Definition and Documentation of Software Architectures David M. Weiss, David Lorge Parnas. Abstract

Similar documents
Fundamentals to Creating Architectures using ISO/IEC/IEEE Standards

David Lorge Parnas. Abstract

Software Architectures. Lecture 6 (part 1)

Ch 1: The Architecture Business Cycle

Architecture Viewpoint Template for ISO/IEC/IEEE 42010

Quality-Driven Architecture Design Method

Complexity. Object Orientated Analysis and Design. Benjamin Kenwright

Domain Engineering And Variability In The Reuse-Driven Software Engineering Business.

ENTITIES IN THE OBJECT-ORIENTED DESIGN PROCESS MODEL

OBJECT-ORIENTED SOFTWARE DEVELOPMENT Using OBJECT MODELING TECHNIQUE (OMT)

Analysis and Design with the Universal Design Pattern

Software Development Methodologies

Topics in Object-Oriented Design Patterns

Introducing MESSIA: A Methodology of Developing Software Architectures Supporting Implementation Independence

ISO/IEC/ IEEE INTERNATIONAL STANDARD. Systems and software engineering Architecture description

Design Pattern: Composite

What is Software Architecture

An Information Model for High-Integrity Real Time Systems

Software Service Engineering

Comparative Analysis of Architectural Views Based on UML

Heuristic Evaluation of Groupware. How to do Heuristic Evaluation of Groupware. Benefits

Sommerville Chapter 6 The High-Level Structure of a Software Intensive System. Architectural Design. Slides courtesy Prof.

Specifying Usability Features with Patterns and Templates

Nick Rozanski Andy Longshaw Eoin Woods. Sold! How to Describe, Explain and Justify your Architecture

Introduction to UML What is UML? Motivations for UML Types of UML diagrams UML syntax Descriptions of the various diagram types Rational Rose (IBM.. M

Software Architecture. Lecture 5

The Center for Internet Security

The Past, Present and Future of Software Architecture

From Domain Models to Architectures

Software Architecture

Software Architecture and Design I

Introduction to Software Engineering. 5. Modeling Objects and Classes

Software Language Engineering of Architectural Viewpoints

Product-Line Requirements Specification (PRS): an Approach and Case Study

In his paper of 1972, Parnas proposed the following problem [42]:

JOURNAL OF OBJECT TECHNOLOGY

L17: Assurance. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Developing Software Applications Using Middleware Infrastructure: Role Based and Coordination Component Framework Approach

Transformation of analysis model to design model

Case 1:98-cv CKK Document Filed 06/15/2006 Page 1 of 7 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

Thirty one Problems in the Semantics of UML 1.3 Dynamics

SOME TYPES AND USES OF DATA MODELS

Certification Authorities Software Team (CAST) Position Paper CAST-25

Common Lisp Object System Specification. 1. Programmer Interface Concepts

Adding Formal Requirements Modeling to SysML

Supervised classification of law area in the legal domain

ARCHITECTING IN THE GAPS

Computer Aided Draughting and Design: Graded Unit 1

CS 575: Software Design

Course "Softwaretechnik" Book Chapter 2 Modeling with UML

Rose/Architect: a tool to visualize architecture

Module 1. Introduction:

Chapter 12. UML and Patterns. Copyright 2008 Pearson Addison-Wesley. All rights reserved

Getting a Quick Start with RUP

SOFTWARE DESIGN COSC 4353 / Dr. Raj Singh

Style-specific techniques to design product-line architectures

A-7E SOFTWARE MODULE GUIDE

Designing and documenting the behavior of software

PRINCIPLES AND FUNCTIONAL REQUIREMENTS

ER Modeling Data Modeling and the Entity-Relationship (ER) Diagram Pg 1

II. Review/Expansion of Definitions - Ask class for definitions

21) Functional and Modular Design

Computer Science 520/620 Spring 2013 Prof. L. Osterweil" Use Cases" Software Models and Representations" Part 4" More, and Multiple Models"

Computer Science 520/620 Spring 2013 Prof. L. Osterweil" Software Models and Representations" Part 4" More, and Multiple Models" Use Cases"

Current Best Practices in Software Architecture. Session 1: What Is Software Architecture? Why Is It Important?

