
Analyzing the Requirements with Formal Specifications

Vienna Development Method Specification Language (VDM-SL)

Book: Formal Software Development From VDM to Java, Quentin Charatan and Aaron Kans


The Case Study: Incubator Control

Problem: The temperature of the incubator needs to be carefully controlled and monitored

The aim is to provide the correct conditions for a particular biological experiment to be undertaken

The software is needed to monitor and control the incubator temperature.


The Case Study: Incubator Control (simple version of the system)

In this version, control of the hardware lies outside of our system; in other words, a system will be specified that simply monitors the temperature of the incubator.


The Case Study: Incubator Control

The hardware increments or decrements the temperature of the incubator in response to instructions.

Each time a change of one degree has been achieved, the software is informed of the change.

According to the safety requirements, the temperature of the incubator must never be allowed to rise above +10 Celsius, nor fall below -10 Celsius.


The UML specification identifies a single class, IncubatorMonitor.

One attribute and three methods are identified. The attribute records the temperature of the system and will be of type integer. The first two methods do not involve any input or output (since they merely record an increase or decrease of one degree). The third method reads the value of the temperature, and therefore will output an integer.

The UML diagram indicates that there is no input as a formal parameter. Where there are formal parameters, each name is followed by its type (separated by a colon). If there is an output from the operation, this is placed after the brackets.


Specifying the State of the System in VDM-SL

The state refers to the permanent data that must be stored by the system and which can be accessed by operations. It corresponds to the attributes in the class diagram.

The state is specified by declaring variables, as is done in a programming language; the notation is similar to the form in the UML diagram.

One or more variables are specified, each with a name and a type of data.


Basic variable types in VDM-SL


Specifying the state of the Incubator Monitor System

• The only data item is the current temperature of the incubator.

• It is defined with type integer and is called temp.

The state is specified as follows:

The variable temp (to hold the temperature) is declared to be of type integer. This is the only item of data to record in this case.


Specifying the Operations

A number of operations are specified; the system should be able to perform these operations by accessing the data (i.e. the state). In VDM operations it is possible to access the state either by reading or writing the data, or both.


Operation Types for this problem

There are three operations:

• an operation that records an increment in the temperature;
• an operation that records a decrement in the temperature;
• an operation that reads the value of the temperature.


Specifying the Operations

In VDM-SL, an operation consists of four sections:

• the operation header;
• the external clause;
• the precondition;
• the postcondition.


The increment operation

Operation names (headers) are generally written in upper case in VDM texts. Here lower case will be used, so that the operation names correspond to the UML diagrams and to the Java code.


The external clause

Introduced by the VDM keyword ext.

Keywords are written in lower case; they are bold and non-italic. Variable and type names are plain but italicized.

The purpose of the external clause is to restrict the access of the operation to only certain components of the state.

The other purpose of the external clause is to specify the mode of access: read-only (indicated by the keyword rd) or read-write (indicated by the keyword wr).


The external clause

There is only one component to the state (temp). In this operation it is necessary to have read-write access to that component, since the operation actually needs to change the temperature.


The postcondition (keyword post)

The postcondition states the conditions after the operation has been performed. It is a predicate, containing one or more variables; the main goal is to make the value of the whole statement true.

Only state variables that appear in the ext clause can be included in the postcondition.


The postcondition

Any operation that has write access to a component of the state can change the value of that component. Therefore it is necessary to distinguish the value of the state component before the operation and the value after it has taken place; in other words, the old value and the new value.

In VDM-SL we do this by placing an overscore over the old value, to distinguish it from the new value.

The postcondition for the increment operation is:


Important

What should happen is being described, and not how it should happen.


The precondition(keyword pre)

The purpose of the precondition is to place any necessary constraints on an operation. In the incubator system the temperature is allowed to vary only within the range -10 to +10 degrees.

If a precondition were not specified here, the system would allow a temperature outside the allowed range to be recorded; we would therefore be allowing abnormal behaviour of the system. Including a precondition rules this out.


The precondition(keyword pre)

We can specify the outcome of the operation only if certain conditions are met prior to the operation being invoked

If our precondition is not met we can say nothing about what should happen


The decrement operation


The getTemp operation

The output variable is placed after the brackets that follow the operation name, together with its type. This operation does not require write access to temp, since it is not going to change this value, but simply read it; hence the use of the keyword rd in the external clause.


The getTemp operation

The precondition consists simply of the word TRUE; what we are effectively saying here is that this operation needs no precondition.

It is a simple read operation and there is no set of circumstances under which the operation should not take place.

A precondition with a value of TRUE is the weakest possible precondition.

It is acceptable in such a case to leave the precondition out altogether, rather than to specify it as TRUE.


The getTemp operation

The postcondition is straightforward: we just declare the output value, currentTemp, to be equal to the temperature of the incubator.

This is a predicate, not an assignment statement; it could equally have been written:


Declaring constants

It is possible in VDM-SL to specify constants. This is not essential to any specification, but can greatly enhance its readability.

It is done by using the keyword values. The declaration comes immediately before the state definition.


Declaring constants

The convention is to use upper case for constant values.

These values could then be used in our functions and operations:


Specifying functions

A function is a set of assignments from one set to another: the function receives an input value (or values) and maps this to an output value according to some rule. For example:

A function could accept an integer and output the square of that integer.

A function could accept the name of a person and output that person's telephone number.

There are two ways in which we can specify a function in VDM-SL.


Specifying a Function Explicitly

We explicitly define the method of transforming the inputs to the output.

Example: adding two numbers together:

The first line is called the function signature. Its purpose is to state the input types that the function accepts, to the left of the arrow, together with the output type, to the right of the arrow.

This function takes two inputs, both of type real number, and outputs a value that is also of type real number.

The second part is the definition, and describes the algorithm that is used for transforming the inputs to the output. This definition is placed on the right of the symbol, which is read "is defined as".


Specifying a Function Implicitly

A pre- and postcondition are used in the same way as described for operations. The function does not access the state variables.

The add function defined implicitly:


Example 1: An Absolute Function defined implicitly

The implicit specification

The postcondition is a predicate consisting of two disjuncts; for the predicate to be true, one of these disjuncts must be true. The first disjunct, z < 0 ∧ r = -z, ensures that if the input, z, is negative, then the output, r, will be equal to -z. The second disjunct, z ≥ 0 ∧ r = z, ensures that if z is positive (or zero), the output r will be equal to z. Both disjuncts cannot be true at the same time.


Example 1: An absolute function defined explicitly

The explicit specification (uses the keywords if, then and else):

Important: if a function requires a precondition, then in the explicit definition this is placed after the definition.


Example 2: Recursive functions

Some functions can be specified by a recursive definition. This means that the function calls itself.

A factorial function:
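The following is an added example, not from the book or these slides: it models the explicit and implicit definitions discussed on the preceding slides in Python (add, the absolute function and a recursive factorial) and checks each explicit definition against the implicit pre/post predicates over sample inputs, which is exactly the relationship an implementer must establish between the two styles. The function names, predicate names and sample input ranges are my own choices, and abs_wrong is a deliberately incorrect explicit definition included so the check can be seen rejecting a definition that does not satisfy its postcondition.

```python
"""Implicit vs explicit function definitions, checked against each other.

An implicit definition gives a precondition and a postcondition over the
inputs and the result; an explicit definition gives the algorithm.  The
explicit definition is correct with respect to the implicit one when, for
every input satisfying the precondition, its result makes the postcondition
true.  (Added example; names and sample ranges are my own.)
"""
from itertools import product


# add(x, y : real) r : real   post r = x + y      -- explicit: add(x, y) == x + y
def add(x, y):
    return x + y


def add_post(r, x, y):
    return r == x + y


# absolute(z : int) r : int
# post (z < 0 and r = -z) or (z >= 0 and r = z)   -- the implicit definition
def abs_post(r, z):
    return (z < 0 and r == -z) or (z >= 0 and r == z)


# absolute(z) == if z < 0 then -z else z           -- the explicit definition
def abs_explicit(z):
    return -z if z < 0 else z


def abs_wrong(z):
    """Deliberately wrong explicit definition: forgets the negative case."""
    return z


# factorial(n : nat) r : nat   pre n >= 0       -- recursive explicit definition
def factorial_pre(n):
    return n >= 0


def factorial(n):
    return 1 if n == 0 else n * factorial(n - 1)


def factorial_post(r, n):
    # r = n!, computed by an iterative product so the oracle is independent
    # of the recursion being checked
    expected = 1
    for k in range(2, n + 1):
        expected *= k
    return r == expected


def satisfies(explicit, post, inputs, pre=lambda *args: True):
    """Return the inputs (within the precondition) for which the explicit
    definition violates the implicit postcondition; an empty list means the
    two definitions agree on every sampled input."""
    failures = []
    for args in inputs:
        if not pre(*args):
            continue            # outside the precondition the spec says nothing
        if not post(explicit(*args), *args):
            failures.append(args)
    return failures


def check_all():
    """Run every explicit definition against its implicit specification."""
    ints = [(z,) for z in range(-5, 6)]
    reals = list(product([-1.5, 0.0, 2.25], repeat=2))   # constructed samples
    nats = [(n,) for n in range(0, 8)]
    return {
        "add": satisfies(add, add_post, reals),
        "abs": satisfies(abs_explicit, abs_post, ints),
        "abs_wrong": satisfies(abs_wrong, abs_post, ints),
        "factorial": satisfies(factorial, factorial_post, nats, factorial_pre),
    }


if __name__ == "__main__":
    for name, failures in check_all().items():
        print(f"{name}: {'consistent' if not failures else failures}")
```

Running the block reports add, abs and factorial as consistent with their implicit specifications, while abs_wrong is reported as failing for every negative sample, which is the precondition-respecting, postcondition-violating case the implicit style makes easy to state.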


Specifying a State Invariant

The requirements of the incubator state that the temperature of the incubator must stay within the range -10 to +10 Celsius.

There is a mechanism for applying such a restriction to the specification of the state: specifying a function known as a state invariant.

This is called creating a global constraint, which is different from the local constraint provided by a precondition.

The invariant definition uses the keyword inv.


Specifying a State Invariant

For the IncubatorMonitor system the invariant is specified as

After the keyword inv there is the expression mk-IncubatorMonitor(t). It is the input to the inv function.

Specifying a State Invariant

This expression is itself a function, and is known as a make function (mk stands for "make").

Its purpose is to construct an object (IncubatorMonitor) from the values in the parameter list in the brackets.

The parameter names are arbitrary; they are matched to the components of the state. Here there is only one component, temp.

On the right of the symbol there is the predicate that the input parameters must satisfy.

In the example, the temperature must lie between -10 and +10 Celsius (MIN and MAX).


Specifying an Initialization Function

When the incubator is turned on, its temperature is adjusted until a steady 5 degrees Celsius is obtained; at this point the software system is activated.

The initialization function should state that when the system is first invoked, the temperature should be set to 5.

This function is specified after the declaration of the invariant.

It prescribes the conditions that the system must satisfy when it is first brought into being.

Specifying an Initialization Function

This is similar in style to the invariant function, and has the same signature.

The interpretation is that the expression on the right hand side of the symbol defines the conditions that must be true after the system is first brought into being.

This function preserves the invariant since it sets the temperature to 5 degrees, which is within the constraints allowed.
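As an added example, not part of the book or the slides, the state, constants (values), operations with their ext/pre/post clauses, state invariant and initialization function described across the IncubatorMonitor slides above can be turned into one executable model that checks every clause on each call. Python is used here instead of the book's Java purely so the checks can be run directly. The names operation, SpecViolation, snapshot, run_to_limit and INITIAL_TEMP are my own; the comments restate each VDM-SL clause in plain ASCII, with the overscored old value written as old["temp"].

```python
"""Executable model of the IncubatorMonitor specification (added example).

Each VDM-SL operation becomes a method wrapped by `operation`, which:
  1. checks the precondition (the local constraint) before the body runs,
  2. snapshots the old state so the postcondition can refer to it (the
     overscored value in VDM-SL),
  3. checks the postcondition and then the state invariant (the global
     constraint) after the body has run.
"""
from functools import wraps

# values: constants declared before the state definition
MIN = -10
MAX = 10
INITIAL_TEMP = 5          # my name for the value 5 given on the slides


class SpecViolation(AssertionError):
    """Raised when a pre, post or inv predicate evaluates to false."""


def operation(pre, post):
    """Decorator modelling a VDM-SL operation.

    pre(self, *args) -> bool            evaluated on the state before the call
    post(self, old, result, *args) -> bool   `old` is the snapshot before the call
    """
    def decorate(body):
        @wraps(body)
        def wrapper(self, *args):
            if not pre(self, *args):
                raise SpecViolation(f"pre {body.__name__} violated: temp={self.temp}")
            old = self.snapshot()
            result = body(self, *args)
            if not post(self, old, result, *args):
                raise SpecViolation(f"post {body.__name__} violated")
            if not self.inv():
                raise SpecViolation(f"inv violated after {body.__name__}: temp={self.temp}")
            return result
        return wrapper
    return decorate


class IncubatorMonitor:
    # state IncubatorMonitor of temp : integer
    def __init__(self):
        # init mk-IncubatorMonitor(t) == t = 5 ; init must establish inv
        self.temp = INITIAL_TEMP
        if not self.inv():
            raise SpecViolation("init does not establish inv")

    def snapshot(self):
        return {"temp": self.temp}

    # inv mk-IncubatorMonitor(t) == MIN <= t and t <= MAX
    def inv(self):
        return MIN <= self.temp <= MAX

    # increment()  ext wr temp  pre temp < MAX  post temp = old temp + 1
    @operation(pre=lambda self: self.temp < MAX,
               post=lambda self, old, result: self.temp == old["temp"] + 1)
    def increment(self):
        self.temp += 1

    # decrement()  ext wr temp  pre temp > MIN  post temp = old temp - 1
    @operation(pre=lambda self: self.temp > MIN,
               post=lambda self, old, result: self.temp == old["temp"] - 1)
    def decrement(self):
        self.temp -= 1

    # getTemp() currentTemp : integer  ext rd temp  pre TRUE  post currentTemp = temp
    # The extra conjunct temp == old temp models read-only (rd) access.
    @operation(pre=lambda self: True,
               post=lambda self, old, result: result == self.temp
               and self.temp == old["temp"])
    def getTemp(self):
        return self.temp


def run_to_limit(monitor, step_name):
    """Apply the named operation until its precondition blocks it.
    Returns (final temperature, number of successful steps)."""
    steps = 0
    while True:
        try:
            getattr(monitor, step_name)()
            steps += 1
        except SpecViolation:
            return monitor.temp, steps


if __name__ == "__main__":
    m = IncubatorMonitor()
    print("initial temp:", m.getTemp())
    print("driven up   :", run_to_limit(m, "increment"))
    print("driven down :", run_to_limit(m, "decrement"))
```

Driving the model to either limit shows the precondition stopping the operation exactly at MAX or MIN, so the invariant is never violated by a correct operation; the invariant check is what would catch an operation whose body is wrong even though its precondition held, which is the distinction between the local and the global constraint that the slides draw.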