Evidential diagnosis of inconsistencies in object oriented designs

Evidential Diagnosis of Inconsistencies in Object-Oriented Designs
George Spanoudakis Kuriakos Kasis Flora Dragazi
Department of Computing
City University,
Northampton Square, London EC1V 0HB, UK
E–mail (of contact author): gespan@soi.city.ac.uk
Abstract
This paper presents a diagnostic framework for assessing the significance of
inconsistencies (i.e., violations of consistency rules) in software design models
expressed in the Unified Modeling Language (UML). The assessment is based on
significance criteria that software designers can specify and associate with specific
consistency rules. These criteria define characteristics that the model elements involved
in the violation of a rule should have for the inconsistency to be significant, and they are
specified in a formal language derived from the Object Constraint Language (OCL). The
satisfiability of the criteria by individual model elements is measured by belief functions
defined by the framework. The measures generated by these functions are used to rank
the inconsistencies caused by different model elements. The presented framework has
been evaluated through a set of experiments. The results of these experiments show that
criteria definable in the framework can be used to produce relatively elaborate
significance-rankings of inconsistencies.
Keywords: diagnosis of inconsistencies, object-oriented design, software metrics,
beliefs, Dempster-Shafer theory
1. Introduction
This paper presents a diagnostic framework for assessing the significance of
1

inconsistencies in object-oriented design models of software systems expressed in the
Unified Modeling Language (UML)1
. Inconsistencies occur as violations of specific
consistency rules [7, 27]. As an example consider a UML design model with a set of
object interaction diagrams (i.e. sequence and/or collaboration diagrams), and a
consistency rule requiring that the messages which are dispatched in the execution of an
operation in one interaction diagram of the model must be the same with the messages
which are dispatched in the execution of the same operation in any other interaction
diagram of it. In this example, an inconsistency would arise if the execution of the same
operation dispatches different sets of messages in different interaction diagrams.
Inconsistencies are inevitable in software development [22]. And, although they should
be settled eventually, they may need to be tolerated temporarily to give designers a
chance to work independently developing different parts of a model without the need for
continual reconciliation. Thus, in settings providing freedom for groupwork, it is important
to be able to diagnose the significance of an inconsistency in order to decide when and
with what degree of priority it has to be settled [7, 13, 27].
In the diagnostic framework described in this paper, the significance of an inconsistency
is assessed based on the impact that it may have to different parts of a design model.
This impact is indicated by particular characteristics of the elements of the model that
have caused the inconsistency and which make possible the propagation of its effects
from these elements to other parts of the model. For instance, an inconsistency in the
specification of an operation that has arisen as a violation of the rule described above
may be considered to be significant only if the operation is inherited by many classes of
the system or, equivalently in terms of our framework, if it is defined in a class that has
the characteristic of genericity (see Section 3.1 below).
1
This framework has been developed as part of a semi-automatic method for managing inconsistencies in object-oriented
software models called "reconciliation". A full description of this method can be found in [25]. An account of the framework at
an earlier stage of its development may also be found in [26].
2

The diagnostic framework identifies characteristics of the main kinds of elements in UML
design models (i.e., classes, association ends, operations and messages) which can
propagate the impact of inconsistencies involving these elements to other elements of
the model. These characteristics are the genericity and coordination capacity of classes,
the functional essentiality of association ends, the charactericity of operations, and the
functional dominance and coordinating capacity of messages. The framework allows
software designers to specify significance criteria determining the characteristic (or
logical combination of characteristics) that should be taken into account in assessing the
significance of inconsistencies which arise as violations of specific consistency rules.
These criteria are specified using a formal language derived from the Object Constraint
Language (OCL) [17], called "S-expressions". The consistency rules are specified in
OCL.
The satisfaction of a significance criterion by the model elements which have caused a
set of inconsistencies is based on the computation of beliefs according to functions which
satisfy the axiomatic foundation of Dempster−Shafer basic probability assignments [23]
and have been defined in the framework for this purpose. These beliefs are used to rank
and prioritize the inconsistencies.
The rest of the paper is structured as follows. In Section 2, we overview the
representation scheme assumed by the significance diagnosis framework. In Section 3,
we introduce the characteristics of model elements used by the framework and define
the belief functions associated with these characteristics. In Section 4, we establish a
scheme for expressing consistency rules and significance criteria, and for evaluating the
significance of rule violations according to these criteria. In Section 5, we overview the
tool that we have developed to implement the framework. In Section 6, we present the
results of a set of experiments that we have conducted to evaluate the framework. In
Section 7, we give an overview of related work, and in Section 8 we present conclusions
and discuss directions for further work. The paper has also three appendices (Appendix
3

A, B and C). Appendix A provides an overview of the Dempster-Shafer theory of
evidence (referred to as "D-S theory" in the following). Appendix B provides the proofs for
theorems which establish properties of these functions and combine them to obtain
beliefs for significance criteria. Appendix C provides the grammar for S-expressions.
2. Representation framework
Our significance diagnosis framework is defined in reference to the meta-model of UML
[18]. A complete description of this meta-model is beyond the scope of this paper and
may be found in [18]. In this section, we only give an overview of the parts of the meta-
model which are used in the definitions of the framework and refer to classes,
associations, operations, object interactions and messages (see Fig. 1).
Fig. 1. Elements of UML class models (adapted from Figures 2-5, 2-6, 2-16, 2-20 and 2-
22 in [18])
4
Class
isActive : Boolean
GeneralizableElement
BehavioralFeature
Param eter
*
0..1
+parameter
*{ordered}
0..1
StructuralFeature
Generalization
discriminator : Name
*
1
+generalization *+child
1
*
1
+specialization *+parent
1
Attribute
AssociationEnd
isNavigable : Boolean
ordering : OrderingKind
aggregation : AggregationKind
targetScope : ScopeKind
multiplicity : Multiplicity
changeability : ChangeableKind
visibility : VisibilityKind
Interaction
(from Collaborations)
Feature
Classifier
*
0..1
+feature
*
+owner
0..1
1
*
+type 1
*
1
*
+type 1
*
*
1
*
+type 1
ModelElement
name : Name
ClassifierRole
Association
2..*
1
+connection 2..*
1
AssociationRole
Action
Message
(from Collaborations)
*
0..1
*
+activator
0..1
*
*
+predecessor *
*
1..*
1
+m essage 1..*
1
1
*
+sender
1
**
1
*
+receiver
1
0..1
*
+com municationConnection0..1
*
+action
*
1
*
1
CallAction
(from Common Behavior)
Operation
0..*
1
0..*
+call1
Calls

