Lecture 7: Requirements Modeling III. Formal Methods in RE

Transcription

1 Lecture 7: Requirements Modeling III Last Last Week: Week: Modeling Modeling and and (II) (II) Modeling Modeling Functionality Functionality Structured Structured Object Object Oriented Oriented This This Week: Week: Modeling Modeling and and (III) (III) Formal Formal Modeling Modeling Techniques Techniques Program Program Specification Specification vs. vs. Reqts Reqts Modeling Modeling Egs: Egs: RSML, RSML, SCR, SCR, RML, RML, Telos, Telos, Albert Albert II II Tips Tips on on formal formal modeling modeling Next Next Week: Week: Communicating Communicating Reqts Reqts Specification Specification Languages Languages Documentation Documentation Standards Standards Traceability Traceability 1 What formalize in RE? Formal Methods in RE ƒ models of knowledge (so we can reason about m) ƒ specifications of (so we can document m precisely) Why Why formalize in in RE? RE? Why Why people don t don t formalize in in RE RE ƒ To To remove remove ambiguity ambiguity and and improve improve ƒ Formal Formal Methods Methods tend tend be be lower lower level level precision precision than than or or analysis analysis techniques techniques ƒ Provides Provides a a basis basis for for verification verification that They force you include o much detail that They force you include o much detail have have been been met ƒ met Formal Formal Methods Methods tend tend concentrate concentrate on on ƒ Allows Allows us us reason reason about about consistent, consistent, correct correct models models but most of time your models are but most of time your models are inconsistent, incorrect, incomplete Properties of formal models inconsistent, incorrect, incomplete Properties of formal models can be checked aumatically ƒ can be checked aumatically People People get get confused confused about about which which ols ols Can test for consistency, explore Can test for consistency, explore are are appropriate: appropriate: consequences, etc. consequences, etc. E.g. modeling program behaviour vs. E.g. modeling program behaviour vs. ƒ Allows Allows us us animate/execute animate/execute modeling modeling formal methods advocates get o attached formal methods advocates get o attached Helps with visualization and validation one ol! Helps with visualization and validation one ol! ƒ Will Will have have formalize formalize eventually eventually anyway ƒ anyway Formal Formal methods methods require require more more effort effort RE is all about bridging from informal...and payoff is deferred RE is all about bridging from informal...and payoff is deferred world a formal machine domain world a formal machine domain 2 1

2 What are Formal Methods? Broad View (Leveson) ƒ application of discrete mamatics software engineering ƒ involves modeling and analysis ƒ with an underlying mamatically-precise notation Narrow View (Wing) ƒ Use of a formal language a set of strings over some well-defined alphabet, with rules for distinguishing which strings belong language ƒ Formal reasoning about formulae in language E.g. formal proofs: use axioms and proof rules demonstrate that some formula is in language For modeling ƒ A notation is formal if: it comes with a formal set of rules which define its syntax and semantics. rules can be used analyse expressions determine if y are syntactically well-formed or prove properties about m. 3 Varieties of formal analysis Consistency analysis and typechecking does design meet? ƒ Is formal model well-formed? [assuming that we only use modeling languages where well-formedness is a useful thing check] Validation: ƒ Animation of model on small examples ƒ Formal challenges: if model is correct n following property should hold... ƒ What if questions: reasoning about consequences of particular ; reasoning about effect of possible changes ƒ State exploration E.g. use a model checking find traces that satisfy some property ƒ Checking application properties: will system ever do following... Verifying design refinement 4 2

3 Three different models?? D: a model of environment R: a model of is satisfied by acts upon constrains S: a model of software behaviour 5 FM in practice From Shuttle Study [Crow & DiVi 1996] ƒ More errors found in process of formalizing than were found in formal analysis Formalization forces you be precise and explicit, hence reveals problems Formal analysis n finds fewer, but more subtle problems ƒ Typical errors found include: inconsistent interfaces incorrect (system does wrong thing in response an input) clarity/maintainability problems Issue Severity With FM Existing High Major 2 0 Low Major 5 1 High Minor 17 3 Low Minor 6 0 Totals

