schach5-chap11-14[1]

8/14/2019 schach5-chap11-14[1]

1/100

Slide 11.1

The McGraw-Hill Companies, 2002

Object-Oriented andClassical Software

Engineering

Fifth Edition, WCB/McGraw-Hill, 2002

Stephen R. [email protected]

8/14/2019 schach5-chap11-14[1]

2/100

Slide 11.2


CHAPTER 11

SPECIFICATIONPHASE

8/14/2019 schach5-chap11-14[1]

3/100

Slide 11.3


Overview

q The specification document

q Informal specifications

q Structured systems analysis

q Other semiformal techniques

q Entity-relationship modeling

q Finite state machines

q Petri nets

q Other formal techniques

8/14/2019 schach5-chap11-14[1]

4/100

Slide 11.4


Overview (contd)

q Comparison of specification techniques

q Testing during the specification phase

q CASE tools for the specification phase

q Metrics for the specification phase

q Air Gourmet Case Study: structuredsystems analysis

q Air Gourmet Case Study: software

project management planq Challenges of the specifications phase

8/14/2019 schach5-chap11-14[1]

5/100

Slide 11.5


Specification Phase

q Specification document must be Informal enough for client

Formal enough for developers

Free of omissions, contradictions, ambiguities

8/14/2019 schach5-chap11-14[1]

6/100

Slide 11.6


Specification Document

q Constraints Cost

Time

Parallel running

Portability Reliability

Rapid response time

8/14/2019 schach5-chap11-14[1]

7/100

Slide 11.7


Specification Document (contd)

q Acceptance criteria Vital to spell out series of tests

Product passes tests, deemed to satisfy specifications

Some are restatements of constraints

8/14/2019 schach5-chap11-14[1]

8/100

Slide 11.8


Solution Strategy

q General approach to building the productq Find strategies without worrying about

constraintsq Modify strategies in the light of constraints, if

necessaryq Keep a written record of all discarded

strategies, and why they were discarded To protect the specification team

To prevent unwise new solutions during themaintenance phase

8/14/2019 schach5-chap11-14[1]

9/100

Slide 11.9


Informal Specifications

q ExampleIf sales for current month are below target sales,then report is to be printed, unless differencebetween target sales and actual sales is less thanhalf of difference between target sales and actualsales in previous month, or if difference betweentarget sales and actual sales for the current monthis under 5%

8/14/2019 schach5-chap11-14[1]

10/100

Slide 11.10


Meaning of Specification

q Sales target for January was $100,000, actual

sales were only $64,000 (36% below target) Print report

q Sales target for February was $120,000, actualsales were only $100,000 (16.7% below target) Percentage difference for February (16.7%) less than

half of previous months percentage difference (36%),do not print report

q Sales target for March was $100,000, actual saleswere $98,000 (2% below target)

Percentage difference < 5%, do not print

8/14/2019 schach5-chap11-14[1]

11/100

Slide 11.11


But Specifications Do Not Say This

q [D]ifference between target sales and actualsales There is no mention of percentage difference

q Difference in January was $36,000, difference in

February was $20,000 Not less than half of $36,000, so report is printed

q [D]ifference [of] 5% Again, no mention of percentage

q Ambiguityshould the last clause readpercentage difference [of] 5% or difference [of] $5,000 or something else entirely?

q Style is poor

8/14/2019 schach5-chap11-14[1]

12/100

Slide 11.12


Informal Specifications (contd)

q Claim This cannot arise with professional specifications writers

q Refutation Text Processing case study

8/14/2019 schach5-chap11-14[1]

13/100

Slide 11.13


Episode 1

q 1969 Naur Paper

Given a text consisting of words separated byblankor bynl(new line) characters, convert it to line-by-line form in accordance with following rules:

(1) line breaks must be made only where given texthas blankornl ;

(2) each line is filled as far as possible, as long as

(3) no line will contain more than maxpos characters

q

Naur constructed a procedure (25 lines of Algol60), and informally proved its correctness

8/14/2019 schach5-chap11-14[1]

14/100

Slide 11.14


Episode 2

q 1970 Reviewer in Computing Reviews First word of first line is preceded by a blank unless the

first word is exactly maxpos characters long

8/14/2019 schach5-chap11-14[1]

