CSULA CS 337 Software Engineering ch09

FormalSpecification
Techniquesforthe
unambiguousspecificationof
software
IanSommerville2000
SoftwareEngineering,6thedition.Chapter9
Slide1
Objectives
Toexplainwhyformalspecificationtechniques
helpdiscoverproblemsinsystemrequirements
Todescribetheuseofalgebraictechniquesfor
interfacespecification
Todescribetheuseofmodelbasedtechniques
forbehaviouralspecification
IanSommerville2000
Slide2
Topicscovered
Formalspecificationinthesoftwareprocess
Interfacespecification
Behaviouralspecification
IanSommerville2000
Slide3
Formalmethods
Formalspecificationispartofamoregeneral
collectionoftechniquesthatareknownasformal
methods
Theseareallbasedonmathematicalrepresentation
andanalysisofsoftware
Formalmethodsinclude
Formalspecification
Specificationanalysisandproof
Transformationaldevelopment
Programverification
IanSommerville2000
Slide4
Acceptanceofformalmethods
Formalmethodshavenotbecomemainstream
softwaredevelopmenttechniquesaswasonce
predicted
Othersoftwareengineeringtechniqueshavebeensuccessfulat
increasingsystemquality.Hencetheneedforformalmethodshas
beenreduced
Marketchangeshavemadetimetomarketratherthansoftwarewith
alowerrorcountthekeyfactor.Formalmethodsdonotreducetime
tomarket
Thescopeofformalmethodsislimited.Theyarenotwellsuitedto
specifyingandanalysinguserinterfacesanduserinteraction
Formalmethodsarehardtoscaleuptolargesystems
IanSommerville2000
Slide5
Useofformalmethods
Formalmethodshavelimitedpractical
applicability
Theirprincipalbenefitsareinreducingthe
numberoferrorsinsystemssotheirmaiareaof
applicabilityiscriticalsystems
Inthisarea,theuseofformalmethodsismost
likelytobecosteffective
IanSommerville2000
Slide6
Specificationinthesoftwareprocess
Specificationanddesignareinextricably
intermingled.
Architecturaldesignisessentialtostructurea
specification.
Formalspecificationsareexpressedina
mathematicalnotationwithpreciselydefined
vocabulary,syntaxandsemantics.
IanSommerville2000
Slide7
I
n
c
r
e
a
s
i
n
g
c
o
n
t
r
a
c
t
o
r
i
n
v
o
l
e
m
n
t
D
l
i
e
fecitw
o
areionH
idghslenvl
R
edqufirnem
ttosR
n
espquciS
rfpem
teaciiofsationA
n
rcdhetsicgnuralspS
D
esign
Specificationanddesign
IanSommerville2000
Slide8
R
e
q
u
i
r
e
m
n
t
s
F
o
r
m
a
l
s
p
c
f
a
i
o
s
p
e
c
i
f
t
i
o
n
R
edqufirnem
ttosm
n
H
i
g
h
l
e
v
l
d
s
i
g
n
S
sodtlem
y
A
r
c
h
i
t
e
c
u
r
a
l
ing dsgn
Specificationinthesoftwareprocess
IanSommerville2000
Slide9
Specificationtechniques
Algebraicapproach
Thesystemisspecifiedintermsofitsoperationsandtheir
relationships
Modelbasedapproach
Thesystemisspecifiedintermsofastatemodelthatis
constructedusingmathematicalconstructssuchassetsand
sequences.Operationsaredefinedbymodificationstothe
systemsstate
IanSommerville2000
Slide10
Formalspecificationlanguages
IanSommerville2000
Slide11
Useofformalspecification
Formalspecificationinvolvesinvestingmore
effortintheearlyphasesofsoftwaredevelopment
Thisreducesrequirementserrorsasitforcesa
detailedanalysisoftherequirements
Incompletenessandinconsistenciescanbe
discoveredandresolved
Hence,savingsasmadeastheamountofrework
duetorequirementsproblemsisreduced
IanSommerville2000
Slide12
C
ostIm
V
a
l
i
d
a
