lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Fundamentals of RE Chapter 4 Requirements Specification & Documentation: Formal Specification
2 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons start Chap. 2: Elicitation techniques Chap. 3: Evaluation techniques alternative options agreed requirements documented requirements consolidated requirements Chap. 4: Specification & documentationtechniques Chap.1: RE products and processes Where are we?
3 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Requirements specification & documentation: formal specification techniques Formal specification: what, why? Logic Logic as a basis for formalizing statements –Propositional logic –First-order predicate logic –First-order specification languages History-based History-based specification –Linear temporal logic –Branching temporal logic State-based State-based specification –Vienna development method Formal spec: strengths & limitations
4 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Formal Specification A semi formal specification declares some items of the requirements document (RD) formally, but leaves the prescriptive* and descriptive** statements about the informal items. Formal specification formalizes descriptive and prescriptive statements The benefits expected from the formalization are: a higher degree of precision in the formalization of statements much more validation and verification than can be automated by tools *Prescriptive statement: A train is moving if and only if its physical speed is not-null **descriptive statement: Train tracks are in good conditionc except the track segment X under maintainance
5 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Formal specification: what, why? To complement NL & diagrammatic specs, especially for mission-critical aspects Full formalization of RD items... –declaration part: item structure (like diagrams). Here the variables of the interests are declared –assertion partproperties –assertion part: item properties --prescriptive, descriptive.Here the intended properties of the declared variables are formalized structuring –mechanisms for structuring large specs into small units Formal = in machine-processable language –often based on mathematical logic –syntax, semantics, rules for inference of new information Benefits... –higher precision in statement formulation –more precise rules of interpretation –automation of more sophisticated checks & derivations
6 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Logic as a basis for formalizing statements Like any formal system, logic is made up of three components: A syntax A semantics A proof theory
7 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Propositional Logic First order predicate logic First order specification language
8 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Propositional Logic: Syntax andornotiftheniff Recursive composition of non-decomposable statements through logical connectives and, or, not, if... then, iff –limited expressiveness: no variables, no quantification The syntax of propositional logic can be recursively defined by two simple rules over a vocabulary of propositional symbols(non – decomposable statements like train moving, doors closed ) Syntax rules for grammatically well-formed staments: ::= true | false | ¬ ::= | ( ¬ ) | ( ) | ( ) | ( ) | ( ) Example trainStopped Emergency doorsOpen
9 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Propositional Logic: semantics Definition of meaning of statements in some interpretation –interpretation –interpretation I for statement S assigns truth values to all their specification symbols - val I is the interptration function that assigns truth values to each atomic proposition in S –meaning –meaning VAL I of S in I: truth value T, F of S under val I Semantic rules: VAL I (true) = T ; VAL I (false) = F ; VAL I (atomProp) = val I (atomProp) ifotherwise VAL I (¬ S) = T if VAL I (S) = F; F otherwise ifandotherwise VAL I (S1 S2) = T if VAL I (S1) = T and VAL I (S2) = T; F otherwise iforotherwise VAL I (S1 S2) = T if VAL I (S1) = T or VAL I (S2) = T; F otherwise ifForotherwise VAL I (S1 S2) = T if VAL I (S1) = F or VAL I (S2) = T; F otherwise if=otherwise VAL I (S1 S2) = T if VAL I (S1) = VAL I (S2); F otherwise
10 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Compound Propositions
11 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Semantics of propositional logic (2) Example of semantic evaluation: under interpretation val I (trainMoving) = F, val I (doorsClosed) = F the semantics of trainMoving doorsClosed is: VAL I (trainMoving doorsClosed) = T (using implication rule)
12 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Propositional Logic: proof theory Rules for infering new statements from available ones –sound –sound rule if conclusion is true under any interpretation that makes premise true –enables automatic derivations without semantic evaluation Sample of inference rules: P Q, P P Q, Q R P Q, P R QP R Q R Example of derivation using 3rd rule (resolution): from from trainMoving doorsClosed, trainStopped trainMovi ng we get we get doorsClosed trainStopped premise conclusion
13 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons First-order predicate logic: syntax Extends expressiveness of propositional logic through variables, constants, quantifications, relations & functions Terms are used to define specific objects in the domain of interest Syntax rules: ::= | | ( * ) ::= true | false | ( * ) ¬ ::= | ( ¬ ) | ( ) | ( ) | ( ) | ( ) ( )()( ) () | ( )( ) | ( ) ( ) xyxy
