Lecture 8: Decision Tables 2018-05-28 Prof. Dr. Andreas Podelski, - - PDF document

lecture 8 decision tables
SMART_READER_LITE
LIVE PREVIEW

Lecture 8: Decision Tables 2018-05-28 Prof. Dr. Andreas Podelski, - - PDF document

Jan 20, 2024 105 likes •396 views

Softwaretechnik / Software-Engineering Lecture 8: Decision Tables 2018-05-28 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal Albert-Ludwigs-Universitt Freiburg, Germany 8 2018-05-28 main Topic Area Requirements Engineering:

slide-1
SLIDE 1

– 8 – 2018-05-28 – main –

Softwaretechnik / Software-Engineering

Lecture 8: Decision Tables

2018-05-28

  • Prof. Dr. Andreas Podelski, Dr. Bernd Westphal

Albert-Ludwigs-Universität Freiburg, Germany

Topic Area Requirements Engineering: Content

– 8 – 2018-05-28 – Sblockcontent –

2/48

  • Introduction
  • Requirements Specification
  • Desired Properties
  • Kinds of Requirements
  • Analysis Techniques
  • Documents
  • Dictionary, Specification
  • Specification Languages
  • Natural Language
  • Decision Tables
  • Syntax, Semantics
  • Completeness, Consistency, ...
  • Scenarios
  • User Stories, Use Cases
  • Live Sequence Charts
  • Syntax, Semantics
  • Definition: Software & SW Specification
  • Wrap-Up

VL 6 . . . VL 7 . . . VL 8 . . . VL 9 . . . VL 10 . . .

slide-2
SLIDE 2

– 8 – 2018-05-28 – main –

3/48

Risks Implied by Bad Requirements Specications

– 6 – 2018-05-07 – Sreintro –

6/42

negotiation negotiation require- ments speci- fication design / implemen- tation design / implemen- tation quality assurance quality assurance acceptance acceptance docu- mentation docu- mentation re-use re-use customer developer

negotiation

(with customer, marketing department, or ...)

design and implementation,

  • without specification,

programmers may just “ask around” when in doubt, possibly yielding different interpretations difficult integration

documentation, e.g., the user’s manual,

  • without specification, the user’s manual author can only

describe what the system does, not what it should do (“every observation is a feature”)

preparation of tests,

  • without a description of allowed outcomes, tests are

randomly searching for generic errors (like crashes) systematic testing hardly possible

acceptance by customer, resolving later

  • bjections or regress

claims,

  • without specification, it

is unclear at delivery time whether behaviour is an error (developer needs to fix) or correct (customer needs to accept and pay) nasty disputes, additional effort

re-use,

  • without specification, re-use needs to be based on

re-reading the code risk of unexpected changes

  • later re-implementations.
  • the new software may need to adhere to requirements of the old software; if not properly specified,

the new software needs to be a 1:1 re-implementation of the old additional effort

– 8 – 2018-05-28 – main –

4/48

Requirements on Requirements Specications

– 6 – 2018-05-07 – Sre –

14/42

A requirements specification should be

  • correct

— it correctly represents the wishes/needs of the customer,

  • complete

— all requirements (existing in somebody’s head, or a document, or ...) should be present,

  • relevant

— things which are not relevant to the project should not be constrained,

  • consistent, free of contradictions

— each requirement is compatible with all other requirements; otherwise the requirements are not realisable,

  • neutral, abstract

— a requirements specification does not constrain the realisation more than necessary,

  • traceable, comprehensible

— the sources of requirements are documented, requirements are uniquely identifiable,

  • testable, objective

— the final product can objectively be checked for satisfying a requirement.

  • Correctness and completeness are defined relative to something

which is usually only in the customer’s head. is is difficult to be sure of correctness and completeness.

  • “Dear customer, please tell me what is in your head!” is in almost all cases not a solution!

It’s not unusual that even the customer does not precisely know...!

For example, the customer may not be aware of contradictions due to technical limitations.

slide-3
SLIDE 3

– 8 – 2018-05-28 – main –

5/48

Structure of Topic Areas

– 1 – 2018-04-16 – Sccontent –

28/45

Example: Requirements Engineering Vocabulary

e.g. consistent, complete, tacit, etc.

