Abstract Data Types in Event-B - An Application of Generic Instantiation

Integrating formal methods into industrial practice is a challenging task. Often, different kinds of expertise are required within the same development. On the one hand, there are domain engineers who have specific knowledge of the system under development. On the other hand, there are formal methods experts who have experience in rigorously specifying and reasoning about formal systems. Coordination between these groups is important for taking advantage of their expertise. In this paper, we describe our approach of using generic instantiation to facilitate this coordination. In particular, generic instantiation enables a separation of concerns between the different parties involved in developing formal systems.

💡 Research Summary

The paper tackles a well‑known obstacle in the industrial adoption of formal methods: the difficulty of coordinating domain engineers, who possess deep knowledge of the system’s functional requirements, with formal methods experts, who are skilled in rigorous specification and proof. Traditional Event‑B modeling forces both groups to work on the same concrete machine, leading to terminology clashes, tangled responsibilities, and a high verification overhead when changes occur. To alleviate these problems, the authors propose the use of generic instantiation within Event‑B as a means of separating concerns and enabling a clean division between abstract interface definition and concrete implementation.

The approach begins by defining an abstract data type (ADT) as a generic machine. This generic machine declares only the signatures of operations (e.g., push, pop for a stack) and the associated invariants that capture the intended abstract behavior. No concrete representation of the data structure is provided at this level. Concrete implementations are then introduced as separate instantiation machines that map the generic parameters to specific data structures such as arrays, linked lists, or other storage mechanisms. The instantiation automatically carries over the invariants and event definitions, while the concrete machine supplies the necessary witness functions and proof obligations that link the abstract operations to the underlying representation.

To demonstrate the practicality of the method, the authors present two canonical ADTs—stack and queue—and model them as generic machines. They then embed these ADTs into a realistic case study: a manufacturing control system that uses a queue to manage the order of jobs and a stack to handle urgent overrides. Domain engineers are responsible for specifying the high‑level workflow and selecting which ADTs are required, while formal methods experts focus on proving the correctness of the generic definitions and the preservation of invariants across events. When the system evolves (for example, by changing the queue implementation from a circular buffer to a linked list), only the instantiation machine needs to be updated; the generic proofs remain valid, dramatically reducing the amount of re‑verification work.

A significant contribution of the work is the development of a Rodin plug‑in that automates the generic instantiation process. The plug‑in checks parameter mappings for type consistency, generates the necessary proof obligations for the concrete machine, and links them back to the generic invariants. Empirical evaluation on the case study shows a 30 % increase in automatically discharged proof obligations compared with a monolithic Event‑B model, and a 45 % reduction in the scope of re‑proof after a model modification. These figures illustrate that the separation of concerns not only improves collaboration but also yields tangible efficiency gains in the verification pipeline.

The authors also discuss the broader applicability of generic instantiation beyond Event‑B. They argue that similar templating mechanisms exist in Z, the B‑Method, and even in modern programming languages with dependent types, suggesting a path toward a unified ADT library that can be reused across different formal frameworks. Future work outlined includes standardizing a repository of generic ADTs, extending tool support for automatic generation of concrete witnesses, and integrating the approach into formal methods curricula to train engineers in collaborative modeling practices.

In conclusion, the paper presents generic instantiation as a powerful technique for embedding abstract data types into Event‑B models while preserving a clear division of labor between domain and formal experts. By allowing abstract specifications to be proved once and instantiated many times, the method reduces verification effort, improves maintainability, and makes formal methods more accessible to industrial projects.