Formal Specification in Software Engineering SE9

Formal Specification Techniques for the unambiguous specification of software

Objectives To explain why formal specification techniques help discover problems in system requirements To describe the use of algebraic techniques for interface specification To describe the use of model-based techniques for behavioural specification

Topics covered Formal specification in the software process Interface specification Behavioural specification

Formal methods Formal specification is part of a more general collection of techniques that are known as ‘formal methods’ These are all based on mathematical representation and analysis of software Formal methods include Formal specification Specification analysis and proof Transformational development Program verification

Acceptance of formal methods Formal methods have not become mainstream software development techniques as was once predicted Other software engineering techniques have been successful at increasing system quality. Hence the need for formal methods has been reduced Market changes have made time-to-market rather than software with a low error count the key factor. Formal methods do not reduce time to market The scope of formal methods is limited. They are not well-suited to specifying and analysing user interfaces and user interaction Formal methods are hard to scale up to large systems

Use of formal methods Formal methods have limited practical applicability Their principal benefits are in reducing the number of errors in systems so their mai area of applicability is critical systems In this area, the use of formal methods is most likely to be cost-effective

Specification in the software process Specification and design are inextricably intermingled. Architectural design is essential to structure a specification. Formal specifications are expressed in a mathematical notation with precisely defined vocabulary, syntax and semantics.

Specification in the software process

Specification techniques Algebraic approach The system is specified in terms of its operations and their relationships Model-based approach The system is specified in terms of a state model that is constructed using mathematical constructs such as sets and sequences. Operations are defined by modifications to the system’s state

Formal specification languages

Use of formal specification Formal specification involves investing more effort in the early phases of software development This reduces requirements errors as it forces a detailed analysis of the requirements Incompleteness and inconsistencies can be discovered and resolved Hence, savings as made as the amount of rework due to requirements problems is reduced

Development costs with formal specification

Interface specification Large systems are decomposed into subsystems with well-defined interfaces between these subsystems Specification of subsystem interfaces allows independent development of the different subsystems Interfaces may be defined as abstract data types or object classes The algebraic approach to formal specification is particularly well-suited to interface specification

The structure of an algebraic specification

Specification components Introduction Defines the sort (the type name) and declares other specifications that are used Description Informally describes the operations on the type Signature Defines the syntax of the operations in the interface and their parameters Axioms Defines the operation semantics by defining axioms which characterise behaviour

Systematic algebraic specification Algebraic specifications of a system may be developed in a systematic way Specification structuring. Specification naming. Operation selection. Informal operation specification Syntax definition Axiom definition

Specification operations Constructor operations. Operations which create entities of the type being specified Inspection operations. Operations which evaluate entities of the type being specified To specify behaviour, define the inspector operations for each constructor operation

Operations on a list ADT Constructor operations which evaluate to sort List Create, Cons and Tail Inspection operations which take sort list as a parameter and return some other sort Head and Length. Tail can be defined using the simpler constructors Create and Cons. No need to define Head and Length with Tail.

Recursion in specifications Operations are often specified recursively Tail (Cons (L, v)) = if L = Create then Create else Cons (Tail (L), v) Cons ([5, 7], 9) = [5, 7, 9] Tail ([5, 7, 9]) = Tail (Cons ( [5, 7], 9)) = Cons (Tail ([5, 7]), 9) = Cons (Tail (Cons ([5], 7)), 9) = Cons (Cons (Tail ([5]), 7), 9) = Cons (Cons (Tail (Cons ([], 5)), 7), 9) = Cons (Cons ([Create], 7), 9) = Cons ([7], 9) = [7, 9]

Interface specification in critical systems Consider an air traffic control system where aircraft fly through managed sectors of airspace Each sector may include a number of aircraft but, for safety reasons, these must be separated In this example, a simple vertical separation of 300m is proposed The system should warn the controller if aircraft are instructed to move so that the separation rule is breached

A sector object Critical operations on an object representing a controlled sector are Enter. Add an aircraft to the controlled airspace Leave. Remove an aircraft from the controlled airspace Move. Move an aircraft from one height to another Lookup. Given an aircraft identifier, return its current height

Primitive operations It is sometimes necessary to introduce additional operations to simplify the specification The other operations can then be defined using these more primitive operations Primitive operations Create. Bring an instance of a sector into existence Put. Add an aircraft without safety checks In-space. Determine if a given aircraft is in the sector Occupied. Given a height, determine if there is an aircraft within 300m of that height

Specification commentary Use the basic constructors Create and Put to specify other operations Define Occupied and In-space using Create and Put and use them to make checks in other operation definitions All operations that result in changes to the sector must check that the safety criterion holds

Behavioural specification Algebraic specification can be cumbersome when the object operations are not independent of the object state Model-based specification exposes the system state and defines the operations in terms of changes to that state The Z notation is a mature technique for model-based specification. It combines formal and informal description and uses graphical highlighting when presenting specifications

Modelling the insulin pump The schema models the insulin pump as a number of state variables reading? dose, cumulative_dose r0, r1, r2 capacity alarm! pump! display1!, display2! Names followed by a ? are inputs, names followed by a ! are outputs

Schema invariant Each Z schema has an invariant part which defines conditions that are always true For the insulin pump schema it is always true that The dose must be less than or equal to the capacity of the insulin reservoir No single dose may be more than 5 units of insulin and the total dose delivered in a time period must not exceed 50 units of insulin. This is a safety constraint (see Chapters 16 and 17) display1! shows the status of the insulin reservoir.

The dosage computation The insulin pump computes the amount of insulin required by comparing the current reading with two previous readings If these suggest that blood glucose is rising then insulin is delivered Information about the total dose delivered is maintained to allow the safety check invariant to be applied Note that this invariant always applies - there is no need to repeat it in the dosage computation

Output schemas The output schemas model the system displays and the alarm that indicates some potentially dangerous condition The output displays show the dose computed and a warning message The alarm is activated if blood sugar is very low - this indicates that the user should eat something to increase their blood sugar level

Schema consistency It is important that schemas are consistent. Inconsistency suggests a problem with the system requirements The INSULIN_PUMP schema and the DISPLAYare inconsistent display1! shows a warning message about the insulin reservoir (INSULIN_PUMP) display1! Shows the state of the blood sugar (DISPLAY) This must be resolved before implementation of the system

Key points Formal system specification complements informal specification techniques Formal specifications are precise and unambiguous. They remove areas of doubt in a specification Formal specification forces an analysis of the system requirements at an early stage. Correcting errors at this stage is cheaper than modifying a delivered system

Key points Formal specification techniques are most applicable in the development of critical systems and standards. Algebraic techniques are suited to interface specification where the interface is defined as a set of object classes Model-based techniques model the system using sets and functions. This simplifies some types of behavioural specification

Formal Specification in Software Engineering SE9

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Formal Specification in Software Engineering SE9 (20)

More from koolkampus (20)

Recently uploaded (20)

Formal Specification in Software Engineering SE9