Safe Controller â An Application of Sequence-Based Specification. Atomic black box: BBX : Xâ â R. BBX = BBY2 ⦠Ï. BBX(λ)=0. âu â Xâ, âx â X,. BBX(ux) =.
Safe Controller – An Application of Sequence-Based Specification
Lan Lin, Jesse H. Poore, Stacy J. Prowell Department of Computer Science University of Tennessee Knoxville, TN 37996
ut-cs-05-555 June 2005
Contents 1 Requirements
3
2 Enumeration 2.1 System Boundary, Atomic Stimuli, and Responses . . . . . . 2.2 Abstraction 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Abstraction 2 . . . . . . . . . . . . . . . . . . . . . . . . . . .
3 3 4 7
3 State Machine
11
4 Regular Expression
12
5 Prefix-recursive Function 5.1 Canonical Sequence Analysis 5.2 Specification Function . . . . 5.3 Abstract Black Box . . . . . . 5.4 Atomic Black Box . . . . . .
13 13 14 15 15
6 Compatibility
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
17
Safe Controller – An Application of Sequence-Based Specification
List of Tables 1 2 3 4 5 6 7 8
Safe Controller Requirements . . . . . . . . . . . . . . . . Safe Controller Stimuli . . . . . . . . . . . . . . . . . . . . Safe Controller Responses . . . . . . . . . . . . . . . . . . Sequence Enumeration under Abstraction 1 . . . . . . . . Sequence Enumeration under Abstraction 2 . . . . . . . . Enumerations for pG and pB . . . . . . . . . . . . . . . . . Canonical Sequence Analysis for Enumerations for pG and Sequence Analysis for Enumeration under Abstraction 2 .
. . . . . . . . . . . . pB . .
3 4 4 6 8 9 10 14
List of Figures 3.1
A State Machine for the Safe Controller under Abstraction 2
2
12
Safe Controller – An Application of Sequence-Based Specification
1
Requirements
The safe controller as presented in [1] is a simple application of sequencebased specification techniques. Requirements for the simple safe controller are given in Table 1. Tag 1
2
3
4 5 6 7 8
D1 D2
Requirement The combination consists of three digits (0-9) which must be entered in the correct order to unlock the safe. The combination is fixed in the safe firmware. Following an incorrect combination entry, a “clear” key must be pressed before the safe will accept further entry. The clear key also resets any combination entry. Once the three digits of the combination are entered in the correct order, the safe unlocks and the door may be opened. When the door is closed, the safe automatically locks. The safe has a sensor which reports the status of the lock. The safe ignores keypad entry when the door is open. There is no external confirmation for combination entry other than unlocking the door. It is assumed (with risk) that the safe cannot be opened by means other than combination entry while the software is running. Sequences with stimuli prior to system initialization are illegal by system definition. Re-initialization (power-on) makes previous history irrelevant. Table 1: Safe Controller Requirements
2 2.1
Enumeration System Boundary, Atomic Stimuli, and Responses
The system boundary cuts the interfaces between the system and the external power, keypad, door sensor, and lock actuator. Atomic stimuli and responses can be identified as in Table 2 and Table 3.
3
Safe Controller – An Application of Sequence-Based Specification
Stimulus 0-9 C D L U
Description Digit press Clear key press Door closed Power on with door locked Power on with door unlocked
Interface keypad keypad door sensor power, door sensor power, door sensor
Table 2: Safe Controller Stimuli Response lock unlock
Description Locking the door Unlocking the door
Interface lock actuator lock actuator
Table 3: Safe Controller Responses
2.2
Abstraction 1
Atomic stimulus set: X = {0, 1, 2, . . . , 9, C, D, L, U } Abstract stimulus set: Y1 = {d, C, D, L, U } Abstraction in ANF: φ : X ∗ → Y1∗ φ(λ) = λ ∀u ∈ X ∗ ,∀x ∈ X, φ(u)d φ(u)C φ(u)D φ(ux) = φ(u)L φ(u)U φ(u)
if pd (ux) if pC (ux) if pD (ux) if pL (ux) if pU (ux) otherwise
Characteristic predicates pi : X ∗ → {true, false}, ∀i ∈ Y1 pd (λ) = false ∀u ∈ X ∗ , ( ∀x ∈ X, true pd (ux) = false
if x ∈ {0, 1, . . . , 9} otherwise
4
Safe Controller – An Application of Sequence-Based Specification
pC (λ) = false ∀u ∈ X ∗ , ( ∀x ∈ X, true pC (ux) = false
if x = C otherwise
pD (λ) = false ∀u ∈ X ∗ , ∀x ( ∈ X, true pD (ux) = false
if x = D otherwise
pL (λ) = false ∀u ∈ X ∗ , ( ∀x ∈ X, true pL (ux) = false
if x = L otherwise
pU (λ) = false ∀u ∈ X ∗ , ( ∀x ∈ X, true pU (ux) = false
if x = U otherwise
Predicate refinement is needed to enumerate under Abstraction 1, when letting d denote any digit press results in a slight overabstraction. Predicate p is introduced for this purpose. Let c1 c2 c3 be the correct combination entry. p : X ∗ → { true, false} ∀u ∈ X ∗ , p(u) = true ⇔ ∃v ∈ X ∗ , u = vc1 c2 c3 . The complete enumeration is produced as in Table 4.
