www.wileyeurope.com/college/van lamsweerde
Chap. 4: Formal Requirements Specification © 2009 John Wiley and Sons
Fundamentals of RE, Chapter 4: Requirements Specification & Documentation: Formal Specification

Upload: allan-garry-alexander

Post on 18-Jan-2016


Page 1

Fundamentals of RE

Chapter 4

Requirements Specification & Documentation:

Formal Specification

Page 2

Where are we?

[Diagram of the RE process from Chap. 1 (RE products and processes): start → Chap. 2: Elicitation techniques → alternative options → Chap. 3: Evaluation techniques → agreed requirements → Chap. 4: Specification & documentation techniques → documented requirements → consolidated requirements]

Page 3

Requirements specification & documentation: formal specification techniques

– Formal specification: what, why?
– Logic as a basis for formalizing statements
  – Propositional logic
  – First-order predicate logic
  – First-order specification languages
– History-based specification
  – Linear temporal logic
  – Branching temporal logic
– State-based specification
  – Vienna development method
– Formal spec: strengths & limitations

Page 4

Formal Specification

A semi-formal specification declares some items of the requirements document (RD) formally, but leaves the prescriptive* and descriptive** statements about those items informal.

A formal specification formalizes the descriptive and prescriptive statements as well.

The benefits expected from formalization are:
– a higher degree of precision in the formulation of statements
– much more validation and verification can be automated by tools

*Prescriptive statement: A train is moving if and only if its physical speed is non-null

**Descriptive statement: Train tracks are in good condition except the track segment X under maintenance

Page 5

Formal specification: what, why?

To complement NL & diagrammatic specs, especially for mission-critical aspects

Full formalization of RD items ...
– declaration part: item structure (like diagrams); here the variables of interest are declared
– assertion part: item properties (prescriptive, descriptive); here the intended properties of the declared variables are formalized
– mechanisms for structuring large specs into small units

Formal = in machine-processable language
– often based on mathematical logic
– syntax, semantics, rules for inference of new information

Benefits ...
– higher precision in statement formulation
– more precise rules of interpretation
– automation of more sophisticated checks & derivations

Page 6

Logic as a basis for formalizing statements

Like any formal system, logic is made up of three components:
– a syntax
– a semantics
– a proof theory

Page 7

Propositional Logic

First order predicate logic

First order specification language

Page 8

Propositional Logic: Syntax

Recursive composition of non-decomposable statements through the logical connectives and, or, not, if ... then, iff
– limited expressiveness: no variables, no quantification

The syntax of propositional logic can be recursively defined by two simple rules over a vocabulary of propositional symbols (non-decomposable statements like trainMoving, doorsClosed)

Syntax rules for grammatically well-formed statements:

<atomicProposition> ::= true | false | <propositionSymbol>

<statement> ::= <atomicProposition> | (¬ <statement>)
| (<statement> ∧ <statement>) | (<statement> ∨ <statement>)
| (<statement> → <statement>) | (<statement> ↔ <statement>)

Example: trainStopped Emergency doorsOpen

Page 9

Propositional Logic: semantics

Definition of the meaning of statements in some interpretation
– an interpretation I for a statement S assigns truth values to all its propositional symbols
– valI is the interpretation function that assigns a truth value to each atomic proposition in S
– the meaning VALI of S in I is the truth value T or F of S under valI

Semantic rules:

VALI (true) = T ; VALI (false) = F ;
VALI (atomProp) = valI (atomProp)
VALI (¬ S) = T if VALI (S) = F; F otherwise
VALI (S1 ∧ S2) = T if VALI (S1) = T and VALI (S2) = T; F otherwise
VALI (S1 ∨ S2) = T if VALI (S1) = T or VALI (S2) = T; F otherwise
VALI (S1 → S2) = T if VALI (S1) = F or VALI (S2) = T; F otherwise
VALI (S1 ↔ S2) = T if VALI (S1) = VALI (S2); F otherwise

Page 10

Compound Propositions

Page 11

Semantics of propositional logic (2)

Example of semantic evaluation: under the interpretation

valI (trainMoving) = F, valI (doorsClosed) = F

the semantics of trainMoving → doorsClosed is:

VALI (trainMoving → doorsClosed) = T (using the implication rule)
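As an added worked example (not from the slides), the two syntax rules and the semantic rules of the preceding pages implemented in Python: statements are a small AST, VAL evaluates a statement under an interpretation valI given as a dictionary, and a truth-table helper enumerates every interpretation of a compound proposition. The statement trainMoving → doorsClosed with both symbols false is the slide's own example; the dictionary encoding of the interpretation is an assumption of this code.

```python
# Added example: propositional syntax as a small AST and the VAL_I semantic rules as an
# evaluator (illustration only; not code from the slides).
import itertools
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Atom:
    """<atomicProposition> ::= true | false | <propositionSymbol>"""
    name: str  # "true", "false", or a symbol such as "trainMoving"


@dataclass(frozen=True)
class Not:
    """(¬ <statement>)"""
    s: "Statement"


@dataclass(frozen=True)
class Bin:
    """(S1 ∧ S2) | (S1 ∨ S2) | (S1 → S2) | (S1 ↔ S2)"""
    op: str  # "and", "or", "implies" or "iff"
    s1: "Statement"
    s2: "Statement"


Statement = Union[Atom, Not, Bin]
Interpretation = Dict[str, bool]  # val_I: propositional symbol -> T/F


def VAL(s: Statement, val_I: Interpretation) -> bool:
    """Semantic value VAL_I(S): the slide's rules, one branch per connective."""
    if isinstance(s, Atom):
        if s.name == "true":
            return True  # VAL_I(true) = T
        if s.name == "false":
            return False  # VAL_I(false) = F
        return val_I[s.name]  # VAL_I(atomProp) = val_I(atomProp)
    if isinstance(s, Not):
        return not VAL(s.s, val_I)  # T if VAL_I(S) = F; F otherwise
    a, b = VAL(s.s1, val_I), VAL(s.s2, val_I)
    if s.op == "and":
        return a and b  # T if both are T
    if s.op == "or":
        return a or b  # T if at least one is T
    if s.op == "implies":
        return (not a) or b  # T if VAL_I(S1) = F or VAL_I(S2) = T
    if s.op == "iff":
        return a == b  # T if VAL_I(S1) = VAL_I(S2)
    raise ValueError(f"unknown connective {s.op!r}")


def truth_table(s: Statement, symbols: List[str]) -> List[Tuple[Interpretation, bool]]:
    """Every interpretation over the given symbols, paired with VAL_I(S):
    the truth table of a compound proposition."""
    rows = []
    for values in itertools.product([True, False], repeat=len(symbols)):
        val_I = dict(zip(symbols, values))
        rows.append((val_I, VAL(s, val_I)))
    return rows


# The slides' example: trainMoving → doorsClosed under val_I(trainMoving) = F,
# val_I(doorsClosed) = F (interpretation constructed here to match the slide).
SLIDE_STATEMENT = Bin("implies", Atom("trainMoving"), Atom("doorsClosed"))
SLIDE_INTERPRETATION: Interpretation = {"trainMoving": False, "doorsClosed": False}

if __name__ == "__main__":
    print("VAL_I(trainMoving → doorsClosed) =",
          "T" if VAL(SLIDE_STATEMENT, SLIDE_INTERPRETATION) else "F")
    for val_I, value in truth_table(SLIDE_STATEMENT, ["trainMoving", "doorsClosed"]):
        print(val_I, "->", "T" if value else "F")
```

The evaluator follows the semantic rules literally, so each branch can be read against the corresponding VALI line above; the truth table is the only place the interpretation is not fixed in advance.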

Page 12

Propositional Logic: proof theory

Rules for inferring new statements from available ones
– a rule is sound if its conclusion is true under any interpretation that makes its premises true
– enables automatic derivations without semantic evaluation

Sample of inference rules (premises above the line, conclusion below):

P → Q, P          P → Q, Q → R          P ∨ Q, ¬P ∨ R
---------         -------------         -------------
    Q                 P → R                 Q ∨ R

Example of derivation using the 3rd rule (resolution):

from trainMoving ∨ doorsClosed, trainStopped ∨ ¬trainMoving (premises)
we get doorsClosed ∨ trainStopped (conclusion)
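As an added example (not from the slides), the resolution rule implemented over clauses in Python, with a brute-force check of soundness in the sense defined above (the conclusion holds in every interpretation that makes the premises true) and a closure function that collects everything resolution can derive; deriving the empty clause means false is a theorem, which is the consistency check these slides come back to later. The clause encoding (sets of signed literals, "~" marking negation) is an assumption of this code; the clauses themselves are the slide's train example.

```python
# Added example: the resolution rule over clauses, a soundness check and resolution
# closure (illustration only; not code from the slides).
import itertools
from typing import Dict, FrozenSet, List, Set, Tuple

Literal = Tuple[str, bool]   # (symbol, positive?): ("trainMoving", False) is ¬trainMoving
Clause = FrozenSet[Literal]  # disjunction of literals, e.g. P ∨ Q; the empty clause is false


def clause(*lits: str) -> Clause:
    """Build a clause from strings such as "doorsClosed" or "~trainMoving"."""
    return frozenset((lit.lstrip("~"), not lit.startswith("~")) for lit in lits)


def resolve(c1: Clause, c2: Clause) -> List[Clause]:
    """Resolution: from P ∨ Q and ¬P ∨ R derive Q ∨ R, for every complementary pair."""
    resolvents = []
    for sym, pos in c1:
        if (sym, not pos) in c2:
            resolvents.append((c1 - {(sym, pos)}) | (c2 - {(sym, not pos)}))
    return resolvents


def satisfies(val_I: Dict[str, bool], c: Clause) -> bool:
    """A clause is true under val_I when at least one of its literals is."""
    return any(val_I[sym] == pos for sym, pos in c)


def is_sound(premises: List[Clause], conclusion: Clause) -> bool:
    """Sound rule: the conclusion is true under every interpretation making the premises true."""
    symbols = sorted({sym for c in premises + [conclusion] for sym, _ in c})
    for values in itertools.product([True, False], repeat=len(symbols)):
        val_I = dict(zip(symbols, values))
        if all(satisfies(val_I, p) for p in premises) and not satisfies(val_I, conclusion):
            return False
    return True


def derivable(clauses: List[Clause]) -> Set[Clause]:
    """Close a clause set under resolution; it contains frozenset() (false)
    exactly when the set is inconsistent. Terminates because the clauses over a
    finite set of literals are finite."""
    known: Set[Clause] = set(clauses)
    while True:
        new = {r for c1, c2 in itertools.combinations(known, 2) for r in resolve(c1, c2)} - known
        if not new:
            return known
        known |= new


def show(c: Clause) -> str:
    return " ∨ ".join(("" if pos else "¬") + sym for sym, pos in sorted(c)) or "false"


# The slides' derivation: from trainMoving ∨ doorsClosed and trainStopped ∨ ¬trainMoving,
# resolving on trainMoving gives doorsClosed ∨ trainStopped.
PREMISES = [clause("trainMoving", "doorsClosed"), clause("trainStopped", "~trainMoving")]
CONCLUSION = clause("doorsClosed", "trainStopped")

if __name__ == "__main__":
    for r in resolve(*PREMISES):
        print("resolvent:", show(r), "| sound:", is_sound(PREMISES, r))
    print("false derivable from the premises:", frozenset() in derivable(PREMISES))
    print("false derivable from {doorsClosed, ¬doorsClosed}:",
          frozenset() in derivable([clause("doorsClosed"), clause("~doorsClosed")]))
```

is_sound is the semantic definition of soundness written out, so it can also be used to reject a candidate rule: doorsClosed alone does not follow from the two premises, and the checker finds the interpretation that shows it.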

Page 13

First-order predicate logic: syntax

Extends expressiveness of propositional logic through variables, constants, quantifications, relations & functions

Terms are used to designate specific objects in the domain of interest

Syntax rules:

<term> ::= <constant> | <variable> | <functionSymbol> (<term>*)

<atomicPredicate> ::= true | false | <predicateSymbol> (<term>*)

<statement> ::= <atomicPredicate> | (¬ <statement>)
| (<statement> ∧ <statement>) | (<statement> ∨ <statement>)
| (<statement> → <statement>) | (<statement> ↔ <statement>)
| ((∀ <variable>) (<statement>)) | ((∃ <variable>) (<statement>))

Page 14

Example: The distance between two successive trains should be kept sufficient to avoid collisions if the first train stops suddenly

∀ tr1, tr2: Following (tr2, tr1) → Dist (tr2, tr1) > WCS-Dist (tr2)

To evaluate the statement semantically, an interpretation is required for its building blocks:
– The domain of interpretation for the statement is the set of trains in the system.
– The atomic predicate Following (tr2, tr1) is true if and only if the pair (tr2, tr1) is a member of the binary relation Following over trains, defined as the set of pairs of trains in which the first train in the pair directly follows the second.
– The function symbol Dist designates the real-valued function that, for two given trains, returns the distance between them.
– The function symbol WCS-Dist designates the real-valued function that, for a given train, returns the worst-case distance needed for the train to stop in an emergency.
– The predicate symbol >, used in infix form, designates the > binary relation over real numbers.

Page 15

First-order predicate logic: semantics

Interpretation: definition of what unquantified variables, constants, functions, predicates designate in the domain of interest
– predicate specs have meaning only within a specific interpretation

Documenting interpretations is essential for communication, non-ambiguity, adequacy checking ...
– Domain of interest, e.g. trains connecting airport terminals
– For constants a, unquantified variables x: valI (a), valI (x) = specific domain elements, e.g. valI (MTP) = main terminal platform
– For function symbol f: valI (f) = specific function over the domain, e.g. valI (WCS-Dist) = function returning the worst-case distance for the given train to stop in an emergency
– For n-ary predicate symbol P: valI (P) = n-ary relation over the domain, e.g. valI (Following) = set of train pairs with the 1st directly behind the 2nd

Page 16

First-order predicate logic: semantic rules

Within a specific interpretation I, the semantic value VALI is ...

VALI (a) = valI (a) for constants
VALI (x) = valI (x) for unquantified variable occurrences
VALI ( f (t1, ..., tn) ) = (valI (f )) (VALI (t1), ..., VALI (tn)) for terms
VALI (true) = T , VALI (false) = F
VALI ( P (t1, ..., tn)) = (valI (P )) (VALI (t1), ..., VALI (tn)) for atomic predicates
VALI (¬ S), VALI (S1 ∧ S2), VALI (S1 ∨ S2), VALI (S1 → S2), VALI (S1 ↔ S2): cf. propositional logic
VALI ((∀x) S) = T if VAL{x←d}∘I (S) = T for each domain element d; F if VAL{x←d}∘I (S) = F for some domain element d
VALI ((∃x) S) = T if VAL{x←d}∘I (S) = T for some domain element d; F if VAL{x←d}∘I (S) = F for each domain element d

(where {x←d}∘I is the interpretation I with the variable x assigned the domain element d)
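As an added example (not from the slides), a concrete interpretation I for the statement ∀ tr1, tr2: Following (tr2, tr1) → Dist (tr2, tr1) > WCS-Dist (tr2), with the semantic rules for ∀ and ∃ above applied over a finite domain of trains in Python. The trains, the Following relation, the distances and the worst-case stopping distances are constructed values (the 100 m / 50 m pair follows the slides' later example); two system states are given, one satisfying the statement and one falsifying it, and violating_pairs lists the witnesses for the negated statement. Treating pairs without a recorded distance as infinitely far apart is a simplification of this code, not of the slides.

```python
# Added example: a finite interpretation for the first-order train statement and the
# quantifier semantic rules (illustration only; the data is constructed, not from the slides).
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, List, Tuple

Train = str


@dataclass(frozen=True)
class Interpretation:
    """val_I for the building blocks of the statement."""
    domain: FrozenSet[Train]                    # domain of interest: the trains in the system
    following: FrozenSet[Tuple[Train, Train]]   # val_I(Following): pairs (tr2, tr1), tr2 directly behind tr1
    dist: Dict[Tuple[Train, Train], float]      # val_I(Dist): metres between two trains
    wcs_dist: Dict[Train, float]                # val_I(WCS-Dist): worst-case emergency stopping distance


def Following(I: Interpretation, tr2: Train, tr1: Train) -> bool:
    """Atomic predicate: T iff the pair belongs to the relation val_I(Following)."""
    return (tr2, tr1) in I.following


def Dist(I: Interpretation, tr2: Train, tr1: Train) -> float:
    # Constructed simplification: distances are only recorded for pairs that are
    # following each other; any other pair is treated as infinitely far apart.
    return I.dist.get((tr2, tr1), float("inf"))


def WCS_Dist(I: Interpretation, tr: Train) -> float:
    return I.wcs_dist[tr]


def forall(I: Interpretation, S: Callable[[Train], bool]) -> bool:
    """VAL_I((∀x) S) = T iff VAL_{x←d}∘I(S) = T for each domain element d."""
    return all(S(d) for d in I.domain)


def exists(I: Interpretation, S: Callable[[Train], bool]) -> bool:
    """VAL_I((∃x) S) = T iff VAL_{x←d}∘I(S) = T for some domain element d."""
    return any(S(d) for d in I.domain)


def implies(a: bool, b: bool) -> bool:
    return (not a) or b


def safe_distance(I: Interpretation) -> bool:
    """∀ tr1, tr2: Following(tr2, tr1) → Dist(tr2, tr1) > WCS-Dist(tr2)"""
    return forall(I, lambda tr1: forall(I, lambda tr2:
        implies(Following(I, tr2, tr1), Dist(I, tr2, tr1) > WCS_Dist(I, tr2))))


def violating_pairs(I: Interpretation) -> List[Tuple[Train, Train]]:
    """Witnesses for ∃ tr1, tr2: Following(tr2, tr1) ∧ ¬(Dist(tr2, tr1) > WCS-Dist(tr2));
    empty exactly when safe_distance(I) holds."""
    return sorted((tr2, tr1) for tr1 in I.domain for tr2 in I.domain
                  if Following(I, tr2, tr1) and not Dist(I, tr2, tr1) > WCS_Dist(I, tr2))


# Constructed system state: tr2 follows tr1 at 100 m (WCS-Dist 50 m), tr3 follows tr2 at 120 m.
STATE_SAFE = Interpretation(
    domain=frozenset({"tr1", "tr2", "tr3"}),
    following=frozenset({("tr2", "tr1"), ("tr3", "tr2")}),
    dist={("tr2", "tr1"): 100.0, ("tr3", "tr2"): 120.0},
    wcs_dist={"tr1": 50.0, "tr2": 50.0, "tr3": 60.0},
)
# Same trains, but tr2 has closed up to 40 m behind tr1: the statement is falsified.
STATE_UNSAFE = replace(STATE_SAFE, dist={("tr2", "tr1"): 40.0, ("tr3", "tr2"): 120.0})

if __name__ == "__main__":
    for name, I in (("safe", STATE_SAFE), ("unsafe", STATE_UNSAFE)):
        print(name, "->", safe_distance(I), violating_pairs(I))
```

Because the domain is finite, ∀ and ∃ reduce to all() and any() over the trains, which is exactly the case split the two semantic rules describe; violating_pairs is the ∃ form of the same check, returned as data so that a falsifying state comes with its counterexample.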


Page 17

First-order predicate logic: proof theory

Inference rules from propositional logic + specific ones, e.g. (premises above the line, conclusion below):

(∀x) S          u1 = v1, ..., un = vn                  u1 = v1, ..., un = vn
---------       -------------------------------        --------------------------------
S [x / t]       f (u1, ..., un) = f (v1, ..., vn)       P (u1, ..., un) ↔ P (v1, ..., vn)

instantiation   term rewriting under equality of args   predicate rewriting under equality of args

=> automated derivation/checking of more expressive statements

Page 18

First-order specification languages

Variables designate objects involved in reqs, dom props, assumptions (e.g. entity instances in an ER diagram)
– with value generally changing over time

State of variable x: pair (x, v), v: value

System state: pair (X, V), X: set of system variables, V: set of corresponding values
e.g. train tr2 following tr1 at a distance of 100m, WCS-Dist = 50m

In many spec languages, specs are interpreted over states
– spec satisfied by some states, falsified by others

Many first-order spec languages are sorted
– a typed variable designates some instance in a set (the sort)
– e.g. tr1, tr2: Train (sort: Train; instance variables: tr1, tr2, e.g. entity instances)
  ∀ tr1, tr2: Train: Following (tr2, tr1) → Dist (tr2, tr1) > WCS-Dist (tr2)

Page 19

The logic underlying many first-order specification languages is in general a sorted one; that is, the variables are "typed".

A typed variable designates an instance of a specific set (called a sort).

A sort can be an entity from an entity-relationship diagram or a set of data values.

∀ tr1, tr2: Train: Following (tr2, tr1) → Dist (tr2, tr1) > WCS-Dist (tr2)

tr1 and tr2 designate arbitrary instances of the Train entity; the atomic predicate Following corresponds to the Following relationship, and the functions Dist and WCS-Dist to attributes of Following and Train, respectively.

A state of variable tr2 might be characterized by the fact that the related train is following another train, designated by tr1, at a distance of 100 metres and with a worst-case stopping distance of 50 metres in that state.

Page 20

First-order specification languages (2)

Formal specification = logical "theory" = set of formal statements ("axioms") from which new statements can be derived ("theorems") by inference rules

For example, stakeholders may be shown the derived theorems, after translation into natural language, and asked whether they really want the consequences of what was specified.

More precise characterization of specification errors/flaws ...
– Contradiction: no interpretation of interest can make all statements true together
– Ambiguity: multiple interpretations of interest can make all statements true together
– Redundancy: some statements can be inferred from others

Automated derivation of theorems is useful for ...
– adequacy checking ("do you want this consequence?")
– consistency checking (false as derivable theorem)
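As an added example (not from the slides), the three flaw characterizations and the two uses of derivation above, checked in Python by enumerating the interpretations of a small propositional theory: each statement is a predicate over an interpretation (a dictionary from symbol to truth value), a theorem is a statement true in every model, contradiction is "false is a theorem", ambiguity is "more than one model", and redundancy is "already a theorem of the other statements". The theory about a train, its doors and stopping is constructed for illustration and is not the slides' specification.

```python
# Added example: flaw checks on a small propositional theory by enumerating interpretations
# (illustration only; the theory is constructed, not from the slides).
import itertools
from typing import Callable, Dict, List

Interpretation = Dict[str, bool]              # symbol -> truth value
Statement = Callable[[Interpretation], bool]  # a formal statement, evaluated under an interpretation


def implies(a: bool, b: bool) -> bool:
    return (not a) or b


def models(theory: Dict[str, Statement], symbols: List[str]) -> List[Interpretation]:
    """Interpretations of interest (over the given symbols) that make every axiom true."""
    found = []
    for values in itertools.product([True, False], repeat=len(symbols)):
        I = dict(zip(symbols, values))
        if all(axiom(I) for axiom in theory.values()):
            found.append(I)
    return found


def is_theorem(theory: Dict[str, Statement], symbols: List[str], S: Statement) -> bool:
    """S is a consequence of the theory when it holds in every model of the theory."""
    return all(S(I) for I in models(theory, symbols))


def is_contradictory(theory: Dict[str, Statement], symbols: List[str]) -> bool:
    """Contradiction: no interpretation of interest makes all statements true together;
    equivalently, false is a theorem (the consistency check)."""
    return is_theorem(theory, symbols, lambda I: False)


def is_ambiguous(theory: Dict[str, Statement], symbols: List[str]) -> bool:
    """Ambiguity: more than one interpretation of interest makes all statements true."""
    return len(models(theory, symbols)) > 1


def redundant_statements(theory: Dict[str, Statement], symbols: List[str]) -> List[str]:
    """Redundancy: statements that are already theorems of the remaining ones."""
    out = []
    for name, axiom in theory.items():
        rest = {n: s for n, s in theory.items() if n != name}
        if is_theorem(rest, symbols, axiom):
            out.append(name)
    return out


SYMBOLS = ["trainMoving", "doorsClosed", "trainStopped"]

# Constructed theory about one train.
THEORY: Dict[str, Statement] = {
    "DoorsClosedWhileMoving": lambda I: implies(I["trainMoving"], I["doorsClosed"]),
    "StoppedIffNotMoving": lambda I: I["trainStopped"] == (not I["trainMoving"]),
    "MovingOrStopped": lambda I: I["trainMoving"] or I["trainStopped"],  # follows from the previous axiom
}

# Two more axioms make the theory contradictory: a moving train would need its doors
# both closed and open.
CONTRADICTORY: Dict[str, Statement] = dict(
    THEORY,
    SomeTrainMoving=lambda I: I["trainMoving"],
    DoorsOpenWhileMoving=lambda I: implies(I["trainMoving"], not I["doorsClosed"]),
)

if __name__ == "__main__":
    print("models:", len(models(THEORY, SYMBOLS)), "| ambiguous:", is_ambiguous(THEORY, SYMBOLS))
    print("redundant:", redundant_statements(THEORY, SYMBOLS))
    print("adequacy question, 'doorsClosed ∨ trainStopped' is a consequence:",
          is_theorem(THEORY, SYMBOLS, lambda I: I["doorsClosed"] or I["trainStopped"]))
    print("contradictory:", is_contradictory(CONTRADICTORY, SYMBOLS))
```

The ambiguity reported for THEORY is the expected kind: doorsClosed is unconstrained when the train is stopped, so two models differ only there, which is the sort of consequence one would translate back into natural language and put to the stakeholders. Enumeration is exponential in the number of symbols, so it is a teaching device here; a tool would use a prover or a SAT solver for the same checks.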
