A refinement checking based strategy for component-based systems
  evolution by Dihego, José et al.
A refinement checking based strategy for
component-based systems evolution
Jose´ Dihegoa,∗, Augusto Sampaiob, Marcel Oliveirac
aCoordenac¸a˜o de Informa´tica, IFBA, Feira de Santana-BA, Brazil
bCentro de Informa´tica, Universidade Federal de Pernambuco, Recife-PE, Brazil
cDepartamento de Informa´tica e Matema´tica Aplicada, UFRN, Natal-RN, Brazil
Abstract
We propose inheritance and refinement relations for a CSP-based component
model (BRIC), which supports a constructive design based on composition
rules that preserve classical concurrency properties such as deadlock freedom.
The proposed relations allow extension of functionality, whilst preserving be-
havioural properties. A notion of extensibility is defined on top of a behavioural
relation called convergence, which distinguishes inputs from outputs and the
context where they are communicated, allowing extensions to reuse existing
events with different purposes. We mechanise the strategy for extensibility ver-
ification using the FDR4 tool, and illustrate our results with an autonomous
healthcare robot case study.
Keywords: component extensibility, correctness by construction, behavioural
specification, CSP, FDR4
1. Introduction
Designing and reasoning about computational systems that interoperate in het-
erogeneous environments, and are expected to cope with a variety of applica-
tion domains, is a challenge of increasing importance. Modelling and analysis
∗Corresponding author
Email addresses: jose.dihego@ifba.edu.br; josedihego@gmail.com (Jose´ Dihego),
acas@cin.ufpe.br (Augusto Sampaio), marcel@dimap.ufrn.br (Marcel Oliveira)
Preprint submitted to Journal of Systems and Software May 22, 2020
ar
X
iv
:2
00
5.
10
29
5v
1 
 [c
s.S
E]
  2
0 M
ay
 20
20
techniques become manageable, and possibly scalable, when systems can be un-
derstood and developed by smaller (less complex) units. This is the core idea of
component-based model driven development (CB-MDD) [1], by which a system
is defined as a set of components and their connections. This has become an
essential infrastructure to the emergence of some other important development
paradigms like Service Oriented Computing [2] and Systems of Systems [3].
There are several component models for MDD such as, for instance, those
presented in [4, 5, 6, 7], and a variety of approaches to analyse and refine
component-based systems as, for example, the ones reported in[8, 9, 10]. Nev-
ertheless, formal support to component evolution, possibly involving an incre-
ment of interface via the addition of new functionality, has not been properly
addressed. Component inheritance arises as a natural aspect to be provided by
a CB-MDD approach, as a way to support evolution. It has been a successful
feature present in object oriented languages from the beginning [11, 12, 13];
however, differently from object-orientation, our focus is not on defining sub-
typing, but extension relations that preserve some notions of conformance, a
safe way to evolve component systems considering structure and behaviour.
To achieve this goal in a controlled manner, component inheritance must
obey the substitutability principle [14, 12]: an instance of the subcomponent
should be usable wherever an instance of the supercomponent was expected,
without a component, playing the role of a client, being able to observe any
difference.
Some works have proposed inheritance relations for behavioural specifica-
tions [11, 13, 15, 16, 17, 18]. The first four define behaviour in terms of pre-
and postconditions, and structure by method signatures (covariance and con-
travariance), but do not address reactive behaviour. Although the approaches
in [17, 18] consider active objects, they do not focus on structure. Further-
more, none of the mentioned works differentiate the nature of input and out-
put events nor the context in which they are communicated. This differentia-
tion is relevant for a large class of specifications (such as Enterprise JavaBeans
(EJB) [19], client-server protocols and Model-View-Controller (MVC) compo-
2
nents [20]) where components control outputs, while the environment controls
inputs. Finally, these works do not consider the impact of these relations over
behavioural properties, such as preservation of deadlock freedom. Therefore,
although these approaches deal with substitutability, the proposed inheritance
relations do not guarantee deadlock free evolutions, in some cases because it is
not an explicit concern [11] or just because it admits, implicitly, the introduction
of deadlock through weaker inheritance relations [17].
In the current work, we propose component extension relations that address
how components behave, how they are structured (channels and interfaces),
distinguish the nature of inputs and outputs and, moreover, guarantee safe
evolution by means of classical properties preservation.
We develop a fully formal and mechanised approach to component based
model driven development. Particularly, our work is in the context of BRIC
[21], which formalises the core CB-MDD concepts [1] (components, interfaces,
channels and behaviour) and, moreover, supports compositions, where dead-
lock freedom is ensured by construction. This approach covers not only tree
topologies, but also cyclic ones.
In previous work [22], we defined BRIC component refinement and inheri-
tance notions based on the concept of behavioural convergence. Here, we sig-
nificantly extend our previous work with the following contributions.
• Detailed proofs of lemmas that relate the proposed notions of inheritance,
as well as the proofs of theorems that relate inheritance with refinement,
and the fact that inheritance preserves deadlock freedom.
• A strategy, based on refinement checking, using the FDR4 tool [23], to
mechanically verify whether two given component models are related by
the proposed inheritance notions.
• An elaborate case study, an autonomous healthcare robot, used to illus-
trate the overall approach.
• A more detailed account of related work.
3
It is important to emphasise that the focus of this paper is on an infras-
tructure we have devised to formally and mechanically check model evolution
based on a notion of convergence. Nevertheless, an approach to design model
extensions that ensure convergence, in a constructive way, is out of the scope
of this paper. This important, complementary contribution, is considered as
one of our major topics for future work, and is discussed in more detail in the
concluding section.
We structure the paper as follows. Section 2 introduces the BRIC compo-
nent model. Section 3 presents a congruent semantics for BRIC, a refinement
notion and two inheritance relations, based on a concept called behavioural
convergence, which allows extensions but preserves conformance. A strategy
to mechanically verify conformance with respect to the proposed relations is
the subject of Section 4. Our results are illustrated by a case study of an au-
tonomous healthcare robot in Section 5. We conclude with related work in
Section 6 and summarise our contributions and future work in Section 7.
2. The BRIC component model
In the BRIC component model, one specifies components, connectors and
their behaviour in the Communicating Sequential Processes (CSP) language
[24]; BRIC provides a set of rules to assemble components. The behavioural
properties (particularly, deadlock freedom) of compositions using the BRIC rules
are guaranteed by construction, verified by local analyses [25], which include
cyclic networks [26]. More recently, some additional rules were proposed to
ensure livelock freedom [27, 28] and to avoid nondeterminism [29].
2.1. CSP
A process algebra like CSP can be used to describe systems composed of
interacting components, which are independent self-contained processes with
interfaces used to interact with the environment. Such formalisms provide
mechanisms to specify and reason about interaction between components. Fur-
thermore, phenomena that are exclusive to the concurrent world, that arise
4
from the combination of components rather than from individual components,
like deadlock and livelock, can be more easily understood and controlled using
such formalisms. Tool support is another reason for the success of CSP in in-
dustrial applications. For instance, FDR4 [23] provides an automatic analysis
of model refinement and of properties like deadlock, livelock and determinism.
Each of these classical properties is very complex to verify in a behavioural
model. In this context, we contribute to BRIC by developing a strategy to
evolve component specifications without introducing deadlock. More recently,
some additional rules were proposed [27] to also ensure livelock freedom.
Here we use the machine-readable version of CSP (CSPM [24]). The two
basic CSP processes are STOP (deadlock) and SKIP (successful termination).
The prefixing c -> P is initially able to perform only the event c; afterwards
it behaves like process P. A boolean guard may be associated with a process:
given a predicate g, if it holds, the process g & c?x -> A inputs a value through
channel c and assigns it to the variable x, and then behaves like A, which has
the variable x in scope; the process deadlocks otherwise. It can also be defined
as if g then c?x -> A else STOP. Multiple inputs and outputs are also pos-
sible. For instance, c?x?y!z inputs two values that are assigned to x and y and
outputs the value resulting from the evaluation of expression z.
The external choice P1 [] P2 initially offers events of both processes. The
engagement of the process in an event resolves the choice in favor of the process
that performs it. On the other hand, the environment has no control over the
internal choice P1 |~| P2. The sequence operator P1;P2 combines processes
P1 and P2 in sequence. The synchronised parallel composition P1 [| cs |] P2
synchronises P1 and P2 on the channels in the set cs; events that are not in cs
occur independently. Processes composed in interleaving, as in P1 ||| P2, run
independently. The event hiding operator P \ cs encapsulates (internalises) in
P the events that are in the channel set cs, which become no longer visible to
the environment.
In this work we use two denotational models of CSP: traces (T) and stable
failures, or just failures (F). A trace of a process P is a sequence of events that
5
it can perform and we define T(P) to be the set of all its finite traces. For
example T(e1 -> e2 -> STOP) = {〈〉, 〈e1〉, 〈e1, e2〉}. The set F(P) consists of
all stable failures (s,X), where s is a trace of P (s ∈ T(P)) and X is a set of
events P can refuse in some stable state after s. A stable state is one in which
a process can only engage in a visible event (registered in the process trace).
The invisible event is represented in CSP as τ ; it can happen, for example, in
the internal choice P |~| Q, which will be implemented as a process that can
take an invisible τ event to each of P and Q. We summarise this discussion in
Appendix A.
2.2. BRIC
A component is defined as a contract (Definition 1) that specifies its be-
haviour, communication points (or channels) and their types.
Definition 1 (Component contract). A component contract Ctr:〈B,R, I,C〉
comprises an observational behaviour B specified as a CSP process, a set of com-
munication channels C, a set of interfaces I, and a total function R : C 7→ I
between channels and interfaces of the contract, such that B is an I/O process.
We require the CSP process B to be an I/O process, which is a non-divergent
processes with infinite traces. Moreover, it offers to the environment the choice
over its inputs (external choice) but reserves the right to choose among its
outputs (internal choice). It represents a wide range of specifications, including
the server-client protocol, where the client sends requests (inputs) to the server,
which decides the outputs to be returned to the client.
Definition 2 (I/O process). We say that a CSP process P is an I/O pro-
cess if it satisfies the following five conditions, which are formally presented
in [25, 21]:
(1) I/O channels: Every channel in P has its events partitioned into inputs
and outputs.
(2) infinite traces: P has an infinite set of traces (but finite state-space).
6
PQ
P Q P
Interleave
Communication Feedback/
Reflexive
Figure 1: Composition rules
(3) divergence-freedom: P is divergence-free.
(4) input determinism: If a set of input events in P are offered to the envi-
ronment, none of them are refused.
(5) strong output decisive: All choices (if any) among output events on a
given channel in P are internal; the process, however, must offer at least one
output on that channel.
Contracts can be composed using any of the four rules available in the model:
interleaving, communication, feedback, or reflexive composition. Each of these
rules impose associated side conditions, which must be satisfied by the contracts
and channels involved in the composition in order to guarantee deadlock freedom
by construction.
The rules provide asynchronous pairwise compositions, mediated by buffers,
and focus on the preservation of deadlock freedom in the resulting component.
Using the rules, developers may connect channels of two components, or even of
the same component. The four rules are illustrated in Figure 1. Two of them,
feedback and reflexive, are merged (see the rightmost scheme in the figure) as
both entail connection of channels of a same component; more explanation is
presented in the sequel for the composition rule and the detailed formalisation
in Appendix B for the rest of the rules.
The interleave composition rule is the simplest form of composition. It
aggregates two independent entities such that, after composition, these entities
still do not communicate between themselves. They communicate directly with
the environment as before, with no interference from each other.
The communication composition (Definition 3) states the most common way
7
for linking channels [21] of two different entities. It is given in terms of asyn-
chronous binary composition of channels from P and Q (Definition 4).
Definition 3 (Communication composition). Let P and Q be two compo-
nent contracts, and ic and oc two communication channels. The communication
composition of P and Q (namely P [ic↔ oc]Q) via ic and oc is defined as follows:
P [ic↔ oc]Q = P 〈ic〉  〈oc〉Q
This rule assumes the components behaviours on channels ic and oc are
I/O confluent, strong compatible and satisfy the finite output property (FOP).
These properties are detailed in [30, 31, 25]: I/O confluence means that choosing
between inputs (deterministically) or outputs (non-deterministically) does not
prevents other inputs/outputs offered alongside from being communicated af-
terwards; two processes are strong compatible if all outputs produced by one are
consumed by the other, and vice versa; finally, FOP guarantees that a process
cannot output forever, so eventually it inputs after a finite sequence of outputs.
The resulting component P 〈ic〉  〈oc〉Q is the binary composition of P and Q
on channels ic and oc (Definition 4).
The asynchronous binary composition hooks two components, say P and
Q, with disjoint communication points, by their respective channels c and z.
Instead of communicating directly, their communications are buffered.
Definition 4 (Asynchronous binary composition). Let P and Q be two
distinct component contracts, and c ∈ CP and z ∈ CQ two channels, such that
CP and CQ are disjoint. Then, the asynchronous binary composition of P and
Q, P 〈c〉 〈z〉 Q, is given by:
P 〈c〉 〈z〉 Q = 〈BP ‖
{|c|}
BUFFnIO(R
c→z
IO , R
z→c
IO ) ‖
{|z|}
BQ,R
′, I′,C′〉
where C′ = (CP ∪ CQ)8{c, z}, R′ = C′  (RP ∪ RQ),
I′ = ranR′ and R a→bIO = {a.out.x 7→ b.in.x}.
In this composition, the channels c and z are combined such that output
events from one channel are consumed by input events of the other, and vice
8
versa. This correspondence is made by two mapping relations, R c→zIO and R
z→c
IO ,
which are used to input/output from the buffer BUFFnIO. The resulting compo-
nent behaviour is that of P synchronised with the buffer BUFFnIO(R
c→z
IO , R
z→c
IO )
on c and with Q on z. The interface, C′, of the resulting component, P 〈c〉 〈z〉 Q,
contains channels of both P and Q except for the hooked channels c and z
((CP ∪ CQ)8{c, z}). Therefore, only channels in C′ appear in the resulting rela-
tion R′ (S R restricts the domain of R to S) and in the resulting interface I′
(ranR′).
There are more complex systems that present cycles of dependencies in the
topology of their structure. The next two compositions, depicted together in
Figure 1, allow the link of two channels of a same entity without introducing
deadlock (it is proved by Theorem 1 from [21, 25]). The feedback composition
can only be used to assemble channels that are decoupled: ch1 and ch2 are
decoupled if the interleaving of the projected component behaviour on ch1 and
on ch2 is equivalent to the projected behaviour of the component on the set
formed of these two channels. This means that there is no interference between
these two channels (see Appendix B for a formal account). Reflexive compo-
sition is more general than the feedback rule, as it does not require channels
to be decoupled; however, it is also more costly regarding verification, since, in
general, it requires a global analysis to ensure deadlock freedom. These rules
ensure that systems developed in BRIC are deadlock-free. Theorem 1 is proved
in [21].
Theorem 1 (Deadlock-free Component Systems). Consider P a deadlock-
free component and c1 and c2 channels. Any system S in normal form, as defined
below, built from deadlock-free components, is deadlock-free.
S ::= P | S [9]S (interleave) | S[c1 ↔ c2]S (communication)
| S[c1 ↪→ c2] (feedback) | S[c1 ¯↪→ c2] (reflexive)
9
3. BRIC extensibility
In this section we present the main contributions of this work: the devel-
opment of inheritance relations for behavioural specifications that distinguish
inputs from outputs, in the context of rigorous trustworthy component devel-
opment, where structural aspects are also considered. Our relations rely on a
behavioural relation called convergence. It captures the idea that components
can evolve by accepting new inputs or establishing a communication session
after these inputs but the components are able to converge to the behaviour
exhibited by their abstractions. This is a concept that cannot be captured only
by the hiding operator as in the case of other inheritance relations [17]. The
reason is that, when hiding an event, it is removed from the traces a behaviour
exhibits but, in our inheritance relations, an event can have different meanings
based on the context it appears and, in some of these contexts we want to hide
them, in others we do not. This is exemplified by our motivating example.
Additionally, we propose a denotational semantics and a refinement notion
for BRIC components, which, alongside the proposed inheritance notions, make
it a fully formal approach to CB-MDD. In the sequel we present a motivating
example that illustrates the purpose and intuition behind this new behavioural
relation.
3.1. Motivating example
Consider a TV remote control that offers the options for controlling the TV
audio volume and switching between channels. It is represented by the device
TV_RC in Figure 2; the user presses the button C , then he can go forward or
backward on the channel list by pressing + or − , respectively. The same
applies when Grandpa wants to increase/decrease the TV volume by pressing
V . The user Boy wants to do more by having the option to adjust the TV
brightness and contrast by pressing the buttons ∗ and | , respectively. The
user Boy is aware of a lid on the device TV_RC’ (Figure 2), by which he can
access these new functionalities, which are unknown by Grandpa.
10
Grandpa Boy
C V
+
TV RC
−
C V
+ −
∗
TV RC’
Figure 2: TV remote control extension
We specify the behaviours of TV_RC and TV_RC’ in the LTSs (Labelled Transi-
tion System) depicted in Figures 3 and 4, respectively. The process TV_RC(c,v)
represents a state where channel c and volume v are the last values sent to the
TV. The user provides the input event vol to increase (up) or decrease (down)
the TV volume or ch to navigate forward (up) or backward (down) on TV chan-
nels. Status output events (st) acknowledge the user of its commands. Updates
in the volume or channel are captured by modular arithmetic; for instance,
(c+1)%Lc is addition modulo a maximum allowed value Lc for channels. Modu-
lar arithmetic avoids results outside the range between zero and the maximum
value Lc.
The process TV_RC’(c,v,b,cn) in Figure 4 extends TV_RC(c,v) by adding
the new input event sett, which occurs when the user opens the remote con-
trol lid; it gives access to the TV settings menu, in which the user can adjust
brightness (brig) or contrast (cont), whose values are registered by the state
variables b and cn, respectively. After providing brig or cont as input, it can
use the regular input events up and down to make the image adjustments, which
are echoed by output events through the channel st’.
If we consider TV_RC’(c,v,b,cn) as a valid extension to TV_RC(c,v) (in the
sense that it preserves convergence) we must decide which relation captures this
11
TV_RC(c,v)
ch vol
up down up down
TV_RC((c+1) 
 %Lc,v)
st.((c+1)%Lc).v
TV_RC((c-1) 
 %Lc,v)
st.((c-1)%Lc).v
TV_RC(c, 
 (v+1)%Lv)
st.c.((v+1)%Lv)
TV_RC(c, 
 (v-1)%Lv)
st.c.((v-1)%Lv)
Figure 3: Labelled transition system of the TV RC(c,v) process
kind of extension. Such a relation must allow new-in-context input events (those
that are not necessarily new in the process alphabet, but that are not among
the events offered by the process in a particular context), as sett, followed by
a finite number of new-in-context input/output events, as brig, up, and st’.
Furthermore, the extension must converge (offering what was expected before
the new-in-context event happened) to the original behaviour. For instance, this
is what TV_RC’(c,v,((b+1)%Lb),cn) does after the trace 〈sett, brig, up〉, see
Figure 4: it offers ch and vol, with the variables c and v unchanged by what
happened after sett. In summary, Grandpa can share the new TV remote
control with Boy, without being stuck with, or even perceiving, the new features.
One can recognise the CSP failures refinement as a candidate to capture the
relationship between TV_RC and TV_RC’, provided the new events are hidden in
the extension, but a closer investigation shows this is not the case. This happens
because the events up and down are also used in new contexts in TV_RC’ to adjust
brightness and contrast. This kind of relationship in which we use existing events
in a different context cannot be captured by failures refinement.
In [17] four subtyping relations are defined for behaviour specifications,
which allow functionality extension. The first issue with these candidate rela-
tions is that they do not differentiate inputs from outputs (as further discussed
12
TV_RC'(c, 
 v,b,cn)
ch
sett
vol
up down
brig cont
up down
TV_RC'((c+1)%Lc , 
 v, b, cn)
st.((c+1)%Lc).v
TV_RC'((c-1)%Lc, 
 v, b, cn)
st.((c-1)%Lc).v
TV_RC'(c, 
 (v+1)%Lv,b, cn)
st.c.((v+1)%Lv)
TV_RC'(c, 
 (v-1)%Lv, b, cn)
st.c.((v-1)%Lv)
up down up down
TV_RC'(c,v, 
 ((b+1)%Lb),cn)
st'.c.v.((b+1)%Lb).cn
TV_RC'(c,v, 
 ((b-1)%Lb),cn)
st'.c.v.((b-1)%Lb).cn
TV_RC'(c,v,b, 
 ((cn+1)%Lcn)
st'.c.v.b.((cn+1)%Lcn)
TV_RC'(c,v,b, 
 ((cn-1)%Lcn)
st'.c.v.b.((cn-1)%Lcn)
Figure 4: Labelled transition system of the TV RC’(c,v) process
in the next section) and, moreover, extensions can only be defined in terms of:
new events, which can be concealed (they may not be communicated but are
not made internal [17]), hidden (made internal), explained (in terms of existing
events) or restricted (completely forbids them). Except for hiding, the other
extensions are not directly supported by CSP, and none of them can capture
the intended relationship between TV_RC and TV_RC’.
The ioco (input-output conformance) relation [32] allows extensions to admit
new inputs (more functionalities) and to restrict outputs (more deterministic),
but it does not obligate extensions, after a new input, to adhere (converge) to
the original behaviour. Taking our example into account, ioco would admit
TV_RC’ to engage in sett and then behave as STOP (or anything else, including
a divergent process). Therefore, the user Boy would not be able to navigate
on the TV channel list, if he tried to adjust the image settings. Although ioco
is a relation adopted in the context of conformance testing, whereas we are
concerned with model evolution, we considered it here because it also allows
13
extension of functionality, but in a more restrictive manner than we need.
This discussion highlights the fact that the current behaviour relations can-
not cope with functionality extension in a scenario where we need to add new
events, to use existing events in different contexts and to distinguish input from
output events.
Before formalising convergence we need to say that TV_RC’ process, and in-
heritance behaviours in general, can be achieved by a variety of mechanisms,
including design patters. Nevertheless, this work does not address the mecha-
nisms to achieve convergent behaviours. In fact, our focus is on the definition of
convergence and how it can be mechanically verified to ensure deadlock freedom
in the evolution of behaviour component specifications.
3.2. Convergence
Inheritance in the object-oriented paradigm is a well known concept with
a comprehensive literature [11]. More recently, efforts have been made to ex-
tend this concept to process algebras as CSP. Notably, in [17] the author pro-
poses four types of behavioural inheritance relations for Labelled Transition
Systems (LTS). Although very promising, as already discussed, these relations
do not consider specifications that distinguish inputs from outputs, as required
in BRIC, in which a component behaviour is modelled as a CSP I/O process.
Since I/O processes must satisfy behaviour restrictions such as input determin-
ism and strong output decisiveness, we need relations that can capture these
restrictions. We base our approach on a concept of convergence: a convergent
process is allowed to do the same as or more inputs than its parent process, but
is restricted to do the same or less outputs in convergent points. A convergent
point represents a state reachable by both the original and the convergent pro-
cess when doing two convergent sequences of events; these sequences differ only
because the convergent process is allowed to do extra inputs (inputs not allowed
by the original process) in converging points. First, we formalise the concept of
convergent traces as follows.
In Definition 5 and others that follow, Σ stands for the alphabet of all
14
possible events, Σ∗ is the set of possible sequences of events from Σ, the input
events are contained in Σ (inputs ⊆ Σ) and in(T, t) is a function that yields the
set of input events that can be communicated by the I/O process T after some
trace t ∈ T(T ); therefore in has type I/OProcess × Σ∗ → P(inputs), where P
stands for the powerset. Additionally t1 ≤ t2 means that t1 is a prefix of t2.
A trace t′ (of a process T ′) is I/O convergent to a trace t (of a process T ) if
they are equal or if t = t1 ˆt3 and t
′ = t1ˆ〈ne〉ˆt′3 such that ne ∈ in(T ′, t1) but
ne /∈ in(T, t1) and t is I/O convergent to t1ˆt′3. This recursive definition means
that t′ and t might differ because T ′ can do new-in-context inputs (inputs not
allowed by T ) where T cannot, but, in spite of that, the trace t′ of T ′ has always
a counterpart t of T . In other words, a trace t′ is I/O convergent to a trace t if
they differ only by certain inputs allowed by T ′ but not by T . Also, because the
CSP hiding operator renames visible events (events that can appear in traces) to
the invisible event τ , it is not an alternative to define convergence, where events
have different meanings depending on the context they are communicated.
Definition 5 (I/O convergent traces). Consider an I/O process T . Let t
and t′ be two traces, such that t ∈ traces(T ). We say that t′ is an I/O convergent
trace of t (t′ cvg t) if, and only if:
(t′ = t) ∨

