Event-B in the Coq Proof Assistant

We formalize a fragment of the theory of institutions sufficient to establish basic facts about the institution EVT for Event-B, and its relationship with the institution FOPEQ for first-order predicate logic. We prove the satisfaction condition for EVT and encode the institution comorphism FOPEQ → EVT embedding FOPEQ in EVT.


Introduction
The theory of institutions [4] was introduced by Joseph Goguen and Rod Burstall to give concrete form to the informal notion of a "logical system", identifying a common structure among the many logics in regular use in computer science. A 2017 paper by Marie Farrell, Rosemary Monahan, and James Power [3] uses the theory of institutions to provide a sound mathematical semantics and modularization constructs for the industrial-strength state-based formal modelling language Event-B [1], providing interoperability with other formalisms. In related work, the Heterogeneous Tool Set (Hets) [7] makes use of institutions to provide heterogeneous specifications.
Event-B has an associated development process for system-level modelling and analysis. Key features include the use of set theory as a modelling notation, the use of refinement to represent systems at different abstraction levels and the use of mathematical proof to verify consistency between refinement levels. The primary purpose of this research is to formalize the work in [3] within the Coq proof assistant, and more generally to provide the rudiments of a Coq library for the theory of institutions.
We build on earlier work formalizing universal algebra in Agda by Emmanuel Gunther, Alejandro Gadea, and Miguel Pagano [5]. However, the purpose of this work is not to provide a comprehensive development of universal algebra; we only develop as much as we need in order to define the institutions for first-order logic and Event-B. We also depend on the development of category theory by John Wiegley at jwiegley/category-theory. While some obligations remain to be formally discharged for the institution FOPEQ for first-order predicate logic with equality, our developments for the institution EVT for Event-B are complete. We have also encoded the institution comorphism FOPEQ → EVT, which embeds the simpler FOPEQ institution into EVT, providing the underlying mathematical language for EVT. It remains, however, to prove the naturality condition in our encoding. The formalization is not axiom-free, assuming dependent function extensionality and proof irrelevance. A more careful development might use setoids (as in [2,5]), and in the future we may experiment with grounding these efforts in homotopy type theory.
Throughout this paper, we will assume some familiarity with basic category theory, as well as the first two chapters of [8].

The Institution for Event-B
An institution [4] consists of
- a category Sig of signatures (non-logical syntax);
- a sentence functor Sen : Sig → Set (logical syntax);
- a model functor Mod : Sig^op → Cat (semantics for non-logical syntax); and
- a semantic entailment relation ⊨_Σ ⊆ |Mod(Σ)| × Sen(Σ) for each Σ ∈ Sig,
such that for any signature translation σ : Σ → Σ', any sentence φ ∈ Sen(Σ), and any model M ∈ Mod(Σ'), the satisfaction condition holds:

This kind of institution is sometimes referred to as a set/cat institution, since the target of Sen is Set and the target of Mod is Cat. To avoid encoding a "category of categories" in Coq, we implement set/set institutions [6].
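As an added example, not the paper's own code, here is one way the set/set institution definition above can be written as a Coq class; the category structure on Sig and the functor laws for Sen and Mod are left out, and the field names are my own:

```coq
(* Added example (not the paper's development): a set/set institution.
   Signatures and their morphisms are given as a type family rather than
   via a category library; functor laws for Sen and Mod are omitted and
   only the satisfaction condition is recorded. *)
Class Institution := {
  Sig     : Type;
  SigMor  : Sig -> Sig -> Type;
  Sen     : Sig -> Type;                           (* sentences over Σ *)
  Sen_map : forall S1 S2, SigMor S1 S2 -> Sen S1 -> Sen S2;
  Mod     : Sig -> Type;                           (* models as a set, not a category *)
  Mod_map : forall S1 S2, SigMor S1 S2 -> Mod S2 -> Mod S1;  (* contravariant reduct *)
  satisfies : forall S, Mod S -> Sen S -> Prop;    (* M ⊨_Σ φ *)
  (* Satisfaction condition: for σ : Σ → Σ', M ∈ Mod(Σ') and φ ∈ Sen(Σ),
     Mod(σ)(M) ⊨_Σ φ  iff  M ⊨_Σ' Sen(σ)(φ). *)
  satisfaction : forall S1 S2 (sigma : SigMor S1 S2) (M : Mod S2) (phi : Sen S1),
      satisfies S1 (Mod_map S1 S2 sigma M) phi
      <-> satisfies S2 M (Sen_map S1 S2 sigma phi)
}.
```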
We will now provide a precise but brief definition for the institution for Event-B, alongside its definition in Coq. For details, we refer the reader to [3]. Throughout, let Status = {ordinary ≤ anticipated ≤ convergent}.
The category of EVT-signatures has as objects Σ̂ = ⟨Σ, E, X, X'⟩, where Σ is a first-order signature, E : Status → Type is a status-indexed set of events, and X, X' : sorts Σ → Type are sorts-indexed sets of pre- and post-variables, respectively. In Coq, this becomes:

An EVT-signature morphism Σ̂₁ → Σ̂₂ consists of a first-order signature morphism σ : Σ₁ → Σ₂ translating the base signature, along with a function E₁ → E₂ mapping events in such a way as to preserve the ordering on statuses, and functions X₁ → X₂ ∘ σ, X'₁ → X'₂ ∘ σ mapping variables, regarded as morphisms in their respective indexed categories. It is convenient to assume that the initialization event is not in E, so there is no need for the assumption that the initial event is preserved by signature morphisms. If the initialization/event distinction is made at the level of sentences, then we can enforce preservation of the initialization event definitionally.

EVT-sentences are either initialization sentences, Init ψ where ψ : FOSen(Σ + X'), or event sentences, Event e ψ where ψ : FOSen(Σ + X + X'). Note that the base signature is expanded to include the EVT-variables as constant operation names. Initialization sentences describe how variables are initially set. Event sentences describe how events change the variables. As a very simple example, given an event inc which increments a variable n, inc :≡ begin n := n + 1 end, we write the EVT-sentence Event(inc, n' = n + 1), where n ∈ X and n' ∈ X' are respectively pre- and post-variables from the ambient Event-B signature. Given an initialization event which starts n at 0, init :≡ begin n := 0 end, we write the EVT-sentence Init(n = 0). For details on this correspondence, see again [3].
Event-B sentences rely on the ability to construct the expansion of first-order signatures by adjoining a sorts-indexed set of constant operation names, which in Coq we denote by SigExpand Σ X. EVT-sentences can be defined as follows.

Proving that EVT is an institution amounts to instantiating this class to the above definitions and discharging the generated obligations. The proofs rely on custom induction principles for the dependent records we introduce above, since the induction principles generated by Coq are too strong. For example, if one wishes to prove that two Event-B signature morphisms σ̂ and σ̂' are equal, of course it suffices to prove that they are equal componentwise. Consider equality on the on_vars component. The statement of this equality will depend on a proof p : σ = σ' that the underlying first-order signature morphisms are equal, which we write p_*(on_vars σ̂) = on_vars σ̂'. Notice that this requirement is substantially stronger than necessary; it suffices in this case to know that σ and σ' agree on sorts. Hence, given p : on_sorts σ = on_sorts σ', we only need to prove p_*(on_vars σ̂) = on_vars σ̂'. This dramatically simplifies the proofs.
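As an added example (not the paper's or the project's own code), the EVT-signatures, signature morphisms and sentences defined above, written as Coq records. The first-order layer (FOSig, sorts, FOSigMor, on_sorts, SigExpand, FOSen) is assumed as abstract section variables, and reading "preserves the ordering on statuses" as "maps an event to one of equal or higher status" is an assumption of this example:

```coq
Inductive Status := ordinary | anticipated | convergent.

Definition status_rank (s : Status) : nat :=
  match s with ordinary => 0 | anticipated => 1 | convergent => 2 end.

(* The ordering ordinary <= anticipated <= convergent. *)
Definition status_le (s t : Status) : Prop :=
  status_rank s <= status_rank t.

Section EVT.
  (* Assumed first-order layer: signatures, their sorts, morphisms acting
     on sorts, expansion Σ + X by constant names, and sentences. *)
  Variable FOSig : Type.
  Variable sorts : FOSig -> Type.
  Variable FOSigMor : FOSig -> FOSig -> Type.
  Variable on_sorts : forall S1 S2, FOSigMor S1 S2 -> sorts S1 -> sorts S2.
  Variable SigExpand : forall S : FOSig, (sorts S -> Type) -> FOSig.
  Variable FOSen : FOSig -> Type.

  (* Σ̂ = ⟨Σ, E, X, X'⟩ *)
  Record EVTSig := {
    base   : FOSig;
    events : Status -> Type;       (* status-indexed events E *)
    vars   : sorts base -> Type;   (* pre-variables X *)
    vars'  : sorts base -> Type    (* post-variables X' *)
  }.

  (* Σ̂₁ → Σ̂₂. Assumption: each event is mapped to an event of equal or
     higher status, which is how "preserving the ordering" is read here. *)
  Record EVTSigMor (S1 S2 : EVTSig) := {
    on_base   : FOSigMor (base S1) (base S2);
    on_events : forall s, events S1 s -> { t : Status & events S2 t };
    on_events_mono : forall s e, status_le s (projT1 (on_events s e));
    on_vars   : forall s, vars S1 s -> vars S2 (on_sorts _ _ on_base s);
    on_vars'  : forall s, vars' S1 s -> vars' S2 (on_sorts _ _ on_base s)
  }.

  (* Init ψ with ψ : FOSen(Σ + X'); Event e ψ with ψ : FOSen(Σ + X + X'),
     where X + X' is the sorts-wise disjoint union of the variable sets. *)
  Inductive EVTSen (S : EVTSig) : Type :=
  | Init  : FOSen (SigExpand (base S) (vars' S)) -> EVTSen S
  | Event : forall s, events S s ->
            FOSen (SigExpand (base S) (fun x => (vars S x + vars' S x)%type)) ->
            EVTSen S.
End EVT.
```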

Future Work
In the future, it will be interesting to investigate Coq's code extraction facilities to generate provably correct code derived from, for example, the institution comorphism FOPEQ → EVT. We also wish to prove the amalgamation property for EVT, and more generally to build institution-independent constructions and proofs, which we have already explored to some extent for modal logics and linear-time temporal logics. The proofs involved in the definition for first-order predicate logic were rather complicated, but the proofs for EVT often reduced to properties of first-order logic. This suggests that quick progress could be made defining further institutions, verifying their properties, and providing interoperability between the formalisms represented in our framework.