new lecture 8: decision tables · 2018. 5. 28. · decision tables –8– 2018-05-28– main–...
TRANSCRIPT
–8
–2
018
-05
-28
–m
ain
–
Softwaretechnik / Software-Engineering
Lecture 8: Decision Tables
2018-05-28
Prof. Dr. Andreas Podelski, Dr. Bernd Westphal
Albert-Ludwigs-Universität Freiburg, Germany
Topic Area Requirements Engineering: Content
–8
–2
018
-05
-28
–S
blo
ckco
nte
nt
–
2/48
• Introduction
• Requirements Specification
• Desired Properties
• Kinds of Requirements
• Analysis Techniques
• Documents
• Dictionary, Specification
• Specification Languages
• Natural Language
• Decision Tables
• Syntax, Semantics
• Completeness, Consistency, . . .
• Scenarios
• User Stories, Use Cases
• Live Sequence Charts
• Syntax, Semantics
• Definition: Software & SW Specification
• Wrap-Up
VL 6
.
..
VL 7
.
..
VL 8...
VL 9
.
..
VL 10...
–8
–2
018
-05
-28
–m
ain
–
3/48
Risks Implied by Bad Requirements Speci�cations
–6
–2
018
-05
-07
–S
rein
tro
–
6/42
negotiationnegotiation
require-mentsspeci-fication
design /implemen-tation
design /implemen-tation
qualityassurancequalityassurance
acceptanceacceptance
docu-mentationdocu-mentation
re-usere-use
customer developer
negotiation(with customer,
marketing
department, or
. . . )
design and implementation,
• without specification,programmers may just “askaround” when in doubt, possiblyyielding different interpretations� difficult integration
documentation, e.g., the user’s manual,
• without specification, the user’s manual author can onlydescribe what the system does, not what it should do(“every observation is a feature”)
preparation of tests,
• without a description of allowed outcomes, tests arerandomly searching for generic errors (like crashes)� systematic testing hardly possible
acceptance bycustomer,resolving laterobjections or regressclaims,
• without specification, itis unclear at deliverytime whether behaviouris an error (developerneeds to fix) or correct(customer needs toaccept and pay) �nasty disputes,additional effort
re-use,
• without specification, re-use needs to be based onre-reading the code � risk of unexpected changes
• later re-implementations.
• the new software may need to adhere to requirements of the old software; if not properly specified,the new software needs to be a 1:1 re-implementation of the old � additional effort
–8
–2
018
-05
-28
–m
ain
–
4/48
Requirements on Requirements Speci�cations
–6
–2
018
-05
-07
–S
re–
14/42
A requirements specification should be
• correct— it correctly represents the wishes/needs ofthe customer,
• complete— all requirements (existing in somebody’shead, or a document, or . . . ) should be present,
• relevant— things which are not relevant to the projectshould not be constrained,
• consistent, free of contradictions— each requirement is compatible with all otherrequirements; otherwise the requirements arenot realisable,
• neutral, abstract— a requirements specification does notconstrain the realisation more than necessary,
• traceable, comprehensible— the sources of requirements are documented,requirements are uniquely identifiable,
• testable, objective— the final product can objectively be checkedfor satisfying a requirement.
• Correctness and completeness are defined relative to somethingwhich is usually only in the customer’s head.
� is is difficult to be sure of correctness and completeness.
• “Dear customer, please tell me what is in your head!” is in almost all cases not a solution!
It’s not unusual that even the customer does not precisely know. . . !
For example, the customer may not be aware of contradictions due to technical limitations.
–8
–2
018
-05
-28
–m
ain
–
5/48
Structure of Topic Areas
–1
–2
018
-04
-16
–S
cco
nte
nt
–
28/45
Example: Requirements Engineering
Vocabulary e.g. consistent,complete, tacit, etc.