Subject: Audit Report 16-50, IT Disaster Recovery, California State University, Fresno

How and Why to Use the Unified Modeling Language. among software components, architectural-based

NOTES ON OBJECT-ORIENTED MODELING AND DESIGN

Architecture-Centric Evolution in Software Product Lines:

CIS 771: Software Specifications

Towards the integration of security patterns in UML Component-based Applications

A Sketchy Evolution of Software Design. Three Papers by David Parnas

Executable UML. Stephen J. Mellor

CS560 Lecture: Software Architecture Includes slides by I. Sommerville

WHAT IS SOFTWARE ARCHITECTURE?

Massive Data Analysis

Introduction. Chapter 1. What Is Visual Modeling? The Triangle for Success. The Role of Notation. History of the UML. The Role of Process

Software Architecture

Design of Embedded Systems

A CPU Scheduling Algorithm Simulator

Introduction to Software Engineering. 6. Modeling Behaviour

Object Oriented Finite Element Modeling

Internet Printing Protocol (IPP): Override Attributes for Documents and Pages

ISO/IEC : 1994(E) ITU-T Rec. X.200 (1994 E) Information Processing Systems OSI Reference Model The Basic Model

Improving System Usability Through the Automation of User's Routine Intentions: an Image Edition Tool Case Study

The Analysis and Proposed Modifications to ISO/IEC Software Engineering Software Quality Requirements and Evaluation Quality Requirements

Sub- PPL Unit-I Class-SE Comp

Review Software Engineering October, 7, Adrian Iftene

Designing Component-Based Architectures with Rational Rose RealTime

UC Irvine UC Irvine Previously Published Works

A Transformation-Based Model of Evolutionary Architecting for Embedded System Product Lines

DIGITAL VS. ANALOG SIGNAL PROCESSING Digital signal processing (DSP) characterized by: OUTLINE APPLICATIONS OF DIGITAL SIGNAL PROCESSING

Granularity of Documentation

1. Federation Participant Information DRAFT

Relaxed Memory-Consistency Models

ACCOMMODATING USABILITY DRIVEN CHANGES IN EXISTING SOFTWARE ARCHITECTURE

Human Error Taxonomy

Object-Oriented Software Engineering Practical Software Development using UML and Java

Diseño y Evaluación de Arquitecturas de Software. Architecture Based Design Method

A Framework for Enforcing Constrained RBAC Policies

Transcription:

Definition and Documentation of Software Architectures David M. Weiss, David Lorge Parnas Abstract This paper discusses the work of the software architect by describing a software architect s concerns and the documents that a software architect should produce. It proposes a definition of software architecture and discusses archtectural design criteria based on the idea that every architecture is expected to meet a specified set of goals. We start with a discussion of the meaning of architecture, then discuss the goals of an architect, proceed to what s needed to achieve those goals, describe ways of documenting architectural design decisions, and finally discuss how to determine how well the design goals have been met for any given architecture. 1 An Analogy: Traditional Architecture When buildings are designed, constructed, or renovated, key designers, designated as architects, have a broad range of responsibilities. An architect prepares initial sketches of the building, showing both external appearance and internal layout, and discusses these sketches with clients until all concerned have agreed that what is shown is what they want. The sketches are abstractions; they omit many details of the building. After the clients and architects agree on these abstractions, the architects prepare, or supervise the preparation of, much more detailed drawings as well as associated textual specifications. These drawings and specifications describe many nitty gritty details of a building, such as plumbing, siding materials, window glazing, electrical wiring, etc. On rare occasions an architect simply hands the detailed plans to a builder who completes the project in accordance with the plans. For more important projects, the architect remains involved, regularly inspects the work, and may propose changes or accept suggestions for change from builder and customer. When the architect supervises the project, it is not considered complete until the architect certifies that it is in substantial compliance with the plans and specifications. We employ architect(s) to assure that the design (1) meets the needs of the client, (2) has conceptual integrity, i.e. that the same design rules are used throughout, and (3) meets legal and safety requirements. An important part of the architect s role is to insure that the design concepts are consistently realised during the implementation. Sometimes, the architect also acts as a mediator between builder and client. It is important to note that a building architect is concerned with far more than the facade of the building and that the architect s decisions constrain the builders. However, it is even more important to note that the architect does not make all of the design decisions. The architect specifies certain essential properties of the design, but project supervisors, carpenters and others often have to make further decisions while completing the construction. There is often some disagreement about which decisions are in the realm of the architect and which are left to others, but it is always clear that the architect makes the major decisions, including all that can affect the usability, safety, and maintainability of the structure. 10/12/01 1/8