4 How do FMs differ? Mamatical Foundation ƒ Logic first order predicate logic - e.g. RML temporal logic - e.g. Albert II, SCR, KAOS multi-valued logic e.g. Xchek ƒ Or algebraic languages - e.g. Larch set ory - e.g. Z Onlogy ƒ fixed states, events, actions - e.g. SCR entities, activities, assertions - e.g. RML ƒ extensible meta language for defining new concepts - e.g. Telos Treatment of Time ƒ State/event models time as a discrete sequence of events - e.g. SCR time as quantified intervals - e.g. KAOS ƒ Time as a first class object meta-level class represent time - e.g. Telos 7 Three traditions Formal Specification Languages ƒ Grew out of work on program verification ƒ Spawned many general purpose specification languages Suitable for specifying behaviour of program units ƒ Key technologies: Type checking, Theorem proving Reactive System Modeling ƒ Grew out of a need capture dynamic models of system behaviour ƒ Focus is on reactive systems (e.g. real-time, embedded control systems) support reasoning about safety, liveness, performance(?) provide a precise specification language ƒ Key technologies: Consistency checking, Model checking Formal Conceptual Modeling ƒ Grew out of a concern for capturing real-world knowledge in RE ƒ Focus is on modeling domain entities, activities, agents, assertions provide a formal onlogy for domain modeling use first order predicate logic as underlying formalism ƒ Key technologies: inference engines, default reasoning, KBS-shells Applicability Applicability RE RE is is poor poor No No abstraction abstraction or or structuring structuring closely closely tied tied program program semantics semantics Larch, Larch, Z, Z, VDM, VDM, Applicability Applicability RE RE is is good good modeling modeling languages languages were were developed developed specifically specifically for for RE RE Statecharts, Statecharts, RSML, RSML, Parnas-tables, Parnas-tables, SCR, SCR, Applicability Applicability RE RE is is excellent excellent modeling modeling schemes schemes capture capture key key concepts concepts Reqts Reqts Apprentice, Apprentice, RML, RML, Telos, Telos, Albert Albert II, II, 8 4

5 (1) Formal Specification Languages Three basic flavours: ƒ Operational - specification is executable abstraction of implementation good for rapid protyping e.g., Lisp, Prolog, Smalltalk ƒ State-based - views a program as a (large) data structures whose state can be altered by procedure calls using pre/post-conditions specify effect of procedures e.g., VDM, Z ƒ Algebraic - views a program as a set of abstract data structures with a set of operations operations are defined declaratively by giving a set of axioms e.g., Larch, CLEAR, OBJ Developed for specifying programs ƒ Programs are formal, man-made objects and can be modeled precisely in terms of input-output behaviour ƒ But in RE we re more concerned with: real-world concepts, stakeholders, goals, loosely define problems, environments ƒ So se languages are NOT appropriate for RE but people fail realise that specification program specification 9 (2) Reactive System Modeling modeling how a system should behave ƒ General approach: Model environment as a state machine Model system as a state machine Model safety, liveness properties of machine as temporal logic assertions Check wher properties hold of system interacting with its environment ƒ Statecharts Harel s notation for modeling large systems Adds parallelism, decomposition and conditional transitions STDs ƒ RSML Heimdahl & Leveson s Requirements State Machine Language Adds tabular specification of complex conditions Statecharts ƒ A7e approach Major project led by Parnas formalize A7e aircraft spec Uses tables specify transition relations & outputs ƒ SCR Heitmeyer et. al. Software Cost Reduction Extends A7e approach include dictionaries & support tables 10 5

6 (3) Formal Conceptual Modeling General approach ƒ model world beyond functional specifications a specification is prescriptive, concentrating on desired properties of machine but we also need capture an understanding of application domain hence build models of humans knowledge/beliefs about world ƒ make use of abstraction & refinement as structuring primitives ƒ RML - Requirements Modeling Language Developed by Greenspan & Mylopoulos in mid-1980s First major attempt use knowledge representation techniques in RE Essentially an object oriented language, with classes for activities, entities and assertions Uses First Order Predicate Language as an underlying reasoning engine ƒ Telos Extends RML by creating a fully extensible onlogy meta-level classes define onlogy ( basic set is built in) ƒ Albert II developed by Dubois & du Bois in mid-1990s Models a set of interacting agents that perform actions that change ir state uses an object-oriented real-time temporal logic for reasoning 11 Example: State Transition Diagram on hook / quiet busy idle off hook / dial ne on hook / quiet Dial busy number / busy ne dial ne on hook / quiet on hook / quiet Dial idle number / ringing ne Called party on hook / dial ne ringing Called party off hook / connected connected state transition stimulus response 12 6

