1

Chapter 28Formal Methods

Chapter 28Formal Methods

Software Engineering: A Practitioner’s Approach, 6th editionby Roger S. Pressman

2

Problems with Conventional Specification contradictions

ambiguities vagueness incompleteness mixed levels of abstraction

3

Formal SpecificationFormal Specification Desired properties—consistency, completeness, and lack of

ambiguity—are the objectives of all specification methods The formal syntax of a specification language (Section 28.4)

enables requirements or design to be interpreted in only one way, eliminating ambiguity that often occurs when a natural language (e.g., English) or a graphical notation must be interpreted The descriptive facilities of set theory and logic notation (Section

28.2) enable clear statement of facts (requirements). Consistency is ensured by mathematically proving that initial

facts can be formally mapped (using inference rules) into later statements within the specification.

Desired properties—consistency, completeness, and lack of ambiguity—are the objectives of all specification methods

The formal syntax of a specification language (Section 28.4) enables requirements or design to be interpreted in only one way, eliminating ambiguity that often occurs when a natural language (e.g., English) or a graphical notation must be interpreted The descriptive facilities of set theory and logic notation (Section

28.2) enable clear statement of facts (requirements). Consistency is ensured by mathematically proving that initial

facts can be formally mapped (using inference rules) into later statements within the specification.

4

Formal Methods ConceptsFormal Methods Concepts data invariant—a condition that is true throughout the execution of the

system that contains a collection of data state

Many formal languages, such as OCL (Section 28.5) , use the notion of states as they were discussed in Chapters 7 and 8, that is, a system can be in one of several states, each representing an externally observable mode of behavior.

The Z language (Section 28.6)defines a state as the stored data which a system accesses and alters

operation—an action that takes place in a system and reads or writes data to a state precondition defines the circumstances in which a particular operation is

valid postcondition defines what happens when an operation has completed its

action

data invariant—a condition that is true throughout the execution of the system that contains a collection of data

state Many formal languages, such as OCL (Section 28.5) , use the notion of

states as they were discussed in Chapters 7 and 8, that is, a system can be in one of several states, each representing an externally observable mode of behavior.

The Z language (Section 28.6)defines a state as the stored data which a system accesses and alters

operation—an action that takes place in a system and reads or writes data to a state precondition defines the circumstances in which a particular operation is

valid postcondition defines what happens when an operation has completed its

action

5

An Example—Print Spooler

Limits

LP1 -> 750

LP2 -> 500

LAS1 -> 300

LAS2 -> 200

Device queues

ftax -> 650newdata -> 450

exres -> 50persons -> 700

Size

LP1

LP2

LAS1

LAS2

ftax

newdata

exres

persons

files awaiting printing

6

States and Data Invariant

The state of the spooler is represented by the four The state of the spooler is represented by the four components components Queues, OutputDevices, Limits,Queues, OutputDevices, Limits, and and Sizes.Sizes.

The data invariant has five components:The data invariant has five components:

•• Each output device is associated with an upper Each output device is associated with an upper limit of print lineslimit of print lines

•• Each output device is associated with a possibly Each output device is associated with a possibly nonempty queue of files awaiting printingnonempty queue of files awaiting printing

•• Each file is associated with a sizeEach file is associated with a size

•• Each queue associated with an output device Each queue associated with an output device contains files that have a size less than the upper contains files that have a size less than the upper limit of the output devicelimit of the output device

•• There will be no more than There will be no more than MaxDevsMaxDevs output output devices administered by the spoolerdevices administered by the spooler

7

OperationsOperations An operation which adds a new output device to the

spooler together with its associated print limit An operation which removes a file from the queue

associated with a particular output device An operation which adds a file to the queue

associated with a particular output device An operation which alters the upper limit of print lines

for a particular output device An operation which moves a file from a queue

associated with an output device to another queue associated with a second output device

An operation which adds a new output device to the spooler together with its associated print limit

An operation which removes a file from the queue associated with a particular output device

An operation which adds a file to the queue associated with a particular output device

An operation which alters the upper limit of print lines for a particular output device

An operation which moves a file from a queue associated with an output device to another queue associated with a second output device

8

Pre- & Postconditions

For the first operation (adds a new output device to For the first operation (adds a new output device to the spooler together with its associated print limit):the spooler together with its associated print limit):

Precondition:Precondition: the output device name does not the output device name does not already exist and that there are currently less than already exist and that there are currently less than MaxDevsMaxDevs output devices known to the spooler output devices known to the spooler

Postcondition:Postcondition: the name of the new device is added to the name of the new device is added to the collection of existing device names, a new entry is the collection of existing device names, a new entry is formed for the device with no files being associated formed for the device with no files being associated with its queue, and the device is associated with its with its queue, and the device is associated with its print limit. print limit.

9

Mathematical ConceptsMathematical Concepts

sets and constructive set specification set operators logic operators

e.g., i, j: • i > j i2 => j2 which states that, for every pair of values in the

set of natural numbers, if i is greater than j, then i2 is greater than j2.

sequences

sets and constructive set specification set operators logic operators

e.g., i, j: • i > j i2 => j2 which states that, for every pair of values in the

set of natural numbers, if i is greater than j, then i2 is greater than j2.

sequences

10

Sets and Constructive SpecificationSets and Constructive Specification A set is a collection of objects or elements and is used as a

cornerstone of formal methods. Enumeration

{C++, Pascal, Ada, COBOL, Java} #{C++, Pascal, Ada, COBOL, Java} implies

cardinality = 5 Constructive set specification is preferable to

enumeration because it enables a succinct definition of large sets. {x, y : N | x + y = 10 (x, y2)}

A set is a collection of objects or elements and is used as a cornerstone of formal methods. Enumeration

{C++, Pascal, Ada, COBOL, Java} #{C++, Pascal, Ada, COBOL, Java} implies

cardinality = 5 Constructive set specification is preferable to

enumeration because it enables a succinct definition of large sets. {x, y : N | x + y = 10 (x, y2)}

11

Set OperatorsSet Operators A specialized set of symbology is used to represent set and logic operations.

