# Refinement-Based Development of Timed Systems Jesper Berthing<sup>1</sup>, Pontus Boström<sup>2</sup>, Kaisa Sere<sup>2</sup>, Leonidas Tsiopoulos<sup>2</sup>, and Jüri Vain<sup>3</sup> Abstract. Refinement-based development supported by Event-B has been extensively used in the domain of embedded and distributed systems design. For these domains timing analysis is of great importance. However, in its present form, Event-B does not have a built-in notion of time. The theory of refinement of timed transition systems has been studied, but a refinement-based design flow of these systems is weakly supported by industrial strength tools. In this paper, we focus on the refinement relation in the class of Uppaal Timed Automata and show how this relation is interrelated with the data refinement relation in Event-B. Using this interrelation we present a way how the Event-B and Uppaal tools can complement each other in a refinement-based design flow. The approach is demonstrated on a fragment of an industrial case study. #### 1 Introduction The Correct-by-Construction Design (CCD) workflow has proven its importance with motivating facts from recent industrial practice. Peugeot Automobiles has developed the model of the functioning of subsystems (lightings, airbags, engine, etc) for Peugeot after sales service; RATP (Paris Transportation) used the model of automatic platform doors to equip an existing metro line to verify the consistency of System Specification. Event-B [1] as one such CCD supporting formalism has proven its relevance in data intensive development while lacking sufficient support for timing analysis and refinement of timed specifications. Uppaal Timed Automata (UPTA) [2] address timing aspects of systems providing efficient data structures and algorithms for their representation and analysis but are less focusing on supporting refinement-based development, especially data refinement. The goal of this paper is to advocate the model-based transformational design method where these two approaches are combined to mutually complement each other. The transformational design flow discussed in the paper consists of alternation between data and timing refinement steps (see Fig. 1). The result of a data J. Derrick et al. (Eds.): IFM 2012, LNCS 7321, pp. 69–83, 2012. <sup>©</sup> Springer-Verlag Berlin Heidelberg 2012 Fig. 1. CCD workflow with interleaving data and timing refinement steps refinement step, performed within Event-B, after being proved correct, serves as an input to timing refinement step. The timing refinement means mapping the constraints of the previous level timing specification onto the UPTA model that is derived from the UPTA model of the previous design step and from the Event-B refinement of the current step. Then the newly introduced refinement of Event-B model must be decorated with timing attributes so that timing correctness criteria are satisfied. The timing correctness of refinement is verified using Uppaal [2] tool in two steps. At first, the consistency of the model being the result of timing refinement step is verified internally. Here the properties, e.g. deadlock and non-Zenoness are checked. Second, the preservation of timing properties introduced in the previous refinement step are verified. The design flow depicted in Fig. 1 is not complete since the real design flow may include also backtracking over several earlier design steps. For instance, when no feasible timing refinement is possible, it may require revision of much earlier functional refinement phases. The design backtracking issues and error diagnostics are not addressed also in the current paper. # 2 Related Work An extensive study of automata models for timed systems is presented in [12]. A general automaton model is defined as the context for developing a variety of simulation proof techniques for timed systems. These techniques include refinements, forward and backward simulations, hybrid forward-backward and backward-forward simulations, and other relations. Relationships between the different types of simulations are stated and proved. To improve model checking performance of timed systems, timing constraint refinement methods such as the efficient forward algorithm based on zones for checking reachability [3] and the counter example guided automatic timing refinement technique [8] have been studied. The refinement of timing has been addressed as part of specification technique recently in [7] where the constructs for refinement of Timed I/O specifications were defined for development of compositional design methodology. In works [3,7,8] the motivation behind timing refinement has been rather model checking or automated design verification than stepwise transformation-based design development. The way how timing refinement steps are constructed in the course of practical design flow has deserved relatively little attention. For systematic and modular co-use of refinement transformations both data and timing refinement transformations must be specified explicitly in terms of syntactic constraints, i.e., the domain of refinement transformations must consist of well-defined syntactic