the fact that P Q is divergence-free. 2. If the introduction of hiding introduces a divergence, then from the semantics of hiding we have
. This means that
, contradicting the fact that P \ C is divergence-free.
In both cases we obtain a contradiction, thus establishing the theorem. This is immediately applicable to controlled components (where the machine M is considered as the process Q) since C ⊆ α(P) as a consequence of our architecture. Thus, divergence-freedom of (P M) \ C follows directly from divergence-freedom of P \ C.
However, in practice it will often be the case that P \ C turns out not to be divergence-free, even if (P M) \ C is. For instance, in the lift example we found that i LiftCtrl \ {| inc, dec, isZero |} was not divergence-free, and instead we had to transform the controller description to i LiftCtrl3(0) in order to obtain a controller such that i LiftCtrl3(0) \ {| inc, dec, isZero |} is divergence-free. So it is necessary to identify theorems which justify such transformations.
Our approach is to identify behaviours of controller P which cannot occur in the context of the machine M under control. We then aim to find P such that 1. P is the same as P except (possibly) on the behaviours that have been identified, and 2. P \ C is divergence-free Thus, P M will be the same as P M. We are assuming that P M has previously been shown to be divergence-free: that P is an appropriate controller for M. Theorem 6.1 applied to P yields that (P M) \ C is divergence-free, and hence (P M) \ C is divergence-free. This is the approach that was taken in the lift example. The relevant behaviour that cannot occur in the context of i Lift is the output of false from isZero when the lift is at the ground floor. This behaviour is blocked in i LiftCtrl3(0). However, i LiftCtrl3(0) is the same as i LiftCtrl for all behaviours that are possible in parallel with i Lift.
The way we identify traces that cannot occur is to require divergence whenever they do occur, and then look for divergences. Given an upwards-closed set T ⊆ A * of traces (i.e. tr ∈ T ⇒ tr tr ∈ T ), we can express this by defining a new process DIV A (T ) which can perform any trace, can diverge on any trace in T , and cannot refuse any event before divergence.
The process DIV A (T ) can be used to mask behaviour in a process P. The process P DIV A (T ) behaves exactly as P, except that whenever a trace in T is performed then it diverges. Thus if we have the equivalence P DIV A (T ) FD P DIV A (T ), then P and P have the same behaviour except possibly with regard to traces in T , which are masked by the introduction of divergence.
Lemma 6.2 For any process P:
). We will prove that P R has the same divergences and failures as P. By the semantics of parallel composition (given in Appendix A) we have that
Lemma 6.3 If A ⊆ α(P) and P DIV A (T ) is divergence-free for some arbitrary upward-closed set of traces T , then P P DIV A (T ).
Proof. We are given that
{semantics of parallel}
Since the union of the two sets is empty, it follows that 
Hence P DIV A (T ) and P agree on their failures and divergences, establishing the result.
The following theorem allows a process P to be replaced by an alternative process P in the context of another process Q. In particular, if P does not diverge in the context of Q (i.e. P Q is divergence-free), and P is the same as P except on divergent traces of P, then P and P have the same executions when executed in parallel with Q (since none of P's divergent traces will be performed).
Theorem 6.4 If P, P and Q are such that
Proof. Let D DIV α(P) (D [[P]]).
P Q FD P DIV α(P) (D [[P]]) Q FD P Q The last step follows from Lemma 6.3 because P DIV α(P) (D [[P]]) Q is divergence-free.
This states that if P is different to P only with respect to where P diverges, and P Q does not diverge, then P and P behave the same in the context of Q. This follows because if P Q does not diverge, then none of the traces of P which lead to divergence are possible when executing in parallel with Q. Since P is exactly the same as P except for these traces, and Q prevents such traces from occurring, it follows that P Q is the same as P Q. Example 6.5 As an example to illustrate Theorem 6.4, consider the following processes. P and P have alphabet A {a, b, c}, and Q has alphabet {a, b}.
• Firstly, we see that P Q can only ever perform a and c events, and is deadlock-free. In particular, the process Q prevents P from performing the b event, the only event that can lead to divergence, since there is no point at which P and Q can agree to perform b.