Techniques

informal semi-formal formal

In the course:

e.g. “Whenever a crash...” e.g. “Always, if hcrashi at t...” e.g. “ t, t Time • ...” Use Cases Pattern Language Decision Tables Live Sequence Charts

Content

– 8 – 2018-05-28 – Scontent07 –

6/48

  • (Basic) Decision Tables
  • Syntax, Semantics
  • ...for Requirements Specification
  • ...for Requirements Analysis
  • Completeness,
  • Useless Rules,
  • Determinism
  • Domain Modelling
  • Conflict Axiom,
  • Relative Completeness,
  • Vacuous Rules,
  • Conflict Relation
  • Collecting Semantics
  • Discussion

Logic

slide-4
SLIDE 4

Decision Tables

– 8 – 2018-05-28 – main –

7/48

– 8 – 2018-05-28 – main –

8/48

Decision Table Syntax

– 7 – 2018-05-14 – Scoreet –

24/64

  • Let C be a set of conditions and A be a set of actions s.t. C A = .
  • A decision table T over C and A is a labelled (m + k) × n matrix

T: decision table r1 · · · rn c1 description of condition c1 v1,1 · · · v1,n . . . . . . . . . ... . . . cm description of condition cm vm,1 · · · vm,n a1 description of action a1 w1,1 · · · w1,n . . . . . . . . . ... . . . ak description of action ak wk,1 · · · wk,n

  • where
  • c1, . . . , cm C,
  • a1, . . . , ak A,
  • v1,1, . . . , vm,n {, ×, } and
  • w1,1, . . . , wk,n {, ×}.
  • Columns (v1,i, . . . , vm,i, w1,i, . . . , wk,i), 1 i n, are called rules,
  • r1, . . . , rn are rule names.
  • (v1,i, . . . , vm,i) is called premise of rule ri,

(w1,i, . . . , wk,i) is called effect of ri.

slide-5
SLIDE 5

– 8 – 2018-05-28 – main –

9/48

Decision Table Semantics

– 7 – 2018-05-14 – Scoreet –

25/64

Each rule r {r1, . . . , rn} of table T

T : decision table r1 · · · rn c1 description of condition c1 v1,1 · · · v1,n . . . . . . . . . ... . . . cm description of condition cm vm,1 · · · vm,n a1 description of action a1 w1,1 · · · w1,n . . . . . . . . . ... . . . ak description of action ak wk,1 · · · wk,n

is assigned to a propositional logical formula F(r) over signature C A as follows:

  • Let (v1, . . . , vm) and (w1, . . . , wk) be premise and effect of r.
  • Then

F(r) := F(v1, c1) · · · F(vm, cm) | {z }

=:Fpre(r)

F(w1, a1) · · · F(wk, ak) | {z }

=:Fe (r)

where F(v, x) =

  • x

, if v = × ¬x , if v = true , if v =

– 8 – 2018-05-28 – main –

10/48

Decision Table Semantics: Example

– 7 – 2018-05-14 – Scoreet –

26/64 F(r) := F(v1, c1) · · · F(vm, cm) F(v1, a1) · · · F(vk, ak)

F (v, x) =

  • x

, if v = × ¬x , if v = true , if v =

T r1 r2 r3 c1 × ×

  • c2

×

  • c3
  • ×
  • a1

×

  • a2
  • ×
  • F(r1) = c1 c2 ¬c3 a1 ¬a2
  • F(r2) = c1 ¬c2 c3 ¬a1 a2
  • F(r3) = ¬c1 true true ¬a1 ¬a2
slide-6
SLIDE 6

Decision Tables as Requirements Specification

– 8 – 2018-05-28 – main –

11/48

Yes, And?

– 8 – 2018-05-28 – Setasspec –

12/48

We can use decision tables to model (describe or prescribe) the behaviour of software! Example: Ventilation system of lecture hall 101-0-026.

T: room ventilation r1 r2 r3 b button pressed? × × −

  • ff

ventilation off? × − ∗

  • n

ventilation on? − × ∗ go start ventilation × − − stop stop ventilation − × −

  • We can observe whether button is pressed and whether room ventilation is on or off,

and whether (we intend to) start ventilation of stop ventilation.

