Perspicuity and Granularity in Refinement
This paper reconsiders refinements which introduce actions on the concrete level which were not present at the abstract level. It draws a distinction between concrete actions which are "perspicuous" at the abstract level, and changes of granularity of actions between different levels of abstraction. The main contribution of this paper is in exploring the relation between these different methods of "action refinement", and the basic refinement relation that is used. In particular, it shows how the "refining skip" method is incompatible with failures-based refinement relations, and consequently some decisions in designing Event-B refinement are entangled.
Authors: Eerke Boiten (School of Computing, University of Kent, Canterbury, Kent, CT2 7NF, UK; E.A.Boiten@kent.ac.uk)
J. Derrick, E.A. Boiten, S. Reeves (Eds.): Refinement Workshop 2011. EPTCS 55, 2011, pp. 155–165, doi:10.4204/EPTCS.55.10
Keywords: Refinement, action refinement, stuttering steps, ASM, Event-B, Z, internal operations, weak refinement, granularity, perspicuity, divergence.

1 Introduction

This paper discusses how different ways of introducing "extra" actions in refinement (such as weak refinement, action refinement, stuttering steps) relate to the underlying refinement relations used (e.g. trace refinement, failures refinement). In particular, we aim to show how the choices in those two dimensions are interdependent. The paper is not intended to be polemic ("my formalism/refinement relation is better than yours") nor is it really meant to be a first introduction to the topic. Where it appears to state the obvious, this is in an attempt to ensure that commonalities, differences, and design decisions in refinement relations are exhibited in an unambiguous and uncontroversial way. Before describing the issues in detail, we consider an example.
The example is presented in Z, but the notation used is not essential to what follows in this paper. In general, most of what is described in this paper could be expressed in ASM [18], (Event-)B [1], Z [19], binary relations [11], UTP [15] or many other state-based formalisms; for the moment we make no assumptions about what refinement relation is "in force". This example is due to Carroll Morgan, who presented it during an enlightening conversation at the 2009 Dagstuhl seminar "Refinement Based Methods for the Construction of Dependable Systems". The abstract specification is essentially a priority queue, stored as a bag, so taking out an element involves selecting the minimum of the bag. Obvious specifications of functions min on bags and (later) sorted on sequences are omitted. The schema AS describes system states, AInit initial states, and the schemas Ain and Aout the operations of adding and removing an element. The precondition $b \neq [\![\,]\!]$ is included explicitly in Aout, in recognition of it having to be an explicit guard in alternative notations such as Event-B.

\[ AS \mathrel{\widehat=} [\, b : \mathrm{bag}\,\mathbb{N} \,] \]
\[ AInit \mathrel{\widehat=} [\, AS' \mid b' = [\![\,]\!] \,] \]
\[ Ain \mathrel{\widehat=} [\, \Delta AS;\ x? : \mathbb{N} \mid b' = b \uplus [\![\, x? \,]\!] \,] \]
\[ Aout \mathrel{\widehat=} [\, \Delta AS;\ x! : \mathbb{N} \mid b \neq [\![\,]\!] \wedge b = b' \uplus [\![\, x! \,]\!] \wedge x! = \min(b) \,] \]

The concrete specification uses a sequence to represent the queue. Removing an element is only possible when the sequence is non-empty and sorted, in which case the element to be removed is at the head of the sequence. The schema Sort describes the sorting of the sequence. The schema Cycle is mostly a red herring (footnote 1) and not part of Morgan's original example.

\[ CS \mathrel{\widehat=} [\, s : \mathrm{seq}\,\mathbb{N} \,] \]
\[ CInit \mathrel{\widehat=} [\, CS' \mid s' = \langle\rangle \,] \]
\[ Cin \mathrel{\widehat=} [\, \Delta CS;\ x? : \mathbb{N} \mid s' = s \frown \langle x? \rangle \,] \]
\[ Sort \mathrel{\widehat=} [\, \Delta CS \mid \mathrm{items}\,s = \mathrm{items}\,s' \wedge \mathrm{sorted}(s') \,] \]
\[ Cout \mathrel{\widehat=} [\, \Delta CS;\ x! : \mathbb{N} \mid s \neq \langle\rangle \wedge \mathrm{sorted}(s) \wedge s = \langle x! \rangle \frown s' \,] \]
\[ Cycle \mathrel{\widehat=} [\, \Delta CS \mid (s = \langle\rangle \wedge s' = \langle\rangle) \vee s' = (\mathrm{tail}\,s) \frown \langle \mathrm{head}\,s \rangle \,] \]

Footnote 1: One might use it to represent the non-determinism in a distributed implementation where individual clients have no control over the access pointer in a cyclical list, ... maybe.

This paper discusses the many ways in which one may consider the concrete specification to refine the abstract one, possibly after a slight modification, or possibly not at all, depending on the notions of refinement and action refinement employed. Before we move on to that level of complication, consider the composed schema $SortOut == Sort \mathbin{{}_9^\circ} Cout$, whose meaning is given by

\[ SortOut \mathrel{\widehat=} [\, \Delta CS;\ x! : \mathbb{N} \mid s \neq \langle\rangle \wedge \exists s'' : \mathrm{seq}\,\mathbb{N} \bullet \mathrm{items}\,s = \mathrm{items}\,s'' \wedge \mathrm{sorted}(s'') \wedge s'' = \langle x! \rangle \frown s' \,] \]

Then, uncontroversially, in most sensible refinement relations, the operation Aout is refined by SortOut (or more precisely: the data type (AS, AInit, Ain, Aout) is refined by (CS, CInit, Cin, SortOut)) under the retrieve relation b = items s. In fact, this is normally an equivalence: refinement also holds in the reverse direction (footnote 2).

The rest of this paper is structured as follows. In Section 2 we describe different basic refinement notions. Then in Section 3 we discuss the various methods in which "extra" operations may appear in refinement steps. In Section 4 we compare how these methods can be used to model the decomposition of actions into smaller grained ones, and how this impacts on the various basic refinement notions. Finally, Section 5 presents some conclusions.

2 Basic Notions of Refinement

We have given detailed fully formal descriptions and comparisons of the different basic notions of refinement for state-based and concurrent systems in many previous papers, e.g. [6, 11, 5].
Rather than repeating this and thereby fixing a formalism or even introducing a new one, we remain informal here, using various formalisms and their refinement notions as illustrations. In basic data refinement, systems (or machines or abstract data types) are compared which have identical alphabets (or sets of labels of operations (or actions or events)). Apart from conditions on initial and possibly final states, and other details which depend on what observations can be made of these systems, operations are compared in pairs of an abstract and a concrete operation, with refinement conditions being some subset of the following properties:

(1) Consistency: The effect of the concrete operation is one that is allowed by the abstract operation.
(2) Enabledness: When operations can be invoked in the abstract state, they can be invoked in the concrete state as well.
(3) Restricted consistency: In states where the abstract operation is enabled, the effect of the concrete operation is one that is allowed by the abstract operation.

Property (1) or its weaker variant (3) represents the essence of refinement: that a client would be unable to observe conclusively that they are using the concrete rather than the abstract system. Property (2) ensures that the client is indeed able to perform the same "experiments" on both systems. Property (1) obviously implies (3), and also a converse of (2): where concrete operations are enabled (leading to an "effect"), their abstract counterparts should be enabled, too (in order to allow comparison of effects). The properties leave out detail about what an effect is, are purposefully vague on "can be invoked" in (2) to allow a variety of interpretations, and leave any linking between abstract and concrete states implicit. They are also somewhat biased towards downward simulation. A few examples should make all this clearer.
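The following is an added worked example, not code from the paper: it checks properties (1), (2) and (3) mechanically, under downward simulation with the retrieve relation b = items s, for the operations of Morgan's running example, and also decides the divergence of the candidate perspicuous operations Sort and Cycle discussed in Section 3.2 below. It assumes a constructed finite domain (elements from {1, 2, 3}, sequences of length at most 3) and models every operation as a relation from a state to a set of (output, after-state) pairs; the guarded version of Sort with the extra guard ¬sorted(s) from Section 3.2 is included as well.

```python
from itertools import product

# Constructed finite domain (an assumption of this example, not the paper):
# elements 1..3 and sequences of length at most 3.
ELEMS = (1, 2, 3)
MAXLEN = 3

# Concrete states CS: all sequences over ELEMS up to MAXLEN (as tuples).
CSTATES = [s for n in range(MAXLEN + 1) for s in product(ELEMS, repeat=n)]

def items(s):
    """items: seq -> bag; a bag is represented canonically as a sorted tuple."""
    return tuple(sorted(s))

# Abstract states AS: every bag that is items of some concrete sequence.
ASTATES = sorted({items(s) for s in CSTATES})

def retrieve(b, s):
    """The paper's retrieve relation R:  b = items s."""
    return b == items(s)

def is_sorted(s):
    return list(s) == sorted(s)

# Operations are relations: state -> set of (output, after_state); output is
# None for operations without one.  An empty set means "not enabled".
def a_skip(b):
    """The abstract identity operation (skip)."""
    return {(None, b)}

def a_out(b):
    """Aout: guard b != [[ ]]; output the minimum and remove one copy of it."""
    if not b:
        return set()
    return {(b[0], b[1:])}          # b is sorted, so b[0] = min(b)

def c_out(s):
    """Cout: enabled only on a non-empty sorted sequence; removes the head."""
    if s and is_sorted(s):
        return {(s[0], s[1:])}
    return set()

def c_sort(s):
    """Sort: always enabled; the after-state is the sorted permutation of s."""
    return {(None, items(s))}

def c_sort_guarded(s):
    """Sort with the extra guard 'not sorted(s)' from Section 3.2."""
    return set() if is_sorted(s) else {(None, items(s))}

def c_cycle(s):
    """Cycle: rotate the head to the back; identity on the empty sequence."""
    return {(None, s)} if not s else {(None, s[1:] + (s[0],))}

def compose(op1, op2):
    """Sequential composition op1 ;9 op2, for an output-free op1."""
    def op(s):
        return {(out, s2) for (_, s1) in op1(s) for (out, s2) in op2(s1)}
    return op

sort_out = compose(c_sort, c_out)   # SortOut == Sort ;9 Cout

def check(aop, cop):
    """Properties (1) consistency, (2) enabledness, (3) restricted consistency
    of the concrete cop against the abstract aop, quantified over all pairs
    of states linked by the retrieve relation.  pre(op, st) is op(st) != {}."""
    def matched(b, s):
        # every concrete effect is allowed by aop: some abstract effect has
        # the same output and an after-state linked to the concrete one
        return all(any(oc == oa and retrieve(b2, s2) for (oa, b2) in aop(b))
                   for (oc, s2) in cop(s))
    linked = [(b, s) for b in ASTATES for s in CSTATES if retrieve(b, s)]
    return {
        1: all(matched(b, s) for b, s in linked),
        2: all(bool(cop(s)) for b, s in linked if aop(b)),
        3: all(matched(b, s) for b, s in linked if aop(b)),
    }

def divergent(ops):
    """A collection of perspicuous operations is divergent if, from some
    state, its members can be invoked infinitely often in succession; in a
    finite state space that is exactly a cycle in their transition graph."""
    succ = {s: {s2 for op in ops for (_, s2) in op(s)} for s in CSTATES}
    colour = {}                     # absent = unvisited, 1 = on stack, 2 = done
    def dfs(s):
        colour[s] = 1
        for t in succ[s]:
            if colour.get(t) == 1 or (t not in colour and dfs(t)):
                return True
        colour[s] = 2
        return False
    return any(s not in colour and dfs(s) for s in CSTATES)

if __name__ == "__main__":
    for name, a, c in [("Aout vs Cout", a_out, c_out), ("Aout vs SortOut", a_out, sort_out),
                       ("skip vs Sort", a_skip, c_sort), ("skip vs guarded Sort", a_skip, c_sort_guarded)]:
        print(name, check(a, c))      # Cout and guarded Sort fail property (2) only
    print("divergent Sort/guarded Sort/Cycle:", [divergent([op]) for op in (c_sort, c_sort_guarded, c_cycle)])
```

Cout fails (2) because an unsorted concrete sequence is linked to a non-empty bag in which Aout is applicable; guarded Sort fails (2) against skip for the same reason (guard strengthening), while unguarded Sort and Cycle satisfy all three properties but are divergent.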
The refinement relations described below will be referred to in later sections.

Traditional (downward simulation) Z refinement [19, 11] is characterised by properties (2) and (3), with "can be invoked" in a state computed as individual operations' preconditions, i.e. whether their defining predicates can be satisfied for some after-state. Condition (2) is called "applicability" and typically formulated as
\[ \mathrm{pre}\,AOp \wedge R \Rightarrow \mathrm{pre}\,COp \]
where $\mathrm{pre}\,AOp == \exists AS' \bullet AOp$ denotes the computed precondition. Condition (3) is called "correctness", and typically formulated as
\[ \mathrm{pre}\,AOp \wedge R \wedge COp \Rightarrow \exists AS' \bullet R' \wedge AOp \]
We have sometimes called this refinement relation the "contract" model of refinement as it constrains the implementation only within the original precondition.

Footnote 2: A refinement linking Ain to $Cin \mathbin{{}_9^\circ} Sort$ instead is equally possible but would require strengthening the concrete state invariant to sorted sequences; $Cin \mathbin{{}_9^\circ} Sort$ then simplifies to the insert operation of insertion sort.

Trace refinement is characterised by (1) only, only requiring that anything that does happen in the concrete specification is consistent with the abstract one. As such, it represents preservation of safety properties only, "nothing bad happens". No concrete operations being enabled at all, for example, is an acceptable trace refinement.

Basic Event-B refinement (called simple refinement in [1, Ch. 14]) is characterised by (1), with (optionally) a weak alternative to (2): if the concrete state deadlocks (i.e. no events are enabled), then so should the abstract state. Enabledness of events is given by explicitly specified guards, with a "feasibility" proof obligation ensuring that they are at least as strong as any computed precondition. Abrial [1, p. 429] states that condition (2) could be imposed, but "this happens to be sometimes too strong". (We will return to this.)
Failures-based variants of refinement are characterised by (1) and (2), where (2) considers individual operations for "blocking Z refinement" and singleton failures refinement, or sets of concurrently enabled operations for failures refinement as in CSP. We refer to [6, 17, 5] for detailed discussion of these refinement relations and the finer distinctions between them, which are not relevant in the current paper.

Note that a refinement relation characterised by property (3) without property (2) is nonsensical as it is not transitive: preconditions or guards can be strengthened (lack of (2)) and then weakened (by (3)), but the composition of such steps does not respect (3).

3 Adding Operations in Refinement

The basic refinement rules described above deal only with the situation where the abstract and concrete specifications have the same alphabet of operations. There are many ways in which one could allow a refined specification to have "extra" operations – we discuss a number of them. First, we mention alphabet extension and alphabet translation [11, Ch. 14] for completeness. Then, we get to the core of this paper: stuttering steps, the introduction of internal operations, and action refinement, and how these sometimes get conflated.

3.1 Alphabet Extension and Translation

The simplest way of allowing new operations in refinement is alphabet extension: to just accept them without any further constraints. If we make the intuitive step of identifying a non-existent operation with one that is never enabled, alphabet extension should be perfectly acceptable in traditional Z refinement: it means we allow implementors to provide functionality that we had not asked for.
In a process algebra context alphabet extension is typically not allowed, and indeed that would make sense in our intuitive view: it would go against refinement property (1), by having no matching abstract behaviour for some concrete behaviour.

In alphabet translation, a single abstract operation is implemented by multiple concrete ones, which requires an explicit mapping, recording for every concrete operation which abstract operation it represents, and thus which operation's behaviour it needs to correspond with. (If this mapping is not required to be total, alphabet extension is subsumed.) A typical example for this would be an abstract two-dimensional grid specification with a "move" operation, which is refined into "moveNorth", "moveEast", etc. Alphabet translation is allowed in Event-B, where it is called "splitting" an abstract event. The semantic property established in alphabet translation is: every concrete trace (with its corresponding observations) is consistent with an abstract trace that relates to it by the given mapping (applied elementwise) with its corresponding observations.

3.2 Perspicuous Operations

State-based systems potentially change state when operations are executed. When no operation is invoked, the state does not normally change. Some formalisms take this into account by including explicitly so-called stuttering steps in their semantics: steps where the state does not change between two observations, due to no event having taken place. In the light of that, it is intuitively obvious to accept the introduction of additional concrete events as refinements of the identity operation (a.k.a. skip) on the abstract state. We will call these perspicuous concrete events, to be distinguished from "internal events" (see below) which incur additional assumptions and requirements.
In particular, in subsequent refinement steps, perspicuous operations do not have a different status from operations that were present earlier. Abrial [1] presents a similar motivation for the introduction of new events in Event-B, analogous to how this is done in action systems [3], and refers to it as "observing our discrete system in the refinement with a finer grain than in the abstraction". Event-B is explicit about the introduction of such events as being refinements of modelling: introducing not just aspects of a solution, but more detail of the model. Indeed, where refinement is viewed as only moving from a complete description of a problem to its solution, the introduction of perspicuous operations which achieve nothing in the abstract world can hardly be useful by itself (footnote 3). Both action systems and Event-B include a relative deadlock freedom condition with this kind of refinement: the new system should deadlock (i.e., terminate, in the action systems view) no more often than the old one. The semantic relation established by this kind of generalised refinement is: for every concrete trace with its corresponding observations, an abstract trace constructed by crossing out all perspicuous actions is consistent with it.

In the running example, under most refinement relations and with the obvious retrieve relation items s = b, both concrete operations Sort and Cycle are candidate perspicuous operations, as they satisfy items s = items s' and thus relate identical abstract states. They are both applicable in every concrete state and thus are refinements of an abstract skip even when property (2) is imposed.

For perspicuous operations, the notion of divergence comes into the picture. A collection of perspicuous operations is divergent if infinitely often in succession, from some state, one of its members can be invoked.
In a trace-based view, where perspicuous operations could be inserted at arbitrary points between "normal" operations, non-divergence is necessary to ensure that a finite trace cannot get extended into an infinite one by that process. This is how Abrial [1] explains it (footnote 4). With additional assumptions, such as that a system might perform perspicuous operations independently, divergence becomes a practical as well as a theoretical problem. Butler [9] explains the non-divergence requirement in Event-B by saying "The new events introduced in a refinement step can be viewed as hidden events not visible to the environment of a system and are thus outside the control of the environment" which would suggest these are not just perspicuous events, but even internal events as we will discuss next. In action systems [3], which are viewed as a main inspiration for Event-B, all actions could be considered to be internal (even if the variables they modify are not), which conforms more with Abrial's explanation than with Butler's (footnote 5). A typical method of proving non-divergence is by establishing a variant (well-founded, strictly decreasing function) on newly introduced (collections of) perspicuous operations [8, 12, 1]. If refinement is based on property (1) rather than property (3), i.e., an action cannot gain behaviour in refinement, then non-divergence is preserved by subsequent refinement steps.

Footnote 3: This is not intended to be a controversial statement or implicit criticism on Event-B: the crux is in the phrase by itself, and this should become clearer later when we compare the different ways of encoding action refinement.

Footnote 4: His use of the term "reachable" is a bit unfortunate, though – this tends to be an existential property (some path is finite) rather than the universal (all paths are finite) property required.
In the example, both perspicuous operations are divergent. This is obvious from the fact that they are enabled in every concrete state. Sort allows an infinite sequence of invocations of which only the first does not necessarily correspond to a concrete skip. For formalisms that use infinite traces and allow stuttering steps, such as TLA, this may not be a problem. Removing divergence on each of the operations can be done using several possible small modifications. The divergence problem for Sort could be fixed by including a guard $\neg\,\mathrm{sorted}(s)$, but this makes it a refinement of skip only if property (2) is not imposed and guards can be strengthened. Another way would be to add a flag that ensures Sort is invoked exactly once after every occurrence of Cin or Cycle (possibly also preventing the next Cin until after sorting). A counter could be used to remove divergence in Cycle, with each of the other operations (excluding Sort) setting the counter to fix the maximal number of occurrences of Cycle to follow it, and Cycle decrementing it at every step until it is 0. None of those modifications would retain the property that Sort or Cycle refines skip if the prevalent refinement relation respects (2).

3.3 Internal Operations

An internal operation is a perspicuous operation with a special status: it is assumed to be invisible to the environment, and under internal control of the system only. In process algebras, internal operations naturally occur in a number of ways. In CSP [14] they arise from channels being hidden, for example encapsulating an internal communication channel when considering a system of communicating subsystems. They may also be used, for example in LOTOS [7], to encode internal choice when only external choice is available as a basic operator.
Butler first considered the introduction of internal events in B refinement [8], and based on this approach we introduced "weak refinement" for Z [12, 10], which was analysed and compared to ASM refinement in detail by Schellhorn [18]. The requirements imposed in this context are inspired by how process algebras deal with internal actions, for example in defining "weak" bisimulation: where standard refinement conditions refer to a single action, their "weak" equivalents consider the same action possibly prefixed and postfixed by occurrences of internal actions. Thus, the refinement consistency property, e.g., will state that for every concrete action, with internal concrete behaviour before and after, its effect is consistent with the abstract action, possibly also pre- and postfixed with (abstract) internal behaviour. E.g. in [12] the restricted consistency (correctness) condition for weak refinement in Z (downward simulation) is phrased as
\[ \mathrm{pre}(Int_A \mathbin{{}_9^\circ} AOp) \wedge R \wedge (Int_C \mathbin{{}_9^\circ} COp \mathbin{{}_9^\circ} Int_C) \Rightarrow \exists AS' \bullet R' \wedge (Int_A \mathbin{{}_9^\circ} AOp \mathbin{{}_9^\circ} Int_A) \]
where $Int_C$ is arbitrary internal behaviour in the concrete state, i.e. the transitive reflexive closure of the union of internal operations, and similar for $Int_A$.

Footnote 5: Note however that Abrial [1] does recognise (on page 414) a different class of operation that "is not part of the protocol: it corresponds to a "daemon" acting ...".

Taking this process algebra inspired approach has a few consequences:

• internal actions have a special status which goes beyond the refinement step where they are introduced. They can not only be introduced this way, but must also be taken into consideration or can even be removed in subsequent refinement steps.
• there is an assumption that if internal actions are necessary for progress, they will "eventually" happen, so external operations are viewed as "enabled" if their before-state is reachable through internal behaviour; in timed process algebras in particular, internal actions are often taken as "urgent" meaning they happen as soon as they are enabled.
• there need not be independent refinement conditions for internal operations: all internal behaviour is viewed in the context of its composition with external behaviour. Thus, internal operations need not be refinements of skip. Of course, all internal operations being perspicuous, with external operations corresponding as normal, is one way of satisfying the refinement conditions like the one above, but it is not the only way. In fact, in some refinement relations, it may not be a viable way, see below.

The approaches for B and Z mentioned above only included prevention of divergence in weak refinement steps. A more general approach, also consistent with the process algebraic view, is to preserve or reduce any divergence that was already present in the abstract specification. This is worked out in detail in [6], and the impact of differing notions of "livelock" or divergence is discussed in [4]. The semantic relation established in this case is roughly that for every concrete trace, an abstract trace exists that is consistent with it, with both traces' subsequences of external actions being identical (footnote 6).

3.4 Action Refinement

Alphabet translation described above allows for arbitrary matchings of an occurrence of an abstract action with the occurrence of a single concrete action. The most explicit way of changing the granularity of actions is to allow for matchings between sequences of abstract and concrete actions. This has been called "action refinement" [2] or "non-atomic refinement" [10].
In its most general (footnote 7) form, action refinement corresponds to ASM 1-to-n diagrams with n possibly greater than 1 [18], generalising the normal commuting simulation diagram to one where the concrete effect is achieved in n steps, without requiring a relation between abstract and intermediate concrete states. In this view, all concrete operations resulting from the decomposition are of the same status, with only their order having an impact on refinement conditions. This is also the view we took in defining non-atomic refinement for Z [10], work which was continued by Derrick and Wehrheim [13]. This kind of action refinement is even possible without changing the state space involved. It requires an explicit matching between abstract actions and concrete action sequences, which also extends to traces. The semantic relation aimed for is that concrete traces are consistent with abstract traces under this extended matching relation. The concrete and the abstract models end up having different interfaces with this approach – this may be exactly what is required, though. For example, [11, Ch. 13] has an example of a watch which in the abstract model has a ResetTime operation, which in the concrete model is represented by a series of executions of ButtonA and ButtonB operations.

Considering for simplicity now only the case that n = 2, the refinement requirements are like the introduction of sequential composition in refinement calculus [16]. Splitting an operation in two means finding an intermediate state (predicate) such that the first "half" lands in the intermediate state, and the second "half" moves from the intermediate to the original after-state. The problematic issue is what is or is not allowed to happen in the intermediate state. In a concurrent context, this comes under the heading of "interference" – when the first "half" of an operation has been executed, should other operations be disabled (non-interference, as e.g. discussed for action systems in [3]), or should their execution cancel out the effect of this one? This is a well-known problematic area, discussed also in [10], which we will not focus on here, as it is orthogonal to the issues discussed: when an action is split with part of it being perspicuous or internal, that also creates an intermediate state with the same potential interference problems.

Footnote 6: In fact it is a somewhat more subtle matching: non-determinism included in a single operation on one abstraction level may be represented through a different choice of sequence of internal actions on the other level, so it is really a relation between sets of abstract vs. concrete traces with the same external subsequence.

Footnote 7: Avoiding for now the generalisation to m-to-n diagrams with $m \neq 1$.

4 How to Reduce Granularity in Refinement

From the discussion above, it should be clear that there are at least three semantic models for reducing the granularity of actions in refinement:
• by introducing perspicuous actions that take on some of the "work" – possibly requiring non-divergence;
• by introducing internal actions to the same effect – either using the limited refinement rules for perspicuous actions, or by using the more general "weak refinement" rules;
• by giving explicit decompositions of actions in which all parts have the same status.

We limit ourselves for now to the case where we are decomposing an action into two actions, where the first part could be viewed as "preparatory work", and the second part as the "real work" – in other words, the situation in our example of refining Aout into Sort and Cout, where we expect Sort to be executed before Aout. However, in order to concentrate on the general situation, let us consider refining AWork into Prepare and CWork.
For the methods of reducing granularity by refining skip, we aim for Prepare to be perspicuous, and for CWork to be a refinement of AWork. Now consider an abstract state in which the operation AWork was applicable. If in every corresponding concrete state it would be possible to apply CWork, then we have a degenerate situation: we are introducing a new action Prepare whose contribution is unnecessary in all situations (i.e., it might as well be a concrete skip, too). Thus, in any relevant case of reducing granularity, CWork can be applicable in only a subset of the corresponding concrete states – namely those where Prepare has nothing (left) to do. Indeed, because Prepare is a refinement of an abstract skip, if its before-state is linked to a particular abstract state, then so should its after-state. Again in order to ensure that Prepare does something useful in some circumstances, there should be some abstract states linked to the before-states of Prepare.

This is where the prevalent notion of refinement makes a difference. If condition (2) ("enabledness") is in force, we have made it impossible for CWork to be a refinement of AWork, because CWork is only applicable in a strict subset of the corresponding concrete states. This holds a fortiori for stronger versions of condition (2) such as failures refinement.

Thus, condition (2) excludes reduction of granularity by introducing perspicuous actions. It also excludes reduction of granularity by introducing internal actions using the "perspicuous actions" conditions. However, the more general "weak refinement" rules can be used in combination with condition (2), as we have shown in [6] in a context with condition (1) in force, and in [10] with condition (3) in force.
This is explained by not being constrained to considering the concrete operation in isolation, but rather only considering it in the context of possible internal concrete behaviour.

The other way in which condition (2) is problematic for the refinements of skip is any requirement for perspicuous actions to be non-divergent. If they are refinements of skip respecting condition (2), then they are by definition applicable in all states and thus always applicable "again" and by definition divergent.

Returning to the example, ignoring Cycle for now, refinement reducing granularity is possible in several ways:
• by having Sort perspicuous, and guarded by $\neg\,\mathrm{sorted}(s)$ if it is also required to be non-divergent. This works for trace refinement (just (1)) and Event-B refinement, but not the other forms.
• by having Sort internal, provided it is guarded by $\neg\,\mathrm{sorted}(s)$. This works according to the rules for Event-B, establishing normal Event-B refinement. However, it can also work for stronger refinement relations respecting condition (2), but then the more general weak refinement rules need to be used to establish it. In particular, it would mean that Aout is compared for refinement with $Sort^{*} \mathbin{{}_9^\circ} Cout$.
• for explicit action refinement of Aout by Sort followed by Cout, there is no requirement for Sort to be guarded (compare the watch example referred to above: as conceptually the user presses ButtonB, there is no guard preventing the user from doing that infinitely often), and refinement can be any kind, including relations respecting property (2) or even (3). In fact, including a guard on Sort would disallow the combined concrete output operation on states which are already sorted, and thus be unacceptable if the refinement relation obeys property (2).

5 Conclusion

The paradox that led to the discussion with Carroll Morgan referred to earlier was the following.
If the work of one abstract operation is split between two concrete ones, and one of the concrete operations makes no progress that can be detected abstractly (footnote 8), why do we need this action at all? And if we do need it, how can the other concrete operation, achieving some but not all of the work of its abstract counterpart, be a refinement of the abstract one? The answer is hopefully somewhat clarified above. It requires a notion of refinement that allows for guards to be strengthened. The underlying issue may well have been known in "folklore" but it is not presented in any published papers we are aware of.

Coming back to Event-B specifically, two of its design decisions are thus closely entangled:
• to have essentially a trace semantics with only global deadlock prevention;
• to use stuttering step refinements for reducing granularity.

Both lead to relatively simple refinement obligations, which is attractive. In order for Event-B to strengthen refinement to preserve stronger properties such as encoded in various refusal-based semantics, it would also have to give up its simple notion of reduction of granularity. It could do this in at least two ways: either by going the way of ASM and having explicit recipes for decomposing operations with their corresponding conditions, or by going the way of process algebra, and giving certain operations explicit "internal" status which they then would need to retain subsequently. In either case, the price of gaining semantic strength is a considerable amount of complication of refinement conditions, which may be too big a price to pay, particularly for a formalism which now has so much (automated) proof tool support available. Would that be what Abrial had in mind when he wrote that (condition (2)) "happens to be sometimes too strong"?
⁸ Thus, some degree of data refinement is implied: a refinement of skip on the same state really cannot make any progress.

Postscript

Finally, returning to the running example once more, a last word on the Cycle operation. It makes no useful progress whatsoever, but the constraints put upon this completely irrelevant operation in refinement in any "stuttering steps" approach (namely: taming its divergence) have been no more and no less than on the supposedly enormously useful Sort operation. Surely that is somewhat disappointing.

Acknowledgements

To Carroll Morgan for his explanations, to Michael Butler, John Derrick, Steve Dunne and Gerhard Schellhorn for useful discussions, and to the reviewers for their comments.