fundamentals of re - philadelphia university...define animation scope – what should be shown for...
TRANSCRIPT
www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Fundamentals of RE
Chapter 5
Requirements Quality Assurance
2 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
start
Chap. 2: Elicitation techniques
Chap. 3: Evaluation techniques
alternative options
agreed requirements
documented requirements
consolidated requirements
Chap. 4: Spec/doc techniques
Chap. 5: Quality assurance
techniques
Chap.1: RE products and processes
3 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Quality assurance at RE time
Errors & flaws in requirements documents ...
– the most expensive, numerous, persistent, dangerous
– different types: omission, contradiction, inadequacy, ambiguity, unmeasurability, noise, overspecification, poor structuring, opacity
F cf. Chap.1
QA task 1: find as many of these as possible in the RD by ...
– validation: adequacy of RD items wrt real needs ?
– verification: completeness, consistency of RD items ?
– checks for other target qualities
• non-ambiguity, measurability, feasibility, good structure, ...?
QA task 2: report defects, analyze their causes, fix them
4 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Quality assurance at RE time (2)
Various products resulting from this phase
– consolidated RD
– acceptance test data, prototype
– development plan
– project contract
Complements the requirements evaluation phase (Chap.3):
– later, more accurate analysis
– along selected options
– on detailed specifications
5 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Requirements quality assurance: outline
Requirements inspections and reviews
– The requirements inspection process
– Inspection guidelines
– Requirements inspection checklists
Queries on a specification database
Requirements validation by specification animation
Formal checking
– Language checks
– Dedicated consistency and completeness checks
– Model checking
– Theorem proving
6 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Requirements inspections and reviews
Simple idea:
– ask selected people to inspect the RD individually
– meet to agree on list of problems to be fixed
Various forms
– walkthroughs: internal inspection by project members
– more structured: external reviewers, well-prepared meetings,
inspection reports, etc.
Fairly common for source code (cf. Fagan inspections)
Empirical studies showed it effective for requirements too
7 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
A structured inspection-based QA process
determine reviewers, timing, scope of meetings, report format
Inspection planning
Individual reviewing
Defect evaluation at review meetings
RD consolidation
Free mode: no directive on where to find what
Checklist-based: specific issues, defect types, RD parts
Process-based: specific role for each reviewer, specific procedure, defect type, focus, analysis technique
F more effective
collect defects, agree on serious ones, analyze causes, recommend, report
revise according to recommendations
8 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Inspection guidelines
Inspection report should be...
– informative, accurate, constructive
(no opinion, no offending comment)
– standard structure with room for free comments, lightweight
• may guide individual reviewing
Inspectors should be ...
– independent from RD authors
– representative of all stakeholders, different background
Inspection should come not too soon, not too late
– shorter, repeated meetings are more effective
More focus required on critical parts
– the more defects in some part, the more scrutiny required
9 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Inspection checklists
Aim: guide defect search towards specific issues
Defect-driven checklists – list of generic questions structured by defect type (cf. Sect. 1.1.7)
Quality-specific checklists – specialize defect-driven questions to specifc NFR categories
• safety, security, performance, usability, ...
– sometimes based on guidewords (cf. Sect. 3.2.2)
– often focussed on omissions
Domain-specific checklists – further specialization to domain concepts & operations
– for increased guidance in defect search
Language-based checklists – specialize defect-driven checklists to spec language constructs – support automation
F richer spec languages => more sophisticated checks
10 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Defect-driven checklists: a sample
(Omissions?)
Is this precisely defined somewhere ?
Is there any hidden assumption required for this ?
Is the rationale for this made explicit somewhere ?
(Contradictions?)
Is this consistent with stated objectives or constraints?
(Inadequacies?)
Does this formulate what stakeholders really want?
(Ambiguities?)
Can this be interpreted differently ?
Any other statement using this term with a different meaning?
(Unmeasurability?)
Is there a fit criterion for this quality requirement?
Is this stated in a way discriminating from alternative options?
11 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Defect-driven checklists: a sample (2)
(Noises?)
Is this relevant to system objectives or constraints?
Does the negation of this make any sense?
Any other statement using this under different terms?
(Overspecification?)
Does this entail premature design choices - any sensible alternative?
(Unfeasibility?)
Is this implementable within reasonable time/budget?
(Unintelligibility?)
Is this comprehensible by anyone needing to use it?
(Remorse ?)
Has this concept been used already before this definition?
12 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Defect-driven checklists: a sample (3)
(Poor structuring?)
Is the structuring rule for those sections apparent, and natural ?
Any item related to this and described elsewhere?
Is this covering unrelated requirements?
Is this mixing requirements and assumptions altogether?
Is this mixing requirements and domain properties?
Any unnecessary mixing of functional & non-functional concerns?
(Opacity?)
Any inderdependent items whose dependencies are not made visible?
(Poor modifiability?)
Would any change to this require propagation throughout major portions of the RD?
13 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Quality-specific checklists: a sample
Any unspecified response to out-of-range input values?
Any unspecified response to receiving expected input values too early; too late; or never?
Is the OR of input conditions on this operation a tautology?
Any recovery operation in case of input saturation?
Any output producible faster than it can be consumed?
Any input from sensors unused by the software controller?
Does every state sequence from a hazardous state lead to a low-risk state?
Is there a data consistency check before a decision is made
from these data?
14 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Language-specific checklists: a sample for statement templates
Is this statement identifier used consistently throughout the RD?
Does the indicated type for this statement correctly refer to a
requirement, assumption, domain property, or definition?
Is this fit criterion defined in terms of measurable quantities &
measurement protocols?
Is this rationale consistent with the stated system objectives?
Is this priority consistent with the priority of other requirements
this requirement contributes to?
(cf. Section 4.2.1)
15 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Checking decision tables
N input conditions number of case combinations < 2N
=> missing cases
Train receives outdated acceleration command T T T T F F F
Train enters station block at speed X mph T T F F T F F
Preceding train is closer than Y yards T F T F F T F
Full braking activated X X
Alarm generated to station computer X X X X
(number of case combinations > 2N
=> redundant cases )
16 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Language-specific checklists: intra- and inter-diagram checks
Any output flowing out this DFD operation not flowing out any
downstream suboperation in the DFD refining this operation?
Any relationship in ER diagram with inadequate multiplicities?
Any input (output) of this DFD operation not declared in ER diagram?
Is this event trace in ET diagram covered by a path in SM diagram?
Any non-final state in this SM diagram with no outgoing transition?
Any dynamic attribute/relationship defining this state in SM diagram
not declared in ER diagram?
(cf. Section 4.3.9)
F Can be automated by tools
17 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Language-specific checklists: checks on formal specs
Is the type of the RHS of this equational postcondition compatible
with the declared type of the LHS output variable?
If the output variable in this Z operation schema is a partial function,
is there a precondition to specify where this variable is fully defined?
Is this precondition consistent with invariants in the imported Z data
schemas?
Is there an exception schema for the case where this precondition
does not hold?
Does this OR-combination of Z schemas cover all possible cases?
(cf. Section 4.4)
F Can be automated by tools
18 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Requirements inspections and reviews:
strengths & limitations
J Experienced to be even more effective than code inspection
– process-based mode with mix of defect-based, quality-specific, domain-specific, language-specific checklists
J Wide applicability
– any defect type, any spec format
L Burden & cost of inspection process
– size of inspection material
– required time/cost for external inspectors, review meetings
L No guarantee of not missing important defects
19 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Requirements quality assurance: outline
Requirements inspections and reviews
– The requirements inspection process
– Inspection guidelines
– Requirements inspection checklists
Queries on a specification database
Requirements validation by specification animation
Formal checking
– Language checks
– Dedicated consistency and completeness checks
– Model checking
– Theorem proving
20 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Queries on a specification database
For diagrammatic specs (cf. Sect. 4.3)
Specs maintained in requirements database
– logical schema derived from structure of diagram language
– DB engine can be generated from meta-spec of diagram language
Queries capture checks for structural consistency intra- or inter-diagrams (automate checklist questions)
e.g. Any output flowing out of this DFD operation and
not flowing out of any of the refining sub-operations ?
