Ch9
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Ch9 as PDF for free.
More details
- Words: 3,837
- Pages: 40
Formal Specification ●
Techniques for the unambiguous specification of software
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 1
Objectives ●
●
●
To explain why formal specification techniques help discover problems in system requirements To describe the use of algebraic techniques for interface specification To describe the use of modelbased techniques for behavioural specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 2
Topics covered ● ● ●
Formal specification in the software process Interface specification Behavioural specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 3
Formal methods ●
●
●
Formal specification is part of a more general collection of techniques that are known as ‘formal methods’ These are all based on mathematical representation and analysis of software Formal methods include • • • •
©Ian Sommerville 2000
Formal specification Specification analysis and proof Transformational development Program verification Software Engineering, 6th edition. Chapter 9
Slide 4
Acceptance of formal methods ●
Formal methods have not become mainstream software development techniques as was once predicted • • • •
©Ian Sommerville 2000
Other software engineering techniques have been successful at increasing system quality. Hence the need for formal methods has been reduced Market changes have made timetomarket rather than software with a low error count the key factor. Formal methods do not reduce time to market The scope of formal methods is limited. They are not well suited to specifying and analysing user interfaces and user interaction Formal methods are hard to scale up to large systems Software Engineering, 6th edition. Chapter 9
Slide 5
Use of formal methods ●
●
●
Formal methods have limited practical applicability Their principal benefits are in reducing the number of errors in systems so their mai area of applicability is critical systems In this area, the use of formal methods is most likely to be costeffective
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 6
Specification in the software process ●
●
●
Specification and design are inextricably intermingled. Architectural design is essential to structure a specification. Formal specifications are expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics.
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 7
I n c r e a s i n g c o n t r a c t o r i n v o l e m n t D l i e fecitw o areionH idghslenvl R edqufirnem ttosR n espquciS rfpem teaciiofsationA n rcdhitsecgnuralspS D esign
Specification and design
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 8
R e q u i r e m n t s F o r m a l s p c f a i o s p e c i f t i o n R edqufirnem ttosm n H i g h l e v l d s i g n S sodtlem y A r c h i t e c u r a l ing dsgn Specification in the software process
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 9
Specification techniques ●
Algebraic approach •
●
The system is specified in terms of its operations and their relationships
Modelbased approach •
©Ian Sommerville 2000
The system is specified in terms of a state model that is constructed using mathematical constructs such as sets and sequences. Operations are defined by modifications to the system’s state
Software Engineering, 6th edition. Chapter 9
Slide 10
Formal specification languages
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 11
Use of formal specification ●
●
●
●
Formal specification involves investing more effort in the early phases of software development This reduces requirements errors as it forces a detailed analysis of the requirements Incompleteness and inconsistencies can be discovered and resolved Hence, savings as made as the amount of rework due to requirements problems is reduced
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 12
C ostIm V a l i d a t i o n D eplsm igen atdionS V a l i d a t i o n D e s i g n a d I m p l m e t i o n p e c i f a t i o n S pecifation W ispth teci faorim o u anl sW ipecth form ationl
Development costs with formal specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 13
Interface specification ●
●
●
●
Large systems are decomposed into subsystems with welldefined interfaces between these subsystems Specification of subsystem interfaces allows independent development of the different subsystems Interfaces may be defined as abstract data types or object classes The algebraic approach to formal specification is particularly wellsuited to interface specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 14
I n t e r f a c e o b j t s S ubsA ytem S ubsB ytem
Subsystem interfaces
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 15
< SP TIO ic ar am sort < na impo < L OF TIO Inf or mal iptio t a at Ope ation the p Axio atio vetr
The structure of an algebraic specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 16
Specification components ●
Introduction •
●
Description •
●
Informally describes the operations on the type
Signature •
●
Defines the sort (the type name) and declares other specifications that are used
Defines the syntax of the operations in the interface and their parameters
Axioms •
©Ian Sommerville 2000
Defines the operation semantics by defining axioms which characterise behaviour Software Engineering, 6th edition. Chapter 9
Slide 17
Systematic algebraic specification ●
Algebraic specifications of a system may be developed in a systematic way • • • • • •
©Ian Sommerville 2000
Specification structuring. Specification naming. Operation selection. Informal operation specification Syntax definition Axiom definition
Software Engineering, 6th edition. Chapter 9
Slide 18
Specification operations ●
●
●
Constructor operations. Operations which create entities of the type being specified Inspection operations. Operations which evaluate entities of the type being specified To specify behaviour, define the inspector operations for each constructor operation
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 19
Operations on a list ADT ●
Constructor operations which evaluate to sort List •
●
Inspection operations which take sort list as a parameter and return some other sort •
●
Create, Cons and Tail
Head and Length.
