Integrating UML with Service Refinement for Requirements Modeling and Analysis

Integrating UML with Service Refinement for Requirements Modeling and Analysis


[]Yilong Yangmum \authorentry[]Jing Yangngz \authorentry[]Xiaoshan Linum \affiliate[um]The authors are with the Department of Computer and Information Science, Faculty of Science and Technology, University of Macau \affiliate[gz]The author is with the College of Computer Science and Information, Guizhou University, China {summary} Unified Modeling Language (UML) is the de facto standard for requirements modeling and system design. UML as a visual language can tremendously help customers, project managers, and developers to specify the requirements of a target system. However, UML lacks the ability to specify the requirements precisely such as the contracts of the system operation, and verify the consistency and refinement of the requirements. These disadvantages result in that the potential faults of software are hard to be discovered in the early stage of software development process, and then requiring to pay much efforts in software testing to find the bugs. Service refinement is a formal method, which could be a supplement to enhance the UML. In this paper, we show how to integrate UML with service refinement to specify requirements, and verify the consistency and refinements of the requirements through a case study of online shopping system. Particularly, requirements are modeled through UML diagrams, which includes a) use case diagram, b) system sequence diagrams and c) conceptual class diagram. Service refinement enhances the requirements model by introducing the contracts. Furthermore, the consistency and refinements of requirement model can be verified through service refinement. Our approach demonstrates integrating UML with service refinement can require fewer efforts to achieve the consistency requirements than only using UML for requirement modeling. ML, requirement analysis, service refinement, interface contract, formal methods

1 Introduction

The methodology of software development has been tremendously evolved from object-oriented, component-based to service-oriented approach [1]. Those methodologies are focus on dealing with the complexity of software [2]. UML can help the developer to handle inherent complexity by modelling and analyzing the functionality of the target system. Particularly, the developers can use use-case diagram and system sequence diagrams to specify the requirements model in the procedure of the requirements analysis, which includes defining the services interface and interaction protocols between the interface and environment. Furthermore, the domain model of the target system can be specified by the conceptual class diagram. However, the developers cannot know the potential issue of the requirements only depended on those diagrams, because UML cannot self-verify no bad properties (E.g., dead-lock and live-lock) in requirements models, and it does not contain any techniques to verify the correctness of refinements. That will make an embarrassing situation when several ”un-verified” requirements models are specified from the different stage of software development processes, the developers cannot guarantee that the new requirements model is enhanced from the previous one, by adding more the functional requirements without introducing any problems. Those disadvantages are the motivations of this paper to integrate UML with formal methods [3, 4, 5] to precisely define the requirement model, and verify consistency and refinement of the requirements.

Service refinement is chosen [6] to enhance UML, because it is a well-designed formal method on the calculus of contract refinement. It lays the foundation of guard design and design refinement from Unifying Theories of Programming (UTP) [7], and the refinement of divergence and failures from Communicating Sequential Processes (CSP) [8]. It models and verified many large system such as rocket, high-speed train, aerospace system. However, service refinement is not natively designed for object-oriented requirements modeling and analysis. We made some necessary extensions to service refinement before integrating with UML:

1) service visibility. The scope of visibility is used by UML to describe whether an operation of the interface is public or private. Corresponding, we extended the interface of service refinement with visible scope, which can specify whether a service is accessible for the outside environment or only serves as an internal service for other services.

2) divergence by private service. The divergence state defines the system in the unstable state of livelock, in which the system infinitely invokes internal actions. After extending service refinement with visible scope, divergence state is defined as infinitely invoking the private services of the interface.

3) consistency as deadlock-free and livelock-free. The consistency of service refinement only consider the deadlock. The extended consistency of contract must be deadlock-free and livelock-free. That means after any trace, not all services including private and public services are refusal to the environment, and the trace must not contain the infinitely private service invoking for livelock-free.

4) refinement by hiding private services. The refinement defined that the interface has the same behavioural with environment, but has less bad properties such as deadlock and livelock. We need hidden the private service to make the refinement definition consistent. Therefore, the extended refinement is defined as hiding the private services from the contract, the refined contract has less divergences and failures.

Contributions Online Shopping System (OSS) is the most common used and large system in our daily life. We adopt the case-based approach to present our methods through OSS case study. In summary, our major contributions are:

1) The extension of service refinement for requirements modeling and analysis by UML.

2) We illustrate that UML can enhance service refinement to elicit start-up requirements, which includes the skeleton of the service interface and domain model through use case diagram and interface and conceptual class diagrams, the draft of protocol and failures of contracts by system sequence diagram.