• The behaviour of P after b occurs is different to that of P (which is divergent), but if b does not occur then P and P behave the same. Thus, P and P are the same except on the divergences of P.
• Finally, note that P and P have the same alphabet.
Thus, we can conclude that P Q FD P Q.
The reason this result is useful is because it supports the introduction and manipulation of assertions on the control channels. If we introduce a divergent assertion on a control channel between P and M, and we then establish that P M is divergence-free (using CLI techniques), then we can alter the behaviour of P when the assertion is false (in which case P diverges) and obtain a related controller P which matches P outside P's divergences, and for which P M FD P M. The aim is to obtain a controller P in this way for which P \ C is divergence-free.
The next lemma lists some ways in which diverging assertions within a controller can be transformed.
Lemma 6.6 If a controller P is obtained from controller P by replacing clauses of the form e!v?x{E(x)} → R(x)
with one of:
Proof. By structural induction on the form of P.
Thus, we obtain the following corollary for controlled components:
Corollary 6.7 If P M is divergence-free, then behaviour in P following an input which fails a diverging assertion can be changed in accordance with Lemma 6.6 without affecting the behaviour of the parallel combination.
This means that diverging assertions in P, once they have been discharged in a context M, can be replaced with blocking assertions, or else removed completely. This is precisely the justification for the transformation of i LiftCtrl2(i) to i LiftCtrl3(i): in the context of i Lift, i LiftCtrl2(0) does not diverge.
Abstraction and refinement
In this section we consider the verification of controlled components with respect to refinement specifications. We will begin by considering traces refinement, where the results are straightforward. We will then consider stable failures refinement.
In the case of traces refinement, we immediately have the following result.
Lemma 7.1 For any controller P and any B machine M we have that:
Proof. This follows immediately from the trace semantics of parallel composition, since α(M) ⊆ α(P):
This yields the following corollary.
Corollary 7.2
If S T P then S T (P M).
If S T P \ A then S T (P M) \ A
These follow from transitivity of refinement, and the second also uses monotonicity of the CSP operators (in this case hiding) with respect to refinement.
These results mean that it is sufficient to demonstrate a trace refinement S T P or S T P \ A purely on the CSP part of a controlled component, in order to deduce that it holds for the overall controlled component: S T P M or S T (P M) \ A respectively. In this way we can establish trace properties of controlled components.
When we consider stable failures, the situation is not so straightforward. In particular, a stable failures refinement of the form S SF P on a controller P can place liveness requirements on the interactions between P and its controlled machine. However, the introduction of the machine might violate the requirement even if P meets it. For example, if S c?x → S and P c?x → P, then S SF P. Yet if M is only prepared to perform c.1, and will block on c.0, then we find that S SF (P M).
Fortunately, we are able to obtain results in the case where the specification S is only concerned with the external events of P, and not the internal channels that P uses to interact with M. In this case we obtain the following theorem: 
Theorem 7.3 If
• P is non-discriminating on a set of partial events PE,
Proof. We aim to prove that
T [[(P Q) \ {| PE |}]] ⊆ T [[P \ {| PE |}]]; and 2. SF [[(P Q) \ {| PE |}]] ⊆ SF [[P \ {| PE |}]]
1. This is a case of Corollary 7.2 above.
Consider (tr, X ) ∈ SF [[(P Q) \ {| PE |}]]. We aim to prove that (tr, X ) ∈ SF [[P \ {| PE |}]].
From the semantics of hiding there is some tr such that tr \ {| PE |} tr and (tr ,
So there are X P and X Q such that:
Now X Q ⊆ {| PE |}, and X ∩ {| PE |} {}, so X ∩ X Q {}, and so X ⊆ X P . Now consider some e ∈ PE. There is some w such that e.w ∈ X Q , because Q is open on PE. However, e.w ∈ {| PE |}, and so e.w ∈ X P .
Since this is true for each e ∈ PE, we obtain that (tr , X P ∪ {| PE |}) ∈ SF [[P]] since P is non-discriminating on PE. It follows that (tr \ {| PE |}, X P \ {| PE |}) ∈ SF [[P \ {| PE |}]]
Finally observe that tr \ {| PE |} tr and X P \ {| PE |} X , since
Corollary 7.4 If P is a CSP controller for M, and P has no guards on any channels of M, then we obtain
The following corollary of Theorem 7.3 means that it is sufficient to establish a stable failures refinement on P \ α(M) in order to deduce it for the controlled component (P M) \ α(M).
