Proof Obligations. For a combination of a flow and machine we would like to be able to demonstrate that the flow is consistent or concrete (the latter requires the former). The general strategy is split an overall proof into a collection of simpler conditions. For flow consistency, a suitable way to do this is to analyse each instance of sequential composition individually as suggested by the condition of Theorem 1 (see Definition 6 for operator cons). For an instance of a sequential composition, from Definition 5 we have the following feasibility condition for a composed event. I(v) ∧ G(p, v) ▶ ∃v' · (S(p, v, v'); (∃q · H(q, v) ∧ R(q, v, v'))) ▶ ∃ · ∧ ∃ · ∧ ' v1 (S(p, v, v1) q H(q, v1) R(q, v1, v ))) The condition is far too complex in the current form. A more compact one could be found. Let us first assume that the composed events are feasible on their own. This gives the following two axioms. axm1 : I(v) ∧ G(p, v) ▶ ∃v' · S(p, v, v') ∧ ▶ ∃ · ' ' axm2 : I(v) H(q, v) v R(q, v, v ) Applying axiom axm1, the feasibility condition for a composed event is sim- plified to the following: I(v) ∧ G(p, v) ∧ S(p, v, v1) ▶ ∃ q · H(q, v1) ∧ R(q, v1, v') With the help of the second axiom we are able to remove R(q, v1, v′) clause from the goal: ∧ ∧ ▶ ∃ · I(v) G(p, v) S(p, v, v1) q H(q, v1) Finally, extending the above with the consideration of model constants and sets, the following proof obligation is formulated. P (c, s) ∧ I(c, s, v) ∧ G(c, s, pe, v) ∧ S(c, s, pe, v, v') ▶ H(c, s, q, v) Here G and S are the guard and before-after predicate (actions) of what is possibly a result of merging several model events. The proof obligation demon- strates that an event characterised by G and S is able to pass control to another (possibly merged) event with guard H for any possible state permitted by G. The axioms we have rely upon are sound since they are a part of model consistency proof obligations that are to be discharge for every Event-B model[3]. With a similar procedure we are able to find a practical form of a proof obli- gation for demonstrating that a flow is concrete. The following proof obligation requires that for a given instance p; q of a sequential composition the choice branches in q, if there any, are mutually exclusive. P (c, s) ∧ I(c, s, v) ∧ G(c, s, p, v) ∧ S(c, s, p, v, v') ▶ {s,t}∈EN(q)∧s/=t ¬(Hs(c, s, qs, v') ∧ Ht(c, s, qt, v')) Here Hs and Ht are the guards of possibly merged events. The goal in this proof obligation may become lengthy in some extreme case when there is a...
Proof Obligations. For a combination of a flow and machine we would like to be able to demonstrate that the flow is consistent or concrete (the latter requires the former). The general strategy is split an overall proof into a collection of simpler conditions. For flow consistency, a suitable way to do this is to analyse each instance of sequential composition individually as suggested by the condition of Theorem 1 (see Definition 6 for oper- ator cons). For an instance of a sequential composition, from Definition 5 we have the following feasibility condition for a composed event. A ▶ I(v) G(p, v) I · I · A ▶ vr (S(p, v, vr); ( q H(q, v) R(q, v, vr))) I · A I · A v1 (S(p, v, v1) q H(q, v1) R(q, v1, vr))) The condition is far too complex in the current form. A more compact one could be found. Let us first assume that the composed events are feasible on their own. This gives the following two axioms. A ▶ I · axm1 : I(v) G(p, v) vr S(p, v, vr) A ▶ I · axm2 : I(v) H(q, v) vr R(q, v, vr) Applying axiom axm1, the feasibility condition for a composed event is simplified to the following: I(v) AG(p, v) AS(p, v, v1) ▶ I q · H(q, v1) AR(q, v1, vr) With the help of the second axiom we are able to remove R(q, v1, vr) clause from the goal: I(v) AG(p, v) AS(p, v, v1) ▶ I q · H(q, v1) Finally, extending the above with the consideration of model constants and sets, the follow- ing proof obligation is formulated. P(c, s) AI(c, s, v) AG(c, s, pe, v) AS(c, s, pe, v, vr) ▶ H(c, s, q, v) Here G and S are the guard and before-after predicate (actions) of what is possibly a result of merging several model events. The proof obligation demonstrates that an event characterised by G and S is able to pass control to another (possibly merged) event with guard H for any possible state permitted by G. The axioms we have rely upon are sound since they are a part of model consistency proof obligations that are to be discharge for every Event-B model[3]. With a similar procedure we are able to find a practical form of a proof obligation for demon- strating that a flow is concrete. The following proof obligation requires that for a given instance p; q of a sequential composition the choice branches in q, if there any, are mutually exclusive. V r r(H (c s q v ) H (c s q v )) P(c, s) AI(c, s, v) AG(c, s, p, v) AS(c, s, p, v, vr) ▶ {s,t}∈EN(q)As/=t ч s , , s, A t , , t , Here Hs and Ht are the guards of possibly merged events. The goal in this proof obligation may become lengthy in some extreme case when there i...
Proof Obligations. In the second application (start/stop system) we started not with a requirement set, we developed the needed requirements by ourselves. We did not produce a comparable chart to the one for the cruise control system. In the second pilot we were more interested in gathering evidence that the proof obligations, which arise using Event-B, are manageable.
Proof Obligations. Compatible Parallel Composition From components with verified contract compliance, we now compose systems and provide safety guarantees about them, without redoing system proofs. For L