More specifically, as shown in Fig. 1, in the UML meta-model:
• Classes are represented as instances of the meta-class Class and are associated
with the operations, attributes and methods that they own via the association end
feature.
• Operations are represented as instances of the meta-class Operation.
• Associations are represented as instances of the meta-class Association. An
association has two or more association ends which are attached to the classes
related by it. These association ends are represented as instances of the meta-class
AssociationEnd. The classes which are attached to association ends are called the
types of these ends and are related to them via the association end type. In a binary
association between two classes c1 and c2, the end attached to c2 (c1) is called
"opposite association end" of c1 (c2).
• Generalisation (Isa) relationships between classes are represented as instances of
the meta-class Generalisation.
• Object interactions are represented as instances of the meta-class Interaction and
are associated with the messages that they include by the association end message.
• Messages are represented as instances of the meta-class Message. A message m is
associated with: (1) the class of the object that dispatches it (via the opposite
association end sender), (2) the class of the object that receives it (via the opposite
association end receiver), (3) the association that is used to obtain a reference to the
object that receives the message (via the opposite association end
communicationConnection), (4) the message that invokes the operation in the
execution of which m is dispatched (via the opposite association end activator), (5)
the messages which must be dispatched before m in the execution of the operation
that dispatches m (via the opposite association end predecessor), and (6) the action
that invokes the operation that m is meant to invoke (via the opposite association end
action).
3. Characteristics of model elements
3.1 Class genericity
5

In the diagnosis framework, a class is said to be "generic" if it has numerous subclasses.
Generic classes normally abstract operations for groups of services which have to be
implemented by their subclasses. They also specify the internal state of the instances of
these subclasses which is required to implement the operations. Thus, generic classes
provide a basis for specifying clients of services without being aware of the exact class
that provides them. Class genericity is identified as a characteristic in our framework
because inconsistencies in the specifications of generic classes may affect not only
these classes but also their subclasses, and the classes that use their operations.
Fig. 2. A generalisation hierarchy of command classes
A generic class in our framework is denoted by the special predicate generic(c). The
belief function associated with this predicate is defined as follows:
Definition 1: The belief in whether or not a class c in a model M is generic is measured
by the function:
m1(generic(c)) = |c.Sub*| / | M.Classes − {c}|
m1(¬generic(c)) = 1 − m1(generic(c))
6
Command
execute()
SearchByAuthor
execute()
SearchByTitle
execute()
DeleteItemCommand
execute()
InsertItemCommand
execute()
SearchCommand
execute()
Keyword+key
SearchByKeyword
execute()
SearchForm
+sform
DatabaseCommand
execute()
DBHandler+imp
getImp()

where (i) c.Sub* is the set of the direct and indirect subclasses of c, and (ii) M.Classes is
the set of classes of the model M (the expression |s| denotes the cardinality of the set s).
According to m1, the degree of belief in the genericity of a class is 1 if every class in the
model of c is a subclass of it. Furthermore, m1 is a D-S basic probability assignment (see
Theorem 1 in Appendix A).
Example: Fig. 2 shows various commands for using a library system which are modeled
as a generalisation hierarchy of command classes following the command pattern in [10].
The degrees of belief in the genericity of the command classes Command,
SearchCommand, and SearchByKeyword in this hierarchy generated by m1 are:
m1(generic(Command)) = 0.7, m1(generic(SearchCommand)) = 0.3, and
m1(generic(SearchByKeyword)) = 0
3.2 Coordinating capacity of classes
In a software design model, some classes exist to coordinate interactions between other
classes. In our framework, these classes are said to have a coordinating capacity in the
set of interactions that they coordinate. The need for coordinating classes is evident from
numerous design patterns, including the mediator, observer, facade [10], and
rendezvous [4]. Such classes encapsulate the protocols of interactions between other
classes and therefore an inconsistency involving them can have an impact on both the
classes and the interactions coordinated by them. Despite differences in the structure
and behaviour of coordinating classes in different coordination patterns, a common
characteristic of them is that they send messages to or receive messages from all the
classes that they coordinate. Drawing upon this observation, the belief function
associated with the predicate coordinating-c(c,S), which denotes the coordinating
capacity of a class c in the interaction S, is defined as follows:
7

Definition 2: The belief in whether or not a class c has a coordinating capacity in a set of
object interactions S is measured by the function:
m2(coordinating-c(c,S)) = |Com(c,S)| / |Classes(S) − {c}|
m2(¬coordinating-c(c,S)) = 1 − m2(coordinating-c(c,S))
where
• S is a set of interactions
• Com(c,S) is the set of the classes whose instances send messages to or receive
messages from the instances of c in the interactions of the set S excluding c, defined
as: Com(c,S) = {v | (v ε M.Classes) ∧ (∃ I, m): (I ε S) ∧ (m ε I.message) ∧ ((m.sender
= v) ∧ (m.receiver = c)) ∨ ((m.sender = c) ∧ (m.receiver = v)) ∧ (v ≠ c)}
• Classes(S) is the set of the classes which are the receivers or senders of messages
in the interactions of S defined as: Classes(S) = {w | (∃ I, m): (I ε S) ∧ (m ε I.message)
∧ ((m. receiver = w) ∨ (m. sender = w))}
According to the definition of m2, the more the classes whose instances send messages
to or receive messages from the instances of a class c in a set of interactions S the
higher the degree of belief in the coordinating capacity of c in S. This degree of belief
becomes equal to 1, when the instances of c in the interactions of S send a message to,
or receive a message from an instance of every other class in these interactions.
Furthermore, m2 is a D-S basic probability assignment (see Theorem 2 in Appendix B).
Example: As an example of using m2 to measure the coordinating capacity of classes
consider the sequence diagrams of Fig. 3. These diagrams specify interactions that
support the search for books in a library system. As shown in the diagram I1 of Fig. 3, a
search menu (SearchMenu) is used to activate one of the three different search options
offered by the system (i.e., searching by keywords, author name or title). These options
are realised by the command classes SearchByKeyword, SearchByAuthor and
SearchByTitle, respectively. The diagram I2 in the same figure shows the interaction that
realises the first of these options (i.e., searching by keywords).
8