(#t′ > #t) ∧ ∃ t1, t3 : Σ∗, ∃ne : Σ |
t′ = t1 ˆ〈ne〉ˆt3 ∧ t1 ≤ t ∧
ne ∈ inputs ∧ ne /∈ in(T, t1) ∧
t1 ˆt3 cvg t


Based on the definition of convergent traces, we are now able to define be-
havioural convergence.
Definition 6 (I/O convergent behaviour). Consider two I/O process T and
T ′. T ′ is an I/O convergent behaviour of T (T ′ io cvg T ) if, and only if:
∀(t′, X) ∈ F(T ′), ∃(t, Y ) ∈ F(T ) •

t′ cvg t ∧
Y ∩ inputs ⊇ X ∩ inputs ∧
Y ∩ outputs ⊆ X ∩ outputs

15
An I/O process T ′ is convergent to T if, for any trace t′ ∈ T(T ′), there exists
a trace t ∈ T(T ), such that t′ cvg t, and T ′ after t′ can offer more or equal
inputs (Y ∩ inputs ⊇ X ∩ inputs) but is restricted to offer less or equal outputs
(Y ∩ outputs ⊆ X ∩ outputs) when compared with T after t.
Convergence is a more restrictive relation than those based solely on co-
variation of inputs and contravariation of outputs (such as ioco [32]), because
it requires, after a new-in-context event, the process to converge to its parent,
which allows extensions but ensures substitutability as we discuss later. Let us
consider the I/O processes T (Listing 1) and T ′ (Listing 2), whose LTSs are
depicted in Figures 5a and 5b, respectively. Recall that the suffixes in and out
are used to mark input and output events, respectively.
T = c.in.v.1 -> (c.out.v.1 -> T |~| c.out.v.2 -> T)
[]
c.in.v.2 -> (c.out.v.3 -> T |~| c.out.v.4 -> T)
Listing 1: I/O process T
T’ = c.in.v.1 -> (c.in.v.2 -> c.out.v.1 -> T’
[]
c.in.v.3 -> c.out.v.2 -> T’)
[]
c.in.v.2 -> c.out.v.4 -> T’
[]
c.in.v.3 -> (c.in.v.1 -> c.in.v.3 -> c.out.v.1 -> T’
[] c.in.v.2 -> c.out.v.3 -> T’)
Listing 2: I/O process T’(version 1)
T’ = c.in.v.1 -> ( c.in.v.2 -> c.out.v.1 -> T’
[] c.in.v.3 -> c.out.v.2 -> T’)
[]
c.in.v.2 -> c.out.v.4 -> T’
[]
c.in.v.3 -> c.in.v.4 -> (c.out.v.1 ->
(c.in.v.1 -> c.out.v.1 -> T’
[] c.in.v.2 -> c.out.v.4 -> T’)
16
T0
1
c.in.v.1
2
c.in.v.2
5
τ
6
τ
3
τ
4
τ
c.out.v.1 c.out.v.2 c.out.v.3 c.out.v.4
(a) Original process
T'
0
3
c.in.v.3
1
c.in.v.1
2
c.in.v.2
4
c.in.v.1
5
c.in.v.2
8
c.in.v.3
7
c.in.v.2
c.out.v.4
c.out.v.2c.out.v.1
6
c.in.v.3
c.out.v.3
c.out.v.1
(b) Convergent process
T''
0
1
c.in.v.1
2
c.in.v.2
3
c.in.v.3
13
c.in.v.2
14
c.in.v.3
c.out.v.4
4
c.in.v.4
c.out.v.1 c.out.v.2
5
τ
6
τ
10
c.out.v.1
7
c.out.v.2
11
c.in.v.1
12
c.in.v.2
8
c.in.v.1
9
c.in.v.2
c.out.v.2 c.out.v.3c.out.v.1 c.out.v.4
(c) Extended convergent process
Figure 5: I/O convergent behaviours
|~|
c.out.v.2 ->
(c.in.v.1 -> c.out.v.2 -> T’
[] c.in.v.2 -> c.out.v.3 -> T’))
Listing 3: I/O process T’(version 2)
Based on Definition 6, we have that T ′ io cvg T . To explain why this is the
case, let (t′, X) and (t, Y ) be failures of T ′ and T , respectively. Then, by a non-
exhaustive analysis, where {|c|} stands for all events that can be communicated
17
through the channel c:
• let (t′, X) = (〈c.in.v.3, c.in.v.1, c.in.v.3〉, {|c|} 8 {c.out.v.1}), which means
that after trace t′, T ′ can only communicate c.out.v.1, rejecting everything
else (i.e., {|c|} 8 {c.out.v.1}). Considering that (t, Y ) = (〈c.in.v.1〉, {|c|} 8
{c.out.v.1}) is a failure of T , we have t′ cvg t as c.in.v.3 is a new-in-
context input of T in both states 0 and 3 of its LTS (see Figure 5a); also
Y ∩ inputs = X ∩ inputs = {|c.in|} and Y ∩ outputs = X ∩ outputs =
{|c.out|} 8 {c.out.v.1};
• let (t′, X) = (〈c.in.v.1〉, {|c|} 8 {c.in.v.2, c.in.v.3}), which means that after
trace t′, T ′ can only communicate c.in.v.2 or c.in.v.3 rejecting everything
else. Considering that (t, Y ) = (〈c.in. v.1〉, {|c|} 8 {c.out.v.2}) is a failure
of T , we have t′ cvg t as equal traces are also convergent by definition;
also X ∩ inputs = {|c.in|} 8 {c.in.v.2, c.in.v.3}, X ∩ outputs = {|c.out|},
Y ∩ inputs = {|c.in|} and Y ∩ outputs = {|c.out|} 8 {c.out.v.2}.
A convergent I/O process can engage in more inputs so that, when converg-
ing, it can take more deterministic decisions on what to output. Nevertheless,
it can be useful to offer other events after a new input and before converging to
its original behaviour according to the relation. This extension to convergence
allows convergent processes to add more implementation details. We define this
relation in the traces and failures behavioural models in Definitions 7 and 8,
respectively.
Definition 7 (I/O extended convergent traces). Consider two I/O processes
T and T ′. Let t and t′ be two of their traces, respectively. We say that t′ is an
18
I/O extended convergent trace of t (t′ ecvg t) if and only if:
(t′ = t) ∨

(#t′ > #t) ∧ ∃ t1, t2, t3 : Σ∗, ∃ne ∈ Σ |
t′ = t1 ˆ〈ne〉ˆt2 ˆt3 ∧ t1 ≤ t ∧
ne ∈ inputs ∧ ne /∈ in(T, t1) ∧
set(t2) ∩ (in(T, t1) ∪ out(T, t1)) = ∅ ∧
t1 ˆt3 ecvg t


A trace t′ is I/O extended convergent to t if they are the same or if it is
possible to equate them by concealing each event ne that is offered by T ′ but
not for T after a common subtrace, say t1, of t and t
′ (ne /∈ in(T, t1), but
ne ∈ in(T ′, t1)); furthermore, since we allow more events after a new input ne,
we also conceal them (set(t2) ∩ (in(T, t1) ∪ out(T, t1)) = ∅).
Definition 8 (I/O extended convergent behaviour). Consider two I/O pro-
cesses T and T ′. We say that T ′ is an I/O extended convergent behaviour of T
(T ′ io ecvg T ), if and only if:
∀(t′, X) ∈ F(T ′), ∃(t, Y ) ∈ F(T ) • t′ ecvg t ∧

