Formal Specification of Topological Relations Erika Asnina, Janis Osis and Asnate Jansone Riga Technical University The 10th International Baltic Conference on Databases and Information Systems (Baltic DB&IS 2012) July 8-11, 2012, Vilnius, Lithuania 1

Software Engineering (SE) VS Software Development (SD) 2 System Software SE foresees the analysis of both the system and software. SD narrows it to the analysis of software and only a part of its interaction with the system.

Why? Main reasons of ignoring the proper analysis of the system are: – Time. First results must be delivered to the client as fast as possible; – Deliverable items. The most important deliverable item is software not specifications, designs, or results of the analysis; – Finance. The proper system analysis requires more finance at the beginning of the project. 3

Is there a solution? The solution could be if system analysis and design models are used directly for producing software code  MODEL-DRIVEN SOFTWARE DEVELOPMENT 4

Model-Driven SD Principles 5 Computation Independent Model (CIM) Platform Independent Model (PIM) Platform Specific Model (PSM) Code Intuitive Manual Transformation Automated M2M Transformation Automated M2C Transformation

MDSD + System Analysis? System analysis is conducted at the computation independent level In order to make software engineering by model-driven, the CIM must also “drive” development, i.e., it must be included in the model transformation chain  The CIM must be formal and transformable to design models 6

Model-Driven SD Principles 7 Computation Independent Model (CIM) Platform Independent Model (PIM) Platform Specific Model (PSM) Code Topological Functioning Model, Requirements Specification, Data Vocabulary Design Model (e.g., in UML) Platform Specific Design Model (e.g., in UML profile for J2EE) Code (e.g., J2EE / Java code) Automated M2M Transformation Automated M2C Transformation Automated M2M Transformation

Topological Functioning Model(1) It is a computation independent model It provides correspondence between system and software models by means of mathematical continuous mapping between graphs It is a means for verification of requirements completeness, determination of shared functionality and derivation of use cases, integration of system knowledge that usually are expressed as a set of interrelated fragments, and derivation of system’s structure and behavior. 8

Topological Functioning Model(2) A topological functioning model A topological space (X,  ). X is a finite set of system properties called functional features.  is a set topology in the form of a digraph A digraph describes cause-and-effect relations among system functional features or properties Notation – nodes  functional features – arcs  cause-and-effect relations 9

The Challenge The holistic nature of the TFM requires identification and analysis of all cause-and-effect relations, which are important for system’s operation.  This intuitive work must be formalized! 10

TFM Cause-and-Effect Relations It has a time dimension, since a cause chronologically precedes an effect; In causal connections “something is allowed to go wrong”, whereas logical statements allow no exceptions; Causes may be sufficient or necessary (in other words, complete or partial) for generating an effect; Cause-and-effect relations involve multiple factors. Sometimes there are factors in series. Sometimes there are factors in parallel; The causality is universal. This means that there is no such a problem domain without causes and effects. ________________________________________________ Cause-and-Effect Relations  Control Flows 11

System Functioning Controlled by Cause and Effect Relations When some phenomenon occurs in the external environment, a process starts. Conduction of functional feature begins with the initiation event (init), then functional feature (A) is executing, and after successful execution the termination event (terminated) occurs. Following control flow that is represented as a cause-and-effect relation (such as ones between A and B1, B1 and B2), the initiation event of other functional feature (B1) occurs, and so on till the phenomenon sent to the external environment, the process ends. 12

The Common Case of Cause and Effect Relations A functional feature starts if its preconditions are satisfied, and ends setting post-conditions. But completeness of post-conditions to satisfy a precondition of the effect depends on proper analysis of the system knowledge. 13

Formal Definition of a Cause and Effect Relation A unique tuple, where – C (cause) is a functional feature that generates functional feature E, this could not be empty; – E (effect) is a functional feature that is generated by functional feature C, this could not be empty; – N is necessity of the functional feature C for generating the functional feature E; the values are true or false; – S is sufficiency of the functional feature C; the values are true or false; – Refs (references) is a set of unique tuples, where Ref_Ids is a set of tuples of cause-and-effect relations that participate in logical operation LOp together. 14

Classical Logic Logical operators LOp are operators from classical logic such as conjunction (AND), disjunction (OR), and negation (NOT). Conjunction indicates synchronous occurrence of referenced causes. Disjunction indicates asynchronous occurrence of referenced causes. The necessity of the cause is determined when the occurrence of the effect indicates on the occurrence of the cause. The sufficiency of the cause is determined when the occurrence of the cause indicates on the occurrence of the effect. The necessary and sufficient cause is when the occurrence of the effect is possible if and only if the cause occurred, and occurrence of the effect indicates on the obligatory occurrence of the cause. 15

