Professional Documents
Culture Documents
Charles Wallace Xinli Wang Virginia Bluth Michigan Technological University wallace@mtu.edu
Software problems
(Jackson, 1995) Problem context: interaction between software machine and its environment Requirements: stated purely in terms of environmental phenomena Specification: restricted to machine-environment phenomena phenomena that affect machine state
environmental phenomena
specification phenomena
machine phenomena
Problem stated in terms of concrete, observable phenomena avoids overgeneralization of context (getting away from the realities of the customers world) Problem stated in terms of machine-environment interaction avoids overgeneralization of requirements (getting away from the realities of the customers problem)
Problem structuring
(Jackson, 1995, 2000)
Attack the complexity of a software problem by creating a set of projections of the problem Projections (subproblems) may overlap (i.e. share phenomena) Each projection belongs to a well-known class of similar problems: a problem frame Strong similarities to notion of design patterns As we deal with instances of each problem frame, we learn heuristics (rules of thumb) for documenting and learning about such problems
Domains
represent sets of individuals (distinguishable things of interest in problem) domain may possess certain attributes may be related to other domains via shared phenomena Machine domain: exactly one per problem frame no attributes except those shared with environment Realized (designed) domain: software developers may help in its design typically, electronic representations of data
Connection domain
exists purely as intermediary between multiple domains e.g. communication channel can always be ignored... pro: higher abstraction level con: abstraction may leak reasons to include connection domain: communication failure communication delay connection domain referred to in requirements conversion of phenomena via connection domain
Note the abstraction here: mechanism for accepting and detecting coin ignored OK if coin detection is a given; not OK if we're designing the coin detector
customer insert coin admission machine
Note: this can be broken into multiple binary interfaces... with a lowering of abstraction level pay
customer take
clerk give
product Now, we have to stipulate that give precedes take; if pay fails, then take shall also fail,
Requirement
Form: If (antecedent), then (consequent) Antecedent and consequent refer to shared phenomena References in the antecedent: descriptive (indicative) mood References in the consequent: prescriptive (optative) mood No indicative or optative references to machine domain: requirements don't refer to machine Antecedent may be empty, but consequent must not
Requirement example
If the customer inserts a coin, the gate shall become unlocked. customer
insert (event) insert (event)
admission machine
gate
admission criteria
This requirement refers to the (unshared) lock status of gate, rather than the (shared) machine-gate events lock and unlock
A patient monitoring program is required for the ICU in a hospital. Each patient is monitored by an analog device which measures factors such as pulse, temperature, and blood pressure. The program reads these factors on a periodic basis (specified for each patient) and stores them in a database. For each patient, safe ranges for each factor are also specified by medical staff. If a factor falls outside a patient's safe range, or if an analog device fails, the nurses station is notified.
A patient may be connected to an intravenous pump that supplies medication. There are three ways in which medication may be administered via the pump. First, medical staff may stipulate that a patient is to receive regular periodic dosages through the pump. Second, staff may request a single dosage to be applied immediately. Finally, if authorized earlier by medical staff, a patient may request an immediate dosage by pressing a button on the pump. In all cases, the total daily dosage must not exceed the limit entered earlier by medical staff. If a pump fails, the nurses station is notified.
Domains: monitoring program (machine) patients analog devices medical staff nurses' station intravenous pump
Since the pump and the analog devices both connect patients to the machine, should they be merged into a single domain?
The pump and the analog devices have little state information or shared phenomena in common; best to treat them as separate domains
What can we learn from patients? Some examples: range of expected vital sign values range of expected analog device readings frequency of patient movement in/out of the ICU frequency of additions/deletions to PR&D database patients need for pain medication usability issues surrounding dosage requests
if yes if yes if no
f medical staff
a: periods, ranges, dosages b: factor report c: alert d: pump control / request dose e: patient readings f: enter period/range/dose g: dose button / administer dose h: vital signs
Problem frames
Simple, generic archetypal subproblems Information display problem Required behavior problem Commanded behavior problem Workpieces problem Transformation problem
b: Reports (IS)
When world state is so-and-so... machine detects state info and sends report... causing appropriate change in display state.
Information display
When world state is so-and-so real world may be static or dynamic if world is static and small, problem is trivial if world is dynamic, how frequently does machine sample world? e.g. Device and patient alert problems: both involve dynamic real-world phenomena Device alert sampling frequency: fixed Patient alert sampling frequency: determined by medical staff Device alert sampling must be frequent enough not to hide patient alerts
Information display
machine detects state info... often, there is a machine-real world connection domain real world interpreted by sensor or data-entry person a: SensorData (S) b: WorldData (RW) information system (IS) a sensor (S) Usual concerns apply with regard to connection domains: failure, translation, ... real world (RW)
Information display
Device alert problem: What is the failure model of the devices? Does device signal its impending failure? (unlikely) Fail-stop: device simply stops sending data In this case, we may sense failure via device heartbeat Byzantine: failed device continues to send (bogus) data This complicates failure detection
Information display
Machine must model the real world e.g. patient modeled as a triple: (temp, blood pressure, pulse rate) each factor is an electronic approximation of the real vital signs gap between model and real world: how accurate must model be? What is the frequency of model state checking? What is the granularity of data?