7 Example: Statecharts Off hook Lift receiver Dial (callee idle) idle Dial ne Ringing ne Replace receiver Dial (callee busy) Busy ne Callee replaces receiver Callee lifts receiver connected state Super-state Sub-state transition Default entry state stimulus guard 13 Four Variable Model: System Example: SCR Monired Variables input devices input data items software output data items output devices Controlled Variables Enviroment Enviroment Dictionaries: Monired/Controlled Variables Mode Transition Tables VariableTypeInitial ValueUnitsWarningFlagbooleanfalse-OrFlagbooleantrueFudgelevelenumeratedone-Waterlevelreal0.0mtemperaturereal0.0degrees CurrentModePoweredonToo ColdTemp OKToo CBlipCounterinteger0milesTimeNowreal100.0secAirBrakeAccreal0.0m/sec HotNew CurrentModePoweredonToo ColdTemp OKToo Hot Tables: CurrentModePoweredonToo ColdTemp OKToo HotNew Event Tables also: Assertions, Scenarios, light =OffOn =OffOn... Types TypeBaseTypeValuesUnitsWarningLevelenumeratedlow,med,high-Temperatureinteger degrees CWaterlevelinteger0..100metersFlagenumeratedon, off- Constants Condition Tables ModesEventsNoFailuretruefalseACFailuretemp > temp0 ConstantTypeValueUnitsLowTempinteger15degrees CHighTempinteger23degrees CMaxTimeOutinteger300millisecReferenceSafetyLevelsafetytypelow-TempMargininteger5degrees C ModesEventsNoFailurefalsetrueACFailure, HeatFailuretruefa On SCR Specification 14 7

8 SCR basics Modes and Mode classes ƒ A mode class is a finite state machine, with states called system modes Transitions in each mode class are triggered by events ƒ Complex systems are described using a number of mode classes operating in parallel System State ƒ A (system) state is defined as: system is in exactly one mode from each mode class and each variable has a unique value Events ƒ An event occurs when any system entity changes value An input event occurs when an input variable changes value Single input assumption - only one input event can occur at once means c changed from false true ƒ A conditioned event is an event with a WHEN d means: c became true when c was false and d was true Source: Adapted from Heitmeyer et. al SCR Tables Mode Class Tables ƒ Define set of modes (states) that software can be in. ƒ A complex system will have many different modes classes Each mode class has a mode table showing conditions that cause transitions between modes ƒ A mode table defines a partial function from modes and events modes Event Tables ƒ An event table defines how a term or controlled variable changes in response input events ƒ Defines a partial function from modes and events variable values Condition Tables ƒ A condition table defines value of a term or controlled variable under every possible condition ƒ Defines a tal function from modes and conditions variable values Source: Adapted from Heitmeyer et. al

9 Example: Temp Control System Mode transition table: Current Powered Too Cold Temp OK Too Hot New Mode Mode on - t - t t AC Off - - Heat - - AC Off - - Inactive Off - - Inactive Source: Adapted from Heitmeyer et. al Failure modes Mode transition table: Current Mode Powered on Cold Heater Too Cold Warm AC Too Hot New Mode NoFailure t - - HeatFailure t - t ACFailure HeatFailure t - - NoFailure ACFailure t - t NoFailure Event table: Modes never ACFailure, HeatFailure Warning light = Off On Source: Adapted from Heitmeyer et. al

10 Syntax Consistency Checks in SCR ƒ did we use notation correctly? Type Checks ƒ do we use each variable correctly? Disjointness ƒ is re any overlap between rows of mode tables? ensures we have a deterministic state machine Coverage ƒ does each condition table define a value for all possible conditions? Mode Reachability ƒ is re any mode that cannot ever happen? Cycle Detection ƒ have we defined any variable in terms of itself? 19 Using Formal Methods Selective use of Formal Methods ƒ Amount of formality can vary ƒ Need not build complete formal models Apply most critical pieces Apply where existing analysis techniques are weak ƒ Need not formally analyze every system property E.g. check safety properties only ƒ Need not apply FM in every phase of development E.g. use for modeling, but don t formalize system design ƒ Can choose what level of abstraction (amount of detail) model Lightweight Formal Methods ƒ Have become popular as a means of getting technology transferred ƒ Two approaches Lightweight use of FMs - selectively apply FMs for partial modeling Lightweight FMs - new methods that allow unevaluated predicates 20 10