Corollary 7.5 If P M is a controlled component, then S SF P \ α(M) and P has no guards on any channels of M then S SF (P M) \ α(M)
Observe that all the above results require that the CSP controllers are non-blocking on the channels they use to communicate with their controlled components. Without this property, the result fails to hold. For example, if M is a machine that is always prepared to output the value 0 on channel com, expressed in CSP as:
and P is a controller that requires the value 1 on com (to pass on to external channel out) and blocks other values:
Also observe that P is deadlock-free, but P M can deadlock.
Parallel combinations of controlled components
All the results of the previous sections have been presented as applying to a single CSP controller process P in parallel with a single B machine M. However, systems we are generally concerned with (such as the combination of lifts) have the form i (P i M i ), as illustrated in Fig. 1 . Many of the results we have obtained for a single controlled component can be lifted to combinations of components, and we will consider some of these in this section.
Divergence-freedom
Firstly, we consider divergence-freedom. It is straightforward to establish divergence-freedom of a combined system, using the following theorem from [ST02] .
This follows immediately from the semantics for parallel composition, which preserves divergence-freedom. Thus, we need only establish divergence-freedom for the component pairs, and the result follows.
Example 8.2
In the parallel lift system, since each of the controlled lift components is divergence-free, and since we are given that the controlled dispatcher component is divergence-free, it follows that the overall parallel combination of all the components of the multiple lift system is divergence-free.
Establishing deadlock-freedom
Associativity and commutativity of the parallel operator means that we can group the controller processes together and the machines together, rearranging the parallel composition as follows:
Now we can consider ( i P i ) as a CSP process, and ( i M i ) as another CSP process; and we are concerned with the parallel combination of these two processes.
The reason for grouping the components in this way is that the properties 'non-discriminating' and 'open' are preserved by parallel composition in CSP.
We can obtain results concerning the non-discriminating nature of a parallel combination of CSP processes:
If PE is a set of partial events such that each P i is non-discriminating on PE ∩ α(P i ) then i P i is non-discriminating on PE ∩ i α(P i ).
. Then there are refusal sets X i such that X i X i , and where (tr
, and P i is non-discriminating on PE ∩ α(P i ). It therefore follows, for each i, that (tr
, which completes the proof.
We obtain the following corollary.
Corollary 8.4
If P i is a collection of controllers for machines M i respectively, where each P i has no blocking assertions on any channels of its associated M i , then i P i is non-discriminating on the set i (pi(M i )).
Proof. This follows from Lemma 5.7 and Theorem 8.3.
Lemma 8.5 Any collection of (non-blocking) B machines M i has that
Lemma 8.5 states that if each machine is able to engage in any of its operations, then the parallel combination of all the machines is able to engage in any of the operations of any of its machines.
These two lemmas mean that the conditions for Lemma 5.8 are met for controllers with no blocking assertions:
This means that Lemma 5.8 is directly applicable to a collection of parallel controlled components, in which deadlock-freedom of the overall parallel combination follows from deadlock-freedom of the combination of controllers.
Theorem 8.6 Given a collection of CSP controllers P i and corresponding controlled machines M i , such that no controller has any blocking assertions on the control channels: then if i P i is deadlock-free in the stable failures model, then so too is i (P i M i ).
Proof. This follows from Corollary 8.4, Lemmas 8.5 and 5.8, by observing that i P i is non-discriminating on
In the example lift system, we have therefore only to check that
is deadlock-free (which is easily shown) to deduce this for the complete system. Observe that Theorem 8.6 applies to architectures in which machine operations can synchronise with a number of controllers. In other words, controllers can overlap on operations that they call. The theorem still requires that each machine M i has its own controller P i which is required to ensure consistency, but it allows other controllers P j also to synchronise on such operation calls.
We are also able to lift the results from Sect. 7 to parallel combinations.