constructs of the modelling language. In [4,11,13] attempts have been made to incorporate discrete time directly into formalisms without having a native notion of time. However, the clocks are not an integrated part, but are modelled as ordinary variables. Hence, continuous time specific problems such as Zeno behaviour cannot be addressed directly in, for example, the Event-B proof system. Furthermore, timing can be seen as an extra functional property and adding this to a functional Event-B model will make it cluttered with non-functional aspects. This will, apart from making the model less readable, make the proofs harder to automate. An earlier attempt to integrate stepwise development in Event-B with model checking in Uppaal is given in [10] where the events are grouped into more coarse grained processes with timing properties. We aim to provide a framework where the timing refinements can be addressed by reusing the model constructs of Event-B introduced in the course of data refinement steps. That provides opportunity to verify data refinement steps also from the timing feasibility point of view. # 3 Case-Study: Safety Related Controller Design The CCD methodology introduced above will be deployed on an industrial redundant safety controller design case study by Danfoss A/S. The case study concerns an emergency shutdown module for a frequency converter that is used to control the speed of an electrical motor. An emergency switch and a safe field bus are used to activate the safety functions. The emergency shutdown module provides two safety functions, the Safe Torque Off (STO) and the Safe Stop 1 (SS1). In this paper we focus on the activation of the safety functions through the emergency switch only. The safety functions are activated if at least one of the two emergency switches (ES) is pushed. STO will remove the torque on the electrical motor. If SS1 is configured active, on activation of SS1 a timer with a configurable delay shall be started and the frequency converter is requested to start a non-safe ramp down. After the timer expires, STO shall be activated. In addition to these functional requirements we need to take into account timing requirements. Specifically, the reaction time from user terminal (pushing of ES) to active STO or active SS1 shall be less than 10 ms. STO or SS1 shall not be activated if the duration of the ES signal is shorter than or equal to 3 ms. The deployment of our CCD methodology starts with a specification which captures an abstract description of the behaviour of the whole system. Stepwise refinements should introduce the algorithms needed for the implementable system to behave according to the specification. The abstract specification and refinements should be done in such a manner that we can prove all (safety and liveness) properties stated in the requirements as invariant properties or refinements. Because of the space limit, in this paper we will present only one refinement step introducing the needed redundancy. The safety integrity requirements of this safety critical system require the safety controller to be mapped onto a redundant architecture (see 1002 architecture of IEC 61508-6 [9]). Before we proceed with the actual modelling of the emergency shutdown module we first present in the next section preliminaries of Event-B and UPTA as well as the mapping between the two formalisms. #### 4 Preliminaries #### 4.1 Preliminaries of Event-B Consider an Event-B model M with variables v, invariant I(v) and events $\mathcal{E}_1, \ldots, \mathcal{E}_m$ . All events can be written in the form $$\mathcal{E}_i = when G_i(v) then v : |S_i(v, v')| end$$ where $G_i(v)$ is a predicate called the guard and $v:|S_i(v,v')$ is a statement that describes a nondeterministic relationship between variable valuations before and after executing the event. Event-B models do not have a fixed semantics [1], but correctness of a model is defined by a set of proof obligations. We can use these proof obligations to prove correctness of many transition systems. In order to guarantee that $\mathcal{E}_i$ preserves invariant I(v) we need to show that [1]: $$-I(v) \wedge G_i(v) \wedge S_i(v,v') \Rightarrow I(v') \text{ (INV)}.$$ <sup>&</sup>lt;sup>1</sup> The domain restriction operator $\lhd$ is defined as: $g \lhd s = \{\sigma \mapsto \sigma' \in s | \sigma \in g\}$ . #### 4.2 Preliminaries of UPTA An UPTA is given as the tuple $(L, E, V, Cl, Init, Inv, T_L)$ , where L is a finite set of locations, E is the set of edges defined by $E \subseteq L \times G(Cl, V) \times Sync \times Act \times L$ , where G(Cl, V) is the set of constraints allowed in guards. Sync is a set of synchronisation actions over channels. An action send over a channel h is denoted by h! and its co-action receive is denoted by h?. Act is a set of sequences of assignment actions with integer and boolean expressions as well as with clock resets. V denotes the set of integer and boolean variables. Cl denotes the set of real-valued clocks $(Cl \cap V = \emptyset)$ . $Init \subseteq Act$ is a set of assignments that assigns the initial values to variables and clocks. $Inv : L \to I(Cl, V)$ is a function that assigns an invariant to each location, I(Cl, V) is the set of invariants over clocks Cl and variables V. $T_L : L \to \{ordinary, urgent, committed\}$ is the function that assigns the type to each location of the automaton. We introduce the semantics of UPTA as defined in [2]. A clock valuation is a function $val_{cl}: Cl \to \mathbb{R}_{\geq 0}$ from the set of clocks to the non-negative reals. A variable valuation is a function $val_v: V \to \mathbb{Z} \cup BOOL$ from the set of variables to integers and booleans. Let $\mathbb{R}^{Cl}$ and $(\mathbb{Z} \cup BOOL)^V$ be the sets of all clock and variable valuations, respectively. The semantics of an UPTA is defined as an LTS $(\Sigma, init, \to)$ , where $\Sigma \subseteq L \times \mathbb{R}^{Cl} \times (\mathbb{Z} \cup BOOL)^V$ is the set of states, the initial state init = Init(cl, v) for all $cl \in Cl$ and for all $v \in V$ , with cl = 0, and $cl \in L \times \mathbb{R}^{Cl} \mathbb{R}$ $$(l, val_{cl}, val_v) \xrightarrow{\underline{d}} (l, val_{cl} + \underline{d}, val_v)$$ if $\forall \underline{d}' : 0 \leq \underline{d}' \leq \underline{d} \Rightarrow val_{cl} + \underline{d}' \models Inv(l)$ , and $(l, val_{cl}, val_v) \xrightarrow{\underline{act}} (l', val'_{cl}, val'_v)$ if $\exists \underline{e} = (l, act, G(cl, v), r, l') \in E$ s.t. $val_{cl}, val_v \models G(cl, v), val'_{cl} = [re \mapsto 0]val_{cl}$ , and $val'_{cl}, val'_v \models Inv(l')$ , where for delay $\mathbf{d} \in \mathbb{R}_{\geq 0}$ , $val_{cl} + \mathbf{d}$ maps each clock cl in Cl to the value $val_{cl} + \mathbf{d}$ , and $[re \mapsto 0]val_{cl}$ denotes the clock valuation which maps (resets) each clock in re to 0 and agrees with $val_{cl}$ over $Cl \setminus re$ . We have now obtained the correspondence between Event-B and UPTA models through their semantics definition as LTS. ## 4.3 Mapping from Event-B Models to UPTA The goal in this paper is to extend the Event-B based stepwise CCD to timed systems. In the subsequent description of CCD model transformations the following notions are used: - $-\mathcal{R}^{\mathcal{T}}$ Refinement transformation of type $\mathcal{T} \in \{\sqsubseteq_{evt}, \sqsubseteq_{e}, \sqsubseteq_{l}\}$ , where $\sqsubseteq_{evt}$ stands for *event* refinement, $\sqsubseteq_{e}$ and $\sqsubseteq_{l}$ stand for *edge* and *location* refinement respectively (elaborated in Section 5). - $-M_{i}^{\bar{\mathsf{T}}}$ Model of type T resulting in $i^{th}$ refinement step, where T is given as $\mathsf{T} \in \{{}^{B},{}^{EFSM},{}^{UPTA}\}.$ - $M_0^{\mathrm{T}}$ The initial specification of type T. - $\mathsf{T}^{kl}: M^{\mathsf{T}_k} \mapsto M^{\mathsf{T}_l}$ Syntactic map of model $M^{\mathsf{T}_k}$ to $M^{\mathsf{T}_l}$ , where $\mathsf{T}_k$ , $\mathsf{T}_l \in \{{}^B, {}^{EFSM}, {}^{UPTA}\}$ and $\mathsf{T}_k \neq \mathsf{T}_l$ . - $-dom(\mathcal{R}^{\mathcal{T}}, M_i^{\mathsf{T}})$ domain of the refinement $\mathcal{R}^{\mathcal{T}}$ in the model $M_i^{\mathsf{T}}$ (Note that $dom(\mathcal{R}^{\mathcal{T}}, M_i^{\mathsf{T}}) = \emptyset$ , if $\mathcal{R}^{\mathcal{T}}$ is not defined in $M_i^{\mathsf{T}}$ ). - $-ran(\mathcal{R}^{\mathcal{T}}, M_i^{\mathsf{T}})$ co-domain of the refinement $\mathcal{R}^{\mathcal{T}}$ in the model $M_i^{\mathsf{T}}$ . Let us now state some properties of the transformations: - For any $M_i^{\mathsf{T}_l} = ran(\mathcal{R}^{\mathcal{T}}, M_i^{\mathsf{T}_k}) \Rightarrow \mathsf{T}_k = \mathsf{T}_l \ (\mathcal{R} \text{ is conservative regarding the}$ type of argument model) – Submodel: $M_j^{\mathbb{T}_i} \subseteq M_i^{\mathbb{T}_i}$ iff $\forall el \in M_j^{\mathbb{T}_i} \Rightarrow el \in M_i^{\mathbb{T}_i}$ - $\ M_j^{\mathsf{T}} = dom(\mathcal{R}^{\mathcal{T}}, M_i^{\mathsf{T}}) \Rightarrow M_j^{\mathsf{T}} \subseteq M_i^{\mathsf{T}}, \text{ where } dom(\mathcal{R}^{\mathcal{T}}, M_i^{\mathsf{T}}) \text{ is submodel of } M_i^{\mathsf{T}}, \\ \text{and } M_k^{\mathsf{T}_i} \text{ is model complement of } M_j^{\mathsf{T}_i} \text{ in } M_i^{\mathsf{T}_i} : M_i^{\mathsf{T}_i} \setminus M_j^{\mathsf{T}_i} = \{el \mid el \in \mathcal{T}, \mathcal{T}_i \in \mathcal{T}_i \}$ $M_i^{\mathsf{T}_i}, \ el \notin M^{\mathsf{T}_j}, \ M_i^{\mathsf{T}_i} \}$ - $-M_i^{\mathsf{T}_i}|M_j^{\mathsf{T}_j}$ projection of the model $M_i^{\mathsf{T}_i}$ on the model $M_i^{\mathsf{T}_j}$ Due to the fact that $M^B \mapsto M^{UPTA}$ mappings depicted in Fig. 1 preserve locality of $M^B$ changes introduced by refinements, only those model fragments that are introduced by Event-B refinements need to be mapped to the corresponding UPTA fragments. The rest of the refined UPTA model remains same. The Event-B to UPTA mapping proceeds in following steps: **Step 1:** The Event-B model $M^B$ is transformed to a flat Extended Finite State Machine (EFSM) model $M^{EFSM}$ that serves as an UPTA skeleton to be decorated in the next step with UPTA specific timing attributes. The step can be implemented in two sub-steps: Step 1.1: The Event-B specification is transformed to a Hierarchical Abstract State Transition Machine (HASTM) representation by the algorithm described in [5]. HASTM is a subclass of UML state