15/100

Slide 11.15


Episode 3

q 1971 London found 3 more faults Including: procedure does not terminate unless a word

longer than maxpos characters is encountered

8/14/2019 schach5-chap11-14[1]

16/100

Slide 11.16


Episode 4

q 1975 Goodenough and Gerhart found 3 further

faults Includinglast word will not be output unless it is

followed by blank ornl

q

Goodenough and Gerhart then produced new setof specifications, about four times longer thanNaurs

8/14/2019 schach5-chap11-14[1]

17/100

Slide 11.17


Case Study (contd)

q 1985 Meyer detected 12 faults in Goodenough

and Gerharts specificationsq Goodenough and Gerharts specifications

Were constructed with the greatest of care

Were constructed to correct Naurs specifications Went through two versions, carefully refereed

Were written by experts in specifications

With as much time as they needed

For a product about 30 lines long

q What chance do we have of writing fault-freespecifications for a real product?

8/14/2019 schach5-chap11-14[1]

18/100

Slide 11.18


Episode 5

q 1989 Schach found fault in Meyers

specifications Item (2) of Naurs original requirement (each line

is filled as far as possible) is not satisfied

8/14/2019 schach5-chap11-14[1]

19/100

Slide 11.19


Informal Specifications

q Conclusion Natural language is nota good way to specify product

q Fact Many organizations still use natural language, especially

for commercial productsq Reasons

Uninformed management

Undertrained computer professionals

Management gives in to client pressure

Management is unwilling to invest in training

8/14/2019 schach5-chap11-14[1]

20/100

Slide 11.20


Structured Systems Analysis

q Three popular graphical specification methods of

70s DeMarco

Gane and Sarsen

Yourdonq All equivalent

q All equally good

q Many U.S. corporations use them for commercialproducts

q Gane and Sarsen used for object-oriented design

8/14/2019 schach5-chap11-14[1]

21/100

Slide 11.21


Structured Systems Analysis Case Study

Sallys Software Store buys software from various

suppliers and sells it to the public. Popular softwarepackages are kept in stock, but the rest must beordered as required. Institutions and corporations aregiven credit facilities, as are some members of the

public. Sallys Software Store is doing well, with amonthly turnover of 300 packages at an average retailcost of $250 each. Despite her business success, Sallyhas been advised to computerize. Should she?

q

Better question What sections?q Still better

How? Batch, or online? In-house or out-service?

8/14/2019 schach5-chap11-14[1]

22/100

Slide 11.22


Case Study (contd)

q Fundamental issue What is Sallys objective in computerizing her business?

q Because she sells software? She needs an in-house system with sound and light

effectsq Because she uses her business to launder hot

money? She needs a product that keeps five different sets of

books, and has no audit trailq Assume: Computerization in order to make more

money Cost/benefit analysis for each section of business

8/14/2019 schach5-chap11-14[1]

23/100

Slide 11.23


Case Study (contd)

q The danger of many standard

approaches First produce the solution, then find out what

the problem is!

q Gane and Sarsens method

Nine-step method Stepwise refinement is used in many steps

8/14/2019 schach5-chap11-14[1]

24/100

Slide 11.24


Case Study (contd)

q Data flow diagram (DFD) shows logical data flow what happens, not how it happens

8/14/2019 schach5-chap11-14[1]

25/100

Slide 11.25


Step 1. Draw the DFD

q First refinement

q Infinite number of possible interpretations

8/14/2019 schach5-chap11-14[1]

26/100

8/14/2019 schach5-chap11-14[1]

27/100

Slide 11.27


Step 1 (contd)

q Portion of

thirdrefinement

8/14/2019 schach5-chap11-14[1]

28/100

Slide 11.28


Step 1 (contd)

q Final DFD

Larger, But easily understood by clientq Larger DFDs

Hierarchy

Box becomes DFD at lower level

q Frequent problem Process P at level L, expanded at level L+1

Correct place for sources and destinations of data forprocess P is level L+1

Clients cannot understand DFDsources anddestinations of data for P are missing

q Solution Draw correct DFD, modify by moving sources and

destinations of data one or more levels up

8/14/2019 schach5-chap11-14[1]