Corollary 8.7
Given a collection of CSP controllers P i and corresponding controlled machines M i , such that no controller has any guards on the control channels: then
This is a corollary of Theorem 7.3 together with Lemma 8.5 and Corollary 8.4.
Divergence-freedom of lift system
We are really concerned with divergence-freedom of
Theorem 6.1 is the appropriate theorem to apply here. We need to split the system into P and Q such that P Q is divergence-free, and P \ C is divergence-free. The natural approach would take P as the combination of CSP controllers, and Q as the combination of B machines; verification could indeed be established by introducing assertions into the controllers along the lines of Sect. 4.
However, we have already established the individual lifts are divergence-free, so we can re-use this result by splitting the system differently, as pictured in Fig. 9 . P is DispatchCtrl, Q is the rest of the system, and C is the interface between P and Q: P DispatchCtrl Thus Lifts (P Q) \ C is divergence-free.
Guards and assumptions: a toy example
Our approach is dependent on the ability to verify that individual controlled components P i M i are divergence-free, and as mentioned previously this is done using the control loop invariant technique [Tre00, ST02] . This approach requires analysis of the controlled component in isolation.
However, when we consider the case of multiple concurrent controlled components, then correctness of any particular component might depend on the behaviour of the rest of the system. It is important to be able to incorporate relevant information about interactions between controllers into the analysis of individual controlled components. This is the reason for allowing guards and assumptions on the channels between controllers.
We will consider a toy example to illustrate the issues. Consider the machines Odd and Even of Fig. 10 . Observe that the possible inputs of these machines are given by:
Notice that oddget and evenget are partial events, which can be completed with an output value in each case. The oddput.n and evenput.n events are complete events corresponding to the input of a value.
These two machines are controlled by OddCtrl and EvenCtrl (Fig. 11) , respectively, where The machine Odd will accept and maintain only odd numbers, and Even will accept and maintain only even numbers. Now if we consider OddCtrl Odd in isolation, as illustrated in Fig. 12 , we see that OddCtrl accepts any value y along channel evenpass, and then provides y + 1 as input to oddput. Checking consistency will reveal that if y is odd, then oddput will be called outside its precondition, indicating that OddCtrl is not an appropriate controller for Odd.
However, we can see that the context of OddCtrl Odd, i.e., the rest of the system EvenCtrl Even, will ensure that the value provided for y will always be even. In fact, OddCtrl is a suitable controller for Odd in such a context.
We can include information about the guarantees provided by the context as guards on the input channels. In this case, we know that y will always be even, so we include this as a guard, adjusting OddCtrl to OddCtrl2. This is illustrated in Fig. 13 . There are similar requirements on the input to EvenCtrl (in this case, that the input z is odd), so we also include a suitable guard in EvenCtrl:
However, introducing the guards themselves is not sufficient -it is necessary to establish that the context of each controller really does ensure that the guards introduced on the input channels are met. This is expressed by including the guard conditions as assumptions at the points in the context controllers where they are provided as input. This addition results in the following controllers:
It is now possible to prove (using the standard control loop invariant technique) that OddCtrl3 Odd is divergence-free. This establishes that it will only ever provide odd outputs on oddpass, and will always correctly invoke its operations, provided it only ever accepts even numbers along evenpass. Similarly, divergence-freedom of EvenCtrl3 Even ensures that even numbers will only ever be passed along evenpass provided only odd numbers are accepted along oddpass. Each controller provides the correct context for the other.
The guards and assumptions were introduced to enable compositional verification: each controlled component can now be verified individually, with the necessary contextual information included in the controller description. When the components are combined, the guards and assumptions will have played their role in the verification and can be dropped. Thus we will be able to establish that
The technical justification for dropping the assumptions and guards is given by Theorem 8.14 below. Establishing this theorem is our next concern.
Manipulating guards and assumptions
Definition 8.8 For a controller P, we say that predicate E(x) is a uniform guard for input channel c if every appearance of c in P is of the form c?x E(x) → P , with E(x) as the guard.
For a controller P, we say that predicate E(v) is a uniform assumption for output channel c if every appearance of c in P is of the form c!v{E(v)} → P with E(v) as the assumption.