charts without AND-parallelism. Step 1.2: The HASTM representation is flattened by means of the algorithm introduced in [6]. The transformation result is an EFSM model $M^{EFSM}$ with operational semantics that is equivalent to the one of the original Event-B model $M^B$ . Thus, the proposed $M^B \mapsto M^{EFSM}$ transformation implements a total injective syntactic map. The derivation of a partially defined (i.e., without timing) UPTA model $M^{UPTA\#}$ from the $M^{EFSM}$ is straightforward: Let a EFSM model $M^{EFSM} = (\Sigma, T, V, s_0)$ , be a syntactic representation of the LTS of the Event-B model $M^B$ , where $\Sigma$ is a finite set of states, V is a finite set of variables, V may include distinguished subsets I and O - of inputs and outputs respectively, T is the set of transitions, and $s_0$ is the initial state. Let $M^{UPTA\#} = (L^\#, E^\#, V, \emptyset, l_0)$ be an UPTA model without the elements of timing specification, i.e., $L^{\#}$ is a set of locations without clock invariants and committed or urgent types, $E^{\#}$ is a set of edges without clock resets and clock conditions in the edge guards. Then we can establish the correspondence between the elements of $M^{EFSM}$ and $M^{UPTA\#}$ as follows. $L^{\#} = \Sigma$ , $E^{\#} = T$ , V is the set of variables of the Event-B model $M^B$ (as well as of $M^{EFSM}$ due to **Step 1.2**), $l_0 = s_0$ . Step 2: In this step the partially defined UPTA model $M^{UPTA\#}$ is extended to full UPTA model $M^{UPTA}$ . The timing constraints to be added to the newly introduced by Event-B refinement $M^{UPTA\#}$ fragment, $M_i^{UPTA\#} = \mathsf{T}^{B,UPTA\#}$ $[ran(\mathcal{R}^T,\ M_{i-1}^B)]$ , have to satisfy also the timing constraints of the resultant model $M_{i-1}^{UPTA}$ of the previous timing refinement step. Thus, the arguments of the timing refinement operator $\mathcal{R}_i^T$ to be applied in $i^{th}$ step are untimed $M_i^{UPTA\#}$ and the timing constraints of $dom(\mathcal{R}^T,\ M_{i-1}^B) |\ M_{i-1}^{UPTA})$ . The rest of the timing specification $M_i^{UPTA}$ i.e., the parts that do not concern the $i^{th}$ refinement step remain the same as in $M_{i-1}^{UPTA}$ . The formal definition of UPTA timing refinement and its correctness properties are defined in section 5.1. ## 4.4 Abstract Event-B and UPTA Specifications of Safety Controller We can now proceed with the formal modelling of the shutdown module exemplifying the mapping from Event-B to UPTA proposed in the previous subsection. We start the modelling by defining only three externally observable variables, namely ES, STO and SS1, in the abstract Event-B model. The abstract Event-B specification $M_0^B$ named Safe is presented in Fig. 2a. We have a configuration parameter defined in SafeCTX named $ss1\_status$ which can be set either to active or nonactive. If $ss1\_status$ is set to active then activation of STO should occur after the delay when SS1 is activated. All the variables of this abstract model are of the boolean type BOOL. Value TRUE corresponds to STO or SS1 being active and value FALSE corresponds to STO or SS1 being nonactive. At initialisation STO is active. Event ES ReleasedReact2 takes care of reseting STO. Events ES Pushed and ES Released separately model the physical act of pushing and releasing ES and they can be considered as input events from the environment to the system. Events ES React1 and ES React2 model the eventual reaction of the system to the pushing of ES; ES React1 corresponds to the case when ss1 status=active and ES React2 corresponds to the case when ss1 status=nonactive. Similarly, we distinguish between these two cases for the reaction of the system to the release of ES with events ES ReleasedReact1 and ES ReleasedReact2. Already at this abstraction level we need to consider the redundancy of the system. Thus, these events are non-deterministic because both redundant systems need to first react to the pushing of ES and then they can be disabled. Moreover, the redundant STO outputs are disabled asynchronously. The last event SS1 DelayReact models the activation of STO after the timer triggered by the activation of SS1 has expired. For the same reasons as above this event is non-deterministic too at this point. The initial model describes the desired functionality of the system in such a manner that is easy to get an overview of the intended behaviour. Let us now introduce the corresponding UPTA abstract specification resulting from $M_0^B$ Safe incorporating the timing requirements. We map the events of $M_0^B$ Safe to edges of $M_0^{UPTA}$ that is defined as parallel composition of automata Safe and Environment. The parallel composition of automata is needed to avoid explicit modelling of system and environment events' interleaving. Similarly, interleaving of system and environment events is implicit in Event-B. Events $ES\_Pushed$ and $ES\_Released$ of $M_0^B$ Safe are modelled in automaton $M_0^{UPTA}$ Environment illustrated in Fig. 2c and all other events of $M_0^B$ Safe in ``` MACHINE Safe SEES SafeCTX VARIABLES ES, STO, SS1 INVARIANT inv1: STO ∈ BOOL ∧ inv2: SS1 ∈ BOOL ∧ inv3: ES ∈ 0··1 FVFNTS Init = BEGIN