Evidential Diagnosis of Inconsistencies in Object-Oriented Designs

George Spanoudakis, Kuriakos Kasis, Flora Dragazi
Department of Computing, City University, Northampton Square, London EC1V 0HB, UK
E-mail (of contact author): gespan@soi.city.ac.uk

Abstract

This paper presents a diagnostic framework for assessing the significance of inconsistencies (i.e., violations of consistency rules) in software design models expressed in the Unified Modeling Language (UML). The assessment is based on significance criteria that software designers can specify and associate with specific consistency rules. These criteria define characteristics that the model elements involved in the violation of a rule should have for the inconsistency to be significant, and they are specified in a formal language derived from the Object Constraint Language (OCL). The satisfiability of the criteria by individual model elements is measured by belief functions defined by the framework. The measures generated by these functions are used to rank the inconsistencies caused by different model elements. The presented framework has been evaluated through a set of experiments. The results of these experiments show that criteria definable in the framework can be used to produce relatively elaborate significance-rankings of inconsistencies.

Keywords: diagnosis of inconsistencies, object-oriented design, software metrics, beliefs, Dempster-Shafer theory

1. Introduction

This paper presents a diagnostic framework for assessing the significance of inconsistencies in object-oriented design models of software systems expressed in the Unified Modeling Language (UML)¹. Inconsistencies occur as violations of specific consistency rules [7, 27]. As an example consider a UML design model with a set of object interaction diagrams (i.e. sequence and/or collaboration diagrams), and a consistency rule requiring that the messages which are dispatched in the execution of an operation in one interaction diagram of the model must be the same as the messages which are dispatched in the execution of the same operation in any other interaction diagram of it. In this example, an inconsistency would arise if the execution of the same operation dispatches different sets of messages in different interaction diagrams.

Inconsistencies are inevitable in software development [22]. And, although they should be settled eventually, they may need to be tolerated temporarily to give designers a chance to work independently developing different parts of a model without the need for continual reconciliation. Thus, in settings providing freedom for groupwork, it is important to be able to diagnose the significance of an inconsistency in order to decide when and with what degree of priority it has to be settled [7, 13, 27].

In the diagnostic framework described in this paper, the significance of an inconsistency is assessed based on the impact that it may have on different parts of a design model. This impact is indicated by particular characteristics of the elements of the model that have caused the inconsistency and which make possible the propagation of its effects from these elements to other parts of the model. For instance, an inconsistency in the specification of an operation that has arisen as a violation of the rule described above may be considered to be significant only if the operation is inherited by many classes of the system or, equivalently in terms of our framework, if it is defined in a class that has the characteristic of genericity (see Section 3.1 below).

¹ This framework has been developed as part of a semi-automatic method for managing inconsistencies in object-oriented software models called "reconciliation". A full description of this method can be found in [25]. An account of the framework at an earlier stage of its development may also be found in [26].

The diagnostic framework identifies characteristics of the main kinds of elements in UML design models (i.e., classes, association ends, operations and messages) which can propagate the impact of inconsistencies involving these elements to other elements of the model. These characteristics are the genericity and coordination capacity of classes, the functional essentiality of association ends, the charactericity of operations, and the functional dominance and coordinating capacity of messages. The framework allows software designers to specify significance criteria determining the characteristic (or logical combination of characteristics) that should be taken into account in assessing the significance of inconsistencies which arise as violations of specific consistency rules. These criteria are specified using a formal language derived from the Object Constraint Language (OCL) [17], called "S-expressions". The consistency rules are specified in OCL.

The satisfaction of a significance criterion by the model elements which have caused a set of inconsistencies is based on the computation of beliefs according to functions which satisfy the axiomatic foundation of Dempster−Shafer basic probability assignments [23] and have been defined in the framework for this purpose. These beliefs are used to rank and prioritize the inconsistencies.

The rest of the paper is structured as follows. In Section 2, we overview the representation scheme assumed by the significance diagnosis framework. In Section 3, we introduce the characteristics of model elements used by the framework and define the belief functions associated with these characteristics. In Section 4, we establish a scheme for expressing consistency rules and significance criteria, and for evaluating the significance of rule violations according to these criteria. In Section 5, we overview the tool that we have developed to implement the framework. In Section 6, we present the results of a set of experiments that we have conducted to evaluate the framework. In Section 7, we give an overview of related work, and in Section 8 we present conclusions and discuss directions for further work. The paper also has three appendices (Appendix A, B and C). Appendix A provides an overview of the Dempster-Shafer theory of evidence (referred to as "D-S theory" in the following). Appendix B provides the proofs for theorems which establish properties of these functions and combine them to obtain beliefs for significance criteria. Appendix C provides the grammar for S-expressions.

2. Representation framework

Our significance diagnosis framework is defined in reference to the meta-model of UML [18]. A complete description of this meta-model is beyond the scope of this paper and may be found in [18]. In this section, we only give an overview of the parts of the meta-model which are used in the definitions of the framework and refer to classes, associations, operations, object interactions and messages (see Fig. 1).

[Figure: UML meta-model class diagram relating the meta-classes ModelElement, GeneralizableElement, Generalization, Classifier, Class, Feature, StructuralFeature, BehavioralFeature, Attribute, Operation, Parameter, Association, AssociationEnd, ClassifierRole, AssociationRole, Interaction, Message, Action and CallAction]
Fig. 1. Elements of UML class models (adapted from Figures 2-5, 2-6, 2-16, 2-20 and 2-22 in [18])

More specifically, as shown in Fig. 1, in the UML meta-model:

• Classes are represented as instances of the meta-class Class and are associated with the operations, attributes and methods that they own via the association end feature.
• Operations are represented as instances of the meta-class Operation.
• Associations are represented as instances of the meta-class Association. An association has two or more association ends which are attached to the classes related by it. These association ends are represented as instances of the meta-class AssociationEnd. The classes which are attached to association ends are called the types of these ends and are related to them via the association end type. In a binary association between two classes c1 and c2, the end attached to c2 (c1) is called "opposite association end" of c1 (c2).
• Generalisation (Isa) relationships between classes are represented as instances of the meta-class Generalisation.
• Object interactions are represented as instances of the meta-class Interaction and are associated with the messages that they include by the association end message.
• Messages are represented as instances of the meta-class Message. A message m is associated with: (1) the class of the object that dispatches it (via the opposite association end sender), (2) the class of the object that receives it (via the opposite association end receiver), (3) the association that is used to obtain a reference to the object that receives the message (via the opposite association end communicationConnection), (4) the message that invokes the operation in the execution of which m is dispatched (via the opposite association end activator), (5) the messages which must be dispatched before m in the execution of the operation that dispatches m (via the opposite association end predecessor), and (6) the action that invokes the operation that m is meant to invoke (via the opposite association end action).

3. Characteristics of model elements

3.1 Class genericity

In the diagnosis framework, a class is said to be "generic" if it has numerous subclasses. Generic classes normally abstract operations for groups of services which have to be implemented by their subclasses. They also specify the internal state of the instances of these subclasses which is required to implement the operations. Thus, generic classes provide a basis for specifying clients of services without being aware of the exact class that provides them. Class genericity is identified as a characteristic in our framework because inconsistencies in the specifications of generic classes may affect not only these classes but also their subclasses, and the classes that use their operations.

[Figure: class diagram of the command classes Command, DatabaseCommand, SearchCommand, SearchByAuthor, SearchByTitle, SearchByKeyword, DeleteItemCommand and InsertItemCommand, each with an operation execute() (DatabaseCommand also with getImp()), and of the classes Keyword, SearchForm and DBHandler attached to the association ends key, sform and imp]
Fig. 2. A generalisation hierarchy of command classes

A generic class in our framework is denoted by the special predicate generic(c). The belief function associated with this predicate is defined as follows:

Definition 1: The belief in whether or not a class c in a model M is generic is measured by the function:

m1(generic(c)) = |c.Sub*| / |M.Classes − {c}|
m1(¬generic(c)) = 1 − m1(generic(c))

where (i) c.Sub* is the set of the direct and indirect subclasses of c, and (ii) M.Classes is the set of classes of the model M (the expression |s| denotes the cardinality of the set s).

According to m1, the degree of belief in the genericity of a class is 1 if every class in the model of c is a subclass of it. Furthermore, m1 is a D-S basic probability assignment (see Theorem 1 in Appendix A).

Example: Fig. 2 shows various commands for using a library system which are modeled as a generalisation hierarchy of command classes following the command pattern in [10]. The degrees of belief in the genericity of the command classes Command, SearchCommand, and SearchByKeyword in this hierarchy generated by m1 are: m1(generic(Command)) = 0.7, m1(generic(SearchCommand)) = 0.3, and m1(generic(SearchByKeyword)) = 0

3.2 Coordinating capacity of classes

In a software design model, some classes exist to coordinate interactions between other classes. In our framework, these classes are said to have a coordinating capacity in the set of interactions that they coordinate. The need for coordinating classes is evident from numerous design patterns, including the mediator, observer, facade [10], and rendezvous [4]. Such classes encapsulate the protocols of interactions between other classes and therefore an inconsistency involving them can have an impact on both the classes and the interactions coordinated by them. Despite differences in the structure and behaviour of coordinating classes in different coordination patterns, a common characteristic of them is that they send messages to or receive messages from all the classes that they coordinate. Drawing upon this observation, the belief function associated with the predicate coordinating-c(c,S), which denotes the coordinating capacity of a class c in the interaction S, is defined as follows:

Definition 2: The belief in whether or not a class c has a coordinating capacity in a set of object interactions S is measured by the function:

m2(coordinating-c(c,S)) = |Com(c,S)| / |Classes(S) − {c}|
m2(¬coordinating-c(c,S)) = 1 − m2(coordinating-c(c,S))

where
• S is a set of interactions
• Com(c,S) is the set of the classes whose instances send messages to or receive messages from the instances of c in the interactions of the set S excluding c, defined as: Com(c,S) = {v | (v ∈ M.Classes) ∧ (∃ I, m): (I ∈ S) ∧ (m ∈ I.message) ∧ ((m.sender = v) ∧ (m.receiver = c)) ∨ ((m.sender = c) ∧ (m.receiver = v)) ∧ (v ≠ c)}
• Classes(S) is the set of the classes which are the receivers or senders of messages in the interactions of S defined as: Classes(S) = {w | (∃ I, m): (I ∈ S) ∧ (m ∈ I.message) ∧ ((m.receiver = w) ∨ (m.sender = w))}

According to the definition of m2, the more the classes whose instances send messages to or receive messages from the instances of a class c in a set of interactions S the higher the degree of belief in the coordinating capacity of c in S. This degree of belief becomes equal to 1, when the instances of c in the interactions of S send a message to, or receive a message from an instance of every other class in these interactions. Furthermore, m2 is a D-S basic probability assignment (see Theorem 2 in Appendix B).

Example: As an example of using m2 to measure the coordinating capacity of classes consider the sequence diagrams of Fig. 3. These diagrams specify interactions that support the search for books in a library system. As shown in the diagram I1 of Fig. 3, a search menu (SearchMenu) is used to activate one of the three different search options offered by the system (i.e., searching by keywords, author name or title). These options are realised by the command classes SearchByKeyword, SearchByAuthor and SearchByTitle, respectively. The diagram I2 in the same figure shows the interaction that realises the first of these options (i.e., searching by keywords).
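
Definitions 1 and 2 can be checked mechanically. The following Python code is an added example, not code from the paper or its tool: it computes m1 over a hierarchy reconstructed from Fig. 2 and m2 over the interaction I1 of Fig. 3. The parent links, the sender/receiver pairs, all function names and the value returned when a denominator would be empty are assumptions.

```python
"""Belief functions m1 (Definition 1) and m2 (Definition 2) on the library model."""

# Constructed input: generalisations as (child, parent) pairs. The parent links
# are an assumed reading of Fig. 2; the values checked for Command, SearchCommand
# and SearchByKeyword depend only on how many subclasses each of them has.
GENERALISATIONS = [
    ("DatabaseCommand", "Command"),
    ("SearchCommand", "DatabaseCommand"),
    ("DeleteItemCommand", "DatabaseCommand"),
    ("InsertItemCommand", "DatabaseCommand"),
    ("SearchByAuthor", "SearchCommand"),
    ("SearchByTitle", "SearchCommand"),
    ("SearchByKeyword", "SearchCommand"),
]
# M.Classes: the command hierarchy plus the three associated classes of Fig. 2.
MODEL_CLASSES = {c for pair in GENERALISATIONS for c in pair} | {
    "Keyword", "SearchForm", "DBHandler"}

# Constructed input: interaction I1 as (sender, receiver, message) triples,
# an assumed reading of the sequence diagram described in the text.
I1 = [
    ("User", "SearchMenu", "selects_search_option"),
    ("SearchMenu", "SearchByKeyword", "execute()"),
    ("SearchMenu", "SearchByAuthor", "execute()"),
    ("SearchMenu", "SearchByTitle", "execute()"),
]


def all_subclasses(cls, generalisations):
    """c.Sub*: direct and indirect subclasses (multiple inheritance allowed)."""
    found, stack = set(), [cls]
    while stack:
        current = stack.pop()
        for child, parent in generalisations:
            if parent == current and child not in found and child != cls:
                found.add(child)
                stack.append(child)
    return found


def m1_generic(cls, classes, generalisations):
    """m1(generic(c)) = |c.Sub*| / |M.Classes - {c}|."""
    others = classes - {cls}
    if not others:
        return 0.0  # assumption: Definition 1 is silent on a one-class model
    return len(all_subclasses(cls, generalisations) & others) / len(others)


def classes_of(interactions):
    """Classes(S): every sender or receiver of a message in S."""
    return {p for msgs in interactions for s, r, _ in msgs for p in (s, r)}


def com(cls, interactions):
    """Com(c,S): classes other than c that exchange a message with c in S."""
    partners = set()
    for msgs in interactions:
        for sender, receiver, _ in msgs:
            if sender == cls and receiver != cls:
                partners.add(receiver)
            elif receiver == cls and sender != cls:
                partners.add(sender)
    return partners


def m2_coordinating(cls, interactions):
    """m2(coordinating-c(c,S)) = |Com(c,S)| / |Classes(S) - {c}|."""
    others = classes_of(interactions) - {cls}
    if not others:
        return 0.0  # assumption: no other participant means no coordination
    return len(com(cls, interactions)) / len(others)


def rank_by_genericity(classes, generalisations):
    """Classes ordered by decreasing m1, ties broken by name."""
    beliefs = {c: m1_generic(c, classes, generalisations) for c in classes}
    return sorted(beliefs.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, belief in rank_by_genericity(MODEL_CLASSES, GENERALISATIONS):
        print(f"m1(generic({name})) = {belief:.2f}")
    for name in sorted(classes_of([I1])):
        print(f"m2(coordinating-c({name}, {{I1}})) = "
              f"{m2_coordinating(name, [I1]):.2f}")
```
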

The class SearchByKeyword has a coordinating capacity in I2 as it displays a search form, gets keywords from this form, formulates a database query and forwards this query to another class to execute it. Unlike it, the class SearchMenu does not have a coordinating capacity in I2. SearchMenu merely handles an event indicating the user's request for searching by keywords, and sends the message execute() to the command class that is meant to realise this request (i.e., SearchByKeyword). The degrees of belief that m2 generates for the coordinating capacity of these classes reflect this difference as: m2(coordinating-c(SearchByKeyword,{I2})) = 0.8, and m2(coordinating-c(SearchMenu,{I2})) = 0.2.

[Figure: two sequence diagrams.
I1 − Interaction for selecting among search options. Participants: User, SearchMenu, SearchByKeyword, SearchByAuthor, SearchByTitle. Messages: 1: selects_search_option, 2: execute(), 3: execute(), 4: execute(). Guards: [option = "search by keyword"], [option = "search by author"], [option = "search by title"].
I2 − Interaction for searching by keywords. Participants: SearchMenu, SearchByKeyword, SearchForm, TextField, DBHandler, Statement. Messages: 1: execute(), 2: setVisible(boolean), 3: getKeywords(), 4: getText(), 5: formulateQuery(), 6: executeQuery(String,OCollection), 7: executeQuery(), 8: toObjCollection(result).]
Fig. 3. Interactions for a library system

Note, however, that SearchMenu has a coordinating capacity in I1 as in this interaction, it accepts a user request and decides which is the appropriate command class to forward it to. The belief in its coordinating capacity in I1 is m2(coordinating-c(SearchMenu,{I1})) = 1.

The differences in the coordinating capacity of the same class in different interactions shown in this example indicate that it may also be useful to assess this capacity across more than one interaction. By virtue of its definition, m2 can be used for this purpose. In our previous examples, for instance, the beliefs in the coordinating capacity of SearchMenu and SearchByKeyword across I1 and I2 are: m2(coordinating-c(SearchMenu, {I1,I2})) = 0.428, and m2(coordinating-c(SearchByKeyword, {I1, I2})) = 0.428.

3.3 Functional essentiality of association ends

If an object oi needs to send a message m to another object oj, it may get a reference to it through: (1) a local variable in the operation that dispatches m, (2) one of the parameters of the activator of m, or (3) an opposite association end of it that is attached to oj. In case (3), the existence of the association end that is used to get the reference to oj is essential for sending the message m. In our framework, such association ends are said to be "functionally essential" as they enable instances of classes to send messages.

As the way of obtaining a reference to the recipient of a message may not be specified in a UML interaction diagram, the functional essentiality of association ends in a design model cannot always be established with certainty. It is, however, possible to measure the probability of using an opposite association end a of a class c to obtain a reference to the recipient of at least one of the messages sent by the instances of c in the interactions of a model or, equivalently, the probability of the association end a being functionally essential for c. This probability can be measured assuming that when an object sends a message m: (a) it may use any of the ways (1)-(3) above to obtain a reference to the recipient of m with equal chance (Assumption 1), and (b) that the use of an association end a in obtaining a reference to the recipient of m is independent from the use of a in obtaining a reference to the recipient of any other message (Assumption 2).

Based on these two assumptions the function for measuring the probability of using an association end a to obtain a reference to the recipient of at least one of the messages sent by the instances of a class c can be derived as follows. Suppose that in the interactions of a model there are k messages sent by the instances of c and received by instances of the class attached to its opposite association end a. Let also Mi (i=1,…,k) be propositions denoting that the association end a is used to get a reference to the recipient of the message i. Then, if a is defined to be functionally essential for c if and only if it is used to get a reference to the recipient of at least one of these messages, the probability of the functional essentiality of a for c is:

Prob(OR i=1,…,k Mi) = 1 − Prob(¬(OR i=1,…,k Mi)) = 1 − Prob(AND i=1,…,k ¬Mi) = (due to Assumption 2) 1 − Π i=1,…,k Prob(¬Mi) = 1 − Π i=1,…,k (1 − Prob(Mi))

Then, if Rel(a,c) is the set of the opposite association ends defined in or inherited by the class c that have the same type as a and n(i,a) is the number of the parameters of the message i that have the same type as a, Prob(Mi) becomes equal to 1/(|Rel(a,c)| + n(i,a) + 1) due to Assumption 1 above (1 is added to the denominator of the formula for Prob(Mi) in order to account for the possibility of using a local variable for identifying the recipient of a message). Thus, Prob(OR i=1,…,k Mi) = 1 − Π i=1,…,k (1 − 1/(|Rel(a,c)| + n(i,a) + 1)). Drawing upon this result, we define the belief function associated with the predicate fessential-a(a,c), which denotes that the association end a is functionally essential for c, as follows:
  12. 12. Definition 3: The degree of belief in whether or not an opposite association end a isfunctionally essential for a class c of a model M is measured by the function:m3(fessential-a(a,c)) = 1− Π m ε Mes(a,c,M) (1− 1/(|Rel(a,c)| + n(m,a) + 1))if Mes(a,c,M) ≠ ∅m3(fessential-a(a,c) ) = 0 if Mes(a,c,M) = ∅m3(¬fessential-a(a,c)) = 1 − m3(fessential-a(a,c))where• Mes(a,c,M) is the set of messages sent by the instances of c (or its subclasses) toinstances of the type of the association end a in M: Mes(a,c,M) = {k | (∃ I): (I εM.Interactions) ∧ (k ε I.message) ∧ (k.sender ε (c.Sub* ∪ {c})) ∧ (k.receiver = a.type)}• M.Interactions is the set of interactions of the model M• n(m,a) is the number of the parameters of the message m that have the same type asa• Rel(a,c) is the set of the opposite association ends defined in or inherited by c thathave the same type as a:Rel(a,c) = {o | ((o ε M.AssociationEnd) ∧ (∃ e, r): (r ε M.Association) ∧ (o ε r.connection)∧ (e ε r.connection) ∧ (e ≠ o) ∧ (e.type ε (c.Isa* ∪ {c})) ∧ (a.type = o.type))}• M.AssociationEnd and M.Association are the sets of the association ends andassociations of M, respectively• c.Isa* is the set of the direct and indirect superclasses of c.As we prove in Appendix B, m3 is a D-S basic probability assignment (see Theorem 3 inthis appendix).Example: Given the messages of the interaction diagram I2 in Fig. 3, the degrees ofbelief in the functional essentiality of the opposite association ends key, imp, and sformof the class SearchByKeyword in Fig. 2 are: m3(key,SearchByKeyword) = 0,m3(imp,SearchByKeyword) = 0.5, and m3(sform,SearchByKeyword) = 0.75. According tothese belief measures, the association end sform is more likely to be functionallyessential for the class SearchByKeyword than the end imp. This is because12
  13. 13. SearchByKeyword sends two messages to instances of the type of sform but only onemessage to instances of the type of imp. Thus, it is more likely for sform to have beenused for obtaining a reference to the recipient of any of the former two messages thanimp to have been used for obtaining a reference to the recipient of the latter message.3.4 Charactericity of operationsAn operation that is overridden by most of the classes in its "scope" (i.e., the set of theclasses which introduce or inherit it) is significant for the design of a system as it oftenconstitutes a basic kind of behaviour which must be available in objects of different typeseven if it is realised in different ways by these objects. In our framework, we refer to suchoperations as "characteristic" operations and denote them using the special predicatecharacteristic-o(o). Examples of characteristic operations are often found in classlibraries of object-oriented programming languages. In Java’s abstract windows toolkitlibrary (AWT) [28], the operation processEvent() that is defined in the class Component(i.e. the root of the component class hierarchy) is characteristic as it is overridden in allthe classes that represent the different kinds of user interface components in the libraryto provide an implementation suitable for handling events relevant to them.Based on the above observations, the belief function associated with the predicatecharacteristic-o(o) is defined as follows:Definition 4: The degree of belief in whether or not an operation o is characteristic ismeasured by the function:m4(characteristic-o(o)) = Πc ε Oclasses(o) |Ov(o,c)∪{c}| / | c.Sub*∪{c}|m4(¬characteristic-o(o)) = 1 − m4(characteristic-o(o))where• Oclasses(o) is the set of the most general superclasses of the class of o which definean operation with the same signature as o, called original classes of o: Oclasses(o) ={ c | ((c ε o.owner.Isa* ∪ {o.owner}) ∧ (∃x): (x ε M.Operation) ∧ (x.owner = c) ∧13
  14. 14. (x.name = o.name) ∧ (∀p): ((p ε x.parameter[i]) → (∃q): ((q ε o.parameter[i]) ∧ (p.type= q.type))) ∧ (∀q) : ((q ε o.parameter[i]) → (∃p): ((p ε x.parameter[i]) ∧ (p.type =q.type))) ∧ (¬ (∃ c,o): ((o ε M.Operation) ∧ (c = o.owner) ∧ (o.name = o.name) ∧ (cε c.Isa*) ∧ (∀p): ((p ε o.parameter[i]) → (∃q): ((q ε o.parameter[i]) ∧ (p.type =q.type))) ∧ (∀q): ((q ε o.parameter[i]) → (∃p): ((p ε o.parameter[i]) ∧ (p.type =q.type))))) }• M.Operation is the set of the operations of the model M• z.parameter[i] denotes the i-th parameter of the operation z• Ov(o,c) is the set of the subclasses of c which override o: Ov(o,c) = { c | ((c ε c.Isa*)∧ (∃o): ((o ε M.Operation) ∧ (o.owner = c) ∧ (∀p): ((p ε o.parameter[i]) → (∃q): (q εo.parameter[i]) ∧ (p.type = q.type))) ∧ (∀q): ((q ε o.parameter[i]) → (∃p): ((p εo.parameter[i]) ∧ (p.type = q.type)))) }According to m4, the more the classes in the scope of an operation o which override it thehigher the belief that o is a characteristic operation. This belief becomes 1 if o isoverridden by every class in its scope. Furthermore, m4 is a D-S basic probabilityassignment (see Theorem 4 in Appendix B).Example: m4 generates the following beliefs in the charactericity of the operationsCommand.execute() and DatabaseCommand.getImp() in Fig. 2:m4(Command.execute()) = 1 and m4(DatabaseCommand.getImp()) = 0.14. Thedifference in the beliefs in the charactericity of Command.execute() andDatabaseCommand.getImp() reflects the fact that the former operation is overridden byall command classes in order to trigger the execution of the functionality realised by thecommand while the latter operation fetches the object attached to an association end.3.5 Coordinating capacity of messagesMessages invoke operations which may: (a) provide part of the internal functionality of aclass, or (b) coordinate the interaction of a group of other objects by invoking operations14
in them, combining the data that these operations may generate, and eventually notifying the combined outcome of the interaction to the sender of the message that invoked them. The operations of the latter kind have the most significant role in the design of a system as they encapsulate the coordination of complex interactions among other objects and, thus, make it possible to separate the internal functionality of these objects from the functionality required to realise their interactions. Consequently, an inconsistency involving a coordinating operation is likely to have a significant impact in a model.

In a design, what characterises coordinating operations is the fact that most of the other operations which need to be executed in different objects to deliver their functionality are directly invoked by them. In UML design models, however, the only evidence about the operations which are invoked by an operation o comes from the messages which are dispatched by the message that invokes o in the interactions of the models. Based on such evidence, it may, for instance, be concluded that the operation invoked by the message executeQuery(String,OCollection) in the interaction diagram I2 of Fig. 3 is a coordinating operation. This is because executeQuery(String,OCollection) invokes directly all the operations that are needed to provide its functionality, namely the operations executeQuery() and toObjCollection(result).

In our framework, we attribute the coordinating capacity of operations to the messages that invoke them (and can in turn be used to assess it).
This capacity is signified by the special predicate coordinating-m(m,S) (the meaning of this predicate is that the message m has a coordinating capacity in the set of interactions S) which is associated with the following belief function:

Definition 5: The belief in whether or not a message has a coordinating capacity in a set of object interactions S of a model M is measured by the function:

m5(coordinating-m(m, S)) = |Dsig(m, S)| / |Asig(m, S)| if Asig(m, S) ≠ ∅
m5(coordinating-m(m, S)) = 0 if Asig(m, S) = ∅
m5(¬coordinating-m(m, S)) = 1 − m5(coordinating-m(m, S))

where
• S is a set of interactions
• Dsig(m, S) is the set of the signatures of the messages directly dispatched by m in the interactions of S, formally defined as: Dsig(m, S) = {sig(v) | v ε Dmes(m,S)}
• Dmes(m, S) is the set of the messages directly dispatched by m in the interactions of S, formally defined as: Dmes(m, S) = {v | (∃ I): (I ε S) ∧ (m ε I.message) ∧ (v ε I.message) ∧ (v.activator = m)}
• sig(v) is an ordered tuple that we call "signature" of v and define as:
  - sig(v) = <r, n, t1, …, tk> if v.action is an operation calling action
  - sig(v) = <r, n> if v.action is not an operation calling action
  - r = v.receiver, n = v.name, and ti = v.action.operation.parameter[i].type
  - two signatures: sig(v) = <r, n, t1, …, tk> and sig(v) = <r, n, t1, …, tk> are defined to be equal if and only if: (r = r) and (n = n) and (ti = ti) for all i=1,…,k
• Asig(m,S) is the set of the signatures of the messages which are directly or transitively dispatched by m in the interactions of S, formally defined as: Asig(m, S) = {sig(v) | v ε Dmes(m,S)} ∪ ∪_{v ε Dmes(m,S)} Asig(v,S)

According to Definition 5, the more the messages which are directly dispatched by m in relation to the total number of messages which are dispatched (directly or indirectly) by m, the higher the degree of belief in the coordinating capacity of m. m5 establishes the transitive closure of the messages dispatched by a message m with respect to all the interactions in a given set of interactions S. Thus, it is not sensitive to cases where different sets of messages appear to be dispatched by the same message m in different interactions of a model. Furthermore, m5 is a D-S basic probability assignment (see Theorem 5 in Appendix B).

Examples: The beliefs in the coordinating capacity of the messages execute(),
executeQuery(String,Ocollection) and setVisible(boolean) in I2 are: m5(coordinating-m(execute(),{I2})) = 0.57, m5(coordinating-m(executeQuery(String,Ocollection),I2)) = 1, and m5(coordinating-m(setVisible(boolean),{I2})) = 0.

3.6 Functional dominance of messages

In an interaction, there may be messages invoking operations which trigger directly or transitively operations that realise substantial parts of it. In interaction I2 of Fig. 3, for instance, the message execute() transitively invokes all the operations which realise it. In our framework, such messages are said to be "functionally dominant". An inconsistency in the specification of a functionally dominant message is significant since it may prevent the entire interaction from taking place. The functional dominance of a message m in an interaction I is denoted by the special predicate fdominant-m(m,I). The belief function associated with this predicate is defined as:

Definition 6: The belief in whether or not a message m is functionally dominant in an object interaction I is measured by the function:

m6(fdominant-m(m,I)) = (|Ames(m, {I})| + 1) / |I.message − {m}|
m6(¬fdominant-m(m,I)) = 1 − m6(fdominant-m(m,I))

where (i) Ames(m, {I}) is as defined in Definition 5, and (ii) I.message is the set of all the messages of the interaction I.

According to Definition 6, the more the messages which are dispatched by a message m in an interaction I in relation to the total number of messages dispatched in I, the higher the belief that m6 generates for the functional dominance of m. Furthermore, m6 is a D-S basic probability assignment (see Theorem 6 in Appendix B).

Example: The degrees of belief generated by m6 in the functional dominance of the messages execute(), executeQuery(String, Ocollection) and setVisible(boolean) in the interaction I2 of Fig. 3 are: m6(fdominant-m(execute(), I2)) = 1.0, m6(fdominant-m(executeQuery(String, Ocollection), I2)) = 0.28, and m6(fdominant-m(setVisible(Boolean), I2)) = 0. The above beliefs reflect the fact that execute() invokes directly or transitively all the operations of the interaction, executeQuery(String, Ocollection) invokes directly the operations which realise only one part of the interaction (i.e., the retrieval of data), and setVisible(boolean) invokes only one operation.

4. Assessment of the significance of inconsistencies

4.1 Specification of consistency rules and significance criteria

In our framework, an inconsistency is defined as a violation of a specific consistency rule. To assess the significance of inconsistencies, we introduce a scheme for specifying significance criteria and associating them with consistency rules. These criteria define the characteristics that the elements involved in the violation of a rule should have for the violation to be significant. Fig. 4 shows a conceptual meta-meta-model (M2 model) of the scheme for specifying consistency rules and significance criteria. According to this scheme, a consistency rule is specified as an instance of the meta-meta class Consistency Rule and must be associated with exactly one class in the UML meta-model that is referred to as its context. A consistency rule is evaluated against the instances of its context (e.g., a consistency rule whose context is the meta-class Class is evaluated against all the classes of a UML model).

Consistency rules are specified by expressions of the Object Constraint Language (OCL) [17]. OCL expressions are specified using the logical operators "and", "or", "implies" and "not" (these operators have the same semantics as the logical conjunction, disjunction, implication and negation in predicate calculus, respectively) and the set operators "forall" and "exists".
The latter operators quantify a condition over the elements of the set they apply to and their semantics are the same as the semantics of the universal and existential quantifier of predicate calculus. Thus, an expression of the form set->forall(x | OCL-condition-over-x) becomes true if OCL-condition-over-x is true for all the elements of set. Similarly, an expression of the form set->exists(x | OCL-condition-over-x) becomes true if OCL-condition-over-x is true for at least one of the elements of set.

Fig. 4. A conceptual model of the scheme for specifying consistency rules and significance criteria

An example of a consistency rule specified in OCL is Rule-1 below (see footnote 2):

Rule-1: context: Message
OCL-expression:
self.action.oclIsTypeOf(CallAction) implies
self.sender.feature->exists(a: Attribute | a.type = self.receiver) or
Association.allInstances->exists(r | r.connection->exists(e1, e2 | (e1 <> e2) and (e1.type = self.sender) and (e2.type = self.receiver) and (e2.isNavigable = True)))

Footnote 2: In the OCL and S-expressions appearing in this paper strings in bold typeface and Italics are reserved OCL keywords and names established in the UML meta-model, respectively. self in these expressions refers to an instance of the class that is the context of the involved consistency rule and significance criterion.

Rule-1 requires that there be either an association or an attribute between the sender and receiver classes of every message in an interaction of a UML model that is navigable from the former to the latter class.

According to the scheme of Fig. 4, a consistency rule may be associated with zero or more significance criteria which are used to evaluate the significance of its violations. A significance criterion is defined by an S-expression specifying a logical combination of characteristics which the model elements that have caused the violation of the rule (or other model elements related to them) must have for the violation to be significant. S-expressions can be either atomic (i.e., expressions that contain only one of the predicates that designate the characteristics defined in Sections 3.1-3.6) or non atomic (i.e., expressions that specify logical combinations of atomic S-expressions).

Table 1 summarises the syntactic forms of both kinds of S-expressions and the typing conditions that they have to satisfy to be valid. As shown in the table, the atomic S-expression generic(elem_ref_name), for instance, is valid only if the type of the model element denoted by elem_ref_name is the meta-class Class. An S-expression has the same context as the consistency rule it is associated with and can, therefore, reference any named feature in the transitive closure of the features of this context. The names used to refer to model elements in an S-expression are defined by Let-expressions which are specified as part of a significance criterion. The grammar for specifying Let-expressions and S-expressions is given in Appendix C.

Examples of significance criteria defined to assess the significance of the violations of Rule-1 are Criterion-i and Criterion-j below:

Criterion-i: S-expression: coordinating-m(n1, n2); Name[1]: let n1 = self; Name[2]: let n2 = self.interaction
Criterion-j: S-expression: fdominant-m(n1, n2) and coordinating-m(n1, n2); Name[1]: let n1 = self; Name[2]: let n2 = self.interaction

Atomic S-expression, with its condition of validity indented below it:
  Generic(elem_ref_name)
      elem_ref_name.type = Class
  Fessential-a(elem_ref_name)
      elem_ref_name.type = Attribute OR elem_ref_name.type = AssociationEnd
  Characteristic-o(elem_ref_name)
      elem_ref_name.type = Operation
  Coordinating-c(elem_ref_name1, elem_ref_name2)
      elem_ref_name1.type = Class AND elem_ref_name2.type = Set (Interaction)
  Coordinating-m(elem_ref_name1, elem_ref_name2)
      elem_ref_name1.type = Message AND elem_ref_name2.type = Set (Interaction)
  Fdominant-m(elem_ref_name1, elem_ref_name2)
      elem_ref_name1.type = Message AND elem_ref_name2.type = Set (Interaction)

Non atomic S-expression, with its condition of validity indented below it:
  Non quantified S-expressions:
  p1 and p2 and … and pn
      pi : valid atomic S-expression (forall i=1,…,n)
  p1 or p2 or … or pn
      pi : valid atomic S-expression (forall i=1,…,n)
  Quantified S-expressions (qse):
  elem_ref->exists(x | OCL-expression-over-x and se(x)) *
      elem_ref.type = Set(ModelElement) AND se(x): is a valid non quantified S-expression over x
  elem_ref->forall(x | OCL-expression-over-x and se(x)) *
      elem_ref.type = Set(ModelElement) AND se(x): is a valid non quantified S-expression over x

* If elem_ref has a single object o as its value, we treat it as a singleton set with o as its only element.

Table 1. Syntactic forms of and typing conditions for valid S-Expressions

According to Criterion-i, a message that violates Rule-1 must have a coordinating capacity in the interaction it belongs to for the violation to be significant. According to Criterion-j, a violation of Rule-1 is significant only if it is caused by messages which are functionally dominant and have coordinating capacity in their interaction.

In cases where more than one significance criterion is associated with the same consistency rule, the order of their application must be specified (see the constraint {ordered} of the association end criterion in Fig. 4). Thus, to use the coordinating capacity of the receiver of a message as a secondary criterion for ordering violations of Rule-1 that have been caused by messages of the same coordination capacity, a designer can specify the significance criterion:

Criterion-k: S-expression: coordinating-c(n1, n2); Name[1]: let n1 = self.receiver; Name[2]: let n2 = self.interaction

and then associate Rule-1 with Criterion-i and Criterion-k in this very order.
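The following is an added example, not code from the paper or its prototype: it computes m5 as in Definition 5 over a constructed stand-in for interaction I2 and ranks the five Rule-1 violations by Criterion-i, then Criterion-k, giving the beliefs and ordering that the example in Section 4.2 reports. The message tree, the readField() and showResults() messages, the receivers of those two messages and of toObjCollection, and the coordinating-c value for SearchByKeyword are assumptions; the other coordinating-c beliefs are the ones quoted in Section 4.2.

```python
from dataclasses import dataclass
from itertools import groupby
from typing import Optional


@dataclass(frozen=True)
class Message:
    name: str                               # v.name
    receiver: str                           # v.receiver
    params: tuple = ()                      # types of v.action.operation.parameter[i]
    activator: Optional["Message"] = None   # v.activator (None for the initial message)
    is_call: bool = True                    # v.action is an operation calling action

    def sig(self):
        """sig(v) = <r, n, t1..tk> for call actions, <r, n> otherwise."""
        return (self.receiver, self.name) + (self.params if self.is_call else ())

    def label(self):
        return f"{self.name}({','.join(self.params)})"


def dmes(m, S):
    """Dmes(m, S): messages directly dispatched by m in the interactions of S."""
    return [v for I in S if m in I for v in I if v.activator == m]


def asig(m, S):
    """Asig(m, S): signatures dispatched by m directly or transitively."""
    out = set()
    for v in dmes(m, S):
        out.add(v.sig())
        out |= asig(v, S)
    return out


def m5(m, S):
    """Belief that m has a coordinating capacity in S (Definition 5)."""
    total = asig(m, S)
    if not total:                           # Asig(m, S) is empty: belief is 0
        return 0.0
    return len({v.sig() for v in dmes(m, S)}) / len(total)


def rank(violations, criteria):
    """Categories of equal belief, ordered lexicographically by the criteria list."""
    def key(v):
        return tuple(round(c(v), 2) for c in criteria)
    ordered = sorted(violations, key=key, reverse=True)
    return [(k, [v.label() for v in g]) for k, g in groupby(ordered, key=key)]


def rc_ratio(categories, n_inconsistencies):
    """Ranking completeness ratio RC = Nc / Ninc, as used in Section 6."""
    return len(categories) / n_inconsistencies


# Constructed stand-in for I2 (Fig. 3 is not reproduced here).
execute = Message("execute", "SearchByKeyword")
set_visible = Message("setVisible", "SearchForm", ("boolean",), execute)
get_keywords = Message("getKeywords", "SearchForm", (), execute)
read_field = Message("readField", "TextField", (), get_keywords)          # hypothetical
exec_query = Message("executeQuery", "DBHandler", ("String", "OCollection"), execute)
exec_stmt = Message("executeQuery", "Statement", (), exec_query)
to_coll = Message("toObjCollection", "DBHandler", ("ResultSet",), exec_query)
show = Message("showResults", "ResultForm", ("OCollection",), execute)    # hypothetical
I2 = [execute, set_visible, get_keywords, read_field,
      exec_query, exec_stmt, to_coll, show]

# The five messages that Section 4.2 lists as violating Rule-1.
VIOLATIONS = [execute, set_visible, get_keywords, exec_query, exec_stmt]

# coordinating-c beliefs of receiver classes quoted in Section 4.2;
# the SearchByKeyword entry is a constructed placeholder.
M2_RECEIVER = {"SearchForm": 0.4, "DBHandler": 0.4, "Statement": 0.2,
               "SearchByKeyword": 0.5}


def criterion_i(v):
    """Criterion-i: coordinating-m(self, self.interaction)."""
    return m5(v, [I2])


def criterion_k(v):
    """Criterion-k: coordinating-c(self.receiver, self.interaction)."""
    return M2_RECEIVER[v.receiver]


if __name__ == "__main__":
    for crits in ([criterion_i], [criterion_i, criterion_k]):
        cats = rank(VIOLATIONS, crits)
        print(f"RC = {rc_ratio(cats, len(VIOLATIONS)):.2f}")
        for beliefs, names in cats:
            print("  ", beliefs, names)
```

Adding Criterion-k as a secondary key raises the number of categories from three to four for the same five violations, which is the tie-breaking effect the ordered criteria are meant to have.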
4.2 Computation of beliefs for the satisfiability of significance criteria

To assess the significance of the violations of a consistency rule, we compute beliefs in the satisfiability of the criteria associated with it by the elements of the model which are involved in these violations and rank the violations in descending order of these beliefs. The computation of these beliefs depends on whether a criterion is defined by an atomic or a non-atomic S-expression. In the former case, the belief in the satisfiability of the criterion is computed according to the following theorem (see Appendix B for a proof):

Theorem 7: The belief function induced by each of the basic probability assignments mi (i=1,…,6) has the following form:

Bel(P) = mi(Pi) if Pi → P, and
Bel(P) = 0 otherwise

where Pi is the predicate associated with mi or the negation of this predicate.

Following Theorem 7, the belief in the satisfiability of a criterion defined by an atomic S-expression is the belief that is generated by the basic probability assignment that is associated with the predicate used in this expression. For example, the belief in the atomic S-expression of Criterion-k in Section 4.1 is computed by the formula:

Bel(coordinating-c(self.receiver, self.interaction)) = m2(coordinating-c(self.receiver, self.interaction)).

The belief in the satisfiability of a criterion that is specified by a non-atomic S-expression is computed according to the following theorems (the proofs of these theorems are given in Appendix B):

Theorem 8: Let p1,…, pn be predicates of atomic S-expressions referring to characteristics of elements of a model M, and m1,…, mn be the basic probability assignments associated with each of these predicates, respectively. The belief in a non quantified S-expression p1 and p2 and … and pn is measured by the function:

Bel(and_{i=1,…,n} pi) = Π_{i=1,…,n} mi(pi) if pi ≠ pj and pi ≠ ¬pj (∀i, j: i ≠ j), and
Bel(and_{i=1,…,n} pi) = 0 otherwise

Theorem 9: Let p1,…, pn be predicates of atomic S-expressions referring to characteristics of elements of a model M, and m1,…, mn be the basic probability assignments associated with each of these predicates, respectively. The belief in a non quantified S-expression p1 or p2 or … or pn is measured by the function:

Bel(or_{i=1,…,n} pi) = Σ_{J ⊆ {1,…,n} and J ≠ ∅} (−1)^{|J|+1} Bel(and_{i ε J} pi) if pi ≠ pj and pi ≠ ¬pj (∀i, j: i ≠ j), and
Bel(or_{i=1,…,n} pi) = 1 otherwise

Theorem 10: Given a set of elements S and a non quantified S-expression se(x) referring to a model element x, the belief in a quantified S-Expression of the form S->exists(x | OCL-expression-over-x and se(x)) is measured by the function:

Bel(S->exists(x | OCL-expression-over-x and se(x))) = Σ_{J ⊆ S and J ≠ ∅} (−1)^{|J|+1} Bel(and_{x ε J} se(x)) if S ≠ ∅
Bel(S->exists(x | OCL-expression-over-x and se(x))) = 0 if S = ∅

where S is the subset of the elements of S for which OCL-expression-over-x is true.

Theorem 11: Given a set of elements S and a non quantified S-expression se(x) referring to a model element x, the belief in a quantified S-Expression of the form S->forall(x | OCL-expression-over-x and se(x)) is measured by the function:

Bel(S->forall(x | OCL-expression-over-x and se(x))) = Π_{x ε S} Bel(se(x)) if S = S
Bel(S->forall(x | OCL-expression-over-x and se(x))) = 0 if S ≠ S

where S is the subset of the elements of S for which OCL-expression-over-x is true.

Examples: Assuming that there are no attributes and associations defined between the classes SearchMenu and SearchByKeyword, between the classes SearchByKeyword and SearchForm, and between the classes SearchByKeyword and DBHandler which
appear in the interaction I2 of Fig. 3, the messages: execute(), setVisible(boolean), getKeywords(), executeQuery(String, Ocollection), and executeQuery() in I2 violate Rule-1. If the significance of these inconsistencies is assessed according to Criterion-i in Section 4.1, then the inconsistencies caused by the messages getKeywords() and executeQuery(String,Ocollection) have the highest significance and the inconsistencies caused by the messages execute(), setVisible(boolean), and executeQuery() are less significant by the same criterion. This ranking results from the following degrees of belief in the satisfiability of Criterion-i by each of these messages:

• Bel(coordinating-m(getKeywords(),{I2})) = m5(coordinating-m(getKeywords(),{I1})) = 1
• Bel(coordinating-m(executeQuery(String,OCollection),{I2})) = m5(coordinating-m(executeQuery(String,OCollection),{I2})) = 1
• Bel(coordinating-m(execute(),{I2})) = m5(coordinating-m(execute(),{I2})) = 0.57
• Bel(coordinating-m(setVisible(boolean),{I2})) = m5(coordinating-m(setVisible(boolean),{I2})) = 0
• Bel(coordinating-m(executeQuery(),{I2})) = m5(coordinating-m(executeQuery(),{I2})) = 0

If the significance of the same inconsistencies is assessed by Criterion-i followed by Criterion-k (see Section 4.1), the inconsistencies are ranked in descending order of significance as follows:

1) The inconsistencies caused by getKeywords() and executeQuery(String,OCollection) since: Bel(coordinating-m(getKeywords(),{I2})) = Bel(coordinating-m(executeQuery(String,OCollection),{I2})) = 1 and Bel(coordinating-c(SearchForm,{I1})) = Bel(coordinating-c(DBHandler,{I2})) = 0.4
2) The inconsistency caused by execute() since Bel(coordinating-m(execute(),{I2})) = 0.57
3) The inconsistency caused by setVisible(boolean) since: Bel(coordinating-m(setVisible(boolean),{I2})) = 0 and Bel(coordinating-c(SearchForm,{I2})) = 0.4
4) The inconsistency caused by executeQuery() since: Bel(coordinating-m(executeQuery(),{I2})) = 0 and Bel(coordinating-c(Statement,{I2})) = 0.2

Note that in this case, the use of Criterion-k as a secondary criterion of significance breaks the tie between the inconsistencies caused by the messages setVisible(boolean) and executeQuery() but not the tie between the inconsistencies caused by the messages getKeywords() and executeQuery(String,Ocollection).

5. Tool support

A prototype implementing the framework introduced in this paper has been developed as a client of the CASE tool Rational Rose [20]. This prototype incorporates a graphical, syntax-directed editor that supports the specification of significance criteria (see Fig. 5) and can evaluate them against groups of UML model elements that violate specific consistency rules.

Fig. 5. Prototype for Diagnostic Framework

The evaluation of a criterion uses a representation of a model structured according to the UML meta-model and is incremental. Initially, the prototype retrieves the sets of the elements that are referenced by the names used in the S-expression of a criterion. Then,
it uses the retrieved model elements to calculate beliefs in the satisfaction of the atomic S-expressions of the criterion based on the formulas established by Theorem 7. Subsequently, if the criterion is defined by a non-atomic S-expression, it calculates the belief in the satisfaction of this expression using the formulas established by Theorems 8-11. A full description of the prototype and the criteria evaluation algorithm is given in [5].

6. Experimental results

To evaluate our framework, we have conducted a series of experiments. The objective of these experiments was to check whether the satisfiability measures calculated for significance criteria definable in the framework are of sufficient diversity for producing elaborate rankings of inconsistencies (see footnote 3). In the experiments, we used 20 UML models specified by postgraduate students at City University. Measures of the size of these models and an indication of the system described by each of them are shown in Table 2.

MODEL
Size        1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
No. of      40 77 37 31 47 67 25 32 10 42 17 37 51 41 56 54 10 73 14 10
No. of Seq. 3 4 4 2 4 3 12 9 8 8 3 3 12 13 6 12 23 18 22 31
No. of      68 24 32 43 51 44 15 92 87 11 65 36 13 18 18 12 48 43 35 19
No. of      58 25 49 29 25 42 79 78 14 75 59 86 21 94 23 12 22 17 81 89
Producer    a a a a a a a a a a a a a b a a b b b b
System      1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2
Key: Producer, System
a single; 1 web-based banking
b group of 2 course recruitment

Table 2. Size of models used in experimental evaluation

Each of the models was checked against the following consistency rules:

(i) Rule-1 that was defined in Section 4.
(ii) Rule-2 which requires the class of the receiver of a message in an interaction to define or inherit an operation with the same signature as the message.
This rule is defined in OCL as follows:

Rule-2: context: Message
OCL-expression: self.action.oclIsTypeOf(CallAction) implies
self.receiver.feature->exists(o:Operation | (self.action.operation = o))

Footnote 3: The results of another set of experiments whose objective was to evaluate whether the significance-orders of inconsistencies produced by the framework comply with significance-orders produced by humans are reported in [26].

(iii) Rule-3 which requires that the lower multiplicity bound of an association end attached to a class whose instances receive at least one message from instances of the class attached to the other end of the association must be greater or equal to 1. This rule is specified in OCL as follows:

Rule-3: context: AssociationEnd
OCL-expression: self.association->exists(a:Association | a.connection->exists(e1, e2 | (e1 = self) and (e1 <> e2) and (e1.type = c1) and (c1.oclIsTypeOf(Classifier)) and (e2.type = c2) and (c2.oclIsTypeOf(Classifier)) and (c2.message->exists(m: Message | m.receiver = c1 )))) implies (self.multiplicity.range.lower >= 1)

The significance of the violations of Rule-1 was subsequently assessed using the criteria 1 and 2 in Table 3. The significance of the violations of Rule-2 was assessed using the criteria 2, 3, 4 and 5 in Table 3. The significance of the violations of Rule-3 was assessed using the criterion 6 in Table 3. The beliefs we computed in the satisfiability of these criteria by the inconsistencies in the different models were used to rank the inconsistencies as we did in the example of Section 4. More specifically, the inconsistencies caused by elements believed to satisfy a criterion to the same extent (i.e. giving rise to equal belief measures) were classified in the same category. The different categories of inconsistencies were then ranked in descending order of the beliefs computed for their elements.

Criterion, S-Expression, Meaning:

Criterion 1
  S-Expression: fdominant-m(n1, n2); Name[1]: let n1 = self; Name[2]: let n2 = self.interaction
  Meaning: The message has functional dominance in the sequence diagram it appears.
Criterion 2
  S-Expression: coordinating-m(n1, n2); Name[1]: let n1 = self; Name[2]: let n2 = self.interaction
  Meaning: The message has a coordinating capacity in the sequence diagram it appears.
Criterion 3
  S-Expression: coordinating-c(n1, n2); Name[1]: let n1 = self.receiver; Name[2]: let n2 = self.interaction
  Meaning: The receiver class of a message has a coordinating capacity in the specific sequence diagram that includes the message.
Criterion 4
  S-Expression: coordinating-c(n1, n2); Name[1]: let n1 = self.sender; Name[2]: let n2 = self.interaction
  Meaning: The sender class of a message has a coordinating capacity in the specific sequence diagram that includes the message.
Criterion 5
  S-Expression: coordinating-m(n1, n2) or coordinating-c(n3, n2) or coordinating-c(n4, n2); Name[1]: let n1 = self; Name[2]: let n2 = self.interaction; Name[3]: let n3 = self.receiver; Name[4]: let n4 = self.sender
  Meaning: The message or its receiver class or its sender class has a coordinating capacity in the specific sequence diagram.
Criterion 6
  S-Expression: fessential-a(n1, n2); Name[1]: let n1 = self; Name[2]: let n2 = self.association.oppositeend.type
  Meaning: The association end is functionally essential for the class attached to the other end of its association.

Table 3. Criteria used to assess the significance of the violations of rules 1, 2, and 3.

Tables 4, 5 and 6 present statistics about the inconsistencies and beliefs in the satisfiability of different criteria by the model elements that violated the three rules. The shown statistics include the number of the inconsistencies detected with respect to each rule in each model (Ninc) and for each criterion: (1) the number of the different categories of significance generated by it (Nc), (2) the completeness ratio of the ranking generated by it RC = Nc/Ninc, (3) the mean (Mb) and median (MDb) values of the beliefs in the satisfiability of the criterion, (4) the standard deviation of the beliefs in the satisfiability of the criterion (sb), (5) the standard deviation of the number of inconsistencies in each category of the ranking (sic), and (6) the relative variability of the beliefs in the satisfiability of the criterion (sb/Mb).

Rule 1
MODEL 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Ninc 20 2 7 5 34 19 82 39 32 16 18 6 49 111 41 38 173 224 54 73
Criterion 1
Nc 5 2 4 4 9 6 21 11 16 12 7 2 10 30 13 10 41 13 13 4
RC 0.251 0.570.80.260.320.260.280.50.750.390.330.200.270.320.260.240.060.240.05
Mb 0.060.150.190.10.20.110.080.40.170.280.070.020.050.110.070.140.060.080.210.08
MDb 0.040.150.170.050.080.080.040.380.090.180.040 0 0 0.030 0 0 0 0
sb 0.040.070.10.090.290.130.040.290.140.260.060.040.120.230.1 0.250.150.250.300.23
sic 3.080 0.50.52.992.564.322.461.550.492.442.8210.2713.662.827.5118.5454.148.5327.28
sb / Mb 0.640.470.540.881.461.140.530.730.810.930.922 2.4 2.091.431.792.5 3.161.412.88
Criterion 2
Nc 2 1 2 3 6 2 6 9 8 5 4 2 6 11 5 2 41 6 9 2
RC 0.10.50.290.60.180.110.070.230.250.310.220.330.120.1 0.120.050.240.030.160.02
Mb 0.10 0.290.250.20.260.240.490.290.530.190.170.270.270.7 0.340.240.100.210.19
MDb 0 0 0 0 0 0 0 0.50 0.50 0 0 0 1 0 0 0 0 0
sb 0.310 0.490.430.370.450.380.390.390.440.340.40.440.430.410.480.410.300.280.39
sic 11.30 2.121.159.546.3620.84.665.812.285.692.8213.2722.729.318.4830.3878.799.7531.81
sb / Mb 3.080 1.711.731.91.721.590.81.340.821.822.351.631.590.581.411.712.891.342.07

Table 4. Statistics for the rankings of the violations of Rule-1

The measure used to evaluate the ability of the different criteria to produce elaborate rankings of inconsistencies was the ranking completeness ratio (RC). The mean value of the RC-ratios across models with more than one violation of the same consistency rule in our experiments was MRC = 0.33 (see footnote 4). In other words, the criteria used produced distinct categories of significance with 3.03 (= 1/MRC) inconsistencies in each category on average. This indicates that the criteria used were capable of producing relatively elaborate rankings of significance. Our experiments also showed that the use of non-atomic S-expressions as criteria of significance produces more elaborate rankings of inconsistencies: the mean value of the RC-ratios resulting from experiments where such S-expressions were used (see experiments for Rule 2 and Criterion 5) was 0.45.

Footnote 4: In estimating the mean RC-value we excluded models with only one inconsistency since in their cases there was no need for ranking inconsistencies.

The distribution of the RC-ratios (excluding cases where Ninc = 1) is graphically shown in Fig. 6. This distribution was positively skewed with a degree of skewness equal to 1.15, a median (MDRC) of 0.27 and a standard deviation (sRC) of 0.23. As sRC was found to be relatively high with respect to MRC, we had to explore the factors underpinning the generation of rankings with different levels of elaboration.

Rule 2
MODEL 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Ninc 8 11 1 7 26 35 90 39 7 14 65 0 16 30 131 40 87 69 97 44
Criterion 2
Nc 1 4 1 3 9 4 9 4 7 3 14 0 8 11 13 7 14 6 2 9
RC 0.130.361 0.430.350.110.1 0.1 1 0.210.220 0.5 0.370.1 0.180.160.080.020.2
Mb 0 0.240 0.440.170.3 0.110.020.410.130.330 0.570.210.390.4 0.250.5 0.040.05
MDb 0 0 0 0.090 0 0 0 0.380 0.110 0.750.170.4 0.370 0.510 0
Sb 0 0.370 0.520.320.450.260.050.3 0.330.4 0 0.460.170.410.4 0.330.490.2 0.16
Sic 0 2.870 1.154.9410.423 16.80 6.357.990 2.452.0516.95.8211.7916.2664.33.72
Sb / Mb 0 1.520 1.191.861.492.343.220.732.561.2 0 0.810.811.051 1.320.994.863.31
Criterion 3
Nc 3 3 1 3 11 7 15 6 5 5 9 0 6 8 14 9 22 12 14 10
RC 0.380.271 0.430.420.2 0.170.150.710.360.140 0.370.270.110.230.250.170.140.23
Mb 0.170.260.290.210.250.290.210.280.390.270.220 0.420.380.280.190.250.640.160.17
MDb 0.110.170.290.250.180.290.150.250.420.290.180 0.430.370.250 0.270.830.120.12
Sb 0.130.160 0.070.190.160.160.2 0.080.130.120 0.100.1 0.210.290.140.380.140.16
Sic 2.081.710 2.311.753.115.635.750.551.925.450 3.142.5311.47.743.648.8 7.264
Sb / Mb 0.720.6 0 0.310.730.540.770.730.220.5 0.530 0.240.260.751.530.570.590.920.95
Criterion 4
Nc 3 3 1 3 11 8 17 8 5 7 8 0 6 8 13 8 49 9 12 11
RC 0.380.271 0.430.420.230.190.210.710.5 0.120 0.370.270.1 0.2 0.580.130.120.25
Mb 0.330.290.140.270.480.470.420.570.2 0.6 0.310 0.220.220.460.690.4 0.840.4 0.78
MDb 0.440.250.140.250.560.570.460.630.080.580.270 0.170.140.5 0.860.4 1 0.4 0.87
Sb 0.160.140 0.150.220.180.2 0.170.260.250.150 0.100.2 0.230.4 0.2 0.250.150.28
Sic 2.081.530 2.311.913.934.956.270.551.914.120 2.652.768.165.951.8614.6512.33.68
Sb / Mb 0.470.490 0.550.460.390.460.291.290.410.470 0.450.910.5 0.580.510.3 0.370.35
Criterion 5
Nc 4 8 1 4 17 14 36 11 7 8 33 0 9 22 31 8 66 9 17 11
RC 0.5 0.731 0.570.650.4 0.4 0.281 0.570.510 0.560.730.240.2 0.760.130.180.25
Mb 0.460.6 0.390.690.680.720.580.690.750.770.630 0.730.5 0.530.960.740.940.490.87
MDb 0.510.630.390.620.720.720.590.720.680.880.590 0.9 0.480.621 0.691 0.460.89
Sb 0.190.250 0.310.2 0.220.220.150.140.180.250 0.3 0.170.360.080.3 0.160.180.15
Sic 0.820.520 0.961.072.412.244.2 0 1.042.360 2.330.797.2 9.391.1417.576.2 3.75
Sb / Mb 0.4 0.420 0.450.280.3 0.370.220.190.240.390 0.410.340.680.080.4 0.170.370.17

Table 5. Statistics for the rankings of the violations of Rule-2
Rule 3
MODEL 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Ninc 1 10 5 9 1 2 9 8 12 9 14 5 23 7 15 1 2 24 33 2
Criterion 6
Nc 1 3 3 5 1 2 4 3 6 2 5 3 8 3 6 1 2 6 12 2
RC 1 0.3 0.6 0.551 1 0.440.380.5 0.220.360.6 0.350.430.4 1 1 0.250.361
Mb 0.990.410.550.580.5 0.930.6 0.620.700.720.640.640.700.660.780.5 0.750.930.670.72
MDb 0.990.440.550.550.5 0.930.580.5 0.700.750.5 0.5 0.750.750.750.5 0.750.940.5 0.72
Sb 0 0.110.260.190 0.080.090.190.200.080.200.200.230.160.190 0.350.100.210.30
Sic 0 0.570.570.440 0 0.952.081.554.952.391.152.361.151.380 0 4.654.820
Sb / Mb 0 0.270.470.330 0.080.150.310.280.110.310.310.330.240.240 0.460.110.310.42

Table 6. Statistics for the rankings of the violations of Rule-3

Fig. 6. Distribution of RC-ratio values.

A preliminary investigation of these factors was carried out by correlating the RC-ratios in the conducted experiments with: (i) measures of the size of the used models including the number of the classes (NCl), associations (NAss) and messages (NMes) in them, (ii) the number of the inconsistencies detected in different models (Ninc), and (iii) the relative variability of criteria satisfiability measures (Sb/Mb). The coefficients of these correlations, which are shown in Table 7, indicate that the RC-ratio correlates negatively with the number of inconsistencies Ninc (the correlation coefficient between these two measures was −0.44 and was statistically significant at α = 0.5). This finding indicated that the
ability of the framework to produce elaborate rankings of significance deteriorates as the number of the inconsistencies in a model increases.

| | NCl | NMes | NAss | Ninc | Sb/Mb | RC |
|---|---|---|---|---|---|---|
| NCl | 1 | | | | | |
| NMes | | 1 | | | | |
| NAss | | | 1 | | | |
| Ninc | 0.22 | 0.64 | 0.22 | 1 | | |
| Sb/Mb | 0.08 | 0.16 | 0.16 | | 1 | |
| RC | 0 | -0.17 | -0.15 | -0.44 | -0.34 | 1 |

Table 7. Correlation of RC-ratios with model size, inconsistency and belief variability measures

Based on our correlation analysis, we can say that this phenomenon is likely to have been the result of the effect of the size of models on the number of detected inconsistencies (Ninc) and the variability of the belief measures generated for significance criteria (Sb/Mb). More specifically, as observed in our experiments, larger models give rise to more inconsistencies (the correlation coefficients between Ninc and NCl, NMes, and NAss were 0.22, 0.64, and 0.22, respectively), and criteria satisfiability measures of higher variability (the correlation coefficients between Sb/Mb and NCl, NAss and NMes were 0.08, 0.16 and 0.16, respectively). However, these two effects are not of the same magnitude. More specifically, the variability of satisfiability measures increases along with increments in the size of models but not proportionally to the number of inconsistencies. Model 17, for example, was four times as big as Model 16 in terms of the number of messages that it contained (488 vs. 122) and had more than twice as many violations of Rule-2 as Model 16. The variability of the satisfiability measures for criterion 2 by elements involved in the violations of Rule-2 in these two models was 1.32 and 1, respectively (see Table 5). Clearly, the difference in the Sb/Mb measures in these two models was not proportional to the difference in the number of inconsistencies with respect to Rule-2. As a consequence of this phenomenon, in large models the satisfiability measures are not of
sufficient diversity to produce as elaborate rankings of inconsistencies as in the case of small models. A possible way to obtain higher RC-ratios in cases where larger numbers of inconsistencies are detected is to define more complex criteria of significance or to define additional criteria of significance for the same rule and use them for breaking ties in rankings produced by other criteria. Note, however, that the ability of this strategy to improve the RC ratios of rankings needs to be confirmed by further experimentation.

7. Related Work

There are two main bodies of literature relevant to the work reported in this paper: the literature on managing inconsistency in software engineering and the literature on software metrics.

7.1 Inconsistency management

The term "inconsistency management" has been used in the software engineering literature to denote a group of activities related to the detection and settlement of inconsistencies which arise between software system and/or process specifications [6, 13, 27]. These activities include the detection of overlaps and inconsistencies between specifications, the diagnosis of the importance of the inconsistencies detected, and the settlement of these inconsistencies. The most substantial body of research relevant to these activities has emerged from the area of requirements engineering where the phenomenon of inconsistencies between requirements specifications is more prominent due to different stakeholder perspectives and goals [30]. One strand of work in this area focuses on the detection of inconsistencies [24, 9, 30, 12, 21]. Another strand of work focuses on the settlement of inconsistencies either in general [22, 30, 21, 6] or in particular cases where the inconsistencies involve specific kinds of requirements specifications such as quality [1, 19] and safety requirements [16]. Also there is work concerned with inconsistencies in software process specifications [3].
Although the diagnosis of the significance of inconsistencies has been acknowledged as an important task in the activity of managing inconsistencies, there has been relatively less research work focusing on it. A notable exception is the work of Emmerich et al. [7], who have developed a framework for managing the compliance of software documentation artefacts with consistency rules which realise document representation standards. In their framework, software designers can implement diagnostic checks and associate them with consistency rules. These checks are meant to assess the importance and the difficulty of making a document compliant with the rule it violates. Hunter and Nuseibeh have also dealt with the diagnosis problem in their work on managing inconsistencies between formal system specifications [13]. In their work, diagnosis has been realised as the identification of parts of specifications which are not affected by an inconsistency and therefore are safe to reason from. As far as we know, the framework described in this paper is the only other strand of work which addresses the inconsistency diagnosis problem. The main difference between the approach realised by our framework and the approaches referenced above is that the former assesses the significance of inconsistencies on the basis of the impact that they have in a software model while the latter assess this significance on the basis of the parts of the models that have caused them.

7.2 Software Metrics

The metrics defined in our framework are assessment metrics measuring external features of software products following Fenton's metric classification taxonomy [8]. Metrics similar to some of them have been proposed in the literature. More specifically, the depth of inheritance tree (DIT [2]) and class hierarchy nesting level [15] are similar to m1, and class coupling (CBO [1]) and number of collaborating classes (NCC [14]) are similar to m2. In addition, the functional essentiality of attributes and association ends
(belief function m3) is similar to the method-to-variable connection matrix (MVCM [29]). The main difference between m3 and MVCM is that m3 establishes the potential of using an attribute/association end to identify the receiver of a message dispatched in a method as opposed to using its value in any possible way in a method. However, the main novelty of our approach with respect to other work in the field of software metrics is the use of metrics as a means of assessing the significance of inconsistencies in software models.

8. Conclusions and future work

In this paper we have presented a framework for assessing the significance of inconsistencies in design models of software systems expressed in UML based on criteria that software designers can specify to establish the characteristics that the model elements involved in an inconsistency should have for the inconsistency to be significant. These criteria can be defined in a formal language established by the framework and are associated with consistency rules. The framework incorporates a formal scheme, based on the Dempster-Shafer theory of evidence [23], for computing beliefs in the satisfiability of the criteria by model elements, and uses these beliefs to assess the significance of the inconsistencies caused by these elements.

A prototype tool that implements the framework has been developed. Furthermore, the framework has been tested in a series of experiments which have shown the ability of the criteria definable in it to produce elaborate rankings of inconsistencies of different significance. Ongoing work focuses on further experimental evaluation of the framework against industrial models and an investigation of the possibility of expanding it with more characteristics of model elements.

References
1. Boehm B., In H., "Identifying Quality Requirements Conflicts", IEEE Software, March 1996, pp. 25-35.
2. Chidamber S., Kemerer C., "A Metrics Suite for Object Oriented Design", IEEE Transactions on Software Engineering, 20(6), 1994, pp. 476-493.
3. Cugola G., "Tolerating Deviations in Process Support Systems Via Flexible Enactment of Process Models", IEEE Transactions on Software Engineering, 24(11), 1998.
4. Douglas B.P., "Real-Time UML: Developing Efficient Objects for Embedded Systems", Addison-Wesley, 1998.
5. Dragazi F., "Implementation of a Graphical Editor and an Evaluator for S-Expressions", BSc Project Report, Department of Computing, City University, 2001.
6. Easterbrook S. and Nuseibeh B., "Managing Inconsistencies in an Evolving Specification", Proc. of the 2nd Int. Conference on Requirements Engineering, York, England, IEEE Computer Society Press, 1995, pp. 48-55.
7. Emmerich W., et al., "Managing Standards Compliance", IEEE Transactions on Software Engineering, 25(6), 1999, pp. 836-851.
8. Fenton N., "Software Measurement: A Necessary Scientific Basis", IEEE Transactions on Software Engineering, 30(3), 1994, pp. 199-206.
9. Finkelstein A. et al., "Inconsistency Handling in Multi-Perspective Specifications", IEEE Transactions on Software Engineering, 20(8), 1994, pp. 569-578.
10. Gamma E., et al., "Design Patterns: Elements of Reusable Object-Oriented Software", Addison Wesley, 1995.
11. Hays W., "Statistics", 3rd Edition, Holt International, 1969, SBN 03 910025.
12. Heitmeyer C., Labaw B. and Kiskis D., "Consistency Checking of SCR-Style Requirements Specifications", Proc. of the 2nd Int. Symposium on Requirements Engineering, IEEE CS Press, 1995, pp. 56-63.
13. Hunter A. and Nuseibeh B., "Managing Inconsistent Specifications: Reasoning, Analysis and Action", ACM Transactions in Software Engineering and Methodology, 7(4), 1998, pp. 335-367.
14. Jacobson I., "Object-Oriented Software Engineering: A Use Case Driven Approach",
Addison-Wesley, 1995.
15. Lorenz M., "Object-Oriented Software Development: A Practical Guide", Prentice Hall, 1993.
16. McDermid A.J., Vickers S.P., and Wilson, "Managing Analytical Complexity of Safety Critical Systems using Viewpoints", Joint Proceedings of the Viewpoints 96, San Francisco, USA, 1996, pp. 272-274.
17. OMG, "Object Constraint Language Specification", available as part of [18] from: ftp://ftp.omg.org/pub/docs/ad/99-06-08.pdf, 1999.
18. OMG, "OMG Unified Modeling Language Specification", V. 1.3a, available from: ftp://ftp.omg.org/pub/docs/ad/99-06-08.pdf, 1999.
19. Palmer J. and Fields A., "An Integrated Environment for Requirements Engineering", IEEE Software, March 1992, pp. 80-85.
20. Rational, "Rational Rose 98: Extensibility Reference Manual", see also: http://www.rational.com/products/rose/index.jtmpl, 1998.
21. Robinson W. and Fickas S., "Supporting Multiple Perspective Requirements Engineering", Proc. of the 1st Int. Conference on Requirements Engineering, IEEE Computer Society Press, 1994, pp. 206-215.
22. Schwanke R.W., Kaiser G.E., "Living with Inconsistency in Large Systems", Proc. of the Int. Workshop on Software Version and Configuration Control, pp. 98-118.
23. Shafer G., "A Mathematical Theory of Evidence", Princeton University Press, 1975.
24. Spanoudakis G., Finkelstein A., "Reconciling requirements: a method for managing interference, inconsistency and conflict", Annals of Software Engineering, 3, 1997, pp. 433-457.
25. Spanoudakis G., Kim H., "Evidential Management of Inconsistencies in Object Oriented Software Models", Technical Report, Department of Computing, City University, 2001.
26. Spanoudakis G., Kim H., "Diagnosis of the Significance of Inconsistencies in Software Designs: A Framework and Its Experimental Evaluation", Journal of Systems and Software, 64(1), 2002, pp. 3-22.
27. Spanoudakis G., Zisman A., "Inconsistency Management in Software Engineering:
Survey and Open Research Issues", Handbook of Software Engineering and Knowledge Engineering, (ed) Chang S. K., Vol. 1, World Scientific, 2001, pp. 329-380.
28. Sun Microsystems, "JDK™ 1.1.8 Documentation", available from: http://java.sun.com/products/jdk/1.1/docs/
29. Tegarden P., Sheetz S., Monarchi D., "A Software Complexity Model of Object-Oriented Systems", Decision Support Systems, 13, 1995, pp. 241-262.
30. van Lamsweerde A., Darimont A., Letier E., "Managing Conflicts in Goal-Driven Requirements Engineering", IEEE Transactions on Software Engineering, 24(11), 1998, pp. 908-926.
31. POCRES Specification, available from: http://www.soi.city.ac.uk/~gespan/gp/gp_brief.html#S7

Appendix A: Overview of the Dempster-Shafer Theory of Evidence

In the Dempster-Shafer theory, a "basic probability assignment" is a function

(a1) m: ℘(θ) → [0…1]

where ℘(θ) is the powerset of a set of mutually exclusive propositions θ called "frame of discernment". m provides a measure of the belief in the truth of the disjunction of the propositions in a subset of θ that cannot be split to any of its own subsets, and obeys the following axioms:

(a2) m(∅) = 0, and
(a3) Σ_{P⊆θ} m(P) = 1

The subsets P of θ for which m(P) > 0 are called "focals" of m and the union of these subsets is called "core" of m. Each basic probability assignment m induces a unique "belief" function Bel defined as:

(a4) Bel: ℘(θ) → [0…1], and
(a5) Bel(A) = Σ_{B⊆A} m(B)

Bel measures the total belief committed to the set of propositions P by accumulating the beliefs committed to its own subsets and obeys the following axioms:

(a6) Bel(∅) = 0
(a7) Bel(θ) = 1
(a8) Σ_{I⊆{1,...,n} and I≠θ} (−1)^{|I|+1} Bel(∩_{iεI} Pi) ≤ Bel(∪_{i=1,…,n} Pi), where n = |℘(θ)| and Pi ⊆ θ (i = 1,…,n)

Two basic probability assignments m1 and m2 can be combined according to the rule of the "orthogonal sum":

(a9) m1 ⊕ m2 (P) = (Σ_{X∩Y=P} m1(X) × m2(Y)) / (1 − k0), where k0 = Σ_{V∩W=∅ and V⊆θ and W⊆θ} m1(V) × m2(W)

k0 in this formula is a normalising parameter used to increase the belief assigned to the non-empty intersections of the focals of m1 and m2 in proportion to the belief that would be assigned to the empty intersections of these focals.

Appendix B: Proofs of Theorems

The degree of belief in the satisfiability of an S-expression is computed from the degrees of belief computed for the characteristics of the individual model elements that the S-expression refers to. This requires the combination of the belief functions introduced in Sections 3.1-3.6 based on the rules of the D-S theory. And this combination requires the definition of what the D-S theory terms as a (common) "frame of discernment" for these functions. In the following, we introduce a frame of discernment for the belief functions introduced in Sections 3.1-3.6 and then we show how these belief functions can be combined on the basis of this frame using the rules of the D-S theory.

B.1 Frame of discernment for diagnosis framework

The purpose of introducing a frame of discernment is to define a set of propositions which express the applicability of the characteristics of our framework to elements of a UML model M. The definition of the frame assumes the following mappings:

• An isomorphism g which assigns a unique identifier in the range [1,…,n] to each of
the elements of M
• A function f giving the number of characteristics applicable to a model element g⁻¹(i)⁵. f is defined as follows:
  - f(i) = 1 + k if g⁻¹(i).type = Class (k is the cardinality of the powerset of the interactions of M)
  - f(i) = 1 if g⁻¹(i).type = Attribute or AssociationEnd or Operation
  - f(i) = 2k if g⁻¹(i).type = Message
• An isomorphism h that assigns a unique number in the range [1,…,k] to each of the sets that can be formulated from the distinct interactions of a model.

Given the above mappings, each proposition in θ is represented as a vector of boolean variables V_{if(i)}:

[V_{11},…,V_{1f(1)},V_{21},…,V_{2f(2)},…,V_{n1},…,V_{nf(n)}]

The truth value of each variable V_{ij} (1 ≤ i ≤ n and 1 ≤ j ≤ f(i)) represents whether the model element g⁻¹(i) has the characteristic j. The vector [V_{11},…,V_{1f(1)},…,V_{i1},…,V_{if(i)},…,V_{n1},…,V_{nf(n)}] represents the conjunction of the propositions expressed by its elements. Given the isomorphisms g and h, the denotations of the variables V_{ij} are as follows:

• If g⁻¹(i).type = Class then V_{i1} = True if g⁻¹(i) is a generic class and V_{i1} = False if g⁻¹(i) is not a generic class.
• If g⁻¹(i).type = Class then V_{ij} (j = 2,…,k+1) denotes the coordinating capacity of the class g⁻¹(i) in a set of interactions S such that j = h(S) + 1: V_{ij} is True if g⁻¹(i) has a coordinating capacity in S, and False if it does not.
• If g⁻¹(i).type = Attribute or g⁻¹(i).type = AssociationEnd then V_{i1} is True if g⁻¹(i) is a functionally essential attribute or association end, and False if it is not.
• If g⁻¹(i).type = Operation then V_{i1} is True if g⁻¹(i) is a characteristic operation, and False if it is not.
• If g⁻¹(i).type = Message then V_{ij} (j = 1,…,k) denotes the functional dominance of g⁻¹(i) in a set of interactions S (j = h(S)): V_{ij} is True if g⁻¹(i) is a functionally dominant message in S, and False if it is not.

⁵ g⁻¹(i) denotes the inverse of mapping g, that is, it returns for each unique identifier the model element identified by it.
• If g⁻¹(i).type = Message then V_{ij} (j = k+1,…,2k) denotes the coordinating capacity of g⁻¹(i) in a set of interactions S (j = h(S) + k): V_{ij} is True if g⁻¹(i) has a coordinating capacity in S, and False if it does not.

θ includes vectors [V_{11},…,V_{1f(1)},V_{21},…,V_{2f(2)},…,V_{n1},…,V_{nf(n)}] to represent all the different combinations of the truth-values of the variables V_{ij}. A set of vectors [V_{11},…,V_{1f(1)},V_{21},…,V_{2f(2)},…,V_{n1},…,V_{nf(n)}] (that is, a subset of θ) represents the disjunction of the propositions expressed by its elements.

Given these denotations, the predicates introduced in Sections 3.1-3.6 correspond to the following subsets of θ:

• generic(g⁻¹(i)) = {[V_{11},…,V_{1f(1)},…,V_{i1},…,V_{if(i)},…,V_{n1},…,V_{nf(n)}] | (g⁻¹(i).type = Class) and (V_{i1} = True)}
• coordinating-c(g⁻¹(i),S) = {[V_{11},…,V_{1f(1)},…,V_{i1},…,V_{if(i)},…,V_{n1},…,V_{nf(n)}] | (g⁻¹(i).type = Class) and (j = h(S)+1) and (V_{ij} = True)}
• fessential-a(g⁻¹(i)) = {[V_{11},…,V_{1f(1)},…,V_{i1},…,V_{if(i)},…,V_{n1},…,V_{nf(n)}] | ((g⁻¹(i).type = Attribute) or (g⁻¹(i).type = AssociationEnd)) and (V_{i1} = True)}
• characteristic-o(g⁻¹(i)) = {[V_{11},…,V_{1f(1)},…,V_{i1},…,V_{if(i)},…,V_{n1},…,V_{nf(n)}] | (g⁻¹(i).type = Operation) and (V_{i1} = True)}
• fdominant-m(g⁻¹(i), S) = {[V_{11},…,V_{1f(1)},…,V_{i1},…,V_{if(i)},…,V_{n1},…,V_{nf(n)}] | (g⁻¹(i).type = Message) and (j = h(S)) and (V_{ij} = True)}
• coordinating-m(g⁻¹(i), S) = {[V_{11},…,V_{1f(1)},…,V_{i1},…,V_{if(i)},…,V_{n1},…,V_{nf(n)}] | (g⁻¹(i).type = Message) and (j = h(S) + k) and (V_{i2} = True)}

Note that, since each subset X of θ is viewed as a logical proposition (P), the complement set of it with respect to θ, X̄, denotes the negation of this proposition (¬P). Thus, for example, the negation of the predicate generic (¬generic(g⁻¹(i))) corresponds to the following subset of θ:

¬generic(g⁻¹(i)) = {[V_{11},…,V_{1f(1)},…,V_{i1},…,V_{if(i)},…,V_{n1},…,V_{nf(n)}] | (g⁻¹(i).type = Class) and (V_{i1} = False)}
Note also that the basic probability assignments m1, …, m6 are assumed to assign a belief equal to 0 to any subset of θ that is not referenced in their definition in Sections 3.1-3.6.

B.2 Proofs of theorems

Theorem 1: m1 is a D-S basic probability assignment.

Proof: To prove that m1 is a basic probability assignment we must prove that it satisfies the axioms a1-a3.
(a1): This axiom is satisfied since c.Sub* ⊆ M.Classes − {c}.
(a2): Since θ ≠ generic(c) and θ ≠ ¬generic(c) for any c, by Definition 1 we have: m1(θ) = 0.
(a3): It is satisfied since: Σ_{P⊆θ} m1(P) = Σ_{P⊆θ and P≠generic(c) and P≠¬generic(c)} m1(P) + m1(generic(c)) + m1(¬generic(c)) = 0 + m1(generic(c)) + 1 − m1(generic(c)) = 1. ♦

Theorem 2: m2 is a D-S basic probability assignment.

Proof: To prove that m2 is a basic probability assignment we must prove that it satisfies the axioms a1-a3.
(a1): It is satisfied since by Definition 2 we have that Com(c,S) ⊆ Classes(S) − {c}, and for any subset P of θ such that P ≠ coordinating-c(c,S) and P ≠ ¬coordinating-c(c,S) that m2(P) is equal to 0.
(a2): Since θ ≠ coordinating-c(c,S) and θ ≠ ¬coordinating-c(c,S) for any c and S, by Definition 2 we have: m2(θ) = 0.
(a3): It is satisfied since: Σ_{P⊆θ} m2(P) = Σ_{P⊆θ and P≠coordinating-c(c,S) and P≠¬coordinating-c(c,S)} m2(P) + m2(coordinating-c(c,S)) + m2(¬coordinating-c(c,S)) = 0 + m2(coordinating-c(c,S)) + 1 − m2(coordinating-c(c,S)) = 1. ♦

Theorem 3: m3 is a D-S basic probability assignment.

Proof: To prove that m3 is a basic probability assignment we must prove that it satisfies
the axioms a1-a3.
(a1): It is satisfied since by Definitions 3 and 6, 0 ≤ |Rel(a,c)| and 0 ≤ |Mes(a,c,M)|. Also by Definition 3, for any subset P of θ such that P ≠ fessential-a(a,c) and P ≠ ¬fessential-a(a,c), m3(P) = 0.
(a2): Since θ ≠ fessential-a(a,c) and θ ≠ ¬fessential-a(a,c) for any a and c, by Definition 3 we have: m3(θ) = 0.
(a3): It is satisfied since: Σ_{P⊆θ} m3(P) = Σ_{P⊆θ and P≠fessential-a(a,c) and P≠¬fessential-a(a,c)} m3(P) + m3(fessential-a(a,c)) + m3(¬fessential-a(a,c)) = 0 + m3(fessential-a(a,c)) + 1 − m3(fessential-a(a,c)) = 1. ♦

Theorem 4: m4 is a D-S basic probability assignment.

Proof: To prove that m4 is a basic probability assignment we must prove that it satisfies the axioms a1-a3.
(a1): It is satisfied since by Definition 4, for any operation o and a class c such that c ε Oclasses(o) we have: (Ov(o,c) ∪ {c}) ⊆ (c.Sub* ∪ {c}). Also by Definition 4, for any subset P of θ such that P ≠ characteristic-o(o) and P ≠ ¬characteristic-o(o), m4(P) = 0.
(a2): Since θ ≠ characteristic-o(o) and θ ≠ ¬characteristic-o(o) for any o, by Definition 4 we have: m4(θ) = 0.
(a3): It is satisfied since: Σ_{P⊆θ} m4(P) = Σ_{P⊆θ and P≠characteristic-o(o) and P≠¬characteristic-o(o)} m4(P) + m4(characteristic-o(o)) + m4(¬characteristic-o(o)) = 0 + m4(characteristic-o(o)) + 1 − m4(characteristic-o(o)) = 1. ♦

Theorem 5: m5 is a D-S basic probability assignment.

Proof: To prove that m5 is a basic probability assignment we must prove that it satisfies the axioms a1-a3.
(a1): It is satisfied since by Definition 5 for any m and S we have that: (i) Dsig(m,S) ⊆ Asig(m,S), and (ii) for any subset P of θ such that P ≠ coordinating-m(m,S) and P ≠ ¬coordinating-m(m,S), m5(P) is equal to 0.
(a2): Since θ ≠ coordinating-m(m,S) and θ ≠ ¬coordinating-m(m,S) for any m and S, by Definition 5, m5(θ) = 0.
(a3): It is satisfied since: Σ_{P⊆θ} m5(P) = Σ_{P⊆θ and P≠coordinating-m(m,S) and P≠¬coordinating-m(m,S)} m5(P) + m5(coordinating-m(m,S)) + m5(¬coordinating-m(m,S)) = 0 + m5(coordinating-m(m,S)) + 1 − m5(coordinating-m(m,S)) = 1. ♦

Theorem 6: m6 is a D-S basic probability assignment.

Proof: To prove that m6 is a basic probability assignment we must prove that it satisfies the axioms a1-a3.
(a1): It is satisfied since by Definition 6 we have that: (i) Ames(m,{I}) ⊆ I.messages and (ii) for any subset P of θ such that P ≠ fdominant-m(m,{I}) and P ≠ ¬fdominant-m(m,{I}), m6(P) is equal to 0.
(a2): Since θ ≠ fdominant-m(m,{I}) and θ ≠ ¬fdominant-m(m,{I}) for any m and I, by Definition 6 we have: m6(θ) = 0.
(a3): It is satisfied since: Σ_{P⊆θ} m6(P) = Σ_{P⊆θ and P≠fdominant-m(m,{I}) and P≠¬fdominant-m(m,{I})} m6(P) + m6(fdominant-m(m,{I})) + m6(¬fdominant-m(m,{I})) = 0 + m6(fdominant-m(m,{I})) + 1 − m6(fdominant-m(m,{I})) = 1. ♦

Theorem 7: The belief function induced by each of the basic probability assignments mi (i = 1,…,6) has the following form:

Bel(P) = mi(Pi) if Pi → P, and
Bel(P) = 0 otherwise

where Pi is the predicate associated with mi or the negation of this predicate.

Proof: Let Fi be the subset of θ that corresponds to the predicate Pi and F the subset of θ that corresponds to P. Since Pi → P we will have that Fi ⊆ F. Then this theorem is a consequence of axiom (a5) and the definitions of m1,…, m6. ♦

Lemma 1: Let p1, p2, …, pn be atomic S-expressions referring to the elements of a model M and m1, m2, …, mn be the basic probability assignments associated with the predicate used in each of these expressions. Suppose also that Si and S̄i are the focals of mi (i = 1,…,n), and that for any i and j such that i ≠ j we have that Si ≠ Sj and Si ≠ S̄j. If m is the function resulting from the combination of m1, m2, …, mn, then m has the following
functional form:

m(X) = Π_{iεI} mi(Si) × Π_{jεĪ} mj(S̄j) if X = ∩_{iεI} Si ∩_{jεĪ} S̄j (for any I ⊆ {1,2,…,n})
m(X) = 0 if X ≠ ∩_{iεI} Si ∩_{jεĪ} S̄j (for any I ⊆ {1,2,…,n})

Proof: The core of each mi is Ci = Si ∪ S̄i where each Si corresponds to one of the subsets of the frame of discernment θ constructed for the model M as described in B.1 and S̄i corresponds to the complement of Si with respect to θ. Thus, Ci = θ for all i and

∩_{i=1,…,n} Ci = θ ≠ ∅ (L1.1)

From (L1.1) and Theorem 3.2 in [23, p. 61] it follows that the basic probability assignments mi can be combined. Note also that since we have assumed that Si ≠ Sj (for any i and j such that i ≠ j) it also holds that

for any I ⊆ {1,2,…,n} ∩_{iεI} Si ≠ ∅ (L1.2)
for any i and j such that i ≠ j, Si ⊄ Sj and Sj ⊄ Si (L1.3)

From (L1.2), we have that:

Σ_{i,j, i≠j} Σ_{Si ∩ Sj = ∅} mi(Si) × mj(Sj) = 0 (L1.4)

Thus, according to Theorem 3.1 in [23, p. 60], the basic probability assignments mi can be combined using the rule of the orthogonal sum (defined by axiom (a9) in Appendix A). The rule in this case is simplified to the following formula (since k0 = 0 due to (L1.4)):

m(P) = mi ⊕ mj (P) = Σ_{X∩Y=P} mi(X) × mj(Y) (L1.5)

The functional form of m = m1 ⊕ m2 ⊕ … ⊕ mn is proved by induction as follows.

For n=2: It follows from (L1.5) that m(P) ≠ 0 only if P = S1 ∩ S2, P = S1 ∩ S̄2, P = S̄1 ∩ S2, or P = S̄1 ∩ S̄2 since for any pair of subsets of θ, X and Y, such that X and/or Y is not one of the sets S1, S̄1 and/or Y is not one of the sets S2, S̄2 it will be that m1(X) = 0 and/or m2(Y) = 0. Furthermore, from (L1.5) we have that: m(S1 ∩ S2) = m1(S1) × m2(S2), m(S1 ∩ S̄2) = m1(S1) × m2(S̄2), m(S̄1 ∩ S2) = m1(S̄1) × m2(S2), and m(S̄1 ∩ S̄2) = m1(S̄1) × m2(S̄2).

For n=k: Let m = m1 ⊕ m2 ⊕ … ⊕ mk and suppose that:

m(X) = Π_{iεI} mi(Si) × Π_{jεĪ} mj(S̄j) if X = ∩_{iεI} Si ∩_{jεĪ} S̄j (for any I ⊆ {1,2,…,k})
m(X) = 0 if X ≠ ∩_{iεI} Si ∩_{jεĪ} S̄j (for any I ⊆ {1,2,…,k}) (L1.6)
For n=k+1: Let m′ = m1 ⊕ m2 ⊕ … ⊕ mk ⊕ m_{k+1}. From Theorem 3.3 in [23, p. 61] we have that: m′ = (m1 ⊕ m2 ⊕ … ⊕ mk) ⊕ m_{k+1} = m ⊕ m_{k+1}. Also according to (L1.5) the focals of m′ will be the pairwise intersections of the focals of m and the focals of m_{k+1} which by virtue of (L1.6) are the sets ∩_{iεI} Si ∩_{jεĪ} S̄j ∩ S_{k+1} and ∩_{iεI} Si ∩_{jεĪ} S̄j ∩ S̄_{k+1} (for any I ⊆ {1,2,…,k}) or, equivalently, the sets X = ∩_{iεI} Si ∩_{jεĪ} S̄j (for any I ⊆ {1,2,…,k+1}).

Furthermore, for each of these sets X by (L1.5) and (L1.6) we have that,

(a) If X = ∩_{iεI} Si ∩_{jεĪ} S̄j ∩ S_{k+1}:
m ⊕ m_{k+1}(X) = m(∩_{iεI} Si ∩_{jεĪ} S̄j) × m_{k+1}(S_{k+1}) = Π_{iεI} mi(Si) × Π_{jεĪ} mj(S̄j) × m_{k+1}(S_{k+1}) = Π_{iεI∪{k+1}} mi(Si) × Π_{jεĪ} mj(S̄j) (L1.7)

(b) If X = ∩_{iεI} Si ∩_{jεĪ} S̄j ∩ S̄_{k+1}:
m ⊕ m_{k+1}(X) = m(∩_{iεI} Si ∩_{jεĪ} S̄j) × m_{k+1}(S̄_{k+1}) = Π_{iεI} mi(Si) × Π_{jεĪ} mj(S̄j) × m_{k+1}(S̄_{k+1}) = Π_{iεI} mi(Si) × Π_{jεĪ∪{k+1}} mj(S̄j) (L1.8)

From (L1.7) and (L1.8), it follows that: m′(P) = Π_{iεI} mi(Si) × Π_{jεĪ} mj(S̄j) (for any I ⊆ {1,2,…,k+1}). ♦

Theorem 8: Let p1,…, pn be predicates of atomic S-expressions referring to characteristics of elements of a model M, and m1,…, mn be the basic probability assignments associated with each of these predicates, respectively. The belief in a non quantified S-expression p1 and p2 and … and pn is measured by the function:

Bel(and_{i=1,…,n} pi) = Π_{i=1,…,n} mi(pi) if pi ≠ pj and pi ≠ ¬pj (∀i, j: i ≠ j), and
Bel(and_{i=1,…,n} pi) = 0 otherwise.

Proof: Let S1, S2, …, Sn be the subsets of the frame of discernment θ constructed for M which represent the predicates p1, p2, …, pn, respectively.

(a) If pi ≠ pj and pi ≠ ¬pj: In this case we have that for all i and j such that i ≠ j, Si ≠ Sj and Si ≠ S̄j. Thus, the conditions about the focals of the basic probability assignments m1, m2, …, mn required by Lemma 1 are satisfied and, therefore, as shown in that lemma the assignments mi (i = 1,…,n) can be combined in any possible order. Let m be the basic
probability assignment resulting from their combination, that is m = m1 ⊕ m2 ⊕ … ⊕ mn. Then, it follows from the definition of a frame of discernment θ for a model M and axiom (a5) that,

Bel(and_{i=1,…,n} pi) = Bel(∩_{i=1,…,n} Si) = Σ_{X ⊆ ∩_{i=1,…,n} Si} m(X).

However, as we show in Lemma 1, the only subset X of θ such that m(X) > 0 and X ⊆ ∩_{i=1,…,n} Si is the set ∩_{i=1,…,n} Si itself. Thus, Bel(∩_{i=1,…,n} Si) = m(∩_{i=1,…,n} Si) and as a consequence of the same lemma, we have that: Bel(∩_{i=1,…,n} Si) = Π_{i=1,…,n} mi(Si).

(b) In the case where there is one pair i and j, such that Si = S̄j and for any other u and w such that u ≠ w, Su ≠ S̄w, we will have that pi = not pj and mi = mj. Without loss of generality, suppose that i=1 and j=2 and let p be the conjunction of pi and pj (p = pi and pj). Then, the subset of the frame of discernment corresponding to p will be: S = Si ∩ Sj = ∅. Also,

Bel(p1 and p2 and … and pn) = Bel(p and p3 and … and pn) (T8.1)

In this case, Bel is induced from a basic probability assignment m that results from the combination of the basic probability assignments m1, m3, …, mn, that is m = m1 ⊕ m3 ⊕ … ⊕ mn. As the conditions of (a) above are satisfied in this case, we have (as already proved) that:

Bel(p and p3 and … and pn) = m1(S) Π_{i=1,…,n} mi(Si) = m1(S) Π_{i=1,…,n} mi(Si) (T8.2)

However, as we proved in Theorems 1-6, for any basic probability assignment m in our framework, m(∅) = 0. Thus, from (T8.1) and (T8.2) we have that: Bel(p1 and p2 and … and pn) = 0. ♦

Theorem 9: Let p1,…, pn be predicates of atomic S-expressions referring to characteristics of elements of a model M, and m1,…, mn be the basic probability assignments associated with each of these predicates, respectively. The belief in a non quantified S-expression p1 or p2 or … or pn is measured by the function:

Bel(or_{i=1,…,n} pi) = Σ_{J⊆{1,…,n} and J≠∅} (−1)^{|J|+1} Bel(and_{iεJ} pi) if pi ≠ pj and pi ≠ ¬pj (∀i, j: i ≠ j), and
Bel(or_{i=1,…,n} pi) = 1 otherwise

Proof: Let S1, S2, …, Sn be the subsets of the frame of discernment θ constructed for M which represent the predicates p1, p2, …, pn, respectively.

(a) If pi ≠ pj and pi ≠ ¬pj: In this case we have that for all i and j such that i ≠ j, Si ≠ Sj and Si ≠ S̄j. Thus, as a consequence of the definition of θ in B.1 and axiom (a5) we have that:

Bel(p1 or p2 or … or pn) = Bel(∪_{i=1,…,n} Si) = Σ_{X ⊆ ∪_{i=1,…,n} Si} m(X) (T9.1)

Note, however, that m = m1 ⊕ m2 ⊕ … ⊕ mn (mi is the basic probability assignment associated with the predicate of the atomic S-expression pi) and by virtue of Lemma 1 the only subsets of ∪_{i=1,…,n} Si for which m > 0 are the sets: ∩_{iεI} Si ∩_{jεĪ} S̄j (for all I ⊆ {1,2,…,n} and I ≠ ∅). Therefore, Bel(∪_{i=1,…,n} Si) = Σ_{I⊆{1,2,…,n} and I≠∅} m(∩_{iεI} Si ∩_{jεĪ} S̄j) and by Lemma 1:

Bel(∪_{i=1,…,n} Si) = Σ_{I⊆{1,2,…,n} and I≠∅} Π_{iεI} mi(Si) × Π_{jεĪ} mj(S̄j). (T9.2)

From (T9.1) and (T9.2), we have that,

Bel(p1 or p2 or … or pn) = Σ_{I⊆{1,2,…,n} and I≠∅} Π_{iεI} mi(Si) × Π_{jεĪ} mj(S̄j) (T9.3)

Note also that due to Theorem 2.1 in [23]:

Σ_{I⊆{1,…,n} and I≠∅} (−1)^{|I|+1} Bel(∩_{iεI} Si) = Σ_{i=1,…,n} Σ_{B⊆Si} m(B)

However, by virtue of Lemma 1 it also holds that

Σ_{i=1,…,n} Σ_{B⊆Si} m(B) = Σ_{i=1,…,n} Σ_{I⊆N and N={1,2,…,n}−{i}} m(Si ∩_{uεI} Su ∩_{wεĪ} S̄w) = Σ_{I⊆{1,2,…,n} and I≠∅} m(∩_{uεI} Su ∩_{wεĪ} S̄w) = Σ_{I⊆{1,2,…,n} and I≠∅} Π_{uεI} mu(Su) × Π_{wεĪ} mw(S̄w)

Thus,

Σ_{I⊆{1,…,n} and I≠∅} (−1)^{|I|+1} Bel(∩_{iεI} Si) = Σ_{I⊆{1,2,…,n} and I≠∅} Π_{uεI} mu(Su) × Π_{wεĪ} mw(S̄w) (T9.4)

As a consequence of (T9.3) and (T9.4), we have that Bel(p1 or p2 or … or pn) = Σ_{I⊆{1,…,n} and I≠∅} (−1)^{|I|+1} Bel(∩_{iεI} Si) and therefore, as shown in Theorem 8: Bel(p1 or p2 or … or pn) = Σ_{J⊆{1,…,n} and J≠∅} (−1)^{|J|+1} Bel(and_{iεJ} pi).

(b) Suppose that there is one pair i and j, such that Si = S̄j. From Si = S̄j we have that pi = not pj and mi = mj. Without loss of generality, suppose that i=1 and j=2 and let p be the disjunction of pi and pj (p = pi or pj). Then, the subset of the frame of discernment
corresponding to p will be: S = Sj ∪ S̄j = θ. Thus, Bel(p1 or p2 or p3 or … or pn) = Bel((p1 or (not p1)) or p3 or … or pn) = Bel(θ ∪ S3 ∪ … ∪ Sn) = Bel(θ). However by axiom (a7), Bel(θ) = 1 and therefore, Bel(p1 or p2 or p3 or … or pn) = 1. ♦

Theorem 10: Given a set of elements S and a non quantified S-expression se(x) referring to a model element x, the belief in a quantified S-expression of the form S->exists(x | OCL-expression-over-x and se(x)) is measured by the function:

Bel(S->exists(x | OCL-expression-over-x and se(x))) = Σ_{J⊆S′ and J≠∅} (−1)^{|J|+1} Bel(and_{xεJ} se(x)) if S′ ≠ ∅
Bel(S->exists(x | OCL-expression-over-x and se(x))) = 0 if S′ = ∅

where S′ is the subset of the elements of S for which OCL-expression-over-x is true.

Proof: The truth value of the expression S->exists(x | OCL-expression-over-x) in OCL is True if the expression OCL-expression-over-x is True for at least one of the elements x of S and False otherwise (see p. 6-23 in [17]). Since and in OCL is defined as the normal boolean conjunction operator, the truth value of the expression

S->exists(x | OCL-expression-over-x and se(x)) (T10.1)

is equal to the truth value of the expression

S′->exists(x | se(x)) where S′ = {x | (x ε S) and OCL-expression-over-x = True} (T10.2)

If S′ ≠ ∅, assuming that e1, e2, …, en are the elements of S′, the truth value of the expression (T10.2) is equivalent to the truth value of the expression: se(e1) or se(e2) or … or se(en). However, for any i and j such that i ≠ j we also have that ei ≠ ej (since ei and ej are members of the same set). Thus, if Si and Sj are the subsets of the frame of discernment θ constructed for the model to represent se(ei) and se(ej), we will have that Si ≠ Sj, Si ≠ S̄j, Si ⊄ Sj and Sj ⊄ Si, and by Theorem 9,

Bel(se(e1) or se(e2) or … or se(en)) = Σ_{J⊆{1,…,n} and J≠∅} (−1)^{|J|+1} Bel(and_{iεJ} se(ei)) = Σ_{W⊆S′ and W≠∅} (−1)^{|W|+1} Bel(and_{xεW} se(x))
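
The orthogonal sum (a9) of Appendix A and the closed forms of Theorems 8 and 9 can be checked numerically on a small frame of discernment. The Python code below is an added example, not code from the paper or its prototype tool; the function names and the sample beliefs 0.6, 0.3 and 0.8 are assumptions made for illustration.

```python
"""Dempster-Shafer combination of predicate/complement assignments.

Added illustration: all names here are hypothetical and the sample
beliefs are constructed, not taken from the paper's experiments.
"""
from itertools import combinations, product
from math import prod


def frame(n):
    """Frame of discernment: every truth assignment to n boolean variables."""
    return frozenset(product((False, True), repeat=n))


def predicate_set(theta, i):
    """Subset of theta in which variable i is True (the set S_i)."""
    return frozenset(v for v in theta if v[i])


def predicate_bpa(theta, i, belief):
    """Assignment whose focals are S_i and its complement (Theorems 1-6)."""
    s = predicate_set(theta, i)
    return {s: belief, theta - s: 1.0 - belief}


def orthogonal_sum(m1, m2):
    """Rule (a9): multiply masses of intersecting focals, renormalise by 1 - k0."""
    combined, k0 = {}, 0.0
    for (x, mx), (y, my) in product(m1.items(), m2.items()):
        z = x & y
        if z:
            combined[z] = combined.get(z, 0.0) + mx * my
        else:
            k0 += mx * my  # belief that would fall on the empty intersection
    if k0 >= 1.0:
        raise ValueError("assignments are totally conflicting")
    return {z: v / (1.0 - k0) for z, v in combined.items()}


def bel(m, a):
    """Axiom (a5): sum the masses of all focals contained in a."""
    return sum(v for b, v in m.items() if b <= a)


def combine_all(theta, beliefs):
    """Orthogonal sum of one predicate assignment per variable index."""
    m = {theta: 1.0}  # vacuous assignment, neutral for the orthogonal sum
    for i, b in enumerate(beliefs):
        m = orthogonal_sum(m, predicate_bpa(theta, i, b))
    return m


def bel_and(theta, beliefs):
    """Bel of p1 and ... and pn, read off the combined assignment."""
    target = theta
    for i in range(len(beliefs)):
        target &= predicate_set(theta, i)
    return bel(combine_all(theta, beliefs), target)


def bel_or(theta, beliefs):
    """Bel of p1 or ... or pn, read off the combined assignment."""
    target = frozenset()
    for i in range(len(beliefs)):
        target |= predicate_set(theta, i)
    return bel(combine_all(theta, beliefs), target)


def bel_or_theorem9(beliefs):
    """Theorem 9's alternating sum, with Theorem 8's product per conjunction."""
    n = len(beliefs)
    return sum(
        (-1) ** (size + 1) * prod(beliefs[i] for i in subset)
        for size in range(1, n + 1)
        for subset in combinations(range(n), size)
    )


def contradictory_pair(theta, belief):
    """Case (b) of Theorems 8 and 9: returns (Bel(p and not p), Bel(p or not p))."""
    m = predicate_bpa(theta, 0, belief)
    s = predicate_set(theta, 0)
    return bel(m, s & (theta - s)), bel(m, s | (theta - s))


if __name__ == "__main__":
    theta = frame(4)              # constructed frame with four variables
    beliefs = [0.6, 0.3, 0.8]     # constructed beliefs for three predicates
    print(bel_and(theta, beliefs), bel_or(theta, beliefs), bel_or_theorem9(beliefs))
    print(contradictory_pair(frame(2), 0.7))
```

For distinct predicates k0 is 0, so the renormalisation only takes effect when two assignments share a predicate, for instance when an assignment is combined with itself.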