5
Safe Controller – An Application of Sequence-Based Specification
Sequence λ d C D L U Ld LC LD LL LU Ud UC UD UL UU Ldd LdC LdD LdL LdU Ldd[d, p] Ldd[d, ¬p] LddC LddD LddL LddU Ldd[d, ¬p]d Ldd[d, ¬p]C Ldd[d, ¬p]D Ldd[d, ¬p]L Ldd[d, ¬p]U
Response 0 ω ω ω 0 0 0 0 ω 0 0 0 0 lock 0 0 0 0 ω 0 0 unlock 0 0 ω 0 0 0 0 ω 0 0
Equivalence
L L U U U L L U L L U U L L U Ldd[d, ¬p] L L U
Trace Method D1 D1 D1 5 5 7 2,7 8 5,D2 5,D2 6 6 4 5,D2 5,D2 7 2,7 8 5,D2 5,D2 1,3,7 1,2,7 2,7 8 5,D2 5,D2 2,7 2,7 8 5,D2 5,D2
Table 4: Sequence Enumeration under Abstraction 1
6
Safe Controller – An Application of Sequence-Based Specification
2.3
Abstraction 2
Atomic stimulus set: X = {0, 1, 2, . . . , 9, C, D, L, U } Abstract stimulus set: Y2 = {G, B, C, D, L, U } Abstraction in ANF: φ : X ∗ → Y2∗ φ(λ) = λ ∀u ∈ X ∗ ,∀x ∈ X, φ(u)G φ(u)B φ(u)C φ(ux) = φ(u)D φ(u)L φ(u)U φ(u)
if pG (ux) if pB (ux) if pC (ux) if pD (ux) if pL (ux) if pU (ux) otherwise
Characteristic predicates pi : X ∗ → {true , false}, ∀i ∈ {C, D, L, U } pi (λ) = false ∀u ∈ X ∗ , (∀x ∈ X, true pi (ux) = false
if x = i otherwise
Informal definitions for pG and pB can be used to obtain a complete enumeration. Let pG = true denote entering the correct combination entry in order, and let pB = true denote entering the combination incorrectly. Their formal definitions can be derived easily with a complete enumeration in hand. The complete enumeration under Abstraction 2 is constructed in Table 5. To get formal definitions for characteristic predicates pG and pB , we need complete enumerations for them in X ∗ . To avoid inefficient work, we introduce the abstraction of d to represent any digit press. Three predicates are defined as follows, which will be used to define pG and pB : Let c1 c2 c3 be the correct combination entry. pc1 : “The current digit is the correct 1st digit c1 .” pc2 : “The current digit is the correct 2nd digit c2 .” pc3 : “The current digit is the correct 3rd digit c3 .” pci : X ∗ → {true , false}, ∀i ∈ {1, 2, 3}
7
Safe Controller – An Application of Sequence-Based Specification
Sequence λ G B C D L U LG LB LC LD LL LU UG UB UC UD UL UU LBG LBB LBC LBD LBL LBU
Response 0 ω ω ω ω 0 0 unlock 0 0 ω 0 0 0 0 0 lock 0 0 0 0 0 ω 0 0
Equivalence
U L L U U U U L L U LB LB L L U
Trace Method D1 D1 D1 D1 5 5 1,3,7 1,2,7 2,7 8 5,D2 5,D2 6 6 6 4 5,D2 5,D2 2,7 2,7 2,7 8 5,D2 5,D2
Table 5: Sequence Enumeration under Abstraction 2
8
Safe Controller – An Application of Sequence-Based Specification
pci (λ) = false ∀u ∈ X ∗ , ∀x ( ∈ X, true pci (ux) = false
if x = ci otherwise