The class SearchByKeyword has a coordinating capacity in I2 as it displays a search
form, gets keywords from this form, formulates a database query and forwards this query
to another class to execute it. Unlike it, the class SearchMenu does not have a
coordinating capacity in I2. SearchMenu merely handles an event indicating the user's
request for searching by keywords, and sends the message execute() to the command
class that is meant to realise this request (i.e., SearchByKeyword). The degrees of belief
that m2 generates for the coordinating capacity of these classes reflects this difference
as: m2(coordinating-c(SearchByKeyword,{I2})) = 0.8, and m2(coordinating-c(SearchMenu,
{I2})) = 0.2.
: SearchByKeyword: Search
Menu
: SearchByAuthor : SearchByTitle
: User
1: selects_search_option
2: execute( )
3: execute( )
4: execute( )
[ option = "search by keyword" ]
[ option = "search by author" ]
[ option = "search by title" ]
: SearchMenu : SearchForm : DBHandler : Statement: TextField: SearchByKeyword
1: execute( ) 2: setVisible(boolean)
3: getKeywords() 4: getText()
5: formulateQuery()
6: executeQuery(String,OCollection)
7: executeQuery()
8: toObjCollection(result)
I1 −
Interaction for selecting among search options
I2 −
Interaction for searching by keywords
9

Fig. 3. Interactions for a library system
Note, however, that SearchMenu has a coordinating capacity in I1 as in this interaction, it
accepts a user request and decides which is the appropriate command class to forward it
to. The belief in its coordinating capacity in I1 is m2(coordinating-c(SearchMenu,{I1})) = 1.
The differences in the coordinating capacity of the same class in different interactions
shown in this example indicate that it may also be useful to assess this capacity across
more than one interaction. By virtue of its definition, m2 can be used for this purpose. In
our previous examples, for instance, the beliefs in the coordinating capacity of
SearchMenu and SearchByKeyword across I1 and I2 are:
m2(coordinating-c(SearchMenu, {I1,I2})) = 0.428, and m2(coordinating-
c(SearchByKeyword, {I1, I2})) = 0.428.
3.3 Functional essentiality of association ends
If an object oi needs to send a message m to another object oj, it may get a reference to
it through: (1) a local variable in the operation that dispatches m, (2) one of the
parameters of the activator of m, or (3) an opposite association end of it that is attached
to oj. In case (3), the existence of the association end that is used to get the reference to
oj is essential for sending the message m. In our framework, such association ends are
said to be "functionally essential" as they enable instances of classes to send messages.
As the way of obtaining a reference to the recipient of a message may not be specified in
a UML interaction diagram, the functional essentiality of association ends in a design
model cannot always be established with certainty. It is, however, possible to measure
the probability of using an opposite association end a of a class c to obtain a reference to
the recipient of at least one of the messages sent by the instances of c in the interactions
of a model or, equivalently, the probability of the association end a be functionally
10

essential for c. This probability can be measured assuming that when an object sends a
message m: (a) it may use any of the ways (1)-(3) above to obtain a reference to the
recipient of m with equal chance (Assumption 1), and (b) that the use of an association
end a in obtaining a reference to the recipient of m is independent from the use of a in
obtaining a reference to the recipient of any other message (Assumption 2).
Based on these two assumptions the function for measuring the probability of using an
association end a to obtain a reference to the recipient of at least one of the messages
sent by the instances of a class c can be derived as follows. Suppose that in the
interactions of a model there are k messages sent by the instances of c and received by
instances of the class attached to its opposite association end a. Let also Mi (i=1,…,k) be
propositions denoting that the association end a is used to get a reference to the
recipient of the message i. Then, if a is defined to be functionally essential for c if and
only if it is used to get a reference to the recipient of at least one of these messages, the
probability of the functional essentiality of a for c is:
Prob(OR i=1,…,kMi) = 1 − Prob(¬ (OR i=1,…,kMi)) = 1 − Prob(AND i=1,…,k ¬Mi) = (due to
Assumption 2)
1 − Π i=1,…,k Prob(¬Mi) = 1 − Π i=1,…,k (1 − Prob(Mi))
Then, if Rel(a,c) is the set of the opposite association ends defined in or inherited by the
class c that have the same type as a and n(i,a) is the number of the parameters of the
message i that have the same type as a, Prob(Mi) becomes equal to 1/(|Rel(a,c)| + n(i,a)
+ 1) due to Assumption 1 above (1 is added to the denominator of the formula for
Prob(Mi) in order to account for the possibility of using a local variable for identifying the
recipient of a message). Thus, Prob(OR i=1,…,kMi) = 1 − Π i=1,…,k (1 − 1/(|Rel(a,c)| + n(i,a) +
1)). Drawing upon this result, we define the belief function associated with the predicate
fessential-a(a,c), which denotes that the association end a is functionally essential for c,
as follows:
11