ES := 0 || STO := TRUE || SS1 := FALSE END ES_Pushed = WHEN ES = 0 THEN ES := 1 END ES_Released = WHEN ES = 1 THEN ES := 0 END ES_React1 = WHEN ss1_status = active \land ES = 1 THEN SS1 := TRUE END ES_React2 = WHEN ss1_status = nonactive A ES = 1 THEN STO := TRUE END ES_ReleasedReact1 = WHEN ES = 0 ∧ SS1 = TRUE THEN SS1 :∈ BOOL END ES_ReleasedReact2 = WHEN ES = 0 ∧ STO = TRUE THEN STO : € BOOL END SS1 DelayReact = WHEN SS1 = TRUE THEN STO := TRUE || SS1 :∈ BOOL END (ES ReleasedReact2) (a) ES==0 && STO (ES React1) && cl==Tick ES && ss1 status sto: BOOL1 && cl_ES >= 3 STO=sto, cl=0 && cl ES <= 4 L1 cl==Tick && ch3! ch1! cl<=SS1_delay cl ES<3 SS1=1, cl=0 ES==0 cl==SS1 delay cl=0 cl<=Tick ch1! ES=1. cl=0 ES==0 cl ES=0 ch1r! && SS1 ES_Released chE! /ch2! ES_Pushed SS1 && cl==Tick ES && ss1: BOOL1 ss1: BOOL1 ss1 status==0 STO = 1. cl_ES<=max_push_time SS1 = ss1, ES==1 && && cl_ES >= 3 SS1 = ss1 cl=0 && cl_ES <= 4 cl ES >= min push time (SS1 DelayReact) (ES_ReleasedReact1) STO = 1, cl=0 ES=0, (ES React2) cl_ES=0 (b) (c) ``` **Fig. 2.** (a) Event-B model $M_0^B$ Safe, (b) UPTA model $M_0^{UPTA}$ Safe and (c) UPTA model $M_0^{UPTA}$ Environment automaton $M_0^{UPTA}$ Safe illustrated in Fig. 2b. Since the only causally dependent event pair in $M_0^B$ is $ES\_React1$ and $SS1\_DelayReact$ their sequencing is mapped in $M_0^{UPTA}$ to the pair of edges connected via location L1. Second reason for L1 is to model $SS1\_delay$ . L2 is introduced for technical reasons to limit the number of channels per edge in UPTA. In fact, channels depicted in Fig. 2b and 2c are obsolete for $M_0^{UPTA}$ , they are shown only because of specifying synchronization constraints with the edges of refined model $M_1^{UPTA}$ in Fig. 4b and 4c respectively. $cl \leq SS1\_delay$ of location L1 and clock guard $cl == SS1\_delay$ of edge outgoing L1 model the SS1 delay. # 5 Proving Refinement of Timed Systems We now have an interpretation of Event-B models as UPTA. The goal is to ensure correctness of the abstract model and its refinements. Let us first introduce the refinement definition for timed systems presented by Lynch and Vaandrager [12]. We adapt this definition in order to correspond to the UPTA semantics of section 4.2. Let $cl_c$ and $cl_a$ be the concrete and abstract clocks of refinement and specification model N and M respectively. **Definition 1.** A specification M is refined by a specification N, written $M \subseteq N$ , iff there exists a binary relation $R \subseteq \Sigma^N \times \Sigma^M$ such that for each pair of states $(n, m) \in R$ we have: 1. whenever $$n_{(l_{ref},val_{cl_c},val_w)} \xrightarrow{act^N} n'_{(l'_{ref},val'_{cl_c},val'_w)}$$ for some $n' \in \Sigma^N$ then $m_{(l_{abs},val_{cl_a},val_v)} \xrightarrow{act^M} m'_{(l'_{abs},val'_{cl_c},val'_v)}$ and $(n',m') \in \mathbb{R}$ for some $m' \in \Sigma^M$ 2. whenever $$n_{(l_{ref},val_{cl_c},val_w)} \xrightarrow{\mathbf{d}^N} n'_{(l_{ref},val_{cl_c}+\mathbf{d},val_w)}$$ for $\mathbf{d} \in \mathbb{R}_{\geq 0}$ then $m_{(l_{abs},val_{cl_a},val_v)} \xrightarrow{\mathbf{d}^M} m'_{(l_{abs},val_{cl_a}+\mathbf{d},val_v)}$ and $(n',m') \in \mathbb{R}$ for some $m' \in \Sigma^M$ Let us introduce the original Event-B proof obligations that are considered in this paper and needed to be discharged in order to ensure correctness of refinements. Let M and N be Event-B models, where $M \sqsubseteq N$ with refinement transformation $\mathcal{R}^{\mathcal{T}}$ of type $\mathcal{T} \in \{\sqsubseteq_{evt}\}$ , where $\sqsubseteq_{evt}$ stands for event refinement. Let w be the concrete variables of model N and J(v,w) be the concrete invariant stating properties on variables w and the gluing invariant between the abstract and concrete state space. For a concrete transition r of model N with guards H(w) and before-after predicate R(w,w') refining the abstract transition e defined in section 4.1 the following proof obligations [1] need to be discharged: $$-I(v) \wedge J(v,w) \wedge H(w) \Rightarrow G(v) \text{ (GRD)},$$ - $I(v) \wedge J(v,w) \wedge H(w) \wedge R(w,w') \Rightarrow \exists v'. S(v,v') \wedge J(v',w') \text{ (INV-SIM)},$ where obligation GRD states the guard strengthening of event e by event r, obligation INV-SIM states the preservation of the invariant after updates on variables v and w and the simulation of the abstract event e by the concrete event r. It is easy to see that condition 1 of Definition 1 can be checked by the Event-B proof obligations given above [1]. Since the UPTA models are constructed from the Event-B models we need to extend the original refinement proof obligations GRD and INV-SIM to also check the timing obligations of all conditions of Let $J_t(cl_a, cl_c)$ be the concrete invariant stating properties on abstract and concrete clocks $cl_a$ and $cl_c$ in a timed system. Based on the untimed Event-B proof obligations given above we propose the following proof obligations elaborated with timing conditions for a concrete event r of model N with guards Definition 1. H(w) and $H_t(cl_c)$ , before-after predicate S(w, w') and clocks reset on $cl_c$ refining the abstract event e defined in section 4.1: $$-I(v) \wedge