Techniques
informal
semi-formal
formal
In the course:
e.g. “Whenever a crash. . . ”
e.g. “Always, if hcrashi at t. . . ”
e.g. “� t, t� � Time • . . . ”
Use Cases
Pattern Language
Decision TablesLive Sequence Charts
Content
–8
–2
018
-05
-28
–S
con
ten
t07
–
6/48
• (Basic) Decision Tables
• Syntax, Semantics
• . . . for Requirements Specification
• . . . for Requirements Analysis
• Completeness,
• Useless Rules,
• Determinism
• Domain Modelling
• Conflict Axiom,
• Relative Completeness,
• Vacuous Rules,
• Conflict Relation
• Collecting Semantics
• Discussion
Logic
Decision Tables
–8
–2
018
-05
-28
–m
ain
–
7/48
–8
–2
018
-05
-28
–m
ain
–
8/48
Decision Table Syntax
–7
–2
018
-05
-14
–S
core
et
–
24/64
• Let C be a set of conditions and A be a set of actions s.t. C �A = �.
• A decision table T over C and A is a labelled (m+ k)× n matrix
T : decision table r1 · · · rn
c1 description of condition c1 v1,1 · · · v1,n
..
....
..
.. . .
..
.
cm description of condition cm vm,1 · · · vm,n
a1 description of action a1 w1,1 · · · w1,n
..
....
..
.. . .
..
.
ak description of action ak wk,1 · · · wk,n
• where• c1, . . . , cm � C ,
• a1, . . . , ak � A,
• v1,1, . . . , vm,n � {�,×, �} and
• w1,1, . . . , wk,n � {�,×}.
• Columns (v1,i, . . . , vm,i, w1,i, . . . , wk,i), 1 � i � n, are called rules,
• r1, . . . , rn are rule names.
• (v1,i, . . . , vm,i) is called premise of rule ri,
(w1,i, . . . , wk,i) is called effect of ri.
–8
–2
018
-05
-28
–m
ain
–
9/48
Decision Table Semantics
–7
–2
018
-05
-14
–S
core
et
–
25/64
Each rule r � {r1, . . . , rn} of table T
T : decision table r1 · · · rn
c1 description of condition c1 v1,1 · · · v1,n
..
....
..
.. . .
..
.
cm description of condition cm vm,1 · · · vm,n
a1 description of action a1 w1,1 · · · w1,n
......
.... . .
...
ak description of action ak wk,1 · · · wk,n
is assigned to a propositional logical formula F(r) over signature C �� A as follows:
• Let (v1, . . . , vm) and (w1, . . . , wk) be premise and effect of r.
• ThenF(r) := F (v1, c1) � · · · � F (vm, cm)
| {z }
=:Fpre(r)
�F (w1, a1) � · · · � F (wk, ak)| {z }
=:Fe� (r)
where
F (v, x) =
�
�
�
�
�
x , if v = ×
¬x , if v = �
true , if v = �
–8
–2
018
-05
-28
–m
ain
–
10/48
Decision Table Semantics: Example
–7
–2
018
-05
-14
–S
core
et
–
26/64
F(r) := F (v1, c1) � · · · � F (vm, cm)
� F (v1, a1) � · · · � F (vk, ak)F (v, x) =
�
�
�
�
�
x , if v = ×
¬x , if v = �
true , if v = �
T r1 r2 r3
c1 × × �
c2 × � �
c3 � × �
a1 × � �
a2 � × �
• F(r1) = c1 � c2 � ¬c3 � a1 � ¬a2
• F(r2) = c1 � ¬c2 � c3 � ¬a1 � a2
• F(r3) = ¬c1 � true � true � ¬a1 � ¬a2
Decision Tables as Requirements Specification
–8
–2
018
-05
-28
–m
ain
–
11/48
Yes, And?
–8
–2
018
-05
-28
–S
eta
ssp
ec
–
12/48
We can use decision tables to model (describe or prescribe) the behaviour of software!
Example:Ventilation system oflecture hall 101-0-026.
T : room ventilation r1 r2 r3
b button pressed? × × −
off ventilation off? × − ∗
on ventilation on? − × ∗
go start ventilation × − −
stop stop ventilation − × −
• We can observe whether button is pressed and whether room ventilation is on or off,and whether (we intend to) start ventilation of stop ventilation.
• We can model our observation by a boolean valuation σ : C ∪A → B, e.g., set
σ(b) := true, if button pressed now and σ(b) := false, if button not pressed now.
σ(go) := true, we plan to start ventilation and σ(go) := false, we plan to stop ventilation.
• A valuation σ : C ∪A → B can be used to assign a truth value to a propositional formula ϕ over C ∪A.
As usual, we write σ |= ϕ iff ϕ evaluates to true under σ (and σ 6|= ϕ otherwise).
• Rule formulae F(r) are propositional formulae over C ∪ A
thus, given σ, we have either σ |= F(r) or σ 6|= F(r).
• Let σ be a model of an observation of C and A.
We say, σ is allowed by decision table T if and only if there exists a rule r in T such that σ |= F(r).
Example
–8
–2
018
-05
-28
–S
eta
ssp
ec
–
13/48
T : room ventilation r1 r2 r3
b button pressed? × × −
off ventilation off? × − ∗
on ventilation on? − × ∗
go start ventilation × − −
stop stop ventilation − × −
F(r1) = b ∧ off ∧ ¬on ∧ go ∧ ¬stop
F(r2) = b ∧ ¬off ∧ on ∧ ¬go ∧ stop
F(r3) = ¬b ∧ true ∧ true ∧ ¬go ∧ ¬stop
(i) Assume: button pressed, ventilation off, we (only) plan to start the ventilation.
• Corresponding valuation: σ1 = {b 7→ true, off 7→ true, on 7→ false, start 7→ true, stop 7→ false}.
• Is our intention (to start the ventilation now) allowed by T ? Yes! (Because σ1 |= F(r1))
(ii) Assume: button pressed, ventilation on, we (only) plan to stop the ventilation.
• Corresponding valuation: σ2 = {b 7→ true, off 7→ false, on 7→ true, start 7→ false, stop 7→ true}.
• Is our intention (to stop the ventilation now) allowed by T ? Yes. (Because σ2 |= F(r2))
(iii) Assume: button not pressed, ventilation on, we (only) plan to stop the ventilation.
• Corresponding valuation:
• Is our intention (to stop the ventilation now) allowed by T ?
–8
–2
018
-05
-28
–S
eta
ssp
ec
–
15/48
Decision Tables for Requirements Analysis
–8
–2
018
-05
-28
–m
ain
–
16/48
Completeness
–8
–2
018
-05
-28
–S
eta
na
–
18/48
Definition. [Completeness] A decision table T is called complete if and only if thedisjunction of all rules’ premises is a tautology, i.e. if
|=∨
r∈T
Fpre(r).
Completeness: Example
–8
–2
018
-05
-28
–S
eta
na
–
19/48
T : room ventilation r1 r2 r3
b button pressed? × × −
off ventilation off? × − ∗
on ventilation on? − × ∗
go start ventilation × − −
stop stop ventilation − × −
• Is T complete?
No. (Because there is no rule for, e.g., the case σ(b) = true, σ(on) = false, σ(off ) = false).
Recall:
F(r1) = c1 ∧ c2 ∧ ¬c3 ∧ a1 ∧ ¬a2
F(r2) = c1 ∧ ¬c2 ∧ c3 ∧ ¬a1 ∧ a2
F(r3) = ¬c1 ∧ true ∧ true ∧ ¬a1 ∧ ¬a2
Fpre(r1) ∨ Fpre(r2) ∨ Fpre(r3)
= (c1 ∧ c2 ∧ ¬c3) ∨ (c1 ∧ ¬c2 ∧ c3) ∨ (¬c1 ∧ true ∧ true)
is not a tautology.
For Convenience: The ‘else’ Rule
–8
–2
018
-05
-28
–S
eta
na
–
21/48
• Syntax:
T : decision table r1 · · · rn else
c1 description of condition c1 v1,1 · · · v1,n...
......
. . ....
cm description of condition cm vm,1 · · · vm,n
a1 description of action a1 w1,1 · · · w1,n w1,e
..
....
..
.. . .
..
....
ak description of action ak wk,1 · · · wk,n wk,e
• Semantics:
F(else) := ¬(
∨
r∈T\{else} Fpre(r))
∧ F (w1,e, a1) ∧ · · · ∧ F (wk,e, ak)
Proposition. If decision table T has an ‘else’-rule, then T is complete.
Uselessness
–8
–2
018
-05
-28
–S
eta
na
–
22/48
Definition. [Uselessness] Let T be a decision table.
A rule r ∈ T is called useless (or: redundant)if and only if there is another (different) rule r′ ∈ T
• whose premise is implied by the one of r and
• whose effect is the same as r’s,
i.e. if
∃ r′ 6= r ∈ T • |= (Fpre(r) =⇒ Fpre(r′)) ∧ (Feff (r) ⇐⇒ Feff (r
′)).
r is called subsumed by r′.
• Again: uselessness is decidable; reduces to SAT.
Uselessness: Example
–8
–2
018
-05
-28
–S
eta
na
–
23/48
T : room ventilation r1 r2 r3 r4
b button pressed? × × − −
off ventilation off? × − ∗ −
on ventilation on? − × ∗ ×
go start ventilation × − − −
stop stop ventilation − × − −
• Rule r4 is subsumed by r3.
• Rule r3 is not subsumed by r4.
• Useless rules “do not hurt” as such.
• Yet useless rules should be removed to make the table more readable,yielding an easier usable specification.
Determinism
–8
–2
018
-05
-28
–S
eta
na
–
24/48
Definition. [Determinism]
A decision table T is called deterministicif and only if the premises of all rules are pairwise disjoint, i.e. if
∀ r1 6= r2 ∈ T• |= ¬(Fpre(r1) ∧ Fpre(r2)).
Otherwise, T is called non-deterministic.
• And again: determinism is decidable; reduces to SAT.
Determinism: Example
–8
–2
018
-05
-28
–S
eta
na
–
25/48
T : room ventilation r1 r2 r3
b button pressed? × × −
off ventilation off? × − ∗
on ventilation on? − × ∗
go start ventilation × − −
stop stop ventilation − × −
• Is T deterministic?
Determinism: Example
–8
–2
018
-05
-28
–S
eta
na
–
25/48
T : room ventilation r1 r2 r3
b button pressed? × × −
off ventilation off? × − ∗
on ventilation on? − × ∗
go start ventilation × − −
stop stop ventilation − × −
• Is T deterministic? Yes.
Determinism: Another Example
–8
–2
018
-05
-28
–S
eta
na
–
26/48
Tabstr : room ventilation r1 r2 r3
b button pressed? × × −
go start ventilation × − −stop stop ventilation − × −
• Is Tabstr determistic? No.
By the way. . .
• Is non-determinism a bad thing in general?
• Just the opposite: non-determinism is a very, very powerful modelling tool.
• Read table Tabstr as:
• the button may switch the ventilation onunder certain conditions (which I will specify later), and
• the button may switch the ventilation offunder certain conditions (which I will specify later).
We in particular state that we do not (under any condition) want to see on and off executed together,and that we do not (under any condition) see go or stop without button pressed.
• On the other hand: non-determinism may not be intended by the customer.
Content
–8
–2
018
-05
-28
–S
con
ten
t07
–
27/48
• (Basic) Decision Tables
• Syntax, Semantics
• . . . for Requirements Specification
• . . . for Requirements Analysis
• Completeness,
• Useless Rules,
• Determinism
• Domain Modelling
• Conflict Axiom,
• Relative Completeness,
• Vacuous Rules,
• Conflict Relation
• Collecting Semantics
• Discussion
Logic
Domain Modelling for Decision Tables
–8
–2
018
-05
-28
–m
ain
–
28/48
Domain Modelling
–8
–2
018
-05
-28
–S
etc
on
flax
–
29/48
Example:
T : room ventilation r1 r2 r3
b button pressed? × × −
off ventilation off? × − ∗
on ventilation on? − × ∗
go start ventilation × − −
stop stop ventilation − × −
• If on and off model opposite output values of one and the same sensor for “room ventilation on/off”,
then σ |= on ∧ off and σ |= ¬on ∧ ¬off never happen in reality for any observation σ .
• Decision table T is incomplete for exactly these cases.
(T “does not know” that on and off can be opposites in the real-world).
• We should be able to “tell” T that on and off are opposites (if they are).
Then T would be relative complete (relative to the domain knowledge that on/off are opposites).
Bottom-line:
• Conditions and actions are abstract entities without inherent connection to the real world.
• When modelling real-world aspects by conditions and actions,we may also want to represent relations between actions/conditions in the real-world
(→ domain model (Bjørner, 2006)).
Conflict Axioms for Domain Modelling
–8
–2
018
-05
-28
–S
etc
on
flax
–
30/48
• A conflict axiom over conditions C is a propositional formula ϕconfl over C .
Intuition: a conflict axiom characterises all those cases,i.e. all those combinations of condition values which ‘cannot happen’— according to our understanding of the domain.
• Note: the decision table semantics remains unchanged!
Example:
• Let ϕconfl = (on ∧ off ) ∨ (¬on ∧ ¬off ).
“on models an opposite of off , neither can both be satisfied nor both non-satisfied at a time”
• Notation:T : room ventilation r1 r2 r3
b button pressed? × × −
off ventilation off? × − ∗
on ventilation on? − × ∗
go start ventilation × − −
stop stop ventilation − × −
¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]
Relative Completeness
–8
–2
018
-05
-28
–S
etc
on
flax
–
31/48
Definition. [Completeness wrt. Conflict Axiom]
A decision table T is called complete wrt. conflict axiom ϕconfl if and only if thedisjunction of all rules’ premises and the conflict axiom is a tautology, i.e. if
|= ϕconfl ∨∨
r∈T
Fpre(r).
• Intuition: a relative complete decision table explicitly cares for all cases which ‘may happen’.
Relative Completeness
–8
–2
018
-05
-28
–S
etc
on
flax
–
31/48
Definition. [Completeness wrt. Conflict Axiom]
A decision table T is called complete wrt. conflict axiom ϕconfl if and only if thedisjunction of all rules’ premises and the conflict axiom is a tautology, i.e. if
|= ϕconfl ∨∨
r∈T
Fpre(r).
• Intuition: a relative complete decision table explicitly cares for all cases which ‘may happen’.
• Note: with ϕconfl = false, we obtain the previous definitions as a special case.
Fits intuition: ϕconfl = false means we don’t exclude any states from consideration.
Example
–8
–2
018
-05
-28
–S
etc
on
flax
–
32/48
T : room ventilation r1 r2 r3
b button pressed? × × −
off ventilation off? × − ∗
on ventilation on? − × ∗
go start ventilation × − −
stop stop ventilation − × −
¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]
• T is complete wrt. its conflict axiom.
• Pitfall: if on and off are outputs of two different, independent sensors,then σ |= on ∧ off is possible in reality (e.g. due to sensor failures).
Decision table T does not tell us what to do in that case!
Pitfalls in Domain Modelling (Wikipedia, 2015)
–8
–2
018
-05
-28
–S
etc
on
flax
–
33/48
“Airbus A320-200 overran runway at Warsaw Okecie Intl. Airport on 14 Sep. 1993.”
• To stop a plane after touchdown, there are spoilers and thrust-reverse systems.
• Enabling one of those while in the air, can have fatal consequences.
• Design decision: the software should block activation of spoilers or thrust-revers while in the air.
• Simplified decision table of blocking procedure:
T r1 r2 r3 else
splq spoilers requested × × −
thrq thrust-reverse requested − − ×
lgsw at least 6.3 tons weight on each landing gear strut × ∗ ×
spd wheels turning faster than 133 km/h ∗ × ∗
spl enable spoilers × × − −
thr enable thrust-reverse − − × −
Idea: if conditions lgsw and spd not satisfied, then aircraft is in the air.
14 Sep. 1993:
• wind conditions not as announced from tower, tail- and crosswinds,
• anti-crosswind manoeuvre puts too little weight on landing gear
• wheels didn’t turn fast due to hydroplaning.
"Flight 29041129" by Anynobody - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons -http://commons.wikimedia.org/wiki/File:Flight_29041129.png#/media/File:Flight_29041129.png
"Lu
fth
ansa
Flig
ht
29
04
cras
hsi
teS
ieci
nsk
i"b
yM
ariu
szS
ieci
nsk
i-h
ttp
://
ww
w.a
irlin
ers
.ne
t/p
ho
to/
Luft
han
sa/
Air
bu
s-A
32
0-2
11/
02
65
54
1/L
/.
Lic
en
sed
un
de
rG
FD
Lvi
aW
ikim
ed
iaC
om
mo
ns
-h
ttp
://
com
mo
ns.
wik
ime
dia
.org
/w
iki/
File
:Lu
fth
ansa
_F
ligh
t_2
90
4_
cras
h_
site
_S
ieci
nsk
i.jp
g
Vacuity wrt. Conflict Axiom
–8
–2
018
-05
-28
–S
etc
on
flax
–
34/48
Definition. [Vacuity wrt. Conflict Axiom]
A rule r ∈ T is called vacuous wrt. conflict axiom ϕconfl if and only ifthe premise of r implies the conflict axiom, i.e. if |= Fpre(r) → ϕconfl .
• Intuition: a vacuous rule would only be enabled in states which ‘cannot happen’.
Example:T : room ventilation r1 r2 r3 r4
b button pressed? × × − ×
off ventilation off? × − ∗ ×
on ventilation on? − × ∗ ×
go start ventilation × − − −
stop stop ventilation − × − ×
¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]
• Vacuity wrt. ϕconfl : Like uselessness, vacuity doesn’t hurt as such but
• May hint on inconsistencies on customer’s side. (Misunderstandings with conflict axiom?)
• Makes using the table less easy! (Due to more rules.)
• Implementing vacuous rules is a waste of effort!
Content
–8
–2
018
-05
-28
–S
con
ten
t07
–
35/48
• (Basic) Decision Tables
• Syntax, Semantics
• . . . for Requirements Specification
• . . . for Requirements Analysis
• Completeness,
• Useless Rules,
• Determinism
• Domain Modelling
• Conflict Axiom,
• Relative Completeness,
• Vacuous Rules,
• Conflict Relation
• Collecting Semantics
• Discussion
Logic
Conflicting Actions
–8
–2
018
-05
-28
–m
ain
–
36/48
Conflicting Actions
–8
–2
018
-05
-28
–S
etc
on
flre
l–
37/48
Definition. [Conflict Relation] A conflict relation on actionsA is a transitive and sym-metric relation ⊆ (A× A).
Definition. [Consistency] Let r be a rule of decision table T over C and A.
(i) Rule r is called consistent with conflict relation if and only if there are noconflicting actions in its effect, i.e. if
|= Feff (r) →∧
(a1,a2)∈ ¬(a1 ∧ a2).
(ii) T is called consistent with iff all rules r ∈ T are consistent with .
• Again: consistency is decidable; reduces to SAT.
Example: Conflicting Actions
–8
–2
018
-05
-28
–S
etc
on
flre
l–
38/48
T : room ventilation r1 r2 r3
b button pressed? × × −
off ventilation off? × − ∗
on ventilation on? − × ∗
go start ventilation × − −
stop stop ventilation × × −
¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]
• Let be the transitive, symmetric closure of {(stop, go)}.
“actions stop and go are not supposed to be executed at the same time”
• Then rule r1 is inconsistent with .
• A decision table with inconsistent rules may do harm in operation!
• Detecting an inconsistency only late during a project can incur significant cost!
• Inconsistencies — in particular in (multiple) decision tables, created and edited by multiple people,as well as in requirements in general — are not always as obvious as in the toy examples given here!(would be too easy...)
• And is even less obvious with the collecting semantics (→ in a minute).
Content
–8
–2
018
-05
-28
–S
con
ten
t07
–
39/48
• (Basic) Decision Tables
• Syntax, Semantics
• . . . for Requirements Specification
• . . . for Requirements Analysis
• Completeness,
• Useless Rules,
• Determinism
• Domain Modelling
• Conflict Axiom,
• Relative Completeness,
• Vacuous Rules,
• Conflict Relation
• Collecting Semantics
• Discussion
Logic
A Collecting Semantics for Decision Tables
–8
–2
018
-05
-28
–m
ain
–
40/48
Collecting Semantics
–8
–2
018
-05
-28
–S
etc
oll
–
41/48
• Let T be a decision table over C and A
and σ be a model of an observation of C and A.
ThenFcoll(T ) :=
∧
a∈A
a ↔∨
r∈T,r(a)=× Fpre(r)
is called the collecting semantics of T .
• We say, σ is allowed by T in the collecting semantics if and only if σ |= Fcoll(T ).