Tail can be defined using the simpler constructors Create and Cons. No need to define Head and Length with Tail.
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 20
ΛΙΣΤ ( Ελεµ sort List impor INTE Define v e d from th T ation he o , wh ings into e xisten , Con , whic w lis , Length v a e , luate He v a lu eleme T a il, w y re vin input li Create → → Λιστ Ηεαδ → Ελεµ ( Λενγτη Ιντεγ Τ α Λιστ ιλ (Λ Head exce (em if L = Cr then v else He Length T aif il (Cr L il (Co = Cr then Cre else Co ail
List specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 21
Recursion in specifications ● ●
Operations are often specified recursively Tail (Cons (L, v)) = if L = Create then Create else Cons (Tail (L), v) • • • • • •
©Ian Sommerville 2000
Cons ([5, 7], 9) = [5, 7, 9] Tail ([5, 7, 9]) = Tail (Cons ( [5, 7], 9)) = Cons (Tail ([5, 7]), 9) = Cons (Tail (Cons ([5], 7)), 9) = Cons (Cons (Tail ([5]), 7), 9) = Cons (Cons (Tail (Cons ([], 5)), 7), 9) = Cons (Cons ([Create], 7), 9) = Cons ([7], 9) = [7, 9]
Software Engineering, 6th edition. Chapter 9
Slide 22
Interface specification in critical systems ●
●
●
●
Consider an air traffic control system where aircraft fly through managed sectors of airspace Each sector may include a number of aircraft but, for safety reasons, these must be separated In this example, a simple vertical separation of 300m is proposed The system should warn the controller if aircraft are instructed to move so that the separation rule is breached
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 23
A sector object ●
Critical operations on an object representing a controlled sector are • • • •
©Ian Sommerville 2000
Enter. Add an aircraft to the controlled airspace Leave. Remove an aircraft from the controlled airspace Move. Move an aircraft from one height to another Lookup. Given an aircraft identifier, return its current height
Software Engineering, 6th edition. Chapter 9
Slide 24
Primitive operations ●
●
●
It is sometimes necessary to introduce additional operations to simplify the specification The other operations can then be defined using these more primitive operations Primitive operations • • • •
©Ian Sommerville 2000
Create. Bring an instance of a sector into existence Put. Add an aircraft without safety checks Inspace. Determine if a given aircraft is in the sector Occupied. Given a height, determine if there is an aircraft within 300m of that height
Software Engineering, 6th edition. Chapter 9
Slide 25
Sector specification
Σ Ε Χ Τ Ο Ρ L tE s o r S e c t o r iM m p s I N T E G R , B O L E A N rP tC ru n o e a d s a n i r c a f t o t h e s c t o r i f s a f e t y c o n d i t o n s a r e s a t i s f e d a v r e m o v e s n i r c a f r o m h e c o r n g h a h e r f f o d o k u p F i n d t h e g h t o a a i r c a f t i n t e s c t o tE e a e c r e a s a n m p y s e c t o IO n d s n i r c f t o a r w i t h n o c n s t r a i n t c h e c k s s p h k a n i r c a f i s a l r e a d y i a e c o r iΛ c e c e s i s p e e d h g s v l b Ινρ rΠ tΧ (υ n S t o r , C a l g n , H i g t ) → Σ ε χ τ ο ρ εΜ α ϖ ε ( Σ ε χ τ ο ρ , Χ α λ − σ ι γ ν ) → Σ ε χ τ ο ρ ο , Η ε ι γ η ) κ υ π Η ι γ η ε α τ ε → Σ ε χ τ ο ρ (E Σ χ τ ο ρ , Χ α λ − σ ι γ ν , Η ε ι γ η τ ) → Σ ε χ τ ο ρ − σ π ( , Χ α λ − σ ν Β ο λ α ν Ο χ ι ε δ Σ ε χ τ ο ρ Η ε ι γ η τ ) → t e n e rlvis fe (e , ( C S P ,u rP C S H ) = L fa ie IS O n s p a c e ( S , C S t h e n S e x c e p t i o n ( A i r c a f t a l r e a d y i n s e c t o r ) c u i d H ) H e g h o n f i c t ) t ( S , C e a ) = C r e a t e x c e p t i o n ( A i r c a f t n o t i n s e c t o r ) t ( S , C S 1 , H 1 ) , C S ) = = C 1 t h e n S l s P u t ( L a v e S , C S ) , C S 1 , H 1 ) M o e v (lO e ,s e ,H E S H ) = L io fN = C r e a t t h e n C r e a t e x c e p t i o n ( N o a i r c a f t i n s e c t o r ) n o t I n s p c ( S , S ) h n S x c e p t i n ( A o i n s e c t o r ) O c u i d ( S , H ) t h n S H e g h t o l c ) P ( L e a v e C C , H ) I G H T i s c o n s t a n t i d c a t i n g t h a t v a l i d h e i g h t c a n o t b e r t u r n e d k u p ( C r e a t , C S ) = N O H E I G H T e x c e p t o n ( A r c a f o t i s c o ) P u ( S 1 , H 1 ) , C S ) = i In O fcs e C S = 1 t h e n e l s e L o k u p ( S , C S ) i ip ffl a u (s p e d C r e a , H ) = f a P u t ( S C S 1 , H 1 ) , H ) = H 1 > H n d ² 3 0 ) o r ( H > H 1 a n d H H 1 ² 3 0 ) t h e n t r u e C e O c p i e d ( cS (C re t,h )e S = fe a e = P u a (1 S C ,n 1 tru H 1 )ls, e C S )= I n sp a ce (S , C S )
Specification commentary ●
●
●
Use the basic constructors Create and Put to specify other operations Define Occupied and Inspace using Create and Put and use them to make checks in other operation definitions All operations that result in changes to the sector must check that the safety criterion holds
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 27
Behavioural specification ●
●
●
Algebraic specification can be cumbersome when the object operations are not independent of the object state Modelbased specification exposes the system state and defines the operations in terms of changes to that state The Z notation is a mature technique for model based specification. It combines formal and informal description and uses graphical highlighting when presenting specifications
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 28
conte cCont S h e m a n m e S c h e m a s i g n a t u r e S c h e m a p r e d i c a t e capa conte
The structure of a Z schema
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 29
Insu Need Cl Pum assem Con Al Sens Dis Disp Pow
An insulin pump
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 30
Modelling the insulin pump ●
The schema models the insulin pump as a number of state variables • • • • • • •
●
reading? dose, cumulative_dose r0, r1, r2 capacity alarm! pump! display1!, display2!
Names followed by a ? are inputs, names followed by a ! are outputs
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 31
Schema invariant ●
●
Each Z schema has an invariant part which defines conditions that are always true For the insulin pump schema it is always true that • • •
©Ian Sommerville 2000
The dose must be less than or equal to the capacity of the insulin reservoir No single dose may be more than 5 units of insulin and the total dose delivered in a time period must not exceed 50 units of insulin. This is a safety constraint (see Chapters 16 and 17) display1! shows the status of the insulin reservoir.
Software Engineering, 6th edition. Chapter 9
Slide 32
id lc Ird n s u n _ p u m p e a d g ? : ,o 0 o c l a t i v e _ d o s e : rχ 1 r 2 / u t o r e c o r d t h e l a s t 3 r e a d i n g s t a k e n iα :iπ tlu a se p y !p { χ m f²a ,ιτy o o n } 1 d i s p l a y 2 ! : S T R I N G c p a c t ∧ δ ο σ ε ″ 5 ∧ χ υ µ υ λ α τ ι ϖ ε _ δ ο σ ε ″ 5 0 ψ ≥ 4 0 ⇒ ι π λ α ψ 1 ! = ∀ ″ 3 9 χ α χ τ ≥ 0 ⇒ δ σ π ψ 1 ! = ∀ Ι ν σ υ λ ι ν ο ω ∀ λ ρ µ ! = ο ν ∧ δ ι σ π λ α ψ 1 ! = ∀ Ι ν σ υ λ ι ϖ ε ρ ψ λ ρ 2=ρ εα δινγ?