Information display
requirement: If P(rw), then display P(rw). solution: create model m If Q(m(rw)), then display P(rw). Do we really need to require that Q(m(rw)) P(rw) ? A weaker condition may be sufficient: e.g. Q(m(rw)) P(rw) P(rw) Q(m(rw)) (no false positives) (no false negatives) In device/patient alert problems, false negatives unacceptable False positives may be tolerated: risks of wasting medical staff time, annoying patients
Information display
machine sends report, causing appropriate change in display state. e.g. Device/patient alert problems need to know precisely which device has failed also need to know which patient is connected to the device how are patients identified? Display design: important nonfunctional (usability) issues e.g. Alert problems: clarity of presentation is essential
a: WorldState (RW) b: Queries (EO) c: Reports (IS) d: DisplayState (D) When world state is so-and-so... machine detects state info... if operator then makes a query... machine sends a report... causing appropriate change in display state.
b: DomainState (CD)
Machine issues commands... (possibly after considering current domain state information)... that keep domain in an acceptable state.
Required behavior
Information display problem could be seen as required behavior, with the display being the controlled domain, but in information display problems, controlling the display is typically not difficult; the real difficulty is in capturing the real world accurately.
Required behavior
Machine issues commands What are the commands at the machines disposal? e.g. for Regular Dosage problem, say the commands are pump on, pump off This implies that dosages will be determined by precise timing on the part of the machine Note the distinction between the commands (at the CM-CD interface) and the domain state (mentioned in the requirement) The requirement does not mention anything about machine commands
Required behavior
possibly after considering current domain state information... How much feedback is needed from controlled domain? If effects of commands are totally predictable, and only our machine affects domain, then machine needs no state info Otherwise, need to know range of variation of commands effects how to detect failed commands how to undo/redo failed commands effects that other domains may have on the controlled domain
Required behavior
that keep domain in an acceptable state. What are the direct effects of the machine commands on the controlled domain? What are the indirect effects? e.g. Can we assume that keeping pump on for x seconds results in some amount f(x) of medication being administered? Controlled domain may include uncontrollable states (e.g. mobile unit that goes out of communication range) Can controller take domain to a state thats no longer controllable? If so, need to disable certain sequences of commands
a: OperatorCommands (O) b: MachineCommands (CM) c: DomainState (CD) Operator issues commands... machine rejects non-sensible ones... machine ignores commands unviable in current domain state... for sensible, viable commands, machine responds with its own commands that keep the domain in an acceptable state.
Commanded behavior
Operator issues commands... Operator commands and machine commands may be quite different e.g. single command from patient/staff translated into a pump on/ pump off sequence, with an appropriate time interval in between Design of operator commands is important e.g. staff-administered dosage: specify dosage level? need to balance flexibility/expressivity vs. ease/speed of use Note: patient-administered dosage requests come via the pump; design of the patient command interface is out of our hands
Commanded behavior
machine rejects non-sensible commands... sensible commands: have some reasonable meaning given the context of previous commands non-sensible commands may be disabled (e.g. grey out currently non-sensible menu items) e.g. Staff dosage request for a patient is not sensible without an earlier establishment of a daily dosage limit
Commanded behavior
machine ignores commands unviable in current domain state... viable commands: have some reasonable meaning given the current state of the controlled domain disabling unviable commands more difficult; requires sampling of controlled domain e.g. Patient dosage requests are always sensible, but not viable if self-dosage not authorized, or dose would put the daily dosage over the limit
b: WorkpieceOperations (ET)
Workpieces
Similar to Commanded behavior frame --but controlled domain here is totally computer-internal Workpieces: intangible software objects (e.g. documents, files) usually easier to control than domains outside the computer very often a designed domain: our right/responsibility to co-design it Challenges in workpieces problems: identifying syntactically correct, sensible user commands viability conditions mapping between user and machine commands
From a collection of input data, Source produces input stream... Machine responds by producing an output stream, creating output data at destination that respects the input-output mapping.
Transformation
Source produces input stream... Machine responds by producing an output stream input rate: is it truly streaming? Regular or intermittent? output rate: Is there an upper limit? Can input rate ever exceed maximum output rate? If so, can input data be dropped? If not, what is the max expected amount of buffering needed?
Transformation
creating output data at destination that respects the inputoutput mapping. Range of possible input data values Range of possible output data values Mapping: one-to-one, one-to-many, many-to-one? e.g. Does factors database store summary reports (many-to-one), or does it store each individual reading (one-to-one)?
References
M.A. Jackson. Software Requirements and Specifications. Addison Wesley, 1995. M.A. Jackson. Problem Frames. Addison Wesley, 2000. B.L. Kovitz. Practical Software Requirements. Manning, 1999.