29/100

Slide 11.29


Step 2. Decide What Parts to Computerize

q Depends on how much client is prepared to spend

q Large volumes, tight controls Batch

q Small volumes, in-house microcomputer

Onlineq Cost/benefit analysis

8/14/2019 schach5-chap11-14[1]

30/100

Slide 11.30


Step 3. Refine Data Flows

q Data items for each data flow

q Refine each flow stepwise

q Refine further

q Need a data dictionary

8/14/2019 schach5-chap11-14[1]

31/100

Slide 11.31


Step 3. Refine Data Flows (contd)

q Sample data dictionary entries

8/14/2019 schach5-chap11-14[1]

32/100

Slide 11.32


Step 4. Refine Logic of Processes

q Have processgive educational discount Sally must explain discount for educational institutions

10% on up to 4 packages, 15% on 5 or more

q Translate into decision tree

8/14/2019 schach5-chap11-14[1]

33/100

Slide 11.33


Step 4 (contd)

q Advantage of decision tree Missing items are quickly apparent

q Can also use decision tables

CASE tools for automatic translation

S f S

8/14/2019 schach5-chap11-14[1]

34/100

Slide 11.34


Step 5. Refine Data Stores

q Define exact contents and representation (format) COBOL: specify to pic level

Ada: specify digits or delta

q Specify where immediate access is required

Data immediate access diagram (DIAD)

St 6 D fi Ph i l R

8/14/2019 schach5-chap11-14[1]

35/100

Slide 11.35


Step 6. Define Physical Resources

q For each file, specify File name

Organization (sequential, indexed, etc.)

Storage medium

Blocking factor Records (to field level)

St 7 D t i I t/O t t S

8/14/2019 schach5-chap11-14[1]

36/100

Slide 11.36


Step 7. Determine Input/Output Specs

q Specify input forms, input screens, printed output

St 8 P f Si i

8/14/2019 schach5-chap11-14[1]

37/100

Slide 11.37


Step 8. Perform Sizing

q Numerical data for Step 9 to determine

hardware requirements Volume of input (daily or hourly)

Size, frequency, deadline of each printed report

Size, number of records passing between CPUand mass storage

Size of each file

St 9 H d R i t

8/14/2019 schach5-chap11-14[1]

38/100

Slide 11.38


Step 9. Hardware Requirements

q DASD requirements

q Mass storage for back-up

q Input needs

q Output devices

q Is existing hardwareadequate?

q If not, recommend buy/lease

H

8/14/2019 schach5-chap11-14[1]

39/100

Slide 11.39


However

q Response times cannot be determined

q Number of I/O channels can only be guessed

q CPU size and timing can only be guessed

q Nevertheless, no other method provides these

data for arbitrary products

q The method of Gane and Sarsen/De

Marco/Yourdon has resulted in majorimprovements in the software industry

E tit R l ti hi Di

8/14/2019 schach5-chap11-14[1]

40/100

Slide 11.40


Entity-Relationship Diagrams

q Semi-formal technique

q Widely used for specifying databases

q Used for object-oriented analysis

E tit R l ti hi Di ( td)

8/14/2019 schach5-chap11-14[1]

41/100

Slide 11.41


Entity-Relationship Diagrams (contd)

q Many-to-many relationshipq More complex entity-relationship diagrams

F lit I f lit

8/14/2019 schach5-chap11-14[1]

42/100

Slide 11.42


Formality versus Informality

q Informal method

English (or other natural language)q Semiformal methods

Gane & Sarsen/DeMarco/Yourdon

Entity-Relationship Diagrams

Jackson/Orr/Warnier,

SADT, PSL/PSA, SREM, etc.

q Formal methods Finite State Machines

Petri Nets

Z

ANNA, VDM, CSP, etc.