set out-data = Data
which FlowsOut Operation with Operation.Name = ‘myOperation’ and which not FlowsOut ref-ops where set ref-ops = Operation
which Refines Operation with Operation.Name = ‘myOperation’
ER query language, constructs = diagram keywords
21 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Queries on a specification database (2)
Diagram-specific query engine can be generated from
ER meta-spec of diagram language
Press-button mode commonly used by CASE tools - precooked queries for violation of standard consistency rules
1..* 1..*
Input
Component Name
Operation
Name MiniSpec GraphRepr
Data
Name GraphRepr
1..* 1..*
Output
FlowsIn
FlowsOut
To
From
Refinement
RefinedBy
Refines
0..*
0..*
Repository GraphRepr
Processor GraphRepr
Initiation Termination
Terminator Origin
query language constructs, diagram language keywords
22 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Requirements validation by specification animation
Aim: check requirements adequacy wrt actual needs
Approach 1: show concrete interaction scenarios in action
C Enactment tools can be used on Event Trace diagram (cf. Sect. 4.3.6)
D Scenario coverage problem
Approach 2: use spec animation tool
1. Extract or generate executable model from specs
2. Simulate system behavior from this model • submit stimulus events to mimic environment behavior
• watch model's response
3. Visualize the simulation while running
4. Get user's feedback
Model-based (unlike prototyping, cf. Sect. 2.2.6)
Many animators available for variety of spec languages – SCR, LTSA, Statemate, Jaza, Octopus, etc
23 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Simulating the model
1. Define animation scope – what should be shown for adequacy checking?
2. Produce an executable model – e.g. compile specs into parallel state machines (cf. Sect. 4.3.7)
3. Instantiate model to selected component instances – e.g. 2 trains, 3 platforms?
4. Run the NextState simulation function on selected instances in response to environment events
NextState (E, SC): % E: event set, SC: state configuration %
T = Triggered (E); % set of transitions triggered by events in E %
T’ = Enabled (T, SC) Permitted (T, CS) Consistent (T);
if T’ then E’ = EvGenerated (T’); % events generated by T' %
SC’ = newConfig (T’, SC);
NextState (E’, SC’) endif return
24 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Visualizing the simulation
To submit environment events and watch model's reaction while simulation running: – textual format: input commands, execution traces
– diagrammatic: input event selection, tokens progressing along model diagram – domain scenes: input panels, animated scene in the environment
i/o panel
warnings
parallel scenes taking place
SM diagram in execution execution
trace
25 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Requirements animation:
strengths & limitations
J Best way to check adequacy wrt real needs, actual environment
J Supports stakeholder involvement
– WYSIWYC: What You See Is What You Check
J Extendable to animate counterexamples generated by other tools (e.g., model checkers)
J Animation scenarios can be kept for later replay
– usable as acceptance test data
L Coverage? – requires careful design of scenarios likely to exibit problems
– no guarantee of not missing important inadequacies
L No free lunch: formal spec needed
26 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Powerful, automated QA techniques require formal specs
Language checks
– e.g. correct syntax, typing, static semantics
Language-specific consistency/completeness checks
– e.g. does this SCR table represent a total I/O function ?
Property verification
– algorithmic: model checking
– deductive: theorem proving
"x$y
27 www.wileyeurope .com/college/van lamsweerde Chap.5: Requirements Quality Assurance © 2009 John Wiley and Sons
Requirements quality assurance: summary
Major concern in view of error diversity, frequency, criticality, cost
Requirements inspections and reviews
– any defect type, any spec format – more effective if well-planned process & specific checklists – limited tool support; less likely to reveal subtle errors
Queries on a specification database
– for structural inconsistencies & omissions in semi-formal specs – cheap; easy-to-use tools; surface errors
Requirements validation by specification animation
– for adequacy & completeness checks – formal, executable model required – possible stakeholder involvement; subtle errors; but partial
Formal checking
– QA from formal spec writing & sophisticated, automated checks – may reveal subtle errors; but more difficult to use