t
i
o
n
D
eplsm
igenatdionS
V
a
l
i
d
a
t
i
o
n
D
e
s
i
g
n
a
d
I
m
p
l
m
e
t
i
o
n
p
e
c
i
f
a
t
i
o
n
S
pecifation
W
ispth
tecifaorim
o
u
anl sW
ipecthform
ationl
Developmentcostswithformalspecification
IanSommerville2000
Slide13
Interfacespecification
Largesystemsaredecomposedintosubsystemswith
welldefinedinterfacesbetweenthesesubsystems
Specificationofsubsysteminterfacesallows
independentdevelopmentofthedifferentsubsystems
Interfacesmaybedefinedasabstractdatatypesor
objectclasses
Thealgebraicapproachtoformalspecificationis
particularlywellsuitedtointerfacespecification
IanSommerville2000
Slide14
I
n
t
e
r
f
a
c
e
o
b
j
t
s
S
ubsA
ytem S
ubsB
ytem
Subsysteminterfaces
IanSommerville2000
Slide15
<
TIO
SP
ic
ar
am
sort
<
na
impo
<
OF
TIO
L
Inf
or
mal
iptio
t
at
a
Ope
ation
the
p
Axio
atio
vetr
Thestructureofanalgebraicspecification
IanSommerville2000
Slide16
Specificationcomponents
Introduction
Description
Informallydescribestheoperationsonthetype
Signature
Definesthesort(thetypename)anddeclaresotherspecificationsthat
areused
Definesthesyntaxoftheoperationsintheinterfaceandtheir
parameters
Axioms
Definestheoperationsemanticsbydefiningaxiomswhich
characterisebehaviour
IanSommerville2000
Slide17
Systematicalgebraicspecification
Algebraicspecificationsofasystemmaybe
developedinasystematicway
Specificationstructuring.
Specificationnaming.
Operationselection.
Informaloperationspecification
Syntaxdefinition
Axiomdefinition
IanSommerville2000
Slide18
Specificationoperations
Constructoroperations.Operationswhichcreate
entitiesofthetypebeingspecified
Inspectionoperations.Operationswhichevaluate
entitiesofthetypebeingspecified
Tospecifybehaviour,definetheinspector
operationsforeachconstructoroperation
IanSommerville2000
Slide19
OperationsonalistADT
ConstructoroperationswhichevaluatetosortList
Inspectionoperationswhichtakesortlistasa
parameterandreturnsomeothersort
Create,ConsandTail
HeadandLength.
Tailcanbedefinedusingthesimpler
constructorsCreateandCons.Noneedtodefine
HeadandLengthwithTail.
IanSommerville2000
Slide20
sort
List
impor
INTE
Define
v
e
d
from
The
ation
,
ings
wh
th
o
into
xisten
,
,
Con
w
whic
,
e
lis
Length
v
a
e
,
luate
v
a
He
lu
eleme
T
a
il,
y
vin
re
w
input
li
Create
Head
exce
(em
if
L
then
=
else
v
He
Cr
Length
T
aif
ilL
(Cr
then
=else
Cre
(Co
ail
Co
Cr
Listspecification
IanSommerville2000
Slide21
Recursioninspecifications
Operationsareoftenspecifiedrecursively
Tail(Cons(L,v))=ifL=CreatethenCreate
elseCons(Tail(L),v)
Cons([5,7],9)=[5,7,9]
Tail([5,7,9])=Tail(Cons([5,7],9))=
Cons(Tail([5,7]),9)=Cons(Tail(Cons([5],7)),9)=
Cons(Cons(Tail([5]),7),9)=
Cons(Cons(Tail(Cons([],5)),7),9)=
Cons(Cons([Create],7),9)=Cons([7],9)=[7,9]
IanSommerville2000
Slide22
Interfacespecificationincriticalsystems
Consideranairtrafficcontrolsystemwhere
aircraftflythroughmanagedsectorsofairspace
Eachsectormayincludeanumberofaircraftbut,
forsafetyreasons,thesemustbeseparated
Inthisexample,asimpleverticalseparationof
300misproposed
Thesystemshouldwarnthecontrollerifaircraft
areinstructedtomovesothattheseparationruleis
breached
IanSommerville2000
Slide23
Asectorobject
Criticaloperationsonanobjectrepresentinga
