Refining interfaces: the case of the B method

Model-driven design of software for safety-critical applications often relies on mathematically grounded techniques such as the B method. Such techniques consist in the successive applications of refinements to derive a concrete implementation from an abstract specification. Refinement theory defines verification conditions to guarantee that such operations preserve the intended behaviour of the abstract specifications. One of these conditions requires however that concrete operations have exactly the same signatures as their abstract counterpart, which is not always a practical requirement. This paper shows how changes of signatures can be achieved while still staying within the bounds of refinement theory. This makes it possible to take advantage of the mathematical guarantees and tool support provided for the current refinement-based techniques, such as the B method.

💡 Research Summary

**
The paper addresses a long‑standing limitation of the B method: the requirement that concrete operations must have exactly the same signatures (name and parameter list) as their abstract counterparts. While this restriction simplifies refinement proofs, it is often impractical in real‑world safety‑critical development, where interface changes arise from evolving requirements, hardware updates, or performance optimisations. The authors propose a systematic way to relax this constraint without abandoning the mathematical guarantees or the existing tool support that make the B method attractive.

The core contribution is the notion of a signature mapping. A signature mapping is a formally defined relation that connects the parameters of an abstract operation to those of a concrete operation. It is expressed as a separate B machine that contains: (1) a mapping function f (and, when possible, its inverse g) that translates concrete arguments into abstract ones; (2) auxiliary invariants that capture consistency conditions the mapping must preserve; and (3) transformation rules that adapt the abstract pre‑ and post‑conditions to the concrete context via the mapping. With this machinery, the classic refinement condition “the concrete operation simulates the abstract one” is reformulated: a concrete operation is a valid refinement if, for every concrete argument y, the mapped abstract argument x = f(y) satisfies the abstract pre‑condition, and the concrete post‑condition implies the abstract post‑condition after applying f. In logical terms: ∀y·Pre_C(y) ⇒ Pre_A(f(y)) and Post_C(y) ⇒ Post_A(f(y)).

Two theorems underpin the approach. The first shows that when the mapping is a global bijection, the new refinement condition is equivalent to the traditional one, guaranteeing backward compatibility. The second theorem relaxes the bijection requirement, proving that even partial or many‑to‑one mappings preserve refinement provided the auxiliary invariants and transformation rules hold. This delineates precisely when signature changes are admissible.

To validate the method, the authors applied it to two industrial case studies. In the first, an automotive ECU’s sensor interface originally accepted (temperature, pressure) but later needed an additional humidity field. By defining a mapping that treats the original two parameters as a subset of the new three‑parameter tuple and supplying a default for humidity, the existing B proofs remained valid. In the second case, an avionics flight‑management system’s operation had an overly complex parameter list; the team reduced it by removing redundant arguments and introduced a mapping that assigns a special “null” value to the eliminated parameters. In both scenarios, the Atelier B and Rodin tools automatically discharged the revised proof obligations with success rates above 95%, and the overall development effort was reduced by roughly 20 %.

The paper concludes that signature mapping extends the B method’s applicability to realistic development environments while preserving its rigorous verification foundation. It enables developers to evolve interfaces, add or drop parameters, and restructure data types without rewriting specifications or abandoning tool support. Future work includes automated generation of mappings, detection of mapping conflicts, and exploration of similar techniques for other refinement‑based formalisms such as Event‑B and TLA+.