Definition 3: The degree of belief in whether or not an opposite association end a is
functionally essential for a class c of a model M is measured by the function:
m3(fessential-a(a,c)) = 1− Π m ε Mes(a,c,M) (1− 1/(|Rel(a,c)| + n(m,a) + 1))
if Mes(a,c,M) ≠ ∅
m3(fessential-a(a,c) ) = 0 if Mes(a,c,M) = ∅
m3(¬fessential-a(a,c)) = 1 − m3(fessential-a(a,c))
where
• Mes(a,c,M) is the set of messages sent by the instances of c (or its subclasses) to
instances of the type of the association end a in M: Mes(a,c,M) = {k | (∃ I): (I ε
M.Interactions) ∧ (k ε I.message) ∧ (k.sender ε (c.Sub* ∪ {c})) ∧ (k.receiver = a.type)}
• M.Interactions is the set of interactions of the model M
• n(m,a) is the number of the parameters of the message m that have the same type as
a
• Rel(a,c) is the set of the opposite association ends defined in or inherited by c that
have the same type as a:
Rel(a,c) = {o | ((o ε M.AssociationEnd) ∧ (∃ e, r): (r ε M.Association) ∧ (o ε r.connection)
∧ (e ε r.connection) ∧ (e ≠ o) ∧ (e.type ε (c.Isa* ∪ {c})) ∧ (a.type = o.type))}
• M.AssociationEnd and M.Association are the sets of the association ends and
associations of M, respectively
• c.Isa* is the set of the direct and indirect superclasses of c.
As we prove in Appendix B, m3 is a D-S basic probability assignment (see Theorem 3 in
this appendix).
Example: Given the messages of the interaction diagram I2 in Fig. 3, the degrees of
belief in the functional essentiality of the opposite association ends key, imp, and sform
of the class SearchByKeyword in Fig. 2 are: m3(key,SearchByKeyword) = 0,
m3(imp,SearchByKeyword) = 0.5, and m3(sform,SearchByKeyword) = 0.75. According to
these belief measures, the association end sform is more likely to be functionally
essential for the class SearchByKeyword than the end imp. This is because
12

SearchByKeyword sends two messages to instances of the type of sform but only one
message to instances of the type of imp. Thus, it is more likely for sform to have been
used for obtaining a reference to the recipient of any of the former two messages than
imp to have been used for obtaining a reference to the recipient of the latter message.
3.4 Charactericity of operations
An operation that is overridden by most of the classes in its "scope" (i.e., the set of the
classes which introduce or inherit it) is significant for the design of a system as it often
constitutes a basic kind of behaviour which must be available in objects of different types
even if it is realised in different ways by these objects. In our framework, we refer to such
operations as "characteristic" operations and denote them using the special predicate
characteristic-o(o). Examples of characteristic operations are often found in class
libraries of object-oriented programming languages. In Java’s abstract windows toolkit
library (AWT) [28], the operation processEvent() that is defined in the class Component
(i.e. the root of the component class hierarchy) is characteristic as it is overridden in all
the classes that represent the different kinds of user interface components in the library
to provide an implementation suitable for handling events relevant to them.
Based on the above observations, the belief function associated with the predicate
characteristic-o(o) is defined as follows:
Definition 4: The degree of belief in whether or not an operation o is characteristic is
measured by the function:
m4(characteristic-o(o)) = Πc ε Oclasses(o) |Ov(o,c)∪{c}| / | c.Sub*∪{c}|
m4(¬characteristic-o(o)) = 1 − m4(characteristic-o(o))
where
• Oclasses(o) is the set of the most general superclasses of the class of o which define
an operation with the same signature as o, called original classes of o: Oclasses(o) =
{ c | ((c ε o.owner.Isa* ∪ {o.owner}) ∧ (∃x): (x ε M.Operation) ∧ (x.owner = c) ∧
13

(x.name = o.name) ∧ (∀p): ((p ε x.parameter[i]) → (∃q): ((q ε o.parameter[i]) ∧ (p.type
= q.type))) ∧ (∀q) : ((q ε o.parameter[i]) → (∃p): ((p ε x.parameter[i]) ∧ (p.type =
q.type))) ∧ (¬ (∃ c',o'): ((o' ε M.Operation) ∧ (c' = o'.owner) ∧ (o'.name = o.name) ∧ (c'
ε c.Isa*) ∧ (∀p'): ((p' ε o'.parameter[i]) → (∃q'): ((q' ε o.parameter[i]) ∧ (p'.type =
q'.type))) ∧ (∀q'): ((q' ε o.parameter[i]) → (∃p'): ((p' ε o'.parameter[i]) ∧ (p'.type =
q'.type))))) }
• M.Operation is the set of the operations of the model M
• z.parameter[i] denotes the i-th parameter of the operation z
• Ov(o,c) is the set of the subclasses of c which override o: Ov(o,c) = { c' | ((c ε c'.Isa*)
∧ (∃o'): ((o' ε M.Operation) ∧ (o'.owner = c') ∧ (∀p'): ((p' ε o'.parameter[i]) → (∃q'): (q' ε
o.parameter[i]) ∧ (p'.type = q'.type))) ∧ (∀q'): ((q' ε o.parameter[i]) → (∃p'): ((p' ε
o'.parameter[i]) ∧ (p'.type = q'.type)))) }
According to m4, the more the classes in the scope of an operation o which override it the
higher the belief that o is a characteristic operation. This belief becomes 1 if o is
overridden by every class in its scope. Furthermore, m4 is a D-S basic probability
assignment (see Theorem 4 in Appendix B).
Example: m4 generates the following beliefs in the charactericity of the operations
Command.execute() and DatabaseCommand.getImp() in Fig. 2:
m4(Command.execute()) = 1 and m4(DatabaseCommand.getImp()) = 0.14. The
difference in the beliefs in the charactericity of Command.execute() and
DatabaseCommand.getImp() reflects the fact that the former operation is overridden by
all command classes in order to trigger the execution of the functionality realised by the
command while the latter operation fetches the object attached to an association end.
3.5 Coordinating capacity of messages
Messages invoke operations which may: (a) provide part of the internal functionality of a
class, or (b) coordinate the interaction of a group of other objects by invoking operations
14

