XCD – a Design-By-Contract Architecture Description Language


XCD – A Design-by-Contract Architecture Description Language

Mert Ozkaya and Christos Kloukinas
Department of Computer Science, City University London, London, EC1V 0HB, UK

Abstract— Software architecture description languages (ADL) have been proposed as a way to properly specify the architectures of complex software systems, in a way that allows both communication among the different stakeholders and an early analysis of these systems for a number of properties. However, practitioners seem to have shunned the ADL developed in academia and mainly use other modeling languages that were not originally created for describing architectures. In a recent survey, practitioners have expressed a wish for analyzing their architectures (esp. for non-functional properties) and at the same time expressed their dissatisfaction with existing ADL, finding that the formal notations they use have a learning curve that they perceive as being too steep. In this paper we propose a new ADL, called XCD, that attempts to address these issues. To this end, XCD is a formal language, allowing the formal analysis of systems. In its current form, it focuses on safety and liveness properties (deadlocks, etc.), leaving support for non-functional properties, such as reliability or performance, for later. In order to avoid imposing a steep learning curve on practitioners, XCD follows a Design-by-Contract (DbC) approach. DbC has the advantage of allowing practitioners to express formal models in a notation that resembles the programming languages they use. DbC has in fact already been embraced by practitioners, who so far use it mainly for improving their testing methods.

1. Introduction

There has been significant work on architectural description languages (ADL) from the early nineties as a way of specifying the architecture of complex software systems [15], [30]. Rapide [21], Wright [1], Darwin [22], UniCon [34], ACME [14], XADL [10], and C2 [25] are widely-known early ADLs; LEDA [7], AADL [11], Koala [35], COSA [28], SOFA [31], RADL [32], PRISMA [29], π-ADL [27], PiLar [9], and Connect [18] are ones developed more recently. These languages have explored different ways of representing architectures, using component and connector abstractions or just component abstractions. Many among them have been designed to facilitate formal analysis of safety and liveness properties, for which they require architects to specify the behaviors of system elements using some formal language, usually a form of a process algebra.

A recent survey by Malavolta et al. [24] on the needs of the industry with respect to architectural specification indicates that the languages developed in academia so far have not been very successful in practice. Practitioners remarked that they need to analyze their systems for non-functional properties like performance or reliability, which are not usually supported by ADL and their related tools. They also considered the formal notations used in ADL as imposing a learning curve that is too steep and having a low return on investment in their eyes.

We take the view that both these issues are important but we cannot resolve the former without first resolving the latter. This is because safety and liveness properties, like deadlock-freedom, are of a more basic nature than performance and reliability analyses – after all, a deadlocked system has zero performance and zero reliability. Therefore we need to design an ADL that allows practitioners to specify behaviors in a way that allows for formal verification but without imposing upon them a notation that is unfamiliar to them. For this reason we have developed XCD, a new ADL that follows a Design-by-Contract (DbC) approach [26]. XCD allows architects to specify the behaviors of their systems in a language that resembles a programming language, which should render the investment required in learning the new notation small enough for it to become a reasonable approach to consider.

1.1 XCD Language Design Considerations

Table 1 shows a number of ADL, covering both the major early ones (Darwin to XADL) and more recent ones (PRISMA to CONNECT). It compares them against three characteristics that we believe to be important for supporting the architectural specification of complex systems, namely whether they allow formal behavior specification, whether they support complex connectors as first-class elements and whether the architectures expressed in them are realisable.

Table 1: Some important ADL characteristics

| ADLs | Formal behaviour specification | First-class complex connectors | Realisable |
|---|---|---|---|
| Darwin [22] | FSP | No | Yes |
| Wright [1] | CSP | Yes | Potentially no (glue centralised controller element) |
| ACME [14] | Possible with annotations (when Wright connectors employed) | Yes | Potentially no |
| Rapide [21] | Event patterns | No | Potentially no (global architectural constraints pattern) |
| UniCon [34] | No | No | Yes |
| C2 [25] | Z | No | Yes |
| LEDA [7] | pi-calculus | No | Yes |
| OLAN [2] | No | No | Yes |
| XADL [10] | Possible with schema extension (when Wright connectors employed) | Yes | Potentially no |
| PRISMA [29] | pi-calculus | Yes | Potentially no (when connector aspects are employed) |
| RADL [32] | Finite State Machine | No | Yes |
| PiLar [9] | process algebraic notation | Yes | Potentially no (when constraints are employed) |
| π-ADL [27] | pi-calculus | Yes | Potentially no (when connector protocols are employed) |
| AADL [11] | Automata | No | Yes |
| Koala [35] | No | No | Yes |
| COSA [28] | No | Yes | Potentially no (glue centralised controller element) |
| SOFA [31] | Behaviour Protocols (simplified CSP) | No | Yes |
| CONNECT [18] | FSP | Yes | Potentially no (glue centralised controller element) |

Most of these ADL do allow formal behavior specification, albeit in notations that practitioners have found to require a steep learning curve. The ones that do not support formal behavior specification do so because they focus more on direct code production from architectural descriptions. Interestingly, practitioners surveyed in [24] did not rate code production as an important feature.

Then we see that the ADLs in Table 1 are more or less divided between those that do support complex connectors as first-class elements and those that do not, either allowing a limited set of connectors only or requiring that architects simulate these through components. We acknowledge that this is somewhat a question of taste, just like Java requires that every procedure is specified as a method of some class while C++ allows independent procedures too. As we do not like having to write Math.sqrt() in Java to call the square root function, we believe that it is better to not try to fit everything into a single element and offer a separate notion to characterize protocols – connectors. Indeed, when (complex) connectors are implicit entities embedded in components (as is, for instance, the case with Darwin, Rapide, OLAN, LEDA, and RADL), they cannot be re-used in different contexts. Furthermore, components become less re-usable too, being specific to certain interac-

[…] are to behave in their environment and interact with other components; thus, it is very likely that those components are unable to be composed successfully into a whole system.

Having mentioned the importance of explicit complex connectors in design, a careful reader will notice that in Table 1 each referred ADL supporting connectors as a first-class entity has a realisability problem. That is, centralised global constraints are allowed (if not forced) to be specified that coordinate the behaviour of components – which however can never exist in distributed (i.e., decentralised) systems. In such a case, specifications would become unrealisable, i.e., they cannot easily be implemented in reality. Separating the global constraints into distributed protocols for the participating components may avoid this, which may however be impossible to do. Worse yet, no tool can warn designers that their design is potentially unrealisable, as the realisability problem is undecidable in general.

Therefore, connectors in XCD are not specified with glue-like centralised units. Instead, as depicted in Figure 1, we consider connectors as abstractions of decentralised roles, which represent the interaction behaviour of participating components, and connector channels between the roles. Thus, the architectural design of distributed systems is specified in a decentralised manner without the restriction of using centralised glues, rendering them realisable by construction. In cases where glue-like centralised choreographers are desired, they are specified as explicit connector roles too.

2. Architecture Specification with Design by Contract

Design by Contract (DbC), invented by Bertrand Meyer [26], is an approach for specifying the behaviour of software in terms of contracts consisting essentially of pre-conditions and post-conditions. A contract herein imposes on software units that if the required pre-condition is satisfied by the caller of the unit, then the unit is executed and is ensured to meet a certain post-condition. In this section, we focus on the idea of adopting and extending DbC for specifying software architectures that can be easily developed and formally analyzed.

2.1 Why Design-by-Contract (DbC)

Formal specification. DbC essentially promotes a formal specification of software behaviour in that the notion of contracts has its formal semantics based on Hoare's logic [16] and VDM's rely-guarantee [3] specification approach.

Familiar to developers. DbC has been supported by various programming languages and thus is already known and used by many developers. This highly aids in contractual specifications being more familiar
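The contract semantics described in Section 2 (the caller must establish the pre-condition; the unit then runs and must establish the post-condition) as executable checks, an added Python example that is not part of the paper and is not XCD code. The `contract` decorator, `BoundedQueue` and the deliberately faulty `LossyQueue` are constructed for illustration; the point shown beyond the text is blame assignment: a pre-condition failure is charged to the caller, a post-condition failure to the callee, which is what makes a contract violation actionable when it surfaces at a component boundary.

```python
"""Design-by-Contract as executable checks on a component's ports.

Added example (not from the XCD paper): a pre/post-condition decorator that
records which party broke the contract. A pre-condition failure is the
caller's fault; a post-condition failure is the callee's. BoundedQueue and
LossyQueue are constructed components used only to exercise the checks.
"""
from functools import wraps


class ContractViolation(AssertionError):
    """Raised when a contract clause fails; `party` is 'caller' or 'callee'."""

    def __init__(self, party, clause):
        super().__init__(f"{party} violated the {clause}")
        self.party = party
        self.clause = clause


def contract(pre=None, post=None):
    """Wrap a method with a pre-condition and a post-condition.

    pre(self, *args)               is evaluated before the body runs;
    post(self, result, old, *args) is evaluated after it, where `old` is the
    snapshot the component took before the call (DbC's 'old' value).
    """
    def decorate(fn):
        @wraps(fn)
        def wrapper(self, *args, **kwargs):
            if pre is not None and not pre(self, *args, **kwargs):
                raise ContractViolation("caller", f"pre-condition of {fn.__name__}")
            old = self.snapshot()
            result = fn(self, *args, **kwargs)
            if post is not None and not post(self, result, old, *args, **kwargs):
                raise ContractViolation("callee", f"post-condition of {fn.__name__}")
            return result
        return wrapper
    return decorate


# Contract clauses for the queue's two ports, shared by both implementations.
def put_pre(self, x):
    return len(self.items) < self.capacity              # never overfill

def put_post(self, result, old, x):
    return self.items == old + [x]                      # x appended, nothing lost

def get_pre(self):
    return len(self.items) > 0                          # never read an empty queue

def get_post(self, result, old):
    return result == old[0] and self.items == old[1:]   # FIFO, exactly one removed


class BoundedQueue:
    """Constructed component: a FIFO queue with contracted put/get ports."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.items = []

    def snapshot(self):
        return list(self.items)

    @contract(pre=put_pre, post=put_post)
    def put(self, x):
        self.items.append(x)

    @contract(pre=get_pre, post=get_post)
    def get(self):
        return self.items.pop(0)


class LossyQueue(BoundedQueue):
    """Constructed faulty implementation: silently drops items when the
    queue currently holds an odd number of elements."""

    @contract(pre=put_pre, post=put_post)
    def put(self, x):
        if len(self.items) % 2 == 0:
            self.items.append(x)


def run(queue, ops):
    """Apply ('put', x) / ('get',) operations in order and return one outcome
    per operation: ('ok', value) or ('violation', party)."""
    outcomes = []
    for op in ops:
        try:
            value = queue.put(op[1]) if op[0] == "put" else queue.get()
            outcomes.append(("ok", value))
        except ContractViolation as err:
            outcomes.append(("violation", err.party))
    return outcomes


if __name__ == "__main__":
    ops = [("put", 1), ("put", 2), ("put", 3), ("get",), ("get",), ("get",)]
    print(run(BoundedQueue(2), ops))   # third put and third get blame the caller
    print(run(LossyQueue(3), ops))     # second and third puts blame the callee
```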