Saima Zareen

Formal Specification of a SystemFormal Specification describes the

System behavior Operations of system

Problem with formal specification is large amount of detailed information which is required for accurate system specification.

A structured approach is required.The basic building block of a specification is

abstract machine. Large specification can be constructed from smaller

ones. AMN (abstract Machine Notation ) is used.

Compositional structuringThe combination of abstract machine is also an

abstract machine permitting hierarchical specification.

Abstract MachinesIt is the specification of a system.It contains pieces of information, that describes

various aspects of the specification.Specification must describe what the component

should do?(Operations,Functions).Operations/Functions

Take inputs from the user Supply outputs to the user. Affect any change within the component.

Interface Collection of operations by which machine interacts with

environment.Components/parts of Abstract machines

It is required by the machine to maintain or process information.

For this a local state is required.State is mentioned by the local variables.State variables are listed under VARIABLES heading.INVARIANT

Their types and any other information are listed. The information which must be true of the state. For example type of variable must not be changed during

the execution.

INITIALISATION Represents initial state

Machine Name Machine must have a name ,so that other machines

can refer to it. The name is given under the heading MACHINE. Machine

It is not like an object in object oriented sense. It has a name, internal state, and set of operations

as do objects. It may be considered as a black box with buttons on

the side corresponding to the operations, and a set of state variables inside.

Abstract machineInteraction must be through these buttons.

Example of abstract machineConsider the example of ticket dispenser,

which is used in shop to order the queue. On entry to the shop customer takes a numbered ticket from the dispenser. When a sales assistant is ready to serve, a display indicates the number of the customer who is to be served next. Customers wait until it is their turn to be served. The system is pictured in figure

A ticketing System

The behavior of ticket system can be represented using abstract machine.

First of all name the machine as

MACHINE Ticket

VARIABLESTo maintain the state of a system we define variables,

a variable should be of the type which is suitable to express kind of value it can store.

How the systems are understood rather than implemented.

In terms of values, sets, relations, sequences .A variable can be of the type N, natural numbers

set(0,1,2,…..).In the example we have two kind of tickets Ticket number being servedNumber of Next ticket to be dispensed.We can model with variables:

next serve

VARIABLES serve, nextINVARIANT

Provides information about the variables of the machineIt gives type of values of variableRestrictions on their possible valuesRelationships to each otherValues of variables may change but it describes the

properties of the variables which must be true during execution process.

Type of variable is expressed as: Either an element of a set var € TYPE Subset of a set var⊑ TYPE. Var=expression

At least one invariant clause should be defined for each variable. Listed Next € N Sreve € N

Furthure restrictions imposed by the operation can also be added

In Ticket machine number being served must be less than the number of the ticket to be given out. server≤next

INVARIANT serve € N ⋀ next € N ⋀ serve ≤ next

OPERATIONSIt has following parts

The name of the operation Input parameters Output parameters What the operation requires.(restrictions, conditions) What the operation modifies (variables that are modified) The effects or behavior of the operation(what the

operation does). In B, operation is described in a structured way

Name, input, output parameters of an operation are given by an operation header

Outputs ⃖ name(inputs) Where name refers to operation name, outputs is a list

of output and inputs is a list of inputs

Name must be givenInputs and outputs are optional parameters.Ticket machine will offer two operations

One to serve customer and update the indicator board To provide the customer with the next ticket. Ss ⃖serve_next tt ⃖take_ticketOperation has precondition, It states that what

the operation requires in order to behave correctly.Information of all input variables.Assumptions/state of the inputs

The requirements on the user to ensure that the requirements are met whenever the operation is called.

For example, the serve_next operation will be called when the sales assistant has finished serving a customer.

In this case serve must be less than next.If the shop is empty, then the value of serve will be the

same as next.Thus the precondition will be serve ≤nextBody of the operation, describes what the operation

achieves.It must assign some value to one of the outputs.Output should be in terms of initial state and input values.Update the state of the variable

In case of serve_next, Serve should be incremented Output should be incremented to show state serve.

In AMN assignment is written as x:=E (pronounced x becomes E) Serve:= serve+1 Output of this operation is assigned the same value Ss, serve:=serve+1,serve+1. Body shows the states, there is no intermediate

statement in the operation, therefore multiple assignments must be shown in simultaneous assignment, rather than a sequence of assignments one after the other.

The complete specification of the operation serve_next is as follows

Type of the output variable ss is given by the assignment, there is no need to declare its type.

It is determined from the operation.After the execution of operation it must

guarantee that the invariant is still true on the updated state.

Then the operation is consistent.Is the operation serve_next consistent with the

inavriant?If the precondition is weaker then there will be

the chance of inconsistency with its variant.

Strengthening the precondition of serve_next to serve<next imposes more constraints on the user.

Then the operation becomes consistent.Operation take_ticket

If a precondition is true, it may be dropped from the specification

Is consistent with the invariant of the Ticket machine?

INITIALISATIONDescribes possible initial state of the machine.All variables listed must be initialised.The Ticket machine should start with 0 on the

display board,0 is the number of the first ticket to be taken.

INITIALISATION serve, next:=0,0INITILISATION can only be consistent if initial

states are correct with respect to the invariant.

complete Specification of Ticket machine

Set TheoryThe B method makes use of the language of set

theory and logic with in AMN in order to express these requirements in a formal and precise way.

SetCollection of entities of some sort.Notation for set membership is e € S, pronounced

e is a member of S for a set S and element e.Finite setNaming Convention of set in B

Names of given sets are in upper case SMALLSQUARE={4, 16, 0, 1,9}

Empty set{}

Set comprehensionSet can be defined as a collection of elements

of some type which meet a particular property.SMALLSQUARE

Segment of the natural numbers can be expressed using the notation m…n, which defines the set of numbers between m and n

SubsetIf all the members S are also the members of

another set then S is said to be a subset of TS ⊑T

Set combinationsIf S and T are both sets ,then their union S⊔ T

is another set which contains elements that appear in either S or T..

Generalized union ⊔ SS over set of SS. Elements that appear in any set S€ SS.

Intersection The intersection of S∩T of two sets is the set of elements

that are in both S and T. Generalized intersection ∩SS over a set of sets SS. The set of elements that appear in every set S€ SS. If S∩T={} then S and T are said to be disjoint

Set SubtractionS-T is used to obtain the set of members of S which

are not members of T.For example CHESS_GO is the set of all chess

players who do not play GO.Subset

Sets which contain only elements from S.Empty set {} is always one such set.SET={alice,bob}

{} {alice} {bob} {alice, bob}

Power setThe collection of subsets of S is called power set

and written as

Cartesian ProductS x T of two sets S and T will be the set of

ordered pairs of elements (s, t)In which s€ S for the first element of the pair,

andT€ T for the second element.

The Cartesian product is the set of all possible pairings of such elements.

For example{alice, bob} and {home, work}

{alice, home} {alice, work} {bob, home} {bob, work} The Cartesian product of two sets is given by

Set theoretic notation

The size or cardinality of set s is written card(S).

It is the number of elements it contains.For example

Card({alice, bob}) = 2Task