Stochastic Analogues of Invariants
Martingales in Stochastic Event-B
Richard Banach
School of Computer Science, University of Manchester, Manchester, U.K.
Keywords:
Model based Frameworks, Event-B, Stochastic Extensions, Invariants, Martingales.
Abstract:
In conventional formal model based development frameworks, invariants play a key role in controlling the
behaviour of the model (when they contribute to the definition of the model) or in verifying the model’s
properties (when the model, independently defined, is required to preserve the invariants). However, when
variables take values distributed according to some probability distribution, the possibility of verifying that
system behaviour is, in the long term, confined to some acceptable set of states can be severely diminished
because the system might, in fact, with low probability fail to be thus confined. This short paper proposes
martingales as suitable analogues of invariants for capturing suitable properties of non-terminating systems
whose behaviour is with high probability good, yet where a small chance of poor behaviour remains. The idea
is explored in the context of the well-known Event-B framework.
1 INTRODUCTION
In conventional formal model based development
frameworks invariants play a key role in controlling
the behaviour of the model. In frameworks in which
they are part of the definition of the model (such as
Z (Spivey, 1992; ISO-Z, 2002)) they restrict the be-
haviour of the rest of the model. In most frameworks
though, and typically in the various dialects of the B-
Method (Abrial, 1989; Abrial, 1996; Abrial, 2010),
invariants are proposed independently of the system
model and then the behaviour of the system as defined
must be proved to conform to the invariants — i.e. the
reachable set, as defined by the system model, must
be a subset of any stated invariant set of states. This
is normally done by an inductive technique which
proves that every state change allowed by the system
model results in an after-state that is within the in-
variant set, provided the before-state was also in the
invariant set.
All of this works fine when variable values are
assigned either deterministically, or in more abstract
settings, nondeterministically. Considering pure non-
determinism, no restriction is placed on the occur-
rence of any allowed value, so any system invariant
must include all the possibilities permitted by all the
nondeterminism in the model in order that the model
preserves the invariant. However, in practice, systems
often have smaller families of states that are visited
frequently, with other permitted states visited much
less frequently. A simple invariant cannot capture the
distinction between the smaller ‘frequently visited’
subset and the infrequently visited ‘outlying states’.
The distinction between frequently visited and in-
frequently visited is quantified in probabilistic terms.
When the values taken by variables are labelled with
probabilities (implicitly also labelling the transitions
that cause those values to be adopted), then in prin-
ciple, we can make precise statements regarding the
likelihood that the system trajectory remains in a cer-
tain region of the state space. Useful byproducts of
this are statements that the long term behaviour of the
system is predominantly confined to a relatively small
portion of the state space, despite the probability of its
visiting other states being non-zero (though small).
This short paper proposes the martingale concept
from stochastic calculus (see e.g. (Resnick, 1992;
Grimmett and Stirzaker, 2001)) as a suitable analogue
for an invariant in comparable situations. For exam-
ple, it can be used to capture such properties of non-
terminating systems as when their behaviour is with
high probability ‘good’, yet where a limited probabil-
ity of ‘poor’ behaviour remains. The idea is explored
in the context of the well-known Event-B framework,
using a small case study drawn from the Mondex
Electronic Purse problem (Stepney et al., 2000);
this was the first problem in the Verification Grand
Challenge, active for a number of years now (Jones
et al., 2006; Woodcock, 2006; Woodcock and Banach,
2007; Jones and Woodcock (eds.), 2008).
Banach R.
Stochastic Analogues of Invariants - Martingales in Stochastic Event-B.
DOI: 10.5220/0005431602380243
In Proceedings of the 10th International Conference on Evaluation of Novel Approaches to Software Engineering (ENASE-2015), pages 238-243
ISBN: 978-989-758-100-7
Copyright © 2015 SCITEPRESS (Science and Technology Publications, Lda.)
In the rest of this paper we do the following. In
Section 2 we give a brief description of Event-B, for
purposes of orientation. In Section 3 we describe a
fragment of the Mondex Purse problem, originally de-
veloped in Z, using Event-B. In Section 4 we give a
short introduction to martingales, in the form we will
need them later. In Section 5 we focus our martingale
discussion on the Mondex problem introduced earlier.
Section 6 concludes, and looks forward to the further
development of the ideas presented here, especially
in their application to hybrid and cyber-physical sys-
tems.
2 EVENT-B
In this section, we briefly review Event-B machines
and their ingredients. Explicit examples of these
things will appear below.
In a nutshell, an Event-B MACHINE has a name,
it SEES one or more static contexts, and it owns
some VARIABLES. The latter are allowed to be up-
dated via EVENTS, but are required to always satisfy
the INVARIANTS (this requirement generating ver-
ification conditions, a.k.a. proof obligations (POs)).
The events can declare their own parameters (which
are bound variables which can be used to reduce in-
ternal nondeterminism, or to carry input values or
output values). Furthermore, each event has one
or more guards which define when the event is en-
abled, and one or more actions which define the state
change to be implemented by the event, specified via
before-after predicates (or notations such as assign-
ment for simpler cases). Among the events there is an
INITIALISATION, whose guard must be true.
The semantics of Event-B machines is expressed
via a number of POs. These must be provable in order
for the machine in question to be well defined. We
quote the main ones of interest to us, mentioning the
others more briefly. See (Abrial, 2010; Abrial et al.,
2010) for full details.
For a machine A to be well defined the initialisa-
tion, feasibility and correctness POs must hold:
$$\mathit{Init}_A(u') \;\Rightarrow\; I(u') \tag{1}$$
$$I(u) \wedge G_{\mathit{Ev}_A}(u) \;\Rightarrow\; (\exists u' \cdot \mathit{Ev}_A(u,u')) \tag{2}$$
$$I(u) \wedge G_{\mathit{Ev}_A}(u) \wedge \mathit{Ev}_A(u,u') \;\Rightarrow\; I(u') \tag{3}$$
In (1), $\mathit{Init}_A$ is the initialisation event and (1) says that
the value $u'$ of $A$'s state variable $u$ established by $\mathit{Init}_A$
satisfies $A$'s invariant $I(u')$. Then (2) says that event
$\mathit{Ev}_A$ is feasible; i.e. when it is enabled in an invariant
state ($I(u) \wedge G_{\mathit{Ev}_A}(u)$) then an after-state $u'$ exists so
that $\mathit{Ev}_A(u,u')$ can complete successfully. Likewise,
(3) says that for $\mathit{Ev}_A$, if $A$'s invariant $I(u)$, and $\mathit{Ev}_A$'s
guard $G_{\mathit{Ev}_A}(u)$, both hold in the before-state $u$ of the
event, and $\mathit{Ev}_A$'s before-after relation $\mathit{Ev}_A(u,u')$ also
holds (for an after-state $u'$ whose existence is estab-
lished by (2)), then the after-state will satisfy the in-
variant $I$ once more (i.e. we have invariant preserva-
tion). In (1), (2) and (3) we have suppressed mention
of the details of the static contexts seen by machine
$A$, and have suppressed mention of any local bound
variables or of inputs or outputs. These would be
easy to include in the before-after relation if desired.
Aside from (1), (2) and (3), the initialisation must also
be feasible, and for non-terminating systems we must
also have deadlock freedom:
Aside from (1), (2) and (3), the initialisation must also
be feasible, and for non-terminating systems we must
also have deadlock freedom:
$$I(u) \;\Rightarrow\; \bigvee_{k} G_{\mathit{Ev}_{A,k}}(u) \tag{4}$$
This says that if the invariant $I(u)$ holds in a state $u$,
then some event $\mathit{Ev}_{A,k}$ is enabled. See (Abrial, 2010;
Abrial et al., 2010) for more details. Non-terminating
systems are of particular interest in this paper.
3 THE MONDEX PURSE
The Mondex Electronic Purse (Stepney et al., 2000),
produced by the NatWest Development Team, is a
system of Smartcard-based electronic purses carry-
ing currency for electronic commerce applications.
Clearly, this is a security-critical application. For this
reason, the developers of Mondex (formerly a part of
NatWest Bank U.K.), employed state of the art meth-
ods to ensure the implementation was as robust as
possible. At the time of its creation (in the late 1990s),
the Mondex Purse achieved an ITSEC (D.T.I., 1991)
rating of E6. This requires a formal abstract model,
a formal concrete model, and a proof of correspon-
dence between them. (In the case of Mondex, the cor-
respondence proof was a proof of refinement.) This
was the highest possible dependability standard
achievable at the time, and the development was a
trailblazer for showing that fully formal techniques
could be applied within realistic time and cost limi-
tations to industrial scale applications.
The abstract model of the Mondex Purse system
describes a world of purses which exchange value
through atomic transactions, and specifies the security
properties: purse authentication, preservation of over-
all system value, and correct processing of both trans-
ferred and lost value. The concrete model describes
a distributed system of purses, transferring value via
an insecure and lossy medium using an n-step pro-
tocol. Security features are implemented locally on
StochasticAnaloguesofInvariants-MartingalesinStochasticEvent-B
239
each purse. In the field each purse is self-sufficient,
logging any lost value from failed transactions locally,
for later central archiving and reconciliation.
We have neither the space nor the need to describe
all of the above fully. A good account, from the van-
tage point of the work done on Mondex in the Veri-
fication Grand Challenge, can be gained from (Jones
and Woodcock (eds.), 2008) in particular.
For us, it will be sufficient to focus on one detail
of Mondex’s operation, the event —to use Event-B
terminology— that updates the sequence number that
each purse maintains to prevent replay attacks. This
event is introduced at the intermediate level of mod-
elling in (Stepney et al., 2000) and is in fact an ab-
straction of a number of internal operations of a real
purse that need the no-replay property. (Evidently an
event that literally does nothing other than increase a
sequence number is rather pointless in a real applica-
tion.) In Event-B notation it can be captured in the
following small machine:
MACHINE Mondex0
VARIABLES
  seqno
INVARIANTS
  seqno ∈ ℕ
EVENTS
  INITIALISATION
    BEGIN
      seqno := 0
    END
  Increase
    ANY inc
    WHERE inc ∈ ℕ
          0 < inc
    THEN
      seqno := seqno + inc
    END
END
In Mondex0, having been initialised to 0, the vari-
able seqno increases by an arbitrary positive integer at
each Increase event (the arbitrariness being intended
to prevent attacks based on predicting the next se-
quence number). More realistically, the increment
will not really be arbitrary, but will be drawn from
a finite range, say 1 ≤ inc ≤ 10, yielding:
MACHINE Mondex1
... ... ... ...
  Increase
    ANY inc
    WHERE inc ∈ ℕ
          1 ≤ inc ≤ 10
    THEN
      seqno := seqno + inc
    END
END
In such a case all that we could say with certainty
would be that seqno was not greater than 10 times the
number of Increase calls, nor smaller than one times
the number of Increase calls, a fact that we could ex-
press via an invariant if we introduced a variable to
count the number of calls to Increase.
However, it is reasonable to presume that individ-
ual occurrences of inc in a run would be uniformly
distributed over 1..10 for example. In that case, it is
equally reasonable to deduce that, on average, seqno
would increase by 5½ on each Increase call. In fact,
a closer probabilistic analysis reveals that the more
calls to Increase are made, the closer, on average, the
behaviour of seqno adheres to that behaviour. But it is
impossible to express such a fact via a straightforward
state invariant. This observation brings us to the topic
of martingales.
4 MARTINGALES
In this section we give a brief introduction to mar-
tingales. We start with the idea of a stochastic pro-
cess. A stochastic process is a family of random vari-
ables $X = X_0, X_1, X_2, \ldots$ indexed by some analogue
of ‘time’. If the analogue of time is a conventional dis-
crete set, such as the natural numbers, then the family
can be written in a form similar to $X$ and we speak
of a discrete stochastic process. Alternatively, if the
analogue of time is, say, a segment of the reals, then
we need a continuous index, and we speak of a con-
tinuous stochastic process. (We will not need the con-
tinuous case in this paper.)
With the family $X$ we associate another family
of random variables $S = S_0, S_1, S_2, \ldots$ indexed in the
same way. The family $S$ is a martingale with re-
spect to the family $X$ if two conditions hold. Firstly,
the expectation of the absolute value of each random
variable $S_n$ is finite: $E(|S_n|) < \infty$. Secondly, the ex-
pectation of each ‘next’ $S_{n+1}$, conditional on the val-
ues of all the $X_j$s up to $n$, is equal to the value of
$S_n$: $E(S_{n+1} \mid X_0 \ldots X_n) = S_n$. (Of course it is possi-
ble for a family $X$ to be a martingale with respect to
itself, but in most cases of interest this does not quite
work, and we typically need to apply some function
to the members of $X$ before a martingale is derived:
$S_n = \varphi_n(X_0 \ldots X_n)$.)
The intuition behind the martingale concept may
be briefly described as follows. The outcomes of the
random variables $S_0 \ldots S_n$, being random, are unpre-
dictable. But having arrived at these outcomes, there
are no grounds for expecting the outcome of the next
one in the sequence, $S_{n+1}$, to be different, on average,
from the value that has been arrived at thus far. This
comment also helps to explain why we usually need
two sequences, $X$ and $S$, to define a martingale. The
sequence most conveniently to hand in an application,
$X$ say, will typically display a ‘drift’ of some kind that
prevents it from being a martingale in its own right;
and so, to obtain a martingale, we modify it in an ap-
propriate way (using functions $\varphi_n$ say) to get a mar-
tingale $S$.
Why are martingales (which are intensely studied
in probability theory) of interest? The main reason is
that under rather mild restrictions, martingales enjoy
ENASE2015-10thInternationalConferenceonEvaluationofNovelSoftwareApproachestoSoftwareEngineering
240
significant convergence properties. (N. B. The pre-
cise details of these properties and of the needed re-
strictions vary according to the specific convergence
theorem being discussed; we do not delve into the
technical details in this paper.) Although the details
vary from result to result, in general, the restrictions
involve uniform bounds on a low order moment of
the martingale, and promise convergence (in a suit-
able sense) of the martingale sequence to a limiting
random variable $S_\infty$, i.e. $S \to S_\infty$ in a suitable manner.
The convergence to a limiting behaviour given by
$S_\infty$ is the feature of a martingale $S$ that we identify
as being analogous to an invariant property. It allows
us to neglect transient details in favour of concentrat-
ing on the long term properties of the behaviour that
are often of the greatest interest for practical appli-
cations. Of course, whether it is permissible to ne-
glect such transient details will depend critically on
the application in question, and refers very much to
the requirements pertaining to the transients and to
their significance in the application as a whole. When
it is appropriate to do so, the martingale approach can
be expected to give a much tighter quantification of
system behaviour than an invariant based approach in
which the invariants must accommodate every possi-
ble outlier, no matter how extreme it is or how rarely
it might occur.
5 THE MONDEX SEQUENCE
NUMBER AS MARTINGALE
With the preceding background, we reexamine our
Mondex sequence number case study. Bearing in
mind the remarks just above concerning require-
ments, we first accept that being interested in the
sequence number in terms of its average behaviour
is reasonable. We know from the Mondex0 and
Mondex1 models, that the sequence number is guar-
anteed to increase at each call of Increase, which
would (in an application of more realistic size) help
to ensure the key no-replay safety property.
With this aspect confirmed, we can look at quan-
tifying the average behaviour via a martingale. We
know from our previous discussion that we expect that
the seqno variable will increase by about 5½ on each
call of Increase, so we want to turn this behaviour into
a martingale. Obviously the variable seqno by itself
will not do, since it evidently does not approach any
limit. This illustrates rather well the remark made in
Section 4, that often, the most self-evident variables do
not provide a martingale directly, but that some ad-
justment is needed before the requisite convergence
properties emerge.
In our case, we can take the $X_j$ random variables
as the successive values of seqno, and one way to ob-
tain convergence is to introduce a suitable analogue
of time. For us, a ‘tick’ variable tk that is incremented
by 1 on each Increase call will do the job. Now we
can divide the successive values of seqno by the cor-
responding value of tk, and the resulting sequence
of values will converge to the mean of a single trial,
namely 5½, as required. These successive values can
be taken as the $S_j$ values corresponding to our $X_j$ val-
ues. We are not quite done though. Martingale con-
vergence requires that low order moments of $S_j$ are
uniformly bounded.
Looking at the successive values of seqno/tk, and
noting that they are successive sums of independent
identically distributed random variables, each drawn
from a finite distribution, we can use the Central
Limit Theorem to deduce that although the mean of
$seqno - 5\tfrac12\,tk$ tends to 0, the standard deviation will
grow as the square root of the number of trials, i.e. as
the value of $\sqrt{tk}$. So $seqno/tk - 5\tfrac12$ will tend to 0, and
its standard deviation will tend to 0. In other words
the limiting distribution for seqno/tk will converge (in
probability) to a point mass centred on 5½. This gives
us a martingale derived from the seqno variable's be-
haviour.
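As an added derivation (not from the paper), the two limits just stated follow directly from the moments of a single increment, using the paper's symbols; the value $99/12$ is the variance of a single trial drawn uniformly from $1..10$:

$$\mu = E(\mathit{inc}) = 5\tfrac12, \qquad \sigma^2 = \mathrm{Var}(\mathit{inc}) = \frac{10^2 - 1}{12} = \frac{99}{12} = 8.25$$

After $tk$ independent Increase calls, $\mathit{seqno} = \mathit{inc}_1 + \cdots + \mathit{inc}_{tk}$, so

$$E(\mathit{seqno}) = 5\tfrac12\, tk, \qquad \mathrm{Var}(\mathit{seqno}) = \sigma^2\, tk, \qquad \mathrm{SD}(\mathit{seqno}) = \sigma\sqrt{tk}$$

Dividing by $tk$ gives the first martingale's limiting behaviour:

$$E\!\left(\mathit{seqno}/tk - 5\tfrac12\right) = 0, \qquad \mathrm{SD}\!\left(\mathit{seqno}/tk - 5\tfrac12\right) = \frac{\sigma}{\sqrt{tk}} \;\to\; 0$$

and Chebyshev's inequality then bounds the probability of a deviation of more than $\varepsilon$ after $tk$ calls by $\sigma^2/(\varepsilon^2\, tk) \to 0$, which is the convergence in probability to a point mass at $5\tfrac12$ claimed above.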
However, the preceding is not the only way of
dealing with this example. The Central Limit The-
orem states that, in distribution, the successive values
of seqno satisfy, in the limit, $(seqno - n\mu)/\sqrt{n\sigma^2} \to N(0,1)$,
where $n$ is the number of increments, $\sigma^2$ is
the variance of the distribution of a single trial, and
$N(0,1)$ is the standard normal distribution. Applying
this to our situation, we create a martingale as follows.
The $X_j$ are as before, but this time the $S_j$ are de-
fined as $seqno/\sqrt{tk} - 5\tfrac12\sqrt{tk}$. By what we said above,
this will converge to $N(0,1)/SD$, where $SD$ is the
standard deviation of the single trial distribution. This
gives us a second martingale based on the same case
study. The structure of the second martingale displays
a feature that occurs commonly, namely a ‘drift’ term,
this being $5\tfrac12\sqrt{tk}$, the term that has to be subtracted
from the ‘main’ term $seqno/\sqrt{tk}$ in order to gain sta-
bility in the convergence process.[1]
[1] In much of the martingale literature it would be referred
to as the compensator.
It remains to package these insights into a form
compatible with the structure of Event-B models. We
introduce a fresh syntactic component into an Event-
B machine, the MARTINGALES clause (allowing for
more than one, by analogy with the INVARIANTS
clause). In its most primitive form a syntactic martin-
gale of this kind will consist of four expressions: the
first being the ‘raw’ stochastic expression of interest,
StochasticAnaloguesofInvariants-MartingalesinStochasticEvent-B
241
and the second being the drift term that has to be sub-
tracted from it. Next, we would have the mean of the
limiting distribution, followed by an additional term
that quantifies the standard deviation of the limiting
distribution.
In this way the first martingale we derived would
be expressed thus:
MARTINGALES
  [ seqno/tk ; 0 ; 5½ ; 0 ]
and the second thus:
MARTINGALES
  [ seqno/√tk ; 5½√tk ; 0 ; 1/SD ]
The model Mondex2 below shows how these details
have been incorporated into the earlier model. The tk
variable has been included in the model,[2] and the de-
tails of the two martingales explored above have been
packaged into the MARTINGALES clause, each mar-
tingale's components being enclosed in square brack-
ets, and each listed, separated by semicolons, in the
order: raw ; drift ; mean ; standard deviation.
MACHINE Mondex2
VARIABLES
  seqno
  tk
INVARIANTS
  seqno ∈ ℕ
  tk ∈ ℕ
MARTINGALES
  [ seqno/tk ; 0 ; 5½ ; 0 ]
  [ seqno/√tk ; 5½√tk ; 0 ; 1/SD ]
EVENTS
  INITIALISATION
    BEGIN
      seqno := 0
      tk := 0
    END
  Increase
    ANY inc
    WHERE inc ∈ ℕ
          inc ∼ U[1..10]
    THEN
      seqno := seqno + inc
      tk := tk + 1
    END
END
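As an added illustration, not code from the paper, the Python below executes the Mondex2 machine (INITIALISATION, then repeated Increase events with inc drawn uniformly from 1..10, tk counting calls) and samples the quantities behind the MARTINGALES clauses: the first clause's raw term seqno/tk, which should settle at 5½ with a spread shrinking like σ/√tk, and the standardised statistic (seqno − nµ)/√(nσ²) from Section 5, which should look like N(0,1). The function names, run counts and seed are my own choices; µ and σ² are computed as the mean and variance of U[1..10].

```python
import math
import random
from statistics import mean, pstdev

# Increment distribution of Mondex1/Mondex2: inc ~ U[1..10] (values taken from the paper)
INC_LO, INC_HI = 1, 10
MU = (INC_LO + INC_HI) / 2                      # 5.5, the paper's 5½
SIGMA2 = ((INC_HI - INC_LO + 1) ** 2 - 1) / 12  # variance of a discrete uniform: 99/12
SIGMA = math.sqrt(SIGMA2)


def run_mondex2(steps, rng=None):
    """INITIALISATION followed by `steps` Increase events of Mondex2.
    Returns the list of (seqno, tk) after-states, one per event."""
    rng = rng or random.Random(0)  # default seed so the trace is reproducible
    seqno, tk = 0, 0
    trace = []
    for _ in range(steps):
        inc = rng.randint(INC_LO, INC_HI)  # ANY inc WHERE inc ∈ ℕ ∧ inc ~ U[1..10]
        seqno += inc                       # seqno := seqno + inc
        tk += 1                            # tk := tk + 1
        trace.append((seqno, tk))
    return trace


def invariant_holds(trace):
    """The only ordinary invariant Section 3 says Mondex1 supports: with a
    call counter tk, seqno lies between 1*tk and 10*tk (and both are in ℕ)."""
    return all(
        seqno >= 0 and tk >= 0 and INC_LO * tk <= seqno <= INC_HI * tk
        for seqno, tk in trace
    )


def first_martingale(seqno, tk):
    """[ seqno/tk ; 0 ; 5½ ; 0 ]: the raw term minus its (zero) drift."""
    return seqno / tk


def clt_statistic(seqno, tk):
    """(seqno - n*mu) / sqrt(n*sigma^2) with n = tk; Section 5 states that
    this tends in distribution to N(0,1)."""
    return (seqno - tk * MU) / math.sqrt(tk * SIGMA2)


def predicted_sd_first(tk):
    """Standard deviation of seqno/tk after tk calls: sigma/sqrt(tk) -> 0."""
    return SIGMA / math.sqrt(tk)


def sample_limits(runs, steps, seed=2015):
    """Run the machine `runs` times, take the final state of each run and
    summarise the empirical distribution of the two quantities above."""
    rng = random.Random(seed)  # one seeded generator shared across runs
    finals = [run_mondex2(steps, rng)[-1] for _ in range(runs)]
    s1 = [first_martingale(s, t) for s, t in finals]
    z = [clt_statistic(s, t) for s, t in finals]
    return {
        "mean_first": mean(s1),  # expected close to 5.5
        "sd_first": pstdev(s1),  # expected close to predicted_sd_first(steps)
        "mean_clt": mean(z),     # expected close to 0
        "sd_clt": pstdev(z),     # expected close to 1
    }


if __name__ == "__main__":
    summary = sample_limits(runs=1000, steps=400)
    print(summary, "predicted sd_first:", round(predicted_sd_first(400), 4))
```

Raising `steps` makes `sd_first` shrink towards 0 while `sd_clt` stays near 1, which is the contrast between the two clauses that the MARTINGALES notation records.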
The account just developed may be compared with
the earlier treatment of the sequence number issue
that appeared in (Banach et al., 2005). In (Banach
et al., 2005), the authors considered the Mondex se-
quence number issue from a different perspective,
though based on very similar technical details.
In that work, we were interested in stepping from
a relatively ideal formal description of some of the re-
quirements (including deidealising an ideal model of
the sequence number) to a more realistic one.[3] So,
there, the idea was to quantify the difference between
the idealised and more realistic treatments of the se-
quence number, in order to produce evidence that the
parameters chosen for the real implementation were
appropriate. The simplest way of doing that involved
a calculation very similar in character to the one in
this paper. However, there, the whole process neces-
sarily resided outside of the formal elements of the
system model. In this paper, the more formal treat-
ment via martingales opens the door to a more generic
and systematic treatment of similar problems.
[2] An alternative approach would be to incorporate such
an ‘analogue of time’ variable as part of the framework it-
self.
[3] In fact the cited paper was just the first element in a
wider study of the imperfect treatment of some Mondex re-
quirements in the formal models of (Stepney et al., 2000),
see (Banach et al., 2005; Banach et al., 2006a; Banach et al.,
2006b; Banach et al., 2007).
6 CONCLUSIONS
The familiar invariant based way of specifying and
reasoning about programs has been used for a long
time to bring greater dependability to the systems
constructed using those techniques. However, many
properties of such systems are stochastic in nature
rather than absolute. For those aspects, the invariant
based approach tends to give extremely conservative
results, too conservative to be useful in practice. (This
is particularly so in the case of variables with distribu-
tions which are not bounded; for example if the incre-
ments of seqno were drawn from an exponential dis-
tribution. In such a case the only invariant one could
write regarding such a variable would be true.) What
is desirable for these situations is a more stochastic
analogue of the concept of program invariant. In this
paper we have advanced the idea that the martingale
concept from the theory of stochastic processes is a
plausible such analogue.
In the preceding sections, using a simple example,
we have proposed that martingales can give us an ana-
logue of invariants in situations where the long term
behaviour of a digital system tends to stability, even
though the short term behaviour may admit fluctua-
tions of much greater amplitude.
Of course, probabilistic behaviour in transition
systems is not new and has been studied intensively.
From an extensive literature we cite only (Heerink
and Tretmans, 1996; McIver and Morgan, 2005; van
Breugel and Worrell, 2001). In general, the stochastic
approach does not sit very comfortably with the famil-
iar nondeterminism and invariant based one, which
uses nondeterminism to circumscribe unknown as-
pects of system behaviour (rather than probability).
In the majority of the existing probabilistic work
(that focuses on the probabilistic quantification of
program behaviour), the focus is on detailed correct-
ness notions, in other words, despite permitting prob-
abilistic behaviour, the concern is with the properties
of individual steps. This contrasts with our focus,
which permits transient behaviour to be disregarded,
in favour of long term averaged properties.
Of course, the discussion in this paper is but a
first step in the incorporation of such ideas into a
generic formal context. A particularly fertile possi-
ble application area for such ideas is in the formal
description of cyberphysical systems, with their un-
avoidable involvement of continuous physical pro-
cesses (Sztipanovits, 2011; Willems, 2007; Sum-
mit Report, 2008; National Science and Technology
Council, 2011). There, the use of martingales for the
description of long term noisy physical components
is even more compelling than for the purely discrete
case, due to the fact that the relevant stochastic pro-
cesses typically enjoy an ‘independent increments on
disjoint intervals of time’ property, something well
captured via the theory of ideal continuous stochas-
tic processes. This makes the martingale behaviour of
stochastic physical variables in stable dynamical situ-
ations into a convincing metaphor for observed phe-
nomena. However, a proper treatment of these will
need an excursion into the more challenging continu-
ous version of martingale theory. This remains as fu-
ture work. Also, with the experience of a more fully
worked out proposal, there will be more clarity re-
garding what are the most useful verification condi-
tions that should be generated to support martingale
use in formal model based development.
REFERENCES
Abrial, J.-R. (1989). A Formal Approach to Large Soft-
ware Construction. In van de Snepscheut, editor,
Mathematics of Program Construction, volume 375 of
LNCS, pages 1–20. Springer.
Abrial, J.-R. (1996). The B-Book: Assigning Programs to
Meanings. Cambridge University Press.
Abrial, J.-R. (2010). Modeling in Event-B: System and Soft-
ware Engineering. Cambridge University Press.
Abrial, J.-R., Butler, M., Hallerstede, S., Hoang, T., Mehta,
F., and Voisin, L. (2010). Rodin: an open toolset for
modelling and reasoning in Event-B. Int. J. Software
Tools for Technology Transfer, 12(6):447–466.
Banach, R., Jeske, C., Poppleton, M., and Stepney, S.
(2006a). Retrenching the Purse: Finite Exception
Logs, and Validating the Small. In Hinchey, editor,
Proc. NASA/IEEE SEW-30, pages 234–245, Loyola
College Graduate Center, Columbia, MD.
Banach, R., Jeske, C., Poppleton, M., and Stepney, S.
(2006b). Retrenching the Purse: Hashing Injective
CLEAR Codes, and Security Properties. In Steffen,
Margaria, and Philippou, editors, ISOLA-06, Paphos,
Cyprus. IEEE.
Banach, R., Jeske, C., Poppleton, M., and Stepney, S.
(2007). Retrenching the Purse: The Balance Enquiry
Quandary, and Generalised and (1,1) Forward Refine-
ments. Fundamenta Informaticae, 77:29–69.
Banach, R., Poppleton, M., Jeske, C., and Stepney, S.
(2005). Retrenching the Purse: Finite Sequence Num-
bers and the Tower Pattern. In Formal Methods 2005,
pages 382–398.
D.T.I. (1991). Information Technology Security Evalua-
tion Criteria. http://www.cesg.gov.uk/site/iacs/itsec/media/formal-docs/Itsec.pdf.
Grimmett, G. and Stirzaker, D. (2001). Probability and
Random Processes. O.U.P., 3rd edition.
Heerink, L. and Tretmans, J. (1996). Formal Methods in
Conformance Testing: A Probabilistic Refinement. In
Testing of Communicating Systems, pages 261–276.
Springer.
ISO-Z (2002). Information Technology – Z Formal Specifi-
cation Notation – Syntax, Type System and Semantics:
International Standard. ISO/IEC 13568.
http://www.iso.org/iso/en/ittf/PubliclyAvailableStandards/c021573_ISO_IEC_13568_2002(E).zip.
Jones, C., O’Hearne, P., and Woodcock, J. (2006). Veri-
fied Software: A Grand Challenge. IEEE Computer,
39(4):93–95.
Jones, C. and Woodcock (eds.), J. (2008). FAC Special Is-
sue on the Mondex Verification. Formal Aspects of
Computing, 20(1):1–139.
McIver, A. and Morgan, C. (2005). Abstraction, Refinement
and Proof for Probabilistic Systems. Springer.
National Science and Technology Council (2011). Trustworthy
Cyberspace: Strategic plan for the Federal Cybersecurity Re-
search and Development Program.
http://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf.
Resnick, S. (1992). Adventures in Stochastic Processes.
Birkhauser.
Spivey, J. (1992). The Z Notation: A Reference Manual.
Prentice-Hall, second edition.
Stepney, S., Cooper, D., and Woodcock, J. (2000). An Elec-
tronic Purse: Specification, Refinement and Proof.
Technical Report PRG-126, Oxford University Com-
puting Laboratory.
Summit Report (2008). Summit Report: Cyber-Physical
Systems. http://iccps2012.cse.wustl.edu/_doc/_CPS_Summit_Report.pdf.
Sztipanovits, J. (2011). Model Integration and Cy-
ber Physical Systems: A Semantics Perspec-
tive. In Butler and Schulte, editors, Proc. FM-
11. Springer, LNCS 6664, p.1,
http://sites.lero.ie/download.aspx?f=Sztipanovits-Keynote.pdf.
Invited talk, FM 2011, Limerick, Ireland.
van Breugel, F. and Worrell, J. (2001). Towards Quantitative
Verification of Probabilistic Transition Systems. In
Proc. ALP-01, pages 421–432. Springer LNCS.
Willems, J. (2007). Open Dynamical Systems: Their Aims
and their Origins. Ruberti Lecture, Rome.
http://homes.esat.kuleuven.be/jwillems/Lectures/2007/Rubertilecture.pdf.
Woodcock, J. (2006). First Steps in the Verified Soft-
ware Grand Challenge. IEEE Computer, 39(10):57–
64.
Woodcock, J. and Banach, R. (2007). The Verification
Grand Challenge. JUCS, 13(5):661–668.
StochasticAnaloguesofInvariants-MartingalesinStochasticEvent-B
243