Insulin pump schema
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 33
The dosage computation ●
●
●
●
The insulin pump computes the amount of insulin required by comparing the current reading with two previous readings If these suggest that blood glucose is rising then insulin is delivered Information about the total dose delivered is maintained to allow the safety check invariant to be applied Note that this invariant always applies there is no need to repeat it in the dosage computation
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 34
D O S A G E Ι(δο ∆ ν ισ σ υ λ ν _ Π υ µ π ε = 0 ∧ ( ρ 1 ≥ ρ 0 ) ∧ ( ρ 2 = ρ 1 ) ∨ > ″ < 1 − 2 > ( ρ 0 − 1 ) )δδο ∨ ο σ ε = 4 ∧ ()σ ( ρ 1 ″ ρ 0 ) ∧ ( ρ 2 = ρ 1 ) ∨ < − 2 ″ ( ρ 0 − 1 ) ∨ ε = ( ρ 2 − ρ 1 ) ∗ 4 ∧ ()χ ″ ρ 0 ) ( ρ 2 > ρ 1 ) ∨ ( ρ 1 > ∧ − ≥ ( ρ 1 − ρ 0 ) )ρ ι0υ α π χ τ ψ ∋ = χ α π χ ι τ ψ − δ ο σ ε µ λ α ϖ ε _ δ ο σ ε ∋ = χ υ µ υ λ α τ ι ϖ ε _ δ ο σ ε + δ ο σ ε ∋=ρ 1∧ ρ 1∋=ρ 2
DOSAGE schema
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 35
Output schemas ●
●
●
The output schemas model the system displays and the alarm that indicates some potentially dangerous condition The output displays show the dose computed and a warning message The alarm is activated if blood sugar is very low this indicates that the user should eat something to increase their blood sugar level
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 36
I∆ D S P L A Y Ιδ(ρ ιιεα ν σ υ λ ν _ Π υ µ π π α ψ 2 ! ∋ = Ν α τ _ ο σ τ ρ ι ν γ ( δ ο σ ε ) ∧ ιΑ δ ν γ ? < 3 ⇒ δ ι π λ α ψ 1 ! ∋ = ∀ Σ υ γ α ρ λ ο ω ∀ ∨ > 0 η ι γ ≥ α ν ρ ε δ ι ν γ ? ″ 3 0 ⇒ δ σ π α ψ 1 ! ∋ = ∀ Ο Κ ∀ ) Λ Ρ Μ Ι(ρ ∆ ιεα ν σ υ λ ν _ Π υ µ π δινγ?< 3 ∨ ρ ε α δ ι ν γ ? > 3 0 ) ⇒ α λ ρ µ ! ∋ = ο ν ∨ ≥∧″ φ
Output schemas
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 37
Schema consistency ●
●
It is important that schemas are consistent. Inconsistency suggests a problem with the system requirements The INSULIN_PUMP schema and the DISPLAYare inconsistent • •
●
display1! shows a warning message about the insulin reservoir (INSULIN_PUMP) display1! Shows the state of the blood sugar (DISPLAY)
This must be resolved before implementation of the system
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 38
Key points ●
●
●
Formal system specification complements informal specification techniques Formal specifications are precise and unambiguous. They remove areas of doubt in a specification Formal specification forces an analysis of the system requirements at an early stage. Correcting errors at this stage is cheaper than modifying a delivered system
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 39
Key points ●
●
●
Formal specification techniques are most applicable in the development of critical systems and standards. Algebraic techniques are suited to interface specification where the interface is defined as a set of object classes Modelbased techniques model the system using sets and functions. This simplifies some types of behavioural specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 40
Techniques for the unambiguous specification of software
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 1
Objectives ●
●
●
To explain why formal specification techniques help discover problems in system requirements To describe the use of algebraic techniques for interface specification To describe the use of modelbased techniques for behavioural specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 2
Topics covered ● ● ●
Formal specification in the software process Interface specification Behavioural specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 3
Formal methods ●
●
●
Formal specification is part of a more general collection of techniques that are known as ‘formal methods’ These are all based on mathematical representation and analysis of software Formal methods include • • • •
©Ian Sommerville 2000
Formal specification Specification analysis and proof Transformational development Program verification Software Engineering, 6th edition. Chapter 9
Slide 4
Acceptance of formal methods ●
Formal methods have not become mainstream software development techniques as was once predicted • • • •
©Ian Sommerville 2000
Other software engineering techniques have been successful at increasing system quality. Hence the need for formal methods has been reduced Market changes have made timetomarket rather than software with a low error count the key factor. Formal methods do not reduce time to market The scope of formal methods is limited. They are not well suited to specifying and analysing user interfaces and user interaction Formal methods are hard to scale up to large systems Software Engineering, 6th edition. Chapter 9
