It is argued that refinement, in which I/O signatures stay the same, preconditions are weakened and postconditions strengthened, is too restrictive to describe all but a fraction of many realistic developments. An alternative notion is proposed called retrenchment, which allows information to migrate between I/O and state aspects of operations at different levels of abstraction, and which allows only a fraction of the high level behaviour to be captured at the low level. This permits more of the informal aspects of design to be formally captured and checked. The details are worked out for the B-Method.
Idealised and Realistic Modelling: The Inadequacy of Pure RefinementLike all good examples of terminology, the word "refinement" is far too evocative for its use ever to have been confined to exactly one concept. Even within the formal methods community, the word is used in at least two distinct senses. The first is a strict sense. An operation O C is a refinement of an operation O A iff the precondition of O C is weaker than the precondition of O A and the relation of O C is less nondeterministic than the relation of O A .The well known refinement calculus [Back (1981), Back (1988), von Wright (1989), von Wright (1994), Morris (1987), Morgan (1990)] captures this in a formal system within which one can calculate precisely.However there is a second, much less strict use of the word. In formalisms such as Z or VDM [Spivey (1993), Hayes (1993), , Jones and Shaw (1990)], requirements are frequently captured at a high level of abstraction, often involving for instance divine natural numbers or divine real numbers 1 , and neglecting whole rafts of detail not appropriate to a high level view, in order that the reader of the high level description "can see the wood for the trees". Such descriptions are then "refined" to lower levels of abstraction where the missing details are filled in, typically yielding longer, more tortuous and much less transparent but much more realistic definitions of the system in question. Indeed the complexity of such descriptions can often be comparable to or greater than that of their implementations, a fact cited by detractors of formal methods as undermining the value of formal methods themselves, though this seems to us to be like denigrating stereoscopic vision because the image seen by the left eye is of comparable complexity to that seen by the right.In truth the world is a complex place and developing descriptions of some part of it in two distinct but reconcilable formalisms (the specification and implementation), rather 1. By divine naturals, integers or reals, we mean the natural numbers, integers or real numbers that God made, abstract and infinite, in contrast to the finite discrete approximations that we are able to implement on any real world system. The latter we call mundane natural numbers, integers or real numbers.
