Z Formal Specification Language - an Overview Mr

Home , Formal specification, Specification language

International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181

Vol. 1 Issue 6, August - 2012

Z Formal Specification Language - An Overview Mr. Vishal Ruhela Graduate Trainee Engineer, HCL Technologies, Noida, India

In this paper an outline of formal method is Abstract described in Section 2.In Section 3 Difference between formal and informal specification

language is presented. In Section 4 An Formal methods provide a much needed overview of Z formal specification language is solid software engineering foundation for the described. In Section 5 An example to describe ‘art’ of programming computers. Formal Z is presented. Conclusions are presented in specifications can be used to provide an Section 6. unambiguous and consistent supplement to natural language descriptions and can be rigorously validated and verified leading to the 2. An Outline early detection of specification errors. Z is a model oriented formal specification language In this section we describe formal method, based on Zermelo-Fränkel axiomatic set formal specification language and its different theory and first order predicate logic. It is a types. mathematical specification language, with the help of which natural language requirements 2.1. Formal Method can be converted into mathematical form. In this paper an overview of formal method is Formal methods used in developing presented. Z formal specification language is computer systems are mathematical techniques described using small example. for portraying system properties. Such formal methods provide structures within which software system can be specified, developed Keywords: Informal and Formal and verified in a systematic, rather than ad hoc, Specification Language, Model Oriented , Z. manner [2]. Formal methods can be applied throughout the development of a system to 1. Introduction precisely describe a system and involve the use of refinement techniques and proof obligation at each stage to ensure the correctness, With the ever-increasing complexity of completeness and consistency of specification. computer systems, reliable and effective, Formal methods used in developing computer design and development of high quality systems are mathematical based techniques for systems that satisfy their requirements is portraying system properties. extremely important. In the mission and safety critical system failure can cause cost overrun, loss of lives or even severe economic Formal methods can be used at a number consequences can arise. So, in such situations, of levels: it is necessary that errors are uncovered before software is put into operation. These Formal Specification: In computer science, challenges call for acceptance of proper a formal specification is a mathematical engineering methods and tools and have description of software or hardware that may motivated the use of formal methods in be used to develop an implementation. It software engineering. describes what the system should do, not There are varieties of formal specification (necessarily) how the system should do it. languages available to fulfill this goal and one Given such a specification, it is possible to use way to achieve this goal is by using Z formal formal verification techniques to demonstrate specification language. Z is model oriented that a candidate system design is correct with formal method based on set theory and first respect to the specification. This process of order predicate calculus [1]. formal specification is similar to the process of converting a word problem into algebraic notation.

www.ijert.org 1 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181

Vol. 1 Issue 6, August - 2012 objects properly satisfy the specification. Formal development and verification: Formal specification languages use Formal development process involves mathematics as their basis. Most complex iteratively refining a formal specification to systems can be modeled using simple produce the finished system. Formal Methods mathematical objects, such as sets, relations differ from other specification systems by their and functions. A mathematical statement is heavy emphasis on provability and correctness. unambiguous and precise, which provides a By building a system using a formal way to give convincing arguments to justify specification, the designer is actually ones solutions, and allows proving that an developing a set of theorems about his system. implementation satisfies the mathematical By proving these theorems correct, the formal specification [2]. methods ensures the correctness of the system. The process of proving or disproving properties of the software system against a 2.3. Types of Formal Specification formal specification is known as formal Languages verification. Different types of Formal Specification Implementation: Once the model has been Languages are: specified and verified, it is implemented by converting the specification into code. As the 2.3.1. Model Based Languages difference between software and hardware design grows narrower, formal methods for There are a number of different ways to developing embedded systems have been write a precise specification. One approach is developed [2]. model based languages. In it the specification is expressed as a system state model. This state 2.2. Formal Specification Language model is constructed using well understood mathematical entities such as sets, relations, The representation used in formal methods is sequences and functions. Operations of a called a formal specification language. The system are specified by defining how they language is formal in the sense that it has a affect the state of the system model. formal semantics and as a result can be used to Operations are also described by the predicates express specifications in a clear and given in terms of pre and post conditions [3]. unambiguous manner. A formal specification The most widely used notations for developing language can be used to specify the task at model based languages are Vienna hand in a clear and concise manner. As formal Development Method (VDM) [4], Zed (Z) [1] methods and formal specification language has and B [5]. sound mathematical basis, it provides the means of proving that specification is 2.3.2. Algebraic Specification Languages realizable, complete, consistent and Process algebras are amenable to algebraic unambiguous. Even the most complex systems manipulation; however, there are also can be modeled using relatively simple languages which describe a system solely in mathematical objects, such as sets, relations terms of its algebraic properties. These and functions [2]. algebraic specification languages describe the A formal specification language is usually behavior of a system in terms of axioms that composed of three primary components or in characterize its desired properties. Examples of mathematical term we can say that it consists algebraic specification languages include OBJ of two sets, syntax and semantics and a set of [7] and the Common Algebraic Specification relation [2]. Language (CASL) [6]. In mathematical terms The specific notation with which specification algebra (or an algebraic system) consists of (1) is represented is defined by syntactic domain a set of symbols denoting values of some type, or syntax. Formal techniques can have referred to as the carrier set of the algebra; and considerably different semantic domain. (2) a set of operations on the carrier set. Semantics helps to define a universe of objects that will be used to describe the system. Set of 2.3.3. Process oriented Languages relations defines the rules that indicate which