J(v, w) \wedge I_t(cl_a) \wedge J_t(cl_a, cl_c) \wedge H(w) \wedge H_t(cl_c) \Rightarrow G(v) \wedge G_t(cl_a)$$ (GRD+), $$\begin{array}{l} -\ I(v) \wedge J(v,w) \wedge H(w) \wedge R(w,w') \wedge I_t(cl_a) \wedge J_t(cl_a,cl_c) \wedge H_t(cl_c) \wedge cl_c' = \\ 0 \Rightarrow \exists v',cl_a' \cdot S(v,v') \wedge J(v',w') \wedge cl_a' = 0 \wedge J_t(cl_a',cl_c') \ (\text{INV-SIM}+). \end{array}$$ Note that if there are no clock resets on the event the clock reset updates are omitted. Let us elaborate more on obligation GRD+. Invariant $J_t(cl_a, cl_c)$ can be defined as: $$-J_t(cl_a, cl_c) = J1_t(cl_a, cl_c) \wedge J2_t(cl_c),$$ where $J1_t$ is the gluing invariant expressing that (i) resets of $cl_a$ and $cl_c$ are synchronous when entering source locations pre(e) and pre(r) of events e and r, respectively, and (ii) $J_t(cl_c) \wedge H_t(cl_c) \Rightarrow I_t(cl_a) \wedge G_t(cl_a)$ . $J2_t$ is the invariant of the source location of r. The proposed INV-SIM+ proof obligation can be decomposed by logic rules to two substatements (for each pair of concrete and abstract clocks $cl_c$ and $cl_a$ ): $$-I(v) \wedge J(v,w) \wedge H(w) \wedge R(w,w') \Rightarrow \exists v' \cdot S(v,v') \wedge J(v',w'), -I_t(cl_a) \wedge J_t(cl_a,cl_c) \wedge H_t(cl_c) \Rightarrow J_t(0,0).$$ The first condition corresponds to the original proof obligation within Event-B, while the second condition is the correctness condition for resetting of clocks. The general functional and timing statements introduced in this subsection are instantiated by UPTA syntax related refinement conditions introduced in the next subsection. ## 5.1 Superposition Refinement of UPTA To check the timing refinement conditions in UPTA, we use an approach where the abstract UPTA model is composed in parallel with models that describe the refined parts of the abstract model. Thus, the refinements are added to the abstract model incrementally in the course of design development process and to support compositional solving of model checking tasks. For composition the refinements have a wrapping construct "context frame" that allows their uniform and easy injection into the abstract model. To keep the clear correspondence between syntactic units of the abstract model and refinement we define the refinement transformations syntactic element wise, i.e., by locations and edges of UPTA calling them *location* and *edge* refinements respectively. Also, the course of refinement is made explicit in the model by introducing each refinement step as an increment to the resultant model of the previous refinement. It means that without changing the semantics of the abstract model we add the refinement of its syntactic element el as new automaton $M^{el}$ that is composed with the original model M. For composition we use synchronized parallel composition $||_{sync}$ , i.e. $M \sqsubseteq M ||_{sync} M^{el}$ . Synchronization of M and $M^{el}$ is needed to preserve the contract of el with its context after refinement. Technically, it means decorating the primary automaton M with auxiliary channel labels to synchronize the entry and leave points to/from the element el of M. For further elaboration of the technique, we define location refinement $(\sqsubseteq_l)$ and edge refinement $(\sqsubseteq_e)$ relations separately. Notice that the event (guard and update) refinement introduced in Event-B [1] can be considered as special case of edge refinement where the guards of edges are strengthened and new updates are added respectively in the refining model $M^e$ consisting of exactly one edge. Edge Refinement. We say that a synchronous parallel composition of automata M and $M^{e_i}$ is an edge refinement for edge $e_i$ of M, $(M \sqsubseteq_e M \parallel M^{e_i})$ iff: $$e_i \in E(M)$$ , and there exists $M^{e_i}$ such that $P_1 \wedge P_2 \wedge P_3 \wedge P_4$ , where $P_1(interference\ free\ new\ updates)$ : No variable of M is updated in $M^{e_i}$ , i.e. no variable of M occurs in the left-hand side of any update in $M^{e_i}$ . - $P_2(guard\ splitting)$ : Let $< l_0',\ l_F'>$ denote a set of all feasible paths from the initial location $l_0'$ to final location $l_F'$ in $M^{\mathbf{e}_i}$ and $< l_0',\ l_F'>_k \in < l_0',\ l_F'>$ be $k^{th}$ path in that set. Then, - $\forall k \in [1, | < l'_0, l'_F > |]. \land_{j \in [1, Length(k)]} G(e'_j) \Rightarrow G(e_i),$ i.e., the conjunction of edge guards of any path in $< l_0'$ , $l_F' >$ is not weaker than the guard of the edge $\mathbf{e}_i$ refined. - $$P_3(0$$ -duration unwinding): $\forall l_i' \in (L_{M^{\mathbf{e}_i}} \setminus l_0')$ . $\mathrm{T}(l_i') = committed$ , i.e., all edges in the refinement $M^{e_i}$ must be atomic and locations committed. $$- \ P_{4}(\textit{non-divergency}) \colon G(\mathbf{e}_{i}) \Rightarrow M^{\mathbf{e}}, \ l_{0}^{'} \models \mathbf{A} \lozenge l_{F}^{'},$$ i.e., validity of $G(e_i)$ implies the existence of a feasible path in $M^{e_i}$ . The context frame needed to implement the edge refinement is depicted in Fig. 3a. It includes auxiliary locations $l_0^{'}$ and $l_F^{'}$ . Location Refinement. We say that a synchronous parallel composition of automata M and $M^{l_i}$ is a location refinement for location $l_i$ of M, $(M \sqsubseteq_l M \parallel M^{l_i})$ iff $l_i \in L_M$ , and exists $M^{l_i}$ s.t. $P_1^{'} \wedge P_5 \wedge P_4^{'}$ , where: - $-P_1^{'}(interference\ free\ new\ updates\ -same\ as\ P_1\ above).