  • We can model our observation by a boolean valuation σ : C ∪ A → B, e.g., set

σ(b) := true, if button pressed now and σ(b) := false, if button not pressed now. σ(go) := true, we plan to start ventilation and σ(go) := false, we plan to stop ventilation.

  • A valuation σ : C ∪ A → B can be used to assign a truth value to a propositional formula ϕ over C ∪ A.

As usual, we write σ | = ϕ iff ϕ evaluates to true under σ (and σ | = ϕ otherwise).

  • Rule formulae F(r) are propositional formulae over C ∪ A

thus, given σ, we have either σ | = F(r) or σ | = F(r).

  • Let σ be a model of an observation of C and A.

We say, σ is allowed by decision table T if and only if there exists a rule r in T such that σ | = F(r).

slide-7
SLIDE 7

Example

– 8 – 2018-05-28 – Setasspec –

13/48

T: room ventilation r1 r2 r3 b button pressed? × × −

  • ff

ventilation off? × − ∗

  • n

ventilation on? − × ∗ go start ventilation × − − stop stop ventilation − × −

F(r1) = b ∧ off ∧ ¬on ∧ go ∧ ¬stop F(r2) = b ∧ ¬off ∧ on ∧ ¬go ∧ stop F(r3) = ¬b ∧ true ∧ true ∧ ¬go ∧ ¬stop (i) Assume: button pressed, ventilation off, we (only) plan to start the ventilation.

  • Corresponding valuation: σ1 = {b → true, off → true, on → false, start → true, stop → false}.
  • Is our intention (to start the ventilation now) allowed by T?

Yes! (Because σ1 | = F(r1)) (ii) Assume: button pressed, ventilation on, we (only) plan to stop the ventilation.

  • Corresponding valuation: σ2 = {b → true, off → false, on → true, start → false, stop → true}.
  • Is our intention (to stop the ventilation now) allowed by T?
  • Yes. (Because σ2 |

= F(r2)) (iii) Assume: button not pressed, ventilation on, we (only) plan to stop the ventilation.

  • Corresponding valuation:
  • Is our intention (to stop the ventilation now) allowed by T?
slide-8
SLIDE 8

– 8 – 2018-05-28 – Setasspec –

15/48

slide-9
SLIDE 9

Decision Tables for Requirements Analysis

– 8 – 2018-05-28 – main –

16/48

slide-10
SLIDE 10

Completeness

– 8 – 2018-05-28 – Setana –

18/48

  • Definition. [Completeness] A decision table T is called complete if and only if the

disjunction of all rules’ premises is a tautology, i.e. if | =

  • r∈T

Fpre(r).

Completeness: Example

– 8 – 2018-05-28 – Setana –

19/48

T: room ventilation r1 r2 r3 b button pressed? × × −

  • ff

ventilation off? × − ∗

  • n

ventilation on? − × ∗ go start ventilation × − − stop stop ventilation − × −

  • Is T complete?
  • No. (Because there is no rule for, e.g., the case σ(b) = true, σ(on) = false, σ(off ) = false).

Recall:

F(r1) = c1 ∧ c2 ∧ ¬c3 ∧ a1 ∧ ¬a2 F(r2) = c1 ∧ ¬c2 ∧ c3 ∧ ¬a1 ∧ a2 F(r3) = ¬c1 ∧ true ∧ true ∧ ¬a1 ∧ ¬a2

Fpre(r1) ∨ Fpre(r2) ∨ Fpre(r3) = (c1 ∧ c2 ∧ ¬c3) ∨ (c1 ∧ ¬c2 ∧ c3) ∨ (¬c1 ∧ true ∧ true) is not a tautology.

slide-11
SLIDE 11

For Convenience: The ‘else’ Rule

– 8 – 2018-05-28 – Setana –

21/48

  • Syntax:

T: decision table r1 · · · rn else c1 description of condition c1 v1,1 · · · v1,n . . . . . . . . . ... . . . cm description of condition cm vm,1 · · · vm,n a1 description of action a1 w1,1 · · · w1,n w1,e . . . . . . . . . ... . . . . . . ak description of action ak wk,1 · · · wk,n wk,e

  • Semantics:

F(else) := ¬

  • r∈T \{else} Fpre(r)
  • ∧ F(w1,e, a1) ∧ · · · ∧ F(wk,e, ak)
  • Proposition. If decision table T has an ‘else’-rule, then T is complete.
slide-12
SLIDE 12

Uselessness

– 8 – 2018-05-28 – Setana –

22/48

  • Definition. [Uselessness] Let T be a decision table.