in them, combining the data that these operations may generate, and eventually notifying
the combined outcome of the interaction to the sender of the message that invoked
them. The operations of the latter kind have the most significant role in the design of a
system as they encapsulate the coordination of complex interactions among other
objects and, thus, make it possible to separate the internal functionality of these objects
from the functionality required to realise their interactions. Consequently, an
inconsistency involving a coordinating operation is likely to have a significant impact in a
model.
In a design, what characterises coordinating operations is the fact that most of the other
operations which need to be executed in different objects to deliver their functionality are
directly invoked by them. In UML design models, however, the only evidence about the
operations which are invoked by an operation o comes from the messages which are
dispatched by the message that invokes o in the interactions of the models. Based on
such evidence, it may − for instance − be concluded that the operation invoked by the
message executeQuery(String,OCollection) in the interaction diagram I2 of Fig. 3 is a
coordinating operation. This is because executeQuery(String,OCollection) invokes
directly all the operations that are needed to provide its functionality, namely the
operations executeQuery() and toObjCollection(result).
In our framework, we attribute the coordinating capacity of operations to the messages
that invoke them (and can in turn be used to assess it). This capacity is signified by the
special predicate coordinating-m(m,S) (the meaning of this predicate is that the message
m has a coordinating capacity in the set of interactions S) which is associated with the
following belief function:
Definition 5: The belief in whether or not a message has a coordinating capacity in a set
of object interactions S of a model M is measured by the function:
m5(coordinating-m(m, S)) = |Dsig(m, S)| / |Asig(m, S)| if Asig(m, S) ≠ ∅
15

m5(coordinating-m(m, S)) = 0 if Asig(m, S) = ∅
m5(¬coordinating-m(m, S)) = 1 − m5(coordinating-m(m, S))
where
• S is a set of interactions
• Dsig(m, S) is the set of the signatures of the messages directly dispatched by m in
the interactions of S, formally defined as: Dsig(m, S) = {sig(v) | (v ε Dmes(m,S)}
• Dmes(m, S) is the set of the messages directly dispatched by m in the interactions of
S, formally defined as:
Dmes(m, S) = {v | (∃ I): (I ε S) ∧ (m ε I.message) ∧ (v ε I.message) ∧ (v.activator = m)}
• sig(v) is an ordered tuple that we call "signature" of v and define as:
- sig(v) = <r, n, t1, …, tk > if v.action is an operation calling action
- sig(v) = <r, n> if v.action is not an operation calling action
- r = v.receiver, n = v.name, and ti = v.action.operation.parameter[i].type
- two signatures: sig(v) = <r,n, t1,…,tk > and sig(v') = <r',n',t'1,…,t'k> are defined to be
equal if and only if:
(r = r') and (n = n') and (ti = t'i ) for all i=1,…,k
• Asig(m,S) is the set of the signatures of the messages which are directly or
transitively dispatched by m in the interactions of S, formally defined as: Asig(m, S) =
{sig(v) | (v ε Dmes(m,S)} ∪(v ε Dmes(m,S)) Asig(v,S)
According to Definition 5, the more the messages which are directly dispatched by m in
relation to the total number of messages which are dispatched (directly or indirectly) by
m the higher the degree of belief in the coordinating capacity of m. m5 establishes the
transitive closure of the messages dispatched by a message m with respect to all the
interactions in a given set of interactions S. Thus, it is not sensitive to cases where
different sets of messages appear to be dispatched by the same message m in different
interactions of a model. Furthermore, m5 is a D-S basic probability assignment (see
Theorem 5 in Appendix B).
Examples: The beliefs in the coordinating capacity of the messages execute(),
16

executeQuery(String,Ocollection) and setVisible(boolean) in I2 are: m5(coordinating-
m(execute(),{I2})) = 0.57, m5(coordinating-m(executeQuery(String,Ocollection),I2)) = 1,
and m5(coordinating-m(setVisible(boolean),{I2})) = 0.
3.6 Functional dominance of messages
In an interaction, there may be messages invoking operations which trigger directly or
transitively operations that realise substantial parts of it. In interaction I2 of Fig. 3, for
instance, the message execute() transitively invokes all the operations which realise it. In
our framework, such messages are said to be "functionally dominant". An inconsistency
in the specification of a functionally dominant message is significant since it may prevent
the entire interaction from taking place. The functional dominance of a message m in an
interaction I is denoted by the special predicate fdominant-m(m,I). The belief function
associated with this predicate is defined as:
Definition 6: The belief in whether or not a message m is functionally dominant in an
object interaction I is measured by the function:
m6(fdominant-m(m,I)) = (|Ames(m, {I})| + 1)/ |I.message – {m}|
m6(¬fdominant-m(m,I)) = 1 − m6(fdominant-m(m,I))
where (i) Ames(m, {I}) is as defined in Definition 5, and (ii) I.message is the set of all the
messages of the interaction I.
According to Definition 6, the more the messages which are dispatched by a message m
in an interaction I in relation to the total number of messages dispatched in I, the higher
the belief that m6 generates for the functional dominance of m. Furthermore, m6 is a D-S
basic probability assignment (see Theorem 6 in Appendix B).
Example: The degrees of belief generated by m6 in the functional dominance of the
messages execute() and executeQuery(String, Ocollection) and setVisible(boolean) in
the interaction I2 of Fig. 3 are: m6(fdominant-m(execute(), I2)) = 1.0, m6(fdominant-
17

m(executeQuery(String, Ocollection), I2)) = 0.28, and m6(fdominant-
m(setVisible(Boolean), I2)) = 0. The above beliefs reflect the fact that execute() invokes
directly or transitively all the operations of the interaction, executeQuery(String,
Ocollection) invokes directly the operations which realise only one part of the interaction
(i.e., the retrieval of data), and setVisible(boolean) invokes only one operation.
4. Assessment of the significance of inconsistencies
4.1 Specification of consistency rules and significance criteria
In our framework, an inconsistency is defined as a violation of a specific consistency rule.
To assess the significance of inconsistencies, we introduce a scheme for specifying
significance criteria and associating them with consistency rules. These criteria define
the characteristics that the elements involved in the violation of a rule should have for the
violation to be significant. Fig. 4 shows a conceptual meta-meta-model (M2 model) of the
scheme for specifying consistency rules and significance criteria. According to this
scheme, a consistency rule is specified as an instance of the meta-meta class
Consistency Rule and must be associated with exactly one class in the UML meta-model
that is referred to as its context. A consistency rule is evaluated against the instances of
its context (e.g., a consistency rule whose context is the meta-class Class is evaluated
against all the classes of a UML model).
Consistency rules are specified by expressions of the Object Constraint Language (OCL)
[17]. OCL expressions are specified using the logical operators "and", "or", "implies" and
"not" (these operators have the same semantics as the logical conjunction, disjunction
implication and negation in predicate calculus, respectively) and the set operators "forall"
and "exists". The latter operators quantify a condition over the elements of the set they
apply to and their semantics are the same as the semantics of the universal and
existential quantifier of predicate calculus. Thus, an expression of the form set->forall(x |
18

