Analyzing the Requirements with Formal Specifications Vienna Development Method Specification Language (VDM-SL) Book: Formal Software Development From VDM to Java Quentin Charatan and Aoron Kans

The Case Study: Incubator Control Problem: The temperature of the incubator needs to be carefully controlled and monitored  The aim is to provide the correct conditions for a particular biological experiment to be undertaken  The software is needed to monitor and control the incubator temperature.

The Case Study: Incubator Control (simple version of the system )  In this version, control of the hardware lies outside of our system;  In other words, a system will be specified that simply monitors the temperature of the incubator.

The Case Study: Incubator Control  The hardware increments or decrements the temperature of the incubator in response to instructions  Each time a change of one degree has been achieved, the software is informed of the change  According to the safety requirements, the temperature of the incubator must never be allowed to rise above 10 Celsius, nor fall below 10 Celsius.

The UML specification identify a single class, IncubatorMonitor  one attribute and three methods are identified  The attribute records the temperature of the system and will be of type integer;  The first two methods do not involve any input or output (since they merely record an increase or decrease of one degree);  The third method reads the value of the temperature, and therefore will output an integer. The UML diagram indicates that these is no input as formal parameter In case of formal parameter each name is followed by its type (separated by a colon) If there is an output from the operation, this would be placed after the brackets.

Specifying the State of the System in VDM-SL  The state refers to the permanent data that must be stored by the system and which can be accessed by operations  It corresponds to the attributes in the class diagram.  The state is specified by declaring variables  This is done in a programming language;  The notation is similar to the form in the UML diagram.  One or more variables are specified each with  a name  type of data

Basic variable types in VDM-SL

Specifying the state of the Incubator Monitor System only data item is the current temperature of the incubator defined with type integer called as temp. The state is specified as follows: the variable temp (to hold the temperature) is an integer and is declared to be of type  his is the only item of data to record in this case.

Specifying the Operations  A number of operations is specified – The system should be able perform these operations by accessing the data (i.e. state)  in VDM operations it is possible to access the state either by reading or writing the data, or both.

Operation Types for this problem  There are three operations  an operation that records an increment in the temperature;  an operation that records a decrement in the temperature;  an operation that reads the value of the temperature

Specifying the Operations In VDM-SL, an operation consists of four sections:  the operation header;  the external clause;  the precondition;  the postcondition

The increment operation  Operation names (headers) are generally written in upper case in VDM texts.  Here lower case will be used  So that the operation names will correspond to the UML diagrams, and to the Java code

The external clause  Introduced by the VDM keyword ext;  Keywords are written in lower case they are bold and non-italic  Variable and type names are plain but italicized.  The purpose of the external clause is to restrict the access of the operation to only components of the state  The other purpose of the external clause is to specify the mode of access  read-only (indicated by the keyword rd)  read-write (indicated by the keyword wr)

The external clause  There is only one component to the state (temp)  In this operation it is necessary to have read-write access to that component  The operation needs actually to change the temperature

The postcondition (keyword post)  The postcondition states the conditions after the operation has been performed  it is a predicate, containing one or more variables  The main goal is to make the value of the whole statement true  state variables that are only in the ext clause can be included in the postcondition

The postcondition  Any operation that has write access to a component of the state can change the value of that component  Thereforeit is necessary to distinguish the value of the state component before the operation and the value after it has taken place - in other words the old value and the new value  in VDM-SL we do this by placing an overscore over the old value, to distinguish it from the new value ;  The postcondition for the increment operation is:

Important What should happen is being described and not how it should happen.

The precondition (keyword pre)  The purpose of the precondition is to place any necessary constraints on an operation  In the incubator system the temperature is allowed to vary only within the range -10 to +10 degrees  If a precondition was not specified here, system would allow to record a temperature that was outside of the allowed range o Therefore we would be allowing abnormal behavior of the system by including a precondition

The precondition (keyword pre)  We can specify the outcome of the operation only if certain conditions are met prior to the operation being invoked  If our precondition is not met we can say nothing about what should happen

The decrement operation

The getTemp operation  The output variable is placed after the brackets that follow the operation name, together with its type.  This operation does not require write access to temp, since it is not going to change this value, but simply read it - hence the use of the keyword rd in the external clause

The getTemp operation  The precondition consists simply of the word TRUE;  we are effectively saying here is that this operation needs no precondition  It is a simple read operation and there is no set of circumstances under which the operation should not take place  A precondition with a value of TRUE is the weakest possible precondition  It is acceptable in such a case to leave the precondition out altogether, rather than to specify it as TRUE.