www.ijert.org 2 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181

Vol. 1 Issue 6, August - 2012 Concurrent systems are described using operator logs into the system. In this extract, process oriented formal specification language. does the word it refers to the password or the A specific implicit model for concurrency is operator identity? the basis for these languages. In these Vagueness often occurs because a system languages processes are denoted and built up specification is a very bulky document. by expressions and elementary expressions, Achieving a high level of precision respectively, which describe particularly consistently is an almost impossible task. It simple processes. Ex. Communicating can lead to statements such as the Sequential Processes (CSP) [8]. interface to the system used by radar operators should be user-friendly or the virtual interface 2.3.4. Hybrid Languages shall be based on simple overall concepts that Many systems are built with a combination of are straightforward to understand and use and analog and digital components. In order to few in number. A casual perusal of these specify and verify such systems it is necessary statements might not detect the underlying lack to use a specification language that of any useful information. encompasses both discrete and continuous Incompleteness: The most frequently mathematics. There has been recent interest in occurring problems with system specifications. these hybrid languages, such as CHARON [9]. For example, consider the functional A simple example of a nonlinear hybrid requirement: The system should maintain the system is that of a temperature controller. The hourly level of the reservoir from depth temperature of a room is controlled through a sensors situated in the reservoir. These values thermostat which continuously senses the should be stored for the past six months. This temperature and turns the heater on and off. describes the main data storage part of a system. If one of the commands for the system 3. Difference between Informal and was: The function of the AVERAGE Formal Specification language command is to display on a PC the average Requirements specification languages may be water level for a particular sensor between two classified into two types: formal specification times. Assuming that no more detail was languages and informal specification presented for this command, the details of the languages. Informal specification language command would be seriously incomplete. For uses natural language like English for example, the description of the command does specifying requirements. But they tend to not include what should happen if a user of a include various deficiencies such as a system system specifies a time that was more than six specification can contain contradictions, months before the current hour. ambiguities, vagueness, and incomplete On the other hand Formal specification statements. languages have a mathematical (usually formal Contradictions: Sets of statements that are at logic) basis and employ a formal notation to variance with each other. For example, one model system requirements. The desired part of a system specification may state that properties of a formal specification the system must monitor all the temperatures consistency, completeness, and lack of in a chemical reactor while another part, ambiguity are the objectives of all perhaps written by another member of staff, specification methods. However, the use of may state that only temperatures occurring formal methods results in a much higher within a certain range are to be monitored. likelihood of achieving these ideals. The Normally, contradictions that occur on the formal syntax of a specification language same page of a system specification can be enables requirements or design to be detected easily. However, contradictions are interpreted in only one way, eliminating often separated by a large number of pages. ambiguity that often occurs when a natural Ambiguities: Statements that can be language (e.g., English) or a graphical notation interpreted in a number of ways. For example, must be interpreted by a reader. The the following statement is ambiguous: The descriptive facilities of set theory and logic operator identity consists of the operator name notation (enable clear statement of facts and password; the password consists of six (requirements). To be consistent, facts stated in digits. It should be displayed on the security one place in a specification should not be VDU and deposited in the login file when an contradicted in another place. Consistency is ensured by mathematically proving that initial

