Graded Refinement, Retrenchment, and Simulation

Published: 31 March 2023

Abstract

Refinement of formal system models towards implementation has been a mainstay of system development since the inception of formal and Correct by Construction approaches to system development. However, pure refinement approaches do not always deal fluently with all desirable system requirements. This prompted the development of alternatives and generalizations, such as retrenchment. The crucial concept of simulation is key to judging the quality of the conformance between abstract and more concrete system models. Reformulations of these theoretical approaches are reprised and are embedded in a graded framework. The added flexibility this offers is intended to deal more effectively with the needs of applications in which the relationship between different levels of abstraction is not straightforward, and in which behavior can oscillate between conforming quite closely to an idealized abstraction and deviating quite far from it. The framework developed is confronted with an intentionally demanding case study: a model active control system for the protection of buildings during earthquakes. This offers many challenges: it is hybrid/cyber-physical; it has to respond to rather unpredictable inputs; and it has to straddle the gap between continuous behavior and discretized/quantized/numerical implementation.

Published In

ACM Transactions on Software Engineering and Methodology, Volume 32, Issue 2
March 2023
946 pages
ISSN: 1049-331X
EISSN: 1557-7392
DOI: 10.1145/3586025
Editor: Mauro Pezzè

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 31 March 2023
Online AM: 24 May 2022
Accepted: 27 April 2022
Revised: 14 February 2022
Received: 01 October 2021
Published in TOSEM Volume 32, Issue 2

Author Tags

  1. Refinement
  2. retrenchment
  3. simulation
