Integrating Z and Cleanroom

We describe an approach to integrating the Z specification notation into Cleanroom-style specification and verification. In a previous attempt, a group at IBM used formal refinement of the Z in their development. They concluded that this was not cost-effective in a commercial environment, and the attempt was not judged successful. The current approach avoids formal refinement, and instead begins by converting the Z to a fully constructive form, expressing all state changes using an assignment notation. The development then proceeds in Cleanroom style, with sections of the Z specification simply distributed among the program components to serve as their specifications. In a pilot project, this approach was found to work quite well, with development proceeding smoothly and predictably as normally expected with Cleanroom methods. 1 History of the problem In the early 1990s, a group of technical staff at the IBM laboratory at Hursley Park (near Winchester, England) attempted to integrate two software engineering technologies which IBM had previously used separately with considerable success: the Z specification notation and the Cleanroom method. The Z notation [15] [6] [13] [17] [18] is based on set theory and other basic elements of discrete mathematics, and incorporates novel structuring constructs (schemas and the schema calculus). Z technology also includes methods for the formal refinement of specifications into designs and code. The core of the Cleanroom method [10] [8] [16] is formal or semiformal specification, and corresponding verification done by a development group in review meetings. Other elements of the method include notations and techniques for stepwise refinement, testing based on expected usage patterns, statistical analysis of test results to predict product quality, and incremental development. IBM had had considerable experience with both technologies. The Cleanroom method was developed largely at IBM, by Harlan Mills and his colleagues in the Federal Systems Division. By the time of the Hursley experiment, it had been used successfully on a number of industrial-sized projects at IBM and elsewhere. The results were striking: very low levels of defects in the products, with no net loss and often a net gain in productivity [8] [3]. IBM had just finished a substantial development project at Hursley using Z, in collaboration with its developers at Oxford University [5]. The project was a major new release of the CICS transaction processing system: 268,000 lines of new and modified code, of which 37,000 lines were specified and designed using Z and another 11,000 lines were partially specified in Z. For the parts produced using Z, IBM reported a higher percentage of defects eliminated early in the development, a lower level of defects in the final product, and an estimated 9% reduction in development costs. IBM and Oxford were jointly given the Queen’s Award for Technological Achievement for 1992 on the basis of this work. The CICS group at Hursley hoped that Z and Cleanroom methods could be used together, and would complement each other to produce products of even higher quality than with either separately. The approach that they took was to write specifications in Z initially; to proceed with formal refinement steps as normally done in Z; to write the correctness criteria for these refinements as mathematical theorems; and to prove these theorems in review meetings, as normally done in Cleanroom.