www.ijert.org 3 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181

Vol. 1 Issue 6, August - 2012 facts can be formally mapped (using inference rules) into later statements within the specification. Completeness is difficult to achieve, even when formal methods are used. Some aspects of a system may be left undefined as the specification is being created; other characteristics may be purposely omitted to allow designers some freedom in choosing an implementation approach; and finally, it is impossible to consider every operational scenario in a large, complex system. Things may simply be omitted by mistake [2].

4. Overview of Z Formal Specification Language Figure 2.1: Z Process In this section, we briefly describe Z formal specification language. A Z specification for Z also helps in refinement towards an employee maintenance is presented to implementation by mathematically relating the illustrate the use of language. We then describe abstract and concrete states. Z is being used by how the specification can be strengthened. a wide variety of companies for many different applications. 4.1. Description of Z Formal Specification Language In the Z notation there are two languages [1]: The Z language is a model oriented, Mathematical Language formal specification language that was The mathematical language is used to describe proposed by Jean-Raymond Abrail, Steve various aspects of a design: objects and the Schuman and Betrand Meyer in 1977 and it relationships between them by using was later further developed at the propositional logic, predicate logic, sets, programming research group at Oxford relation and functions. University [10]. It is based on Zermelo Fränkel axiomatic set theory and first order predicate Schema Language logic. The Z notation [1], [11] is a strongly The schema language is used to structure and typed, mathematical, specification language. It compose descriptions: collecting pieces of has robust commercially available tool support information, encapsulating them, and naming for checking Z texts for syntax and type errors them for reuse. in much the same way that a compiler checks code in an executable programming language. 4.2. Structure for Z Specification It cannot be executed, interpreted or compiled Schemas are box like structure that introduces into a running program. It allows specification variables and specifies the relationship to be decomposed into small pieces called between these variables [1]. A schema is schemas. The schema is the main feature that shown below. All declarations are made above distinguishes Z from other formal notations. In the central line and predicates are defined Z, both static and dynamic aspects of a system below the central line. can be described using schemas. The Z specification describes the data model, system state and operations of the system. Z SchemaName specification is useful for those who find the requirements, those who implement programs Declarations to meet those requirements, those who test the Predicates consequences, and those who write instruction manuals for the system [1]. DECLARATION: The declarations part of the schema will contain:

www.ijert.org 4 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181

Vol. 1 Issue 6, August - 2012 4.4. Benefits and Limitations of Z a list of variable declarations; and 4.4.1. Benefits of Z [1]: A Z specification forces the software developer to completely analyze the references to other schemas (this is called problem domain. (e.g. identify the state schema inclusion) space and pre and post conditions for all . operations).

PREDICATES: Values of variables are A Z specification forces all major design constrained below the central line. The decisions to be made prior to coding the predicate part of a schema contains: implementation. Coding should not a list of predicates, separated either by commence until you are certain about semi-colons or new lines. what you should be coding.

The declarations part is separated from the A Z specification is a valuable tool for predicate part by the horizontal line. generating test data, and the conformance testing of completed systems. 4.3. Z Conventions [1] If any variable name, N, is followed by „ A Z specification allows formal e.g. N‟, this means that it represents the exploration of properties of system. value of the state variable N after the operation. In Z terminology, N is decorated with a dash. The flexibility to model a specification which can directly lead to the code. If a schema name is decorated with , this introduces the dashed values of all names A large class of structural models can be defined in the specification together with described in Z without higher – order the invariant applying to these values. features, and can thus be analyzed efficiently. If a variable name is decorated with !, this means that it is an output e.g. message!. Independent Conditions can be easily added later.