2 Software Architecture Software development projects need people who play the same role in software development that traditional architects play when buildings are constructed or renovated. However it has never been clear exactly which decisions are the purview of the architect and which can be left to the implementors. The definition of what an architect does in a software project is more difficult than the analogous definition for building architects because of three factors, (1) lack of tradition, (2) the abstract nature of the product, and (3) the complexity of the product. In particular: Building architects can look back to thousands of years of history to see what architects have done in the past; in software we have only a few decades of history. Furthermore, there are standards for describing the drawings and specifications that the architects produce, allowing present architects to take advantage of the recorded history of architecture. Buildings are physical products; there is a clear distinction between the plans produced by the architects and the building produced by the workers. Buildings are very simple objects when compared to the software that we build today. A portrayal of how a software architect carries out his/her role within a large software development organization can be found in [12]; in this paper we will discuss only the workproducts (documents) produced by a software architect and set aside issues of process. On major projects, there are often many architects. Some architects are quite specialized and always work as part of a team, but in the following we will write as if there were only one. 3 What constitutes a software architecture? It is a mistake to think of an architecture as if it were a simple entity that could be described by a single document or drawing. Architects must make many design decisions. To be useful, these decisions must be documented so that they can be reviewed, discussed, modified, approved and then serve to constrain subsequent decision making and construction. For software products, the most important design decisions are behavioral and structural. External behavioral descriptions show how the product will interface with its users, other systems, and external devices, and should take the form of requirements documents such as [8]. Structural descriptions show how the product is divided into parts and the relations between those parts. Internal behavioral descriptions are needed to describe the interfaces between components [6]. Structural descriptions often show several distinct views of the same object because it is impossible to put all the information in one drawing or document. A component in one view may be a part of a component in another. In the sequel, we will use the word architecture to refer to a set of annotated diagrams and functional descriptions, which we describe in detail in subsequent sections. 4 What are the concerns of an architect? Throughout the course of a project, the following issues concern an architect. Concern 1. Concern 2. Concern 3. What functionality does the product offer to its users? What changes may be needed in the software in the future, and what changes are unlikely and need not be especially easy to make in the future. What will the performance of the product be? 10/12/01 2/8

Concern 4. Concern 5. Concern 6. How is the task of writing the software organized into work assignments (modules)? How can the software be built as a set of components that can be independently implemented and verified? What components should be acquired from external suppliers? If the product will exist in several variations, how can it be developed as a product-line, taking advantage of the commonality among the versions, and what are the steps by which the products in the product-line can be developed? What investment should be made in creating a software product-line? What is the expected return from creating the options to develop different members of the product-line? In particular, is it possible to develop the smallest, minimally useful product first and then develop additional members of the family by adding components without having to change the code that was written previously. Concern 7. If the product requires authorization for its use, or must restrict access to data [] how can security of data be ensured? How can denial of service attacks be prevented? 5 What are the important structures and their associated concerns? Key structural decisions divide the product into components and define the relationships among those components [2], [5], [10], [11]. For any given product, there are many structures that need to be designed. Each must be designed separately, i.e., must be viewed as a separate concern. For each structure that we discuss, we describe the components and the relations among them that define the structure as well as the concerns that the structure addresses. We consider the structures described in the following sections to be of primary importance given the concerns on our list. 5.1 The Information Hiding Module Structures Components and Relations: The primary components are known as information hiding modules, where each module is a work assignment for a group of developers, and each module embodies a design decision. We say that a design decision is the secret of a module if the decision can be changed without affecting any other module [9, Chapters 7,16]. The most basic relation between the modules is part of. Information hiding module A is part of information hiding module B if A s secret is a part of B s secret. Note that it must be possible to change A s secret without changing any other part of B; otherwise A is not a submodule according to our definition. Each module (work assignment) includes a set of programs to be written. Some of these programs are accessible on the module s interface, others are internal. A second information hiding module structure is based on the relation contained in between programs and modules. A program P is contained in a module M if part of the work assignment M is to write P. Note that every program is contained in a module because every program must be part of some developer s work assignment. Modules may also be related through interfaces. A module s interface is a set of assumptions that programs outside the module may make about the module and the set of assumptions that the module s programs make about programs and data structures of other modules. A is said to depend on B s interface if a change to B s interface might require a change in A. 10/12/01 3/8

