Formal Methods in Software Engineering Saima Zareen

Assignment Alpha group A software system is to be developed to manage the records of patients who enter a clinic for treatment. The records include records of all regular patient monitoring (temperature, blood pressure, etc.) treatments given, patient reactions and so on. After treatment, the records of their stay are sent to the patient’s doctor who maintains their complete medical record. Identify the state variables and design an AMN.

Date of submission Before next lecture Evaluation policy Individual assignment Copied assignments shall be marked ZERO

Assignment Omega group An automated ticket-issuing system sells rail tickets. Users select their destination and input a credit card and a personal identification number. The rail ticket is issued and their credit card account charged. When the user presses the start button, a menu display of potential destinations is activated, along with a message to the user to select a destination. Once a destination has been selected, users are requested to input a personal identifier. When the credit transaction has been validated, the ticket is issued.

Date of submission Before next lecture Evaluation policy Individual assignment Copied assignments shall be marked ZERO

Query Operations A query operation is one which provides some information as output about the state of the machine, but does not alter the state. The body of the a query operation will typically consist of a number of assignments to output variables, but with no assignments to any of the state variables. Query operations may also have input variables.

Query Operations contd.. Query operations are always consistent with the invariant. There are never any proof obligations associated with query operations of a machine.

MACHINE parameters All machines in a development must have different names. Parameters must be listed after the name of the machine. Two kinds of parameters. Set valued Written in uppercase Parameter must be instantiated with a non empty set when the machine is used. Scalar valued Written in lowercase

MACHINE parameters contd.. E.g. MACHINE Store(ITEM) ITEM as a type in its other clauses in the same way that N and N1 are available as types for variables. Scalar value parameter must be instantiated with a scalar value. The club machine has one parameter, capacity and so this is declared as follows: MACHINE club(capacity) Its type N1 is not given with the parameter, but will instead be given in the CONSTRAINTS clause.

CONSTRAINTS CONSTRAINTS clause provides explicit information about any further restrictions on the values of the parameters. It must include type information about any scalar parameters, either as one of the set parameters, that is also passed. CONSTRAINT clause may also contain any other information about parameters. It bears the same relationship to machine parameters as the INVARIANT clause does to the machine variables.

CONSTRAINTS contd.. E.g CONSTRAINTS capacity € N1 ⋀ capacity ≤ 4096

RECAP My name is …………………… I remember ………………….

SETS in addition passing sets to a machine via its parameters, other types can be introduced into a specification by explicitly listing them in the SETS clause. They are written in uppercase. Sets introduced might simply be named without any further information being provided, deferring their definition until some later stage of the development. E.g. SETS REPORT={yes, no};NAME

CONSTANTS Names of the constants that are to be used within the machine. Their type must be given in the properties clause. Constants can be of any type that is known to the machine: Types introduced through sets Provided as parameters Standard types such as N Type constructors such as the powerset constructor P, the product constructor x

CONSTANTS contd.. E.g. CONSTANTS total

PROPERTIES Describes the conditions that must hold on the sets and constants described in those two clauses. These can be related to the parameters that are passed to the machine. For example in the club machine the size of the set NAME introduced in the SETS clause is bounded below by the parameter capacity. E.g. PROPERTIES card(NAME)>capacity ⋀total €N1 ⋀ capacity< total

PROPERTIES contd.. Parameters instantiations for the sets and constants should meet the PROPERTIES clause.

Context Parameters, constants, sets, properties define the particular behavior of the machine known as framework or context. The visibility between the items can be introduced into a machine description and the information about those items. The invariant and the various operations can refer to any of the parameters, sets, and constants as appropriate. On the other hand the constraints can refer to only parameters The properties can refer to the parameters, sets and constants.

Visibility of items in a machine description

Context of the Club machine

The clauses of machine

Proof obligations for CONSTRAINTS If C describes the constraints on the parameters of the machine, then there should be some values of the parameters p that meet these constraints. Otherwise it will never be possible to successfully invoke any instantiation of the machine. Proof obligation ∃p.C ∃ capacity.(capacity €ℕ1 ⋀ capacity ≤4096)

Proof obligation for PROPERTIES Given the constraints of parameters are satisfied, It is necessary to ensure that there will always be sets ST and constants k that meet the PROPERTIES clause B. C=> ST, k.B Whenever C is true then parameters are acceptable. In the club machine the proof obligation is Capacity €ℕ1⋀ capacity ≤4096 =>∃ NAME,REPORT, total.(card(NAME))> capacity ⋀ total € ℕ1 ⋀ total > 4096.

Proof obligation for INVARIANT It should allow at least one legitimate state of the machine. The values of the parameters, sets, and constants need to be taken into account. Once the parameters, sets, and constants are all provided, the constraints C and properties B are true. Under these conditions the machine should have at least one state A setting of its variables v Which satisfies its invariant I.

Proof obligation for INVARIANT B ⋀ C=>∃v. I

Proof obligations for INITIALIZATION and OPERATIONS It is necessary that the initialization T is guaranteed to establish the invariant I, under the assumption that C and B hold that the context of the machine is satisfactory. B⋀C=>[T]I It is necessary to prove that all operations PRE p THEN S END preserve the invariant, gain under the assumption that C and B hold. When an operation is called appropriately the invariant I will be true.

Proof obligations for INITIALIZATION and OPERATIONS Its precondition should also be true otherwise the user has no right to call the operation. B and C are known to be static part of the machine description. (B^C^I^P)=>[S]I If I and P are true then the operation should be guaranteed to establish I again.

Summary AMN can contain parameters and these parameters are defined in Constraint, SETS and PROPERTIES Clause. We call them as the context of the AMN. In order to find the consistency of the AMN, its proof obligations need to be re-visited in terms of CNSTRAINT, PROPERTIES and INVARIANT clauses.