Possible Combinations An incorrectly defined cause in a cause-and-effect relation between functional features is when a cause is not necessary and not sufficient for generating an effect functional feature. Existence of logical operators between two causes (input cause-and-effect relations): – AND operator must be set between two causes if they all are necessary but not sufficient; – OR operator must be set between two causes if they all are sufficient but not necessary. If every of more than one cause is both necessary and sufficient, then these causes are joined by the logical operator XOR (exclusive OR). In general case, we must review all the combination of necessity and sufficiency of causes and elect those where both necessity and sufficiency (or at least sufficiency) are true. 16

Illustration: The Library TFM (1) f13: Taking back a book copy, {}, Lib; f14: Checking the term of loan of a book copy, {}, Lib; f15: Evaluating the condition of a book copy, {}, Lib; f16: Imposing a fine, {the loan term is exceeded, the lost book, or the damaged book}, Lib; f17: Returning the book copy to a book fund, {}, Lib; f18: Paying a fine, {imposed fine}, R; f19: Closing a fine, {paid fine}, Lib; 17

Illustration: The Library TFM (2) Functional Features – f13: Taking back a book copy, {}, Lib; – f14: Checking the term of loan of a book copy, {}, Lib; – f15: Evaluating the condition of a book copy, {}, Lib; Case 1: – r13-14: C= f13, E= f14, N=true, S=true, Refs = empty set; Case 2: – r14-15: C= f14, E= f15, N=false, S=false, Refs = empty set; – The relation is removed. The new relation r13-15 is established. 18

Illustration: The Library TFM (3) Functional Features – f14: Checking the term of loan of a book copy, {}, Lib; – f15: Evaluating the condition of a book copy, {}, Lib; – f16: Imposing a fine, {the loan term is exceeded, the lost book, or the damaged book}, Lib; – f18: Paying a fine, {imposed fine}, R; – f19: Closing a fine, {paid fine}, Lib; Case 3: – r14-16: C= f14, E= f16, N= false, S=true, Refs = {r15-16; OR}; – r15-16: C= f15, E= f16, N= false, S= true, Refs = {r14-16; OR}; Case 4: – r16-19: C= f16, E= f19, N= true, S=false, Refs = {r18-19, AND}; – r18-19: C= f18, E= f19, N=true, S= false, Refs ={r16-19, AND}; 19

Illustration: The Library TFM (4) Functional Features – f14: Checking the term of loan of a book copy, {}, Lib; – f15: Evaluating the condition of a book copy, {}, Lib; – f16: Imposing a fine, {the loan term is exceeded, the lost book, or the damaged book}, Lib; – f17: Returning the book copy to a book fund, {}, Lib; Case 5: – r14-17: C= f14, E= f17, N= true, S = false, Refs = ?; – r15-17: C= f15, E= f17, N= true, S= false, Refs = ?; – r16-17: C= f16, E= f17, N=true, S= true, Refs = ?; 20

Illustration: The Library TFM (5) Case 5: – r14-17’: C= f14, E= f17, N= true, S = false, Refs = {r15-17’, ¬r16- 17’, AND} XOR {r16-17’,¬r15-17’, AND}; see rows 5 and 6. – r15-17’: C= f15, E= f17, N= true, S= false, Refs = {r14-17’,¬r16- 17’, AND} XOR {r16-17’, ¬r14-17’, AND}; see rows 3 and 6. – r16-17’: C= f16, E= f17, N = true, S= true, Refs = {¬r14-17’, ¬r15- 17’, AND} XOR {r15-17, ¬ r14-17’, AND} XOR { r14-17’, ¬ r15-17’, AND}; see rows 2, 3, and Rowf14f15f16f17NecessarySufficient 10000false 20011true false 51011true false

The Source TFM “Before” and The Corresponding UML Activity Diagram 22

The Source TFM “After” and The Corresponding UML Activity Diagram 23

Conclusions The proposed formalization allows – discovering of misunderstandings or mistakes in the already constructed TFM; – defining synchronous and asynchronous occurrences of the causes automatically in a part of cases. It is a step towards – better understanding of the system functionality, and – automated M2M transformation starting from the very beginning of the software development process. 24

Further Research Directions Model checking for the TFM – Model checking is a field where results of analysis and modeling of system and software behavior are formally and automatically verified. 25

Thank You for Attention ! 26