3) Base on the start-up UML requirements, we demonstrate that service refinement can refine the requirements model more precisely through specifying the contracts and protocols of requirements mathematically.

4) We demonstrate that service refinement can give system analysts the directions of refinement, prove the correctness of refinements and verify the consistency.

5) To demonstrate our approach works, we use the model checking tool FDR to specify the same contracts of online shopping system, and then verify the deadlock-free and livelock-free as well as the refinement of the contracts.

The remainder of this paper is organized as follows: Section 2 is preliminary of service refinement and the extensions. Section 3 presents requirement elicitation by UML. And then Section 4 shows formal specifications by service refinement. Section 5 presents refinement of contract and consistency verification. Finally, section 6 concludes this paper and discuss the future work.

2 Service Refinement: Preliminary and Extension

For self-contained and completeness of our paper, the brief introduction and extension of the service refinement [6] are presented in this section.

2.1 Interface

The interfaces are the access points of the system. An interface is defined as a tuple with a resource declaration sector and a service declaration sector:

RDec is a set of variables, variable defines as , where stands for the type of the variable. SDec is a set of the services, the service signature declares service holds variables of type and variables of type as its input and output parameters of the service respectively.

Extension for Interface

The prefix signature of service indicates the visibility of the service for the environments. We use the same notation of interface described in UML. The prefix notation ”+” indicates the service is a public service. The notation prefix ”-” indicates the service is a private service, which is not visible for the environment. The prefix set is . E.g, a public service describes as . In default, the service without a prefix is regarded as a public service.

Semantics of Service

A specification of a service is a triple , where

1) comprises all the resource managed by the service.

2) is the firing condition of the service, characterizing the circumstance under the service can be activated.

3) is a reactive design, describing the behavior of execution of service.

2.2 Contract

Contracts are the specifications of interfaces. A contract of an interface specifies the functionality of services declared in the interface, the protocol of the interactions.

A contract is a quadruple where


is an interface.


specifies the initial state of the design

where stands for resources of interface .


Spec maps each service of interface to its specification


is a protocol set of valid traces of service activation events, specifying the interaction pattern between the contract with its environment, where the event represents the call of service with the input . The protocol indicates that the contract can provides the normal response if its services are invoked in the orders included in . Otherwise, the result will be unpredictable.

Semantics of Contract

The dynamic behaviour of contract is described by the triple , where

  • Prot(Ctr) retrieves the weakest protocol of contract .

  • Failures(Ctr) is the set of pairs(s, X) where s is a sequence of interactions between and its environment, and denotes a set of events and in which the contract may refuse to engage after it has performed all actions in s.

  • Divergences(Ctr) consists a set of the sequences of interactions between with its environment which leads the contract to a divergent state.

Extension of Semantics of Contract

In UML, divergences(Ctr) specifies the interactions in an use-case which leads the system into a divergent state, in which a private service is invoked infinitely times. Therefore, the extension of divergences(Ctr) is:

In UML, the private service can only be invoked from other services in the same interface. Therefore, private services are in the refusal set of , except when the service invokes private service , that means

2.3 Contract Consistency

A contract is consistent, if it will never enter deadlock states unless its environment violates the protocol, i.e.,

where and represents the subsequences of which is formed by the input events. The notation means sequence is the prefix of .

Extension of Contract Consistency

In the extension, contract is consistent must be both deadlock-free and livelock-free. That means only if after any trace, the refusal set dose not contain all the private and public services,

and the subsequences trace of does not include infinitely invoking the private services.

2.4 Contract Refinement

Let are two contracts with the same set of services. is refined by , denoted by , if



Extension of Contract Refinement

In UML, the trace of divergence and failures contain the private services invoking. We need hidden them to keep the refinement definition consistent. Let are two contracts with the same set of public services. and re private service sets of and . is refined by , denoted by , if



Note that means hidden the private services in from .

Above is the brief introduction of service refinement. In the next section, we will show how service refinement support for requirements analysis with UML.

3 Requirements Modeling

Online Shopping System [9, 10] is a form of electronic commerce system which allows consumers to directly buy products from sellers over the Internet. Consumers can search interested products through the website, which displays the same product’s availability and pricing at different e-retailers. In recent years, customers can shop online using a range of different computers and devices, including desktop computers, laptops, tablet computers and smart phones. The Alibaba, Amazon, and eBay are the largest companies providing online shopping services for billions of people all over the world.