The part of structure is a hierarchy. At the leaf nodes of the hierarchy are modules that contain no identified sub-modules. The contained in structure is also a hierarchy, since each program is contained in only one module. The depends on relation does not necessarily define a hierarchy as two modules may depend on each other either directly or through a longer loop in the depends on relation. Note that depends on should not be confused with uses as defined in a following section. Concerns Satisfied: The information hiding structures should be designed so that they satisfy concerns 2, 4, and 5. 5.2 The Uses Structure Components and Relation: Information hiding modules, as defined previously, comprise one or more programs. Two programs are included in the same module if and only if they share a secret. The components of the uses structure are programs that may be independently invoked, such as procedures, functions, or named macros. Note that programs may be invoked by each other or by the hardware, (e.g, an interrupt routine), and the invocation may come from a program in a different name space, e.g., an operating system routine or a remote procedure. 1 Furthermore, the time at which an invocation may occur could be any time from compile time through run time. We say that program A uses program B if B must be present and satisfy its specification for A to satisfy its specification. In other words, B must be present and operate correctly for A to operate correctly. The uses relation is sometimes known as requires the presence of a correct version of. For a further explanation and example, see [9, Chapter 14]. A desirable property in the uses relation for a software system is that it defines a hierarchy, i.e., has no loops in it. When there is a loop in the uses relation, all programs that participate in the loop must be present and working in the system for any of them to work. When there are no loops in the uses relation, a layered structure is imposed on the software. At the bottom layer, level 0, are all programs that use no other programs. Level n consists of all programs that use programs in level n-1 or below. The uses structure determines what working subsets can be built. A system that has a hierarchical uses structure can be built one or a few layers at a time. These layers are sometimes known as levels of abstraction, but this is a misnomer. As the components are individual programs, not whole modules, they do not abstract from (hide) anything. The levels should be called levels of abstraction only if all programs in a module are at the same level. As shown in the references, this is not generally a good idea [9, Chapter 14]. Since it may not be possible to construct a completely loop-free uses relation, an architect may wish to treat all of the programs in a uses loop as a single program for the purpose of subseting; A subset must include either the whole program or none of it. Often, a large software system may have too many programs to make the description of the uses relation among programs easily understandable. In such cases, the uses relation may be formed on aggregations of programs. Such aggregated descriptions lose important information but help to present the big picture. For example, one can sometimes form a uses relation on 1.We will only consider forming a uses structure among programs that operate at the same binding time. It is probably easiest just to think about programs that operate at run-time, first, but we could form a uses relation among programs that operate at compile-time or load-time. 10/12/01 4/8