The getTemp operation  The postcondition is straightforward - we just declare the output value, currentTemp, to be equal to that of the temperature of the incubator, This is a predicate, not an assignment statement – it could have been written:

Declaring constants  It is possible in VDM-SL to specify constants This is not essential to any specification, but can greatly enhance its readability;  It is done by using the keyword values;  The declaration would come immediately before the state definition.

Declaring constants  The convention is to use upper case for constant values.  These values could then be used in our functions and operations:

Specifying functions  A function is a set of assignments from one set to another  The function receives an input value (or values) and maps this to an output value according to some rule. For example  A function could accept an integer and output the square of that integer  A function could accept the name of a person and output that person's telephone number.  There are two ways in which we can specify a function in VDM-SL

Specifying a Function Explicitly  we explicitly define the method of transforming the inputs to the output. Example: adding two numbers together :  The first line is called the function signature  its purpose is to state the input types that the function accepts the left of the arrow, together with the output type the right of the arrow  This function takes two inputs, both of type real numbers, and outputs a value that is also of type real number.  The second part is the definition, and describes the algorithm that is used for transforming the inputs to the output;  This definition is placed on the right of the symbol, It is read "is defined as". Function signature Function algorithm

Specifying a Function Implicitly  A pre-and postcondition are in the same way as described for operation  The function does not access the state variables. The add function defined implicitly

Example 1: An Absolute Function defined implicitly The implicit specification  The postcondition is a predicate consisting of two disjunctions;  For the predicate to be true, then one of these disjunctions must be true.  The first disjunction, z<0  r = -z, ensures that if the input, z, is negative, then the output, r, will be equal to -z;  The second disjunct, z  0  r = z, ensures that if z is positive (or zero), the output r will be equal to z;  Both disjunctions cannot be true at the same time.

Example 1: An absolute function defined explicitly The explicit specification (uses the keywords if, then and else) Important  if a function requires a precondition then in the explicit definition, this is placed after the definition.

Example 2: Recursive functions  Some functions can be specified by a recursive definition  It means that the function calls itself a factorial function:

Specifying a State Invariant  The requirements of the incubator states that the temperature of the incubator must stay within the range -10 to +10 Celsius  There is a mechanism for such a restrictions applied to the specification of the state  Specifying a function known as a state invariant is called as creating a global constraint This is different from the local constraint which is the preconditions.  The invariant definition uses the keyword inv.

Specifying a State Invariant For the IncubatorMonitor system the invariant is specified as After the keyword inv, there is the expression mk-IncubatorMonitor(t) It is the input to the inv function

 This expression is itself a function, and is known as a make function (the mk "make")  its purpose is to construct an object (IncubatorMonitor) from the values in the parameter list in the brackets; the parameter names are arbitrary; they are matched to the components of the state there is only one component, temp for example on the right of the symbol there is the predicate that the input parameters must satisfy From the example the temperature lie between -10 and +10 celsius (MIN and MAX ). · Specifying a State Invariant

Specifying an Initialization Function  When the incubator is turned on, its temperature is adjusted until a steady 5 degrees Celsius is obtained;  At this point the software system is activated;  The initialization function should state that when the system is first invoked, the temperature should be set to 5.  This function is specified after the declaration of the invariant  Prescribes the conditions that the system must satisfy when it is first brought into being.

 This is similar in style to the invariant function, and has the same signature; right hand side  The interpretation is that the expression on the right hand side of the symbol defines that  the conditions that must be true after the system is first brought into being.  This function preserves the invariant since it sets the temperature to 5 degrees  it is within the constraints allowed Specifying an Initialization Function