Finite State Machines

8/14/2019 schach5-chap11-14[1]

43/100

Slide 11.43


Finite State Machines

q Case studyA safe has a combination lock that can be in one ofthree positions, labeled 1, 2, and 3. The dial canbe turned left or right (L or R). Thus there are sixpossible dial movements, namely 1L, 1R, 2L, 2R,

3L, and 3R. The combination to the safe is 1L, 3R,2L; any other dial movement will cause the alarm togo off

Finite State Machines (contd)

8/14/2019 schach5-chap11-14[1]

44/100

Slide 11.44


Finite State Machines (contd)

q Transition table

Extended Finite State Machines

8/14/2019 schach5-chap11-14[1]

45/100

Slide 11.45


Extended Finite State Machines

q Extend FSM with global predicates

q Transition rules have form

state and event and predicate new state

Elevator Problem

8/14/2019 schach5-chap11-14[1]

46/100

Slide 11.46


Elevator Problem

A product is to be installed to control n elevators in abuilding with m floors. The problem concerns the logic

required to move elevators between floors according tothe following constraints:

1. Each elevator has a set ofm buttons, one for eachfloor. These illuminate when pressed and cause

elevator to visit corresponding floor. Illumination iscanceled when corresponding floor is visited by elevator

2. Each floor, except the first and the top floor, has 2buttons, one to request an up-elevator, one to request a

down-elevator. These buttons illuminate when pressed.The illumination is canceled when an elevator visits thefloor, then moves in the desired direction

3. If an elevator has no requests, it remains at its

current floor with its doors closed

Elevator Problem: FSM

8/14/2019 schach5-chap11-14[1]

47/100

Slide 11.47


Elevator Problem: FSM

q Two sets of buttons

Elevator buttonsin each elevator, one for each floor

Floor buttonstwo on each floor, one for up-elevator,one for down-elevator

EB(e, f): Elevator Button in elevator e pressed to request floor f

8/14/2019 schach5-chap11-14[1]

48/100

Elevator Buttons (contd)

8/14/2019 schach5-chap11-14[1]

49/100

Slide 11.49


Elevator Buttons (contd)

q Two eventsEBP(e,f): Elevator Button (e,f) Pressed

EAF(e,f): Elevator e Arrives at Floor f

q Global predicate

V(e,f): Elevator e is Visiting (stopped at) floor f

q Transition RulesEBOFF(e,f) and EBP(e,f) and not V(e,f) EBON(e,f)

EBON(e,f) and EAF(e,f) EBOFF(e,f)

Floor Buttons

8/14/2019 schach5-chap11-14[1]

50/100

Slide 11.50


Floor Buttons

q Floor buttonsFB(d, f): Floor Button on floor f that requests elevator traveling in

direction d

q StatesFBON(d, f): Floor Button (d, f) ON

FBOFF(d, f): Floor Button (d, f) OFF

If floor button is on and an elevator arrives at floor f,traveling in correct direction d, then light is turned off

If light is off and a button is pressed, then light comes

on

Floor Buttons (contd)

8/14/2019 schach5-chap11-14[1]

51/100

Slide 11.51


Floor Buttons (contd)

q Events

FBP(d, f): Floor Button (d, f) PressedEAF(1..n, f):Elevator 1 or or n Arrives at Floor f

q PredicateS(d, e, f): elevator e is visiting floor f

Direction of motion is up (d = U), down (d = D), or no requests arepending (d = N)

q Transition rulesFBOFF(d, f) and FBP(d, f) and not S(d, 1..n, f) FBON(d, f)

FBON(d, f) and EAF(1..n, f) and S(d, 1..n, f) FBOFF(d, f),

d = U or D

Elevator Problem: FSM (contd)

8/14/2019 schach5-chap11-14[1]

52/100

Slide 11.52



q State of elevator consists of

component substates, including: Elevator slowing

Elevator stopping

Door opening

Door open with timer running

Door closing after a timeout


8/14/2019 schach5-chap11-14[1]

53/100

Slide 11.53



q Assume elevator controller moves elevator

through substates Three elevator states

M(d, e, f): Moving in direction d (floor f is next)

S(d, e, f): Stopped (d-bound) at floor f

W(e,f): Waiting at floor f (door closed)

For simplicity, three stopped states S(U, e, f), S(N, e, f),and S(D, e, f) are grouped into one larger state


8/14/2019 schach5-chap11-14[1]

54/100

Slide 11.54




8/14/2019 schach5-chap11-14[1]

55/100

Slide 11.55



q EventsDC(e,f): Door Closed for elevator e, floor fST(e,f): Sensor Triggered as elevator e nears floor f