Examples The P operator is used to indicate membership of a set. For example,

the expression x P X

The operators , , and # take sets as their operands. The predicate A , B

has the value true if the members of the set A are contained in the set B and has the value false otherwise.

The union operator, <, takes two sets and forms a set that contains all the elements in the set with duplicates eliminated.

{File1, File2, Tax, Compiler} < {NewTax, D2, D3, File2} is the set {Filel, File2, Tax, Compiler, NewTax, D2, D3}

A specialized set of symbology is used to represent set and logic operations. Examples

The P operator is used to indicate membership of a set. For example, the expression

x P X The operators , , and # take sets as their operands. The predicate

A , B has the value true if the members of the set A are contained in the set

B and has the value false otherwise. The union operator, <, takes two sets and forms a set that contains all the

elements in the set with duplicates eliminated. {File1, File2, Tax, Compiler} < {NewTax, D2, D3, File2} is the set {Filel, File2, Tax, Compiler, NewTax, D2, D3}

12

Logic OperatorsLogic Operators Another important component of a formal method is logic: the algebra

of true and false expressions. Examples:

V or ¬ not => implies

Universal quantification is a way of making a statement about the elements of a set that is true for every member of the set. Universal quantification uses the symbol, . An example of its use is

i, j : N i > j => i2 > j2

which states that for every pair of values in the set of natural numbers, if i is greater than j, then i2 is greater than j2.

Another important component of a formal method is logic: the algebra of true and false expressions. Examples:

V or ¬ not => implies

Universal quantification is a way of making a statement about the elements of a set that is true for every member of the set. Universal quantification uses the symbol, . An example of its use is

i, j : N i > j => i2 > j2

which states that for every pair of values in the set of natural numbers, if i is greater than j, then i2 is greater than j2.

13

SequencesSequences Sequences are designated using angle brackets. For example, the

preceding sequence would normally be written as k Jones, Wilson, Shapiro, Estavezl

Catenation, X, is a binary operator that forms a sequence constructed by adding its second operand to the end of its first operand. For example,

k 2, 3, 34, 1l X k12, 33, 34, 200 l = k 2, 3, 34, 1, 12, 33, 34, 200 l Other operators that can be applied to sequences are head, tail, front,

and last. head k 2, 3, 34, 1, 99, 101 l = 2 tail k 2, 3, 34, 1, 99, 101 l = 73, 34, 1,99, 1018 last k 2, 3, 34, 1, 99, 101 l = 101 front k 2, 3, 34, 1, 99, 101 l = 72, 3, 34, 1, 998

Sequences are designated using angle brackets. For example, the preceding sequence would normally be written as k Jones, Wilson, Shapiro, Estavezl

Catenation, X, is a binary operator that forms a sequence constructed by adding its second operand to the end of its first operand. For example,

k 2, 3, 34, 1l X k12, 33, 34, 200 l = k 2, 3, 34, 1, 12, 33, 34, 200 l Other operators that can be applied to sequences are head, tail, front,

and last. head k 2, 3, 34, 1, 99, 101 l = 2 tail k 2, 3, 34, 1, 99, 101 l = 73, 34, 1,99, 1018 last k 2, 3, 34, 1, 99, 101 l = 101 front k 2, 3, 34, 1, 99, 101 l = 72, 3, 34, 1, 998

14

Formal SpecificationFormal Specification The block handler

The block handler maintains a reservoir of unused blocks and will also keep track of blocks that are currently in use. When blocks are released from a deleted file they are normally added to a queue of blocks waiting to be added to the reservoir of unused blocks.

The stateused, free: P BLOCKSBlockQueue: seq P BLOCKS

Data Invariantused > free = \ used < free = AllBlocks i: dom BlockQueue BlockQueue i # used i, j : dom BlockQueue i ≠ j => BlockQueue i > BlockQueue j = \

Precondition #BlockQueue > 0

Postconditionused' = used \ head BlockQueue free’ = free < head BlockQueue BlockQueue' = tail BlockQueue

The block handler The block handler maintains a reservoir of unused blocks and will also keep track of blocks

that are currently in use. When blocks are released from a deleted file they are normally added to a queue of blocks waiting to be added to the reservoir of unused blocks.

The stateused, free: P BLOCKSBlockQueue: seq P BLOCKS

Data Invariantused > free = \ used < free = AllBlocks i: dom BlockQueue BlockQueue i # used i, j : dom BlockQueue i ≠ j => BlockQueue i > BlockQueue j = \

Precondition #BlockQueue > 0

Postconditionused' = used \ head BlockQueue free’ = free < head BlockQueue BlockQueue' = tail BlockQueue

15

Formal Specification LanguagesFormal Specification Languages A formal specification language is usually composed of three

primary components: a syntax that defines the specific notation with which the

specification is represented semantics to help define a "universe of objects" [WIN90] that will

be used to describe the system a set of relations that define the rules that indicate which objects

properly satisfy the specification The syntactic domain of a formal specification language is often

based on a syntax that is derived from standard set theory notation and predicate calculus.

The semantic domain of a specification language indicates how the language represents system requirements.

A formal specification language is usually composed of three primary components: a syntax that defines the specific notation with which the

specification is represented semantics to help define a "universe of objects" [WIN90] that will

be used to describe the system a set of relations that define the rules that indicate which objects

properly satisfy the specification The syntactic domain of a formal specification language is often

based on a syntax that is derived from standard set theory notation and predicate calculus.

The semantic domain of a specification language indicates how the language represents system requirements.

16

Object Constraint Language (OCL)Object Constraint Language (OCL) a formal notation developed so that users of UML

can add more precision to their specifications All of the power of logic and discrete mathematics

is available in the language However the designers of OCL decided that only

ASCII characters (rather than conventional mathematical notation) should be used in OCL statements.

a formal notation developed so that users of UML can add more precision to their specifications

All of the power of logic and discrete mathematics is available in the language

However the designers of OCL decided that only ASCII characters (rather than conventional mathematical notation) should be used in OCL statements.

17

OCL OverviewOCL Overview

Like an object-oriented programming language, an OCL expression involves operators operating on objects.

However, the result of a complete expression must always be a Boolean, i.e. true or false.

The objects can be instances of the OCL Collection class, of which Set and Sequence are two subclasses.

See Table 28.1 for summary of OCL notation

Like an object-oriented programming language, an OCL expression involves operators operating on objects.

However, the result of a complete expression must always be a Boolean, i.e. true or false.

The objects can be instances of the OCL Collection class, of which Set and Sequence are two subclasses.

See Table 28.1 for summary of OCL notation

18

BlockHandler using UMLBlockHandler using UML

Block

number

addBlock()

BlockHandler

BlockSet

1

*

1*

removeBlock()

allBlocks

free used

blockQueue

{ordered}

{subset}

{subset}

**

*

1 1 1

elements

19

BlockHandler in OCLBlockHandler in OCL No block will be marked as both unused and used.

context BlockHandler inv: (self.used->intersection(self.free)) ->isEmpty()

All the sets of blocks held in the queue will be subsets of the collection of currently used blocks. context BlockHandler inv: blockQueue->forAll(aBlockSet | used->includesAll(aBlockSet ))

No elements of the queue will contain the same block numbers. context BlockHandler inv: blockQueue->forAll(blockSet1, blockSet2 | blockSet1 <> blockSet2 implies blockSet1.elements.number->excludesAll(blockSet2.elements.number)) The expression before implies is needed to ensure we ignore pairs where both elements are the same Block.

The collection of used blocks and blocks that are unused will be the total collection of blocks that make up files. context BlockHandler inv: allBlocks = used->union(free)

The collection of unused blocks will have no duplicate block numbers. context BlockHandler inv: free->isUnique(aBlock | aBlock.number)

The collection of used blocks will have no duplicate block numbers. context BlockHandler inv: used->isUnique(aBlock | aBlock.number)

No block will be marked as both unused and used. context BlockHandler inv: (self.used->intersection(self.free)) ->isEmpty()

All the sets of blocks held in the queue will be subsets of the collection of currently used blocks. context BlockHandler inv: blockQueue->forAll(aBlockSet | used->includesAll(aBlockSet ))

No elements of the queue will contain the same block numbers. context BlockHandler inv: blockQueue->forAll(blockSet1, blockSet2 | blockSet1 <> blockSet2 implies blockSet1.elements.number->excludesAll(blockSet2.elements.number)) The expression before implies is needed to ensure we ignore pairs where both elements are the same Block.

The collection of used blocks and blocks that are unused will be the total collection of blocks that make up files. context BlockHandler inv: allBlocks = used->union(free)

The collection of unused blocks will have no duplicate block numbers. context BlockHandler inv: free->isUnique(aBlock | aBlock.number)

The collection of used blocks will have no duplicate block numbers. context BlockHandler inv: used->isUnique(aBlock | aBlock.number)

20

The Z Language

organized into schemas defines variables establishes relationships between variables the analog for a “module” in conventional languages

notation described in Table 28.2

21

BlockHandler in ZBlockHandler in Z

——————BlockHandler——————————————BlockHandler——————————————used, freeused, free : : PP BLOCKSBLOCKSBlockQueueBlockQueue : seq : seq PP BLOCKSBLOCKS——————————————————————————————————————————————usedused >> freefree = = \\ usedused << freefree = = AllBlocksAllBlocks ii: dom : dom BlockQueueBlockQueue BlockQueueBlockQueue ii ## usedused i, ji, j : dom : dom BlockQueueBlockQueue ii ≠≠ jj => => BlockQueue iBlockQueue i >> BlockQueue jBlockQueue j = = \\ ————————————————————————

The following example of a schema describes the state of The following example of a schema describes the state of the block handler and the data invariant:the block handler and the data invariant:

See Section 28.6.2 for further expansion of the specification

22

Chapter 29Cleanroom Software

Engineering

Chapter 29Cleanroom Software

EngineeringSoftware Engineering: A Practitioner’s Approach, 6th editionby Roger S. Pressman

23

The Cleanroom Process Model

RequirementsGathering

Box StructureSpecification

FormalDesign

CorrectnessVerification

CodeInspection

StatisticalUse

Testing

Cerfification

Test Planning

SystemEngineering

RequirementsGathering

Box StructureSpecification

FormalDesign

CorrectnessVerification

CodeInspection

StatisticalUse

Testing

Cerfification

Test Planning

RequirementsGathering

Box StructureSpecification

FormalDesign

CorrectnessVerification

CodeInspection

StatisticalUse

Testing

Cerfification

Test Planning

increment #1

increment #2

increment #n

24

The Cleanroom Strategy-IIncrement Planning—adopts the incremental strategy

Requirements Gathering—defines a description of customer level requirements (for each increment)

Box Structure Specification—describes the functional specification

Formal Design—specifications (called “black boxes”) are iteratively refined (with an increment) to become analogous to architectural and procedural designs (called “state boxes” and “clear boxes,” respectively).

Correctness Verification—verification begins with the highest level box structure (specification) and moves toward design detail and code using a set of “correctness questions.” If these do not demonstrate that the specification is correct, more formal (mathematical) methods for verification are used.

Code Generation, Inspection and Verification—the box structure specifications, represented in a specialized language, are transmitted into the appropriate programming language.

25

The Cleanroom Strategy-II

Statistical Test Planning—a suite of test cases that exercise of “probability distribution” of usage are planned and designed

Statistical Usage Testing—execute a series of tests derived from a statistical sample (the probability distribution noted above) of all possible program executions by all users from a targeted population

Certification—once verification, inspection and usage testing have been completed (and all errors are corrected) the increment is certified as ready for integration.

26

Box Structure Specification

BB1

BB1.1

BB1.2

BB1.n

BB1.1.1

BB1.1.2

BB1.1.3

SB1.1.1

CB1.1.1.1

CB1.1.1.2

CB1.1.1.3

black box

state box

clear box

27

Box Structures

f:S* RS R

black boxstate box

clear box

S Rblack box, g

StateT

S R

StateT

g11

g12

g13

cg1

28

Design Refinement & Verification

If a function f is expanded into a sequence g and h, the If a function f is expanded into a sequence g and h, the correctness condition for all input to f is:correctness condition for all input to f is:

• • Does g followed by h do f?Does g followed by h do f?

When a function f is refined into a conditional (if-then-else), the When a function f is refined into a conditional (if-then-else), the correctness condition for all input to f is:correctness condition for all input to f is:

• • Whenever condition <c> is true does g do f and whenever Whenever condition <c> is true does g do f and whenever <c> is false, does h do f?<c> is false, does h do f?

When function f is refined as a loop, the correctness conditions When function f is refined as a loop, the correctness conditions for all input to f is:for all input to f is:

•• Is termination guaranteed?Is termination guaranteed?

• • Whenever <c> is true does g followed by f do f, and Whenever <c> is true does g followed by f do f, and whenever <c> is false, does skipping the loop still do f?whenever <c> is false, does skipping the loop still do f?

29

Advantages of Design VerificationAdvantages of Design Verification It reduces verification to a finite process. It lets cleanroom teams verify every line

of design and code. It results in a near zero defect level. It scales up. It produces better code than unit testing.

It reduces verification to a finite process. It lets cleanroom teams verify every line

of design and code. It results in a near zero defect level. It scales up. It produces better code than unit testing.

30

Cleanroom TestingCleanroom Testing statistical use testing

tests the actual usage of the program determine a “usage probability distribution”

analyze the specification to identify a set of stimuli stimuli cause software to change behavior create usage scenarios assign probability of use to each stimuli test cases are generated for each stimuli according

to the usage probability distribution

statistical use testing tests the actual usage of the program

determine a “usage probability distribution” analyze the specification to identify a set of stimuli stimuli cause software to change behavior create usage scenarios assign probability of use to each stimuli test cases are generated for each stimuli according

to the usage probability distribution

31

Certification

1.1. Usage scenarios must be created.Usage scenarios must be created.

2.2. A usage profile is specified.A usage profile is specified.

3.3. Test cases are generated from the Test cases are generated from the profile.profile.

4.4. Tests are executed and failure data Tests are executed and failure data are are recorded and analyzed.recorded and analyzed.

5.5. Reliability is computed and certified.Reliability is computed and certified.

32

Certification Models

Sampling model.Sampling model. Software testing executes Software testing executes mm random test cases and is certified if no failures or a random test cases and is certified if no failures or a specified numbers of failures occur. The value of specified numbers of failures occur. The value of mm is is derived mathematically to ensure that required derived mathematically to ensure that required reliability is achieved.reliability is achieved.

Component model.Component model. A system composed of A system composed of nn components is to be certified. The component model components is to be certified. The component model enables the analyst to determine the probability that enables the analyst to determine the probability that component component ii will fail prior to completion. will fail prior to completion.

Certification model.Certification model. The overall reliability of the The overall reliability of the system is projected and certified. system is projected and certified.

33

Chapter 30Component-Based

Software Engineering

Chapter 30Component-Based

Software EngineeringSoftware Engineering: A Practitioner’s Approach, 6th editionby Roger S. Pressman

34

The Key QuestionsThe Key Questions When faced with the possibility of reuse, the software team

asks: Are commercial off-the-shelf (COTS) components available

to implement the requirement? Are internally-developed reusable components available to

implement the requirement? Are the interfaces for available components compatible

within the architecture of the system to be built? At the same time, they are faced with the following impediments

to reuse ...

When faced with the possibility of reuse, the software team asks: Are commercial off-the-shelf (COTS) components available

to implement the requirement? Are internally-developed reusable components available to

implement the requirement? Are the interfaces for available components compatible

within the architecture of the system to be built? At the same time, they are faced with the following impediments

to reuse ...

35

Impediments to Reuse Few companies and organizations have anything that even slightly

resembles a comprehensive software reusability plan. Although an increasing number of software vendors currently sell

tools or components that provide direct assistance for software reuse, the majority of software developers do not use them.

Relatively little training is available to help software engineers and managers understand and apply reuse.

Many software practitioners continue to believe that reuse is “more trouble than it’s worth.”

Many companies continue to encourage of software development methodologies which do not facilitate reuse

Few companies provide an incentives to produce reusable program components.

36

The CBSE Process

DomainAnalysis

SoftwareArchitectureDevelopment

ReusableArtifact

Development

Domain Engineering

Domainmodel

StructuralModel

RepositoryReusableArtifacts/

Components

Software Engineering

UserRequirements

SystemAnalysis

Specification&

DesignConstruction

SystemSpec

Analysis& DesignModels

ApplicationSoftware

37

Domain EngineeringDomain Engineering

1. 1. Define the domain to be investigated.Define the domain to be investigated.2. Categorize the items extracted from the 2. Categorize the items extracted from the domain.domain.3. Collect a representative sample of 3. Collect a representative sample of applications in the domain.applications in the domain.4. Analyze each application in the sample.4. Analyze each application in the sample.5. Develop an analysis model for the objects5. Develop an analysis model for the objects..

38

Identifying Reusable ComponentsIdentifying Reusable Components

• • Is component functionality required on future Is component functionality required on future implementations?implementations?• • How common is the component's function within the domain?How common is the component's function within the domain?• • Is there duplication of the component's function within the Is there duplication of the component's function within the domain?domain?• • Is the component hardware-dependent?Is the component hardware-dependent?• • Does the hardware remain unchanged between Does the hardware remain unchanged between implementations?implementations?• • Can the hardware specifics be removed to another Can the hardware specifics be removed to another component?component?• • Is the design optimized enough for the next implementation?Is the design optimized enough for the next implementation?• • Can we parameterize a non-reusable component so that it Can we parameterize a non-reusable component so that it becomes reusable?becomes reusable?• • Is the component reusable in many implementations with only Is the component reusable in many implementations with only minor changes?minor changes?• • Is reuse through modification feasible?Is reuse through modification feasible?• • Can a non-reusable component be decomposed to yield Can a non-reusable component be decomposed to yield reusable components?reusable components?• • How valid is component decomposition for reuse?How valid is component decomposition for reuse?

39

Structural ModelingStructural Modeling every application has structural patterns that have the potential

for reuse a “structure point” is a construct with the structure

A structure point is an abstraction that should have a limited number of instances. Restating this in object-oriented jargon , the size of the class hierarchy should be small.

The rules that govern the use of the structure point should be easily understood. In addition, the interface to the structure point should be relatively simple.

The structure point should implement information hiding by hiding all complexity contained within the structure point itself. This reduces the perceived complexity of the overall system.

every application has structural patterns that have the potential for reuse

a “structure point” is a construct with the structure A structure point is an abstraction that should have a limited

number of instances. Restating this in object-oriented jargon , the size of the class hierarchy should be small.

The rules that govern the use of the structure point should be easily understood. In addition, the interface to the structure point should be relatively simple.

The structure point should implement information hiding by hiding all complexity contained within the structure point itself. This reduces the perceived complexity of the overall system.

40

Structural PatternsStructural Patterns An interface that enables the user to interact with the

system. A bounds-setting mechanism that allows the user to

establish bounds on the parameters to be measured. A sensor management mechanism that communicates

with all monitoring sensors. A response mechanism that reacts to the input provided

by the sensor management system. A control mechanism that enables the user to control the

manner in which monitoring is carried out.

An interface that enables the user to interact with the system.

A bounds-setting mechanism that allows the user to establish bounds on the parameters to be measured.

A sensor management mechanism that communicates with all monitoring sensors.

A response mechanism that reacts to the input provided by the sensor management system.

A control mechanism that enables the user to control the manner in which monitoring is carried out.

41

Component-Based DevelopmentComponent-Based Development a library of components must be available components should have a consistent

structure a standard should exist, e.g.,

OMG/CORBA Microsoft COM Sun JavaBeans

a library of components must be available components should have a consistent

structure a standard should exist, e.g.,

OMG/CORBA Microsoft COM Sun JavaBeans

42

CBSE ActivitiesCBSE Activities

Component qualification Component adaptation Component composition Component update

Component qualification Component adaptation Component composition Component update

43

QualificationQualification

Before a component can be used, you must consider:Before a component can be used, you must consider:

• • application programming interface (API)application programming interface (API)• • development and integration tools required by the development and integration tools required by the componentcomponent• • run-time requirements including resource usage (e.g., run-time requirements including resource usage (e.g., memory or storage), timing or speed, and network protocolmemory or storage), timing or speed, and network protocol• • service requirements including operating system service requirements including operating system interfaces and support from other componentsinterfaces and support from other components• • security features including access controls and security features including access controls and authentication protocolauthentication protocol• • embedded design assumptions including the use of embedded design assumptions including the use of specific numerical or non-numerical algorithmsspecific numerical or non-numerical algorithms• • exception handlingexception handling

44

AdaptationAdaptation

The implication of “easy integration” is: The implication of “easy integration” is:

(1) that consistent methods of resource (1) that consistent methods of resource management have been implemented for management have been implemented for all components in the library; all components in the library;

(2) that common activities such as data (2) that common activities such as data management exist for all components, and management exist for all components, and

(3) that interfaces within the architecture (3) that interfaces within the architecture and with the external environment have and with the external environment have been implemented in a consistent manner. been implemented in a consistent manner.

45

CompositionComposition

An infrastructure must be established to bind components together

Architectural ingredients for composition include: Data exchange model Automation Structured storage Underlying object model

An infrastructure must be established to bind components together

Architectural ingredients for composition include: Data exchange model Automation Structured storage Underlying object model

46

OMG/ CORBAOMG/ CORBA The Object Management Group has published a common object request

broker architecture (OMG/CORBA). An object request broker (ORB) provides services that enable reusable

components (objects) to communicate with other components, regardless of their location within a system.

Integration of CORBA components (without modification) within a system is assured if an interface definition language (IDL) interface is created for every component.

Objects within the client application request one or more services from the ORB server. Requests are made via an IDL or dynamically at run time.

An interface repository contains all necessary information about the service’s request and response formats.

The Object Management Group has published a common object request broker architecture (OMG/CORBA).

An object request broker (ORB) provides services that enable reusable components (objects) to communicate with other components, regardless of their location within a system.

Integration of CORBA components (without modification) within a system is assured if an interface definition language (IDL) interface is created for every component.

Objects within the client application request one or more services from the ORB server. Requests are made via an IDL or dynamically at run time.

An interface repository contains all necessary information about the service’s request and response formats.

47

ORB ArchitectureORB Architecture

InterfaceRepository

ORBinterface

LAN

Client

ServerObjects

ORB Core

ClientIDL

Stubs

DynamicInvocation

InterfaceRepository

ORBinterface

ServerIDL

Stubs

ObjectAdapter

48

Microsoft COMMicrosoft COM The component object model (COM) provides a

specification for using components produced by various vendors within a single application running under the Windows operating system.

COM encompasses two elements: COM interfaces (implemented as COM objects) a set of mechanisms for registering and passing

messages between COM interfaces.

The component object model (COM) provides a specification for using components produced by various vendors within a single application running under the Windows operating system.

COM encompasses two elements: COM interfaces (implemented as COM objects) a set of mechanisms for registering and passing

messages between COM interfaces.

49

Sun JavaBeansSun JavaBeans The JavaBeans component system is a portable, platform independent

CBSE infrastructure developed using the Java programming language. The JavaBeans component system encompasses a set of tools, called

the Bean Development Kit (BDK), that allows developers to analyze how existing Beans (components) work customize their behavior and appearance establish mechanisms for coordination and communication develop custom Beans for use in a specific application test and evaluate Bean behavior.

The JavaBeans component system is a portable, platform independent CBSE infrastructure developed using the Java programming language.

The JavaBeans component system encompasses a set of tools, called the Bean Development Kit (BDK), that allows developers to analyze how existing Beans (components) work customize their behavior and appearance establish mechanisms for coordination and communication develop custom Beans for use in a specific application test and evaluate Bean behavior.

50

ClassificationClassification Enumerated classification—components are

described by defining a hierarchical structure in which classes and varying levels of subclasses of software components are defined

Faceted classification—a domain area is analyzed and a set of basic descriptive features are identified

Attribute-value classification—a set of attributes are defined for all components in a domain area

Enumerated classification—components are described by defining a hierarchical structure in which classes and varying levels of subclasses of software components are defined

Faceted classification—a domain area is analyzed and a set of basic descriptive features are identified

Attribute-value classification—a set of attributes are defined for all components in a domain area

51

IndexingIndexing

52

The Reuse EnvironmentThe Reuse Environment A component database capable of storing software

components and the classification information necessary to retrieve them.

A library management system that provides access to the database.

A software component retrieval system (e.g., an object request broker) that enables a client application to retrieve components and services from the library server.

CBSE tools that support the integration of reused components into a new design or implementation.

A component database capable of storing software components and the classification information necessary to retrieve them.

A library management system that provides access to the database.

A software component retrieval system (e.g., an object request broker) that enables a client application to retrieve components and services from the library server.

CBSE tools that support the integration of reused components into a new design or implementation.

53

Reuse EconomicsReuse Economics Consider a new application, X, that requires 60 percent new code and the reuse of

three structure points, SP1, SP2, and SP3. Average costs for qualification, adaptation, integration, and maintenance are available. overall effort = Enew + Equal + Eadapt + Eint

where Enew = effort required to engineer and construct new software components

(determined using techniques described in Chapter 23). Equal = effort required to qualify SP1, SP2, and SP3. Eadapt = effort required to adapt SP1, SP2, and SP3. Eint = effort required to integrate SP1, SP2, and SP3.

The effort required to qualify, adapt, and integrate SP1, SP2, and SP3 is determined by taking the average of historical data collected for qualification, adaptation, and integration of the reusable components in other applications.

Consider a new application, X, that requires 60 percent new code and the reuse of three structure points, SP1, SP2, and SP3. Average costs for qualification, adaptation, integration, and maintenance are available. overall effort = Enew + Equal + Eadapt + Eint

where Enew = effort required to engineer and construct new software components

(determined using techniques described in Chapter 23). Equal = effort required to qualify SP1, SP2, and SP3. Eadapt = effort required to adapt SP1, SP2, and SP3. Eint = effort required to integrate SP1, SP2, and SP3.

The effort required to qualify, adapt, and integrate SP1, SP2, and SP3 is determined by taking the average of historical data collected for qualification, adaptation, and integration of the reusable components in other applications.

54

Reuse MetricsReuse Metrics

The benefit associated with reuse within a system S can be expressed as a ratio Rb(S) = [Cnoreuse – Creuse]/Cnoreuse where

Cnoreuse is the cost of developing S with no reuse. Creuse is the cost of developing S with reuse.

Devanbu and his colleagues [DEV95] suggest that Rb will be affected by the design of the system since Rb is affected by the design, it is important to make Rb a part of an assessment of design

alternatives the benefits associated with reuse are closely aligned to the cost benefit of each individual

reusable component. A general measure of reuse in object-oriented systems, termed reuse leverage [BAS94], is defined as Rlev = OBJreused/OBJbuilt where

OBJreused is the number of objects reused in a system. OBJbuilt is the number of objects built for a system.

The benefit associated with reuse within a system S can be expressed as a ratio Rb(S) = [Cnoreuse – Creuse]/Cnoreuse where

Cnoreuse is the cost of developing S with no reuse. Creuse is the cost of developing S with reuse.

Devanbu and his colleagues [DEV95] suggest that Rb will be affected by the design of the system since Rb is affected by the design, it is important to make Rb a part of an assessment of design

alternatives the benefits associated with reuse are closely aligned to the cost benefit of each individual

reusable component. A general measure of reuse in object-oriented systems, termed reuse leverage [BAS94], is defined as Rlev = OBJreused/OBJbuilt where

OBJreused is the number of objects reused in a system. OBJbuilt is the number of objects built for a system.

55

Chapter 31Reengineering

Chapter 31Reengineering

Software Engineering: A Practitioner’s Approach, 6th editionby Roger S. Pressman

56

ReengineeringReengineering

Business Business processesprocesses

ITITsystemssystems

SoftwareSoftwareapplicationsapplicationsReengineeringReengineering

57

Business Process ReengineeringBusiness Process Reengineering

Business definition. Business goals are identified within the context of four key drivers: cost reduction, time reduction, quality improvement, and personnel development and empowerment.

Process identification. Processes that are critical to achieving the goals defined in the business definition are identified.

Process evaluation. The existing process is thoroughly analyzed and measured. Process specification and design. Based on information obtained during the first

three BPR activities, use-cases (Chapter 7) are prepared for each process that is to be redesigned.

Prototyping. A redesigned business process must be prototyped before it is fully integrated into the business.

Refinement and instantiation. Based on feedback from the prototype, the business process is refined and then instantiated within a business system.

Business definition. Business goals are identified within the context of four key drivers: cost reduction, time reduction, quality improvement, and personnel development and empowerment.

Process identification. Processes that are critical to achieving the goals defined in the business definition are identified.

Process evaluation. The existing process is thoroughly analyzed and measured. Process specification and design. Based on information obtained during the first

three BPR activities, use-cases (Chapter 7) are prepared for each process that is to be redesigned.

Prototyping. A redesigned business process must be prototyped before it is fully integrated into the business.

Refinement and instantiation. Based on feedback from the prototype, the business process is refined and then instantiated within a business system.

58

Business Process Reengineering

Businessdefinition

Processidentification

ProcessEvaluation

ProcessSpecificationand Design

Prototyping

Refinement&

Instantiation

59

BPR Principles Organize around outcomes, not tasks.

Have those who use the output of the process perform the process.

Incorporate information processing work into the real work that produces the raw information.

Treat geographically dispersed resources as though they were centralized.

Link parallel activities instead of integrated their results. When different

Put the decision point where the work is performed, and build control into the process.

Capture data once, at its source.

60

Software Reengineering

Forwardengineering

Datarestructuring

coderestructuring

reverseengineering

documentrestructuring

inventoryanalysis

61

Inventory AnalysisInventory Analysis build a table that contains all applications establish a list of criteria, e.g.,

name of the application year it was originally created number of substantive changes made to it total effort applied to make these changes date of last substantive change effort applied to make the last change system(s) in which it resides applications to which it interfaces, ...

analyze and prioritize to select candidates for reengineering

build a table that contains all applications establish a list of criteria, e.g.,

name of the application year it was originally created number of substantive changes made to it total effort applied to make these changes date of last substantive change effort applied to make the last change system(s) in which it resides applications to which it interfaces, ...

analyze and prioritize to select candidates for reengineering

62

Document RestructuringDocument Restructuring Weak documentation is the trademark of many legacy systems. But what do we do about it? What are our options? Options …

Creating documentation is far too time consuming. If the system works, we’ll live with what we have. In some cases, this is the correct approach.

Documentation must be updated, but we have limited resources. We’ll use a “document when touched” approach. It may not be necessary to fully redocument an application.

The system is business critical and must be fully redocumented. Even in this case, an intelligent approach is to pare documentation to an essential minimum.

Weak documentation is the trademark of many legacy systems. But what do we do about it? What are our options? Options …

Creating documentation is far too time consuming. If the system works, we’ll live with what we have. In some cases, this is the correct approach.

Documentation must be updated, but we have limited resources. We’ll use a “document when touched” approach. It may not be necessary to fully redocument an application.

The system is business critical and must be fully redocumented. Even in this case, an intelligent approach is to pare documentation to an essential minimum.

63

Reverse Engineering

dirty source code

restructurecode

extractabstractions

refine&

simplify

clean source code

initial specification

final specification

processing

interface

database

64

Code RestructuringCode Restructuring Source code is analyzed using a restructuring tool. Poorly design code segments are redesigned Violations of structured programming constructs are

noted and code is then restructured (this can be done automatically)

The resultant restructured code is reviewed and tested to ensure that no anomalies have been introduced

Internal code documentation is updated.

Source code is analyzed using a restructuring tool. Poorly design code segments are redesigned Violations of structured programming constructs are

noted and code is then restructured (this can be done automatically)

The resultant restructured code is reviewed and tested to ensure that no anomalies have been introduced

Internal code documentation is updated.

65

Data RestructuringData Restructuring Unlike code restructuring, which occurs at a relatively low level of abstraction,

data structuring is a full-scale reengineering activity In most cases, data restructuring begins with a reverse engineering activity.

Current data architecture is dissected and necessary data models are defined (Chapter 9).

Data objects and attributes are identified, and existing data structures are reviewed for quality.

When data structure is weak (e.g., flat files are currently implemented, when a relational approach would greatly simplify processing), the data are reengineered.

Because data architecture has a strong influence on program architecture and the algorithms that populate it, changes to the data will invariably result in either architectural or code-level changes.

Unlike code restructuring, which occurs at a relatively low level of abstraction, data structuring is a full-scale reengineering activity

In most cases, data restructuring begins with a reverse engineering activity. Current data architecture is dissected and necessary data models are

defined (Chapter 9). Data objects and attributes are identified, and existing data structures are

reviewed for quality. When data structure is weak (e.g., flat files are currently implemented, when

a relational approach would greatly simplify processing), the data are reengineered.

Because data architecture has a strong influence on program architecture and the algorithms that populate it, changes to the data will invariably result in either architectural or code-level changes.

66

Forward Engineering

1. 1. The cost to maintain one line of source code may be 20 The cost to maintain one line of source code may be 20 to 40 times the cost of initial development of that line. to 40 times the cost of initial development of that line.

2. 2. Redesign of the software architecture (program Redesign of the software architecture (program and/or data structure), using modern design concepts, can and/or data structure), using modern design concepts, can greatly facilitate future maintenance.greatly facilitate future maintenance.

3. 3. Because a prototype of the software already exists, Because a prototype of the software already exists, development productivity should be much higher than development productivity should be much higher than average. average.

4. 4. The user now has experience with the software. The user now has experience with the software. Therefore, new requirements and the direction of change Therefore, new requirements and the direction of change can be ascertained with greater ease.can be ascertained with greater ease.

5.5. CASE tools for reengineering will automate some parts CASE tools for reengineering will automate some parts of the job. of the job.

6. 6. A complete software configuration (documents, A complete software configuration (documents, programs and data) will exist upon completion of programs and data) will exist upon completion of preventive maintenance.preventive maintenance.

67

Economics of Reengineering-IEconomics of Reengineering-I A cost/benefit analysis model for reengineering has been proposed by Sneed

[SNE95]. Nine parameters are defined: P1 = current annual maintenance cost for an application. P2 = current annual operation cost for an application. P3 = current annual business value of an application. P4 = predicted annual maintenance cost after reengineering. P5 = predicted annual operations cost after reengineering. P6 = predicted annual business value after reengineering. P7 = estimated reengineering costs. P8 = estimated reengineering calendar time. P9 = reengineering risk factor (P9 = 1.0 is nominal). L = expected life of the system.

A cost/benefit analysis model for reengineering has been proposed by Sneed [SNE95]. Nine parameters are defined:

P1 = current annual maintenance cost for an application. P2 = current annual operation cost for an application. P3 = current annual business value of an application. P4 = predicted annual maintenance cost after reengineering. P5 = predicted annual operations cost after reengineering. P6 = predicted annual business value after reengineering. P7 = estimated reengineering costs. P8 = estimated reengineering calendar time. P9 = reengineering risk factor (P9 = 1.0 is nominal). L = expected life of the system.