3.1 Use Case Diagram

Figure 1: UseCase Diagram on Online Shopping System

UML provides use case diagram to help customers specify the requirements of target system. The basic scenarios of shopping online system are specified in Fig. 1:

a) Search Products: The customer can search the desired products by the keywords, and the system displays the candidate products to the customers for further examinations.

b) Shopping Cart: When customers found the desired products, they can add the products to the shopping cart if the products are available, e.g., in the stock. The customer can also check the state of the shopping cart in any time, while they find some dislike products in the cart, they can quickly remove them, and when they like to buy more, the customer also can change the number of the item in the shopping car. E.g., there is already one Nike Shoes in Jack’s shopping car, and Jack likes to buy one more for his daddy, he could quickly change the number of shoes in the shopping cart.

c) Manage Order: When shopping cart is ready, the customer can place the order under his account. That means the customer must have an account and log into the system. Moreover, at least one address must be added to their accounts for receiving products. But if the customers have more than one addresses, the system will ask them to choose one for the shipment. Once customers logged into the system, they can check the state of order at any time, which will show whether the order is paid or not. Even the customer can track their products through the delivery system once the their products are sent out.

d) Payment : While placing the order, the customers must choose the payment approach. If they choose cash on delivery, the cash must be given to the delivery man when receiving products. If the customers choose online payment, the system will check his balance under the account, if the account has not enough balance to pay, the system must ask the customers to pay with their credit cards through third party payment services.

e) Manage Account: If customers are the first time to use this online shopping system, they must register membership before checking order out. The customers can modify their information at any time, which includes delivery addresses as well as their credit cards information.

3.2 System Interfaces and Domain Concepts Modeling

The primary use cases are presented in the previous section. In this section, we use the interface of class diagram of UML to specify the services of use cases in Fig.2.

Figure 2: Interfaces of Online Shopping System

For example, the interface of ManageAccount contains the service signup() for the new customer to register membership, the services login() and logout() for the member to log into and out the system, editPersonalInformation() is used for editing the personal information in this system, checkBalance() is used for checking balance in your account and deposit() is used for adding the account balance.

The interface can define all the services of the system, and it even can specify the input and output parameters of interface and required resource. However, UML lacks the ability to define the contract for each service precisely. The formal method, service refinement, not only provides the approach can precisely define service specification, interface, and contract, but also can verify the consistency and the refinement of the contracts. For example, the interface ManageAccount can be described by the interface of service refinement as follows:

The signatures of services are defined in SDec. For example, service login() requires variables username and password typed String as input variables, returns a variable R typed Boolean to indicate customer successful login. The required resource is defined in RDec. In which, the login state of customer are represented in variable LoginState with basic type Boolean. The current customer is represented as variable CurrentCustomer with the type Customer. This is not a basic type such as Float, Double, String, Boolean, and Date, but is a domain concept. This complex type should contain at least attributes such as Name:String, Passwd:String and Balance:Double, and it can be represented as a domain conceptual class of UML. Once we define all the interfaces of the system like above interface ManageAccountIF, we can forge the domain model by UML conceptual class diagram in Fig. 3. The conceptual class diagram describes abstract and meaningful concepts in the problem domain, and it decomposes the problem regarding individual concepts. This is an important trophy in requirement analysis. Therefore, we can tell that service refinement can help UML to get the more precisely model about the target system in at least requirement election stage.

Figure 3: Conceptual Class Diagram of Online Shopping System

4 Formal Specifications by Service Refinement

4.1 Service Specification

We have use cases, service interfaces, and domain model of the target system at this moment. For each service, we only know the name, but we need to precisely define the semantics of service, such as when does the service can be activated, what does the service do but not how to do, by describing the system state changes carried out by the service. UML diagrams cannot describe the semantics of service, but service refinement has the triple , that can specify the semantics of service. For example, the semantic of service deposit() can be defined as follow:

The customer can make a deposit into his account through service deposit(), this service has one input parameter inNewBalance, and one output parameter outR. is a guard condition describing only when resource LoginState is equal to True, the service deposit() can be invoked. The design main contains precondition and postcondition . describes that the state of the system before the execution of the service. describe the state of system when the execution service has finished. In the specification of service deposit(), describes the minimum deposit amount is at least 10 dollars. describes after execution of the service, the balance of current customer is equal to the origin balance plus the new deposit account, and the value of variable ourR is True. All the required resource are defined in , which contains variables LoginState, inNewBalance, outR and CurrentCustomer. Once we specified all the semantics of services in the interface of Manage Account, we can get Spec of interface ManageAccountIF:

At this moment, the semantics of all services are specified. However, the interactions between the interfaces of system and environment (actors) are not described. We will do it in the next section.

