1 / 36

The Case Study : Incubator Control

Analyzing the Requirements with Formal Specifications Vienna Development Method Specification Language (VDM-SL) Book : Formal Software Development From VDM to Java Quentin Charatan and Aoron Kans. The Case Study : Incubator Control .

nasya
Download Presentation

The Case Study : Incubator Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Analyzing the Requirements with Formal SpecificationsVienna Development MethodSpecification Language (VDM-SL) Book: Formal Software Development From VDM to JavaQuentinCharatanandAoronKans

  2. The Case Study: Incubator Control Problem: The temperature of the incubator needs to be carefully controlled and monitored • Theaim is toprovide the correct conditions for a particular biological experiment to be undertaken • The software is needed to monitor and control the incubator temperature.

  3. The Case Study: Incubator Control (simple version of the system) • In this version, control of the hardware lies outside of our system; • In other words, a system will be specifiedthat simply monitors thetemperature of the incubator.

  4. The Case Study: Incubator Control • The hardware increments or decrements the temperature of the incubator in response toinstructions • Each time a change of one degree has been achieved, the software is informed of thechange • Accordingtothesafety requirements , the temperature of the incubator must never beallowed to rise above 10 Celsius, nor fall below 10 Celsius.

  5. The UML specification identify a single class, IncubatorMonitor The UML diagram indicates that these is noinput as formalparameter Incase of formalparametereach name is followed by its type (separated by a colon) If there is an output from the operation, this would be placed after the brackets. • one attribute and three methodsareidentified • The attribute records the temperature of the system and will be of type integer; • The first two methods do not involve any input or output (since they merely record anincrease or decrease of one degree); • The third method reads the value of the temperature, and therefore will output aninteger.

  6. Specifying the State of theSystem in VDM-SL • The state refers to the permanent data that must be stored by the systemand which can be accessed byoperations • It corresponds to the attributes in the class diagram. • The state is specified by declaring variables • This is done in a programming language; • The notation is similar tothe form in the UML diagram. • One or more variablesarespecifiedeachwith • a name • type of data

  7. Basic variabletypes in VDM-SL

  8. Specifying the state of the Incubator Monitor System • only data item is the current temperature of the incubator • definedwithtype integer • called as temp. The state is specifiedas follows: the variable temp (to hold the temperature) is an integer and is declared to be of type This is the only item of data to record in this case.

  9. Specifying the Operations • A number of operations is specified • The system should be able perform these operations by accessing the data (i.e. state) • in VDM operations it is possible to access the state either by reading orwriting the data, or both.

  10. OperationTypesforthis problem • There are three operations • an operation that records an increment in the temperature; • an operation that records a decrement in the temperature; • an operation that reads the value of the temperature

  11. Specifying the Operations In VDM-SL, an operation consists of four sections: • the operation header; • the external clause; • the precondition; • the postcondition

  12. The increment operation • Operation names (headers) are generallywritten in upper case in VDM texts. • Here lower casewill be used • So that the operation names will correspond tothe UML diagrams, and to the Java code

  13. The external clause • Introduced by the VDM keyword ext; • Keywords are written in lower case • they are bold and non-italic • Variable and type namesare plain but italicized. • The purpose of the external clause is to restrict the access of the operation toonly components of the state • The otherpurpose of the external clause is to specify themode of access • read-only (indicated by the keyword rd) • read-write(indicated by the keyword wr)

  14. The external clause • There is only one component to the state (temp) • In thisoperation it is necessary to have read-write access to thatcomponent • The operation needs actually to change the temperature

  15. The postcondition(keyword post) • The postcondition states the conditions after the operation has been performed • it is a predicate, containing one or more variables • The main goal is to make the value of the whole statement true • state variables that are onlyin the extclausecan be included in the postcondition

  16. The postcondition • Any operation that has write access to a component of the state can changethe value of that component • Thereforeit is necessary to distinguishthe value ofthe state component before the operation and the value after ithas taken place - in other words the old value and the new value • in VDM-SL we do this by placing an overscore over the old value, todistinguish it from the new value ; • The postcondition for theincrement operation is:

  17. Important Whatshouldhappen is beingdescribedandnot how it shouldhappen .

  18. The precondition(keywordpre) • The purpose of the precondition is to place any necessary constraints on anoperation • In the incubator system the temperature is allowed tovary only within the range -10 to +10 degrees • If a preconditionwas not specified here, systemwouldallowto record a temperature that was outside of the allowed range • Thereforewe would be allowing abnormal behaviorof the system by including a precondition

