Formal Aspects of Computing

, Volume 24, Issue 4–6, pp 555–567 | Cite as

External and internal choice with event groups in Event-B

  • Michael Butler
Original Article


Abrial’s Event-B formalism for refinement-based system development is influenced by Back’s action system approach. Morgan has defined a CSP-like failures-divergence semantics for action systems that distinguishes internal and external choice of actions. Morgan’s semantics has the characteristic that the choice between enabled actions is external while internal choice is represented less directly through nondeterministic effect of actions. Practical experience with Event-B has demonstrated the need to be able to represent both internal and external choice between enabled events more explicitly. In this paper, Morgan’s failures semantics for action systems is modified to allow both internal and external choice to be represented directly. This is achieved by grouping events so that external choice is between event groups and internal choice is within event groups. This leads to a refinement rule for preservation of choice between event groups while allowing for reduction of choice within event groups. We also provide a refinement rule for splitting event groups in order to increase external choice. The refinement rules are justified in terms of failures refinement.


Event Group Proof Obligation Proof Rule Weak Precondition Predicate Transformer 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. ABH+10.
    Abrial J-R, Butler M, Hallerstede S, Hoang TS, Mehta F, Voisin L (2010) Rodin: an open toolset for modelling and reasoning in Event-B. STTT 12(6): 447–466CrossRefGoogle Scholar
  2. Abr10.
    Abrial J-R (2010) Modeling in Event-B: system and software engineering. Cambridge University Press, CambridgezbMATHGoogle Scholar
  3. Bac90.
    Back R-JR (1990) Refinement calculus II: parallel and reactive systems. In: Bakker JW, de Roever WP, Rozenberg G (eds) Stepwise refinement of distributed systems, volume LNCS 430.. Springer, New YorkGoogle Scholar
  4. BB09.
    Ball E, Butler M (2009) Event-B patterns for specifying fault-tolerance in multi-agent interaction. In: Methods, models and tools for fault tolerance, volume 5454 of LNCS. Springer, pp 104–129Google Scholar
  5. But92.
    Butler M (1992) A CSP approach to action systems. D.Phil. Thesis, Programming Research Group, Oxford UniversityGoogle Scholar
  6. BvW94.
    Back R-JR, von Wright J (1994) Trace refinement of action systems. In: CONCUR, volume 836 of LNCS. Springer, pp 367–384Google Scholar
  7. BvW00.
    Back R-JR, von Wright J (2000) Contracts, games, and refinement. Inf Comput 156(1–2): 25–45zbMATHCrossRefGoogle Scholar
  8. BY08.
    Butler M, Yadav D (2008) An incremental development of the Mondex system in Event-B. Formal Asp Comput 20(1): 61–77CrossRefGoogle Scholar
  9. DB09.
    Damchoom K, Butler M (2009) Applying event and machine decomposition to a flash-based filestore in Event-B. In SBMF 2009, volume 5902. Springer, LNCS, pp 134–152Google Scholar
  10. FRB11.
    Fathabadi AS, Rezazadeh A, Butler M (2011) Applying atomicity and model decomposition to a space craft system in Event-B. In: NASA formal methods, volume 6617 of LNCS. Springer, pp 328–342Google Scholar
  11. GM91.
    Gardiner PHB, Morgan CC (1991) Data refinement of predicate transformers. Theor Comput Sci 87: 143–162MathSciNetzbMATHCrossRefGoogle Scholar
  12. Hal11.
    Hallerstede S (2011) On the purpose of Event-B proof obligations. Formal Asp Comput 23(1): 133–150MathSciNetzbMATHCrossRefGoogle Scholar
  13. He89.
    He J (1989) Process refinement. In: McDermid J (ed) The theory and practice of refinement. ButterworthsGoogle Scholar
  14. Hoa85.
    Hoare CAR (1985) Communicating sequential processes. Prentice–HallGoogle Scholar
  15. Jos88.
    Josephs MB (1988) A state-based approach to communicating sequential processes. Distrib Comput 3: 9–18zbMATHCrossRefGoogle Scholar
  16. Mor89.
    Morris JM (1989) Laws of data refinement. Acta Inform. 26: 287–308MathSciNetzbMATHGoogle Scholar
  17. Mor90.
    Morgan CC (1990) Of wp and CSP. In: Feijen WHJ, van Gasteren AJM, Gries D, Misra J (eds) Beauty is our business: a birthday salute to Edsger W. Dijkstra. SpringerGoogle Scholar
  18. SB11.
    Sarshogh MR, Butler M (2011) Specification and refinement of discrete timing properties in Event-B. In: AVoCS 2011Google Scholar
  19. STW11.
    Schneider S, Treharne H, Wehrheim H (2011) A CSP account of Event-B refinement. In: Refine, volume 55 of EPTCS, pp 139–154Google Scholar
  20. von94.
    von Wright J (1994) The lattice of data refinement. Acta Inform. 31(2): 105–135MathSciNetzbMATHCrossRefGoogle Scholar
  21. YB06.
    Woodcock JCP, Morgan CC (1990) Refinement of state-based concurrent systems. In: Bjørner D, Hoare CAR, Langmaack H (eds) VDM ’90, volume LNCS 428, SpringerGoogle Scholar
  22. 22.
    Yadav D, Butler M (2006) Rigorous design of fault-tolerant transactions for replicated database systems using Event B. In: RODIN book, volume 4157 of LNCS. Springer, pp 343–363Google Scholar

Copyright information

© British Computer Society 2012

Authors and Affiliations

  1. 1.Electronics and Computer ScienceUniversity of SouthamptonSouthamptonUK

Personalised recommendations