Enumerations for pG and pB are shown in Table 6. It happens that the sequence column and the equivalence column are the same for two enumerations; thus we combine two tables into one. Sequence λ [d, pc1 ] [d, ¬pc1 ] C D L U [d, pc1 ][d, pc2 ] [d, pc1 ][d, ¬pc2 ] [d, pc1 ]C [d, pc1 ]D [d, pc1 ]L [d, pc1 ]U [d, ¬pc1 ]d [d, ¬pc1 ]C [d, ¬pc1 ]D [d, ¬pc1 ]L [d, ¬pc1 ]U [d, pc1 ][d, pc2 ][d, pc3 ] [d, pc1 ][d, pc2 ][d, ¬pc3 ] [d, pc1 ][d, pc2 ]C [d, pc1 ][d, pc2 ]D [d, pc1 ][d, pc2 ]L [d, pc1 ][d, pc2 ]U
Resp. for pG false false false false false false false false false false false false false false false false false false true false false false false false
Resp. for pB false false true false false false false false true false false false false true false false false false false true false false false false
Table 6: Enumerations for pG and pB
9
Equiv.
λ λ λ λ [d, ¬pc1 ] λ λ λ λ [d, ¬pc1 ] λ λ λ λ λ [d, ¬pc1 ] λ λ λ λ
Safe Controller – An Application of Sequence-Based Specification
Canonical sequence analysis for enumerations in Table 6 is performed to derive formal definitions for pG and pB . The analysis is given in Table 7. Canonical Sequence λ [d, pc1 ] [d, ¬pc1 ] [d, pc1 ][d, pc2 ]
Combo 0 1 x 2
Table 7: Canonical Sequence Analysis for Enumerations for pG and pB Specification function Combo : X ∗ → {0, 1, x, 2} Combo(λ) = 0 ∀u ∈ X ∗ , ∀x ∈X, 1 x 2 x 0 Combo(ux) = 0 0 x 0 Combo(u)
if Combo(u) = 0 ∧ x = c1 if Combo(u) = 0 ∧ x 6= c1 ∧ x ∈ {0, 1, . . . , 9} if Combo(u) = 1 ∧ x = c2 if Combo(u) = 1 ∧ x 6= c2 ∧ x ∈ {0, 1, . . . , 9} if Combo(u) = 1 ∧ x ∈ {C, D, L, U } if Combo(u) = x ∧ x ∈ {C, D, L, U } if Combo(u) = 2 ∧ x = c3 if Combo(u) = 2 ∧ x 6= c3 ∧ x ∈ {0, 1, . . . , 9} if Combo(u) = 2 ∧ x ∈ {C, D, L, U } otherwise
Characteristic predicate pG : X ∗ → {true , false}
pG (λ) = false ∀u ∈ X ∗ , ∀x ∈ X, false false pG (ux) = false true false
if Combo(u) = 0 if Combo(u) = 1 if Combo(u) = x if Combo(u) = 2 ∧ x = c3 if Combo(u) = 2 ∧ x 6= c3 ∧ x ∈ {0, 1, . . . , 9}
Characteristic predicate pB : X ∗ → {true , false}
10
Safe Controller – An Application of Sequence-Based Specification
pB (λ) = false ∀u ∈ X ∗ , ∀x ∈ X, false true false true pB (ux) = false true false true
3
if Combo(u) = 0 ∧ x ∈ {C, D, L, U, c1 } if Combo(u) = 0 ∧ x 6= c1 ∧ x ∈ {0, 1, . . . , 9} if Combo(u) = 1 ∧ x ∈ {C, D, L, U, c2 } if Combo(u) = 1 ∧ x 6= c2 ∧ x ∈ {0, 1, . . . , 9} if Combo(u) = x ∧ x ∈ {C, D, L, U } if Combo(u) = x ∧ x ∈ {0, 1, . . . , 9} if Combo(u) = 2 ∧ x ∈ {C, D, L, U, c3 } if Combo(u) = 2 ∧ x 6= c3 ∧ x ∈ {0, 1, . . . , 9}