Slide 5
Use of formal methods ●
●
●
Formal methods have limited practical applicability Their principal benefits are in reducing the number of errors in systems so their mai area of applicability is critical systems In this area, the use of formal methods is most likely to be costeffective
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 6
Specification in the software process ●
●
●
Specification and design are inextricably intermingled. Architectural design is essential to structure a specification. Formal specifications are expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics.
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 7
I n c r e a s i n g c o n t r a c t o r i n v o l e m n t D l i e fecitw o areionH idghslenvl R edqufirnem ttosR n espquciS rfpem teaciiofsationA n rcdhitsecgnuralspS D esign
Specification and design
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 8
R e q u i r e m n t s F o r m a l s p c f a i o s p e c i f t i o n R edqufirnem ttosm n H i g h l e v l d s i g n S sodtlem y A r c h i t e c u r a l ing dsgn Specification in the software process
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 9
Specification techniques ●
Algebraic approach •
●
The system is specified in terms of its operations and their relationships
Modelbased approach •
©Ian Sommerville 2000
The system is specified in terms of a state model that is constructed using mathematical constructs such as sets and sequences. Operations are defined by modifications to the system’s state
Software Engineering, 6th edition. Chapter 9
Slide 10
Formal specification languages
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 11
Use of formal specification ●
●
●
●
Formal specification involves investing more effort in the early phases of software development This reduces requirements errors as it forces a detailed analysis of the requirements Incompleteness and inconsistencies can be discovered and resolved Hence, savings as made as the amount of rework due to requirements problems is reduced
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 12
C ostIm V a l i d a t i o n D eplsm igen atdionS V a l i d a t i o n D e s i g n a d I m p l m e t i o n p e c i f a t i o n S pecifation W ispth teci faorim o u anl sW ipecth form ationl
Development costs with formal specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 13
Interface specification ●
●
●
●
Large systems are decomposed into subsystems with welldefined interfaces between these subsystems Specification of subsystem interfaces allows independent development of the different subsystems Interfaces may be defined as abstract data types or object classes The algebraic approach to formal specification is particularly wellsuited to interface specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 14
I n t e r f a c e o b j t s S ubsA ytem S ubsB ytem
Subsystem interfaces
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 15
< SP TIO ic ar am sort < na impo < L OF TIO Inf or mal iptio t a at Ope ation the p Axio atio vetr
The structure of an algebraic specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 16
Specification components ●
Introduction •
●
Description •
●
Informally describes the operations on the type
Signature •
●
Defines the sort (the type name) and declares other specifications that are used
Defines the syntax of the operations in the interface and their parameters
Axioms •
©Ian Sommerville 2000
Defines the operation semantics by defining axioms which characterise behaviour Software Engineering, 6th edition. Chapter 9
Slide 17
Systematic algebraic specification ●
Algebraic specifications of a system may be developed in a systematic way • • • • • •
©Ian Sommerville 2000
Specification structuring. Specification naming. Operation selection. Informal operation specification Syntax definition Axiom definition
Software Engineering, 6th edition. Chapter 9
Slide 18
Specification operations ●
●
●
Constructor operations. Operations which create entities of the type being specified Inspection operations. Operations which evaluate entities of the type being specified To specify behaviour, define the inspector operations for each constructor operation
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 19
Operations on a list ADT ●
Constructor operations which evaluate to sort List •
●
Inspection operations which take sort list as a parameter and return some other sort •
●
Create, Cons and Tail
Head and Length.