controlledsectorare
Enter.Addanaircrafttothecontrolledairspace
Leave.Removeanaircraftfromthecontrolledairspace
Move.Moveanaircraftfromoneheighttoanother
Lookup.Givenanaircraftidentifier,returnitscurrentheight
IanSommerville2000
Slide24
Primitiveoperations
Itissometimesnecessarytointroduceadditional
operationstosimplifythespecification
Theotheroperationscanthenbedefinedusing
thesemoreprimitiveoperations
Primitiveoperations
Create.Bringaninstanceofasectorintoexistence
Put.Addanaircraftwithoutsafetychecks
Inspace.Determineifagivenaircraftisinthesector
Occupied.Givenaheight,determineifthereisanaircraftwithin
300mofthatheight
IanSommerville2000
Slide25
Sectorspecification
tE
s
o
r
S
e
c
t
o
r
iL
m
p
s
I
N
T
E
G
R
,
B
O
L
E
A
N
rC
tM
n
e
a
d
s
a
n
i
r
c
a
f
t
o
t
h
e
s
c
t
o
r
i
f
s
a
f
e
t
y
c
o
n
d
i
t
o
n
s
a
r
e
s
a
t
i
s
f
e
d
a
v
r
e
m
o
v
e
s
n
i
r
c
a
f
r
o
m
h
e
c
o
r
o
n
g
h
a
h
e
r
f
f
o
d
o
k
u
p
F
i
n
d
t
h
e
g
h
t
o
a
a
i
r
c
a
f
t
i
n
t
e
s
c
t
o
rIO
tE
e
a
e
c
r
e
a
s
a
n
m
p
y
s
e
c
t
o
P
-n
u
d
s
n
i
r
c
f
t
o
a
r
w
i
t
h
n
o
c
n
s
t
r
a
i
n
t
c
h
e
c
k
s
s
p
h
k
a
n
i
r
c
a
f
i
s
a
l
r
e
a
d
y
i
a
e
c
o
r
i
c
e
c
e
s
i
s
p
e
e
d
h
g
s
v
l
b
r
t
n
(
S
t
o
r
,
C
a
l
g
n
,
H
i
g
t
)
tL
ra
e
(lvis
,fe
S
,P
C
S
H
)
=
ie
fe
Ie
-(C
n
s
p
a
c
e
(
S
,
C
S
)
t
h
e
n
S
e
x
c
e
p
t
i
o
n
(
A
i
r
c
a
f
t
a
l
r
e
a
d
y
i
n
s
e
c
t
o
r
)
O
c
u
i
d
H
H
e
g
h
o
n
f
i
c
t
)
P
t
(
S
,
C
r
e
a
)
=
C
r
e
a
t
e
x
c
e
p
t
i
o
n
(
A
i
r
c
a
f
t
n
o
t
i
n
s
e
c
t
o
r
)
u
t
(
S
,
C
S
1
,
H
1
)
,
C
S
)
=
S
=
C
1
t
h
e
n
S
l
s
P
u
t
(
L
a
v
e
S
,
C
S
)
,
C
S
1
,
H
1
)
M
o
(N
,e
v
e
S
,
H
)
=
i-L
fo
=
C
r
a
t
h
e
n
C
r
e
a
t
e
x
c
e
p
t
i
o
n
(
N
o
a
i
r
c
a
f
t
i
n
s
e
c
t
o
r
)
lO
s
n
o
t
I
n
s
p
c
(
S
,
S
)
h
n
S
x
c
e
p
t
i
n
(
A
o
i
n
s
e
c
t
o
r
)
O
c
u
i
e
d
(
S
,
H
)
t
h
n
S
H
e
g
h
t
o
l
c
)
e
P
(
L
a
v
C
C
,
H
)
H
E
I
G
H
T
i
s
c
o
n
s
t
a
n
t
i
d
c
a
t
i
n
g
t
h
a
t
v
a
l
i
d
h
e
i
g
h
t
c
a
n
o
t
b
e
r
t
u
r
n
e
d
k
u
p
(
C
r
e
a
t
,
C
S
)
=
N
O
H
E
I
G
H
T
e
x
c
e
p
t
o
n
(
A
r
c
a
f
o
t
i
s
c
o
)
P
u
(
S
1
,
H
1
)
,
C
S
)
=
fIn
iO
C
S
=
1
t
h
e
n
e
l
s
e
L
o
k
u
p
(
S
,
C
S
)
c-se
iip
u
p
e
d
(
C
r
e
a
,
H
)
=
f
a
P
u
t
(
S
C
S
1
,
H
1
)
,
H
)
=
ffla
H
1
>
H
n
d
3
0
)
o
r
(
H
>
H
1
a
n
d
H
H
1
3
0
)
t
h
e
n
t
r
u
e
s
e
O
c
p
i
e
d
(
(C
c
rS
C
e
a
t,h
)e
C
S
ftru
=
a
e
(=1
P
u
S
,n
1
H
)els,e
1
C
S
)-=
In
sp
a
ce(S
,C
S
)
Specificationcommentary
UsethebasicconstructorsCreateandPutto
specifyotheroperations
DefineOccupiedandInspaceusingCreateand
Putandusethemtomakechecksinother
operationdefinitions
Alloperationsthatresultinchangestothesector
mustcheckthatthesafetycriterionholds
IanSommerville2000
Slide27
Behaviouralspecification
Algebraicspecificationcanbecumbersomewhenthe
objectoperationsarenotindependentoftheobjectstate
Modelbasedspecificationexposesthesystemstateand
definestheoperationsintermsofchangestothatstate
TheZnotationisamaturetechniqueformodelbased
specification.Itcombinesformalandinformal
descriptionandusesgraphicalhighlightingwhen
presentingspecifications
IanSommerville2000
Slide28
conte
cCont
S
h
e
m
a
n
m
e
S
c
h
e
m
a
s
i
g
n
a
t
u
r
e
S
c
h
e
m
a
p
r
e
d
i
c
a
t
e
capa
conte
ThestructureofaZschema
IanSommerville2000
Slide29
Insu
Need
Cl
Pum
assem
Con
Al
Sens
Dis
Disp
Pow
Aninsulinpump
IanSommerville2000
Slide30
Modellingtheinsulinpump
Theschemamodelstheinsulinpumpasanumberof
statevariables
reading?
dose,cumulative_dose
r0,r1,r2
capacity
alarm!
pump!
display1!,display2!
Namesfollowedbya?areinputs,namesfollowedby
a!areoutputs
IanSommerville2000
Slide31
Schemainvariant
EachZschemahasaninvariantpartwhich
definesconditionsthatarealwaystrue
Fortheinsulinpumpschemaitisalwaystruethat
Thedosemustbelessthanorequaltothecapacityofthe
insulinreservoir
Nosingledosemaybemorethan5unitsofinsulinandthetotal
dosedeliveredinatimeperiodmustnotexceed50unitsof
insulin.Thisisasafetyconstraint(seeChapters16and17)
display1!showsthestatusoftheinsulinreservoir.
IanSommerville2000
Slide32
id
lc
Ird
n
s
u
n
_
p
u
m
p
e
a
d
g
?
:
,o
o
c
l
a
t
i
v
e
_
d
o
s
e
:
r
0
1
r
2
/
u
t
o
r
e
c
o
r
d
t
h
e
l
a
s
t
3
r
e
a
d
i
n
g
s
t
a
k
e
n
i
:i
tlu
a
p
y
!se
{p
f
m
,
o
o
n
}
a
y
1
d
i
s
p
l
a
y
2
!
:
S
T
R
I
N
G
c
p
a
c
t
Insulinpumpschema
IanSommerville2000
Slide33
Thedosagecomputation
Theinsulinpumpcomputestheamountofinsulin
requiredbycomparingthecurrentreadingwithtwo
previousreadings
Ifthesesuggestthatbloodglucoseisrisingtheninsulin
isdelivered
Informationaboutthetotaldosedeliveredismaintained
toallowthesafetycheckinvarianttobeapplied
Notethatthisinvariantalwaysappliesthereisnoneed
torepeatitinthedosagecomputation
IanSommerville2000
Slide34
D
O
S
A
G
E
DOSAGEschema
IanSommerville2000
Slide35
Outputschemas
Theoutputschemasmodelthesystemdisplays
andthealarmthatindicatessomepotentially
dangerouscondition
Theoutputdisplaysshowthedosecomputedand
awarningmessage
Thealarmisactivatedifbloodsugarisverylow
thisindicatesthattheusershouldeatsomething
toincreasetheirbloodsugarlevel
IanSommerville2000
Slide36
I
D
S
P
L
A
Y
Outputschemas
IanSommerville2000
Slide37
Schemaconsistency
Itisimportantthatschemasareconsistent.
Inconsistencysuggestsaproblemwiththesystem
requirements
TheINSULIN_PUMPschemaandtheDISPLAYare
inconsistent
display1!showsawarningmessageabouttheinsulinreservoir
(INSULIN_PUMP)
display1!Showsthestateofthebloodsugar(DISPLAY)
Thismustberesolvedbeforeimplementationofthe
system
IanSommerville2000
Slide38
Keypoints
Formalsystemspecificationcomplements
informalspecificationtechniques
Formalspecificationsarepreciseand
unambiguous.Theyremoveareasofdoubtina
specification
Formalspecificationforcesananalysisofthe
systemrequirementsatanearlystage.Correcting
errorsatthisstageischeaperthanmodifyinga
deliveredsystem
IanSommerville2000
Slide39
Keypoints
Formalspecificationtechniquesaremost
applicableinthedevelopmentofcriticalsystems
andstandards.
Algebraictechniquesaresuitedtointerface
specificationwheretheinterfaceisdefinedasa
setofobjectclasses
Modelbasedtechniquesmodelthesystemusing
setsandfunctions.Thissimplifiessometypesof
behaviouralspecification
IanSommerville2000
Slide40

CSULA CS 337 Software Engineering ch09

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CSULA CS 337 Software Engineering ch09

Uploaded by

Copyright:

Available Formats

FormalSpecification

You might also like