State Machine
For the following sections, we only consider representations of the safe controller module equivalent to the enumeration under Abstraction 2. M = hQ, X, δ, qλ , R, ν, φi is a Mealy machine for the module, where Q = {qλ , qL , qU , qLB , qω }, X = {G, B, C, D, L, U }, R = {0, ω, lock, unlock}, δ : Q × X → Q and ν : Q × X → R are total functions defined as follows:
δ(qλ , G) = qω δ(qλ , B) = qω δ(qλ , C) = qω δ(qλ , D) = qω δ(qλ , L) = qL δ(qλ , U ) = qU δ(qL , G) = qU δ(qL , B) = qLB δ(qL , C) = qL δ(qL , D) = qω δ(qL , L) = qL δ(qL , U ) = qU
ν(qλ , G) = ω ν(qλ , B) = ω ν(qλ , C) = ω ν(qλ , D) = ω ν(qλ , L) = 0 ν(qλ , U ) = 0 ν(qL , G) = unlock ν(qL , B) = 0 ν(qL , C) = 0 ν(qL , D) = ω ν(qL , L) = 0 ν(qL , U ) = 0
11
Safe Controller – An Application of Sequence-Based Specification
δ(qU , G) = qU δ(qU , B) = qU δ(qU , C) = qU δ(qU , D) = qL δ(qU , L) = qL δ(qU , U ) = qU δ(qLB , G) = qLB δ(qLB , B) = qLB δ(qLB , C) = qL δ(qLB , D) = qω δ(qLB , L) = qL δ(qLB , U ) = qU
ν(qU , G) = 0 ν(qU , B) = 0 ν(qU , C) = 0 ν(qU , D) = lock ν(qU , L) = 0 ν(qU , U ) = 0 ν(qLB , G) = 0 ν(qLB , B) = 0 ν(qLB , C) = 0 ν(qLB , D) = ω ν(qLB , L) = 0 ν(qLB , U ) = 0
The state machine diagram is drawn in Figure 3.1.
Figure 3.1: A State Machine for the Safe Controller under Abstraction 2
4
Regular Expression
Regular expressions for each legal equivalence class:
12
Safe Controller – An Application of Sequence-Based Specification rλ rL rU
rLB
= λ = (L + U (G + B + C + U )∗ (D + L)) (C + L + B(G + B)∗ (C + L)+ (G + U )(G + B + C + U )∗ (D + L)+ B(G + B)∗ U (G + B + C + U )∗ (D + L))∗ = (U + (L + U (G + B + C + U )∗ (D + L)) (C + L + B(G + B)∗ (C + L)+ (G + U )(G + B + C + U )∗ (D + L)+ B(G + B)∗ U (G + B + C + U )∗ (D + L))∗ (G + U )+ (L + U (G + B + C + U )∗ (D + L)) (C + L + B(G + B)∗ (C + L)+ (G + U )(G + B + C + U )∗ (D + L)+ B(G + B)∗ U (G + B + C + U )∗ (D + L))∗ B(G + B)∗ U ) (G + B + C + U )∗ = (L + U (G + B + C + U )∗ (D + L)) (C + L + B(G + B)∗ (C + L)+ (G + U )(G + B + C + U )∗ (D + L)+ B(G + B)∗ U (G + B + C + U )∗ (D + L))∗ B(G + B)∗
Regular expressions for each response: r0 r
ω
rlock
runlock
= λ + rλ (L + U ) + rL (B + C + L + U )+ rU (G + B + C + L + U ) + rLB (G + B + C + L + U ) = (rλ (G + B + C + D) + rL D + rLB D) (G + B + C + D + L + U )∗ = rU D = rL G
The second set is expressed in terms of the first for brevity.
5 5.1
Prefix-recursive Function Canonical Sequence Analysis
Specification functions with one possible set of values for each are given in Table 8 for the enumeration in Table 5.