OCL-condition-over-x) becomes true if OCL-condition-over-x is true for all the elements
of set. Similarly, an expression of the form set->exists(x | OCL-condition-over-x) becomes
true if OCL-condition-over-x is true for at least one of the elements of set.
Fig. 4. A conceptual model of the scheme for specifying consistency rules and
significance criteria
An example of a consistency specified in OCL is Rule-1 below2
:
Rule-1: context: Message
OCL-expression:self.action.oclIsTypeOf(CallAction) implies
self.sender.feature−>exists(a: Attribute  a.type = self.receiver) or
Association.allInstances−>exists(r  r.connection−>exists(e1, e2  (e1 <> e2)
and (e1.type = self.sender) and (e2.type = self.receiver) and (e2.isNavigable =
True)))
Rule-1 requires there must be either an association or an attribute between the sender
and receiver classes of every message in an interaction of a UML model that is navigable
from the former to the latter class.
According to the scheme of Fig. 4, a consistency rule may be associated with zero or
more significance criteria which are used to evaluate the significance of its violations. A
significance criterion is defined by an S-expression specifying a logical combination of
characteristics which the model elements that have caused the violation of the rule (or
other model elements related to them) must have for the violation to be significant. S-
expressions can be either atomic (i.e., expressions that contain only one of the
2
In the OCL and S-expressions appearing in this paper strings in bold typeface and Italics are reserved OCL keywords and
names established in the UML meta-model, respectively. self in these expressions refers to an instance of the class that is
the context of the involved consistency rule and significance criterion.
19
UMLMetaModelClass
ConsistencyRule
S-expression : OCL_Expression
1..1
0..*
SignificanceCriterion
S-Expression : S-expression
Name : Let-expression
0..*
1..1
+context 1..1
0..*
0..*
+criterion
+rule
1..1
{ordered}

predicates that designate the characteristics defined in Sections 3.1-3.6) or non atomic
(i.e., expressions that specify logical combinations of atomic S-expressions).
Table 1 summarises the syntactic forms of both kinds of S-expressions and the typing
conditions that they have to satisfy to be valid. As shown in the table, the atomic S-
expression generic(elem_ref_name), for instance, is valid only if the type of the model
element denoted by elem_ref_name is the meta-class Class. An S-expression has the
same context as the consistency rule it is associated with and can, therefore, reference
any named feature in the transitive closure of the features of this context. The names
used to refer to model elements in an S-expression are defined by Let-expressions which
are specified as part of a significance criterion. The grammar for specifying Let-
expressions and S-expressions is given in Appendix C.
Examples of significance criteria defined to assess the significance of the violations of
Rule-1 are Criterion-i and Criterion-j below:
Criterion-i: S-expression: coordinating-m(n1, n2); Name [1]: let n1 = self; Name[2]: let n2
= self.interaction
Criterion-j: S-expression: fdominant-m(n1, n2) and coordinating-m(n1, n2); Name [1]: let
n1 = self;
Name[2]: let n2 = self.interaction
Atomic S-expression Condition of validity
Generic(elem_ref_name) elem_ref_name.type = Class
Fessential-a(elem_ref_name) elem_ref_name.type = Attribute OR
elem_ref_name.type = AssociationEnd
Characteristic-o(elem_ref_name) elem_ref_name.type = Operation
Coordinating-c(elem_ref_name1, elem_ref
_name2)
elem_ref_name1.type = Class AND
elem_ref_name2.type = Set (Interaction)
Coordinating-m(elem_ref_name1,
elem_ref_name2)
elem_ref_name1.type = Message AND
20

Fdominant-m(elem_ref_name1,
elem_ref_name2)
elem_ref_name1.type = Message AND
Non atomic S-Expression Condition of validity
Non quantified
S-expressions
p1 and p2 and…and pn pi : valid atomic S-expression (forall i=1,
…,n)
p1 or p2 or…or pn pi : valid atomic S-expression (forall i=1,
…,n)
Quantified
S-expressions
(qse)
elem_ref->exists(x |
OCL-expression-over-x
and se(x)) *
elem_ref.type = Set(ModelElement) AND
se(x): is a valid non quantified
S-expression over x
elem_ref ->forall(x |
OCL-expression-over-x
and se(x)) *
elem_ref.type = Set(ModelElement) AND
se(x): is a valid non quantified
S-expression over x
*
If elem_ref has a single object o as its value, we treat it as a singleton set with o as its
only element.
Table 1. Syntactic forms of and typing conditions for valid S-Expressions
According to Criterion-i a message that violates Rule-1 must have a coordinating
capacity in the interaction it belongs to for the violation to be significant. According to
Criterion-j, a violation of Rule-1 is significant only if it is caused by messages which are
functionally dominant and have coordinating capacity in their interaction.
In cases where more than one significance criteria are associated with the same
consistency rule, the order of their application must be specified (see the constraint
{ordered} of the association end criterion in Fig. 4). Thus, to use the coordinating
capacity of the receiver of a message as a secondary criterion for ordering violations of
Rule-1 that have been caused by messages of the same coordination capacity, a
designer can specify the significance criterion:
Criterion-k: S-expression: coordinating-c(n1, n2); Name [1]: let n1 = self.receiver;
and then associate Rule-1 with Criterion-i and Criterion-k in this very order.
21