RL: Request Logged (button pressed)

q Transition Rules

If elevator e is in state S(d, e, f) (stopped, d-bound, atfloor f), and doors close, then elevator e will move up,down, or go into wait state

DC(e,f) and S(U, e, f) M(U, e, f+1)

DC(e,f) and S(D, e, f) M(D, e, f-1)

DC(e,f) and S(N, e, f) W(e,f)

Power of FSM to Specify Complex Systems

8/14/2019 schach5-chap11-14[1]

56/100

Slide 11.56



q No need for complex preconditions and

postconditionsq Specifications take the simple form

current state and event and predicate next state


8/14/2019 schach5-chap11-14[1]

57/100

Slide 11.57



q Using an FSM, a specification is

Easy to write down

Easy to validate

Easy to convert into design

Easy to generate code automatically

More precise than graphical methods

Almost as easy to understand

Easy to maintain

q However Timing considerations are not handled

Who Is Using FSMs?

8/14/2019 schach5-chap11-14[1]

58/100

Slide 11.58


Who Is Using FSMs?

q Commercial products

Menu driven Various states/screens

Automatic code generation a major plus

q System software

Operating system Word processors

Spreadsheets

q Real-time systems Statecharts are a real-time extension of

FSMs CASE tool: Rhapsody

Petri Nets

8/14/2019 schach5-chap11-14[1]

59/100

Slide 11.59


Petri Nets

q A major difficulty with specifying real-time

systems is timing Synchronization problems

Race conditions

Deadlock

q Often a consequence of poorspecifications

Petri Nets (contd)

8/14/2019 schach5-chap11-14[1]

60/100

Slide 11.60


Petri Nets (contd)

q Petri nets

Powerful technique for specifyingsystems with potential timing problems

q A Petri net consists of four parts: Set of places P

Set of transitions T

Input function I

Output function O

Petri Nets (contd)

8/14/2019 schach5-chap11-14[1]

61/100

Slide 11.61


Petri Nets (contd)

q Set of places P is

{p1, p2, p3, p4}

q Set of transitionsT is {t1, t2}

q

Input functions:I(t1) = {p2, p4}

I(t2) = {p2}

q Output functions:O(t1) = {p1}

O(t2) = {p3, p3}

Petri Nets (contd)

8/14/2019 schach5-chap11-14[1]

62/100

Slide 11.62


Petri Nets (contd)

q More formally, a Petri net is a 4-tuple C = (P, T, I, O)

q P = {p1, p2,,pn} is a finite set ofplaces, n 0q T = {t1, t2,,tm} is a finite set oftransitions, m 0, with P

and T disjointq I : T P is inputfunction, mapping from transitions to

bags of placesq O : T P is outputfunction, mapping from transitions

to bags of places

q (A bagis a generalization of sets which allows for

multiple instances of element in bag, as in exampleabove)

q Markingof a Petri net is an assignment of tokens tothat Petri net

Petri Nets (contd)

8/14/2019 schach5-chap11-14[1]

63/100

Slide 11.63


Petri Nets (contd)

q Four tokens, one in p1, two in p2, none inp3, and one in p4

Represented by vector(1,2,0,1)q Transition is enabled if each of its input

places has as many tokens in it as therearcs from the place to that transition

Petri Nets (contd)

8/14/2019 schach5-chap11-14[1]

64/100

Slide 11.64


Petri Nets (contd)

q Transition t1 is enabled (ready to fire)

Ift1 fires, one token is removed from p2 and one fromp4, and one new token is placed in p1

q Important: Number of tokens is not conserved

q Transition t2 is also enabled

Petri Nets (contd)

8/14/2019 schach5-chap11-14[1]

65/100

Slide 11.65


Petri Nets (contd)

q Petri nets are indeterminate

Suppose t1 fires

q Resulting marking is (2,1,0,0)

Petri Nets (contd)

8/14/2019 schach5-chap11-14[1]

66/100

Slide 11.66


Petri Nets (contd)

q Now only t2 is

enabled It fires

q Marking is now(2,0,2,0)

SPetri Nets (contd)

8/14/2019 schach5-chap11-14[1]