13
Safe Controller – An Application of Sequence-Based Specification
Canonical Sequence λ L U LB
Door unknown lock unlock lock
Error false true
Table 8: Sequence Analysis for Enumeration under Abstraction 2
5.2
Specification Function
Specification function Door : Y2∗ → {unknown, lock, unlock} Door(λ) = unknown ∈ Y2 , ∀u ∈ Y2∗ , ∀x lock unlock unlock Door(ux) = unlock lock lock Door(u)
if Door(u) = unknown ∧ x = L if Door(u) = unknown ∧ x = U if Door(u) = lock ∧ x = G if Door(u) = lock ∧ x = U if Door(u) = unlock ∧ x = D if Door(u) = unlock ∧ x = L otherwise
Specification function Error : Y2∗ → {true, f alse} Error(λ) = any ∀u ∈ Y2∗ , ∀x ∈Y2 , f alse any true any f alse Error(ux) = f alse f alse any Error(u)
if Error(u) = any ∧ x = L if Error(u) = f alse ∧ x = G if Error(u) = f alse ∧ x = B if Error(u) = f alse ∧ x = U if Error(u) = any ∧ x = D if Error(u) = true ∧ x = C if Error(u) = true ∧ x = L if Error(u) = true ∧ x = U otherwise
Note that when Error(u) takes the value “any”, it can be either true or false. 14
Safe Controller – An Application of Sequence-Based Specification
5.3
Abstract Black Box
Abstract black box BBY2 : Y2∗ → R BBY2 (λ) = 0 ∈ Y2 , ∀u ∈ Y2∗ , ∀x ω
if BBY2 (u) 6= ω ∧ Door(u) = unknown∧ Error(u) = any ∧ x ∈ {G, B, C, D} 0 if BBY2 (u) 6= ω ∧ Door(u) = unknown∧ Error(u) = any ∧ x ∈ {L, U } unlock if BBY2 (u) 6= ω ∧ Door(u) = lock∧ Error(u) = f alse ∧ x = G 0 if BBY2 (u) 6= ω ∧ Door(u) = lock∧ Error(u) = f alse ∧ x ∈ {B, C, L, U } ω if BBY2 (u) 6= ω ∧ Door(u) = lock∧ BBY2 (ux) = Error(u) = f alse ∧ x = D 0 if BBY2 (u) 6= ω ∧ Door(u) = unlock∧ Error(u) = any ∧ x ∈ {G, B, C, L, U } lock if BBY2 (u) 6= ω ∧ Door(u) = unlock∧ Error(u) = any ∧ x = D 0 if BB (u) 6= ω ∧ Door(u) = lock∧ Y2 Error(u) = true ∧ x ∈ {G, B, C, L, U } ω if BBY2 (u) 6= ω ∧ Door(u) = lock∧ Error(u) = true ∧ x = D ω if BBY2 (u) = ω
5.4
Atomic Black Box
Given formal definitions of the abstract black box (in prefix-recursive form) and the abstraction function (in ANF), we can obtain the atomic black box by function composition. Here we still take Abstraction 2 as an example. Abstract black box: BBY2 : Y2∗ → R Abstraction: φ : X ∗ → Y2∗ Atomic black box: BBX : X ∗ → R Relationship: BBX = BBY2 ◦ φ The abstract black box is formally defined from the complete enumeration, as shown in Section 5.3. For brevity we are omitting some of the
15
Safe Controller – An Application of Sequence-Based Specification
details here and simply use different predicates to denote the conditions under which different response values are implied. Note that these predicates partition the whole abstract space. Abstract stimulus set: Y2 = {G, B, C, D, L, U } Response set: R = {lock, unlock, 0, ω} Abstract black box: BBY2 : Y2∗ → R BBY2 (λ) = 0 ∈ Y2 , ∀v ∈ Y2∗ , ∀y lock unlock BBY2 (vy) = 0 ω
if plock (vy) if punlock (vy) if p0 (vy) if pω (vy)
The abstraction function is defined as in Section 2.3. Note that the characteristic predicates for all abstract stimuli do not partition the whole atomic space, thus we have the “otherwise” case. Atomic stimulus set: X = {0, 1, 2, . . . , 9, C, D, L, U } Abstract stimulus set: Y2 = {G, B, C, D, L, U } Abstraction in ANF: φ : X ∗ → Y2∗ φ(λ) = λ ∀u ∈ X ∗ ,∀x ∈ X, φ(u)G φ(u)B φ(u)C φ(ux) = φ(u)D φ(u)L φ(u)U φ(u)
if pG (ux) if pB (ux) if pC (ux) if pD (ux) if pL (ux) if pU (ux) otherwise
By function composition, we have the atomic black box defined as follows. Note that when none of the characteristic predicate is satisfied on an atomic sequence, we are losing some information in the abstraction, thus are losing some information in the atomic black box function.