If a variable is decorated with ?, this 4.4.2. Limitations of Z [12]: means that it is an input e.g. amount?. Z does not provide any support for concurrency. If a schema name is prefixed with the Greek character Xi (X), this means that It does not provide any concept for timing dashed versions of the variables defined in aspects. the named schema are introduced. For all variable names introduced in the schema, the values of corresponding dashed names Sequencing operations is difficult with Z. are the same. That is, the values of state variables are not changed by the Explicit representation of Non- operation. determinism (how to represent un- determined or unknown parameters ?! ) If a schema name is prefixed with the Greek character Delta (D), this implies No single approach has yet asserted itself that values of one or more state variables as the best starting point for defining will be changed by the operation where reasoning about real-time behavior in Z. that schema is introduced. For all variable names introduced in the named schema, corresponding dashed names are also 5. An Example introduced and may be referenced in A specification to convert requirements operations. written in natural language to Z formal

www.ijert.org 5 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181

Vol. 1 Issue 6, August - 2012 specification language method is given below. The specification depicts small operation to add, students details such as rollno, name, class, section, address into school database.

5.1. Specification

[ROLLNO,NAME,CLASS,SECTION,ADDRESS ]

STUDENT_REPORT ::= okadded | alreadyPresent

5.2. Verification

To type check a document clicks the fuzz button in Z/Word tool [13]. The results are displayed in a dialog box.

www.ijert.org 6 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181

Vol. 1 Issue 6, August - 2012 [2] R. Pressman, “Software Engineering- A Practitioner‟s Approach”, McGraw Hill, 5th edition, 2000. [3] D. Bjorner, Pinnacles of software engineering: 25 years of formal methods‖ , In Annals of Software Engineering, vol. 10, pp. 11–66, 2000. [4] C. B. Jones, “Systematic Software Development using VDM”, In Prentice Hall, 1990. [5] J.R. Abrial, “The B Book - Assigning Programs to Meanings”, Cambridge University Press, 1996. [6] P. D. MOSSES, CASL Reference Manual: The Complete Documentation the Common Algebraic Specification Language‖ , Lecture Notes in Computer Science, Springer-Verlag, Vol. 2960, Figure 5.1: Type checking the Z specifications. 2004. [7] J. A. Gougen and J. J. Tardo, An introduction to 6. Conclusions OBJ: a language for writing and testing formal algebraic Specifications. In The IEEE Conference on specifications of Reliable Software. IEEEComputer Society Press, pp. 170-189, 1979. Following conclusions are drawn: [8] C. A. R. Hoare, Communicating Sequential Z is one of the numbers of specification Processes‖ , In Prentice Hall, NJ, 1985. [9] R.Alur, R. Grosu, Y. Hur, V. Kumar, and I. Lee, languages which are being developed Modular specification of hybrid systems in around the world. Z can be used to CHARON. In Hybrid Systems: Computation and compactly specify real systems (ATM). Z Control, Third International Workshop, HSCC,2000. has various collection of library [10]J.R. Abrial, S. A. Schuman and B. Meyer: “A (Mathematical Toolkit), which supports Specification Language, in On the Construction of user to specify the requirements without Programs”, Cambridge University Press, eds. A. M. Macnaghten and R. M. McKeag, 1980. any ambiguity. Large specifications are achievable in [11] J.M. Spivey, “The Z Notation, Reference Manual”, 2nd edition, Prentice Hall International, Z, using the schema notation for 1992. structuring. Also it is possible to produce [12] M. Joseph, ―Formal Techniques in Real-Time hierarchical specifications. A part of a and Fault-Tolerant Systems‖ , Lecture Notes in Computer Science 331, pp. 160- 174. system is specified in isolation, and then [13] http://sourceforge.net/projects/zwordtools/. put into a global context.

By applying formal method in terms of Z notation, it is observed that it does not require a high level of mathematics rather it requires knowledge of basic set theory and first order logic for the analysis of a complete system.

Difficulties with Z are cannot do concurrency, Timing aspects, Algorithmic aspects and programming constraints, and Sequencing operations.

6. References

[1] J. Davies and J. Woodcock, “Using Z: Specification, Refinement, and Proof”, In Prentice Hall, 1996.