4.2 Computation of beliefs for the satisfiability of significance criteria
To assess the significance of the violations of a consistency rule, we compute beliefs in
the satisfiability of the criteria associated with it by the elements of the model which are
involved in these violations and rank the violations in descending order of these beliefs.
The computation of these beliefs depends on whether a criterion is defined by an atomic
or a non-atomic S-expression. In the former case, the belief in the satisfiability of the
criterion is computed according the following theorem (see Appendix B for a proof):
Theorem 7: The belief function induced by the each of the basic probability assignments
mi (i=1,…,6) has the following form: Bel(P) = mi(Pi) if Pi → P andBel(P) = 0
otherwise
where Pi is the predicate associated with mi or the negation of this predicate.
Following Theorem 7, the belief in the satisfiability of a criterion defined by an atomic S-
expression is the belief that is generated by the basic probability assignment that is
associated with the predicate used in this expression. For example, the belief in the
atomic S-expression of Criterion-k in Section 4.1 is computed by the formula:
Bel(coordinating-c(self.receiver, self.interaction)) = m2(coordinating-c(self.receiver,
self.interaction)).
The belief in the satisfiability a criterion that is specified by a non-atomic S-expressions is
computed according to the following theorems (the proofs of these theorems are given in
Appendix B):
Theorem 8: Let p1,…, pn be predicates of atomic S-expressions referring to
characteristics of elements of a model M, and m1,…, mn be the basic probability
assignments associated with each of these predicates, respectively. The belief in a non
quantified S-expression p1 and p2 and …and pn is measured by the function:
22

Bel(andi=1,…,n pi) = Πi=1,…,n mi(pi) if pi ≠ pj and pi ≠ ¬pj (∀i, j: i ≠ j), and Bel(andi=1,…,n pi) = 0
otherwise
quantified S-expression p1 or p2 or …or pn is measured by the function:
Bel(ori=1,…,npi) = ΣJ⊆{1,…,n} and J≠∅(-1)|J|+1
Bel(andiεJpi) if pi ≠ pj and pi ≠ ¬pj (∀i,j: i ≠ j), and
Bel(ori=1,…,npi) = 1 otherwise
Theorem 10: Given a set of elements S and a non quantified S-expression se(x) referring
to a model element x, the belief in a quantified S-Expression of the form S->exists(x |
OCL-expression-over-x and se(x)) is measured by the function:
Bel(S->exists(x |OCL-expression-over-x and se(x))) = ΣJ⊆S' and J≠∅ (-1)|J| + 1
Bel (andxεJ
se(x)) if S' ≠ ∅
Bel(S->exists(x |OCL-expression-over-x and se(x))) = 0 if S'
= ∅
where S' is the subset of the elements of S for which OCL-expression-over-x is true.
Theorem 11: Given a set of elements S and a non quantified S-expression se(x) referring
to a model element x, the belief in a quantified S-Expression of the form S->forall(x |
OCL-expression-over-x and se(x)) is measured by the function:
Bel(S->forall(x |OCL-expression-over-x and se(x))) = Πx ε S' Bel(se(x)) if S'
= S
Bel(S->forall(x |OCL-expression-over-x and se(x))) = 0 if S' ≠ S
Examples: Assuming that there are no attributes and associations defined between the
classes SearchMenu and SearchByKeyword, between the classes SearchByKeyword
and SearchForm, and between the classes SearchByKeyword and DBHandler which
23

appear in the interaction I2 of Fig. 3, the messages: execute(), setVisible(boolean),
getKeywords(), executeQuery(String, Ocollection), and executeQuery() in I2 violate Rule-
1. If the significance of these inconsistencies is assessed according to Criterion-i in
Section 4.1, then the inconsistencies caused by the messages getKeywords() and
executeQuery(String,Ocollection) have the highest significance and the inconsistencies
caused by the messages execute(), setVisible(boolean), and executeQuery() are less
significant by the same criterion. This ranking results from the following degrees of belief
in the satisfiability of Criterion-i by each of these messages:
• Bel(cordinating-m(getKeywords(),{I2})) = m5(cordinating-m(getKeywords(),{I1})) = 1
• Bel(cordinating-m(executeQuery(String,OCollection),{I2})) =
m5(cordinating-m(executeQuery(String,OCollection),{I2}))=1
• Bel(cordinating-m(execute(),{I2})) = m5(cordinating-m(execute(),{I2})) = 0.57
• Bel(cordinating-m(setVisible(boolean),{I2})) = m5(cordinating-m(setVisible(boolean),{I2}))
= 0
• Bel(cordinating-m(executeQuery(),{I2})) = m5(cordinating-m(executeQuery(),{I2})) = 0
If the significance of the same inconsistencies is assessed by Criterion-i followed by
Criterion-k (see Section 4.1), the inconsistencies are ranked in descending order of
significance as follows:
1) The inconsistencies caused by getKeywords() and executeQuery(String,OCollection)
since:
Bel(coordinating-m(getKeywords(),{I2})) = Bel(coordinating-
m(executeQuery(String,OCollection),{I2})) = 1
and Bel(coordinating-c(SearchForm,{I1})) = Bel(coordinating-c(DBHandler,{I2})) = 0.4
2) The inconsistency caused by execute() since Bel(coordinating-m(execute(),{I2})) =
0.57
3) The inconsistency caused by setVisible(boolean) since:
Bel(coordinating-m(setVisible(boolean),{I2})) = 0 and Bel(coordinating-c(SearchForm,
{I2})) = 0.4
4) The inconsistency caused by executeQuery() since:
24