16
Safe Controller – An Application of Sequence-Based Specification
Atomic black box: BBX : X ∗ → R BBX = BBY2 ◦ φ BBX (λ) = 0 ∀u ∈ X ∗ , ∀x ∈ X, lock
BBX (ux) =
unlock
0
if
if
if
ω if unknown if
6
pG (ux) ∧ plock (φ(u)G) ∨pB (ux) ∧ plock (φ(u)B) ∨pC (ux) ∧ plock (φ(u)C) ∨pD (ux) ∧ plock (φ(u)D) ∨pL (ux) ∧ plock (φ(u)L) ∨pU (ux) ∧ plock (φ(u)U ) pG (ux) ∧ punlock (φ(u)G) ∨pB (ux) ∧ punlock (φ(u)B) ∨pC (ux) ∧ punlock (φ(u)C) ∨pD (ux) ∧ punlock (φ(u)D) ∨pL (ux) ∧ punlock (φ(u)L) ∨pU (ux) ∧ punlock (φ(u)U ) pG (ux) ∧ p0 (φ(u)G) ∨pB (ux) ∧ p0 (φ(u)B) ∨pC (ux) ∧ p0 (φ(u)C) ∨pD (ux) ∧ p0 (φ(u)D) ∨pL (ux) ∧ p0 (φ(u)L) ∨pU (ux) ∧ p0 (φ(u)U ) pG (ux) ∧ pω (φ(u)G) ∨pB (ux) ∧ pω (φ(u)B) ∨pC (ux) ∧ pω (φ(u)C) ∨pD (ux) ∧ pω (φ(u)D) ∨pL (ux) ∧ pω (φ(u)L) ∨pU (ux) ∧ pω (φ(u)U ) ¬(pG (ux) ∨ pB (ux) ∨ pC (ux) ∨pD (ux) ∨ pL (ux) ∨ pU (ux))
Compatibility
It is obvious that BBX is a refinement of both BBY1 and BBY2 . Consider the two black box functions with the same value set R: BBY1 = hY1 , R, ΣY1 , ΓY1 i 17
Safe Controller – An Application of Sequence-Based Specification
BBY2 = hY2 , R, ΣY2 , ΓY2 i
Consider the following abstraction φ12 : Y1∗ → Y2∗ φ12 (λ) = λ ∀u ∈ Y1∗ , ∀x ∈ Y1 , φ (u)G 12 φ12 (u)B φ12 (u)C φ12 (ux) = φ12 (u)D φ12 (u)L φ12 (u)U φ (u) 12
if pG (ux) if pB (ux) if pC (ux) if pD (ux) if pL (ux) if pU (ux) otherwise
The formal definitions for the characteristic predicates are the same as the definitions in Section 2.3, except that x ∈ {0, 1, . . . , 9} is replaced with x = d whenever it appears. Consider the equivalence classes represented by canonical sequences under Moore equivalence for Y1∗ and Y2∗ . Canonical Sequence in Y1∗
Canonical Sequence in Y2∗
λ L U UD Ldd[d, p] Ldd[d, ¬p] Ld Ldd
λ L U UD LG LB
∀u ∈ Y1∗ ,
18
Safe Controller – An Application of Sequence-Based Specification
if u ∈ [λ] φ(u) ∈ [λ] if u ∈ [L] φ(u) ∈ [L] if u ∈ [U ] φ(u) ∈ [U ] if u ∈ [U D] φ(u) ∈ [U D] if u ∈ [Ldd[d, p]] φ(u) ∈ [LG] if u ∈ [Ldd[d, ¬p]] φ(u) ∈ [LB] if u ∈ [Ld] φ(u) ∈ [L] ∪ [LB] if u ∈ [Ldd] φ(u) ∈ [L] ∪ [LB] thus ΓY1 ([u]ΣY1 ) ⊆ ΓY2 ([φ(u)]ΣY2 ) From above we can claim BBX is a refinement of BBY1 , which is a refinement of BBY2 .
References [1] Stacy J. Prowell and Jesse H. Poore, “Foundations of Sequence-Based Software Specification”, IEEE Transactions on Software Engineering, Vol. 29, No. 5, May 2003.
19
