Consistency Checking of Conceptual Models via Model Merging
Mehrdad Sabetzadeh (U Toronto, Canada)
Shiva Nejati (U Toronto, Canada)
Sotirios Liaskos (York U, Canada)
Steve Easterbrook (U Toronto, Canada)
Marsha Chechik (U Toronto, Canada)
International Requirements Engineering Conference (RE’07)
October 19, 2007
Collaborative RE
Distributed Development
➜ Different teams work on separate models
➥ Models independent but related
➥ Relationships between models described explicitly
[Figure: M1 (StaffMember, Nurse, Doctor) and M2 (MedTeamMember, Physician, Technician)]
Building Relationships
➜ Never entirely sure how concepts are related
[Figure: Calendar, Unit, Schedule, Ward?]
Relationships need to be validated
Means for Analyzing Relationships
➜ Human-centric
➥ negotiation, repertory grid, etc.
➜ Automatic
➥ consistency checking, simulation, etc.
Focus of this work
Checking Consistency of Relationships: Examples
[Figure: M1 (Line, Rect) and M2 (Rectangle, Polygon): Multiple Inheritance]
[Figure: M1 (Widget, Canvas) and M2 (Canvas, Component, Widget): Cyclic Inheritance]
Challenge
➜ Often faced with a system of related models
[Figure: models M1 to M7 connected by relationships R12, R23, R34, R25, R57, R36, R67, R47]
Is the “system” consistent?
➥ Consistency of individual mappings not enough!
➣ ... it does not guarantee global consistency [Van Lamsweerde et al, Nuseibeh et al]
Global Inconsistency: Examples
[Figure: M1 (Line, Rect), M2 (Rectangle, Polygon), M3 (Square, Box)]
✔ ✔ Individually Consistent
✘ Globally Inconsistent
Global Inconsistency: Examples
[Figure: M1, M2, M3 with elements Container, Panel, Widget, Canvas, UIObject, UIContext]
✔ ✔ ✔ Individually Consistent
✘ Globally Inconsistent
Existing Research
[Figure: mapping R between M1 (Widget, Canvas) and M2 (Canvas, Component, Widget), with nodes labelled x, z, t, y]
∃x, y, z, t · R(x, y) ∧ R(z, t) ∧ Reach(x, z) ∧ Reach(t, y)
Rule coupled with mapping!
Not generalizable to global consistency checking!
Our Solution
Construct a merge before checking consistency!
[Figure: pipeline with stages Input Models and Mappings, Merge, Merged Model + Traceability Data, Consistency Checking, Diagnostics, Inconsistency Projection]
Traceability Data:
<traceinfo model="ex" diagram="Threeway">
  <element uid="645">
    <lineage view="Rob" uid="25"/>
  </element>
  <element uid="644">
    <lineage view="Rob" uid="21"/>
  </element>
  <element uid="646">
    <lineage view="Rob" uid="32"/>
    <lineage view="Connector1" uid="343"/>
    <lineage view="Sue" uid="12"/>
    <unifier name="C1-To-Sue" srcuid="343" tgtuid="12"/>
    <unifier name="C1-To-Rob" srcuid="343" tgtuid="32"/>
  </element>
  <element uid="647">
    <lineage view="Sue" uid="2"/>
  </element>
  <element uid="643">
    <lineage view="Rob" uid="19"/>
    <lineage view="Connector1" uid="341"/>
    <lineage view="Sue" uid="6"/>
    <unifier name="C1-To-Sue" srcuid="341" tgtuid="6"/>
    <unifier name="C1-To-Rob" srcuid="341" tgtuid="19"/>
  </element>
</traceinfo>
Diagnostics:
<html>
  <head>
  </head>
  <body>
    <h2>
      Diagnostics for <a href="view://merge/none">merge</a>
    </h2>
    <em><font color="#FF0000">(note the filters applied)</font></em><hr><strong>Objects
    with multiple parents:</strong>
    <ul>
      <li>
        <a href="view://merge/258">merge/258</a> <em><font color="#FF00FF">  ( Parents: <a href="view://merge/257">merge/257</a>  <a href="view://merge/260">merge/260</a>  )</font></em>
      </li>
    </ul>
    <hr>
  </body>
</html>
Key Benefit:
Can detect global inconsistencies without coupling the rules with the mappings!
Approach in Action
[Figure: M1 (Line, Rect), M2 (Rectangle, Polygon), M3 (Square, Box)]
Demo: http://www.cs.toronto.edu/~mehrdad/tremer/re07demo
Core Idea:
Check inter-model constraints via
checking intra-model constraints
of a merged model
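The core idea above, as an added Python example that is not part of the original slides or of TReMer+: mapped elements are unified into one merged graph, and the intra-model rules (cyclic inheritance via transitive closure, multiple parents via counting) are run on the merge. Element names come from the slides; the inheritance edges and mappings are constructed assumptions, chosen so that every pairwise merge is acyclic while the three-way merge contains a cycle.

```python
from itertools import combinations

# Constructed sample: inheritance edges (child, parent) per model. Element names
# come from the slides; edge directions and mappings are assumed for illustration.
MODELS = {
    "M1": [("Panel", "Container")],
    "M2": [("Widget", "Canvas")],
    "M3": [("UIContext", "UIObject")],
}
MAPPINGS = {  # pairwise mappings: element pairs declared to be the same concept
    ("M1", "M2"): [("Container", "Widget")],
    ("M2", "M3"): [("Canvas", "UIContext")],
    ("M1", "M3"): [("Panel", "UIObject")],
}

def merge(names):
    """Merge the named models: unify mapped elements, return the merged edge set."""
    rep = {}  # union-find parent pointers over (model, element) nodes
    def find(n):
        while rep.get(n, n) != n:
            n = rep[n]
        return n
    for (a, b), pairs in MAPPINGS.items():
        if a in names and b in names:
            for x, y in pairs:
                rep[find((a, x))] = find((b, y))
    return {(find((m, c)), find((m, p))) for m in names for c, p in MODELS[m]}

def reach(edges):
    """Transitive closure of the edge relation (the role TC plays in the slides)."""
    closure = set(edges)
    while True:
        new = {(a, d) for a, b in closure for c, d in closure if b == c} - closure
        if not new:
            return closure
        closure |= new

def cyclic(edges):
    """Cyclic-inheritance rule: elements that reach themselves."""
    return {a for a, b in reach(edges) if a == b}

def multiple_parents(edges):
    """Multiple-inheritance rule: elements with more than one distinct parent."""
    return {c for c, _ in edges if len({p for x, p in edges if x == c}) > 1}

def report():
    """Cycle verdict for each pairwise merge and for the merge of all models."""
    pairwise = {pair: bool(cyclic(merge(pair))) for pair in combinations(MODELS, 2)}
    return pairwise, bool(cyclic(merge(tuple(MODELS))))
```

Neither rule mentions a mapping: the mappings are consumed only by `merge`, so the same two checks serve one model, a pair, or the whole system.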
Building Blocks
Model Merging
Consistency Checking
Rules
Diagnostics Generation
Model Merging [ICSE’01, ASE’03, FSE’04, RE’05, ICSE’07]
➜ Builds on [RE’05]
➜ Highlights
➥ Concentrates on conceptual models
➥ Customizable to different graph-based notations
➥ Tolerates incompleteness and inconsistency
➥ Can merge several models at a time
Key for global consistency checking
Consistency Rules in Conceptual Modelling: Some Patterns
➜ Endpoint Compatibility
➜ Multiplicity
➜ Reachability
What Logic?
➜ (Standard) First Order Logic?
➥ Can’t express transitive closure
➣ hence, doesn’t capture the reachability pattern
➥ No counting operator
➣ leads to complex formulas for the multiplicity pattern
➜ Temporal Logic (CTL / LTL)?
➥ Unnatural for structural models
➥ Limited quantification power and no counting operator
➣ can’t capture the multiplicity pattern at all
Language for Consistency Checking
➜ We use FO + transitive closure + counting
➥ Implementation: CrocoPat [Beyer et al]
➜ CrocoPat Examples
➥ Let E(x,y) denote x → y
[Figure: example graph with nodes A, B, C, D]
# of predecessors of "A"?
n := #(E(x,"A"));
nodes reachable from "D"?
Reach(x,y) := TC(E(x,y));
FromD(x) := Reach("D",x);
Inconsistency Diagnostics
➜ Generated by instrumenting consistency rules
➥ Example diagnostics:
➣ Multiple inheritance
➣ Cyclic inheritance
...
FOR n IN MultipleParents(x) {
  ParentOfN(y) := EX(e, Src(e,n) & Tgt(e,y));
  PRINT n, "Parents: ", ParentOfN(y);
}
Preliminary Evaluation
Case Study
Performance
Performance
[Figure: Time (seconds) against Number of Elements (500, 1000, 5000, 10000) for Dangling Edges, Parallel Edges, Multiple Inheritance, Cyclic Inheritance]
Case Study
➜ Goal: Study the practical utility of global checking
➜ Models: 5 domain models for a healthcare system
➥ developed independently by 5 individual students
➥ models small (50-70 elements) but realistic
➜ Experiment
1. Build preliminary relationships between models
2. Apply global consistency checking to improve these relationships
Observations
➜ Global checking ...
➥ ... useful for exploring design conflicts
[Figure: M1, M2, M3 and Merge, each with StaffMember and Schedule; relations “belongs to” and “has”]
➥ ... collapses several pairwise checks into a single check
[Figure: Schedule in M1, M2, M3 and Merge]
➥ ... useful for hypothetical reasoning
➣ Example question: What happens if I delete node X?
Tool Support
➜ TReMer+
➥ Extended version of TReMer
➣ Tool for Relationship-Driven Model Merging
➥ New features:
➣ Structural consistency checking
➠ for UML domain models, ERD’s, and hierarchical state machines
➣ Traceability link generation and navigation
➣ Usability enhancements
http://www.cs.toronto.edu/~mehrdad/tremer/
Related Work
Consistency Checking as Model Checking
➥ Input: a model M and a set of properties P
M inconsistent if M ⊭ P
➥ Examples
➣ Temporal property checking, e.g. Spin [Holzmann]
➣ FO-based constraint checking, e.g. OCL [OMG], xlinkit [Nentwich et al]
Our approach falls here!
➜ Main differences
➥ Detection of global inconsistencies
➥ Built with early RE in mind
Consistency Checking as Model Finding
➥ Input: a set of properties P
P inconsistent if there is no M s.t. M ⊨ P
➥ Examples
➣ Proving logical consistency in Z [Spivey], Alloy [Jackson], etc.
➣ Property-based synthesis [Pnueli]
Future Work
➥ Handling heterogeneous models
➣ ... through metamodel-based transformations and logical model merging
➥ Integration with a model matcher
➣ Work in progress! Stay tuned ...
➥ Resolution of global inconsistencies
Summary
➜ Developed a tool-supported technique for global consistency checking
➥ Based on model merging
➜ Identified patterns for consistency rules in conceptual modelling
➥ Compatibility, multiplicity, reachability
➜ Did a preliminary evaluation of our work
➥ Performance, small case study
Thank You!
Questions?