67/100

Slide 11.67


Petri Nets (contd)

q More formally, a marking M of a Petri net

C = (P, T, I, O) is a function from the set of places Pto the non-negative integers N

M : P N

q A marked Petri net is then 5-tuple (P, T, I, O, M )

Slid 11 68Petri Nets (contd)

8/14/2019 schach5-chap11-14[1]

68/100

Slide 11.68


e e s (co d)

q Inhibitor arcs

Inhibitor arc is marked by small circle, not arrowhead

q Transition t1 is enabled In general, transition is enabled if at least one token on

each (normal) input arc, and no tokens on any inhibitorinput arcs

8/14/2019 schach5-chap11-14[1]

69/100

Slid 11 70Elevator Problem: Petri Net (contd)

8/14/2019 schach5-chap11-14[1]

70/100

Slide 11.70


( )

q First constraint

1. Each elevator has a set ofmbuttons,one for each floor. These illuminate whenpressed and cause the elevator to visit thecorresponding floor. The illumination iscanceled when the corresponding floor is

visited by an elevatorq Elevator button for floor f is represented

by place EBf, 1 f mq Token in EBf denotes that the elevator

button for floorf is illuminated

Slide 11 71Elevator Problem: Petri Net (contd)

8/14/2019 schach5-chap11-14[1]

71/100

Slide 11.71


( )

q A button must be illuminated the first time button

is pressed and subsequent button presses mustbe ignored

q If button EBfis not illuminated, no token in place

and transition EBfpressed is enabled Transition fires, new token is placed in EBf

q Now, no matter how many times button ispressed, transition EBf

pressed cannot be enabled


8/14/2019 schach5-chap11-14[1]

72/100

Slide 11.72


( )

q When elevator reaches floor g, token is in place Fg,

transition Elevator in action is enabled, and thenfires

Tokens in EBf and Fg removed

This turns off light in button EBf

New token appears in Ff This brings elevator from floorg to floorf


8/14/2019 schach5-chap11-14[1]

73/100

Slide 11.73


( )

q Motion from floorg to floorf

cannot take place instantaneously Timed Petri nets


8/14/2019 schach5-chap11-14[1]

74/100

Slide 11.74


( )

q Second constraint

2. Each floor, except the first and the top floor, has 2buttons, one to request an up-elevator, one to request adown-elevator. These buttons illuminate when pressed.The illumination is canceled when the elevator visits the

floor, and then moves in desired directionq Floor buttons represented by places FBufand FBdf


8/14/2019 schach5-chap11-14[1]

75/100

Slide 11.75


( )


8/14/2019 schach5-chap11-14[1]

76/100

Slide 11.76


( )

q The situation when an elevator reaches floorf

from floorg with one or both buttons illuminated If both buttons are illuminated, only one is turned off

(A more complex model is needed to ensure that thecorrect light is turned off)


8/14/2019 schach5-chap11-14[1]

77/100

Slide 11.77


( )

q Third constraint

C3. If an elevator has no requests, it remains at itscurrent floor with its doors closed

q If no requests, no Elevator in action transition isenabled

Slide 11 78Petri Nets (contd)

8/14/2019 schach5-chap11-14[1]

78/100

Slide 11.78


q Petri nets can also be used for design

q Petri nets possess the expressive powernecessary for specifying timing aspects ofreal-time systems

Slide 11.79Z (zed)

8/14/2019 schach5-chap11-14[1]

79/100

Slide 11.79


q Formal specification language

q High squiggle factorq Z specification consists of four sections:

1. Given sets, data types, and constants

2. State definition 3. Initial state

4. Operations

Slide 11.80Elevator Problem: Z

8/14/2019 schach5-chap11-14[1]

80/100


q 1. Given Sets

q Sets that need not be defined in detail Names appear in brackets

Here we need the set ofallbuttons Specification begins

[Button]

Slide 11.81Elevator Problem: Z (contd)

8/14/2019 schach5-chap11-14[1]

81/100


q 2. State Definition

q Z specification consists of a number of schemata Schema consists of group of variable declarations, plus

List of predicates that constrain values of variables


8/14/2019 schach5-chap11-14[1]

82/100


q Four subsets ofButton

The floor buttons The elevator buttons

buttons (the set of all buttons in the elevator problem)

pushed (the set of buttons that have been pushed)


8/14/2019 schach5-chap11-14[1]

83/100


q Schema Button_State


8/14/2019 schach5-chap11-14[1]

84/100


q 3. Initial State

q State when the system is first turned on

Button_Init [Button_State' | pushed' = ]

(In the above equation, the should be a = with a ^ ontop. Unfortunately, this is hard to type in PowerPoint!)