14 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons Example: The distance between two successive trains should be kept sufficient to avoid collisions if the first train stops suddenly tr1, tr2 > Following (tr2, tr1) Dist (tr2, tr1) > WCS-Dist (tr2) To evaluate the statement semantically, an interpretation is required for its building blocks The domain of interpretation for the statement is the set of trains in the system The atomic predicate Following (tr2, tr1) is true if and only if the pair (tr2, tr1) is a member of the binary relation Following over trains, defined as the set of pairs of trains in which the first train in the pair directly follows the second. The function symbol Dist gives the real-value function, for two given trains The function symbol WSC-Dist gives the real-valued function for a given train returns the worst-case distance needed for the train to stop in emergency The predicate symbol > used in infix form, shows the > binary relation over real numbers
15 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons First-order predicate logic: semantics Interpretation Interpretation: definition of what unquantified variables, constants, functions, predicates designate in domain of interes t –predicate specs have meaning only within specific interpretation Documenting Documenting interpretations is essential for communication, non-ambiguity, adequacy checking... –Domain of interest –Domain of interest e.g. trains connecting airport terminals constantsunquantified variables –For constants a, unquantified variables x: val I (a), val I (x) = specific domain elements e.g. val I (MTP) = main terminal platform function –For function symbol f: val I (f) = specific function over domain e.g. val I (WCS-Dist) = function returning the worst-case distance for the given train to stop in emergency predicate –For n-ary predicate symbol P: val I (P) = n-ary relation over domain e.g. val I (Following) = set of train pairs with 1st directly behind 2nd xyxy
16 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons First-order predicate logic: semantic rules Within specific interpretation I, semantic value VAL I is... VAL I (a) = val I (a) for constants VAL I (x) = val I (x) for unquantified variable occurrences VAL I ( f (t 1,..., t n ) ) = (val I (f )) (VAL I (t 1 ),..., VAL I (t n )) for terms VAL I (true) = T, VAL I (false) = F VAL I ( P (t 1,..., t n )) = (val I (P )) (VAL I (t 1 ),..., VAL I (t n )) for atomic predic VAL I (¬ S), VAL I (S1 S2), VAL I (S1 S2), VAL I (S1 S2), VAL I (S1 S2): cf. propositional logic if d for each VAL I (( x) S ) = T if VAL {x d}oI (S ) = T for each domain element d if d for some F if VAL {x d}oI (S ) = F for some domain element d if d for some VAL I (( x) S ) = T if VAL {x d}oI (S ) = T for some domain element d if d for each F if VAL {x d}oI (S ) = F for each domain element d xyxy
17 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons First-order predicate logic: proof theory Inference rules from propositional logic + specific ones, e.g. ( x) S u 1 = v 1,..., u n = v n u 1 = v 1,..., u n = v n S [x / t] f (u 1,..., u n ) = f (v 1,..., v n ) P (u 1,..., u n ) P (v 1,..., v n ) => automated derivation/checking of more expressive statements xyxy instantiation term/predicate rewriting under equality of args
18 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons First-order specification languages Variables Variables designate objects involved in reqs, dom props, assumptions ( e.g. entity instances in ER diagram) –with value generally changing over time State State of variable x: pair (x, v) v: value System state System state: pair (X, V) X: set of system variables, V: set of corresponding values following100m50m e.g. train tr2 following tr1 at distance of 100m, WCS-Dist = 50m In many spec languages, specs are interpreted over states –spec satisfied by some states, falsified by others sorted Many first-order spec languages are sorted –typed variable designates some instance in a set : Train –e.g. tr1, tr2: Train Following (tr2, tr1) Dist (tr2, tr1) > WCS-Dist (tr2) xyxy sort instance variables (e.g. entity instances)
19 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons The logic underlying many first order specification languages is in general a sorted one; that is, the variables are “typed”. A type variable gives an instance in a specific set (called sort) A sort can be an entity from an entity-relationship diagram or a set of data values. : Train – tr1, tr2: Train Following (tr2, tr1) Dist (tr2, tr1) > WCS-Dist (tr2) Tr1 and tr2 gives arbitrary instances of the train entity, the atomic predicate Following corresponds to attributes of Following and train, respectively. A state of variable tr2 might be characterized by the fact that the related train is following another train, designated by tr1, at a distance of 100 metres and with a worst-case stopping distance of 50 meters in thar state.
20 lamsweerde Chap.4: Formal Requirements Specification © 2009 John Wiley and Sons First-order specification languages (2) Formal specification = logical “theory” = set of formal statements (“axioms”) from which new statements can be derived (“theorems”) by inference rules For example stakeholders may be shown the derived thorems, after translation into natural language, and asked whether they really want the consequences of what was specified. More precise characterization of specification errors/flaws... –Contradiction –Contradiction: no interpretation of interest that can make all statements true together –Ambiguity –Ambiguity: multiple interpretations of interest that can make all statements true together –Redundancy –Redundancy: some statements can be inferred from others Automated derivation of theorems is useful for... –adequacy ckecking (“do you want this consequence?”) –consistency checking (false as derivable theorem) xyxy