  19. The precondition(keywordpre) • We can specify the outcome of the operationonly if certain conditions are met prior to the operation being invoked • If our precondition is not met we can say nothingabout what should happen

  20. The decrement operation

  21. The getTemp operation • The output variable is placed after the brackets that follow the • operation name, together with its type. • This operation does not require write access to temp, since it is notgoing to change this value, but simply read it - hence the use of thekeyword rd in the external clause

  22. The getTemp operation • The precondition consists simply of the word TRUE; • we are effectively saying here is that this operation needs noprecondition • It is a simple read operation and there is no set of circumstancesunder which the operation should not take place • A precondition with a value of TRUE is the weakest possibleprecondition • It is acceptable in such a case to leave the precondition out altogether,rather than to specify it as TRUE.

  23. The getTemp operation • The postcondition is straightforward - we just declare the output value, currentTemp, to be equal to that of thetemperature of the incubator, This is a predicate, not an assignmentstatement – itcould have been written:

  24. Declaring constants • It is possible in VDM-SL to specify constants This is not essential to any specification, but can greatly enhance its readability; • It is done by using the keyword values; • The declaration would come immediately before the state definition.

  25. Declaring constants • The convention is to use upper case for constant values. • These values could then be used in our functions and operations:

  26. Specifying functions • A function is a set of assignments from one set to another • The function receives an input value (or values) and maps this to an output valueaccording to some rule . For example • A functioncould accept an integer and output the square of that integer • A functioncouldaccept the name of a person and output that person's telephone number. • There are two ways in which we can specify a function in VDM-SL

  27. Specifying a Function Explicitly • we explicitly define the method oftransforming the inputs to the output. Example:adding two numbers together: Functionsignature Functionalgorithm • The first line is called the function signature • its purpose is to state the input types that the function accepts the left of thearrow, together with the output typethe right of the arrow • This function takes two inputs, both of type realnumbers, and outputs a value that is also of type realnumber. • The second part is the definition, and describes the algorithm that is used fortransforming the inputs to the output; • This definition is placed on the right of the symbol, • Itis read "is definedas".

  28. Specifying a Function Implicitly • A pre-and postconditionarein the same way as described for operation • Thefunctiondoes not access the state variables. The add function defined implicitly

  29. Example 1: An AbsoluteFunction defined implicitly Theimplicitspecification • The postcondition is a predicate consisting of two disjunctions; • For the predicate to be true, then one of these disjunctions must be true. • The first disjunction , z<0 r = -z, ensures that if the input, z, is negative, then the output, r, will be equal to -z; • The second disjunct, z 0 r = z, ensures that if z is positive (or zero), the output r will be equal to z; • Both disjunctions cannot be true at the same time.

  30. Example 1: An absolute function defined explicitly The explicit specification (uses the keywords if, then and else) • Important • if a function requires a preconditionthenin the explicit definition, this is placedafter the definition.

  31. Example 2: Recursive functions • Somefunctions can be specified by a recursive definition • Itmeansthatthefunction calls itself a factorial function:

  32. Specifying a StateInvariant • The requirements of the incubator states that the temperature of theincubator must stay within the range -10 to +10 Celsius • There is a mechanism for such a restrictions applied to the specification of the state • Specifyinga function known as a state invariantis called as creating a global constraint • This is differentfromthelocal constraint which is thepreconditions. • The invariant definition uses the keyword inv.

  33. Specifying a State Invariant For the IncubatorMonitor system the invariant is specified as Afterthe keyword inv,there is the expression mk-IncubatorMonitor(t) It is the input to the invfunction

  34. Specifying a State Invariant • This expression is itself a function, and is known as a make function (themk "make") • its purpose is to construct an object (IncubatorMonitor)from the valuesin theparameter list in the brackets; • the parameter names are arbitrary; • they are matchedto the components of the state • there is only one component,tempforexample • on the right of thesymbol there is the predicatethat the inputparameters must satisfy • Fromtheexamplethe temperature lie between -10 and+10 celsius (MINand MAX ). • ·

  35. Specifying an InitializationFunction • This function is specified after the declaration of the invariant • Prescribestheconditions that the system must satisfy when it is first brought into being. • When the incubator is turned on, its temperature is adjusted until asteady 5 degrees Celsius is obtained; • At this point the software system is activated; • The initialization function should state that when the system isfirst invoked, the temperature should be set to 5.

  36. This is similar in style to the invariant function, and has the samesignature; • The interpretation in this case is that the expression on the right handside of the symbol defines the conditions that must be true afterthe system is first brought into being. • We are able to argue that this function preserves the invariant sinceit sets the temperature to 5 degrees, which is within the constraintsallowed

More Related