Richard Banach

Retrenchment: An Engineering Variation on Refinement

It is argued that refinement, in which I/O signatures stay the same, preconditions are weakened and postconditions strengthened, is too restrictive to describe all but a fraction of many realistic developments. An alternative notion is proposed called retrenchment, which allows information to migrate between I/O and state aspects of operations at different levels of abstraction, and which allows only a fraction of the high level behaviour to be captured at the low level. This permits more of the informal aspects of design to be formally captured and checked. The details are worked out for the B-Method.

Engineering and theoretical underpinnings of retrenchment

Refinement is reviewed, highlighting in particular the distinction between its use as a specification constructor at a high level, and its use as an implementation mechanism at a low level. Some of its shortcomings as a specification constructor at high levels of abstraction are pointed out, and these are used to motivate the adoption of retrenchment for certain high level development steps. Basic properties of retrenchment are described, including a justification of the operation proof obligation, simple examples, its use in requirements engineering and model evolution, and simulation properties. The interaction of retrenchment with refinement notions of correctness is overviewed, as is a range of other technical issues. Two case study scenarios are presented. One is a simple digital redesign control theory problem, and the other is an overview of the application of retrenchment to the Mondex Purse development.

Core Hybrid Event-B I

Faced with the increasing need for correctly designed hybrid and cyber-physical systems today, the problem of including provision for continuously varying behaviour as well as the usual discrete changes of state is considered in the context of Event-B. An extension of Event-B called Hybrid Event-B is presented, that accommodates continuous behaviours (called pliant events) in between familiar discrete transitions (called mode events in this context). The continuous state change can be specified by a combination of indirect specification via ordinary differential equations, or direct specification via assignment of variables to values that depend on time, or indirect specification by demanding that behaviour obeys a time dependent predicate. The syntactic elements of the extension are discussed, and the semantics is described in terms of the properties of time dependent valuations of variables. Refinement is examined in detail, with reference to the notion of refinement inherited from discrete Event-B. A full suite of proof obligations is presented, covering all aspects of the new framework. A selection of examples and case studies is presented. A particular challenge - bearing in mind the desirability of conforming to existing intuitions about discrete Event-B, and the impact on tool support (as embodied in tools for discrete Event-B like Rodin) - is to design the whole framework so as to disturb as little as possible the existing structures for handling discrete Event-B. Extends Event-B, as seamlessly as possible, to encompass continuous behaviours.Considers formal semantics.Considers refinement.Presents a full suite of proof obligations.Gives a selection of small case studies.

Composition mechanisms for retrenchment

Retrenchment is a flexible model evolution formalism that arose as a reaction to the limitations imposed by refinement, and for which the proof obligations feature additional predicates for accommodating design data. Composition mechanisms for retrenchment are studied. Vertical, horizontal, dataflow, parallel and fusion compositions are described. Of particular note are the means by which the additional predicates compose. It is argued that all of the compositions introduced are associative, and that they are mutually coherent. Composition of retrenchment with refinement, so important for the smooth interworking of the two techniques, is discussed. Decomposition, allowing finer grained retrenchments to be extracted from a single large grained retrenchment, is also investigated.

Retrenching the purse: finite sequence numbers, and the tower pattern

The Mondex Electronic Purse system [18] is an outstanding example of formal refinement techniques applied to a genuine industrial scale application, and notably, was the first verification to achieve ITSEC level E6 certification. A formal abstract model including security properties, and a formal concrete model of the system design were developed, and a formal refinement was hand-proved between them in Z. Despite this success, certain requirements issues were set beyond the scope of the formal development, or handled in an unnatural manner. Retrenchment is reviewed in a form suitable for integration with Z refinement, and is used to address one such issue in detail: the finiteness of the transaction sequence number in the purse funds transfer protocol. A retrenchment is constructed from the lowest level model of the purse system to a model in which sequence numbers are finite, using a suitable elaboration of the Z promotion [21 ] technique. We overview the lifting of that retrenchment to the abstraction level of the higher models of the purse system. The concessions of the various retrenchments generated, formally capture the dissonance between the unbounded sequence number idealisation and the bounded reality. Reasoning about when the concession can become valid influences the actual choice of sequence number bound. The retrenchment-enhanced formal development is proposed as an example of a widely applicable methodological pattern for formal developments of this kind: the Tower Pattern.