A rule r ∈ T is called useless (or: redundant) if and only if there is another (different) rule r′ ∈ T

  • whose premise is implied by the one of r and
  • whose effect is the same as r’s,

i.e. if ∃ r′ = r ∈ T • | = (Fpre(r) = ⇒ Fpre(r′)) ∧ (Feff (r) ⇐ ⇒ Feff (r′)). r is called subsumed by r′.

  • Again: uselessness is decidable; reduces to SAT.

Uselessness: Example

– 8 – 2018-05-28 – Setana –

23/48

T: room ventilation r1 r2 r3 r4 b button pressed? × × − −

  • ff

ventilation off? × − ∗ −

  • n

ventilation on? − × ∗ × go start ventilation × − − − stop stop ventilation − × − −

  • Rule r4 is subsumed by r3.
  • Rule r3 is not subsumed by r4.
  • Useless rules “do not hurt” as such.
  • Yet useless rules should be removed to make the table more readable,

yielding an easier usable specification.

slide-13
SLIDE 13

Determinism

– 8 – 2018-05-28 – Setana –

24/48

  • Definition. [Determinism]

A decision table T is called deterministic if and only if the premises of all rules are pairwise disjoint, i.e. if ∀ r1 = r2 ∈ T• | = ¬(Fpre(r1) ∧ Fpre(r2)). Otherwise, T is called non-deterministic.

  • And again: determinism is decidable; reduces to SAT.
slide-14
SLIDE 14

Determinism: Example

– 8 – 2018-05-28 – Setana –

25/48

T: room ventilation r1 r2 r3 b button pressed? × × −

  • ff

ventilation off? × − ∗

  • n

ventilation on? − × ∗ go start ventilation × − − stop stop ventilation − × −

  • Is T deterministic?

Determinism: Example

– 8 – 2018-05-28 – Setana –

25/48

T: room ventilation r1 r2 r3 b button pressed? × × −

  • ff

ventilation off? × − ∗

  • n

ventilation on? − × ∗ go start ventilation × − − stop stop ventilation − × −

  • Is T deterministic?

Yes.

slide-15
SLIDE 15

Determinism: Another Example

– 8 – 2018-05-28 – Setana –

26/48 Tabstr : room ventilation r1 r2 r3 b button pressed? × × − go start ventilation × − − stop stop ventilation − × −

  • Is Tabstr determistic?

No. By the way...

  • Is non-determinism a bad thing in general?
  • Just the opposite: non-determinism is a very, very powerful modelling tool.
  • Read table Tabstr as:
  • the button may switch the ventilation on

under certain conditions (which I will specify later), and

  • the button may switch the ventilation off

under certain conditions (which I will specify later).

We in particular state that we do not (under any condition) want to see on and off executed together, and that we do not (under any condition) see go or stop without button pressed.

  • On the other hand: non-determinism may not be intended by the customer.

Content

– 8 – 2018-05-28 – Scontent07 –

27/48

  • (Basic) Decision Tables
  • Syntax, Semantics
  • ...for Requirements Specification
  • ...for Requirements Analysis
  • Completeness,
  • Useless Rules,
  • Determinism
  • Domain Modelling
  • Conflict Axiom,
  • Relative Completeness,
  • Vacuous Rules,
  • Conflict Relation
  • Collecting Semantics
  • Discussion

Logic

slide-16
SLIDE 16

Domain Modelling for Decision Tables

– 8 – 2018-05-28 – main –

28/48

Domain Modelling

– 8 – 2018-05-28 – Setconflax –

29/48

Example:

T: room ventilation r1 r2 r3 b button pressed? × × −

  • ff

ventilation off? × − ∗

  • n

ventilation on? − × ∗ go start ventilation × − − stop stop ventilation − × −

  • If on and off model opposite output values of one and the same sensor for “room ventilation on/off”,

then σ | = on ∧ off and σ | = ¬on ∧ ¬off never happen in reality for any observation σ.

  • Decision table T is incomplete for exactly these cases.

(T “does not know” that on and off can be opposites in the real-world).

  • We should be able to “tell” T that on and off are opposites (if they are).

Then T would be relative complete (relative to the domain knowledge that on/off are opposites).

Bottom-line:

  • Conditions and actions are abstract entities without inherent connection to the real world.
  • When modelling real-world aspects by conditions and actions,

we may also want to represent relations between actions/conditions in the real-world (→ domain model (Bjørner, 2006)).

slide-17
SLIDE 17

Conflict Axioms for Domain Modelling

– 8 – 2018-05-28 – Setconflax –

30/48

  • A conflict axiom over conditions C is a propositional formula ϕconfl over C.

Intuition: a conflict axiom characterises all those cases, i.e. all those combinations of condition values which ‘cannot happen’ — according to our understanding of the domain.

  • Note: the decision table semantics remains unchanged!

Example:

  • Let ϕconfl = (on ∧ off ) ∨ (¬on ∧ ¬off ).

“on models an opposite of off , neither can both be satisfied nor both non-satisfied at a time”

  • Notation:

T: room ventilation r1 r2 r3 b button pressed? × × −

  • ff

ventilation off? × − ∗

  • n

ventilation on? − × ∗ go start ventilation × − − stop stop ventilation − × − ¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]

Relative Completeness

– 8 – 2018-05-28 – Setconflax –

31/48

  • Definition. [Completeness wrt. Conflict Axiom]

A decision table T is called complete wrt. conflict axiom ϕconfl if and only if the disjunction of all rules’ premises and the conflict axiom is a tautology, i.e. if | = ϕconfl ∨

  • r∈T

Fpre(r).

  • Intuition: a relative complete decision table explicitly cares for all cases which ‘may happen’.
slide-18
SLIDE 18

Relative Completeness

– 8 – 2018-05-28 – Setconflax –

31/48

  • Definition. [Completeness wrt. Conflict Axiom]

A decision table T is called complete wrt. conflict axiom ϕconfl if and only if the disjunction of all rules’ premises and the conflict axiom is a tautology, i.e. if | = ϕconfl ∨

  • r∈T

Fpre(r).

  • Intuition: a relative complete decision table explicitly cares for all cases which ‘may happen’.
  • Note: with ϕconfl = false, we obtain the previous definitions as a special case.

Fits intuition: ϕconfl = false means we don’t exclude any states from consideration.

Example

– 8 – 2018-05-28 – Setconflax –

32/48

T: room ventilation r1 r2 r3 b button pressed? × × −

  • ff

ventilation off? × − ∗

  • n

ventilation on? − × ∗ go start ventilation × − − stop stop ventilation − × − ¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]

  • T is complete wrt. its conflict axiom.
  • Pitfall: if on and off are outputs of two different, independent sensors,

then σ | = on ∧ off is possible in reality (e.g. due to sensor failures). Decision table T does not tell us what to do in that case!

slide-19
SLIDE 19

Pitfalls in Domain Modelling (Wikipedia, 2015)

– 8 – 2018-05-28 – Setconflax –

33/48 “Airbus A320-200 overran runway at Warsaw Okecie Intl. Airport on 14 Sep. 1993.”

  • To stop a plane after touchdown, there are spoilers and thrust-reverse systems.
  • Enabling one of those while in the air, can have fatal consequences.
  • Design decision: the software should block activation of spoilers or thrust-revers while in the air.
  • Simplified decision table of blocking procedure:

T r1 r2 r3 else splq spoilers requested × × − thrq thrust-reverse requested − − × lgsw at least 6.3 tons weight on each landing gear strut × ∗ × spd wheels turning faster than 133 km/h ∗ × ∗ spl enable spoilers × × − − thr enable thrust-reverse − − × −

Idea: if conditions lgsw and spd not satisfied, then aircraft is in the air.

14 Sep. 1993:

  • wind conditions not as announced from tower, tail- and crosswinds,
  • anti-crosswind manoeuvre puts too little weight on landing gear
  • wheels didn’t turn fast due to hydroplaning.