Tail can be defined using the simpler constructors Create and Cons. No need to define Head and Length with Tail.
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 20
ΛΙΣΤ ( Ελεµ sort List impor INTE Define v e d from th T ation he o , wh ings into e xisten , Con , whic w lis , Length v a e , luate He v a lu eleme T a il, w y re vin input li Create → → Λιστ Ηεαδ → Ελεµ ( Λενγτη Ιντεγ Τ α Λιστ ιλ (Λ Head exce (em if L = Cr then v else He Length T aif il (Cr L il (Co = Cr then Cre else Co ail
List specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 21
Recursion in specifications ● ●
Operations are often specified recursively Tail (Cons (L, v)) = if L = Create then Create else Cons (Tail (L), v) • • • • • •
©Ian Sommerville 2000
Cons ([5, 7], 9) = [5, 7, 9] Tail ([5, 7, 9]) = Tail (Cons ( [5, 7], 9)) = Cons (Tail ([5, 7]), 9) = Cons (Tail (Cons ([5], 7)), 9) = Cons (Cons (Tail ([5]), 7), 9) = Cons (Cons (Tail (Cons ([], 5)), 7), 9) = Cons (Cons ([Create], 7), 9) = Cons ([7], 9) = [7, 9]
Software Engineering, 6th edition. Chapter 9
Slide 22
Interface specification in critical systems ●
●
●
●
Consider an air traffic control system where aircraft fly through managed sectors of airspace Each sector may include a number of aircraft but, for safety reasons, these must be separated In this example, a simple vertical separation of 300m is proposed The system should warn the controller if aircraft are instructed to move so that the separation rule is breached
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 23
A sector object ●
Critical operations on an object representing a controlled sector are • • • •
©Ian Sommerville 2000
Enter. Add an aircraft to the controlled airspace Leave. Remove an aircraft from the controlled airspace Move. Move an aircraft from one height to another Lookup. Given an aircraft identifier, return its current height
Software Engineering, 6th edition. Chapter 9
Slide 24
Primitive operations ●
●
●
It is sometimes necessary to introduce additional operations to simplify the specification The other operations can then be defined using these more primitive operations Primitive operations • • • •
©Ian Sommerville 2000
Create. Bring an instance of a sector into existence Put. Add an aircraft without safety checks Inspace. Determine if a given aircraft is in the sector Occupied. Given a height, determine if there is an aircraft within 300m of that height
Software Engineering, 6th edition. Chapter 9
Slide 25
Sector specification
Σ Ε Χ Τ Ο Ρ L tE s o r S e c t o r iM m p s I N T E G R , B O L E A N rP tC ru n o e a d s a n i r c a f t o t h e s c t o r i f s a f e t y c o n d i t o n s a r e s a t i s f e d a v r e m o v e s n i r c a f r o m h e c o r n g h a h e r f f o d o k u p F i n d t h e g h t o a a i r c a f t i n t e s c t o tE e a e c r e a s a n m p y s e c t o IO n d s n i r c f t o a r w i t h n o c n s t r a i n t c h e c k s s p h k a n i r c a f i s a l r e a d y i a e c o r iΛ c e c e s i s p e e d h g s v l b Ινρ rΠ tΧ (υ n S t o r , C a l g n , H i g t ) → Σ ε χ τ ο ρ εΜ α ϖ ε ( Σ ε χ τ ο ρ , Χ α λ − σ ι γ ν ) → Σ ε χ τ ο ρ ο , Η ε ι γ η ) κ υ π Η ι γ η ε α τ ε → Σ ε χ τ ο ρ (E Σ χ τ ο ρ , Χ α λ − σ ι γ ν , Η ε ι γ η τ ) → Σ ε χ τ ο ρ − σ π ( , Χ α λ − σ ν Β ο λ α ν Ο χ ι ε δ Σ ε χ τ ο ρ Η ε ι γ η τ ) → t e n e rlvis fe (e , ( C S P ,u rP C S H ) = L fa ie IS O n s p a c e ( S , C S t h e n S e x c e p t i o n ( A i r c a f t a l r e a d y i n s e c t o r ) c u i d H ) H e g h o n f i c t ) t ( S , C e a ) = C r e a t e x c e p t i o n ( A i r c a f t n o t i n s e c t o r ) t ( S , C S 1 , H 1 ) , C S ) = = C 1 t h e n S l s P u t ( L a v e S , C S ) , C S 1 , H 1 ) M o e v (lO e ,s e ,H E S H ) = L io fN = C r e a t t h e n C r e a t e x c e p t i o n ( N o a i r c a f t i n s e c t o r ) n o t I n s p c ( S , S ) h n S x c e p t i n ( A o i n s e c t o r ) O c u i d ( S , H ) t h n S H e g h t o l c ) P ( L e a v e C C , H ) I G H T i s c o n s t a n t i d c a t i n g t h a t v a l i d h e i g h t c a n o t b e r t u r n e d k u p ( C r e a t , C S ) = N O H E I G H T e x c e p t o n ( A r c a f o t i s c o ) P u ( S 1 , H 1 ) , C S ) = i In O fcs e C S = 1 t h e n e l s e L o k u p ( S , C S ) i ip ffl a u (s p e d C r e a , H ) = f a P u t ( S C S 1 , H 1 ) , H ) = H 1 > H n d ² 3 0 ) o r ( H > H 1 a n d H H 1 ² 3 0 ) t h e n t r u e C e O c p i e d ( cS (C re t,h )e S = fe a e = P u a (1 S C ,n 1 tru H 1 )ls, e C S )= I n sp a ce (S , C S )
Specification commentary ●
●
●
Use the basic constructors Create and Put to specify other operations Define Occupied and Inspace using Create and Put and use them to make checks in other operation definitions All operations that result in changes to the sector must check that the safety criterion holds
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 27
Behavioural specification ●
●
●
Algebraic specification can be cumbersome when the object operations are not independent of the object state Modelbased specification exposes the system state and defines the operations in terms of changes to that state The Z notation is a mature technique for model based specification. It combines formal and informal description and uses graphical highlighting when presenting specifications
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 28
conte cCont S h e m a n m e S c h e m a s i g n a t u r e S c h e m a p r e d i c a t e capa conte
The structure of a Z schema
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 29
Insu Need Cl Pum assem Con Al Sens Dis Disp Pow
An insulin pump
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 30
Modelling the insulin pump ●
The schema models the insulin pump as a number of state variables • • • • • • •
●
reading? dose, cumulative_dose r0, r1, r2 capacity alarm! pump! display1!, display2!
Names followed by a ? are inputs, names followed by a ! are outputs
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 31
Schema invariant ●
●
Each Z schema has an invariant part which defines conditions that are always true For the insulin pump schema it is always true that • • •
©Ian Sommerville 2000
The dose must be less than or equal to the capacity of the insulin reservoir No single dose may be more than 5 units of insulin and the total dose delivered in a time period must not exceed 50 units of insulin. This is a safety constraint (see Chapters 16 and 17) display1! shows the status of the insulin reservoir.
Software Engineering, 6th edition. Chapter 9
Slide 32
id lc Ird n s u n _ p u m p e a d g ? : ,o 0 o c l a t i v e _ d o s e : rχ 1 r 2 / u t o r e c o r d t h e l a s t 3 r e a d i n g s t a k e n iα :iπ tlu a se p y !p { χ m f²a ,ιτy o o n } 1 d i s p l a y 2 ! : S T R I N G c p a c t ∧ δ ο σ ε ″ 5 ∧ χ υ µ υ λ α τ ι ϖ ε _ δ ο σ ε ″ 5 0 ψ ≥ 4 0 ⇒ ι π λ α ψ 1 ! = ∀ ″ 3 9 χ α χ τ ≥ 0 ⇒ δ σ π ψ 1 ! = ∀ Ι ν σ υ λ ι ν ο ω ∀ λ ρ µ ! = ο ν ∧ δ ι σ π λ α ψ 1 ! = ∀ Ι ν σ υ λ ι ϖ ε ρ ψ λ ρ 2=ρ εα δινγ?