$ - $P_5(preservation of non-blocking invariant)$ : - $\bullet \ [(M \parallel M^{l_i}), \, (l_0, \, l_0^{'}) \models \mathsf{E} \lozenge \, \mathit{deadlock}] \Rightarrow [M, \, l_0 \models \mathsf{E} \lozenge \, \mathit{deadlock}].$ - $-P_4'(non-divergency)$ : - $inv(l_i) \equiv x \leq \mathtt{d} \text{ for } x \in Cl_M, \ \mathtt{d} < \infty \Rightarrow [M^{l_i}, \ l_0^{'} \models l_0^{'} \leadsto_{\mathtt{d}} l_F^{'}],$ where " $\leadsto_{\mathbf{d}}$ " denotes bounded reachability operator with non-negative integer time bound, $Cl_M$ is the set of clocks of M, locations $l_0'$ and $l_F'$ denote respectively auxiliary pre- and post-locations in the context frame of the refinement. $P_5$ and $P_4'$ are specified as Uppaal model checking queries expressed in TCTL. "deadlock" denotes a standard predicate in Uppaal about the existence of deadlocks in the model. $P_4'$ requires that the invariant of $l_i$ is not violated due to accumulated delays of $M^{l_i}$ runs. A graphical representation of the model fragment that schematically represents location refinement is depicted in Fig. 3b. The auxiliary context frame of $\sqsubseteq_l$ consists of the following elements (denoted by dashed line in Fig. 3b): - Synchronizing channel ch is needed to synchronize the executions of entering to and departing from location $l_i$ transitions with those entering and departing to and from refining model $M^{l_i}$ . - Auxiliary initial location $l'_0$ and final location $l'_F$ of $M^{l_i}$ are introduced to model waiting before the synchronization via channel ch arrives and after the execution of $M^{l_i}$ terminates. Location refinement can be applied when the refinement $M^{l_i}$ specifies non-instantaneous time bounded behaviours that are represented in abstract model as location $l_i$ . **Fig. 3.** (a) A fragment of the primary model M and refinement $M^{\mathbf{e}_i}$ of edge $\mathbf{e}_i$ . (b) A fragment of the abstract model M with location $l_i$ and its refinement $M^{l_i}$ . # 5.2 Event-B and UPTA Refinement of Safety Controller Let us now exemplify the refinement theory proposed above by performing a refinement on the abstract safety controller specification. The Event-B refinement presented in this subsection introduces the required redundancy for the system. The excerpt of the Event-B refined model $M_1^B$ Safe1 is presented in Fig. 4a. Each (redundant) variable becomes a function from the set of CPUs (including two instances, cpu1 and cpu2) to some boolean value. The new set is specified in a refined context. The refined variables are named $ES_Redundant$ , $STO_Redundant$ and $SS1_Redundant$ . **Fig. 4.** (a) Event-B refinement $M_1^B Safe1$ , (b) UPTA refinement $M_1^{UPTA} Safe1$ and (c) UPTA model $M_0^{UPTA} Environment$ Some gluing invariants are required to relate the abstract state with the more concrete state. Considering the deactivation and activation of STO, we need two different invariants. If STO is deactivated, then none of the redundant outputs are activated (inv4 in Fig. 4a). If STO is activated, then at least one of the redundant outputs is activated (inv5 in Fig. 4a). The reason for such invariants is that it is enough for only one of the redundant inputs and outputs to work in order for the system to be safe. Similar pairwise gluing invariants exist for the other two redundant variables. Let us focus on some of the refined events. Event $ES\_Pushed$ is refined as follows in order to model the redundant pushing of ES. Either ES can activate its corresponding safety function. The refined events $ES\_React1$ and $ES\_React2$ model the reaction of each CPU to its corresponding ES. The refinement of the previously non-deterministic events $ES\_ReleasedReact1$ and $ES\_ReleasedReact2$ takes into account the redundant CPUs. In order to allow reseting of an activated redundant safety function it is required that both redundant ES are released (handled by event $ES\_Released$ ). This can handle failure of an ES which would cause the deactivation of its corresponding safety function. Since only new variables and their updates are introduced by Event-B refinement $\mathcal{R}^{\sqsubseteq_{evt}}: M_0^B \to M_1^B$ the mapping $\mathsf{T}^{B,UPTA\#}: M_1^B \mapsto M_1^{UPTA\#}$ copies the control structure of model $M_0^{UPTA\#}$ by introducing two structurally identical parallel instances $M_1^{UPTA(0)}$ and $M_1^{UPTA(1)}$ to model the redundancy. Note that both instances need their own context frame. Technically, copying the control structure of $M_0^{UPTA}$ in $M_1^{UPTA}$ can be considered as an aggregate model resulting from refinement steps of all edges with simple variable renaming. Since the timing of $M_1^{UPTA}$ does not differ from that of $M_0^{UPTA}$ the edge $Idle\ time\ pass$ and location L2 of type committed added to $M_0^{UPTA\#}$ when specifying timing, do not need duplication. The edge refinement