"Flight 29041129" by Anynobody - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Flight_29041129.png#/media/File:Flight_29041129.png "Lufthansa Flight 2904 crash site Siecinski" by Mariusz Siecinski - http://www.airliners.net/photo/Lufthansa/Airbus-A320-211/0265541/L/. Licensed under GFDL via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Lufthansa_Flight_2904_crash_site_Siecinski.jpg

Vacuity wrt. Conflict Axiom

– 8 – 2018-05-28 – Setconflax –

34/48

  • Definition. [Vacuity wrt. Conflict Axiom]

A rule r ∈ T is called vacuous wrt. conflict axiom ϕconfl if and only if the premise of r implies the conflict axiom, i.e. if | = Fpre(r) → ϕconfl.

  • Intuition: a vacuous rule would only be enabled in states which ‘cannot happen’.

Example:

T: room ventilation r1 r2 r3 r4 b button pressed? × × − ×

  • ff

ventilation off? × − ∗ ×

  • n

ventilation on? − × ∗ × go start ventilation × − − − stop stop ventilation − × − × ¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]

  • Vacuity wrt. ϕconfl: Like uselessness, vacuity doesn’t hurt as such but
  • May hint on inconsistencies on customer’s side. (Misunderstandings with conflict axiom?)
  • Makes using the table less easy! (Due to more rules.)
  • Implementing vacuous rules is a waste of effort!
slide-20
SLIDE 20

Content

– 8 – 2018-05-28 – Scontent07 –

35/48

  • (Basic) Decision Tables
  • Syntax, Semantics
  • ...for Requirements Specification
  • ...for Requirements Analysis
  • Completeness,
  • Useless Rules,
  • Determinism
  • Domain Modelling
  • Conflict Axiom,
  • Relative Completeness,
  • Vacuous Rules,
  • Conflict Relation
  • Collecting Semantics
  • Discussion

Logic

Conflicting Actions

– 8 – 2018-05-28 – main –

36/48

slide-21
SLIDE 21

Conflicting Actions

– 8 – 2018-05-28 – Setconflrel –

37/48

  • Definition. [Conflict Relation]A conflict relation on actions A is a transitive and sym-

metric relation ⊆ (A × A).

  • Definition. [Consistency] Let r be a rule of decision table T over C and A.

(i) Rule r is called consistent with conflict relation if and only if there are no conflicting actions in its effect, i.e. if | = Feff (r) →

(a1,a2)∈ ¬(a1 ∧ a2).

(ii) T is called consistent with iff all rules r ∈ T are consistent with .

  • Again: consistency is decidable; reduces to SAT.

Example: Conflicting Actions

– 8 – 2018-05-28 – Setconflrel –

38/48

T: room ventilation r1 r2 r3 b button pressed? × × −

  • ff

ventilation off? × − ∗

  • n

ventilation on? − × ∗ go start ventilation × − − stop stop ventilation × × − ¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]

  • Let be the transitive, symmetric closure of {(stop, go)}.

“actions stop and go are not supposed to be executed at the same time”

  • Then rule r1 is inconsistent with .
  • A decision table with inconsistent rules may do harm in operation!
  • Detecting an inconsistency only late during a project can incur significant cost!
  • Inconsistencies — in particular in (multiple) decision tables, created and edited by multiple people,

as well as in requirements in general — are not always as obvious as in the toy examples given here! (would be too easy...)

  • And is even less obvious with the collecting semantics (→ in a minute).
slide-22
SLIDE 22

Content

– 8 – 2018-05-28 – Scontent07 –

39/48

  • (Basic) Decision Tables
  • Syntax, Semantics
  • ...for Requirements Specification
  • ...for Requirements Analysis
  • Completeness,
  • Useless Rules,
  • Determinism
  • Domain Modelling
  • Conflict Axiom,
  • Relative Completeness,
  • Vacuous Rules,
  • Conflict Relation
  • Collecting Semantics
  • Discussion

Logic

A Collecting Semantics for Decision Tables

– 8 – 2018-05-28 – main –

40/48

slide-23
SLIDE 23

Collecting Semantics

– 8 – 2018-05-28 – Setcoll –

41/48

  • Let T be a decision table over C and A

and σ be a model of an observation of C and A. Then Fcoll(T) :=

  • a∈A

a ↔

r∈T,r(a)=× Fpre(r)

is called the collecting semantics of T.