information hiding modules, but unless all programs in a module are on the same level of the programmatic uses hierarchy important information is lost. In some projects, the uses relation for a system is not fully determined until the system is implemented, because the implementors determine what programs they will use as the implementation proceeds. However, the architects for the system may restrict the choices that the implementors have, i.e., they can create an allowed-to-use relation at design time that constrains the implementors choices. In the remainder of this paper, we will not distinguish between uses and allowed to use. Concerns Satisfied: 6 5.3 The Process Structures Components and Relation: The components that participate in the process structure are processes. Processes are run-time sequences of events that are controlled by programs [7], i.e., each program executes as part of a process. A program may be executing as part of many processes. The sequence of events in one process proceed independently of the sequence of events in another process except where the processes synchronize with each other, i.e., when one process waits for a signal or a message from the other. Processes are allocated resources, including memory and processor time, by support systems. A product may contain a fixed number of processes, or it may create and destroy processes while running. Processes are the components of several distinct relations. 5.3.1 Process gives work to structure One process may create work that must be completed by other processes. This structure is essential in determining whether or not a system can get into a deadlock. 5.3.2 Process gets resources from structure In systems with dynamic resource allocation, one process may control the resources used by another, where the second must request and return those resources. There may even be distinct controlling processes for each resource as a requesting process may request resources from several controllers. 5.3.3 Process shares resources with structure Two processes may share resources such as printers, memory, or ports. If two processes share a resource, synchronisation is necessary to prevent usage conflicts. There may be distinct relations for each resource. Concerns Satisfied: 3 5.3.4 Process contained in module structure Every process is controlled by a program, and, as noted in section 5.1, every program is contained in a module. Consequently, we can consider a process to be contained in a module. Concerns Satisfied: 2 5.3.5 Process uses program structure 10/12/01 5/8

Every process is controlled by a program which may use other programs. Thus, we may also design a process uses program structure, but the information in it can be derived from other structures. 5.4 Data Access Structure The data in a system may be divided into segments with the property that if a program has access to any data in a segment it has access to all data in that segment 2. The data access structure has two kinds of components, programs and segments. The relation is a relation between programs and segments entitled has access to. A system is thought to be more secure if this structure minimizes the access rights of programs and is tightly enforced. Concerns Satisfied: 7. 6 Summary of Structures Table1 summarizes the software structures, how they are defined, and the concerns that they satisfy. Figure 1: Structures And The Concerns That They Address Structure Components Relations Concerns Information Hiding Information Hiding Modules 7 Documenting An Architecture Is a part of, Is contained in Uses Programs Uses 6 Process Data Access Processes (Tasks, Threads) Programs and Segments Gives work to, Gets resources from, Shares resources with, Contained in, and others Documenting an architecture means documenting each of the structures. For each structure we propose a specific form of documentation. Each of these forms of documentation is designed especially to specify one architectural structure, and each has been used before [9, Chapter 18]. 7.1 Documenting the Information Hiding Module Hierarchy 1,2,4,5 An information hiding hierarchy is best documented in a module guide. A module guide describes an information hiding hierarchy as a tree 3 of modules. Modules are described by their secrets, and the lowest level of the tree consists of modules that are suitable for implementation by 2.To simplify the description the decomposition should use maximally sized segments by adding the condition that if two segments are accessed by the same set of programs, those two segments should be combined. 3 Has access to 7 10/12/01 6/8