That is, if exactly all actions of all enabled rules are planned/executed.
Example:
T : room ventilation r1 r2 r3 r4
b button pressed? × × − ×
off ventilation off? × − ∗ ∗
on ventilation on? − × ∗ ∗
go start ventilation × − − −
stop stop ventilation − × − −
blnk blink button − − − ×
¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]
• “Whenever the button is pressed, let it blink (in addition to go/stop action.”
Consistency in the Collecting Semantics
–8
–2
018
-05
-28
–S
etc
oll
–
42/48
Definition. [Consistency in the Collecting Semantics]
Decision table T is called consistent with conflict relation in the collecting se-mantics (under conflict axiom ϕconfl ) if and only if there are no conflicting actionsin the effect of jointly enabled transitions, i.e. if
|= Fcoll (T ) ∧ ¬ϕconfl →∧
(a1,a2)∈ ¬(a1 ∧ a2).
Discussion
–8
–2
018
-05
-28
–m
ain
–
43/48
Formalisation Validation
–8
–2
018
-05
-28
–S
etd
isc
–
45/48
Two broad directions: • Option 1: teach formalism(usually not economic).
• Option 2: serve astranslator / mediator.
T : room ventilation r1 r2 else
b button pressed? × ×
off ventilation off? × −
on ventilation on? − ×
go start ventilation × − −
stop stop ventilation − × −
customer
FM expert
➀
scenario S (✔/✘)
➁
valuation σ
➂
|= / 6|=➃
✔/✘
➄6= : invalid= : may be valid
➀ domain experts tell system scenario S (maybe keep back, whether allowed / forbidden),
➁ FM expert translates system scenario to valuation σ,
➂ FM expert evaluates DT on σ,
➃ FM expert translates outcome to “allowed / forbidden by DT”,
➄ compare expected outcome and real outcome.
Formalisation Validation
–8
–2
018
-05
-28
–S
etd
isc
–
45/48
Two broad directions: • Option 1: teach formalism(usually not economic).
• Option 2: serve astranslator / mediator.
T : room ventilation r1 r2 else
b button pressed? × ×
off ventilation off? × −
on ventilation on? − ×
go start ventilation × − −
stop stop ventilation − × −
customer
FM expert
➀
scenario S (✔/✘)
➁
valuation σ
➂
|= / 6|=➃
✔/✘
➄6= : invalid= : may be valid
➀ domain experts tell system scenario S (maybe keep back, whether allowed / forbidden),
➁ FM expert translates system scenario to valuation σ ,
➂ FM expert evaluates DT on σ ,
➃ FM expert translates outcome to “allowed / forbidden by DT”,
➄ compare expected outcome and real outcome.
• Recommendation: (Course’s Manifesto?)
• use formal methods for the most important/intricate requirements
(formalising all requirements is in most cases not possible),
• use the most appropriate formalism for a given task,
• use formalisms that you know (really) well.
Tell Them What You’ve Told Them. . .
–8
–2
018
-05
-28
–S
ttw
ytt
07
–
46/48
• Decision Tables: one example for a formalrequirements specification language with
• formal syntax,
• formal semantics.
• Requirements analysts can use DTs to
• formally (objectively, precisely)
describe their understanding of requirements.Customers may need translations/explanation!
• DT properties like
• (relative) completeness, determinism,
• uselessness,
can be used to analyse requirements.
The discussed DT properties are decidable,there can be automatic analysis tools.
• Domain modelling formalises assumptionson the context of software; for DTs:
• conflict axioms, conflict relation,
Note: wrong assumptions can have serious consequences.
References
–8
–2
018
-05
-28
–m
ain
–
47/48
References
–8
–2
018
-05
-28
–m
ain
–
48/48
Balzert, H. (2009). Lehrbuch der Softwaretechnik: Basiskonzepte und Requirements Engineering. Spektrum, 3rdedition.
Bjørner, D. (2006). Software Engineering, Vol. 3: Domains, Requirements and Software Design. Springer-Verlag.
Ludewig, J. and Lichter, H. (2013). Software Engineering. dpunkt.verlag, 3. edition.
Wikipedia (2015). Lufthansa flight 2904. id 646105486, Feb., 7th, 2015.