Regardless of the analysis method that is chosen, the operational principles apply. Data, function, and behavior are modeled. The resultant models must be partitioned (refined) to provide increasingly greater detail. The overall objective is to move from a specification that captures the essence of a problem to a specification that provides substantial implementation detail.
Cleanroom software engineering complies with the operational analysis principles by using a method called box structure specification. A “box” encapsulates the system (or some aspect of the system) at some level of detail. Through a process of stepwise refinement, boxes are refined into a hierarchy where each box has referential transparency. That is, “the information content of each box specification is sufficient to define its refinement, without depending on the implementation of any other box”. This enables the analyst to partition a system hierarchically, moving from essential representation at the top to implementation-specific detail at the bottom. Three types of boxes are used:
Black box. The black box specifies the behavior of a system or a part of a system. The system (or part) responds to specific stimuli (events) by applying a set of transition rules that map the stimulus into a response.
State box. The state box encapsulates state data and services (operations) in a manner that is analogous to objects. In this specification view, inputs to the state box (stimuli) and outputs (responses) are represented. The state box also represents the “stimulus history” of the black box; that is, the data encapsulated in the state box that must be retained across the transitions the black box implies.
Clear box. The transition functions that are implied by the state box are defined in the clear box. Stated simply, a clear box contains the procedural design for the state box.
The figure illustrates the refinement approach using box structure specification. A black box (BB1) defines responses for a complete set of stimuli. BB1 can be refined into a set of black boxes, BB1.1 to BB1.n, each of which addresses a class of behavior. Refinement continues until a cohesive class of behavior is identified (e.g., BB1.1.1). A state box (SB1.1.1) is then defined for the black box (BB1.1.1). In this case, SB1.1.1 contains all data and services required to implement the behavior defined by BB1.1.1. Finally, SB1.1.1 is refined into clear boxes (CB1.1.1.n) and procedural design details are specified.
As each of these refinement steps occurs, verification of correctness also occurs. State-box specifications are verified to ensure that each conforms to the behavior defined by the parent black-box specification. Similarly, clear-box specifications are verified against the parent state box.
It should be noted that specification methods based on formal methods can be used in lieu of the box structure specification approach. The only requirement is that each level of specification can be formally verified.
A black-box specification describes an abstraction, stimuli, and response using the notation shown in the figure. The function f is applied to a sequence, S*, of inputs (stimuli), S, and transforms them into an output (response), R. For simple software components, f may be a mathematical function, but in general, f is described using natural language (or a formal specification language).
Many of the concepts introduced for object-oriented systems are also applicable for the black box. Data abstractions and the operations that manipulate those abstractions are encapsulated by the black box. Like a class hierarchy, the black box specification can exhibit usage hierarchies in which low-level boxes inherit the properties of those boxes higher in the tree structure.
The state box is “a simple generalization of a state machine”. Recalling the discussion of behavioral modeling and state transition diagrams, a state is some observable mode of system behavior. As processing occurs, a system responds to events (stimuli) by making a transition from the current state to some new state. As the transition is made, an action may occur. The state box uses a data abstraction to determine the transition to the next state and the action (response) that will occur as a consequence of the transition.
Referring to the figure, the state box incorporates a black box. The stimulus, S, that is input to the black box arrives from some external source and a set of internal system states, T. Mills provides a mathematical description of the function, f, of the black box contained within the state box:
g : S* × T* → R × T
where g is a subfunction that is tied to a specific state, t. When considered collectively, the state-subfunction pairs (t, g) define the black box function f.
The clear-box specification is closely aligned with procedural design and structured programming. In essence, the subfunction g within the state box is replaced by the structured programming constructs that implement g.
As an example, consider the clear box shown in the figure. The black box, g, shown in the figure, is replaced by a sequence construct that incorporates a conditional. These, in turn, can be refined into lower-level clear boxes as stepwise refinement proceeds.
It is important to note that the procedural specification described in the clear-box hierarchy can be proved to be correct.
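The three box types, the function f of the black box, the state-subfunction pairs (t, g) of the state box, the sequence-plus-conditional form of the clear box, and the verification of each refinement against its parent, rendered as one added example. This is illustrative code written for this page, not code from the text or from Mills; the component (a login-lockout rule), the stimulus names 'ok'/'bad', the response names, the constant MAX_FAILURES and every function name are assumptions made for the illustration. The black box answers from the whole stimulus history alone; the state box keeps only the retained data (mode, consecutive failures) and dispatches to a per-state subfunction; the clear box is the same g written procedurally. verify_refinement enumerates every stimulus sequence up to a bound and checks that both refinements reproduce the black-box trace, which is the verification step the text describes, though as a bounded check rather than the proof the text refers to.

```python
"""Box-structure refinement, worked through on a hypothetical login-lockout
component (added example; rule, names and constants are assumptions).

  stimuli   S = {'ok', 'bad'}     valid / invalid credential presented
  responses R = {'ALLOW', 'DENY', 'LOCKED'}
Assumed rule: MAX_FAILURES consecutive 'bad' stimuli lock the account and every
later stimulus, 'ok' included, answers 'LOCKED'; an 'ok' before lockout resets
the failure count.
"""
from itertools import product
from typing import Callable, Dict, List, Tuple

MAX_FAILURES = 3                      # assumed policy constant for the example
Stimulus = str
Response = str
State = Tuple[str, int]               # T = (mode, consecutive failures)
INITIAL_STATE: State = ('open', 0)


# Black box: f : S* -> R. The response is a function of the whole stimulus
# history and nothing else; nothing is retained between calls.
def black_box(history: List[Stimulus]) -> Response:
    locked, consecutive = False, 0
    for s in history:
        if s == 'bad':
            consecutive += 1
            if consecutive >= MAX_FAILURES:
                locked = True
        else:
            consecutive = 0
    if locked:
        return 'LOCKED'
    return 'ALLOW' if history[-1] == 'ok' else 'DENY'


def black_box_trace(stimuli: List[Stimulus]) -> List[Response]:
    """f applied to every prefix of the sequence: the response at each step."""
    return [black_box(stimuli[:i + 1]) for i in range(len(stimuli))]


# State box: g : S x T -> R x T, given as state-subfunction pairs (t, g_t).
# The retained data (mode, failures) is the "stimulus history" the black box needs.
def g_open(stimulus: Stimulus, failures: int) -> Tuple[Response, State]:
    if stimulus == 'ok':
        return 'ALLOW', ('open', 0)
    failures += 1
    if failures >= MAX_FAILURES:
        return 'LOCKED', ('locked', failures)
    return 'DENY', ('open', failures)


def g_locked(stimulus: Stimulus, failures: int) -> Tuple[Response, State]:
    return 'LOCKED', ('locked', failures)   # absorbing state


SUBFUNCTIONS: Dict[str, Callable[[Stimulus, int], Tuple[Response, State]]] = {
    'open': g_open,
    'locked': g_locked,
}


def state_box_step(stimulus: Stimulus, state: State) -> Tuple[Response, State]:
    mode, failures = state
    return SUBFUNCTIONS[mode](stimulus, failures)


# Clear box: the procedural design of g as a sequence with conditionals,
# the structured-programming form that replaces the subfunction.
def clear_box_step(stimulus: Stimulus, state: State) -> Tuple[Response, State]:
    mode, failures = state
    if mode == 'locked':
        return 'LOCKED', state
    if stimulus == 'ok':
        return 'ALLOW', ('open', 0)
    failures += 1
    if failures >= MAX_FAILURES:
        return 'LOCKED', ('locked', failures)
    return 'DENY', ('open', failures)


def run(step: Callable[[Stimulus, State], Tuple[Response, State]],
        stimuli: List[Stimulus]) -> List[Response]:
    """Drive a step function from INITIAL_STATE over a stimulus sequence."""
    state, responses = INITIAL_STATE, []
    for s in stimuli:
        r, state = step(s, state)
        responses.append(r)
    return responses


def verify_refinement(max_len: int = 6) -> bool:
    """Verification step, bounded: every state-box and clear-box trace must equal
    the parent black-box trace for all stimulus sequences up to max_len."""
    for n in range(max_len + 1):
        for seq in product(('ok', 'bad'), repeat=n):
            stimuli = list(seq)
            expected = black_box_trace(stimuli)
            if run(state_box_step, stimuli) != expected:
                return False
            if run(clear_box_step, stimuli) != expected:
                return False
    return True


if __name__ == '__main__':
    print(run(clear_box_step, ['bad', 'bad', 'ok', 'bad', 'bad', 'bad', 'ok']))
    print('refinement verified up to length 6:', verify_refinement(6))
```

The black box is deliberately the least efficient of the three (it rescans the whole history on every stimulus) because that is what makes it a pure specification of behavior; the state box earns its place by showing exactly which part of that history must be retained, and the clear box is the one you would ship. Raising max_len grows the check as 2^n, which is why the text relies on proof rather than enumeration for the clear-box hierarchy.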