 Y ∩ inputs ⊇ X ∩ inputs ∧
Y ∩ outputs ⊆ X ∩ outputs

∨ (Σ8Y ⊆ X)

Definition 8 is very similar to Definition 6, but allows the extended con-
vergent process T ′ to accept any event not expected by T (Σ8Y ⊆ X) in an
extended convergent point of their execution (t′ ecvg t), provided a new input
ne (see Definition 7) has happened, marking the start of the extended convergent
behaviour of T ′.
We illustrate this definition with an example. Let us consider the processes
T (Listing 1) and T ′′ (Listing 3), whose LTSs are depicted in Figures 5a and
5c, respectively. By Definition 8, we have that T ′′ io ecvg T . To gather some
evidence that this is the case, we analyse a couple of failures of these processes.
Assume that (t′, X) ∈ F(T ′′) and (t, Y ) ∈ F(T ), then:
• considering (t′, X) = (〈c.in.v.3, c.in.v.4〉, {|c|} 8 {c.out.v.1}), we can find
(t, Y ) = (〈〉, {|c|} 8 {c.in.v.1, c.in.v.2}), such that t′ ecvg t, Σ8Y = {c.in.v.1,
c.in.v.2} and, therefore, Σ8Y ⊆ X;
19
• if (t′, X) = (〈c.in.v.1, c.in.v.3〉, {|c|} 8 {c.out.v.2}), we can find the failure
(t, Y ) = (〈c.in.v.1〉 , {|c|} 8 {c.out.v.2}), such that t′ ecvg t, X = Y and,
therefore, Definition 8 holds;
• finally, assuming (t′, X) = (〈c.in.v.2〉, {|c|} 8 {c.out.v.4}), we can find the
failure (t, Y ) = (〈c.in.v.2〉, {|c|} 8 {c.out.v.4}) and Definition 8 trivially holds.
As one might expect, extended convergence is a generalisation of conver-
gence, which comes from Lemmas 1, 2 and 3 proved in Appendix C. Consider
two traces with a common prefix; the first lemma ensures that if one of these
traces is convergent to the other, starting from that common prefix trace, it is
also extended convergent.
Lemma 1 (cvg implies ecvg on trace prefixing). Consider two I/O proc–
esses T and T ′ such that, t1ˆt3 ∈ T(T ) and t′ ∈ T(T ′). If t′ cvg t1ˆt3, where
t1 ≤ t′, then t′ ecvg t1ˆt3.
Lemma 2 formalises extended convergence as a generalisation of conver-
gence; therefore, if two traces are convergent they are also extended convergent.
Lemma 3 proves the same for I/O processes.
Lemma 2 (cvg ⊆ ecvg). Consider two I/O processes T and T ′, and t and t′
such that t ∈ T(T ) and t′ ∈ T(T ′). If t′ cvg t then t′ ecvg t.
Lemma 3 (io cvg ⊆ io ecvg). Consider two I/O processes T and T ′. If we
have T ′ io cvg T then T ′ io ecvg T .
3.3. Extensibility
Our definition of inheritance deals with component structural and behavior-
al aspects. Structurally, it guarantees that the inheriting component preserves
at least its parent’s channels and their types: if T ′ extends T we have that
RT ⊆ RT ′ . Regarding behaviour, they are related by convergence. Additionally,
it guarantees, for substitutability purposes, that the inherited component T ′
refines the protocols exhibited by common channels (default channel congruence,
20
as in Definition 9) or that additional inputs (new in context, see Definitions 6
and 8) over common channels are not exercised by any possible client of its
parent T (input channel congruence, Definition 10).
The BRIC component model restricts how components can be assembled
to avoid deadlock. Channel congruence aims at paving a safe way to extend
a specification by using convergence without introducing deadlock; it does not
reduce possible inputs, but disciplines the way in which existing inputs can be
used in convergent extensions. The simplest, but restrictive, form of achieving
this is by guaranteeing that the protocol over a channel must be refined, in the
failures classical sense (Definition 9).
Definition 9 (Default channel congruence). An I/O process Tdc has a de-
fault congruent channel, say c, to another I/O process T (Tdc def -cong(c) T ),
when there is a failures refinement relation between their projections over c:
F(Tdc \ (Σ 8 {c})) ⊆ F(T \ (Σ 8 {c})),
which is equivalent to F(Tdc |` {c}) ⊆ F(T |` {c})
A more flexible way is given by Definition 10: I/O processes Tic and T are
input congruent on an I/O channel c if, after both have done the same trace t,
either of the following holds:
i. if T cannot engage in any input, then Tic cannot input on c: it avoids
T ’s clients from deadlocking when interacting with Tic, since these clients
do not communicate (after the trace t) outputs on c to T , otherwise they
deadlock; therefore Tic, as T , cannot expect inputs on c after the trace t;
ii. if T is not able to input on c, Tic can only do it for events outside T ’s alpha-
bet: it avoids T ’s clients to engage in a possible unexpected communication
over c, which can (but not necessarily) lead to deadlock. It is worth saying
that in places where T can input over c, Tic can also input new-in-context
events over c; it is possible because they are offered in external choice, so T ’s
clients will not be able to communicate these new-in-context inputs offered
by Tic. This happens because T ’s clients are not ready to engage in these
21
new-in-context inputs; otherwise, this would mean that their composition
with T deadlocks, because T is not able to offer such new-in-context inputs.
An I/O process Tic has an input congruent channel c to an I/O process
T (Tic inp-cong(c) T ), if after a common trace t, such that (t,X) ∈ F(Tic)
and (t, Y ) ∈ F(T ), the following holds: T refuses to input (inputs ⊆ Y )
and Tic refuses to input over c ({|c.in|} ⊂ X) or T refuses to input over c
({|c.in|} ⊆ Y ) and Tic refuses the events on c that can be communicated by T
({|c.in|} 8 (αTic 8αT ) ⊂ X), where αTic and αT stand for the alphabets of Tic
and T , respectively. The formal definitions is as follows.
Definition 10 (Input channel congruence). Given two I/O processes Tic
and T , and a channel c, we say that Tic inp-cong(c) T if, and only if:
∀(t,X) ∈ F(Tic) • ∃(t, Y ) ∈ F(T )⇒

inputs ⊆ Y ⇒ {|c.in|} ⊂ X
∨
{|c.in|} ⊆ Y ⇒ {|c.in|} 8 (αTic 8αT ) ⊂ X

provided
(∃(t,X ′) ∈ F(Tic)⇒ X ′ ⊆ X) ∧ (∃(t, Y ′) ∈ F(T )⇒ Y ′ ⊆ Y )
In the definition above, the proviso guarantees that (t,X) and (t, Y ) are maximal
failures.
The following is the most important definition of this work, the component
inheritance relation, which allows behaviour extension and, moreover, guaran-
tees substitutability.
Definition 11 (BRIC inheritance). Consider T and T ′ two BRIC compo-
nents, such that RT ⊆ RT ′ . We say that T ′ inherits from T :
• by convergence: T ^cvg T ′ ⇔ BT ′ io cvg BT
• by extended convergence: T ^ecvg T ′ ⇔ BT ′ io ecvg BT
provided
∀ c : CT • (BT ′ def -cong(c) BT ) ∨ (BT ′ inp-cong(c) BT )
22
The provided clause guarantees that, when interacting with T ′, a component
originally designed to interact with T will not engage in T ′ extensions trigged
by inputs also used by T , which in T ′ have a different meaning.
3.4. Semantics and refinement
In this section, we contribute with a denotational semantics and a refinement
relation for BRIC. Furthermore, we show that the refinement and inheritance
relations form a hierarchy. We also prove that our relations preserve deadlock
freedom and moreover, that they respect the substitutability principle. We
start by defining a function SJ·K from a BRIC component to an underpinning
mathematical model. Consider the component T : 〈B,R, I,C〉, the semantics of
T is given by:
SJT K = (failures(B), {(c, failures(B |` {c.i})) | c ∈ C ∧ i ∈ I ∧ (c, i) ∈ R})
This semantics captures the relevant properties of a BRIC component: its
overall behaviour (given by the failures of the I/O process B that defines the
component behaviour) and those exhibited through its channels (a set of pairs
where each channel c maps into the failures of the overall behaviour projected
to c); such projected behaviours are crucial in composition rules. Whenever
the type of a particular channel c is known we can simplify its semantics to
SJT K = (failures(B), {(c, failures(B |` c.i)) | c ∈ C}). It is important to note
that we are not presenting SJ·K in a compositional manner, by induction on the
process structure; rather, the more concise and simpler presentation is sufficient
in this work. With a component semantics we can define a refinement notion
(monotonic with respect to the BRIC composition rules [33]).
Definition 12 (BRIC refinement). Consider two components T and T ′. If
we consider SJT K = (f, fp) and SJT ′K = (f ′, fp′), with f and f ′ standing for the
overall behaviour of T and T ′, and fp and and fp′ for the projected behaviours
on their channels, respectively, then we say that T ′ refines T (T vB T ′) if, and
only if:
(f ′ ⊆ f) ∧ (dom fp = dom fp′) ∧ (∀ c ∈ dom fp • fp′(c) ⊆ fp(c))
23
This definition ensures that T and T ′ have the same interaction points.
Moreover, it guarantees that the component behaviour of T ′ refines that of T ,
which is equivalent to:
(BT vF BT ′) ∧ (CT = CT ′) ∧ (∀ c : CT • RT (c) ⊆ RT ′(c))
Theorem 2 (proved in Appendix C) states that the refinement and inheri-
tance relations form a hierarchy. Component refinement is the strongest relation
between BRIC components; it implies inheritance. We can see refinement as the
strongest form of inheritance. As expected, inheritance by convergence is a more
strict form of inheritance than extended convergence, as their names suggest.
Theorem 2 (Hierarchy). The relations vB, ^cvg and ^ecvg form a hierar-
chy: vB ⊆ ^cvg ⊆ ^ecvg.
This concludes an important result that relates refinement and the notions
of inheritance based on (extended) convergence.
3.4.1. Substitutability
We prove, in Lemma 4, that BRIC inheritance preserves deadlock freedom.
A more interesting result, proved by Theorem 3, guarantees that a component T ′
can replace T , in any context produced by the BRIC composition rules, without
introducing deadlock, provided T ′ inherits by convergence from T . These results
are proved in Appendix C.
Lemma 4 (Inheritance preserves deadlock freedom). Consider T and T ′
two BRIC components, such that T is deadlock free. If T ^ecvg T ′ then T ′ is
deadlock free.
Theorem 3 (Substitutability). Let T and T ′ be two components such that
T ^ecvg T ′. Consider S[T ] a deadlock free component contract that includes, as
part of its behaviour, a deadlock free component contract T ; then S[T ′], which
stands for S with T replaced with T ′, is deadlock free.
Note that this result also holds for the other two relations (vB and ^cvg),
as a consequence of the hierarchy established by Theorem 2.
24
4. Checking convergence
Behaviour convergence and the relations built on top of it are the backbone
of this work; therefore, we must have an automated strategy to check whether
two I/O processes are related by convergence. We start addressing this issue
by choosing FDR4 (Failures-Divergence Refinement) [23] as the model-checker
to carry out the analysis; it seems a natural choice given the widespread use of
FDR4 both in academy and industry, which makes it a de facto standard tool
for analysing CSP specifications. Its method of establishing whether a prop-
erty holds is to check for the refinement between CSP specifications, internally
represented by labelled transition systems.
To check conformance of I/O Processes, say P and P ′, our strategy is to
construct, for each relation, a verification strategy of the form:
P ′ io cvg P ⇐⇒ GLB CV G(P ) vF P ′
P ′ io ecvg P ⇐⇒ GLB ECV G(P ) vF P ′
To explain how these parametrised GLB processes can be constructed, we
need to present some additional background on failures refinement, convergence
and I/O process alternative representations. Consider P an I/O process, then
cvg+P stands for a set of I/O processes such that: ∀P ′ ∈ cvg+P • P ′ io cvg P ;
it contains every I/O process convergent to P , including P itself. The set cvg+P
is infinite, which makes its use prohibitive for any implementation that aims to
traverse it. A finite subset of cvg+P is given by cvg+nP , which stands for the
P convergent processes whose depth differ from that of P by at most n. An
I/O process depth is given by the longest trace after which the process returns
(for the first time) to its initial state or, by considering its LTS, the maximum
number of transitions (labelled with visible events) from the initial state to itself.
An I/O process depth can be equivalently expressed in two ways: (a) in terms
of traces and failures-semantics or (b) based on its LTS representation, where
P
t
=⇒ P means that the I/O process P returns to its initial state after the trace
25
t:
(a) depth(P ) = max{#t | t ∈ T(P ) ∧ P ≡F P/t ∧ (6 ∃ s < t | P ≡F P/s)}
(b) depth(P ) = max{#t | P t=⇒ P ∧ (6 ∃ s < t | P s=⇒ P )}
For example, the depths of the processes in Figures 5a, 5b and 5c are, re-
spectively, 2, 4 and 5. The core of our strategy is to build a CSP process
GLB, such that it belongs to cvg+nP and every member Q of cvg+nP refines
it, GLB vF Q. Furthermore, if there is any other process, say R, which sat-
isfies this property, then R vF GLB. It means that the process GLB is the
Greatest Lower Bound [34, 24] of the set cvg+nP under the CSP failures refine-
ment relation (vF). Our intention is to construct GLB CV G(P ) to be failures
equivalent to GLB, GLB CV G(P ) ≡F GLB. Therefore, to verify if a process
P ′ is convergent to P , i.e., if P ′ belongs to cvg+nP , one needs only to verify
if GLB CV G(P ) vF P ′. The same reasoning applies to the extended conver-
gence relation. The next section details how we construct GLB CV G(P ) and
GLB ECV G(P ) for an I/O process P .
4.1. Building GLB CV G
Let P and P ′ be I/O processes that differ in depth by n. To test whether
P ′ io cvg P , we must build from P a new process GLB CV G(P ), which must
be able to do at most n new-in-context inputs in every state of P . Such a
process is, by Definition 6, convergent to P . As we stated before, any process
convergent to P (which differs in depth by at most n) must refine in failures
GLB CV G(P ). An important practical question to build GLB CV G(P ) is to
compute the new-in-context inputs for any state of P . Given a state of P , the
easiest way of computing the new-in-context inputs available is to know which
inputs can be accepted in this state; the result will be its complement. The
problem is that CSP does not have a native mechanism for backtracking a pro-
cess execution: we cannot synchronise on an event and then go back to the state
before this communication. A complicating factor is that we are dealing with
new-in-context events, not new-in-alphabet events; if this were the case, alpha-
26
betised parallelism and hiding could be sufficient to compare the behaviours of
the two components modulo the new events, as already demonstrated in [35].
To circumvent this problem we define an alternative representation for I/O
processes, with a finite LTS. We serialise an I/O process as a sequence of tuples
of the form (ev, a ev, l), for a particular state, where the event ev is possible
from this state and if it happens the next state can accept the events in the
sequence a ev, which is at the level l + 1. The initial state’s level is zero; each
subsequent state has the level of its immediate predecessor increased by one.
Let us consider a practical example on how an I/O process can be seri-
alised. Consider the process P in Figure 5a. We define two special events start
and end; these are used only as marking events, and will not be part of the
GLB CV G behaviour, but will play a role in its construction: start indicates
that a process is ready to engage by offering its initial events; end marks the
state where it is ready to come back to its initial state. Line 1 of P_serial
(see Listing 4) indicates that P can, initially (state level zero) accept c.in.v.1
or c.in.v.2; if c.in.v.1 happens (line 2, state level 1) then it can output
(non-deterministically) c.out.v.1 or c.out.v.2; if it outputs c.out.v.1 (line
3, state level 2) then it can only go back to its initial state (end). Note that we
follow a nested-structural pattern, which allows us to backtrack an I/O process
by traversing its serial representation in a recursive manner.
1 P_serial = <(start, <c.in.v.1, c.in.v.2>, 0),
2 (c.in.v.1, <c.out.v.1, c.out.v.2>, 1),
3 (c.out.v.1, <end>, 2),
4 (end, <>, 3),
5 (c.out.v.2, <end>, 2),
6 (end,<>, 3),
7 (c.in.v.2, <c.out.v.3, c.out.v.4>, 1),
8 (c.out.v.3, <end>, 2),
9 (end, <>, 3),
10 (c.out.v.4, <end>,2),
11 (end, <>, 3)>
Listing 4: Serialisation
27
A question that arises is how to deal with parallelism in such a represen-
tation. We take advantage of the fact that any parallel process has a unique
sequential representation in terms of the operators→, u and 2 [24]. This is the
background we need to present our strategy (Figure 6). Given an I/O process
P we serialise it as P serial, which is passed to the process CV G BUILDER;
CV G BUILDER(P serial) is our strategy to build precisely GLB CV G(P ),
by coordinating the processes EXEC and EXEC Q. CV G BUILDER tra-
verses the P serial tuples testing whether it has: (a) found an output event,
which makes it offer, prior to this output, all inputs in internal choice itera-
tively, for n times (behaving as EXEC), then recursing on the next branch of
P serial; (b) found an input event, in which case it offers in internal choice it-
eratively, for n times (by using EXEC Q) the complementary inputs, while en-
suring this complement do not take precedence over expected inputs; (c) reached
P serial end, then recursing to its start. Processes EXEC and EXEC Q rely
on the branch function to traverse all behavioural paths of P (subsequences of
P serial). The construction of GLB CV G(P ) ensures it offers, at any point, at
least n new-in-context inputs, therefore, a process P ′ convergent to P (differing
in depth by at most n) must refine GLB CV G(P ).
We detail these processes in the sequel, using the CSP syntax (Appendix
A). The process EXEC(evs, n), in Listing 5, offers the internal choice between
the events evs iteratively, up to n times. The process EXEC D (Listing 6) is
quite similar to EXEC but differs as it offers evs in external choice.
1 EXEC(evs,n) =
2 if n > 0 then
3 u x : evs @ ((x → EXEC(evs, n-1)) u
4 EXEC(evs, n-1))
5 else
6 SKIP
7 end
Listing 5: EXEC
1 EXEC D(evs,n) =
2 if n > 0 then
3 2 x : evs @ ((x → EXEC D(evs, n-1)) 2
4 EXEC D(evs, n-1))
5 else
6 SKIP
7 end
Listing 6: EXEC D
The process EXEC Q (Listing 7) combines EXEC and EXEC D in par-
allel. Let evs1 and evs2 be sets of events such that evs2 ⊆ evs1, then EXEC
28
P P serial
GLB CV G(P ) = CV G BUILDER(P serial)
CV G BUILDER
branch
us
es
EXEC
EXEC Q
u
ses
uses
EXEC D
uses
use
s
serialisation
P ′
input
input
output
GLB CV G(P ) vF P ′
Figure 6: Conformance checking strategy
offers evs1 8 evs2 in internal choice and EXEC D offers evs1 in external choice,
iteratively, up to n times, synchronising, in each step, on the set evs1 8 evs2.
EXEC Q(evs1, evs2, n) =
EXEC(diff(evs1, evs2),n)
‖
diff(evs1,evs2)
EXEC D(evs1,n)
Listing 7: process EXEC Q
channel start, end
e1((e, , )) = e
e2(( ,e, )) = e
e3(( , ,e)) = e
subset(s1,s2) = empty(diff(s1,s2))
Listing 8: Helper functions
Given a 3-tuple of an I/O process serialised representation, the functions e1,
e2 and e3 (Listing 8) yield the first, the second and the third element of the
tuple, respectively. We declare the aforementioned channels start and end and
define the function subset(s1, s2) to check whether s1 is a subset of s2.
The branch function (Listing 11) yields a local view of a serialized I/O
process: giving some event key at a particular level l, it provides the tuples (a
branch) reached from key (at level l) until the end mark (the event end). For
example, considering P_serial (Listing 4), the branch of the event c.in.v.1,
29
at the level one, and of the event c.out.v.2, at the level two, gives, respectively,
the local serialised views at Listings 9 e 10.
1 <(c.in.v.1, <c.out.v.1, c.out.v.2>, 1),
2 (c.out.v.1, <end>, 2),
3 (end, <>, 3),
4 (c.out.v.2, <end>, 2),
5 (end, <>, 3)>
Listing 9: Branch at level one
1 <(c.out.v.2, <end>, 2),
2 (end, <>, 3)>
Listing 10: Branch at level two
The branch function (Listing 11) works by finding the tuples, in a sequence
s, whose events are offered together, by looking for one of them, say key, at a
specific level l. If s is empty (line 2) the search is finished and the result remains
unchanged (line 3). Otherwise, we check if the current tuple has the event at
the level we are looking for (line 5); if it is the case, we append this tuple to the
result and call branch recursively, passing to it the remainder of the sequence
and setting the parameter b (marking the first occurrence of a tuple with key)
to true (line 6).
If we have found the key event (b is true, line 8), we must check if we have
not reached another branch of the process LTS at the same level (line 9), which
marks the end of our search (line 10), otherwise we append such a tuple to the
result and call branch to the rest of the sequence (line 12). If we have not yet
found the key, we maintain the result unchanged and recursively call branch to
the rest of the sequence (line 15).
30
1 branch(key,<>, l, b) = <>
2 branch(key,s, l, b) =
3 if (e1(head(s)) == key and e3(head(s)) == l) then
4 <head(s)> ˆ branch(key,tail(s),l, true)
5 else
6 if b then
7 if (e1(head(s)) != key and e3(head(s)) == l)
then
8 <>
9 else
10 <head(s)> ˆ branch(key,tail(s),l, b)
11 end
12 else
13 branch(key,tail(s),l, b)
14 end
15 end
Listing 11: branch function
1 CVG BUILDER(src,crt) =
2 if e1(head(crt))==end then
3 CVG BUILDER(src,src)
4 else
5 if subset(set(e2(head(crt))), inputs) then
6 EXEC Q(inputs, set(e2(head(crt))), GAP);
CVG BUILDER(src,crt))
7 u
8 2 x:set(e2(head(crt))) @ x →
9 CVG BUILDER(src, branch(x,tail(crt),
e3(head(crt))+1, false)
10 else
11 EXEC(inputs,GAP);
12 u x:set(e2(head(crt))) @ x →
13 CVG BUILDER(src,
branch(x,tail(crt), e3(head(crt))+1,
false))
14 end
15 end
16 GLB CVG(P) =
CVG BUILDER(P serial,P serial) \ {end}
Listing 12: CVG BUILDER and GLB cvg
The process CV G BUILDER (Listing 12) coordinates the auxiliary pro-
cesses we have seen in the procedure of building GLB CV G(P ) for an I/O pro-
cess P . Let src be the serialised representation of P and crt the serialisation of
a P ’s current execution branch. Both are parameters of the CV G BUILDER
process and are equal initially. If we have found the end of a branch (line
2), CV G BUILDER returns to P ’s initial state by making crt equal to src
(line 3) again. Otherwise it must offer an external choice between inputs (line
5) or an internal choice between outputs (line 10). In the first case, it has
the chance to execute up to n (n = GAP |GAP ∈ N) new-in-context in-
puts (line 6) before converging to P (lines 8 and 9). Note that only new
in-context-inputs (inputs 8 set(e2(head(crt))) are allowed to be executed non-
deterministically, as we cannot violate the external choice between expected
inputs set(e2(head(crt)); therefore we use the helper process EXEC Q to do
such a task. In the second case (line 10), before an internal choice between
31
outputs is offered, CV G BUILDER can do up to n inputs (line 11) before
converging to P (lines 12 and 13).
Therefore, if we consider the CSP processes T and T ′, whose labelled transi-
tion systems are depicted in Figures 5a and 5b, respectively, the following FDR4
assertions hold:
i. assert GLB_CVG(T_serial) [F= T’
ii. assert GLB_CVG(T_serial) [F= T
According to our strategy, the first assertion implies that T ′ io cvg T . The
second assertion is particularly not surprising: it comes from Lemma 2, by which
T io cvg T because T vF T .
4.2. Building GLB ECV G
The construction of GLB ECV G follows the same principles used to build
GLB CV G. The differences relate to some additional auxiliary processes,
mainly because GLB ECV G must be able to do, after a new-in-context in-
put, a sequence of any new-in-context events, before converging (Definition 8).
Processes EXEC D (Listing 6) and EXEC Q (Listing 7) remain as presented
before.
As we need to detect an occurrence of a new-in-context input before allowing
any new-in-context event we performed a subtle change in the EXEC process
(Listing 13): it acknowledges (by communicating the in ack event) every time
some event happens, making it possible to know when a new-in-context input
was communicated.
The process AFT IN (Listing 14) acts like a watcher for in acks events,
reverberating them by communicating the in rdt event. We model the process
EXEC AFTER IN (Listing 14) to catch the in rdt event and turn back to
EXEC. Note that, playing the role of watchers, both processes cannot force
anything to happen, so the successful termination, SKIP , is always a possibility.
32
1 EXEC(evs, n) =
2 if (n > 0) then
3 u x : evs @ (x → in ack → EXEC(evs, n -1)
4 u
5 EXEC(evs, n -1))
6 else
7 SKIP
8 end
Listing 13: processes EXEC
AFT IN = in ack → in rdt → SKIP 2 SKIP
EXEC AFTER IN(evs,n) =
in rdt → EXEC(evs, n) 2 SKIP
Listing 14: AFT IN and EXEC AFTER IN
1 EXEC Q AFT(evs1, evs2, evs3, n) =
2 (EXEC Q(evs1, evs2, 1) ‖
{|in ack|}
AFT IN )
3 ‖
{|in rdt|}
4 EXEC AFTER IN(diff(evs3, evs2),n)
5 EXEC AFT(evs1, evs2, evs3, n) =
6 (EXEC(evs1,1) ‖
{|in ack|}
AFT IN)
7 ‖
{|in rdt|}
8 EXEC AFTER IN(diff(evs3, evs2),n)
Listing 15: EXEC Q AFT and EXEC AFT
1 ECVG BUILDER(src,crt) =
2 if e1(head(crt))==end then
3 ECVG BUILDER(src,src)
4 else
5 if subset(set(e2(head(crt))), inputs) then
6 EXEC Q AFT(inputs, set(e2(head(crt))), all,
GAP-1);
7 ECVG BUILDER(src,crt)
8 u
9 2 x:set(e2(head(crt))) @ x →
10 ECVG BUILDER(src, branch(x,tail(crt),
e3(head(crt))+1, false))
11 else
12 EXEC AFT(inputs, set(e2(head(crt))), all,
GAP-1);
13 u x:set(e2(head(crt))) @ x →
14 ECVG BUILDER(src, branch(x,tail(crt),
e3(head(crt))+1, false))
15 end
16 end
17 GLB ECVG(P) =
ECVG BUILDER(P serial,P serial)
18 \ {end, in ack,in rdt}
Listing 16:ECVG BUILDER and GLB ECVG
The process EXEC Q AFT (Listing 15) acts like a wrapper to EXEC Q.
It is parametrised by three sets of events evs1, evs2 and evs3: the first two have
the same intent of their counterparts in EXEC Q, where the purpose of the
latter is to receive the set containing the events that can happen after a new-
in-context input of evs1 8 evs2 (line 1). After an input, EXEC Q synchronises
on in ack with AFT IN (line 2), which in turn communicates in rdt, at this
time synchronising with EXEC AFTER IN , which is responsible for offering,
iteratively, up to n times any evs3 8 evs2 (inputs or outputs) new-in-context
events (line 4).
Process EXEC AFT follows the same reasoning used in EXEC Q AFT ,
but it uses EXEC instead of EXEC Q: it is designed to be used before an
internal choice among outputs, therefore there is no need to retain the external
33
choice of expected inputs, as EXEC Q does.
The process ECV G BUILDER (Listing 16) coordinates the auxiliary pro-
cesses we have seen in the task of building GLB ECV G(P ) for an I/O pro-
cess P , based on its serialised representation src (line 1). It distinguishes
from CV G BUILDER by the use of the auxiliary processes EXEC Q AFT
and EXEC AFT instead of EXEC Q and EXEC, respectively. The process
EXEC Q AFT (line 6) can execute up to n (where n = GAP ) new-in-context
events (all = inputs ∪ outputs), but the first must be an input; as mentioned
earlier, it differs from EXEC AFT (line 12) as it preserves the external choice
among expected inputs.
Now if we consider the CSP processes T and T ′′ in Figures 5a and 5c,
respectively, the following FDR4 assertions hold:
i. assert GLB_ecvg(T_serial) [F= T’’
ii. assert GLB_ecvg(T_serial) [F= T
As before, the first assertion holds, which implies, according to our strategy,
that T ′′ io ecvg T and the second one, as a consequence of Lemma 2, from
where we know T io ecvg T because T vF T .
5. Case Study
We model an autonomous healthcare robot that monitors and medicates
patients, being able to contact the relevant individuals or systems in case of
emergency. It receives data from a number of sensors and actuates by injecting
intravenous drugs and/or by calling the emergency medical services and the
patient’s relatives or neighbours. We use the following data types (Listing 17):
BI (breath intensity), BT (body temperature), DD (drug dose), BGL (blood glucose
level), CL (call list, the relevant individuals to be called in the case of emergency),
DRUG (the drugs in the robot’s actuators), QUEST (the robot’s question list, to
ask the patient when its voice recognition module is used).
34
nametype BI = {1..5}
nametype BT = {34..41}
nametype DD = {0..5}
datatype BGL = low | normal | threshold | high
datatype CL = c911 | cFamily | cNeighbor | ack
datatype DRUG = insulin | painkiller | antipyretic
datatype QUEST = chest | head | vision | lst
datatype EVENTS =
breath.BI | bodyTemp.BT | bloodGlucose.BGL |numbnessFace.Bool |
fainting.Bool | cough.Bool | troubleSpeaking.Bool |
visionTrouble.Bool | chestDiscomfort.Bool | headache.Bool |
ask.QUEST| call.CL | administer.DRUG.DD
datatype IO = out.EVENTS | in.EVENTS
subtype BS = breath.BI | bodyTemp.BT | bloodGlucose.BGL
subtype I_BS = in.BS | out.BS
subtype IS = numbnessFace.Bool | fainting.Bool
subtype I_IS = in.IS | out.IS
Listing 17: Types
subtype VS = cough.Bool | troubleSpeaking.Bool
subtype I_VS = in.VS | out.VS
subtype TK = visionTrouble.Bool | chestDiscomfort.Bool |
headache.Bool | ask.QUEST
subtype I_TK = in.TK | out.TK
subtype PH = call.CL
subtype I_PH = in.PH | out.PH
subtype IVN = administer.DRUG.DD
subtype I_IVN = in.IVN | out.IVN
channel bodySen : I_BS
channel imageRec : I_IS
channel voiceRec : I_VS
channel talk : I_TK
channel phone : I_PH
channel intravenousNeedle : I_IVN
Listing 18: Types and channels
These types are composed into more elaborated ones whose data will be com-
municated through the channels used to connect sensors, actuators and phones
to the robot. The set EVENTS encompasses the data sent in and out of: the
body attached sensors (breath.BI, bodyTemp.BT and bloodGlucose.BGL), the
vision recognition devices (numbnessFace.Bool and fainting.Bool), the noise
recognition device (cough.Bool and troubleSpeaking.Bool), the voice inter-
action devices (visionTrouble.Bool, chestDiscomfort.Bool, headache.Bool
and ask.QUEST), the phone interface (call.CL) and the intravenous injection
actuator (administer.DRUG.DD).
An event in EVENTS can be communicated as an output to a component
and become an input to the other to which it connects by one of the BRIC
composition rules. We define IO as the set EVENTS where each value is tagged
with in and out, which differentiates inputs from outputs.
Each sensor/device communicates with the robot component via a specific
channel, according to this schema (Listing 18): bodySen, the body attached
sensors; imageRec, the vision recognition devices/sensors; voiceRec, the noise
recognition devices/sensors; talk, the voice interaction devices/sensors; phone,
the phone’s interface and intravenousNeedle, the intravenous injection actu-
35
ator. Each channel has its own type (a subset of IO) that involves only func-
tionality related events. As an example, consider a channel with the I_BS type
(I_BS ⊂ IO and BS ⊂ EVENTS), then it can communicate any event registered by
the body attached sensors: breath, body temperature and blood glucose level.
The behaviour of our healthcare robot is defined in terms of the I/O pro-
cess HC_BOT (Listing 19). It waits for the breath level indicator; if this level
is critical (< 3), then it behaves as MOD_CALL_P1 (module phone call prior-
ity one), which contacts a patient’s neighbour, the registered emergency ser-
vice and relatives, in this order; then it waits for at least two of them to ac-
knowledge before coming back to its initial state. Otherwise, the patient is
breathing normally, and the robot reads the noise sensor to check whether he or
she is coughing (voiceRec.in.cough?b). If so, it reads the body temperature
(bodySen.in.bodyTemp?t) and blood glucose (bodySen.in.bloodGluco se?g)
sensors. If the body temperature exceeds 38◦C, then it administers a dose of
antipyretic (intravenousNeedle.out.administer.antipyretic.d_ap). If the
blood glucose level is in the threshold or high, it administers the hormone in-
sulin (intravenousNeedle.out.administer.insulin.d_in), otherwise it just
comes back to its initial state. After administrating any drug, and before com-
ing back to its initial state, the robot must contact the patient’s neighbour and
relatives by behaving as MOD_CALL_P2 (module phone call priority two, Listing
19), in which case at least one of them must acknowledge.
If the patient is breathing normally but in silence, the robot asks the image
recognition module to inform about: any unusual sign in his face (imageRec.in.
numbnessFace?nf) or if he fainted (imageRec.in.fainting?f). If at least one
condition holds, the robot administers a painkiller (intravenousNeedle.out.
administer.painkill er.d_pk), calls the relevant individuals by behaving as
MOD_CALL_P1 (Listing 19). In any case, it goes to its initial state.
36
HC_BOT = bodySen.in.breath?x ->
if (x < 3) then bodySen.out.breath.x -> MOD_CALL_P1; HC_BOT
else voiceRec.in.cough?b ->
if (b) then bodySen.in.bodyTemp?t-> bodySen.in.bloodGlucose?g->
if(t > 38)
then |~| d_ap : DD @
intravenousNeedle.out.administer.antipyretic.d_ap ->
MOD_CALL_P2 ; HC_BOT
else
if (g == high or g ==threshold)
then |~| d_in : DD @
intravenousNeedle.out.administer.insulin.d_in ->
MOD_CALL_P2 ; HC_BOT
else HC_BOT
else
imageRec.in.numbnessFace?nf ->
imageRec.in.fainting?f ->
if (nf or f) then
|~| d_pk : DD @
intravenousNeedle.out.administer.painkiller.d_pk ->
MOD_CALL_P1; HC_BOT
else HC_BOT
MOD_CALL_P1 = phone.out.call.cNeighbor -> phone.out.call.c911 ->
phone.out.call.cFamily -> phone.in.call.ack ->
phone.in.call.ack -> SKIP
MOD_CALL_P2 = phone.out.call.cNeighbor ->
phone.out.call.cFamily -> phone.in.call.ack -> SKIP
Listing 19: HC BOT
HC_BOT_ACC = bodySen.in.breath?x ->
if (x < 3) then bodySen.out.breath.x -> MOD_CALL_P1; HC_BOT_ACC
else voiceRec.in.cough?b ->
if (b)
then bodySen.in.bodyTemp?t -> bodySen.in.bloodGlucose?g ->
if(t > 38)
then intravenousNeedle.out.administer.antipyretic.t%37 ->
MOD_CALL_P2 ; HC_BOT_ACC
else
if (g == high)
then |~| d_in_h : {3,4,5} @
intravenousNeedle.out.administer.insulin.d_in_h ->
MOD_CALL_P2 ; HC_BOT_ACC
else
if (g == threshold)
then |~| d_in_t : {1,2} @
intravenousNeedle.out.administer.insulin.d_in_t ->
MOD_CALL_P2 ; HC_BOT_ACC
else HC_BOT_ACC
else imageRec.in.numbnessFace?nf -> imageRec.in.fainting?f ->
if (nf or f) then |~| d_pk : DD @
intravenousNeedle.out.administer.painkiller.d_pk ->
MOD_CALL_P1; HC_BOT_ACC
else HC_BOT_ACC
Listing 20: HC BOT ACC
In BRIC, the healthcare robot is defined in terms of the CtrHC BOT contract
(Figure 7a). It behaves as HC_BOT and can interact with its environment by one
of its visible communication channels: bodySen, imageRec, voiceRec, phone
and intravenousNeedle.
The robot CtrHC BOT is able to diagnose and select the appropriate drug to
be administered. Nevertheless, this process abstracts from establishing an ap-
propriate drug dose given the seriousness of the patient condition; in fact it is a
nondeterministic decision. For example, consider the indexed nondeterministic
choice |~| ds:DD @ intravenous Needle.out.administer.antipyretic.ds,
which offers the events intravenousNeedle.out.administer.antipyretic.ds
for all values of ds in DD. No matter the seriousness of the fever, one might
know what will be the dose ds to be administered to the patient. The I/O
process HC_BOT_ACC (Listing 20) addresses the dose issue by using two cri-
teria: each degree above 38◦C corresponds to a unit of the prescribed an-
37
CtrHC BOT =̂
〈
HC BOT,

bodySen 7→ I BS, imageRec 7→ I IS,
voiceRec 7→ I VS, phone 7→ I PH,
intravenousNeedle 7→ I IVN
 ,

I BS, I IS,
I VS, I PH,
I IVN
 ,
{bodySen, imageRec, voiceRec, phone, intravenousNeedle}
〉
(a) CtrHC BOT
CtrHC BOT ACC =̂
〈
HC BOT ACC,

bodySen 7→ I BS, imageRec 7→ I IS,
voiceRec 7→ I VS, phone 7→ I PH,
intravenousNeedle 7→ I IVN
 ,

I BS, I IS,
I VS, I PH,
I IVN
 ,
{bodySen, imageRec, voiceRec, phone, intravenousNeedle}
〉
(b) CtrHC BOT ACC
CtrHC BOT TK =̂
〈
HC BOT TK,

bodySen 7→ I BS, imageRec 7→ I IS,
voiceRec 7→ I VS, phone 7→ I PH,
intravenousNeedle 7→ I IVN,
talk 7→ I TK

,

I BS, I IS,
I VS, I PH,
I IVN, I TK
 ,
{bodySen, imageRec, voiceRec, phone, intravenousNeedle, talk}
〉
(c) CtrHC BOT TK
Figure 7: Autonomous healthcare robots components
tipyretic (intravenousNeedle.out.administer.antipyretic.t%37, where %
is the CSP operator for modulo) and the insulin dose will be one or two units
if the blood glucose level is on the threshold, or greater than two, otherwise.
This behaviour extension is defined by the BRIC contract CtrHC BOT ACC
(Figure 7b). This healthcare robot version has a better (more deterministic)
decision-making mechanism on the drug dose to be administered to the patient
it monitors. By Definition 12, we have that CtrHC BOT vB CtrHC BOT ACC :
both components share the same channels with equivalent types (interfaces) and
have their behaviours related by failures refinement HC_BOT vF HC_BOT_ACC; it
can be verified by the FDR4 assertion assert HC_BOT [F= HC_BOT_ACC.
The CtrHC BOT ACC brings some improvements to CtrHC BOT . Never-
theless, the addition of new functionalities (or the enhancement of the existing
ones) cannot be always addressed by refinement, even if we hide the implemen-
tation details before trying to establish such a relation, as already discussed.
The component we present next, CtrHC BOT TK (Figure 7c), extends (inherits
from) CtrHC BOT ACC (Figure 7b) with the addition of a talk module, which
allows this robot to ask patients about their symptoms and thus can possibly
38
better help them.
The I/O process HC_BOT_TK (CtrHC BOT TK behaviour, Listing 21) im-
proves HC_BOT_ACC by being able to interact with patients via the voice simu-
lation/recognition device through the new channel talk. Together with the
events bodySen.in.breath?x, it offers, initially, the possibility of behaving
as MOD_TALK: it receives a chat request (talk.in.ask.lst), then collects in-
formation about chest discomfort (talk.in.chestDiscomfort?cd), headache
(talk.in.headache? hd) and vision problems (talk.in.visionTrouble?vt).
If the patient reports chest discomfort associated with headache or vision prob-
lems, the robot understands that a serious situation is under way and calls all
the relevant individuals by behaving as MOD_CALL_P1. In any case, it goes to its
initial state.
HC_BOT_TK =
bodySen.in.breath?x ->
if (x < 3)
then bodySen.out.breath.x -> MOD_CALL_P1; HC_BOT_TK
else voiceRec.in.cough?b ->
if (b) then bodySen.in.bodyTemp?t ->
bodySen.in.bloodGlucose?g ->
if(t > 38)
then intravenousNeedle.out.administer.antipyretic.t%37 ->
MOD_CALL_P2 ; HC_BOT_TK
else
if (g == high)
then |~| d_in_h : {3,4,5} @
intravenousNeedle.out.administer.insulin.d_in_h ->
MOD_CALL_P2 ; HC_BOT_TK
Listing 21: HC BOT TK
else
if (g == threshold)
then |~| d_in_t : {1,2} @
intravenousNeedle.out.administer.insulin.d_in_t ->
MOD_CALL_P2 ; HC_BOT_TK
else HC_BOT_TK
else
imageRec.in.numbnessFace?nf -> imageRec.in.fainting?f ->
if (nf or f)
then |~| d_pk : DD @
intravenousNeedle.out.administer.painkiller.d_pk ->
MOD_CALL_P1; HC_BOT_TK
else HC_BOT_TK
[]
MOD_TALK ; HC_BOT_TK
MOD_TALK = talk.in.ask.lst ->
talk.out.ask.chest -> talk.in.chestDiscomfort?cd ->
talk.out.ask.head -> talk.in.headache?hd ->
talk.out.ask.vision -> talk.in.visionTrouble?vt ->
if (cd and (hd or vt)) then MOD_CALL_P1 else SKIP
By Definition 11, we have that CtrHC BOT ACC ^ecvg CtrHC BOT TK .
Note that the attempt to establish a failures relation between HC_BOT_ACC and
HC_BOT_TK, provided the events communicated through talk are hidden on the
latter, fails: as the FDR4 assertion HC_BOT_ACC [F= HC_BOT_TK \ {|talk|}
proves. This shows that convergence and inheritance, in the behavioural and
component level perspectives, provide an entire new approach to evolve com-
ponent based specifications, whilst preserving deadlock freedom. The resulting
component hierarchy is depicted in Figure 8.
39
This hierarchy guarantees important results when composing the healthcare
robot. Suppose we have a drug storage component CtrDRUG STR that dispenses
drugs, as requested, and informs, afterwards, stock level status; also, consider
a communicator hub component CtrHUB COM that handles communications
through different mediums: phone calls, messages, audio stream and e-mails
(their I/O processes are omitted here for the sake of brevity). Considering the
following three compositions:
CtrSY S = CtrHC BOT [intravenousNeedle↔ drugDispenser]CtrDRUG STR
CtrSY S2 = CtrHC BOT ACC [intravenousNeedle↔ drugDispenser]CtrDRUG STR
CtrSY S3 = (CtrHC BOT TK [intravenousNeedle↔ drugDispenser]CtrDRUG STR)
[talk↔ audioStream]CtrHUB COM
We have that (a) since CtrHC BOT vB CtrHC BOT ACC , we know, by
monotonicity of BRIC component refinement, that CtrSY S vB CtrSY S2 also
holds (both being deadlock free) and, for CtrDRUG STR, it is impossible to
distinguish between the different healthcare robots; (b) as CtrHC BOT ACC^ecvg CtrHC BOT TK , CtrSY S3 is deadlock free and, again for CtrDRUG STR,
it is impossible to distinguish between robots, which is true not only for the com-
ponent CtrDRUG STR but for any component able to connect to CtrHC BOT ,
no matter whether new channels on CtrHC BOT TK are exercised (as the talk
channel, which is hooked to audioStream from CtrHUB COM ).
It is important to consider non-convergent component extensions, which
can introduce deadlock. Suppose we define a contract CtrHC BOT TK ECHO,
which echoes the patient possible responses (output events) asking for confir-
mation. As these events are new-in-context outputs (not inputs), the contract
CtrHC BOT TK ECHO does not inherit by convergence from CtrHC BOT TK ,
as the former can output and, without response lock, where the latter does not.
In FDR4 the assert GLB_CVG(HC_BOT_TK_serial)[F= HC_BOT_TK_ECHO fails.
Although the traces:
• 〈bodySen.in.breath.2, bodySen.out.breath.2, phone.out.call.cNeighbor〉,
from HC_BOT_TK
40
CtrHC BOT
I_IVNintravenousNeedle
I_ISimageRec
I_VSvoiceRec
I_BSbodySen
I_PH phone
HC BOT
vB
CtrHC BOT ACC
I_IVNintravenousNeedle
I_ISimageRec
I_VSvoiceRec
I_BSbodySen
I_PH phone
HC BOT ACC
^
e
c
v
g
CtrHC BOT TK
I_IVNintravenousNeedle
I_ISimageRec
I_VSvoiceRec
I_BSbodySen
I_PH phone
I TK talk
HC BOT TK
Figure 8: Autonomous healthcare robot hierarchy
• 〈bodySen.in.breath.2, bodySen.out.breath.2, phone.out.call.cNeighbor,
echo.in.response.yes〉, from HC_BOT_TK_ECHO
are convergent, the following traces:
• 〈bodySen.in.breath.2, bodySen.out.breath.2, phone.out.call.cNeighbor〉,
from HC_BOT_TK)
• 〈bodySen.in.breath.2, bodySen.out.breath.2, phone.out.call.cNeighbor,
echo.out.timeout, echo.out.response.yes〉, from HC_BOT_TK_ECHO
are not convergent, causing the nonconformance. It happens because of the
echo.out.timeout, which signals a timeout in the patient response, but it is a
new-in-context output, not a new-in-context input.
Finally, it is important to notice that this work does not provide a guideline
to evolve or correct the models with respect to convergence: it is beyond the
scope of this work and is a topic to be addressed as future work.
6. Related work
Apart from the precise definition of component behaviour and interface, a
formal approach to CB-MDD must specify how components can be assembled
into more complex ones, how they can be refined and, ultimately, how to evolve
41
them into more specialised or functional ones. Several works have proposed a
formal foundation for CB-MDD: [25, 36, 37, 38, 39, 40, 5, 6, 41]. Specially, the
work reported in [25] focuses on the development of deadlock free component-
based systems by construction. Nevertheless, it does not propose a refinement
or an inheritance relation for components, which is the main purpose of the
current work.
In rCOS [36] a component has a provided and a required interface and code
associated to each of their method signatures. An interface is a syntactic no-
tion that encompasses typed variable declarations, called fields, and method
signatures with input and output parameters alongside with their types. This
approach is distinguished from BRIC by not treating inputs as an environ-
ment decision and outputs as an internal decision, by not analysing behavioural
properties in its composition rules and by stating the results on traces instead
of the failures model, which compromises substitutability, since, for example,
the traces model does not allow one to reason about deadlock freedom.
In rCOS, a contract refines another when there is a corresponding refine-
ment between their required and provided interfaces (given in terms of the Uni-
fying Theories of Programming (UTP) semantics [42]) and between their traces
(traces semantics). The works in [36, 39, 40] require that both components
have the same provided and required interface, as we assume in our refinement
relation, although the approaches in [37] and [38] allow interface extension.
Other works, notably [6, 41], have established their roots in the transition
systems theory: in [6], the authors define an I/O labelling as a 3-tuple of outputs,
inputs and internal labels used by an I/O-transition system, which encompasses
a set of states and transitions. A component is formed of a set of ports and
an observable behaviour given in terms of an I/O-transition system. A compo-
nent refines another if both have the same ports and there is a correspondence
between the states of their I/O-transition systems. There is no possibility of
functionality extension, since both components must have the same ports and
any observable behaviour of one must be possible by the other. The approach
in [41] uses similar I/O transition systems to define component behaviour. It
42
allows functionality extension by expressing component refinement in terms of a
mapping function between states and transitions of two I/O transition systems.
It adopts a similar approach to [5], whereas ours stands with that of [6], since our
understanding is towards distinguishing refinement from inheritance, consider-
ing refinement as a way to achieve non-determinism reduction and inheritance
as a way to embed on new system functionalities.
Some works have proposed inheritance relations for behavioural specifica-
tions [11, 17, 13, 15, 16, 18]. In [13, 11] inheritance relations are defined in terms
of invariants over state components and by pre and postconditions over defined
methods. The remaining works define subtype relations based on models like
failures and failures-divergences (denotational models of CSP), relating refine-
ment with inheritance [17]. None of them differentiates inputs from outputs nor
considers structural elements besides behavioural specifications, although [17]
analyses substitutability and relates it with behavioural properties, as deadlock
freedom.
Aligned to the mentioned works on behavioural inheritance, we also state
our relations in the failures model, but we distinguish inputs from outputs,
not only by putting them in different sets, but restricting the way they can
be communicated. The work in [43] presents a relation named I/O abstraction
that has some connection with convergence. It allows an implementation to
input more but restricts it to output less than its abstractions; however, it does
not consider what happens after the implementation communicates a new in-
put, which clearly weakens substitutability and thus the behavioural properties
preservation, as deadlock freedom, in the composition rules. In the same way,
the conformance relation used for testing, ioco [44], allows new inputs to be
communicated by an implementation, but as the I/O abstraction relation, it
differs from our work by not considering how the implementation behaves after
engaging in a new input. We also highlight an important design decision we
have taken in this work: we allow functionality extension to be implemented
not only in terms of new events but also by existing ones; therefore we al-
low new-in-context (not only new-in-alphabet) events to be communicated by
43
an inherited component. It gives more flexibility, but presents a challenge to
the inheritance verification as we have demonstrated in the construction of an
automated strategy for verifying convergence using the FDR4 model checker.
The treatment of inputs as an environment decision and outputs as being
internally resolved by the component itself (I/O process definition) is also con-
sidered by the approach proposed in [45], but it differs from ours by developing
a new semantic model named IOFailures, which is not compositional, in gen-
eral. Also, such a relation is proposed for testing, whereas we focus on a design
that preserves behavioural properties by construction, supported by the BRIC
composition rules.
The concept of evolution by retrenchment is presented in [46]: a retrench-
ment represents a contradiction of the current specification followed by an evo-
lution of it in a different direction. We understand it is useful in the early stages
of a specification, but as it evolves, we generally need to define evolutions that
conform to the previous ones.
Following the lines of [11, 17], although focusing on data refinement, the
work reported in [47] presents the concept of evolution of reactive action systems
by superposition. Extensions must not change the original behaviour and are
restricted to be defined in terms of new events. In our work, we allow extensions
to reuse existing events, additionally we develop an automated strategy to ensure
such extensions are valid.
It is also important to mention that [48] defines an inheritance relation be-
tween components, based on the notion of projection, whose semantics is given
in terms of Petri nets and equivalence is checked by bisimulation. Projections
define loose relationships between behaviour specifications and in general they
do not allow reuse of existing events. We differ by defining inheritance for a
component model (based on CSP) where behavioural properties are guaranteed
by construction and are locally verified by the FDR4 model checker.
Recent works have addressed how inheritance affects substitutability [49] and
how evolution can benefit from it [50]. In a large-scale study conducted in thou-
sands of Java projects, the work reported in [49] has shown that a major portion
44
of inheritance implementations violate the substitutability principle, specially
in the contexts where threads were used. It highlights the importance of having
theories and tools that guarantee inheritance does not break substitutability,
as we propose here. In [50], Petri nets are used to model the behaviour of web
services and, as BRIC does, it also distinguishes inputs from outputs and sub-
stitutability is given in terms of structural and behavioural aspects. We differ
from the latter aspect bacause our inheritance relations ensure behaviours even-
tually will converge, whereas, in [50], a candidate extension is only obligated
to contain the original behaviour but it is free do communicate anything else,
which clearly does not guarantee deadlock-freedom.
More recently, the work presented in [51] has discussed the rules for in-
heritance in multi-level modelling, assuming every abstraction has at least one
realization. It provides rules for substitutability in each level of modelling, fo-
cusing on the structural and data aspects of inheritance relations, whereas we
focus on both structural and behavioural aspects of extensions as a means to
guarantee behavioural properties.
From what we have seen and, as far as we are aware, this is the first time
component inheritance relations are developed for a formal and sound CB-MDD
approach, with a formal semantics, a refinement relation, an analysis on the
impact of substitutability and an automated strategy to check conformance.
7. Conclusions
We have developed in this work a novel concept called behavioural conver-
gence for specifications that distinguish inputs from outputs. Based on that
we have developed refinement and inheritance relations for an approach to CB-
MDD, where we consider structural and behavioural aspects. We incorporated
these relations in a set of composition rules that guarantee deadlock freedom by
construction.
First, we defined a congruent semantics for BRIC that considers compo-
nent structure and behaviour. This makes it possible to understand the precise
meaning of a component, and is the basis to define component refinement and
45
inheritance. Our refinement notion guarantees the relevant properties required
by the BRIC component compositions, fulfilling the substitutability principle
(a refinement should be usable wherever its abstraction is expected, without a
client being able to tell the difference)
As a major contribution of this work, we defined two inheritance relations for
BRIC, both based on a novel concept called behavioural convergence. It captures
the idea that components can evolve by accepting new inputs or establishing a
communication session after these inputs, but then they must converge to the
predicted behaviour exhibited by its abstraction. Our definition of inheritance
deals with component structural and behavioural aspects and guarantees sub-
stitutability, in the composition rules, preserving deadlock freedom. Therefore
a component of a model can evolve by the reduction of non-determinism (re-
finement) or by the extension of functionality (inheritance) and still preserving,
in the entire model, deadlock freedom and protocol compatibility.
We have two forms of convergence and, consequently, two inheritance re-
lations upon them. We have proved that one is a generalisation of the other.
Indeed, we have proved our relations form a hierarchy, where component refine-
ment is the strongest relation between BRIC components.
We have developed an automated strategy for verifying convergence as re-
finement assertions using FDR4. We have systematised the construction of a
greatest lower bound process (under the failures refinement relation), of which
all convergent processes are stable-failure refinements. Based on this result,
we have converted an assertion about convergence (and extended convergence)
into a refinement verification, which can be carried out by FDR4. The over-
all approach was validated using a case study that involved the modelling and
verification of an autonomous healthcare robot.
Quality attributes of programming and modelling, like high cohesion and
low coupling, as well as some good practices of object-oriented design, are also
useful when adopting the approach we propose for component design evolution.
However, the main reuse aspect in our context is control flow behaviour, in con-
trast to data aspects. Therefore, some patterns, such as decorator , command ,
46
template method and chain of responsibility , and concurrent communication
patterns [24] as, for instance, client-server , resource sharing and routing , are
likely to potentialise an extensible component design model.
A major topic for future work is to devise a detailed process, tailored to sup-
port the approach proposed in this paper. The main benefit of this process is
to allow the user to define, as a separate concern, model extensions that ensure
convergence by construction. In this context, the developer would work, for
instance, with a more appealing notation like UML or SysML. Then, for verifi-
cation, the graphical models would be translated into CSP and the verification
could be carried out in background, completely hidden from the developer, with
proper and transparent traceability to the model.
Also as future work, we aim to develop industrial case studies such as traffic
aviation control systems and extend a BRIC modelling tool (BTS–BRIC Tool
Support [52]) to verify refinement and inheritance. We also plan to mechanise
the proofs of our theorems in CSP-Prover [53], an interactive theorem prover
for CSP based on Isabelle/HOL [54]. The cost of verifying convergence needs
to be further investigated. Finally, it is in our agenda to consider the preserva-
tion of other classical concurrency properties like (non)determinism and livelock
freedom, based on the approaches in [27, 28, 29], as well as domain specific prop-
erties.
References
References
[1] C. Szyperski, Component Software: Beyond Object-oriented Programming,
ACM Press/Addison-Wesley Publishing Co., New York, NY, USA, 1998.
[2] M. P. Papazoglou, D. Georgakopoulos, Introduction: Service-oriented com-
puting, Commun. ACM 46 (10) (2003) 24–28. doi:10.1145/944217.
944233.
URL http://doi.acm.org/10.1145/944217.944233
47
[3] R. L. Ackoff, Towards a system of systems concepts, Management Science
17 (11) (1971) 661–671. doi:10.1287/mnsc.17.11.661.
[4] H. Jifeng, X. Li, Z. Liu, rcos: A refinement calculus of object systems,
Theoretical Computer Science 365 (2006) 109 – 142, formal Methods for
Components and Objects Formal Methods for Components and Objects.
doi:http://dx.doi.org/10.1016/j.tcs.2006.07.034.
[5] S. Meng, L. S. Barbosa, Components as coalgebras: The refinement dimen-
sion, Theor. Comput. Sci. 351 (2) (2006) 276–294. doi:10.1016/j.tcs.
2005.09.072.
URL http://dx.doi.org/10.1016/j.tcs.2005.09.072
[6] R. Hennicker, S. Janisch, A. Knapp, Refinement of components in
connection-safe assemblies with synchronous and asynchronous commu-
nication, in: Proceedings of the 15th Monterey Conference on Founda-
tions of Computer Software: Future Trends and Techniques for Develop-
ment, Monterey’08, Springer-Verlag, Berlin, Heidelberg, 2010, pp. 154–180.
doi:10.1007/978-3-642-12566-9_9.
[7] F. Arbab, Reo: A channel-based coordination model for component com-
position, Mathematical. Structures in Comp. Sci. 14 (3) (2004) 329–366.
doi:10.1017/S0960129504004153.
URL http://dx.doi.org/10.1017/S0960129504004153
[8] Z. Chen, Z. Liu, A. P. Ravn, V. Stolz, N. Zhan, Refinement and verification
in component-based model-driven design, Sci. Comput. Program. 74 (4)
(2009) 168–196. doi:10.1016/j.scico.2008.08.003.
[9] M. Bu¨chi, E. Sekerinski, Formal Methods for Component Software: The
Refinement Calculus Perspective, Springer Berlin Heidelberg, Berlin, Hei-
delberg, 1998, pp. 332–337. doi:10.1007/3-540-69687-3_68.
URL http://dx.doi.org/10.1007/3-540-69687-3_68
48
[10] R. Kurki-Suonio, Component and Interface Refinement in Closed-System
Specifications, Springer Berlin Heidelberg, Berlin, Heidelberg, 1999, pp.
134–154. doi:10.1007/3-540-48119-2_10.
URL http://dx.doi.org/10.1007/3-540-48119-2_10
[11] B. H. Liskov, J. M. Wing, A behavioral notion of subtyping, ACM Trans.
Program. Lang. Syst. 16 (6) (1994) 1811–1841. doi:http://doi.acm.org/
10.1145/197320.197383.
[12] P. Wegner, S. B. Zdonik, Inheritance as an incremental modification mech-
anism or what like is and isn’t like, in: Proceedings of the European Con-
ference on Object-Oriented Programming, ECOOP ’88, Springer-Verlag,
London, UK, 1988, pp. 55–77.
URL http://portal.acm.org/citation.cfm?id=646148.679054
[13] P. America, Designing an object-oriented programming language with be-
havioural subtyping, in: Proceedings of the REX School/Workshop on
Foundations of Object-Oriented Languages, Springer-Verlag, London, UK,
1991, pp. 60–90.
[14] B. Liskov, Keynote address - data abstraction and hierarchy, SIGPLAN
Not. 23 (5) (1987) 17–34. doi:10.1145/62139.62141.
[15] H. Bowman, J. Derrick, A Junction between State Based and Behavioural
Specification (Invited Talk), Kluwer, B.V., Deventer, The Netherlands,
1999, pp. 213–239.
URL http://portal.acm.org/citation.cfm?id=646816.708754
[16] F. Puntigam, Types for Active Objects Based on Trace Semantics, in: Pro-
ceedings FMOODS 96, Chapman and Hall, 1996, pp. 4–19.
[17] H. Wehrheim, Behavioral subtyping relations for active objects, Form.
Methods Syst. Des. 23 (2) (2003) 143–170. doi:http://dx.doi.org/10.
1023/A:1024764232069.
49
[18] J. Dihego, P. Antonino, A. Sampaio, Algebraic laws for process subtyping,
in: L. Groves, J. Sun (Eds.), Formal Methods and Software Engineering,
Vol. 8144 of Lecture Notes in Computer Science, Springer Berlin Heidel-
berg, 2013, pp. 4–19. doi:10.1007/978-3-642-41202-8_2.
[19] A. L. Rubinger, B. Burke, Enterprise JavaBeans 3.1, O’Reilly Media, Inc.,
2010.
[20] G. E. Krasner, S. T. Pope, A cookbook for using the model-view controller
user interface paradigm in smalltalk-80, J. Object Oriented Program. 1 (3)
(1988) 26–49.
URL http://dl.acm.org/citation.cfm?id=50757.50759
[21] R. Ramos, A. Sampaio, A. Mota, Systematic development of trustworthy
component systems, in: 2nd World Congress on Formal Methods, Vol. 5850
of Lecture Notes in Computer Science, Springer, 2009, pp. 140–156.
[22] J. Dihego, A. Sampaio, M. Oliveira, Constructive extensibility of trustwor-
thy component-based systems, in: Proceedings of the 30th Annual ACM
Symposium on Applied Computing, SAC ’15, ACM, New York, NY, USA,
2015, pp. 1808–1814. doi:10.1145/2695664.2695916.
URL http://doi.acm.org/10.1145/2695664.2695916
[23] T. Gibson-Robinson, P. J. Armstrong, A. Boulgakov, A. W. Roscoe, FDR3
- A modern refinement checker for CSP, in: Tools and Algorithms for
the Construction and Analysis of Systems - 20th International Conference,
TACAS 2014, 2014, Grenoble, France, April 5-13, 2014. Proceedings, 2014,
pp. 187–201. doi:10.1007/978-3-642-54862-8_13.
[24] A. W. Roscoe, Theory and Practice of Concurrency, Prentice-Hall Series
in Computer Science, Prentice-Hall, 1998.
[25] R. T. Ramos, Systematic Development of Trustworthy Component-based
Systems, Ph.D. thesis, Center of Informatics - Federal University of Per-
nambuco, Brazil (2011).
50
[26] P. R. G. Antonino, A. Sampaio, J. Woodcock, A refinement based strategy
for local deadlock analysis of networks of CSP processes, in: FM 2014:
Formal Methods, Singapore, May 12-16, 2014. Proceedings, 2014, pp. 62–
77. doi:10.1007/978-3-319-06410-9_5.
[27] M. S. C. Filho, M. V. M. Oliveira, A. Sampaio, A. Cavalcanti, Local Live-
lock Analysis of Component-Based Models, in: K. Ogata, M. Lawford,
S. Liu (Eds.), Formal Methods and Software Engineering - 18th Inter-
national Conference on Formal Engineering Methods, ICFEM 2016, Vol.
10009 of Lecture Notes in Computer Science, Springer International Pub-
lishing, 2016, pp. 279–295. doi:10.1007/978-3-319-47846-3_18.
URL http://dx.doi.org/10.1007/978-3-319-47846-3_18
[28] M. C. Filho, M. Oliveira, A. Sampaio, A. Cavalcanti, Compositional and
local livelock analysis for csp, Information Processing Letters 133 (2018)
21 – 25. doi:https://doi.org/10.1016/j.ipl.2017.12.011.
URL http://www.sciencedirect.com/science/article/pii/
S0020019018300036
[29] R. Otoni, A. Cavalcanti, A. Sampaio, Local analysis of determinism for csp,
in: S. Cavalheiro, J. Fiadeiro (Eds.), Formal Methods: Foundations and
Applications, Springer International Publishing, Cham, 2017, pp. 107–124.
[30] B. Roscoe, N. Dathi, The pursuit of deadlock freedom, Information and
Computation 75 (3) (1987) 289–327.
[31] A. W. Roscoe, Confluence thanks to extensional determinism, Electronic
Notes in Theoretical Computer Science 162 (2006) 305–309.
[32] M. van der Bijl, A. Rensink, J. Tretmans, Compositional testing with ioco,
in: A. Petrenko, A. Ulrich (Eds.), Formal Approaches to Software Testing,
Vol. 2931 of Lecture Notes in Computer Science, Springer Berlin Heidel-
berg, 2004, pp. 86–100. doi:10.1007/978-3-540-24617-6_7.
URL http://dx.doi.org/10.1007/978-3-540-24617-6_7
51
[33] Oliveira, M. and Sampaio, A. and Antonino,P. and Dihego, J. and Filho,
M. C. and Bryans, J., Compositional Analysis and Design of CML Mod-
els, Tech. rep., Comprehensive Modelling for Advanced Systems of Systems
(2014).
URL http://www.compass-research.eu/Project/Deliverables/D24.
4.pdf
[34] H. B. Enderton, Elements of set theory, Academic Press, New York, 1977.
URL http://opac.inria.fr/record=b1084859
[35] H. Wehrheim, Checking behavioural subtypes via refinement, in: B. Jacobs,
A. Rensink (Eds.), Formal Methods for Open Object-Based Distributed
Systems V, Springer US, Boston, MA, 2002, pp. 79–93.
[36] Z. Liu, C. Morisset, V. Stolz, rCOS: theory and tool for component-
based model driven development, in: Proceedings of the Third IPM inter-
national conference on Fundamentals of Software Engineering, FSEN’09,
Springer-Verlag, Berlin, Heidelberg, 2009, pp. 62–80. doi:10.1007/
978-3-642-11623-0_3.
[37] H. Jifeng, X. Li, Z. Liu, Component-based software engineering, in: Pro-
ceedings of the Second International Conference on Theoretical Aspects of
Computing, ICTAC’05, Springer-Verlag, Berlin, Heidelberg, 2005, pp. 70–
95. doi:10.1007/11560647_5.
URL http://dx.doi.org/10.1007/11560647_5
[38] Z. Wang, H. Wang, N. Zhan, Towards a theory of refinement of component-
based systems, Report 427, UNU-IIST (October 2009).
[39] Z. Chen, Z. Liu, A. P. Ravn, V. Stolz, N. Zhan, Refinement and verification
in component-based model-driven design, Sci. Comput. Program. 74 (4)
(2009) 168–196. doi:10.1016/j.scico.2008.08.003.
[40] X. Chen, J. He, Z. Liu, N. Zhan, A model of component-based program-
ming, in: Proceedings of the 2007 International Conference on Fundamen-
52
tals of Software Engineering, FSEN’07, Springer-Verlag, Berlin, Heidelberg,
2007, pp. 191–206.
URL http://dl.acm.org/citation.cfm?id=1775223.1775236
[41] S. Bauer, P. Mayer, A. Schroeder, R. Hennicker, On weak modal compat-
ibility, refinement, and the mio workbench, in: J. Esparza, R. Majumdar
(Eds.), Tools and Algorithms for the Construction and Analysis of Sys-
tems, Vol. 6015 of Lecture Notes in Computer Science, Springer Berlin
Heidelberg, 2010, pp. 175–189. doi:10.1007/978-3-642-12002-2_15.
[42] C. Hoare, J. He, Unifying Theories of Programming, Prentice-Hall, 1998.
[43] N. Bertrand, T. Je´ron, A. Stainer, M. Krichen, Off-line test selection with
test purposes for non-deterministic timed automata, in: Proceedings of the
17th international conference on Tools and algorithms for the construction
and analysis of systems, TACAS’11/ETAPS’11, Springer-Verlag, Berlin,
Heidelberg, 2011, pp. 96–111.
URL http://dl.acm.org/citation.cfm?id=1987389.1987402
[44] J. Tretmans, Test generation with inputs, outputs and repetitive quies-
cence, Software - Concepts and Tools 17 (3) (1996) 103–120.
[45] A. Cavalcanti, R. M. Hierons, Testing with inputs and outputs in csp,
in: Proceedings of the 16th international conference on Fundamental Ap-
proaches to Software Engineering, FASE’13, Springer-Verlag, Berlin, Hei-
delberg, 2013, pp. 359–374. doi:10.1007/978-3-642-37057-1_26.
[46] J. Garc´ıa-Duque, J. J. Pazos-Arias, M. Lo´pez-Nores, Y. Blanco-Ferna´ndez,
A. Ferna´ndez-Vilas, R. P. Dı´az-Redondo, M. Ramos-Cabrer, A. Gil-Solla,
Methodologies to evolve formal specifications through refinement and re-
trenchment in an analysisrevision cycle, Requir. Eng. 14 (3) (2009) 129153.
doi:10.1007/s00766-009-0074-z.
URL https://doi.org/10.1007/s00766-009-0074-z
53
[47] R. J. Back, K. Sere, Superposition refinement of reactive systems, Formal
Aspects of Computing 8 (3) (1996) 324–346.
[48] W. M. P. van der Aalst, K. M. van Hee, R. A. van der Toorn, Component-
based software architectures: A framework based on inheritance of be-
havior, Sci. Comput. Program. 42 (23) (2002) 129171. doi:10.1016/
S0167-6423(01)00005-3.
URL https://doi.org/10.1016/S0167-6423(01)00005-3
[49] J. Maddox, Y. Long, H. Rajan, Large-scale study of substitutability in
the presence of effects, in: Proceedings of the 2018 26th ACM Joint
Meeting on European Software Engineering Conference and Symposium
on the Foundations of Software Engineering, ESEC/FSE 2018, Associa-
tion for Computing Machinery, New York, NY, USA, 2018, p. 528538.
doi:10.1145/3236024.3236075.
URL https://doi.org/10.1145/3236024.3236075
[50] S. Bourouz, N. Zeghib, Towards formal checking of web services substi-
tutability, in: 2016 International Conference on Advanced Aspects of Soft-
ware Engineering (ICAASE), Vol. 2016, 2016, pp. 1–8.
[51] A. Lange, C. Atkinson, On the rules for inheritance in lml, in: 2019
ACM/IEEE 22nd International Conference on Model Driven Engineering
Languages and Systems Companion (MODELS-C), 2019, pp. 113–118.
[52] D. I. de A. Pereira, M. V. M. Oliveira, M. S. C. Filho, S. R. D. R. Silva, BTS:
A Tool for Formal Component-based Development, in: N. Polikarpova,
S. Schneider (Eds.), Proceedings of the 13th International Conference on
Integrated Formal Methods - IFM 2017, Vol. 10510 of Lecture Notes in
Computer Science, Springer, 2017, pp. 211–226.
URL https://doi.org/10.1007/978-3-319-66845-1
[53] Y. ISOBE, M. ROGGENBACH, Csp-prover: a proof tool for the verifica-
tion of scalable concurrent systems, Computer Software 25 (4).
54
[54] T. Nipkow, M. Wenzel, L. C. Paulson, Isabelle/HOL: A Proof Assistant for
Higher-order Logic, Springer-Verlag, Berlin, Heidelberg, 2002.
55
Appendix A. CSP
This appendix presents the relevant definitions, the syntax and the failures
semantics of CSP [24].
CSP CSPM description
STOP STOP termination
SKIP SKIP successful termination
c→ P c-> P prefix
P ;Q P;Q sequential composition
P \ X P \ X hiding
P 2 Q P[]Q external choice
P u Q P|~|Q internal choice
b&P b & P boolean guard
if b then P else Q if b then P else Q if-then-else
P [[a/b]] P[[a <- b]] renaming
P 9 Q P ||| Q interleaving
P ‖
a
Q P [|a|] Q alphabetized parallel
2 e : X @ P [] e :X @ P replicated external choice
u e : X @ P |~| e :X @ P replicated internal choice9 e : X @ P ||| e : X @ P replicated interleave
‖ e : X @ [X ′]P || e : X @ [X’] P replicated alphabetized parallel
Table A.1: CSP processes
56
CSP CSPM description
Σ all alphabet of all communications
{|c|} {| c |} the events communicated through channel c
X 8Y diff(X,Y) {e | e ∈ X ∧ e /∈ Y }
X (tick) termination event
τ (tau) invisible event
ΣX Σ ∪ {X}
ΣX,τ Σ ∪ {X, τ}
Table A.2: Events
CSP CSPM description
Σ∗ set of all finite traces over Σ
〈〉 <> the empty trace
tˆs t ^ s concatenation of traces
s ≤ t s <= t ≡ ∃u.sˆu = t (prefix order)
#s #s length of s
t− s t - s
t− 〈〉 = t
〈〉 − s = 〈〉
〈e〉ˆt− 〈e〉ˆs = t− s
(〈e1〉ˆt)− (〈e2〉ˆs) = 〈e1〉ˆ(t− (〈e2〉ˆs)) | e1 6= e2
R∗t
R : Σ→ Σ
R∗〈〉 = 〈〉
R∗(〈e〉ˆs) = 〈Re 〉ˆR∗s | e ∈ Σ ∧ s ∈ Σ∗
Table A.3: Traces
57
CSP failures semantics
STOP F(STOP ) = {(〈〉, X) | X ⊆ ΣX}
SKIP F(SKIP ) =
{(〈〉, X) | X ⊆ Σ}∪
{(〈X〉, X) | X ⊆ ΣX}
ev → P F(ev → P ) = {(〈〉, X) | ev /∈ X}∪
{(〈ev〉ˆs,X) | (s,X) ∈ F(P )}
P ;Q F(P ;Q) =
{(s,X) | s ∈ Σ∗ ∧ (s,X ∪ {X}) ∈ F(P )}
∪{(sˆt,X) | sˆ〈X〉 ∈ T(P ) ∧ (t,X) ∈ F(Q)}
P \ X F(P \ X) = {(s \ X,Y ) | (s,X ∪ Y ) ∈ F(P )}
P 2 Q F(P 2 Q) =
{(〈〉, X) | (〈〉, X) ∈ F(P ) ∩ F(Q)}
∪{(〈〉, X) | X ⊆ Σ ∧ 〈X〉 ∈ T(P ) ∪ T(Q)}
∪{(s,X) | (s,X) ∈ F(P ) ∪ F(Q) ∧ s 6= 〈〉}
P u Q F(P u Q) = F(P ) ∪ F(Q)
if b then P else Q F(if c then P else Q) = if c then F(P ), else F(Q)
P [[R]] F(P [[R]]) = {(t, R(X)) | ∃ s.s R∗ t ∧ (s,X) ∈ F(P )}
P ‖
X
Q F(P ‖
X
Q) =

(u, Y ∪ Z) | ∃ s, t.(s, Y ) ∈ F(P ) ∧
(t, Z) ∈ F(Q) ∧
Y 8XX = Z8XX ∧ u = s ‖
X
t,
where XX = X ∪ {X}

Table A.4: CSP failures semantics
58
Appendix B. BRIC
This appendix details theBRIC composition rules [21], which are represented
in terms of binary and unary asynchronous composition.
When a pair of channels are connected by a BRIC composition rule, outputs
from one will be inputs for the other and vice versa. There are two directional
flows of communication. Therefore, two buffers are required to emulate an
asynchronous medium between these channels, one for each flow.
Definition 13 (BRIC buffer). A BRIC buffer maps inputs to outputs and
vice versa (by the relations L and R), without loss or reordering.
BUFFnIO(L,R) = B
n(L) 9 Bn(R),where
Bn(R) = Bn〈 〉(R) = ?x : domR→ Bn〈x〉
Bns (R) = #s < n & ?x : domR→ Bnsˆ 〈x〉(R)
2 R(head(s))→ Bntail(s)(R)
The asynchronous binary composition (Definition 14) hooks two compo-
nents, say P and Q, with disjoint communication points, by their respective
channels c and z. Instead of communicating directly, their communications are
buffered by BUFFnIO(R
c→z
IO , R
z→c
IO ).
Definition 14 (Asynchronous binary composition). Let P and Q be two
distinct component contracts, and c ∈ CP and z ∈ CQ two channels, such that
CP and CQ are disjoint. Then, the asynchronous binary composition of P and
Q, P 〈c〉 〈z〉 Q, is given by:
P 〈c〉 〈z〉 Q = 〈BP ‖
{|c|}
BUFFnIO(R
c→z
IO , R
z→c
IO ) ‖
{|z|}
BQ,R
′, I′,C′〉
where C′ = (CP ∪ CQ)8{c, z}, R′ = C′  (RP ∪ RQ),
I′ = ranR′ and R a→bIO = {a.out.x 7→ b.in.x}.
In this composition, the channels c and z are combined such that output
events from one channel are consumed by input events of the other, and vice
59
versa. This correspondence is made by two mapping relations, R c→zIO and R
z→c
IO ,
which are used to input/output from the buffer BUFFnIO. The resulting compo-
nent behaviour is that of P synchronised with the buffer BUFFnIO(R
c→z
IO , R
z→c
IO )
on c and with Q on z. The interface, C′, of the resulting component, P 〈c〉 〈z〉 Q,
contains channels of both P and Q except for the hooked channels c and z
((CP ∪ CQ)8{c, z}). Therefore, only channels in C′ appear in the resulting rela-
tion R′ (S R restricts the domain of R to S) and in the resulting interface I′
(ranR′).
The asynchronous unary composition (Definition 15) hooks two channels, say
c and z of the same component P . It allows P to send and receive information
to/from itself. It can be very useful if P has inner components, that must be
connected ( for example, the dining of philosophers).
Definition 15 (Asynchronous unary composition). Let P be a compo-
nent contract, and {c, z} ⊆ CP two of its channels. Then, the asynchronous
unary composition of P by hooking c and z, P |〈c〉〈z〉, is given by:
P |〈c〉〈z〉 = 〈BP ‖{|c,z|}
BUFFnIO(R
c→z
IO , R
z→c
IO ),R
′, I′,C′〉
where C′ = CP 8{c, z}, R′ = C′  RP , I′ = ranR′ and
R a→bIO = {a.out.x 7→ b.in.x}.
The unary composition, like the binary one, combines two channels c and z
such that output events from one channel are consumed by input events of the
other, and vice versa; the difference is that both channels are from the same
component. The resulting component behaviour is that of P synchronised with
the buffer BUFFnIO(R
c→z
IO , R
z→c
IO ) on both channels c and z. The resulting
component P |〈c〉〈z〉 interface is the same as P except for the hooked channels
c and z (CP 8{c, z}). As the binary composition, only channels in C′ appear in
the resulting relation R′ and in the resulting interface I′.
Not all components can be connected, and some connections using binary or
unary compositions can lead to deadlock. The BRIC rules are defined in terms
of the unary and binary asynchronous compositions and define the conditions
60
where components can be safe (deadlock free) connected. They differ by the
preconditions and the number of components involved, which are detailed in
[21]. What follows summarises the BRIC composition rules.
The interleave composition rule is the simplest form of composition. It aggre-
gates two independent components such that, after composition, these compo-
nents still do not communicate between themselves. They directly communicate
with the environment as before, with no interference from each other.
Definition 16 (Interleave composition). Let P and Q be two component
contracts, such that CP ∩ CQ = ∅. The interleave composition of P and Q
(namely P [9]Q) is given by:
P [9]Q = P 〈〉  〈〉Q
This composition requires P and Q to have disjoint sets of channels (CP ∩
CQ = ∅). The resulting component P [9]Q is given by the binary composition
(Definition 14) of P and Q without hooking any of its channels (〈〉  〈〉), which
implies they run independently, in interleaving.
The second rule, the communication composition represents the most com-
mon way for linking channels of two different components. As interleaving, it
is given in terms of asynchronous binary composition, but it connects chan-
nels from P and Q components. The assembled channels cannot be used in
subsequent compositions, as imposed by Definition 14.
Definition 17 (Communication composition). Let P and Q be two com-
ponent contracts, and ic and oc two communication channels. The communica-
tion composition of P and Q (namely P [ic ↔ oc]Q) via ic and oc is defined as
follows:
P [ic↔ oc]Q = P 〈ic〉  〈oc〉Q
This rule assumes the components behaviours on channels ic and oc are
I/O confluent, strong compatible and satisfy the finite output property (FOP).
These properties are detailed in [30, 31, 25]: I/O confluence means that choosing
61
between inputs (deterministically) or outputs (non-deterministically) does not
prevents other inputs/outputs offered alongside from being communicated af-
terwards; two processes are strong compatible if all outputs produced by one are
consumed by the other, and vice versa; finally, FOP guarantees that a process
cannot output forever, so eventually it inputs after a finite sequence of outputs.
The resulting component P 〈ic〉  〈oc〉Q is the binary composition of P and Q
on channels ic and oc (Definition 14).
The next two compositions allow the link of two channels of a same compo-
nent by means of asynchronous unary composition. The feedback composition
provides the possibility of creating safe cycles for components with a tree topol-
ogy. It achieves this by, among others conditions, ensuring that the channels
being connected are decoupled: the behaviour projection over them are equiva-
lent to the interleaving of each one’s projection.
Definition 18 (Decoupled channels). Let B be an I/O process and {c, z}
two I/O channels. Then, c and z are decoupled in B if, and only, if:
B \ Σ8{|c, z|} ≡F (B \ Σ8{|c|}) 9 (B \ Σ8{|z|})
Definition 19 (Feedback composition). Let P be a component contract,
and ic and oc two communication channels. The feedback composition P
(P [oc ↪→ ic]) hooking oc to ic is defined as follows:
P [oc ↪→ ic] = P ∣∣〈ic〉〈oc〉
As the communication rule, the feedback composition assumes the compo-
nent behaviour on channels ic and oc are I/O confluent, strong compatible and
satisfy the finite output property (FOP). Moreover, it requires that P behaves
on ic and oc independently (as it were two distinct components), i.e., ic and oc
are decoupled channel [25]. The resulting component P ∣∣〈ic〉〈oc〉 is achieved by
synchronous unary composition of P on channels ic and oc.
The last composition rule, reflexive, is more general than the feedback com-
position; it is also more costly regarding verification, since it is able to assemble
62
dependent channels (feedback assembles only independent channels), and so in
general it requires a global analysis to ensure deadlock freedom. On the other
hand, reflexive composition allows to connect channels in a cyclic topology,
whereas feedback is restricted to tree topologies.
Definition 20 (Reflexive composition). Let P be a component contract,
and ic and oc two communication channels. The reflexive composition P (namely
P [oc ¯↪→ ic]) hooking oc to ic is defined as follows:
P [ic ¯↪→ oc] = P ∣∣〈ic〉〈oc〉
This last rule relaxes feedback composition restrictions by allowing the con-
nection of non decoupled channels but, nevertheless, it requires that outputs
produced by ic are consumed in the same rate (differing by at least one) by in-
puts from oc, and vice versa, i.e., the behaviour of P is self-injection compatible
on the hooked channels [25] .
63
Appendix C. Proofs
In this appendix we present proofs of some of our lemmas and theorems.
Lemma 1 (cvg implies ecvg on trace prefixing). Consider two I/O processes
T and T ′ such that, t1ˆt3 ∈ T(T ) and t′ ∈ T(T ′). If t′ cvg t1ˆt3, where t1 ≤ t′,
then t′ ecvg t1ˆt3.
Proof.
Proof by induction on t3
Basis step: t3 = 〈〉
t1 ≤ t′ . t′ cvg t1 ˆ〈〉
≡ [empty trace concatenation]
t1 ≤ t′ . t′ cvg t1
≡ [Definition 5]
t1 = t
′ . t1 cvg t1
≡ [Definition 7]
t1 = t
′ . t1 ecvg t1
Inductive step:
Inductive hypothesis: t1 ≤ t′ . t′ cvg t1 ˆt3 ⇒ t1 ≤ t′ . t′ ecvg t1ˆt3
Prove that t1 ≤ t′ ∧ e ∈ Σ . t′ cvg t1 ˆ(t3 ˆ〈e〉)⇒ t′ ecvg t1 ˆ(t3ˆ〈e〉)
t1 ≤ t′ ∧ e ∈ Σ . t′ cvg t1ˆ(t3 ˆ〈e〉)
Cases: e is new input (e /∈ in(T, t1 ˆt3) ∪ out(T, t1ˆt3)) or
e is a possible event after t1 ˆt3 (t1 ˆ(t3ˆ〈e〉) ∈ T(T ))
Case 1: e is a new input
rewrite LHS as (t1 ˆt3)ˆ〈ne′〉ˆt′3 where t′3 = 〈〉 and ne′ = e
⇒ [Definition 5]
t′ cvg (t1ˆt3)
⇒ [by inductive hypothesis]
64
t′ ecvg t1 ˆt3
Case 2: e is a possible event after t1ˆt3
rewrite LHS as (t1 ˆt3)ˆ〈e′〉ˆt′3 where t′3 = 〈〉 and e′ = e
⇒ [Definition 5]
t′ cvg (t1 ˆt3)ˆ〈e′〉 and (t1 ˆt3)ˆ〈e′〉 = t′ ⇒ t′ ecvg (t1 ˆt3)ˆ〈e′〉
Lemma 2 (cvg ⊆ ecvg). Consider two I/O processes T and T ′, and t and
t′ two of its traces, respectively (t ∈ T(T ) and t′ ∈ T(T ′)). If t′ cvg t then
t′ ecvg t.
Proof.
t′ cvg t
≡ [Definition 5]
(t′ = t) ∨

(#t′ > #t) ∧ ∃ t1, t3 : Σ∗, ∃ne : Σ |
t′ = t1 ˆ〈ne〉ˆt3 ∧ t1 ≤ t ∧
ne ∈ inputs ∧ ne /∈ in(T, t1) ∧
t1 ˆt3 cvg t


⇒ [predicate calculus]
(t′ = t) ∨

(#t′ > #t) ∧ ∃ t1, t2, t3 : Σ∗, ∃ne ∈ Σ | t2 = 〈〉
∧

t′ = t1 ˆ〈ne〉ˆt2 ˆt3 ∧ t1 ≤ t ∧
ne ∈ inputs ∧ ne /∈ in(T, t1) ∧
set(t2) ∩ (in(T, t1) ∪ out(T, t1)) = ∅ ∧
t1 ˆt3 cvg t


⇒ [Lemma 1]
(t′ = t) ∨

(#t′ > #t) ∧ ∃ t1, t2, t3 : Σ∗, ∃ne ∈ Σ | t2 = 〈〉
∧

t′ = t1 ˆ〈ne〉ˆt2 ˆt3 ∧ t1 ≤ t ∧
ne ∈ inputs ∧ ne /∈ in(T, t1) ∧
set(t2) ∩ (in(T, t1) ∪ out(T, t1)) = ∅ ∧
t1 ˆt3 ecvg t


≡ [Definition 7] t′ ecvg t
65
Lemma 3 (io cvg ⊆ io ecvg). Consider two I/O processes T and T ′. If
T ′ io cvg T then T ′ io ecvg T .
Proof.
T ′ io cvg T
≡ [Definition 6]
∀(t′, X) ∈ F(T ′), ∃(t, Y ) ∈ F(T ) •

t′ cvg t ∧
Y ∩ inputs ⊇ X ∩ inputs ∧
Y ∩ outputs ⊆ X ∩ outputs

≡ [Lemma 2]
∀(t′, X) ∈ F(T ′), ∃(t, Y ) ∈ F(T ) •

t′ ecvg t ∧
Y ∩ inputs ⊇ X ∩ inputs ∧
Y ∩ outputs ⊆ X ∩ outputs

⇒ [a⇒ a ∨ b]
∀(t′, X) ∈ F(T ′), ∃(t, Y ) ∈ F(T ) •


t′ ecvg t ∧
Y ∩ inputs ⊇ X ∩ inputs ∧
Y ∩ outputs ⊆ X ∩ outputs

∨ (Σ8Y ⊆ X)

⇒ [Definition 8] T ′ io ecvg T
Theorem 2 (Hierarchy). The relations vB, ^cvg and ^ecvg form a hierar-
chy: vB⊆^cvg⊆^ecvg. In this proof, assume T and T ′ are components.
Proof.
Hypothesis: vB⊆^cvg
T vB T ′
≡ [Definition 12]
(BT vF BT ′) ∧ (CT = CT ′) ∧ (∀ c : CT • RT (c) ⊆ RT ′(c))
⇒ [failures semantics, hiding semantics]
(BT vF BT ′) ∧ (CT = CT ′) ∧ (∀ c : CT • BT |` c vF BT ′ |` c)
66
⇒ [Definition 9]
(BT vF BT ′) ∧ (CT = CT ′) ∧ (∀ c : CT • BT ′ def -cong(c) BT )
⇒ [Definition 6]
(BT ′ io cvg BT ) ∧ (CT = CT ′) ∧ (∀ c : CT • BT ′ def -cong(c) BT )
⇒ [Definitions 11] T ^cvg T ′
Hypothesis: ^cvg⊆^ecvg
T ^cvg T ′
≡ [Definition 11]
BT ′ io cvg BT ∧ RT ⊆ RT ′ ∧ ∀ c : CT •
 BT ′ def -cong(c) BT ∨
BT ′ inp-cong(c) BT

⇒ [Lemma 3]
BT ′ io ecvg BT ∧ RT ⊆ RT ′ ∧ ∀ c : CT •
 BT ′ def -cong(c) BT ∨
BT ′ inp-cong(c) BT

⇒ [Definition 11] T ^ecvg T ′
Lemma 4 (Inheritance preserves deadlock freedom). Consider T and T ′
two BRIC components, such that T is deadlock free. If T ^ecvg T ′ then T ′ is
deadlock free.
Proof.
T ^ecvg T ′ ∧ T is deadlock free
≡ [Definition 11,deadlock free process]
BT ′ io ecvg BT ∧ ∀ s ∈ Σ∗ • (s,ΣX) /∈ failures(BT )
≡ [Definition 8]
67
∀(t′, X) ∈ F(BT ′),∃(t, Y ) ∈ F(BT ) •
t′ ecvg t ∧
 Y ∩ inputs ⊇ X ∩ inputs ∧
Y ∩ outputs ⊆ X ∩ outputs

∨ (Σ8Y ⊆ X)

∧ ∀ s ∈ Σ∗ • (s,ΣX) /∈ failures(BT )
⇒ [failures semantics, predicate calculus]
∀(t′, X) ∈ F(BT ′),∃(t, Y ) ∈ F(BT ) •
(t′ ecvg t) ∧ (ΣX 6⊆ Y ) ∧
 Y ∩ inputs ⊇ X ∩ inputs ∧
Y ∩ outputs ⊆ X ∩ outputs

∨ (Σ8Y ⊆ X)

⇒ [predicate calculus]
∀(t′, X) ∈ F(BT ′) • (ΣX 6⊆ X)
⇒ [deadlock freedom]
BT ′ is deadlock free process⇒ T ′ is a deadlock free component
Theorem 3 (Substitutability). Let T , T ′ be two components such that
T ^ecvg T ′. Consider S[T ] a deadlock free component contract, where T is a
deadlock free component contract that appears within the context S, then S[T ′]
is deadlock free.
The proof follows by structural induction on the composition operators of
BRIC. Assuming it holds for T , we prove that it holds for the following cases:
T [9]Q, T [c↔ z]Q, T [c ↪→ z] and T [c ¯↪→ z], where Q is a BRIC component.
Proof.
Base case
S[T ] = T
⇒ [T ^ecvg T ′, S[T ] is deadlock free,Lemma 4]
S[T ′] = T ′ is deadlock free
Interleaving composition
68
S[T ] = T [9]Q
⇒ [T ^ecvg T ′, S[T ] is deadlock free,Lemma 4]
CT ′ ∩ CQ = ∅ ∧ T ′ is deadlock free
⇒ [Q is deadlock free,Definition 16,Theorem 1]
S[T ′] = T ′ [9]Q is deadlock free
Communication composition
T [c↔ z]Q
⇒ [T ^ecvg T ′, S[T ] is deadlock free,Lemma 4]
CT ′ ∩ CQ = ∅ ∧ T ′ is deadlock free
⇒ [Definition 17]
CT ′ ∩ CQ = ∅ ∧ T ′ is deadlock free ∧
BT [c↔z]Q = BT ‖
{|c|}
BUFFnIO(R
c→z
IO , R
z→c
IO ) ‖
{|z|}
BQ
⇒ [BT [c↔z]Q is deadlock free, hiding semantics, R c→zIO ∗t Appendix A ]
CT ′ ∩ CQ = ∅ ∧ T ′ is deadlock free ∧
∀ t ∈ T(BT |` c) • R c→zIO ∗t ∈ T(BQ |` z)⇒ R c→zIO out(BT |` c, t) ⊆ in(BQ |` z,R c→zIO ∗t),
R z→cIO out(BQ |` z,R c→zIO ∗t) ⊆ in(BT |` c, t)

⇒ [BT ′ def -cong(c) BT ∨ BT ′ inp-cong(c) BT ]
CT ′ ∩ CQ = ∅ ∧ T ′ is deadlock free ∧
∀ t : Σ∗ | t ∈ T(T |` c) ∧ t ∈ T(T ′ |` c) •
out(T ′, t) ⊆ out(T, t) ∧ in(T, t) ⊆ in(T ′, t) ∧
T(BT ′ |` c) ∩ T(BQ |` z[[R z→cIO ]]) ⊆ T(BT |` c) ∩ T(BQ |` z[[R z→cIO ]])
⇒ [Definition 17, Theorem 1]
S[T ′] = T ′[c↔ z]Q is deadlock free
Feedback composition
T [c ↪→ z]
69
⇒ [T ^ecvg T ′, S[T ] is deadlock free,Lemma 4]
CT ′ ∩ CQ = ∅ ∧ T ′ is deadlock free
⇒ [Definition 19]
CT ⊆ CT ′ ∧ T ′ is deadlock free ∧
BT [c ↪→ z] = BT ‖
{|c,z|}
BUFFnIO(R
c→z
IO , R
z→c
IO )
⇒ [BT [c ↪→ z] is deadlock free, hiding semantics]
CT ⊆ CT ′ ∧ T ′ is deadlock free ∧
∀ t ∈ T(BT |` c) • R c→zIO ∗t ∈ T(BT |` z)⇒
R c→zIO out(BT |` c, t) ⊆ in(BT |` z,R c→zIO ∗t)
∧
R z→cIO out(BT |` z,R c→zIO ∗t) ⊆ in(BT |` c, t)

⇒ [BT ′ def -cong(c) BT ∨ BT ′ inp-cong(c) BT ]
CT ⊆ CT ′ ∧ T ′ is deadlock free ∧
∀ t : Σ∗ | t ∈ T(T |` c) ∧ t ∈ T(T ′ |` c) •
out(T ′, t) ⊆ out(T, t) ∧ in(T, t) ⊆ in(T ′, t) ∧
T(BT ′ |` c) ∩ T(BT |` z[[R z→cIO ]]) ⊆ T(BT |` c) ∩ T(BT |` z[[R z→cIO ]])
⇒ [Definition 19, Theorem 1]]
S[T ′] = T ′[c ↪→ z] is deadlock free
Reflexive composition. It is almost identical to the feedback composition.
70
