Verifying Controlled Components
Steve Schneider and Helen Treharne
Department of Computer Science, Royal Holloway, University of London
Abstract. Recent work on combining CSP and B has provided ways of describing systems comprised of components described in both B (to express requirements on state) and CSP (to express interactive and controller behaviour). This approach is driven by the desire to exploit existing tool support for both CSP and B, and by the need for compositional proof techniques. This paper is concerned with the theory underpinning the approach, and proves a number of results for the development and verification of systems described using a combination of CSP and B. In particular, new results are obtained for the use of the hiding operator, which is essential for abstraction. The paper provides theorems which enable results obtained (possibly with tools) on the CSP part of the description to be lifted to the combination. Also, a better understanding of the interaction between CSP controllers and B machines, in terms of non-discriminating and open behaviour on channels, is introduced and applied to the deadlock-freedom theorem. The results are illustrated with a toy lift controller running example.
1 Introduction

Morgan's failures-divergences semantics for event systems [Mor] enables the various CSP semantics to be given to B machines. These CSP semantics allow machines to be treated as CSP components within a concurrent system, and we can combine them with other CSP components using architectural operators such as parallel composition and abstraction.

Recent work [Tre] has considered the interaction between a particular kind of B machine and a controller written as a (recursive) sequential CSP process. An important property of a controller for a machine is that it should invoke machine operations only within their preconditions. Previous results [Tre] have identified conditions sufficient to guarantee $P \parallel M$ to be divergence-free for a controller $P$ and machine $M$, which ensures this important property. These results require identification of a control loop invariant (CLI) on the state of the B machine $M$, which must be true on every recursive call. This is established by considering the semantics of the B operations as they are called within the controller, and essentially computing the weakest precondition required to establish the CLI.
In combining communicating B machines we use a particular architecture [STb] to restrict the interaction between components, by ensuring that each B machine interacts only with its own controller. A system will be structured as a collection of B machines $M_1, \ldots, M_n$, each with its own CSP controller process $P_1, \ldots, P_n$. A controlled component is the parallel combination of a controller and its B machine, of the form $P \parallel M$. Each $M_i$ is under the control of the corresponding $P_i$, and the $P_i$'s can also interact with each other. This architecture is illustrated in Figure 1. Interaction across the system can occur only between the CSP processes. This approach enables compositional verification, whereby we are able to verify properties of the entire system by obtaining results about smaller structures within the system. In particular, both CSP and B already have mature tool support, which we aim to apply in the verification of combined systems.

Fig. 1. A CSP and B combined system architecture (CSP layer: controllers $P_1, \ldots, P_n$; B layer: machines $M_1, \ldots, M_n$; each $P_i$ controls $M_i$, and the $P_i$ interact only among themselves)
The model checker FDR [For] performs model checking on systems described in CSP, and is therefore suitable for analysing the controllers individually and in combination. The paper provides theorems which enable results obtained (possibly with tools) on the CSP part of the description to be lifted to the combination. We obtain a number of theorems in the various CSP semantic models.

In practice we find that it is often the case that a property holds in a combined system for reasons associated with the state within the B components. In this case the CSP controller descriptions need to be augmented with the relevant state information. This paper also provides theorems which support the required manipulations of CSP controllers. A fuller version of this paper [STa] gives rigorous proofs of all the theorems and lemmas; in this paper we provide informal explanations of the theorems.
2 Background

2.1 CSP events

CSP processes are defined in terms of the events that they can and cannot do. Processes interact by synchronising on events, and the occurrence of events is atomic. The set of all events is denoted by $\Sigma$.

(Footnote: The FDR checks discussed in this paper are available at http://www.cs.rhul.ac.uk/research/formal/steve/code/lifts.fdr)

Events may be compound in structure, consisting of a channel name and some (possibly none) data values. Thus events have the form $c.v_1 \ldots v_n$, where $c$ is the channel name associated with the event and the $v_i$ are data values. The type of the channel $c$ is the set of values that can be associated with $c$ to produce events.

For example, if $trans$ is a channel name and $\mathbb{N} \times \mathbb{Z}$ is its type, then events associated with $trans$ will be of the form $trans.n.z$, where $n \in \mathbb{N}$ and $z \in \mathbb{Z}$.

A partial event (or, following [Sca], partially completed datatype value) is a channel name together with some values, but not necessarily all. For example, $trans.n$ is a partial event. Any channel is a special case of a partial event.

Given a set of partial events $PE$, we can define the set of events $\{|\, PE \,|\}$ which are the completions of events in $PE$, as follows:

$\{|\, PE \,|\} = \{\, p.w \mid p \in PE \wedge p.w \in \Sigma \,\}$

We use alphabetised CSP, so every process has an alphabet, which is the set of events whose occurrence requires its participation. The alphabet of a process $P$ is denoted $\alpha(P)$. For the purposes of this paper we will require that the alphabet of any process is given by a set of channels $C$, so that $\alpha(P) = \{|\, C \,|\}$.
2.2 CSP controllers

A controller for a B machine is a particular kind of CSP process. To interact with the B machine it makes use of control channels, which have both input and output and provide the means for controllers to synchronise with B machines. For each operation $w \leftarrow e(v)$ of a controlled machine, with $v$ of type $T_{in}(e)$ and $w$ of type $T_{out}(e)$, there will be a channel $e$ of type $T_{in}(e) \times T_{out}(e)$, so communications on $e$ are of the form $e.v.w$.

Controller descriptions may also include assertions about the values of variables they are using. These are incorporated in CSP either as blocking assertions (which block if the assertion is false) or as diverging assertions (which diverge if the assertion is false), depending on the role they play in verification.

When we talk about a CSP controller $P$ we mean a process which has a given set of control channels $C$. The controlled B machine will have exactly $\{|\, C \,|\}$ as its alphabet: it can communicate only on channels in $C$.

Controller syntax. Controllers are generated from the following subset of the CSP syntax, as discussed in [STb]:

$P ::= a \to P \mid c?x \to P \mid d!v \to P \mid e!v?x\{E(x)\} \to P \mid e!v?x\langle E(x) \rangle \to P \mid P_1 \,\Box\, P_2 \mid P_1 \sqcap P_2 \mid \sqcap_{x \mid E(x)} P \mid \text{if } b \text{ then } P_1 \text{ else } P_2 \mid S(p)$

where $a$ is a synchronisation event, $c$ is a communication channel accepting inputs, $d$ is a communication channel sending output values, $e$ is a control channel, $x$ represents all data variables on a channel, $v$ represents all data values being passed along a channel, $E(x)$ is a predicate on $x$ (it may be elided, in which case it is considered to be true), $b$ is a boolean expression, and $S(p)$ is a process expression.

The process $a \to P$ is initially prepared to engage in an $a$ event, after which it behaves as $P$. The input $c?x \to P$ is prepared to accept any value $x$ along channel $c$ and then behave as $P$ (whose behaviour can be dependent on $x$). The output $d!v \to P$ provides $v$ as output. The operation call $e!v?x\{E(x)\} \to P$ is an interaction with an underlying B machine: the value $v$ is passed from the process as input to the B operation, and the value $x$ is accepted as output from the B operation. If $x$ meets the condition $E(x)$ then the process behaves as $P$; if $x$ does not meet the condition then the process diverges. On the other hand, $e!v?x\langle E(x) \rangle \to P$ only allows $e.v.x$ if $E(x)$; otherwise the event is blocked. Behaviour subsequent to $e.v.x$ is that of $P$.

The external choice process $P_1 \,\Box\, P_2$ is initially prepared to behave either as $P_1$ or as $P_2$, and the choice is resolved on occurrence of the first event. Binary and general internal choice are possible, though not used in the example presented here. The conditional choice if $b$ then $P_1$ else $P_2$ behaves as $P_1$ or $P_2$ depending on the evaluation of the condition $b$. Finally, the process expression $S(p)$ expresses a recursive call.
2.3 CSP semantic models

There are three semantic models used in this paper: the Traces model, the Stable Failures model and the Failures-Divergences model. We introduce the relevant features of them here; full details of these models can be found in [Ros, Sch].

Traces. A trace is a finite sequence of events. A sequence $tr$ is a trace of a process $P$ if there is some execution of $P$ in which exactly that sequence of events is performed. The set $traces(P)$ is the set of all possible traces of process $P$. The traces model for CSP associates a set of traces with every CSP process. If $traces(P) = traces(Q)$ then $P$ and $Q$ are equivalent in the traces model, and we write $P =_T Q$.

Stable Failures. A stable failure is a pair $(tr, X)$ consisting of a trace $tr$ and a set of events $X$. Such a pair is a stable failure of a process $P$ if there is some execution of $P$ on which $tr$ is the sequence of events performed, reaching a state in which all events in $X$ can be refused and also no internal progress is possible. The set $SF(P)$ is the set of stable failures of $P$. The stable failures model for CSP associates a set of stable failures and a set of traces with every CSP process. If $SF(P) = SF(Q)$ and also $traces(P) = traces(Q)$ then $P$ and $Q$ are equivalent in the stable failures model, and we write $P =_{SF} Q$.

Failures and Divergences. A divergence is a finite sequence of events $tr$. Such a sequence is a divergence of a process $P$ if it is possible for $P$ to perform an infinite sequence of internal events (such as a livelock loop) on some prefix of $tr$. The set of divergences of a process $P$ is written $D(P)$.

A failure is a pair $(tr, X)$ consisting of a trace $tr$ and a set of events $X$. It is a failure of a process $P$ if either $tr$ is a divergence of $P$ (in which case $X$ can be any set) or $(tr, X)$ is a stable failure of $P$. The set of all possible failures of a process $P$ is written $F(P)$. If $D(P) = D(Q)$ and $F(P) = F(Q)$ then $P$ and $Q$ are equivalent in the failures-divergences model, written $P =_{FD} Q$.

The different models are used to analyse CSP systems with respect to different properties. This paper is concerned with the failures-divergences model, which is used to check for liveness properties such as divergence-freedom. If a system description includes the possibility of divergence (for example, if it includes internal events) then it is necessary to use the failures-divergences model to check for divergence-freedom.

An important relationship between the stable failures model and the failures-divergences model is that if a process is divergence-free (i.e. its set of divergences is empty) then its failures are the same as its stable failures. This is captured in the following theorem.

Theorem 1. If $D(P) = \{\}$ then $F(P) = SF(P)$.

This theorem is useful because it allows us to carry out analysis in the stable failures model, which is more efficient, and to establish results which remain valid in the failures-divergences model. For example, if a process $P$ is divergence-free, then to check that it is deadlock-free (i.e. that $(tr, \alpha(P))$ cannot be a failure of $P$ for any $tr$) it is sufficient to check this in the stable failures model (that $(tr, \alpha(P))$ cannot be a stable failure). The model checker FDR [For] can carry out divergence-freedom and deadlock-freedom checks mechanically.
2.4 CSP semantics for B machines

Morgan's CSP-style semantics [Mor] for event systems enables us to define such semantics for B machines. A machine $M$ thus has a set of traces $T(M)$, a set of failures $F(M)$ and a set of divergences $D(M)$. A sequence of operations $\langle e_1, e_2, \ldots, e_n \rangle$ is a trace of $M$ if it can possibly occur. This is true precisely when it is not guaranteed to be blocked, or in other words it is not guaranteed to achieve $false$. In wp notation we write $\neg wp(e_1; e_2; \ldots; e_n, false)$, or in Abstract Machine Notation $\neg [e_1; e_2; \ldots; e_n]\, false$. (The empty trace is treated as $skip$.)

A sequence does not diverge if it is guaranteed to terminate, i.e. establish $true$. Thus a sequence is a divergence if it is not guaranteed to establish $true$, i.e. $\neg [e_1; e_2; \ldots; e_n]\, true$. Finally, given a set of events $X$, each event $e \in X$ is associated with a guard $g_e$. A sequence with a set of events is a failure of $M$ if the sequence is not guaranteed to establish the disjunction of the guards. Thus $(\langle e_1, e_2, \ldots, e_n \rangle, X)$ is a failure of $M$ if $\neg [e_1; e_2; \ldots; e_n] \left( \bigvee_{e \in X} g_e \right)$. More details of the semantics of B machines can be found in [Tre].

Morgan does not give a stable failures semantics for action systems. We will define the stable failures $SF(M)$ for a machine $M$ in terms of its failures-divergences semantics as follows.

Definition 1. The stable failures of a B machine are defined as follows:

$SF(M) = \{\, (tr, X) \mid (tr, X) \in F(M) \wedge tr \notin D(M) \,\}$
MACHINE iLift
VARIABLES ifloor
INVARIANT ifloor   NAT
INITIALISATION ifloor   
OPERATIONS
iincnn 
PRE nn   NAT	
THEN ifloor   ifloor 
 nn
END
idec 
PRE ifloor  
THEN ifloor   ifloor  	
END
bb  iisZero 
IF ifloor  
THEN bb   TRUE
ELSE bb   FALSE
END
END
i LiftCtrl 
i upy   i incy   i LiftCtrl
  i downy   i DOWN y
  i ground   i LOWER
i DOWN n 
if n  	
then i LiftCtrl
else i isZerobb 
if bb  TRUE
then i LiftCtrl
else i dec  i DOWN n  

i LOWER 
i isZerobb 
if bb  TRUE
then i LiftCtrl
else i dec  i LOWER
Fig    A Lift machine i Lift and its controller i LiftCtrl
Observe that with this definition, Theorem 1 also holds for B machines $M$.

We have a technique [Tre, STb] based on control loop invariants for establishing that a combination $P \parallel M$ is divergence-free. In other words, previous results provide a means to establish that $D(P \parallel M) = \{\}$. This paper is not concerned with that technique. Rather, we are concerned with composing together a number of $P_i \parallel M_i$ pairs once we have established that $D(P_i \parallel M_i) = \{\}$ for each pair. Hence a number of the theorems in this paper will include an assumption that $D(P_i \parallel M_i) = \{\}$. The assumption in particular cases can be discharged using the control loop invariant technique.
3 A motivating toy example: a lift controller

As motivation for the results presented in this paper we consider a toy example of a collection of lift machines described in B, controlled by CSP controller processes. An individual lift is given in Figure 2. It describes a particular lift indexed by $i$. We will then go on to define a system consisting of a collection of such lifts.

3.1 Individual lifts

The Lift machine provides three operations: $i\_inc(nn)$, which moves the lift up $nn$ floors; $i\_dec$, which moves the lift down one floor; and a query operation $i\_isZero$, which indicates whether or not the lift is on the ground floor.

Fig. 3. The controlled lift system: the controller $i\_LiftCtrl$ communicates with its environment on $i\_up$, $i\_down$ and $i\_ground$, and with the machine $i\_Lift$ on the control channels $i\_inc$, $i\_dec$ and $i\_isZero$

The CSP controller is also given in Figure 2. It interacts with a user through the events $i\_up$, $i\_down$ and $i\_ground$, and controls the lift accordingly:

- on $i\_up.y$ it calls $i\_inc$ and moves the lift up $y$ floors;
- on $i\_down.y$ it calls $i\_dec$ $y$ times, or until it reaches the ground if this is sooner;
- on $i\_ground$ it is required to move the lift to the ground floor. To do this it repeatedly checks (using $i\_isZero$) whether the lift is on the ground floor, and if not then it moves the lift down a floor with $i\_dec$.

We are firstly interested in each controlled lift combination

$i\_LiftSys = (i\_Lift \parallel i\_LiftCtrl) \setminus \{|\, i\_inc, i\_dec, i\_isZero \,|\}$

which is pictured in Figure 3. We require as a minimum that this combination is deadlock-free and divergence-free.
These properties are apparent in this simple example. Deadlock-freedom is immediate, because the B machine is always willing to engage in any event required by the controller, and the controller itself is either waiting for an interaction from its environment or else ready to call a machine operation. Divergence could arise either (i) from a B operation being called outside its precondition, or (ii) from an infinite sequence of internal events. In the case of (i), the only operation with a non-trivial precondition is $i\_dec$, and the controller is constructed so that $i\_dec$ is only ever called when the lift is not at floor 0. In the case of (ii), the lift will eventually reach the ground floor, and so an infinite sequence of calls of $i\_dec$ cannot occur.

In more complex examples the properties may not be so apparent, and it would be useful to be able to apply analysis tools to carry out model checking on the combined system. However, no tools currently exist which can analyse a combination of B and CSP descriptions. The best we can aim for is to analyse the descriptions separately and combine results. In particular, for considering properties such as deadlock and livelock we would aim to apply a tool such as FDR [For] to the CSP part of the description and deduce results about the controlled combination. In particular, once it has been established that the
i LiftCtrlf  
i upy   i incy   i LiftCtrlf  y
  i downy   i DOWN f  y
  i ground   i LOWERf 
i LOWERf  
i isZerobb
 



fbb  TRUE  f  	g  
if bb  TRUE
then i LiftCtrlf 
else i dec   i LOWERf  

i DOWN f  n 
if n  	
then i LiftCtrlf 
else i isZerobb
 



fbb  TRUE  f  	g  
if bb  TRUE
then i LiftCtrlf 
else i dec 
i DOWN f  
n  

Fig    The controller with diverging assertions
controller does not call operations outside their precondition, then the aim is that all deadlocking and divergent behaviour is essentially contained in the controller and can be identified without further reference to the B machine.

It has previously been established [STb] that under appropriate conditions the deadlock-freedom of a controller $P$ implies the deadlock-freedom of a controlled combination $P \parallel M$. This result appears in this paper as Theorem 2. We also establish in this paper (in a later theorem) that under appropriate conditions, if $P \setminus E$ is divergence-free then so too is $(P \parallel M) \setminus E$.

These two theorems are exactly what is required. We have only to check that $i\_LiftCtrl$ is deadlock-free to deduce the same for $i\_LiftSys$. And we have only to check that $i\_LiftCtrl \setminus \{|\, i\_inc, i\_dec, i\_isZero \,|\}$ is divergence-free to deduce this for $i\_LiftSys$. These are both checks that are easily done using FDR.

However, the second check turns out not to be correct. The description of $i\_LiftCtrl \setminus \{|\, i\_inc, i\_dec, i\_isZero \,|\}$ in fact contains a divergence, arising from the infinite sequence $\langle i\_ground, i\_isZero.false, i\_dec, i\_isZero.false, i\_dec, \ldots \rangle$ of $i\_LiftCtrl$. It is the machine $i\_Lift$ that ensures that this cannot occur, but that machine was not included in the FDR analysis.

The problem is that some of the control flow is dependent on the state information maintained in the B machine, and so the useful theorems we have available are not directly applicable. We need to include the relevant state information in the description of the CSP controller, and also the expectation that the value $true$ will be received on channel $i\_isZero$ exactly when $f = 0$. This is included as an assertion, as shown in Figure 4. It is straightforward to show that $i\_LiftCtrl_1(0)$ is an appropriate driver for $i\_Lift$, using control loop invariant $(f = ifloor)$. The proof that $i\_LiftCtrl_1(0) \parallel i\_Lift$ has no divergences involves establishing the truth of the assertion for the input $bb$ on $i\_isZero$.

Introducing a diverging assertion means that $i\_LiftCtrl_1(0)$ trivially has a divergence (i.e. the behaviour when the assertion is not met), so it is not appropriate to check $i\_LiftCtrl_1(0) \setminus \{|\, i\_inc, i\_dec, i\_isZero \,|\}$ for divergence-freedom. However, in the context of $i\_Lift$ we know the assertion will always be
i LiftCtrlf  
i upy   i incy   i LiftCtrlf  y
  i downy   i DOWN f  y
  i ground   i LOWERf 
i LOWERf  
i isZerobb
 



hbb  TRUE  f  	i  
if bb  TRUE
then i LiftCtrlf 
else i dec   i LOWERf  

i DOWN f  n 
if n  	
then i LiftCtrlf 
else i isZerobb
 



hbb  TRUE  f  	i  
if bb  TRUE
then i LiftCtrlf 
else i dec 
i DOWN f  
n  

Fig    The controller with blocking assertions
true so we may replace the diverging assertion by a blocking one and yield a
controller with the same behaviour in the context of i Lift  The only dierence
is that this controller blocks rather than diverges when the assertion is false
and since the assertion is never false in the context of i Lift  the resulting be

haviour is the same This transformation is justied by Corollary  Thus we
obtain a variant i LiftCtrl	 of the controller given in Figure  such that
i LiftCtrl	 k i Lift  i LiftCtrl	 k i Lift 
Now we have a transformation of the controller which is divergence
free when
the internal events are hidden i LiftCtrl	 n fj i inc  i dec  i isZero jg is
divergence
free and this can be checked using FDR given a bound on the num

ber of possible consecutive i up events	 So we can conclude that i LiftCtrl	 k
i Lift	 n fj i inc  i dec  i isZero jg is divergence
free
Now Corollary  also allows the assertions of i LiftCtrl	 to be dropped
completely resulting in a controller whose behaviour does not depend on the
value of the parameter f at all and which is therefore equivalent to i LiftCtrl 
This transformation is discussed in more detail in STa We have therefore
now established divergence
freedom of the original combination i LiftCtrl k
i Lift	 n fj i inc  i dec  i isZero jg
To sum up we identied two new controllers which are equivalent in the
presence of i Lift to the original controller i LiftCtrl  and which are each used
in a dierent part of the proof
i LiftCtrl	 k i Lift  i LiftCtrl	 k i Lift  i LiftCtrl k i Lift
 The combination i LiftCtrl	 k i Lift can be shown to be divergence
free
using techniques from STb
 i LiftCtrl	 n fj i inc  i dec  i isZero jg is divergence
free and so
i LiftCtrl	 k i Lift	 n fj i inc  i dec  i isZero jg is divergence
free
 And i LiftCtrl	 k i Lift is equivalent to the original i LiftCtrl k i Lift 
These results together establish the required result that the original combination
i LiftCtrl k i Lift	 n fj i inc  i dec  i isZero jg is divergence
free The state

 LiftCtrl

 Lift
 LiftCtrl
 Lift
 LiftCtrl
 Lift
 LiftCtrl
 Lift
req
bottom
 up
 down
 ground
 inc
 dec
 isZero
send
reset
DispatchCtrl
Dispatch
Fig    The complete system Lifts
information was introduced into the controller purely to enable the verication
to take place and can be removed once the result has been established
We also deduce that i LiftCtrl k i Lift	 n fj i inc  i dec  i isZero jg is
deadlock
free This follows from deadlock
freedom of i LiftCtrl k i Lift 
3.2 A collection of lifts

We will now combine the lifts into a single system, together with a $Dispatch$ and $DispatchCtrl$ component which manages requests for lifts from buttons on the various floors. When a request for a lift is made from a particular floor, only one of the lifts needs to be sent. An example architecture made up of four lifts is pictured in Figure 6.

The $Dispatch$ machine contains some algorithm for deciding which lift should be sent to a particular floor. It has an operation $ii, nn, dd \leftarrow send(ff)$: on input of the floor $ff$ to send a lift to, it provides as output the lift $ii$ to be sent, the number of floors $nn$ and the direction $dd$ that lift $ii$ will need to travel (as computed by $Dispatch$). $Dispatch$ has another operation $reset$, which is called when all lifts return to the ground floor. The particular details of $Dispatch$ are not relevant to this example and will not be given here.

The $DispatchCtrl$ controller accepts requests along channel $req$: an input $req.x$ is a request for a lift to go to floor $x$. It makes use of the $Dispatch$ machine to decide which lift to allocate, and then sends the appropriate instruction to the relevant lift. The controller can also accept an instruction $bottom$ to return all lifts to the ground floor. It is defined as follows:

DispatchCtrl = req?x → send!x?i?n?d → (if d = ascend
                                         then i_up!n → DispatchCtrl
                                         else i_down!n → DispatchCtrl)
               □ bottom → 1_ground → 2_ground → 3_ground → 4_ground → reset → DispatchCtrl

Our overall system is then composed of the controlled lift components $\|_{i=1}^{4}\, (i\_LiftCtrl \parallel i\_Lift)$ interacting with the $DispatchCtrl \parallel Dispatch$ component, with all events apart from $req$ and $bottom$ internal:

$Lifts = \left( \|_{i=1}^{4}\, (i\_LiftCtrl \parallel i\_Lift) \;\parallel\; (DispatchCtrl \parallel Dispatch) \right) \setminus Int$

$Int = \bigcup_i \{|\, i\_inc, i\_dec, i\_isZero, i\_up, i\_down, i\_ground \,|\} \cup \{|\, send, reset \,|\}$

We will see later in the paper that this system is deadlock-free and divergence-free.
 Deadlockfreedom
An essential requirement for controlled components is deadlock
freedom This is
easily checked in FDR but only for processes that are expressed in CSP Thus
we aim to establish a theorem that allows the deadlock
freedom of P k M to be
deduced from deadlock
freedom of P which can then be checked using FDR	
In general parallel composition does not preserve deadlock
freedom Fortu

nately in the case of CSP controllers and B machines we are able to identify
conditions which ensure that the processes involved interact on their common
channels in a particular way ensuring that introducing a B machine cannot
introduce any new deadlocks In other words any deadlocks possible for the
controlled component P k M must already have been possible in P 
Open on possible inputs The required property of the B machine is that
it should always be able to accept any input for any operation and be able to
provide some output The need for this property is precisely why only machines
with non
blocking operations are permitted If a machine meets this property
then we will say it is open on the particular operations and inputs
In CSP terms this is dened formally for CSP processes Q as follows
Denition   A process Q is open on a set of partial events PE if given any
tr  X 	  SF Q  and e  PE there is some w such that ew  X 
This will apply to B machines as follows given any machine operation w 
ev	 we would expect the machine to be open on any partial event of the form
ev

 which corresponds to passing the input v

to operation e In other words
there should be some output w

which is made available by the machine and
hence does not appear in the refusal set X 	
The set of possible inputs for a machine will be all those partial events which
correspond to operations being called with some input The events are partial
because they do not include the output values
Denition  Given a B machine M with operations w
i
 e
i
v
i
	 the set
piM 	 of possible inputs for M is dened by
piM 	 
S
i
fe
i
v
i
j v
i
 T
in
e
i
	g
Example  The set of partial inputs for the machine i Lift is given in terms of
the three operations as follows
pii Lift	  fj i inci j i Zjg  fj i dec jg  fj i isZero jg
Observe that in the cases of i inc and i dec there are no outputs so the partial
events are in fact complete events Being open on these events means that they
cannot be refused since their output eld is empty	 There are two completions
of the partial event i isZero i isZerotrue and i isZerofalse i Lift being open
on this partial event means that at any stage at least one of these completions
cannot be refused by i Lift 
The key property of non
blocking machines is that they will always be open
on their possible inputs
Lemma  Any 	non blocking
 B machine M is open on piM 	
This states in CSP semantics terms that any operation call with any input should
always produce some result
Nondiscriminating controllers The condition on a controller P is that
whenever it calls an operation of the controlled B machine M  it should be able
to accept any output provided by M  We call this property non discriminating
and it can be expressed formally in CSP terms with the following denition
Denition  A CSP process P is non
discriminating on a set of partial events
PE if for any failure tr  X 	  SF P  and subset CV 	 PE we have that

 cv  CV  w  cv w  X 	 tr  X  fj CV jg	  SF P 
This denition states that if any event cv w can be refused ie appears in
the refusal set X 	 then all the inputs on channel cv ie outputs from the B
machine	 could be refused thus the refusal X can be augmented with fj cv jg
Example  The control process i LiftCtrl is non
discriminating on i isZero at
any stage i LiftCtrl can either refuse all of fj i isZero jg or else none of it In
terms of the denition whenever some event from fi isZerotrue  i isZerofalseg
can be refused then all can be refused
Observe that i LiftCtrl is also non
discriminating on fi inci j i Zg and on
i dec In fact a process will trivially be non
discriminating on complete events
The approach is restricted to non blocking B machines In other words oper

ations w  ev	 must always be enabled though they might be called outside
their preconditions which leads to divergence	 and on any input they must pro

vide some output
Controllers which do not include blocking assertions on the control channels
are able to accept any output from the associated B machine whenever they call
an operation with any particular inputs Thus they will be non
discriminating
on the possible inputs to the machine This is expressed by the following lemma
Lemma   If P is a controller for machine M with no blocking assertions on
any channels of M  then P is non discriminating on the set piM 	 of M s pos 
sible inputs
Observe that this lemma is illustrated by i LiftCtrl in Example  above
Establishing Deadlockfreedom We now have ingredients which are su

cient to deduce deadlock
freedom of P k Q from deadlock
freedom of P  The
idea is that the interface between P and Q is dened by a set of partial events
PE  P should be non
discriminating on these partial events and Q should be
open on them We can show that if P k Q can deadlock then so can P 
If P k Q does have a deadlock state then all events can be simultaneously
refused in that state For any partial event e Q is open on e so Q cannot refuse
all of fj e jg Hence P must be refusing some event in fj e jg and so because P
is non
discriminating P can refuse all of fj e jg Thus we nd that all events in
the interface can be refused by P in this state and P cannot perform any other
events either Hence P is in a deadlocked state
Consider this reasoning in the context of a controlled component. Consider a state of P ∥ M. If P in this state is not deadlocked, then either
- P is ready to perform an event outside α(M). In this case M cannot prevent that event, so the combination P ∥ M is ready to perform the event and hence is not deadlocked; or
- P is ready to perform an interaction with M. In this case it is an operation call c with some input v. P is ready to accept any output from this operation call, since it is non-discriminating on c.v; and M is ready to provide an output w in response to c.v, since it is open on c.v. Hence the combination P ∥ M is ready to perform c.v.w, and so is not in a deadlocked state.
The lemma that this reasoning establishes is the following.

Lemma. If
- P is non-discriminating on a set of partial events PE,
- Q is open on PE, and
- α(Q) ⊆ {| PE |},
then if P is deadlock free in the stable failures model, so too is P ∥ Q.
For a particular controlled component P ∥ M we already have the conditions for this lemma: P is non-discriminating on pi(M) (from the lemma above), M is open on pi(M) (from the earlier lemma on B machines), and α(M) ⊆ {| pi(M) |}.
Finally we obtain the following theorem for controlled components
Theorem   If P is a CSP controller for M with no blocking assertions on any
channels of M  and P is deadlock free in the stable failures model then P k M
is deadlock free in the stable failures model
This theorem is exactly what is required to establish deadlock-freedom of P ∥ M from deadlock-freedom of P. In fact a direct proof of this theorem in terms of the CSP semantics has previously been presented in [STb]. However, we find that the identification of the properties non-discriminating and open yields more understanding as to why the theorem works, and allows an easier proof of this theorem and others.
Example. For example, consider the combination i.LiftCtrl ∥ i.Lift in a state after some trace tr, in which {i.isZero.true, i.isZero.false} is refused. We know that i.Lift is open on {| i.isZero |}, so it cannot refuse the whole set {i.isZero.true, i.isZero.false}. Since the parallel combination does refuse that whole set, it must be that i.LiftCtrl is refusing at least one of i.isZero.true, i.isZero.false. But i.LiftCtrl is non-discriminating on i.isZero, so this means that it can itself refuse the whole set {| i.isZero |}.

The same reasoning applies to all partial events in the interface between i.LiftCtrl and i.Lift. Thus if i.LiftCtrl ∥ i.Lift could reach a deadlock state, then all events in the interface would be refused by i.LiftCtrl ∥ i.Lift, and so they could also be refused purely by i.LiftCtrl. Thus i.LiftCtrl would also have a deadlock state.

As observed previously, i.LiftCtrl is deadlock-free. Hence the theorem allows us to deduce that i.LiftCtrl ∥ i.Lift is deadlock-free.

Restricting events to prevent divergence
The use of abstraction is essential in the compositional development of large systems. We will therefore generally need to hide control channels within controlled components.

Since hiding has the potential to introduce divergence, we need to be able to establish when this does not occur. In particular, it would be useful to be able to check divergence-freedom of a controller P \ C using FDR, and then to deduce divergence-freedom of the controlled component (P ∥ M) \ C.

The following theorem on CSP processes P and Q gives such a condition.

Theorem. If P ∥ Q is divergence free, C ⊆ α(P), and P \ C is divergence free, then (P ∥ Q) \ C is divergence free.

This is immediately applicable to controlled components, since C ⊆ α(P) as a consequence of our architecture. Thus divergence-freedom of (P ∥ M) \ C follows directly from divergence-freedom of P \ C.
However in practice it will often be the case that P n C turns out not to be
divergence
free even if P k M 	 n C is For instance in the lift example we found
that i LiftCtrl n fj inc  dec  isZero jg was not divergence
free and instead we
had to transform the controller description to i LiftCtrl	 in order to obtain
a controller such that i LiftCtrl	 n fj inc  dec  isZero jg is divergence
free So
it is necessary to identify theorems which justify such transformations
Our approach is to identify behaviours of the controller P which cannot occur in the context of the machine M under control. We then aim to find P′ such that
- P′ is the same as P except (possibly) on the behaviours that have been identified, and
- P′ \ C is divergence-free.
Thus P′ ∥ M will be the same as P ∥ M, which by assumption is divergence-free. The theorem above, applied to P′, yields that (P′ ∥ M) \ C is divergence-free, and hence (P ∥ M) \ C is divergence-free.
This is the approach that was taken in the lift example. The relevant behaviour that cannot occur in the context of i.Lift is the output of false from isZero when the lift is at the ground floor. This behaviour is blocked in i.LiftCtrl′. However, i.LiftCtrl′ is the same as i.LiftCtrl for all behaviours that are possible in parallel with i.Lift.
The way we identify traces that cannot occur is to require divergence whenever they do occur, and then look for divergences. If we are concerned with a set of traces T ⊆ A*, then we can express this by defining a new process DIV_A(T) which behaves as RUN_A except that it diverges on any trace in T:

$$\mathcal{F}[\![\mathit{DIV}_A(T)]\!] = \{(tr, \{\}) \mid tr \in A^*\} \cup \{(tr \frown tr', X) \mid tr \in T \wedge tr' \in A^* \wedge X \subseteq A\}$$

$$\mathcal{D}[\![\mathit{DIV}_A(T)]\!] = \{tr \frown tr' \mid tr \in T \wedge tr' \in A^*\}$$

Observe that DIV_A({}) = RUN_A, and that DIV_A(A*) = DIV, the process which diverges immediately (since the empty trace is in A*).

The process DIV_A(T) can then be used to mask behaviour in a process P. The process P ∥ DIV_A(T) behaves exactly as P, except that whenever a trace in T is performed it diverges. Thus if P ∥ DIV_A(T) = P′ ∥ DIV_A(T), then P and P′ have the same behaviour except possibly with regard to traces in T, which are masked by the introduction of divergence.
The following theorem allows a process P to be replaced by an alternative process P′ in the context of another process Q. In particular, if P does not diverge in the context of Q (i.e. P ∥ Q is divergence-free) and P′ is the same as P except on divergent traces of P, then P and P′ have the same executions when executed in parallel with Q (since none of P's divergent traces will be performed).

Theorem. If P, P′ and Q are such that
- P ∥ Q is divergence free,
- $P =_{FD} P' \parallel \mathit{DIV}_{\alpha(P)}(\mathcal{D}[\![P]\!])$, and
- α(P) = α(P′),
then P ∥ Q = P′ ∥ Q.

This states that if P′ is different to P only with respect to where P diverges, and P ∥ Q does not diverge, then P and P′ behave the same in the context of Q. This follows because if P ∥ Q does not diverge, then none of the traces of P which lead to divergence are possible when executing in parallel with Q. Since P′ is exactly the same as P except for these traces, and Q prevents such traces from occurring, it follows that P′ ∥ Q is the same as P ∥ Q.
Example. As an example to illustrate the theorem, consider the following processes. P and P′ have alphabet A = {a, b, c}, and Q has alphabet {a, b}:

$$P = a \to ((b \to \mathit{DIV}_A)\ \Box\ (a \to c \to P))$$

$$P' = a \to ((b \to c \to P')\ \Box\ (a \to c \to P'))$$

$$Q = (a \to a \to Q)\ \Box\ (b \to \mathit{STOP})$$

- Firstly, we see that P ∥ Q can only ever perform a and c events, and is deadlock-free. In particular, the process Q prevents P from performing the b event (the only event that can lead to divergence), since there is no point at which P and Q can agree to perform b.
- The behaviour of P′ after b occurs is different to that of P (which is divergent), but if b does not occur then P and P′ behave the same. Thus P and P′ are the same except on the divergences of P.
- Finally, note that P and P′ have the same alphabet.
Thus we can conclude that P ∥ Q = P′ ∥ Q.
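The deadlock argument earlier in this section (a non-discriminating controller in parallel with an open machine) and the masking theorem illustrated by this example can both be checked mechanically on small finite-state processes. The following Python program is an added example and is not code from the paper or from FDR: it represents processes as deterministic labelled transition systems with an explicit diverging state, implements alphabetised parallel composition and hiding, and provides checks for divergence-freedom (including divergence introduced by hiding), deadlock-freedom, the non-discriminating and open conditions, and equality of behaviour. The processes P, P_PRIME and Q are those of the example above; the counter machine M, the controllers CTRL and CTRL_BLOCK, their alphabet AM and the partial events PE are constructed here to illustrate the deadlock lemma and are not the paper's lift. Restricting to deterministic processes is an assumption of this example: it lets the refusals of a state be read off as the events the state does not offer, which the paper's failures-based definitions do not require.

```python
"""Finite-state checker for the CSP notions used in the text: alphabetised
parallel, hiding, divergence- and deadlock-freedom, non-discriminating and
open.  A process is (lts, start) with lts = {state: {event: next_state}} and
the reserved state DIV diverging.  Processes are assumed deterministic, so a
state can refuse exactly the events it does not offer (example assumption)."""
DIV, TAU = "DIV", "tau"

def reachable(p):
    """States reachable from the start (DIV is never expanded)."""
    lts, s0 = p
    seen, stack = set(), [s0]
    while stack:
        s = stack.pop()
        if s not in seen and s != DIV:
            seen.add(s)
            stack.extend(lts[s].values())
    return seen

def parallel(p, q, ap, aq):
    """P [ap || aq] Q: shared events synchronise, the rest interleave; a
    diverging component makes the composite diverge."""
    (lp, s0), (lq, t0) = p, q
    lts, todo = {}, [(s0, t0)]
    while todo:
        s, t = st = todo.pop()
        if st in lts:
            continue
        lts[st] = {}
        for e in ap | aq:
            ns = lp[s].get(e) if e in ap else s    # None: P is not ready for e
            nt = lq[t].get(e) if e in aq else t
            if ns is not None and nt is not None:
                lts[st][e] = DIV if DIV in (ns, nt) else (ns, nt)
                if lts[st][e] != DIV:
                    todo.append(lts[st][e])
    return lts, (s0, t0)

def hide(p, c):
    """P \\ C: events of C become internal TAU moves (one hidden event per
    state at most, so the result stays deterministic)."""
    lts, s0 = p
    out = {}
    for s, succ in lts.items():
        assert sum(e in c for e in succ) <= 1, "hiding would add nondeterminism"
        out[s] = {(TAU if e in c else e): n for e, n in succ.items()}
    return out, s0

def divergence_free(p):
    """No reachable DIV and no cycle of TAU moves (divergence from hiding)."""
    lts, _ = p
    live = reachable(p)
    if any(DIV in lts[s].values() for s in live):
        return False
    for s in live:                       # follow the (unique) TAU chain from s
        path, n = {s}, lts[s].get(TAU)
        while n is not None and n not in path:
            path.add(n)
            n = lts[n].get(TAU)
        if n is not None:                # the chain closed a cycle: divergence
            return False
    return True

def initials(p):
    lts, _ = p
    return [set(lts[s]) for s in reachable(p)]

def deadlock_free(p):
    return all(initials(p))              # every reachable state offers something

def non_discriminating(p, partial_events):
    """Each state offers all of {|e|} or none of it, so refusing one event of
    {|e|} implies that all of {|e|} can be refused."""
    return all(not (i & e) or e <= i for i in initials(p) for e in partial_events)

def is_open(q, partial_events):
    """Every state offers some event of each {|e|}: Q never refuses all of it."""
    return all(i & e for i in initials(q) for e in partial_events)

def same_behaviour(p, q):
    """Same traces and divergences for deterministic LTSs: walk both in step,
    failing on differing initials or on DIV reached by one side only."""
    (lp, s0), (lq, t0) = p, q
    seen, todo = set(), [(s0, t0)]
    while todo:
        s, t = todo.pop()
        if (s, t) in seen or s == t == DIV:
            continue
        seen.add((s, t))
        if DIV in (s, t) or set(lp[s]) != set(lq[t]):
            return False
        todo.extend((lp[s][e], lq[t][e]) for e in lp[s])
    return True

# Processes of the example in the text (A = {a, b, c}, alpha(Q) = {a, b}).
A, AQ = {"a", "b", "c"}, {"a", "b"}
P = ({"P0": {"a": "P1"}, "P1": {"b": DIV, "a": "P2"}, "P2": {"c": "P0"}}, "P0")
P_PRIME = ({"P0": {"a": "P1"}, "P1": {"b": "P3", "a": "P2"},
            "P2": {"c": "P0"}, "P3": {"c": "P0"}}, "P0")
Q = ({"Q0": {"a": "Q1", "b": "STOP"}, "Q1": {"a": "Q0"}, "STOP": {}}, "Q0")

# Constructed controlled component (not the paper's lift): a bounded counter M
# whose operations diverge outside their preconditions, a controller accepting
# either isZero output, and a variant with a blocking assertion on that output.
IS_ZERO = {"isZero.true", "isZero.false"}
PE, AM = [{"inc"}, {"dec"}, IS_ZERO], {"inc", "dec"} | IS_ZERO
M = ({0: {"inc": 1, "dec": DIV, "isZero.true": 0},
      1: {"inc": 2, "dec": 0, "isZero.false": 1},
      2: {"inc": DIV, "dec": 1, "isZero.false": 2}}, 0)
CTRL = ({"C0": {"inc": "C1"}, "C1": {"dec": "C2"},
         "C2": {"isZero.true": "C0", "isZero.false": "C0"}}, "C0")
CTRL_BLOCK = ({"C0": {"inc": "C1"}, "C1": {"dec": "C2"},
               "C2": {"isZero.false": "C0"}}, "C0")
```

With these definitions, same_behaviour(parallel(P, Q, A, AQ), parallel(P_PRIME, Q, A, AQ)) holds although divergence_free(P) fails, which is the content of the example; divergence_free(hide(P, {"a"})) fails while divergence_free(hide(P_PRIME, {"a"})) and divergence_free(hide(parallel(P_PRIME, Q, A, AQ), {"a"})) both hold, which is the route to divergence-freedom after hiding described above, and hiding {"a", "c"} from P_PRIME closes a cycle of internal moves and so is reported divergent. For the constructed component, CTRL_BLOCK is deadlock-free on its own yet parallel(CTRL_BLOCK, M, AM, AM) deadlocks, because the blocking assertion makes it discriminating on {| isZero |}; CTRL, which accepts either output, satisfies the lemma's conditions and its combination with M is deadlock- and divergence-free.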
The reason this result is useful is that it supports the introduction and manipulation of assertions on the control channels. If we introduce a diverging assertion on a control channel between P and M, and we then establish that P ∥ M is divergence-free (using control loop invariant (CLI) techniques), then we can alter the behaviour of P when the assertion is false (in which case P diverges) and obtain a related controller P′ which matches P outside P's divergences, and for which P ∥ M = P′ ∥ M. The aim is to obtain a controller P′ in this way for which P′ \ C is divergence-free.
The next lemma lists some ways in which diverging assertions within a controller can be transformed.

Lemma. If a controller P′ is obtained from controller P by replacing clauses of the form ev?x{E(x)} → R(x) with one of
- ev?x{E′(x)} → R(x), where ∀ x . E(x) ⇒ E′(x);
- ev?x → if E(x) then R(x) else Q(x);
- ev?x → R(x);
- ev?x⟨E(x)⟩ → R(x);
then $P =_{FD} P' \parallel \mathit{DIV}_{\alpha(P)}(\mathcal{D}[\![P]\!])$.
Thus we obtain the following corollary for controlled components
Corollary  If P kM is divergence free then behaviour in P following an in 
put which fails a diverging assertion can be changed in accordance with Lemma 
without aecting the behaviour of the parallel combination
This means that diverging assertions in P  once they have been discharged in
a context M  can be replaced with blocking assertions or else removed com

pletely This is precisely the justication for the transformation of i LiftCtrli	
to i LiftCtrli	 in the context of i Lift  i LiftCtrl	 does not diverge
 Parallel combinations of controlled components
All the results of the previous sections have been presented as applying to a single CSP controller process P in parallel with a single B machine M. However, the systems we are generally concerned with (such as the combination of lifts) have the form

$$\|_i\, (P_i \parallel M_i)$$

as illustrated in the figure. Many of the results we have obtained for a single controlled component can be lifted to combinations of components, and we consider some of these in this section.
Divergencefreedom Firstly we consider divergence
freedom It is straightfor

ward to establish divergence
freedom of a combined system using the following
theorem from STb
Theorem  If P
i
k M
i
are divergence free for each i then
k
i
P
i
k M
i
	 is
divergence free
This follows immediately from the semantics for parallel composition which
preserves divergence
freedom Thus we need only establish divergence
freedom
for the component pairs and the result follows
Example. In the parallel lift system, since each of the controlled lift components is divergence-free, and since we are given that the controlled dispatcher component is divergence-free, it follows that the overall parallel combination of all the components of the multiple lift system is divergence-free.
Establishing deadlockfreedom Associativity and commutativity of the par

allel operator means that we can group the controller processes together and the
machines together rearranging the parallel composition as follows
k
i
P
i
kM
i
	  
k
i
P
i
	 k 
k
i
M
i
	
Now we can consider 
k
i
P
i
	 as a CSP process and 
k
i
M
i
	 as another CSP pro

cess and we are concerned with the parallel combination of these two processes
The reason for grouping the components in this way is that the properties
non
discriminating  and open  are preserved by parallel composition in CSP
We can thus obtain the following two lemmas
Lemma. If P_i is a collection of controllers for machines M_i respectively, where each P_i has no blocking assertions on any channels of its associated M_i, then ∥_i P_i is non-discriminating on the set ∪_i pi(M_i).

Lemma. Any collection of (non-blocking) B machines M_i has that ∥_i M_i is open on ∪_i pi(M_i).

This second lemma states that if each machine is able to engage in any of its operations, then the parallel combination of all the machines is able to engage in any of the operations of any of its machines.
These two lemmas mean that the conditions for the deadlock-freedom lemma are met for controllers with no blocking assertions:
- ∥_i P_i is non-discriminating on the set ∪_i pi(M_i);
- ∥_i M_i is open on ∪_i pi(M_i);
- α(∥_i M_i) ⊆ {| ∪_i pi(M_i) |}.
This means that the lemma is directly applicable to a collection of parallel controlled components, in which deadlock-freedom of the overall parallel combination follows from deadlock-freedom of the combination of controllers.
[Figure: the lift controllers and lifts (i.LiftCtrl with i.Lift), together with DispatchCtrl and Dispatch and the channels req and bottom, partitioned into the two parts P and Q.]
Fig. Splitting the system into P and Q to verify divergence-freedom.
Theorem. Given a collection of CSP controllers P_i and corresponding controlled machines M_i, such that no controller has any blocking assertions on the control channels, then if ∥_i P_i is deadlock free in the stable failures model, so too is ∥_i (P_i ∥ M_i).

In the example lift system we therefore have only to check that (∥_i i.LiftCtrl) ∥ DispatchCtrl is deadlock-free (which is easily shown) to deduce this for the complete system.
Divergencefreedomof Lift System We are really concerned with divergence

freedom of

k
i   
i LiftCtrl k i Lift	 k DispatchCtrl k Dispatch		 n Int
Theorem  is the appropriate theorem to apply here We need to split the
system into P and Q such that P k Q is divergence
free and P n C is divergence

free The natural approach would take P as the combination of CSP controllers
andQ as the combination of B machines verication could indeed be established
by introducing assertions into the controllers along the lines of Section 
However we have already established the individual lifts are divergence
free
so we can re
use this result by splitting the system dierently as pictured in
Figure  P is DispatchCtrl  Q is the rest of the system and C is the interface
between P and Q 
P  DispatchCtrl
Q 
k
i
i LiftSys k Dispatch
C 
 
i
fj i up  i down  i ground jg  fj send   reset jg
We can check the conditions for Theorem 
 Each i LiftSys is divergence
free as established earlier	 and alsoDispatchCtrl k
Dispatch is divergence
free so the parallel combinationP k Q 
k
i
i LiftSys k
Dispatch k DispatchCtrl is divergence
free since divergence
freedom is pre

served by parallel composition	
 C 	 P	
 P n C is divergence
free This is easily checked with FDR	
Thus Lifts  P k Q	 n C is divergence
free
 Discussion
This paper has been concerned with providing the CSP underpinnings for developing controlled components, consisting of B machines controlled by CSP controllers under a particular architecture. The work builds on the control loop invariant method for verifying individual controlled components in the context of the B Method, and develops results for combining such verified components.

All of the results presented in this paper have been developed using the CSP semantics of all the component processes. The emphasis has been on obtaining compositional results which enable existing CSP verification methods and tools to apply to our combined systems. These results enable a particular strategy for verification: transform system descriptions to equivalent forms which are amenable to CSP checking. In the simplest case, if the combination P ∥ M is equivalent to P′ ∥ M, and properties of P′ ∥ M can be established (by analysing P′ with CSP tools), then those same properties can be deduced for P ∥ M. So our approach is to transform a controller P to a process P′ which behaves the same way in the context of M.

Transforming system descriptions to enable pure CSP analysis may involve the introduction of state information within the CSP controller descriptions, so that the behaviour in the context of the underlying B machine is not affected. In this paper we have illustrated the use of this technique.

Ongoing work [STa] has obtained further results for this framework. Firstly, it is often the case that controlled components are only correct in the context of the rest of the system. In this situation we will need to introduce assertions on the channels between CSP controllers in order to establish divergence-freedom of the individual controlled components. Treating assertions as blocking or diverging in particular cases is a delicate issue, and depends on the particular verification under consideration. We have developed theorems [STa] which justify the use of particular kinds of assertions. Secondly, we have results (whose proofs use the notions of non-discriminating and open) concerning refinement in the stable failures model: if SPEC ⊑ P \ α(M) then SPEC ⊑ (P ∥ M) \ α(M), under the appropriate conditions. This enables specified properties to be verified of combined systems. These results have been applied to a Bounded Retransmission Protocol [EST] for buffer-style properties, and in the Bank case study [TSB].

There are several other approaches to combining a process-style controller with a state-based system description, e.g. [But, FL, WC, SD]. The approach closest to ours is Butler's csp2B tool [But], which allows a CSP process to be conjoined to a B machine in a way which corresponds to a controller for an underlying machine. However, none of the other approaches exploit the semantic models for CSP in the way presented here. The ability to develop theory and tap into existing tool support on both the concurrency side and the state-based side is an important driver of the approach presented in this paper, and originally motivated the choice of CSP and B as the methods we chose to integrate.
Acknowledgements. Thanks are due to Neil Evans, Susan Stepney, Fiona Polack and Regine Laleau for discussions on this work, and also to Neil for comments on drafts of this paper.
References

[But] M. Butler. csp2B: A practical approach to combining CSP and B. Formal Aspects of Computing.
[EST] N. Evans, S. A. Schneider, and H. E. Treharne. Investigating a file transmission protocol using CSP and B. In proceedings of the STEVE workshop.
[FL] M. Frappier and R. Laleau. Proving event ordering properties for information systems. In ZB.
[For] Formal Systems (Europe) Ltd. Failures Divergences Refinement (FDR) Manual.
[Mor] C. C. Morgan. Of wp and CSP. In W. H. J. Feijen, A. J. M. van Gasteren, D. Gries, and J. Misra, editors, Beauty is our Business: a birthday salute to Edsger W. Dijkstra. Springer-Verlag.
[Ros] A. W. Roscoe. The Theory and Practice of Concurrency. Prentice-Hall.
[Sca] B. Scattergood. The Semantics and Implementation of Machine-Readable CSP. D.Phil. thesis, Oxford University.
[Sch] S. A. Schneider. Concurrent and Real-time Systems: The CSP Approach. Wiley.
[SD] G. Smith and J. Derrick. Specification, refinement and verification of concurrent systems: an integration of Object-Z and CSP. Formal Methods in System Design.
[STa] S. Schneider and H. Treharne. CSP theorems for communicating B machines. Technical Report CSD-TR, Royal Holloway, University of London.
[STb] S. A. Schneider and H. E. Treharne. Communicating B machines. In ZB, LNCS.
[Tre] H. E. Treharne. Combining control executives and software specifications. PhD thesis, Royal Holloway, University of London.
[TSB] H. E. Treharne, S. A. Schneider, and M. Bramble. Combining specifications using communication. In ZB.
[WC] J. C. P. Woodcock and A. L. C. Cavalcanti. A concurrent language for refinement. In Irish Workshop on Formal Methods.