Analyzing the Requirements with Formal Specifications
Vienna Development Method Specification Language (VDM-SL)
Book: Formal Software Development: From VDM to Java, Quentin Charatan and Aaron Kans
The Case Study: Incubator Control
Problem: The temperature of the incubator needs to be carefully controlled and monitored
The aim is to provide the correct conditions for a particular biological experiment to be undertaken
The software is needed to monitor and control the incubator temperature.
The Case Study: Incubator Control
(simple version of the system)
In this version, control of the hardware lies outside of our system; in other words, a system will be specified that
simply monitors the temperature of the incubator.
The Case Study: Incubator Control
The hardware increments or decrements the temperature of the incubator in response to instructions
Each time a change of one degree has been achieved, the software is informed of the change
According to the safety requirements, the temperature of the incubator must never be allowed to rise above +10 Celsius, nor fall below -10 Celsius.
The UML specification identifies a single class, IncubatorMonitor.
One attribute and three methods are identified. The attribute records the temperature of the system and will be of type
integer. The first two methods do not involve any input or output (since they
merely record an increase or decrease of one degree). The third method reads the value of the temperature, and therefore will
output an integer.
The UML diagram indicates that there is no input as a formal parameter. Where there are formal parameters, each name is followed by its type (separated by a colon). If there is an output from the operation, this is placed after the brackets.
Specifying the State of the System in VDM-SL
The state refers to the permanent data that must be stored by the system and which can be accessed by operations. It corresponds to the attributes in the class diagram.
The state is specified by declaring variables, much as is done in a programming language; the notation is similar to the form used in the UML diagram.
One or more variables are specified, each with a name and a type of data.
Basic variable types in VDM-SL
Specifying the state of the Incubator Monitor System
• The only data item is the current temperature of the incubator
• It is defined with type integer and is called temp
The state is specified as follows:
The variable temp (to hold the temperature) is declared to be of type integer. This is the only item of data to record in this case.
Specifying the Operations
A number of operations are specified; the system should be able to perform these
operations by accessing the data (i.e. the state). In VDM operations it is possible to access the
state either by reading or writing the data, or both.
Operation Types for this problem
There are three operations:
• an operation that records an increment in the temperature;
• an operation that records a decrement in the temperature;
• an operation that reads the value of the temperature.
Specifying the Operations
In VDM-SL, an operation consists of four sections:
• the operation header;
• the external clause;
• the precondition;
• the postcondition.
The increment operation
Operation names (headers) are generally written in upper case in VDM texts. Here lower case will be used, so that the operation names correspond to the
UML diagrams and to the Java code.
The external clause is introduced by the VDM keyword ext.
Keywords are written in lower case; they are bold and non-italic.
Variable and type names are plain but italicized. One purpose of the external clause is to
restrict the access of the operation to only certain components of the state.
The other purpose of the external clause is to specify the mode of access: read-only (indicated by the keyword rd) or read-write (indicated by the keyword wr).
The external clause
There is only one component to the state (temp). In this operation it is necessary to have read-write
access to that component, because the operation actually needs to change the
temperature.
The postcondition (keyword post)
The postcondition states the conditions that hold after the operation has been performed.
It is a predicate, containing one or more variables; the aim is to make the whole
statement true. Only state variables that appear in the ext clause
can be included in the postcondition.
The postcondition
Any operation that has write access to a component
of the state can change the value of that component. Therefore it is necessary to distinguish the value of
the state component before the operation from the value after it has taken place - in other words the old value and the new value.
In VDM-SL we do this by placing an overscore over the old value, to distinguish it from the new value.
The postcondition for the increment operation is:
Important
What should happen is being described, and not how it should happen.
The precondition (keyword pre)
The purpose of the precondition is to place any necessary constraints on an operation. In the incubator system the temperature is
allowed to vary only within the range -10 to +10 degrees.
If a precondition were not specified here, the system would allow a temperature outside the allowed range to be recorded. Therefore we avoid allowing abnormal behaviour of
the system by including a precondition.
The precondition (keyword pre)
We can specify the outcome of the operation only if certain conditions are met prior to the operation being invoked.
If our precondition is not met, we can say nothing about what should happen.
The decrement operation
The getTemp operation
The output variable is placed after the brackets that follow the operation name, together with its type. This operation does not require write access to temp, since it is
not going to change this value, but simply read it - hence the use of the keyword rd in the external clause.
The getTemp operation
The precondition consists simply of the word TRUE;
what we are effectively saying here is that this operation needs no precondition.
It is a simple read operation and there is no set of circumstances under which the operation should not take place.
A precondition with a value of TRUE is the weakest possible precondition.
It is acceptable in such a case to leave the precondition out altogether, rather than to specify it as TRUE.
The getTemp operation
The postcondition is straightforward - we just declare the output value,
currentTemp, to be equal to the temperature of the incubator.
This is a predicate, not an assignment statement; it could equally have been written:
Declaring constants
It is possible in VDM-SL to specify constants.
This is not essential to any specification, but can greatly enhance its readability.
It is done by using the keyword values. The declaration comes immediately
before the state definition.
Declaring constants
The convention is to use upper case for constant values.
These values could then be used in our functions and operations:
Specifying functions
A function is a set of assignments from one set to another. The function receives an input value (or values) and
maps this to an output value according to some rule. For example:
• A function could accept an integer and output the square of that integer.
• A function could accept the name of a person and output that person's telephone number.
There are two ways in which we can specify a function in VDM-SL
Specifying a Function Explicitly
Here we explicitly define the method of transforming the inputs to the
output.
Example: adding two numbers together:
The first line is called the function signature. Its purpose is to state the input types that the function accepts,
on the left of the arrow, together with the output type, on the right of the arrow.
This function takes two inputs, both of type real number, and outputs a value that is also of type real number.
The second part is the definition, and describes the algorithm that is used for transforming the inputs to the output. This definition is placed on the right of the symbol, which is read "is defined as".
(Figure labels: Function signature; Function algorithm)
Specifying a Function Implicitly
A precondition and postcondition are given in the same way as
described for operations. The function does not access the state
variables.
The add function defined implicitly:
Example 1: An Absolute Function defined implicitly
The implicit specification
The postcondition is a predicate consisting of two disjuncts. For the predicate to be true, one of these disjuncts must
be true. The first disjunct, z < 0 ∧ r = -z, ensures that if the input, z, is
negative, then the output, r, will be equal to -z. The second disjunct, z ≥ 0 ∧ r = z, ensures that if z is positive (or
zero), the output r will be equal to z. Both disjuncts cannot be true at the same time.
Example 1: An absolute function defined explicitly
The explicit specification (uses the keywords if, then and else)
Important: if a function requires a precondition, then in the
explicit definition this is placed after the definition.
Example 2: Recursive functions
Some functions can be specified by a recursive definition. This means that the function calls itself.
A factorial function:
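An added example (not from the slides or the book): the implicit and explicit definitions of the absolute-value and add functions side by side, with the explicit definition checked against the implicit postcondition, plus a recursive factorial. The exact form of the slides' factorial is not shown on the page, so the standard definition with precondition n ≥ 0 is assumed.

```python
def post_abs(z: float, r: float) -> bool:
    """Implicit spec of abs: post (z < 0 and r = -z) or (z >= 0 and r = z)."""
    return (z < 0 and r == -z) or (z >= 0 and r == z)


def abs_explicit(z: float) -> float:
    """Explicit spec of abs: abs(z) == if z < 0 then -z else z."""
    return -z if z < 0 else z


def abs_meets_spec(z: float) -> bool:
    """Check the explicit definition against the implicit postcondition."""
    return post_abs(z, abs_explicit(z))


def both_disjuncts_hold(z: float, r: float) -> bool:
    """The two disjuncts can never both be true; this is always False."""
    return (z < 0 and r == -z) and (z >= 0 and r == z)


def add_explicit(x: float, y: float) -> float:
    """Explicit spec: add(x, y) == x + y."""
    return x + y


def post_add(x: float, y: float, r: float) -> bool:
    """Implicit spec of add: post r = x + y."""
    return r == x + y


def factorial(n: int) -> int:
    """Recursive explicit definition (assumed standard form):
    pre n >= 0; fact(n) == if n = 0 then 1 else n * fact(n - 1)."""
    if n < 0:
        raise ValueError("precondition n >= 0 violated")
    return 1 if n == 0 else n * factorial(n - 1)
```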
Specifying a State Invariant
The requirements of the incubator state that the
temperature of the incubator must stay within the range -10 to +10 Celsius.
There is a mechanism for applying such a restriction to the specification of the state: specifying a function known as a state invariant.
This is called creating a global constraint. It is different from the local constraint, which is the
precondition.
The invariant definition uses the keyword inv.
Specifying a State Invariant
For the IncubatorMonitor system the invariant is specified as
After the keyword inv there is the expression mk-IncubatorMonitor(t). It is the input to the inv function.
This expression is itself a function, and is known as a make function (mk stands for "make").
Its purpose is to construct an object (IncubatorMonitor) from the values in the parameter list in the brackets.
The parameter names are arbitrary; they are matched to the components of the state. In this example there is only one component, temp.
On the right of the symbol there is the predicate that the input parameters must satisfy.
In the example, the temperature must lie between -10 and +10 Celsius (MIN and MAX).
Specifying a State Invariant
Specifying an Initialization Function
When the incubator is turned on, its temperature is adjusted until a steady 5 degrees Celsius is obtained.
At this point the software system is activated. The initialization function should state that when the
system is first invoked, the temperature should be set to 5.
This function is specified after the declaration of the invariant.
It prescribes the conditions that the system must satisfy when it is first brought into being.
It is similar in style to the invariant function, and has the same signature.
The interpretation is that the expression on the right hand side of the symbol defines the conditions that must be true after the system
is first brought into being. This function preserves the invariant, since it
sets the temperature to 5 degrees, which is within the constraints allowed.
Specifying an Initialization Function
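An added example (not the book's or the slides' own code) serving both the operations section (ext, pre, post with the old value) and the invariant and initialization section: an executable model of the IncubatorMonitor specification in which each VDM-SL clause becomes a runtime check. The operation names increment, decrement and getTemp and the constants MIN and MAX follow the slides; the exact clause text is assumed, since the page does not show it.

```python
MIN = -10   # values clause: constants are written in upper case
MAX = 10


def inv_IncubatorMonitor(t: int) -> bool:
    """State invariant: inv mk-IncubatorMonitor(t) == MIN <= t <= MAX."""
    return MIN <= t <= MAX


def init_IncubatorMonitor(t: int) -> bool:
    """Initialization function: the system starts at a steady 5 degrees."""
    return t == 5


def pre_increment(temp: int) -> bool:
    """Local constraint of increment: the new value must stay in range."""
    return temp < MAX


def pre_decrement(temp: int) -> bool:
    """Local constraint of decrement."""
    return temp > MIN


class IncubatorMonitor:
    def __init__(self) -> None:
        self.temp = 5                         # state: temp : int
        assert init_IncubatorMonitor(self.temp)
        assert inv_IncubatorMonitor(self.temp)

    def increment(self) -> None:
        """ext wr temp; pre temp < MAX; post temp = old_temp + 1."""
        if not pre_increment(self.temp):
            raise ValueError(f"pre increment violated: temp = {self.temp}")
        old_temp = self.temp                  # the overscored (old) value
        self.temp = self.temp + 1
        assert self.temp == old_temp + 1      # postcondition holds
        assert inv_IncubatorMonitor(self.temp)  # global constraint preserved

    def decrement(self) -> None:
        """ext wr temp; pre temp > MIN; post temp = old_temp - 1."""
        if not pre_decrement(self.temp):
            raise ValueError(f"pre decrement violated: temp = {self.temp}")
        old_temp = self.temp
        self.temp = self.temp - 1
        assert self.temp == old_temp - 1
        assert inv_IncubatorMonitor(self.temp)

    def getTemp(self) -> int:
        """ext rd temp; pre TRUE; post currentTemp = temp."""
        currentTemp = self.temp               # read-only access
        assert currentTemp == self.temp       # postcondition is a predicate
        return currentTemp
```

Calling increment at MAX raises before the state is touched, which is exactly what the precondition rules out; the invariant assertion is the safety net that would catch any operation the precondition failed to guard.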