4.2 The Protocol of Interface

Service refinement can specify the interactions in the protocol Prot of interface contract. The protocol of interface is a set of valid event traces of service request and response represented as , where represents a request of service with parameter . represents the response of service with parameters . For example, the protocol of ManageAccount interface is:

Like regular expression, we introduce asterisk * at the right top of the event indicates zero or more occurrences of the preceding element and the question mark ? at the right top of the event indicates zero or one occurrence of the preceding element. The sequential invoking the services in the interface , the trace set is . The mediate traces are omit because the limit space of paper, we only show the initial trace and final trace in the following protocols. The protocol describes three main stories of interface ManageAccount: 1) In the initial state of the interface, no service is invoked yet, therefore, the trace of interface is empty. 2) If the users are the new customers, they must request service signUp() to open accounts in the system. 3) If they successfully register accounts or already have accounts in the system, they can call service login() to log in the system, check their balance of accounts, deposit into their accounts. Then they may log out of the system.

Figure 4: The Basic Event Flow of ManageAccount

4.3 System Sequence Diagram for Interface Protocol

The protocol of interface can define the interactions of use case as above, but it is not easy to understand for the end-users, even for the developers. UML provides activity diagram and system sequence diagram, which can describe event flow in a clear way. For example, the protocol of ManageAccount represented as system sequence diagram is in Fig. 4. Like using the question mark ? in the protocol to describe the optional of the event, system sequence diagram can take combined fragment opt to describe the same situation. Combined fragment loop can describes same loop situation as * asterisk. Furthermore, system sequence diagram can shows the system interface and the environment actor, and the request event and response event between actor and interface. In this point, UML can help service refinement to describe the protocol of the interface.

4.4 The Contract of Interface

Until now, we specified the functional requirements in interfaces of system I, the specification of services Spec including guard condition for activating service, the states of the system before and after execution of service, and the interactions protocol of interface Prot between the system and the environment. However, we still lack the information about the initial state of the interface. In the theory of service refinement, the contract of interface specifies the initial state of the resources. For example, the interface ManageAccount contains resource in RDec:

The initial operations of those resources are described as:

After system initialization, the resource UserDB contains all the customers in the database, CurrentCustomer is a reference initialized as Null, that means this resource is not refer to any variable. TempCustomer is Null, the boolean variable LoginState is False. The variable wait is False, which represents the system in the stable state, and system ready for receiving service requests from environments. After specifying the initial state of interface, we can derive the contract of the interface. For example, the contract of interface ManageAccount is specified as:


The contract of the interface contains the specifications of resources, services, the initial state of the interface, and protocol of the interface. However, the protocol only provides the valid interactions between system and the environment. We not only need to know what the interfaces of the system can do but also what they refuse to do. Service refinement can specify the refusal scenarios by modeling Failures(Ctr) of the contract. A failure is a pair where is the traces of interactions between environments and the system, and denote the refutation set of the services of the contract after trace . Failures(Ctr) is the set of all Ctr failures, which defined as:

This fragment of failure describes the refusal requests of services because the guards of service do not hold in the initial state of interface. For the contract of ManageAccount, the variable LoginState is equal to False in the initial state. In Fig.4 of workflow about usecase ManageAccount, the services checkBalance(), deposit(), and logOut() can be activated only if . That means those services refuse to response environments at the initial state of system interface. Formally, after initialization with empty trace , the refusal service of interface ManageAccount are:

The next fragment definition of contract failures are:

This failure set describes after execution of a sequence request events, the guards of services became false. The postcondition of login service shows the variable LoginState’ = True after successfully logging the system. That means when the customers have already logged in the system, they can not log in again because the guard condition of login service cannot be satisfied at this moment. Formally, after the traces of login service

The refusal service are . After the traces of logout service,

the variable LoginState become False. Thus, the refusal services are .

The next fragment of failures describe for every request of service, the system must have response to the environment, even when the service is in the fault. The formal description is:

In Fig.4 of the event flow of contract ManageAccount, every request event of service has a corresponding response event. Therefore, the system does not refuse to response for any request.


