Harsh Beohar
Goal
To briefly describe ASD as a methodology.
To describe the behaviour of the system under design in brief.
To briefly describe the scenarios which were designed using ASD.
To describe the problems encountered while using ASD.
CONFIDENTIAL
ASD Methodology[1]
Mealy Machine
Differences from an automaton: a Mealy machine has no final states, and each transition produces an output that depends on the current state and the input. This motivates modelling a reactive system as a Mealy machine. To allow predicates on state transitions, one more component is added to the Mealy machine tuple:
M=(Q,,,P,,,qi)
Q : a finite set of states.
: a finite set of stimuli S (finite input alphabet).
: a finite set of responses R (finite output alphabet).
P : a set of unbounded predicates.
: Q Q (next state function).
: Q (output function).
qi : the initial state.
BB : S* → R
The black box is defined as a total function that maps the stimulus history to responses.
BSDM (Box Structure Development Method), contd.
The state box is derived from the black box and introduces internal state.
Let Q, S and R denote the sets of states, stimuli and responses respectively. Then the state box is given as
SB : (Q × S) → (Q × R)
The clear box is an implementation of the state box in any high-level language (C++, Java, etc.).
Model checking is performed by generating CSP and using FDR2 to verify system properties. "Specification is refined by Implementation" means that every behaviour of the Implementation is also a behaviour of the Specification. In more detail, let I_i and I_u denote the sets of implemented and used interfaces of a component respectively, and let D denote the design of that component. Then Verum checks
||| I_i ⊑_FD (||| I_u) || D
where ||| is CSP interleaving, || is CSP parallel composition, and ⊑_FD is refinement in the failures-divergences model.
They also check requirements by specifying them in CSP and then checking them through the above refinement.
Thus, durative and non-durative actions can be seen as asynchronous and synchronous calls respectively.
ASD concepts:
Run-to-completion semantics: once a stimulus has fired, all corresponding responses are processed completely in the specified order, AND all state predicates are updated before the state transition is made.
Call-back semantics: call-back events are decoupled via a queue mechanism. This decoupling happens in a thread context different from the calling thread, known as the DPC server thread.
Synchronization semantics:
Get Client Mutex
Get Client DPCMutex
Call Processing
Release Client DPCMutex
Conditional Wait (DPC call-back)
Release Client Mutex
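The call-back decoupling and the mutex sequence above, as an added example (this is not ASD's or Verum's own code): a hypothetical DPC server thread dispatches queued call-backs, and a client takes the Client Mutex, then the Client DPCMutex, issues the call, and waits on a condition variable that releases the DPCMutex while waiting. The class and method names are this example's own assumptions.

```python
import queue
import threading

class DpcServer(threading.Thread):
    """Hypothetical DPC server thread: runs queued call-backs in its own context."""
    def __init__(self) -> None:
        super().__init__(name="DPC", daemon=True)
        self.q: "queue.Queue" = queue.Queue()
        self.start()
    def post(self, callback, *args) -> None:
        self.q.put((callback, args))       # decoupling: the caller never runs the call-back itself
    def run(self) -> None:
        while True:
            callback, args = self.q.get()
            callback(*args)

class Service:
    """Used interface with a durative action: prepare() returns at once, Prepared arrives later."""
    def __init__(self, dpc: DpcServer) -> None:
        self.dpc = dpc
    def prepare(self, callback) -> None:
        self.dpc.post(callback, "Prepared")

class Client:
    def __init__(self, service: Service) -> None:
        self.service = service
        self.mutex = threading.Lock()        # Client Mutex: one stimulus at a time (run to completion)
        self.dpc_mutex = threading.Lock()    # Client DPCMutex: guards data shared with the DPC thread
        self.cv = threading.Condition(self.dpc_mutex)
        self.reply = None
    def _on_prepared(self, msg: str) -> None:
        with self.cv:                        # DPC thread takes the DPCMutex to hand over the reply
            self.reply = (msg, threading.current_thread().name)
            self.cv.notify()
    def prepare(self):
        with self.mutex:                     # Get Client Mutex
            with self.cv:                    # Get Client DPCMutex
                self.reply = None
                self.service.prepare(self._on_prepared)   # Call Processing
                # Release Client DPCMutex + Conditional Wait: wait_for() drops the DPCMutex
                # atomically, so a call-back delivered in between cannot be lost.
                if not self.cv.wait_for(lambda: self.reply is not None, timeout=5.0):
                    raise TimeoutError("no DPC call-back received")
            return self.reply                # Release Client Mutex on leaving the block

def prepare_once() -> tuple:
    """Returns (reply, name of the thread that delivered it)."""
    return Client(Service(DpcServer())).prepare()
```

The returned thread name shows the call-back ran on the DPC thread, not on the caller's.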
Some terminology
System: the collection of software components one is interested in specifying.
Environment: all entities external to the system with which the system (when implemented) directly communicates.
Stimuli: events (inputs, interrupts, invocations) in the environment which can affect system behaviour.
Responses: system behaviours which are observable in the environment.
These definitions are very helpful for drawing a context diagram.
[Context diagram: the System Boundary together with the Orchestration Controller, Preparation Controller, Selection Controller, FEClient and Patient Administration.]
Scenarios Identified
Prepare-Unprepare: handled in the Preparation Controller.
Select Acquisition Case: handled in the Selection Controller.
Select Acquisition Protocol Step: handled in the Selection Controller.
System Startup/Shutdown: handled in the Orchestration Controller.
EPX Validation with User.
EPX Validation without User.
Select Examination.
Prepare-Unprepare Scenario
The preparation of an image acquisition is initiated only by the Front End (FE), by pressing a foot pedal. Similarly, the un-preparation of an image acquisition is initiated by the FE, by releasing the foot pedal. The FE always starts and stops an acquisition by sending a Prepare and an Unprepare request, respectively, to the Orchestration Controller. The Orchestration Controller informs the FE with Prepared once the services are prepared; similarly for Unprepare.
If the Orchestration Controller informs the FE with a PrepareFailed message, then the FE must send an Unprepare message before requesting the next prepare cycle.
Prepare Scenario
[Sequence diagram: participants FEClient, Orchestration Controller, Preparation Controller (called through IPreparationController.Prepare), Acquisition Service and XRay IP Service.]
Note: the order in which the services return their result is not fixed; it depends on how much time they need to process the prepare request.
Decisions Made
Prepare-Unprepare scenarios: the Orchestration Controller will send a Prepare command to the services for the next run even though the after-run data for the current run has not yet been received. The services will prepare and send Prepared/PrepareFailed to the Orchestration Controller. The Orchestration Controller will then wait for the after-run data from the FE (with a time-out). If the AfterRunData is received, the Orchestration Controller will send Prepared to the FE upon receiving it and handle the AfterRunData asynchronously.
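The Mealy machine with predicates, the run-to-completion rule (predicates updated before the transition, responses sent in order) and the Prepare-Unprepare scenario described above, as an added example that is not the page's or Verum's code. It assumes one FE and two services whose replies may arrive in either order, that Unprepare is answered immediately (a simplification), and that after PrepareFailed a Prepare without a preceding Unprepare is an illegal stimulus; the AfterRunData time-out is not modelled. All names are this example's own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
class IllegalStimulus(Exception):
    """The stimulus is not allowed in the current state (an ASD 'illegal' table entry)."""
@dataclass
class Transition:
    guard: Callable[[dict], bool]                    # predicate from P, evaluated on current variables
    responses: List[str]                             # sent completely, in this order (run to completion)
    target: str
    update: Callable[[dict], None] = lambda v: None  # predicate update, applied BEFORE the state change

class MealyComponent:
    """Hypothetical interpreter for a Mealy machine with predicates (not ASD's own code)."""
    def __init__(self, initial: str, variables: dict,
                 table: Dict[Tuple[str, str], List[Transition]]):
        self.state, self.vars, self.table = initial, variables, table
    def allows(self, name: str) -> bool:
        """True if some guarded transition is enabled for this stimulus in the current state."""
        return any(t.guard(self.vars) for t in self.table.get((self.state, name), []))

    def stimulus(self, name: str) -> List[str]:
        """Fire one stimulus; returns the responses in the order they are sent."""
        for t in self.table.get((self.state, name), []):
            if t.guard(self.vars):
                t.update(self.vars)          # predicates first ...
                self.state = t.target        # ... then the state transition
                return list(t.responses)
        raise IllegalStimulus(f"{name!r} is illegal in state {self.state!r}")

ALWAYS = lambda v: True
def _dec(v): v["pending"] -= 1
def _reset(v): v["pending"] = 2
def orchestration_controller() -> MealyComponent:
    """Prepare/Unprepare handling with two services (Acquisition, XRay IP) whose replies
    may arrive in either order; 'pending' counts the replies still outstanding."""
    unprepare = Transition(ALWAYS, ["Service.Unprepare", "FE.Unprepared"], "Unprepared", _reset)
    table = {
        ("Unprepared", "FE.Prepare"): [Transition(ALWAYS, ["Service.Prepare"], "Preparing")],
        ("Preparing", "Service.Prepared"): [
            Transition(lambda v: v["pending"] > 1, [], "Preparing", _dec),               # first reply
            Transition(lambda v: v["pending"] == 1, ["FE.Prepared"], "Prepared", _dec),  # last reply
        ],
        ("Preparing", "Service.PrepareFailed"): [Transition(ALWAYS, ["FE.PrepareFailed"], "Failed")],
        ("Failed", "Service.Prepared"): [Transition(ALWAYS, [], "Failed")],          # late reply, ignored
        ("Failed", "Service.PrepareFailed"): [Transition(ALWAYS, [], "Failed")],
        ("Prepared", "FE.Unprepare"): [unprepare],
        ("Failed", "FE.Unprepare"): [unprepare],  # no (Failed, FE.Prepare) row: Prepare is illegal there
    }
    return MealyComponent("Unprepared", {"pending": 2}, table)
```

Calling stimulus() on a stimulus with no enabled transition raises IllegalStimulus, which is what the tables mark as illegal behaviour of the environment.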
Further Work
Represent the remaining scenarios as Sequence-Based Specifications (in an Excel sheet).
Model check the Preparation Controller (interface model), PAACSelector (interface model) and Orchestration Controller (design model).
Are the individual components, and the components under parallel composition, deadlock-free and livelock-free?
Still to explore: code-generation limitations and test-case generation while using ASD.
ASD Limitations
Routing a message from any Service to the Orchestration Controller (w.r.t. the context diagram) becomes complex compared to an implementation in a high-level language.
ASD assumes that if processes are in different process boundaries, the channel that provides communication is ideal (it will never break down).
It cannot describe how to transform data, or whether data is to be stored persistently.
A complete system is impossible to design and verify in ASD if foreign components are present. A foreign component is generally a handwritten component or a component whose implementation is generated by other tools.
It is only suited to designing systems that have complex state behaviour.
Conclusions
Designs can be rigorously verified against their requirements and interface specifications. ASD (in particular the SBS method) helps in making design decisions.
Test cases cannot be generated for a complete system, but they can be generated for ASD components (by selecting the usage-model option in the plug-in).
Compared to the conventional software development lifecycle, design errors can be found before the implementation phase. This methodology is understandable to all project stakeholders.
BL-Components, Harsh Beohar, April 04, 2008
References
[1] Guy Broadfoot and Philippa J. Hopcroft. An Analytical Software Design System. World Intellectual Property Organization, Nov 2005.
[2] Harlan D. Mills, Richard C. Linger, and Alan R. Hevner. Principles of Information Systems Analysis and Design. Academic Press Professional, CA, USA, 1986.
[3] S. J. Prowell and J. H. Poore. Foundations of Sequence-Based Software Specification. IEEE Transactions on Software Engineering, 2003.
[4] Guy Broadfoot and Philippa J. Hopcroft. Combining the Box Structured Development Method and CSP. In Proceedings of the 19th IEEE International Conference on Automated Software Engineering, 2004.