preserves the timing behaviour of $M_0^{UPTA}$ by construction. Regardless the aggregation of several parallel refining models $M_1^{UPTA(i)}$ into one in Fig. 4b, the synchronization defined by $\mathcal{R}^{\sqsubseteq_0}$ needs to be preserved between the edges of $M_0^{UPTA}$ and their refinements in $M_1^{UPTA}$ . The correctness of $\mathcal{R}^{(\sqsubseteq_0)}$ : $M_0^{UPTA} \to M_1^{UPTA}$ follows trivially from the The correctness of $\mathcal{R}^{(\sqsubseteq_0)}: M_0^{UPTA} \to M_1^{UPTA}$ follows trivially from the proof obligations of the definition of edge refinement given in Section 5.1. Both the consistency of abstract timing specification of $M_0^{UPTA}$ and the correctness of timing refinement are verified by means of the Uppaal model checker. The proof obligations of this refinement are expressed in TCTL (query language of Uppaal). For instance, the reaction time requirement in $M_0^{UPTA}$ is expressed as bounded (with time bound t) liveness property $\varphi \to_{\leq t} \psi$ . The query: $$- (ES \&\& cl\_ES \ge 3) \rightarrow ((STO \ or \ SS1) \&\& \ gclock \le 10)$$ is satisfied for $M_1^{UPTA}$ if and only if after starting pushing ES longer than 3 time units the state where STO or SS1 is active is reached always within 10 time units. After timing refinement (in our example applying edge refinement as described above) one needs to model check the properties $P_2$ and $P_4$ . For $P_2$ it suffices from checking implication between guards of refined and abstract model edges. Checking $P_4$ reduces to checking the queries of form $A \lozenge post(r)$ where post(r) denotes the post location of edge r in refined model $M_1^{UPTA}$ . Properties $P_1$ and $P_3$ are subject to simple syntactic checks. #### 6 Conclusion and Future Work We propose a correct-by-construction design workflow where model-based design transformations combine alternating data and timing constraints refinement steps. The goal is to benefit from mutually complementing formalisms Event-B and Uppaal automata and related verification techniques. For bridging the data and timing refinement steps the Event-B to UPTA map and its timing refinement transformations have been defined. That allows to verify the data refinement correctness also from its timing feasibility point of view. The approach is demonstrated on a fragment of an industrial case study of a safety critical system. The approach does not guarantee the fully incremental design flow, backtracking is needed when there is no feasible timing refinement possible for a given data refinement result. The design backtracking and error diagnostics are not addressed in the current paper. Also the automation of the proposed design transformations remain for future work. **Acknowledgement.** This work has been partially funded by RECOMP project within the ARTEMIS joint undertaking (Grant agreement no. 100202). We would also like to thank the reviewers for their useful comments. #### References - Abrial, J.-R.: Modeling in Event-B: System and Software Engineering. Cambridge University Press (2010) - Behrmann, G., David, A., Larsen, K.G.: A Tutorial on UPPAAL. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer, Heidelberg (2004) - 3. Bouyer, P., Laroussinie, F., Reynier, P.-A.: Diagonal Constraints in Timed Automata: Forward Analysis of Timed Systems. In: Pettersson, P., Yi, W. (eds.) FORMATS 2005. LNCS, vol. 3829, pp. 112–126. Springer, Heidelberg (2005) - Cansell, D., Méry, D., Rehm, J.: Time Constraint Patterns for Event B Development. In: Julliand, J., Kouchnarenko, O. (eds.) B 2007. LNCS, vol. 4355, pp. 140–154. Springer, Heidelberg (2006) - Chaudhari, D.L., Damani, O.P.: Generating hierarchical state based representation from Event-B models. In: Proceedings of the B 2011 Workshop. ENTCS, vol. 280 (2011) - 6. Chimisliu, V., Wotawa, F.: Abstracting timing information in UML state charts via temporal ordering and LOTOS. In: AST 2011, pp. 8–14. ACM (2011) - David, A., Larsen, K.G., Legay, A., Nyman, U., Wasowski, A.: Timed I/O Automata: A complete specification theory for real-time systems. In: HSCC 2010. ACM (2011) - 8. Dierks, H., Kupferschmid, S., Larsen, K.G.: Automatic Abstraction Refinement for Timed Automata. In: Raskin, J.-F., Thiagarajan, P.S. (eds.) FORMATS 2007. LNCS, vol. 4763, pp. 114–129. Springer, Heidelberg (2007) - International Electrotechnical Commission (IEC). IEC 61508-6: Functional safety of electrical/electronic/programmable electronic safety-related systems, 2nd edn. (2010) - Iliasov, A., Laibinis, L., Troubitsyna, E., Romanovsky, A., Latvala, T.: Augmenting Event-B modelling with real-time verification. Technical Report 1006, TUCS (2011) - Lamport, L.: Real-Time Model Checking Is Really Simple. In: Borrione, D., Paul, W. (eds.) CHARME 2005. LNCS, vol. 3725, pp. 162–175. Springer, Heidelberg (2005) - 12. Lynch, N., Vaandrager, F.: Forward and backward simulations Part II: Timing-Based systems. Information and Computation 128 (1995) - Sarshogh, M.R., Butler, M.: Specification and refinement of discrete timing properties in Event-B. Technical report, Electronic and Computer Science, University of Southampton (2011)