Retrenchment and Punctured Simulation

Some of the shortcomings of using refinement alone as the means of passing from high level simple models to actual detailed implementations are reviewed. Retrenchment is presented as a framework for ameliorating these. In retrenchment the relationship between an abstract operation and its concrete counterpart is mediated by extra predicates, allowing most particularly the description of non-refinement-like properties, and the mixing of I/O and state aspects in the passage between levels of abstraction. Stepwise simulation, the ability of simulator to mimic a sequence of execution steps of the simulatee, is introduced as the reference point for discussing the broader semantic issues surrounding retrenchment. Punctured simulation is introduced as a naturally occurring phenomenon implicit in the ability of retrenchments to describe of non-refinement-like properties; and it is shown to have relevance even in some refinements. Two special cases of retrenchment, simple simulable retrenchment and memory less regular retrenchment are introduced. Both enjoy a unique domain property for large maximal punctured simulations, and the former has an easy stepwise simulation property too. A simple case study is presented. The B-Method and notation are used throughout the paper.

Retrenching the Purse: Finite Exception Logs, and Validating the Small

The Mondex electronic purse is an outstanding example of industrial scale formal refinement, and was the first verification to achieve ITSEC level E6 certification. A formal abstract model and a formal concrete model were developed, and a formal refinement was hand-proved between them. Nevertheless, certain requirements issues were set beyond the scope of the formal development, or handled in an unnatural manner. The retrenchment tower pattern is used to address one such issue in detail: the finiteness of the purse log (which records unsuccessful transactions). A retrenchment is constructed from the lowest level model of the purse system to a model in which logs are finite, and is then lifted to create two refinement developments of the purse, working at different levels of detail, and connected via retrenchments, forming the tower. The tower development is appropriately validated, vindicating the design used

Controlling Control Systems: An Application of Evolving Retrenchment

We review retrenchment as a liberalisation of refinement, for the description of applications too rich (e.g. using continuous and infinite types) for refinement. A specialisation of the notion, evolving retrenchment, is introduced, motivated by the need for an approximate, evolving notion of simulation. The focus of the paper is the case study, a substantial second-order linear control system. The design step from continuous to zero-order hold discrete system is expressible as an evolving retrenchment. Thus we demonstrate that the retrenchment approach can formalise the development of useful applications, which are outside the scope of refinement.The work is presented in a data type-enriched language containing the B language of J.-R. Abrial.

Retrenching the Purse: Hashing Injective CLEAR Codes, and Security Properties

The Mondex Electronic Purse is an outstanding example of industrial scale formal refinement, and was the first verification to achieve ITSEC level E6 certification. A formal abstract model and a formal concrete model were developed, and a formal refinement was hand-proved between them. Nevertheless, certain requirements issues were set beyond the scope of the formal development, or handled in an unnatural manner. The retrenchment tower pattern is used to address one such issue in detail: the use of a hash function rather than a total injective function when clearing the highly constrained purse logs. A retrenchment is constructed from the lowest level model to a model using a hash, and is then lifted to create two refinement developments, working at different levels of detail, and connected via retrenchments. The tower development is appropriately validated, vindicating the design used.

Maximally abstract retrenchments

The more obvious and well known drawbacks of using refinement as the sole means of progressing from an abstract model to a concrete implementation are reviewed. Retrenchment is presented in a simple partial correctness framework as a more flexible development concept for formally capturing the early and otherwise preformal stages of development, and briefly justified. Given a retrenchment from an abstract to a concrete model, the problem of finding a model at the level of abstraction of the abstract model, but refinable to the concrete one, is examined. A construction is given that solves the problem in a universal manner, there being a canonical factorisation of the original retrenchment, into a retrenchment to the universal system followed by an I/O-filtered refinement. The universality amounts to the observation that the retrenchment component of any similar factorisation, factors uniquely through the universal model. The constructions claim to be at the right level of abstraction is supported by an idempotence property. The consequences of including termination criteria in the formal models is briefly explored.