Definition 8.9
We define the following translations on controller descriptions: These translations can all be defined by structural induction over the syntax of controller descriptions in the standard way. Observe that the result of applying G a C is not a process controller (since it has guards on outputs), and hence will not be used to define a CSP controller. However, it is still a well-defined CSP process.
Example 8.10
The three translations on OddCtrl3 are as follows:
The following two lemmas are useful in the technicalities of the proof of Theorem 8.14. The first states that if each channel in a set of channels C is associated with a guard and matching assumption, then dropping the guards on the channels, and transforming the assumptions into guards, does not change the overall behaviour.
Lemma 8.11
Consider a family of process controllers P i , and set of channels C, such that for each channel c ∈ C there is some unique predicate E c (x) associated with c such that:
• E c (x) is a uniform guard on c for some P j ;
• every guard on c in any P j is either E c (x) or true;
• E c (v) is a uniform assumption on c for some P k ;
• every assumption on c in any P k is either E c (v) or true;
where for each c ∈ C, E c is the unique predicate characterised in the statement of the lemma. The alphabet of INV C is given by α(INV C ) {| C |}. Then INV C allows only communications on channels in C which meet the corresponding E c . Thus we have that
These steps are all justified by the semantics of parallel composition and of guards on channels. Essentially, the transformations are all possible because each channel c is blocked on ¬E c in the parallel combination.
The second lemma states that if each channel in a set of channels C is associated with a guard and matching assumption, and each controlled component is divergence-free, then the guards in their parallel combination can be dropped without introducing divergent behaviour.
Lemma 8.12
Consider a family of controlled components P i M i , and set of channels C, such that for each channel c ∈ C there is some unique predicate E c (x) associated with c such that:
• P i M i is divergence-free for each i.
Then it follows that
Proof. Using INV C as defined in the Proof of Lemma 8.11, we have that
Now assume that there is a divergence tr of ( i (N g C (P i ) M i ). We aim to obtain a contradiction.
•
, contradicting the fact that this process is divergence-free.
, then there is some event c · v in tr such that E c (v) does not hold. Let c 0 · v 0 be the first such event in tr. Then we can define tr 0 c 0 · v 0 to be the prefix of tr for which tr 0 ∈ traces(INV C ) and E c 0 (v 0 ) does not hold. Now E c 0 (v) is a uniform assumption on c 0 for some P k , so we obtain that the trace
But every event c · v in tr 0 has that E c (v) holds, and hence the trace is possible even in the presence of the guards in P k (since none of the events in tr 0 are blocked by the guards). Thus tr 0 c 0 · v 0 α(P k M k ) is a divergence of P k M k . But this contradicts the fact that P k M k is divergence-free.
Hence it follows that (
We also make use of a lemma following from Lemma 6.6, enabling assumptions to be dropped or replaced by guards as follows:
This follows from Corollary 6.7, and the fact that the translations G Finally, we obtain the following theorem, which enables matching guards and assumptions to be dropped if all the controlled components are divergence-free.
Theorem 8.14 If P i M i is divergence-free for each i, and for each channel c ∈ C there is an associated predicate E c such that
is the process P i with all assumptions and guards on channels in C removed. An informal picture of the proof in the case of two controlled components is given in Fig. 14 .
The following corollary describes the special case where each channel in C connects only two processes: Corollary 8.15 If P i M i is divergence-free for each i, and each channel c ∈ C is in the alphabet of exactly two of the P i , and for each channel c ∈ C there is an associated predicate E c such that
Weakening assumptions
Theorem 8.14 is applicable where the assumptions and guards on a channel exactly match. In general, we require only that the assumption on a channel is stronger than the guard. This is expressed by the following theorem.
Theorem 8.16 If P i
M i is divergence-free for each i, and for each channel c ∈ C there are two associated predicates E c and F c such that
• F c (v) is a uniform assumption on c for some P k ;
• every assumption on c in any P k is either F c (v) or true;
Proof. By Lemma 6.6 we can replace each assumption F c on channels c ∈ C in each P i by the weaker predicate E c . In each case let the resulting process be P i . Then by Lemma 6.7 we have that
Now the collection P i have matching uniform guards on the channels c ∈ C, and so Theorem 8.14 is applicable. Thus
as required.
Discussion
This paper has been concerned with providing the CSP underpinnings for developing controlled components consisting of B machines controlled by CSP controllers under a particular architecture. The work builds on the control loop invariant method for verifying individual controlled components in the context of the B Method, and develops results for combining such verified components.
All of the results presented in this paper have been developed using the CSP semantics of all the component processes. The emphasis has been on obtaining compositional results which enable existing CSP verification methods and tools to apply to our combined systems. These results enable a particular strategy for verification: transform system descriptions to equivalent forms which are amenable to CSP checking. In the simplest case, if the combination P M is equivalent to P M, and properties of P M can be established by analysing P (with CSP tools), then those same properties can be deduced for P M. So our approach is to transform a controller P to a process P which behaves the same way in the context of M.
Transforming system descriptions to enable pure CSP analysis may involve the introduction of state information within the CSP controller descriptions, so that the behaviour in the context of the underlying B machine is not affected. In this paper we have illustrated the use of this technique. This paper has obtained further results for this framework. It is often the case that controlled components are only correct in the context of the rest of the system. In this situation we will need to introduce assertions on the channels between CSP controllers, in order to establish divergence-freedom of the individual controlled components. Treating assertions as blocking or diverging in particular cases is a delicate issue and depends on the particular verification under consideration. We have developed theorems which justify the use of particular kinds of assertions. This paper has also provided results (whose proofs use the notions of non-discriminating and open) concerning refinement in the stable failures model:
under the appropriate conditions. This enables specified properties to be verified of combined systems. These results have been applied to a bounded retransmission protocol [EST03] for buffer-style properties, and in the Bank case study [TSB03] .
The toy examples and the case studies carried out to date have provided some experience in the way in which state, and conditions on it, are introduced into the CSP controllers. The necessary state emerges during the verification process in response to FDR checks that fail. Often it is some part of the B state that is simply duplicated in the CSP (as in our toy lift example) in order to enable verification. However, it is too early to identify patterns that may arise in this process (let alone automate it), and more case studies are being pursued.
Scalability of the approach is also a significant issue. Compositionality is a key ingredient of scalability, and it will be important to continue to identify ways in which both requirements and components can each be decomposed to minimise the amount of state required in each verification. This is the subject of ongoing research. In particular, the verification of a controlled component P M against a collection of requirements might require different state to be introduced into P for each requirement, as was found in the bounded retransmission protocol case study [EST03] . This is more efficient than including all the required state for all of the required properties at once, which could result in duplicating all of the B state in the CSP controller.
There are several other approaches to combining a process-style controller with a state-based system description (e.g., [But00, FL03, WC01, OW05]). The approach closest to ours is Butler's csp2B approach [But00] , which allows a CSP process to be conjoined to a B machine in a way which corresponds to a controller for an B machine. Recently [BL05] this has developed and been integrated into the ProB model-checker [LB03] . Their approach adopts the same semantic view as we have taken, matching CSP events with B operations.
The ProB approach allows a variety of CSP processes to be composed using parallel and interleaving operators, and then associates the resulting CSP description with a single B machine. Their verification of properties involves an analysis of the whole specification at once. Requirements that particular traces should be possible, and that others should not be possible (safety specifications) are encoded as CSP specification processes, and can be automatically checked using the ProB tool.
In our approach, we require a sequential CSP process to be associated with a B machine, and then allow a number of these to be composed, resulting in a collection of CSP controllers and B machines. This enables a compositional approach to verification, whereby CSP B components can be independently verified and then combined. Existing CSP model-checking technology such as FDR is applicable at the combination stage. To date verifying the CSP B components has been done by hand, but current research is investigating the use of ProB for this aspect.
Circus [WC01, WC02] and Event-B [Abr96b, ACM05] are two other approaches that are concerned with both state and behaviour. Both approaches integrate the state and behaviour descriptions into a single model where all parts of the model are visible to other parts. A key difference is that Circus makes use of two notations, a CSP-like language for behaviours, and a Z-like substitution language for state; whereas Event-B comprises of state descriptions of events, with behavioural aspects encoded into the event guards which dictate when they are enabled.
In both cases, this means that state information is directly available to the event-oriented parts of the description, in contrast to CSP B where the state in the B machines is strictly separated from the CSP processes, and has to be accessed via explicit operations. The Circus and Event-B approaches lead to very elegant and readable top-level descriptions, which can be more abstract in style. The CSP B approach is more explicit at the beginning about the system architecture, whereas in Circus and Event-B the architecture is evolved during the development process. Both approaches have emerging tools, but these are not yet (July 2005) industrial strength.
EB3 [FL03] has been specifically developed to address the needs of information systems and focuses on the specification level. It provides a state and behavioural description of a system. The behavioural model is processalgebra like. However, it is defined from a user's point of view where events are always enabled and they do not communicate outputs. The successful and erroneous execution of events is captured by another part of an EB3 model (I/O relations). A system trace must be examined using a recursive function to understand how the state changes. It is not straightforward to simply query the state to extract its value at any particular point in time. At present no tools exist for this method.
Another method which combines state and behaviour is CSP-OZ [Fis97] . Its style involves the use of process definitions within classes and resonates with the mixture of process descriptions and Z schemas in Circus. CSP-OZ has examined how to verify safety and liveness properties [OW05] , and this is achieved by behavioural subtyping relations between classes. New tools are also being built to support this method.
The key feature that distinguishes the CSP B approach from those discussed above is the ability to develop theory and at the same time explicitly make use of existing tool support on both the concurrency side and the state-based side. This is an important driver of the approach presented in this paper, and originally motivated the choices of CSP and B as the methods we chose to integrate.
A. Selected CSP semantics
In this appendix we give the semantic definitions of hiding and of parallel composition, used in the main body of the paper. 
A.1. Hiding
B. CSP state
State is captured in CSP by the use of parameters in processes which track the appropriate values. Such processes are generally defined using mutual recursion to specify how the state might be changed during execution. For example, a process CELL(x) which holds a single value x of type T for output, but which may also accept another value to hold, might be defined as follows:
This definition constitutes a family of definitions for a family of processes, one for each x, which are all defined in terms of each other. It may also be understood as a vector of process definitions indexed by T , the set of all the possible values that x can take. In general, for a CSP semantic model S, a vector of processes X indexed by I can be thought of as a member of S I , and is declared as follows: X : S I . Then X i is the ith element of the vector X . The vector can also be thought of as a function I → S. Thus X λ i : I • X i .
Then a family of functions F defining a mutually recursive set of processes is a function from one vector of processes to another: F : S I → S I . Each F i is a function S I → S. For example, the CELL definition above corresponds to a family of functions F indexed by T , in which each function is defined on a family of processes X also indexed by T . In this case, a particular function F x is the function 
B.2. Reducing the state
The following theorem allows recursively defined families of processes to be collapsed to equivalent forms. Theorem B.5 yields that COUNT (i) NEWCOUNT (c(i)) for all i, and so we obtain that COUNT (0) NEWCOUNT (0), and COUNT (i) NEWCOUNT (1) for any i > 0.
Theorem B.5 means that if the definition of a recursive process is independent of one of the parameters in its definition, then that parameter can be dropped from the definition without affecting the behaviour of the process.
For example, the behaviour of the process MOVE(i) of Example B.3 is independent of the value of i. This means that this parameter can be removed from the definition of MOVE without affecting its behaviour. In other words, each MOVE(i) process is equivalent to the process
Formally, this is justified by Theorem B.5 with the collapsing function given in Example B.3, which yields that
MOVE(i) M(c(i))
where c(i) 0, and M is defined by M(0) (up → M(0)) 2 (down → M(0)). The single index of M is redundant, and M(0) is equivalent to the version of MOVE given in Line (2).
Theorem B.5 also justifies the collapse of the process family LiftCtrl4(f ) from Sect. 4 to LiftCtrl. Conversely, state parameters can be introduced into a recursive definition without affecting the behaviour of the process. This is achieved by introducing parameters j to a family of processes P(i) in such a way that the resulting P(i, j) can be collapsed to the original P(i). For example, the parameter f can be introduced into LiftCtrl to obtain LiftCtrl4(f ). This can then be used as a basis for further transformations.