Insulin pump schema
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 33
The dosage computation ●
●
●
●
The insulin pump computes the amount of insulin required by comparing the current reading with two previous readings If these suggest that blood glucose is rising then insulin is delivered Information about the total dose delivered is maintained to allow the safety check invariant to be applied Note that this invariant always applies there is no need to repeat it in the dosage computation
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 34
D O S A G E Ι(δο ∆ ν ισ σ υ λ ν _ Π υ µ π ε = 0 ∧ ( ρ 1 ≥ ρ 0 ) ∧ ( ρ 2 = ρ 1 ) ∨ > ″ < 1 − 2 > ( ρ 0 − 1 ) )δδο ∨ ο σ ε = 4 ∧ ()σ ( ρ 1 ″ ρ 0 ) ∧ ( ρ 2 = ρ 1 ) ∨ < − 2 ″ ( ρ 0 − 1 ) ∨ ε = ( ρ 2 − ρ 1 ) ∗ 4 ∧ ()χ ″ ρ 0 ) ( ρ 2 > ρ 1 ) ∨ ( ρ 1 > ∧ − ≥ ( ρ 1 − ρ 0 ) )ρ ι0υ α π χ τ ψ ∋ = χ α π χ ι τ ψ − δ ο σ ε µ λ α ϖ ε _ δ ο σ ε ∋ = χ υ µ υ λ α τ ι ϖ ε _ δ ο σ ε + δ ο σ ε ∋=ρ 1∧ ρ 1∋=ρ 2
DOSAGE schema
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 35
Output schemas ●
●
●
The output schemas model the system displays and the alarm that indicates some potentially dangerous condition The output displays show the dose computed and a warning message The alarm is activated if blood sugar is very low this indicates that the user should eat something to increase their blood sugar level
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 36
I∆ D S P L A Y Ιδ(ρ ιιεα ν σ υ λ ν _ Π υ µ π π α ψ 2 ! ∋ = Ν α τ _ ο σ τ ρ ι ν γ ( δ ο σ ε ) ∧ ιΑ δ ν γ ? < 3 ⇒ δ ι π λ α ψ 1 ! ∋ = ∀ Σ υ γ α ρ λ ο ω ∀ ∨ > 0 η ι γ ≥ α ν ρ ε δ ι ν γ ? ″ 3 0 ⇒ δ σ π α ψ 1 ! ∋ = ∀ Ο Κ ∀ ) Λ Ρ Μ Ι(ρ ∆ ιεα ν σ υ λ ν _ Π υ µ π δινγ?< 3 ∨ ρ ε α δ ι ν γ ? > 3 0 ) ⇒ α λ ρ µ ! ∋ = ο ν ∨ ≥∧″ φ
Output schemas
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 37
Schema consistency ●
●
It is important that schemas are consistent. Inconsistency suggests a problem with the system requirements The INSULIN_PUMP schema and the DISPLAYare inconsistent • •
●
display1! shows a warning message about the insulin reservoir (INSULIN_PUMP) display1! Shows the state of the blood sugar (DISPLAY)
This must be resolved before implementation of the system
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 38
Key points ●
●
●
Formal system specification complements informal specification techniques Formal specifications are precise and unambiguous. They remove areas of doubt in a specification Formal specification forces an analysis of the system requirements at an early stage. Correcting errors at this stage is cheaper than modifying a delivered system
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 39
Key points ●
●
●
Formal specification techniques are most applicable in the development of critical systems and standards. Algebraic techniques are suited to interface specification where the interface is defined as a set of object classes Modelbased techniques model the system using sets and functions. This simplifies some types of behavioural specification
©Ian Sommerville 2000
Software Engineering, 6th edition. Chapter 9
Slide 40