8/14/2019 schach5-chap11-14[1]

85/100


q 4. Operations

q Button pushed for first time is turned on, andadded to setpushed

q Without third precondition, results would beunspecified


8/14/2019 schach5-chap11-14[1]

86/100


q If elevator arrives at a floor, the correspondingbutton(s) must be turned off

q The solution does not distinguish between up anddown floor buttons

Slide 11.87Analysis of Z

8/14/2019 schach5-chap11-14[1]

87/100


q Most widely used formal specification language

CICS (part) Oscilloscope

CASE tool

Large-scale projects (esp. Europe)

Slide 11.88Analysis of Z (contd)

8/14/2019 schach5-chap11-14[1]

88/100


q Difficulties

Symbols Mathematics

q Reasons for great success Easy to find faults in Z specification

Specifier must be extremely precise Can prove correctness

Only high-school math needed to read Z

Decreases development time

Translation clearer than informalspecification

Slide 11.89Other Formal Methods

8/14/2019 schach5-chap11-14[1]

89/100


q Anna

Ada

q Gist, Refine Knowledge-based

q VDM Denotational semantics

q CSP Sequence of events

Executable specifications

High squiggle factor

Slide 11.90Comparison of Specification Techniques

8/14/2019 schach5-chap11-14[1]

90/100


q We must always choose the appropriate

specification methodq Formal methods

Powerful

Difficult to learn and use

q Informal methods Little power

Easy to learn and use

q Trade-off Ease of use versus power

8/14/2019 schach5-chap11-14[1]

91/100

Slide 11.92Newer Methods

8/14/2019 schach5-chap11-14[1]

92/100


q Many are untested in practice

q Risks Training costs

Adjustment from classroom to actual project

CASE tools may not work properly

q However, possible gains maybe huge

Slide 11.93Which Specification Method to Use?

8/14/2019 schach5-chap11-14[1]

93/100


q Depends on the

Project Development team

Management team

Myriad other factors

q It is unwise to ignore the latest developments

Slide 11.94Testing during the Specification Phase

8/14/2019 schach5-chap11-14[1]

94/100


q Specification inspection

Checklistq Doolan [1992]

2 million lines of FORTRAN

1 hour of inspecting saved 30 hours ofexecution-based testing

Slide 11.95CASE Tools for the Specification Phase

8/14/2019 schach5-chap11-14[1]

95/100


q Graphical tool

q Data dictionary Integrate them

q Specification method without CASE tools fails

SREM

Slide 11.96CASE Tools for the Specification Phase

8/14/2019 schach5-chap11-14[1]

96/100


q Typical tools

Analyst/Designer Software through Pictures

System Architect

Slide 11.97Metrics for the Specification Phase

8/14/2019 schach5-chap11-14[1]

97/100


q Five fundamental metrics

q Quality Fault statistics

Number, type of each fault

Rate of detection

q Metrics for predicting size of target product Total number of items in data dictionary

Number of items of each type

Processes vs. modules

Slide 11.98Air Gourmet Case Study: Structured Sys. Anal.

8/14/2019 schach5-chap11-14[1]

98/100


q Data flow diagram

reflects centralityofSPECIAL MEAL DATA

q See Appendix Efor remainder ofstructured systemsanalysis

Slide 11.99Air Gourmet Case Study: SPMP

8/14/2019 schach5-chap11-14[1]

99/100


q The Software Project Management Plan is given

in Appendix F

Slide 11.100Challenges of the Specification Phase

8/14/2019 schach5-chap11-14[1]

100/100

q A specification document must be

Informal enough for the client; and Formal enough for the development team

q The specification phase (what) should not crossthe boundary into the design phase (how)

q Do not try to assign modules to process boxes ofDFDs until the design phase

schach5-chap11-14[1]

Documents

Transcript of schach5-chap11-14[1]