  • We say, σ is allowed by T in the collecting semantics if and only if σ |

= Fcoll(T). That is, if exactly all actions of all enabled rules are planned/executed. Example:

T: room ventilation r1 r2 r3 r4 b button pressed? × × − ×

  • ff

ventilation off? × − ∗ ∗

  • n

ventilation on? − × ∗ ∗ go start ventilation × − − − stop stop ventilation − × − − blnk blink button − − − × ¬[(on ∧ off ) ∨ (¬on ∧ ¬off )]

  • “Whenever the button is pressed, let it blink (in addition to go/stop action.”

Consistency in the Collecting Semantics

– 8 – 2018-05-28 – Setcoll –

42/48

  • Definition. [Consistency in the Collecting Semantics]

Decision table T is called consistent with conflict relation in the collecting se- mantics (under conflict axiom ϕconfl) if and only if there are no conflicting actions in the effect of jointly enabled transitions, i.e. if | = Fcoll(T) ∧ ¬ϕconfl →

(a1,a2)∈ ¬(a1 ∧ a2).

slide-24
SLIDE 24

Discussion

– 8 – 2018-05-28 – main –

43/48

slide-25
SLIDE 25

Formalisation Validation

– 8 – 2018-05-28 – Setdisc –

45/48

Two broad directions:

  • Option 1: teach formalism

(usually not economic).

  • Option 2: serve as

translator / mediator.

T: room ventilation r1 r2 else b button pressed? × ×

  • ff

ventilation off? × −

  • n

ventilation on? − × go start ventilation × − − stop stop ventilation − × −

customer FM expert

scenario S (✔/✘)

valuation σ

| = / | =

✔/✘

= : invalid = : may be valid

➀ domain experts tell system scenario S

(maybe keep back, whether allowed / forbidden),

➁ FM expert translates system scenario to valuation σ, ➂ FM expert evaluates DT on σ, ➃ FM expert translates outcome to “allowed / forbidden by DT”, ➄ compare expected outcome and real outcome.

Formalisation Validation

– 8 – 2018-05-28 – Setdisc –

45/48

Two broad directions:

  • Option 1: teach formalism

(usually not economic).

  • Option 2: serve as

translator / mediator.

T: room ventilation r1 r2 else b button pressed? × ×

  • ff

ventilation off? × −

  • n

ventilation on? − × go start ventilation × − − stop stop ventilation − × −

customer FM expert

scenario S (✔/✘)

valuation σ

| = / | =

✔/✘

= : invalid = : may be valid

➀ domain experts tell system scenario S

(maybe keep back, whether allowed / forbidden),

➁ FM expert translates system scenario to valuation σ, ➂ FM expert evaluates DT on σ, ➃ FM expert translates outcome to “allowed / forbidden by DT”, ➄ compare expected outcome and real outcome.

  • Recommendation: (Course’s Manifesto?)
  • use formal methods for the most important/intricate requirements

(formalising all requirements is in most cases not possible),

  • use the most appropriate formalism for a given task,
  • use formalisms that you know (really) well.
slide-26
SLIDE 26

Tell Them What You’ve Told Them. . .

– 8 – 2018-05-28 – Sttwytt07 –

46/48

  • Decision Tables: one example for a formal

requirements specification language with

  • formal syntax,
  • formal semantics.
  • Requirements analysts can use DTs to
  • formally (objectively, precisely)

describe their understanding of requirements. Customers may need translations/explanation!

  • DT properties like
  • (relative) completeness, determinism,
  • uselessness,

can be used to analyse requirements. The discussed DT properties are decidable, there can be automatic analysis tools.

  • Domain modelling formalises assumptions
  • n the context of software; for DTs:
  • conflict axioms, conflict relation,

Note: wrong assumptions can have serious consequences.

References

– 8 – 2018-05-28 – main –

47/48

slide-27
SLIDE 27

References

– 8 – 2018-05-28 – main –

48/48 Balzert, H. (2009). Lehrbuch der Softwaretechnik: Basiskonzepte und Requirements Engineering. Spektrum, 3rd edition. Bjørner, D. (2006). Software Engineering, Vol. 3: Domains, Requirements and Software Design. Springer-Verlag. Ludewig, J. and Lichter, H. (2013). Software Engineering. dpunkt.verlag, 3. edition. Wikipedia (2015). Lufthansa flight 2904. id 646105486, Feb., 7th, 2015.