68

Economics of Reengineering-IIEconomics of Reengineering-II The cost associated with continuing maintenance of a candidate

application (i.e., reengineering is not performed) can be defined as

Cmaint = [P3 - (P1 + P2)] x L

The costs associated with reengineering are defined using the following relationship:

Creeng = [P6 - (P4 + P5) x (L - P8) - (P7 x P9)] `

Using the costs presented in equations above, the overall benefit of reengineering can be computed as

cost benefit = Creeng - Cmaint

The cost associated with continuing maintenance of a candidate application (i.e., reengineering is not performed) can be defined as

Cmaint = [P3 - (P1 + P2)] x L

The costs associated with reengineering are defined using the following relationship:

Creeng = [P6 - (P4 + P5) x (L - P8) - (P7 x P9)] `

Using the costs presented in equations above, the overall benefit of reengineering can be computed as

cost benefit = Creeng - Cmaint

69

Chapter 32The Road Ahead

Chapter 32The Road Ahead

Software Engineering: A Practitioner’s Approach, 6th editionby Roger S. Pressman

70

Importance of Software-RevisitedImportance of Software-Revisited In Chapter 1, software was characterized as a differentiator.

The function delivered by software differentiates products, systems, and services and provides competitive advantage in the marketplace.

But software is more that a differentiator. The programs, documents, and data that are software help to

generate the most important commodity that any individual, business, or government can acquire—information.

In Chapter 1, software was characterized as a differentiator. The function delivered by software differentiates products,

systems, and services and provides competitive advantage in the marketplace.

But software is more that a differentiator. The programs, documents, and data that are software help to

generate the most important commodity that any individual, business, or government can acquire—information.

71

The Scope of ChangeThe Scope of Change Software connected technologies will impact

communications, energy, healthcare, transportation, entertainment, economics, manufacturing, and warfare, to name only a few

Some technologies to watch: Carbon nanotubes Biosensors OLED displays Grid Computing Cognitive machines

Software connected technologies will impact communications, energy, healthcare, transportation, entertainment, economics, manufacturing, and warfare, to name only a few

Some technologies to watch: Carbon nanotubes Biosensors OLED displays Grid Computing Cognitive machines

72

People - Building SystemsPeople - Building Systems

Communication is changing e.g., video conferencing

Work patterns are changing e.g., intelligent agents

Knowledge acquisition is changing e.g., data mining, the Web

Communication is changing e.g., video conferencing

Work patterns are changing e.g., intelligent agents

Knowledge acquisition is changing e.g., data mining, the Web

73

The “New” SE ProcessThe “New” SE Process Agile

the process and the people must be adaptable Incremental

Delivery occurs in increments All software engineering activities are iterative

Object-oriented Classes are defined Responsibilities are identified Collaboration is described

Agile the process and the people must be adaptable

Incremental Delivery occurs in increments All software engineering activities are iterative

Object-oriented Classes are defined Responsibilities are identified Collaboration is described

74

An Information Spectrum

data:no associativity information:

associativity withinone context

knowledge:associativity withinmultiple contexts

wisdom:creation of generalizedprinciples based onexisting knowledgefrom different sources

75

Technology TrendsTechnology Trends Combination technologies. When two important technologies are merged,

the impact of the merged result is often greater that sum of the impact of each taken separately.

Data fusion. The more data we acquire, the more data we need. More importantly, the more data we acquire, the more difficult it is to extract useful information.

Technology Push. Today, some technologies evolve as solutions looking for problems.

Networking and serendipity. In this context networking implies connections between people or between people and information.

Information overload. A vast sea of information is accessible by anyone with an Internet connection.

Combination technologies. When two important technologies are merged, the impact of the merged result is often greater that sum of the impact of each taken separately.

Data fusion. The more data we acquire, the more data we need. More importantly, the more data we acquire, the more difficult it is to extract useful information.

Technology Push. Today, some technologies evolve as solutions looking for problems.

Networking and serendipity. In this context networking implies connections between people or between people and information.

Information overload. A vast sea of information is accessible by anyone with an Internet connection.

76

Software Engineering Ethics-ISoftware Engineering Ethics-I An ACM/IEEE-CS Joint Task Force has produced a Software

Engineering Code of Ethics and Professional Practices (Version 5.1). The code [ACM98] states: Software engineers shall commit themselves to

making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles:

An ACM/IEEE-CS Joint Task Force has produced a Software Engineering Code of Ethics and Professional Practices (Version 5.1). The code [ACM98] states: Software engineers shall commit themselves to

making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles:

77

Software Engineering Ethics-ISoftware Engineering Ethics-I

1. PUBLIC - Software engineers shall act consistently with the public interest. 2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the

best interests of their client and employer consistent with the public interest. 3. PRODUCT - Software engineers shall ensure that their products and related

modifications meet the highest professional standards possible. 4. JUDGMENT - Software engineers shall maintain integrity and independence in their

professional judgment. 5. MANAGEMENT - Software engineering managers and leaders shall subscribe to

and promote an ethical approach to the management of software development and maintenance.

6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.

7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.

8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.

1. PUBLIC - Software engineers shall act consistently with the public interest. 2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the

best interests of their client and employer consistent with the public interest. 3. PRODUCT - Software engineers shall ensure that their products and related

modifications meet the highest professional standards possible. 4. JUDGMENT - Software engineers shall maintain integrity and independence in their

professional judgment. 5. MANAGEMENT - Software engineering managers and leaders shall subscribe to

and promote an ethical approach to the management of software development and maintenance.

6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.

7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.

8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.

78

Ethics-On a Personal levelEthics-On a Personal level Never steal data for personal gain. Never distribute or sell proprietary information obtained as part

of your work on a software project. Never maliciously destroy or modify another person’s programs,

files, or data. Never violate the privacy of an individual, a group, or an

organization. Never hack into a system for sport or profit. Never create or promulgate a computer virus or worm. Never use computing technology to facilitate discrimination or

harassment.

Never steal data for personal gain. Never distribute or sell proprietary information obtained as part

of your work on a software project. Never maliciously destroy or modify another person’s programs,

files, or data. Never violate the privacy of an individual, a group, or an

organization. Never hack into a system for sport or profit. Never create or promulgate a computer virus or worm. Never use computing technology to facilitate discrimination or

harassment.