RE04 keynote - 2014


Fundamentals of RE
Chapter 4
Requirements Specification & Documentation:
Formal Specification
www.wileyeurope.com/college/vanlamsweerde
Chap.4: Formal Requirements Specification
© 2009 John Wiley and Sons
Where are we?
(Figure: the RE process from Chapter 1 to Chapter 4)
– Chap. 1: RE products and processes
– Chap. 2: Elicitation techniques (start; alternative options) → consolidated requirements
– Chap. 3: Evaluation techniques → agreed requirements
– Chap. 4: Specification & documentation techniques → documented requirements
Requirements specification & documentation:
formal specification techniques

Formal specification: what, why?

Logic as a basis for formalizing statements
– Propositional logic
– First-order predicate logic
– First-order specification languages

History-based specification
– Linear temporal logic
– Branching temporal logic

State-based specification
– Vienna development method

Formal spec: strengths & limitations
Formal Specification

A semi-formal specification declares some items of the
requirements document (RD) formally, but leaves the
prescriptive* and descriptive** statements about those items
informal.
A formal specification formalizes the descriptive and prescriptive
statements as well.
The benefits expected from the formalization are:
– a higher degree of precision in the formalization of statements
– much more validation and verification that can be automated by
tools
*Prescriptive statement: A train is moving if and only if its physical speed is not null
**Descriptive statement: Train tracks are in good condition except the track segment X under
maintenance
Formal specification: what, why?

To complement NL & diagrammatic specs, especially for
mission-critical aspects
Full formalization of RD items ...
– declaration part: item structure (like diagrams). Here the variables
of interest are declared
– assertion part: item properties (prescriptive, descriptive). Here
the intended properties of the declared variables are formalized
– mechanisms for structuring large specs into small units

Formal = in machine-processable language
– often based on mathematical logic
– syntax, semantics, rules for inference of new information

Benefits ...
– higher precision in statement formulation
– more precise rules of interpretation
– automation of more sophisticated checks & derivations
Logic as a basis for formalizing statements
Like any formal system, logic is made up of three components:
– a syntax
– a semantics
– a proof theory

Propositional Logic

First order predicate logic

First order specification language


Propositional Logic: Syntax
Recursive composition of non-decomposable statements
through logical connectives and, or, not, if ... then, iff
– limited expressiveness: no variables, no quantification

The syntax of propositional logic can be recursively defined by two
simple rules over a vocabulary of propositional symbols
(non-decomposable statements like train moving, doors closed).
Syntax rules for grammatically well-formed statements:
<atomicProposition> ::= true | false | <propositionSymbol>
<statement> ::= <atomicProposition> | (¬ <statement>)
| (<statement> ∧ <statement>) | (<statement> ∨ <statement>)
| (<statement> → <statement>) | (<statement> ↔ <statement>)
Example
trainStopped ∧ Emergency → doorsOpen


Propositional Logic: semantics
Definition of the meaning of statements in some interpretation
– interpretation I for statement S assigns truth values to all
its propositional symbols
– valI is the interpretation function that assigns a truth value to
each atomic proposition in S
– meaning VALI of S in I: truth value T or F of S under valI

Semantic rules:
VALI (true) = T ; VALI (false) = F ;
VALI (atomProp) = valI (atomProp)
VALI (¬ S) = T if VALI (S) = F; F otherwise
VALI (S1 ∧ S2) = T if VALI (S1) = T and VALI (S2) = T; F otherwise
VALI (S1 ∨ S2) = T if VALI (S1) = T or VALI (S2) = T; F otherwise
VALI (S1 → S2) = T if VALI (S1) = F or VALI (S2) = T; F otherwise
VALI (S1 ↔ S2) = T if VALI (S1) = VALI (S2); F otherwise
Compound Propositions


Semantics of propositional logic (2)
Example of semantic evaluation:
under interpretation
valI (trainMoving) = F,
valI (doorsClosed) = F
the semantics of trainMoving → doorsClosed is:
VALI (trainMoving → doorsClosed) = T
(using the implication rule)


Propositional Logic: proof theory
Rules for inferring new statements from available ones
– sound rule if the conclusion is true under any interpretation that
makes the premises true
– enables automatic derivations without semantic evaluation

Sample of inference rules (premises ⊢ conclusion):
P → Q, P  ⊢  Q
P → Q, Q → R  ⊢  P → R
P ∨ Q, ¬P ∨ R  ⊢  Q ∨ R
Example of derivation using the 3rd rule (resolution):
from ¬trainMoving ∨ doorsClosed, trainStopped ∨ trainMoving
we get doorsClosed ∨ trainStopped
First-order predicate logic: syntax
Extends the expressiveness of propositional logic through
variables, constants, quantifications, relations & functions
Terms are used to designate specific objects in the domain of
interest
Syntax rules:
<term> ::= <constant> | <variable> | <functionSymbol> (<term>*)
<atomicPredicate> ::= true | false | <predicateSymbol> (<term>*)
<statement> ::= <atomicPredicate> | (¬ <statement>)
| (<statement> ∧ <statement>) | (<statement> ∨ <statement>)
| (<statement> → <statement>) | (<statement> ↔ <statement>)
| (∀ <variable>)(<statement>) | (∃ <variable>)(<statement>)
Example: The distance between two successive trains should be
kept sufficient to avoid collisions if the first train stops
suddenly
∀ tr1, tr2
Following (tr2, tr1) → Dist (tr2, tr1) > WCS-Dist (tr2)
To evaluate the statement semantically, an interpretation is required
for its building blocks:
– The domain of interpretation for the statement is the set of trains in the
system
– The atomic predicate Following (tr2, tr1) is true if and only if the pair
(tr2, tr1) is a member of the binary relation Following over trains, defined as
the set of pairs of trains in which the first train of the pair directly follows
the second.
– The function symbol Dist designates a real-valued function that, for two given
trains, returns the distance between them
– The function symbol WCS-Dist designates a real-valued function that, for a given
train, returns the worst-case distance needed for the train to stop in an
emergency
– The predicate symbol >, used in infix form, designates the > binary relation over
real numbers
First-order predicate logic: semantics
Interpretation: definition of what unquantified variables,
constants, functions, predicates designate in domain of interest
– predicate specs have meaning only within specific interpretation

Documenting interpretations is essential for communication,
non-ambiguity, adequacy checking ...
– Domain of interest e.g. trains connecting airport terminals
– For constants a, unquantified variables x:
valI (a), valI (x) = specific domain elements
e.g. valI (MTP) = main terminal platform
– For function symbol f: valI (f) = specific function over domain
e.g. valI (WCS-Dist) = function returning the worst-case distance
for the given train to stop in emergency
– For n-ary predicate symbol P: valI (P) = n-ary relation over domain
e.g. valI (Following) = set of train pairs with 1st directly behind 2nd
First-order predicate logic: semantic rules
Within a specific interpretation I, the semantic value VALI is ...
VALI (a) = valI (a) for constants
VALI (x) = valI (x) for unquantified variable occurrences
VALI ( f (t1, ..., tn) ) = (valI (f )) (VALI (t1), ..., VALI (tn)) for terms
VALI (true) = T , VALI (false) = F
VALI ( P (t1, ..., tn)) = (valI (P )) (VALI (t1), ..., VALI (tn)) for atomic predicates
VALI (¬ S), VALI (S1 ∧ S2), VALI (S1 ∨ S2), VALI (S1 → S2), VALI (S1 ↔ S2):
cf. propositional logic
VALI ((∀x) S) = T if VAL{x ↦ d}∘I (S) = T for each domain element d;
F if VAL{x ↦ d}∘I (S) = F for some domain element d
VALI ((∃x) S) = T if VAL{x ↦ d}∘I (S) = T for some domain element d;
F if VAL{x ↦ d}∘I (S) = F for each domain element d
(where {x ↦ d}∘I denotes the interpretation I extended so that variable x designates the domain element d)
First-order predicate logic: proof theory
Inference rules from propositional logic + specific ones, e.g.
(∀x) S  ⊢  S [x / t]   (instantiation)
u1 = v1, ..., un = vn  ⊢  f (u1, ..., un) = f (v1, ..., vn)
u1 = v1, ..., un = vn  ⊢  P (u1, ..., un) ↔ P (v1, ..., vn)
(term/predicate rewriting under equality of arguments)
=> automated derivation/checking of more expressive statements
First-order specification languages
Variables designate objects involved in reqs, dom props,
assumptions (e.g. entity instances in an ER diagram)
– with value generally changing over time

State of variable x: pair (x, v), where v is its value
System state: pair (X, V)
X: set of system variables, V: set of corresponding values
e.g. train tr2 following tr1 at a distance of 100 m, WCS-Dist = 50 m
In many spec languages, specs are interpreted over states
– spec satisfied by some states, falsified by others

Many first-order spec languages are sorted
– a typed variable designates some instance in a set (the sort)
– e.g. ∀ tr1, tr2: Train
Following (tr2, tr1) → Dist (tr2, tr1) > WCS-Dist (tr2)
(tr1, tr2: instance variables, e.g. entity instances; Train: sort)
The logic underlying many first-order specification languages
is in general a sorted one; that is, the variables are “typed”.
A typed variable designates an instance in a specific set (called a sort).
A sort can be an entity from an entity-relationship diagram or
a set of data values.
∀ tr1, tr2: Train
Following (tr2, tr1) → Dist (tr2, tr1) > WCS-Dist (tr2)
tr1 and tr2 designate arbitrary instances of the Train entity; the
atomic predicate Following corresponds to the Following relationship, and
the function symbols Dist and WCS-Dist correspond to attributes of
Following and Train, respectively.
A state of variable tr2 might be characterized by the fact that
the related train is following another train, designated by tr1,
at a distance of 100 metres and with a worst-case stopping
distance of 50 metres in that state.
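The state-based reading above (a system state (X, V) that either satisfies or falsifies the sorted statement), worked as an added Python example that is not part of the course slides. The State class, the function names and the second 40 m state are assumptions; the 100 m / 50 m figures are the slide's own.

```python
# Constructed example, not the course's own code: a system state (X, V) for the
# train domain and an evaluator for the sorted statement
#   ∀ tr1, tr2: Train . Following(tr2, tr1) → Dist(tr2, tr1) > WCS-Dist(tr2)
# The 100 m / 50 m values come from the slide; train names and the second
# state are constructed.
from dataclasses import dataclass

@dataclass
class State:
    trains: set        # sort Train: the domain of interpretation
    following: set     # val_I(Following): pairs (tr2, tr1) with tr2 directly behind tr1
    dist: dict         # val_I(Dist): (tr2, tr1) -> distance in metres
    wcs_dist: dict     # val_I(WCS-Dist): train -> worst-case stopping distance in metres

def is_following(state, tr2, tr1):
    """Atomic predicate Following(tr2, tr1): membership in the relation."""
    return (tr2, tr1) in state.following

def body_holds(state, tr1, tr2):
    """Value of the unquantified body once tr1, tr2 designate the given trains;
    the implication is vacuously true when tr2 is not following tr1."""
    if not is_following(state, tr2, tr1):
        return True
    return state.dist[(tr2, tr1)] > state.wcs_dist[tr2]

def safe_distance_kept(state):
    """VAL_I of the ∀-statement: T iff the body holds for every pair of domain
    elements, F as soon as one pair falsifies it."""
    return all(body_holds(state, tr1, tr2) for tr1 in state.trains for tr2 in state.trains)

def violations(state):
    """Pairs (tr2, tr1) falsifying the statement: the counterexamples a checker
    would translate back into natural language for stakeholders."""
    return sorted(pair for pair in state.following
                  if not body_holds(state, pair[1], pair[0]))

# State from the slide: tr2 following tr1 at 100 m, with WCS-Dist(tr2) = 50 m
OK_STATE = State({"tr1", "tr2"}, {("tr2", "tr1")}, {("tr2", "tr1"): 100}, {"tr1": 50, "tr2": 50})
# Constructed state in which tr2 has closed to 40 m: the same spec is now falsified
BAD_STATE = State({"tr1", "tr2"}, {("tr2", "tr1")}, {("tr2", "tr1"): 40}, {"tr1": 50, "tr2": 50})
```

The quantifier is evaluated exhaustively over the finite domain, which is exactly the "for each domain element d" rule of the semantics.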
First-order specification languages (2)
Formal specification = logical “theory”
= set of formal statements (“axioms”) from which new statements
can be derived (“theorems”) by inference rules
For example, stakeholders may be shown the derived theorems, after
translation into natural language, and asked whether they really
want the consequences of what was specified.

More precise characterization of specification errors/flaws ...
– Contradiction: no interpretation of interest can make all
statements true together
– Ambiguity: multiple interpretations of interest can make all
statements true together
– Redundancy: some statements can be inferred from others

Automated derivation of theorems is useful for ...
– adequacy checking (“do you want this consequence?”)
– consistency checking
(false as derivable theorem)
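An added Python example (not the course's own code) that brings together the semantic evaluation of trainMoving → doorsClosed, the soundness criterion for inference rules such as resolution, and the contradiction / ambiguity / redundancy characterization above. The tuple-based statement encoding and the names VAL, entails and diagnose are assumptions.

```python
# Constructed mini-language, not the course's own code. A statement is a bool
# literal, an atom name (str), or a tuple (connective, operand...) with the
# connectives "not", "and", "or", "imp" (→) and "iff" (↔).
from itertools import product

def VAL(stmt, I):
    """Semantic value of stmt under interpretation I (dict atom -> bool),
    applying the slide's semantic rule for each connective."""
    if isinstance(stmt, bool):
        return stmt                           # VAL_I(true) = T, VAL_I(false) = F
    if isinstance(stmt, str):
        return I[stmt]                        # VAL_I(atomProp) = val_I(atomProp)
    op, *args = stmt
    if op == "not":
        return not VAL(args[0], I)
    a, b = VAL(args[0], I), VAL(args[1], I)
    return {"and": a and b, "or": a or b, "imp": (not a) or b, "iff": a == b}[op]

def atoms_of(stmts):
    """Sorted list of propositional symbols occurring in the statements."""
    found = set()
    def walk(s):
        if isinstance(s, str):
            found.add(s)
        elif isinstance(s, tuple):
            for sub in s[1:]:
                walk(sub)
    for s in stmts:
        walk(s)
    return sorted(found)

def models(stmts, atoms=None):
    """Interpretations over `atoms` that make every statement true."""
    atoms = atoms or atoms_of(stmts)
    candidates = (dict(zip(atoms, bits)) for bits in product([False, True], repeat=len(atoms)))
    return [I for I in candidates if all(VAL(s, I) for s in stmts)]

def entails(premises, conclusion):
    """Soundness: the conclusion is true under every interpretation making all premises true."""
    atoms = atoms_of(premises + [conclusion])
    return all(VAL(conclusion, I) for I in models(premises, atoms))

def diagnose(theory):
    """Flaws as on the slide: contradiction (no model), ambiguity (several
    models), redundancy (a statement entailed by the remaining ones)."""
    ms = models(theory)
    redundant = [s for i, s in enumerate(theory) if entails(theory[:i] + theory[i + 1:], s)]
    return {"contradiction": not ms, "ambiguity": len(ms) > 1, "redundant": redundant}
```

diagnose enumerates all 2^n interpretations, so it is only practical for small propositional theories; a consistency check in the slide's sense is the same question asked as "is false a derivable theorem?".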