Formal support for design techniques: a Timethreads-LOTOS approach
IFIP Advances in Information and Communication Technology
A design methodology which allies the graphical expressiveness of the timethread notation with the analytical power of the LOTOS language and its associated tools is presented. The timethread concept is the basis of a scenario-based design methodology. A simple telephone system is used as an example. It is shown how the main scenarios of such a system can be expressed in the timethread notation, leading to an abstract system design. Further, it is shown how the notation can be
... ed into LOTOS. LOTOS tools are used to validate the high-level design. Tools used include LOLA for analysis and design testing, LMC for checking temporal logic properties, and GOAL for checking reachability of actions.

Keywords: FDT-based software engineering, tools and tool support, design and design validation, timethreads, LOTOS

INTRODUCTION

Context and motivation

A software design methodology should meet two criteria: expressiveness and flexibility of the design language, and power of the analysis and validation methods. For this reason, one seeks design methods that are based on expressive visual design notations, and formal analysis methods that are based on sound theoretical foundations. Design methods are intended to be used by system designers (architects or engineers) to describe systems (or system properties, such as scenarios, architecture and data transformation), while formal methods are used to verify that the system has the desired properties. Timethreads are a high-level design notation for distributed systems that expresses scenario paths. In this paper, we show how the formal language LOTOS and its associated analysis methods and tools can be used to analyze and validate timethread visual design descriptions.

Scenario-based approaches are now widely used in industry for the design of distributed systems. One of the main reasons is that scenarios describe top-level critical requirements that must be fulfilled by any detailed design, and thereafter by any implementation. Also, scenarios can usually be obtained easily from requirements. They express sequences of activities that need to be executed within the system in order to produce correct outputs from triggering events. The concept of timethreads has been defined for use in the early stages of design (high-level design) to capture the different scenario paths that should drive the design process.
They are used as a thinking tool in the requirements analysis phase, where system designers try to understand the set of requirements as a whole before stepping into the detailed-design phase. Timethreads are defined as scenario paths because they illustrate the paths along which scenarios flow through the system. One of the particularities of the timethread methodology is that individual timethreads can be composed into a diagram called a timethread map. Also, unlike other models for scenario description, timethreads abstract away from the specific mechanisms of component interaction. They provide a notion of refinement of activities from one level of abstraction to the next. Timethreads exist independently of any system structure or decomposition. However, they are usually superimposed on structures, in which case they illustrate the sequences of activities through the set of system components. In this case, timethread activities, also called responsibilities in the timethread literature, are assigned to system components that become responsible for executing them in the detailed design. Space does not allow us to mention all aspects of the timethread methodology. Suffice it to say that it covers the different stages of high-level design development.

The ISO standard FDT (Formal Description Technique) LOTOS (ISO, 1988) is used in this project for formal analysis and validation purposes. The reasons for choosing LOTOS are multiple. LOTOS allows one to express both individual timethreads, as LOTOS processes, and the interactions between timethreads in timethread maps, as LOTOS process interactions. It is executable and has a formal operational semantics. Also, LOTOS possesses a hide operator that allows the designer to explicitly hide some gates in the specification without having to modify the rest of the specification. This allows designers to focus on certain sets of activities when executing a specification.
Finally, since LOTOS is an ISO standard, the number of tools that support it, and the analysis and validation power of these tools, are constantly increasing. Research on integrating LOTOS in a design discipline which was a forerunner of timethreads was described in . Timethreads were then called slices. In the context of object-oriented systems , the authors renamed timethreads as use case paths.

[Figure residue; labels recovered: Requirements, Scenarios (timethreads), High-Level Design (timethread map), Analysis & Req. Capture, Composition, Validation]

Single Timethread Interpretation Method (M3): This method aims at generating LOTOS behaviour expressions from single timethreads. Each behaviour expression is a LOTOS process corresponding to its associated timethread.

Specification Composition Method (M4): We collect the structure expression and the set of behaviour expressions previously generated to produce a LOTOS specification.

Analysis and validation in LOTOS

Being formal and algebraic in nature, LOTOS lends itself to validation activities, which are often based on bisimulation concepts. This can help verify that two specifications at two different levels of abstraction, or having different structures, are indeed comparable. If a LOTOS specification has a finite model, temporal logic analysis, such as model checking, is possible. Being executable, a LOTOS specification produces a prototype of the entity specified, a prototype which can be analyzed and tested (design-level testing). This opens a number of possibilities for validation, of which a few are demonstrated later in this paper. In our methodology, a formal interpretation model (LOTOS) is obtained from a semi-formal notation (timethreads). Therefore, the correctness of a timethread-to-LOTOS translation cannot be ensured.
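As an added illustration of the M3 and M4 steps above and of the hide operator mentioned earlier (example code written here, not the authors' tools), a toy Python generator turns the timethreads of a constructed two-party telephone scenario into LOTOS processes and composes them into a specification. The flat parallel structure expression and all gate, process and scenario names are assumptions, not taken from the paper.

```python
from collections import Counter
from typing import Dict, List, Union
# Toy rendering of the paper's M3 and M4 steps (added example, not the paper's tooling).
# A timethread is a list of responsibilities (LOTOS gate names); an OR-fork along the
# path is written ("choice", [alternative_path, ...]).  All names are constructed.
Path = List[Union[str, tuple]]

def gates_of(path: Path) -> List[str]:
    """Gate list of one timethread, in order of first appearance (fork branches included)."""
    gates: List[str] = []
    for step in path:
        found = [g for alt in step[1] for g in gates_of(alt)] if isinstance(step, tuple) else [step]
        gates += [g for g in found if g not in gates]
    return gates

def behaviour(path: Path, tail: str) -> str:
    """M3 core: the path as a LOTOS behaviour expression; `tail` is the recursive call."""
    if not path:
        return tail
    head, rest = path[0], path[1:]
    if isinstance(head, tuple):  # OR-fork: each branch continues with the rest of the thread
        return "( " + " [] ".join(behaviour(list(alt) + rest, tail) for alt in head[1]) + " )"
    return f"{head}; {behaviour(rest, tail)}"  # action prefix

def m3_process(name: str, path: Path) -> str:
    """M3: one timethread becomes one recursive LOTOS process."""
    sig = f"{name} [{', '.join(gates_of(path))}]"
    return f"process {sig} : noexit :=\n  {behaviour(path, sig)}\nendproc"

def shared_gates(threads: Dict[str, Path]) -> List[str]:
    """Gates used by more than one timethread: where timethreads interact on the map."""
    counts = Counter(g for p in threads.values() for g in gates_of(p))
    return [g for g, n in counts.items() if n > 1]

def m4_specification(name: str, threads: Dict[str, Path], hidden: List[str]) -> str:
    """M4: assumed structure expression = flat parallel composition synchronising on
    shared gates; internal gates are removed from the interface with LOTOS' hide."""
    shared = shared_gates(threads)
    sync = f" |[{', '.join(shared)}]| " if shared else " ||| "
    structure = sync.join(f"{n} [{', '.join(gates_of(p))}]" for n, p in threads.items())
    every = dict.fromkeys(g for p in threads.values() for g in gates_of(p))
    visible = ", ".join(g for g in every if g not in hidden)
    body = f"hide {', '.join(hidden)} in\n    ( {structure} )" if hidden else structure
    procs = "\n".join(m3_process(n, p) for n, p in threads.items())
    return f"specification {name} [{visible}] : noexit\nbehaviour\n  {body}\nwhere\n{procs}\nendspec"

# Constructed telephone scenarios: the two timethreads meet at connect, talk and onhook.
CALLER: Path = ["offhook", "dial", "connect", ("choice", [["talk"], ["busytone"]]), "onhook"]
CALLEE: Path = ["ring", "connect", "answer", "talk", "onhook"]
```

Calling `m4_specification("SimplePhone", {"Caller": CALLER, "Callee": CALLEE}, ["connect"])` prints the composed specification; in this constructed scenario the busytone branch leaves Callee waiting on talk while Caller waits on onhook, the kind of mismatch that executing the LOTOS specification in a tool would expose.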