one or a few developers. For each module in the lowest level we specify in separate documents its abstract interface and its internal design. For a further explanation of a module guide and examples see [9, Chapter 16], [15, Chapter 5]. For a description of how to create an abstract interface specification see [9, Chapter 15], and for a standard way of representing an abstract interface specification see [6]. 7.2 Documenting the Uses Relation The uses relation may be documented in a table, as in [4], or as a graph, as in [15, Chapter 5] and [9, Chapter 14]. Since the uses relation for a large system may become complicated, there are several ways in which its description may be simplified, notably by grouping together all of the programs in a single module for the purpose of specifying which other programs they are allowed to use, and then singling out exceptional cases, a device used in [4]. 7.3 Documenting the Process Structures Each of the process related structures discussed in section 5.3 must be documented separately, but they can all be documented using an incidence matrix. In this technique there is a row for every element of the domain of the relation and a column for every element of the range of a relation. A 1 in a given entry indicates that the element associated with the row maps onto the element associated with the domain. Processes that produce required outputs for the system are associated with modules that we call function driver modules. We can document their behavior by specifying the conditions under which they produce specific outputs, including their timing, as shown in [3]. Additional devices, such as message sequence charts, can be used to show the sequencing of messages exchanged among processes. 7.4 Documenting the data access structure Since the data access structure is governed by the has access to relation, which we define as whether or not a program has access to a data segment, we can also use incidence matrices for documentation. The rows in a matrix will represent programs and the columns represent data segments. Since an access relation may define more than just whether or not a program has access to a segment, and since one may want to categorize programs by access privileges, we leave it to the discretion of the architect to decide whether to use a single matrix to describe all data access privileges or to use several different matrices to describe different types of privileges. 8 Reviewing Software Architectures Reviewing a software architecture consists of analyzing the structures that comprise the architecture to determine if the concerns that drive the architecture are satisfied. We may use an active, goal-oriented process as described in [9. Chapter 17], or a software architecture review board, as described in [1], to conduct such a review. Standardizing on the concerns and the structures allows us to organize reviews in a standard way, drawing from a standard set of questions to focus the review. We then have a systematic way of verifying that an architecture satisfies each concern. 3.The relation must be a tree because if any module were part of two larger modules, there would be a violation of the information hiding principle. The secret of the shared submodule would be known to the two larger modules. 10/12/01 7/8

9 Summary We have identified the major concerns that architectures should satisfy, described the architectural structures that can be used to determine whether or not each concern is satisfied for a particular architecture, and proposed a set of documents that can be used to describe each structure. Using these structures and the accompanying documentation will allow Avaya software development projects better to create, specify, review, enforce, and evolve their software architectures and the implementations governed by those architectures. 10 Acknowledgements Birgit Geppert and Joe Maranzano made helpful comments on an early draft of this paper. 11 References 1. AT&T, Best Current Practices: Software Architecture Validation. 2. Booch, Rumbaugh, Jacobson, The UML Modeling Language User Guide, Addison-Wesley, 1999 3. Clements, P.; Function Specifications for the A-7E Function Driver Module, NRL Memorandum Report 4658, 27 November 1981 4. Clements, P.C., A-7E OFP Uses Specification, NRL Technical Memorandum 7595-011:PC:pc, June 1984, version 1.10, March 1986 5. Clements, P., Kazman, R., Bass, L.; Software Architecture in Practice, Addison Wesley, 1999 6. Clements, P.C., R.A. Parker, D.L. Parnas, J.E. Shore, and K.H. Britton; A Standard Organization for Specifying Abstract Interfaces, NRL Report 8815, June 14, 1984. 7. Dijkstra, E. W., Co-operating Sequential Processes, Programming Languages, ed. F. Genuys, New York: Academic Press, pp. 43-112, 1968 8. Heninger, K., Kallander, J., Parnas, D.L., Shore, J., Software Requirements for the A-7E Aircraft, NRL Report 3876, November 1978, 523 pgs. 9. Hoffman, D., Weiss, D. eds; Software Fundamentals: Collected Papers By David L. Parnas, Addison Wesley 2000 10. IEEE Recommended Practice for Architectural Description of Software Intensive Systems, IEEE Std 1471-2000 11. Garlan, D, Perry, D.; Introduction to the Special Issue on Software Architecture, IEEE Transactions on Software Engineering, Vol 21, No. 4, April 1995 12. Grinter, R. E. (1999) Systems Architecture: Product Designing and Social Engineering In Proceedings of ACM Conference on Work Activities Coordination and Collaboration (WACC '99). San Francisco, California: February 20-22. 11-18. 13. Parnas, D.L., Clements, P.C.; A Rational Design Process: How and Why to Fake It, IEEE Transactions on Software Engineering, SE-12, No. 2, February 1986, 251-257 14. Parnas, D.L.,Clements, P.C., Weiss, D.M.; The Modular Structure Of Complex Systems, IEEE Transactions on Software Engineering, SE-11., pp. 259-266, March 1985 15. Weiss, David M., Lai, Chi Tau Robert, Software Product Line Engineering, Addison Wesley Longman, 1999. 10/12/01 8/8