The next fragment of failures describe the requests of services leading the system into a waiting state. The formal description is:

The deposit service will lead system into a waiting state. For example, when a customer uses his credit card to add the balance to his account. The system will wait for the response from the third-party payment service. Usually, the system only need to wait seconds before getting the reply of the payment service, and then set the variable wait to False after execution the deposit service. However, the third-party payment service may be ignoring the payment request or not receive the request because of the fault of the internet and too many requests beyond his processing ability. If the requirements are not taken the exception cases into account, that will lead a deadlock. In that situation, the system will not give any response to any the request of the services from the environments. The failure of this case can specify as, after the execution services of traces

The system refuses to response any requests of public services . There is a terrible property of the system, and we must refine the contract to the deadlock-free requirements before making any implementation. The simple idea to handle this situation is designed an internal service repeatInvolkingPayment() to periodically such as 30s send the request to the third-party payment service until it is successfully getting the response. Note that the repeatInvokingPayment() must be a deadlock-free service. It has a inside timer to count the waiting time, once it does not can response from the third-part payment service till the maximum waiting time, it will force repeatInvokingPayment() to return a result. It is the useful strategy against the fault of the internet such as lost package and denies offer service of the third-party system.


The interface in class diagram can also have the ability to describe the internal service. The services in UML interface diagram of Fig.2 are public with the prefix mark ”+”, the internal service is private with the prefix mark ”-”. However, this internal service will make the system even worse. When third-party service is dead forever, repeatInvolkingPayment() service will never stop to send the request. That will make the system only make this internal service running forever, but not make any useful response to the environment. That is so-called livelock of the system, or the system is in the diverged state. Once the system stuck into the livelock, the system will refuse to responses from the environment. That is the last situation specified in the failures of the contract. Formally, the fragment of failures about divergences of the contract are defined as the set of the pair . Divergences shows the request event of service will lead system into a unstable state where is false. In divergence state, the internal services are infinitely invoked, that cannot affect system into a stable state. In our case, the internal service repeatInvolkingPayment() will lead system into a divergences state when the third-party service is forever unavailable. Formally, the divergence of interface ManageAccount is:

Once we specified divergence of ManageAccountIF, the last failures fragment of interface manage account are . In the divergence state, the interface ManageAccount will refuse to response any services of the interface.

In this section, we show how to use service refinement to specify all possible valid traces from the initial state of the interface with the refusal service sets. That precisely defines the semantics of the interface. We also see that UML diagrams can help to give a clue for modeling each case. UML diagrams and service refinement are complementary for each other. Although we get all the possible traces and refusal sets, that may contain the deadlock and livelock. The requirements model must meet at least functional correctness with the deadlock-free and livelock-free before implementation.

5 Refinement and Verification

In this section, we will show how to refine the contracts of interfacess to the deadlock-free and livelock-free contracts through theory of service refinement, and use model checking tool to confirm the refinements.

5.1 Contract Refinement

The main refinement strategy is to add more control strategies and resources to make refusal set is a proper subset of all the services set from . As we mentioned in the previous section, failures set of contract ManageAccount has two refusal all service pairs with the traces while executing of deposit service, first one is in the deadlock state because the fault of request to the third-party payment service, the second one is in the livelock (divergence) state when the infinitely repeat to request the third-party payment service by the internal repeatInvokingPayment() service. We specify the original contract of ManageAccount as , and the added internal service repeatInvokingPayment() contract as . Although contract is deadlock-free contract, does not refine because they violate the refinement definition. The contract is more divergence than : . We continue to improve the to livelock-free contract by adding a variable MaxRepeatedTimes typed Integer to the RDec of interface ManageAccount, and add an control strategy, that once invoking repeatInvokingPayment() reach times (e.g, 3 times), it will return the result , and set as . At that moment, the refusal service set of the contract will not contain all public services after the traces:

After adding the variable MaxRepeatedTimes and maximum trying strategy to contract of interface ManageAccount, while request service ?deposit(inNewBalance) service, the environment eventually receives the response !deposit(outR) after no more than MaxRepeatedTimes times invoking the internal service repeatInvokingPayment(). contract will not make system into a divergence state. Therefore, the contract is a deadlock-free and livelock-free contract, and refines because after hiding the private service set = {repeatInvokingPayment()}, the failures and divergences of and that holds:



Furthermore, the contract is a consistency contract, it will never enter deadlock and livelock states if environment follows the protocol of the contract. Formally, the of is:

The only difference between the protocols of and is in the last fragment contains the request events of where the number 0..MaxRepeatedTimes represents the repeat times of the event. The of is: