using alloy in process modelling
DESCRIPTION
Using Alloy in Process Modelling. Chris Wallace UWE. Plan. Alloy Case Studies Alloy limitations Alloy benefits. Alloy. Developed by Daniel Jackson and his group at MIT based on Z, relational algebra, Syntropy, ... Principles declarative, hence compositional textural, readable - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/1.jpg)
Using Alloy in Process Modelling
Chris Wallace
UWE
![Page 2: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/2.jpg)
Plan
• Alloy
• Case Studies
• Alloy limitations
• Alloy benefits
![Page 3: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/3.jpg)
Alloy• Developed by Daniel Jackson and his group at MIT
• based on Z, relational algebra, Syntropy, ...
• Principles– declarative, hence compositional– textural, readable– analysable using SAT solver– 1st order predicate calculus over relations – competitor to OCL but complete ( like USE/OCL)
![Page 4: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/4.jpg)
Alloy - domain• Entity sets
– sig Level{}
• Relations– sig Module { level : Level}– defines relation <Module, Level> - a functional dependency (many-
one)
• Relations subsume– sets - relation of arity 1– scalars - set of cardinality 1
• Integers – + - = #S cardinality of S
![Page 5: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/5.jpg)
Alloy - operators
• ‘Set’ operators applied to relations– intersection +– union &– difference -– membership e in S
• Logical operators– and &&– or ||– implication =>, => else– not !
![Page 6: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/6.jpg)
Alloy - relational operators
• Join .– a.b
• a, b relations => join on rightmost field of a with leftmost field of b• a or b is scalar => de-referencing I.e. a’s bs
• Product ->– a->b
• a, b relations => a->b is the cartesian product• a, b scalars => a->b is the tuple <a,b>
• Transpose ~ r• Transitive closure ^r = r + r.r + r.r.r ..
![Page 7: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/7.jpg)
Alloy - predicate calculus
• Quantifiers– some, no, all, sole, one, two
• e.g all m:Module | one m.level
• Comprehensions– {all m : Module | no m.prereq}
![Page 8: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/8.jpg)
Alloy - relational algebra
• Relational constants– none[t] – univ[t]– iden[e]
• Relational algebra– if a is <T,S> , b is <S,R>
• T.a , a.S - Projections of a • all a | p(a) - Restrict• a.b - Natural Join, giving <T,R>
![Page 9: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/9.jpg)
Developing a model(1)
• Construct initial model– declarations - sig ..– constraints - fact { ..}– functions (parameterised formula) - fun f () {…}– assertions - assert g {.}– examples - run f for 4– counter-examples - check g– compile
![Page 10: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/10.jpg)
Developing a model (2)
• Model space is converted to a boolean expression in Conjunctive Normal Form
• CNF formula sent to SAT solver
• If instance found, it is displayed– in tree form – in graphical form using GraphViz’s dot
• Correct model, recompile and re-execute
![Page 11: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/11.jpg)
Case studies in Process Modelling
• Data modelling– The old Emp Dept example again
• Fowlers Patterns– Organisational structure
• Process Modelling– State-based - Student progression– Declarative
• Puzzles– Who owns the zebra?
![Page 12: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/12.jpg)
ER Modelling
• Straightforward expression of ER models with additional structural constraints
• Modelling process is– start small– generate instances– if instances wrong, add constraints till the instances look
right– if no instances, weaken constraints – assert properties which should be true– alter constraints if counter-examples
![Page 13: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/13.jpg)
module lecture/empdept
sig String {}sig Job {}sig Location {}sig Dept { name : String, loc : Location}
sig Emp { name : String, dept : Dept, role : Job, mgr : option Emp}
![Page 14: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/14.jpg)
Constraints// departments and employees cant share a namefact { all d: Dept | no e : Emp | e.name = d.name }
// employee names are uniquefact { all disj e1,e2 : Emp | e1.name not = e2.name }
// employees cant manage themselvesfact { no e : Emp | e.mgr = e }
// all departments have employees
fact {all d : Dept | some dept.d }
// departments ahave unique locationfact { all disj d1,d2 : Dept | d1.loc not = d2.loc }
// management hierarchy - no employee can manage themselves or their managers manager etc
fact { all e : Emp { e !in e.^mgr // ^ is the relational closure operator }}
// only one bossfact { one e: Emp | no e.mgr }
![Page 15: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/15.jpg)
State Transition Modelling
• Base model provides invariants
• Define set of transitions that change state of student
• Define guards on transitions
• Define generalised transition between states
• Constrain sequence of transitions
![Page 16: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/16.jpg)
Defining states and transitionssig Level {}sig Module { disj prereq, coreq, excluded : set Module, level : Level}sig Student { taking, passed : set Module, level : Level, mode : Mode}sig Mode {}part disj sig Initial, Active, Suspended, Graduate extends Mode {}
fact {all s :Student | no s.taking & s.passed}fun canTake (m : Module, s: Student) { m !in (s.passed + s.taking) && m !in (s.passed + s.taking).excluded && m.prereq in s.passed && m.level = s.level}fun doTake (m : Module, s, s' : Student) { s'.taking = s.taking + m&& s'.passed = s.passed && s'.level = s.level}
![Page 17: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/17.jpg)
The statechartfun doStep (s,s' : Student) { some a : Event | some m : Module |
s.mode = Initial && a in Enrol => (doEnrol(s,s') && s'.mode = Active) else s.mode= Active && a in Take && canTake(m,s) => (doTake(m,s,s') && s'.mode= Active ) else s.mode= Active && a in Pass && canSit(m,s) => (doPass(m,s,s') && s'.mode= Active) else s.mode= Active && a in Fail && canSit(m,s)=> (doFail(m,s,s') && s'.mode= Active) else s.mode= Active && canProgress(s) => (doProgress(s,s') && s'.mode= Active) else
![Page 18: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/18.jpg)
Declarative approach
sig Review {}disj part sig OKReview, FailReview extends Review {}
sig ExamModeration { request : option Request, draftPaper : option Paper, internalReview : set Review, revisedPaper : option Paper, internalSignature : option Signature, externalReview : set Review, externalSignature : option Signature}
![Page 19: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/19.jpg)
Constraintsfact { all e : ExamModeration { one e.draftPaper => one e.request some e.internalReview => one e.draftPaper sole e.internalReview & OKReview one e.internalSignature => one r: e.internalReview | r in OKReview one e.internalSignature and some e.internalReview & FailReview => one e.revisedPaper one e.revisedPaper => some e.internalReview & FailReview e.revisedPaper not = e.draftPaper sole e.externalReview & OKReview some e.externalReview => one e.internalSignature one e.externalSignature => one r: e.externalReview | r in OKReview
no e.internalSignature & e.externalSignature no e.internalReview & e.externalReview }}
![Page 20: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/20.jpg)
Who owns the Zebra?
• module cw/zebra• /* who owns the Zebra
• http://www.blakjak.demon.co.uk/zebra.htm
• */
![Page 21: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/21.jpg)
sig House{colour: Colour,nation: Nation,pet: Pet,drink: Drink,smoke: Smoke
}
sig Colour {}// each house has its own unique colour{ one colour.this }static disj sig Red, Green,Yellow, Blue, White extends Colour
{}
…fact {// there are five houses #House=5 // the englishman lives in a red house one h: House | h.nation in English and h.colour in Red// The swede has a dog one h: House | h.nation in Swedish and h.pet in Dog// the dane drinks tea one h: House | h.nation in Danish and h.drink in Tea
![Page 22: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/22.jpg)
Alloy limitations
• discrete - so no real numbers
• state space explosion – 4 Module, 4 Level sig {Module
• level : Level -- 4 * 4 =16
• level : option Level -- 4 * 4 * 2 = 32
• level : set Level -- 4 * 2^4 = 64
• not OO - single type, so single namespace, no overriding etc [but work underway to fix]
![Page 23: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/23.jpg)
Alloy benefits
• Proven worth in uncovering problems in published systems
• Makes models testable
• Works with quite sizeable models
• Great for teaching - will replace Z
• Can be used to explore tricky structures and algorithms
• Interplay between the general and the particular is great step forward
![Page 24: Using Alloy in Process Modelling](https://reader035.vdocuments.us/reader035/viewer/2022081603/56814e54550346895dbbe7eb/html5/thumbnails/24.jpg)
Future of Analytic Modelling?
• The developer centric methods (open-source, extreme programming) don’t use models - – ‘all models are lies’ - Kent Beck
• The traditional methods use models only informally – ‘Bubbles don’t crash’ - Bertrand Meyer
• Alloy can appeal to both camps– responsive enough for the developers– learnable enough for the analysts