Bel(coordinating-m(executeQuery(),{I2})) = 0 and Bel(coordinating-c(Statement,{I2})) =
0.2
Note that in this case, the use of Criterion-k as a secondary criterion of significance
breaks the tie between the inconsistencies caused by the messages setVisible(boolean)
and executeQuery() but not the tie between the inconsistencies caused by of the
messages getKeywords() and executeQuery(String,Ocollection).
5. Tool support
A prototype implementing the framework introduced in this paper has been developed as
a client of the CASE tool Rational Rose [20]. This prototype incorporates a graphical,
syntax-directed editor that supports the specification of significance criteria (see Fig. 5)
and can evaluate them against groups of UML model elements that violate specific
consistency rules.
Fig. 5. Prototype for Diagnostic Framework
The evaluation of a criterion uses a representation of a model structured according to the
UML meta-model and is incremental. Initially, the prototype retrieves the sets of the
elements that are referenced by the names used in the S-expression of a criterion. Then,
25

it uses the retrieved model elements to calculate beliefs in the satisfaction of the atomic
S-expressions of the criterion based on the formulas established by Theorem 7.
Subsequently, if the criterion is defined by a non-atomic S-expression, it calculates the
belief in the satisfaction of this expression using the formulas established by Theorems
8-11. A full description of the prototype and the criteria evaluation algorithm is given in
[5].
6. Experimental results
To evaluate our framework, we have conducted a series of experiments. The objective of
these experiments was to check whether the satisfiability measures calculated for
significance criteria definable in the framework are of sufficient diversity for producing
elaborate rankings of inconsistencies3
. In the experiments, we used 20 UML models
specified by postgraduate students at City University. Measures of the size of these
models and an indication of the system described by each of them are shown in Table 2.
MODEL
Size 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
No. of 40 77 37 31 47 67 25 32 10 42 17 37 51 41 56 54 10 73 14 10
No. of Seq. 3 4 4 2 4 3 12 9 8 8 3 3 12 13 6 12 23 18 22 31
No. of 68 24 32 43 51 44 15 92 87 11 65 36 13 18 18 12 48 43 35 19
No. of 58 25 49 29 25 42 79 78 14 75 59 86 21 94 23 12 22 17 81 89
Producer a a a a a a a a a a a a a b a a b b b b
System 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2 2 2 2
Key Produce
r
a single System 1 web-based banking
b group of 2 course recruitment
Table 2. Size of models used in experimental evaluation
Each of the models was checked against the following consistency rules:
(i) Rule-1 that was defined in Section 4.
(ii) Rule-2 which requires the class of the receiver of a message in an interaction to
define or inherit an operation with the same signature as the message. This rule is
defined in OCL as follows:
Rule-2: context: Message
OCL-expression: self.action.oclIsTypeOf(CallAction) implies
3
The results of another set of experiments whose objective was to evaluate whether the significance-orders of inconsistencies
produced by the framework comply with significance-orders produced by humans are reported in [26].
26

self.receiver.feature −> exists(o:Operation | (self.action.operation = o))
(iii) Rule-3 which requires that the lower multiplicity bound of an association end attached
to a class whose instances receive at least one message from instances of the class
attached to the other end of the association must be greater or equal to 1. This rule is
specified in OCL as follows:
Rule-3: context: AssociationEnd
OCL-expression: self.association−>exists(a:Association|
a.connection−>exists(e1, e2 | (e1 = self) and (e1 <> e2) and (e1.type = c1)
and (c1.oclIsTypeOf(Classifier)) and (e2.type = c2) and
(c2.oclIsTypeOf(Classifier)) and (c2.message−>exists(m: Message |
m.receiver = c1 )))) implies (self.mutliplicity.range.lower >= 1)
The significance of the violations of Rule-1 was subsequently assessed using the criteria
1 and 2 in Table 3. The significance of the violations of Rule-2 was assessed using the
criteria 2, 3, 4 and 5 in Table 3. The significance of the violations of Rule-3 was assessed
using the criterion 6 in Table 3. The beliefs we computed in the satisfiability of these
criteria by the inconsistencies in the different models were used to rank the
inconsistencies as we did in the example of Section 4. More specifically, the
inconsistencies caused by elements believed to satisfy a criterion to the same extent (i.e.
giving rise to equal belief measures) were classified in the same category. The different
categories of inconsistencies were then ranked in descending order of the beliefs
computed for their elements.
Criteri
on
S-Expression Meaning
Criterio
n 1
S-Expression: fdomimant-m(n1, n2)
Name[1]: let n1 = self
The message has functional
dominance in the sequence
diagram it appears.
Criterio
n 2
S-Expression: coordinating-m(n1, n2)
The message has a coordinating
capacity in the sequence diagram it
appears.
Criterio S-Expression: coordinating-c(n1, n2) The receiver class of a message
27

n 3 Name[1]: let n1 = self.receiver
has a coordinating capacity in the
specific sequence diagram that
includes the message.
Criterio
n 4
S-Expression: coordinating-c(n1, n2)
Name[1]: let n1 = self.sender
The sender class of a message
has a coordinating capacity in the
specific sequence diagram that
includes the message.
Criterio
n 5
S-Expression: coordinating-m(n1, n2)
or
coordinating-c(n3, n2)
or
coordinating-c(n4, n2)
Name[3]: let n3 = self.receiver
Name[4]: let n4 = self.sender
The message or its receiver class
or its sender class has a
coordinating capacity in the
specific sequence diagram.
Criterio
n 6
S-Expression: fessential-a(n1, n2)
Name[2]: let n2 =
self.association.oppositeend.type
The association end is functionally
essential for the class attached to
the other end of its association.
Table 3. Criteria used to assess the significance of the violations of rules 1, 2, and 3.
Tables 4, 5 and 6 present statistics about the inconsistencies and beliefs in the
satisfiability of different criteria by the model elements that violated the three rules. The
shown statistics include the number of the inconsistencies detected with respect to each
rule in each model (Ninc) and for each criterion: (1) the number of the different categories
of significance generated by it (Nc), (2) the completeness ratio of the ranking generated
by it RC = Nc/Ninc, (3) the mean (Mb) and median (MDb) values of the beliefs in the
satisfiability of the criterion, (4) the standard deviation of the beliefs in the satisfiability of
the criterion (sb), (5) the standard deviation of the number of inconsistencies in each
category of the ranking (sic), and (6) the relative variability of the beliefs in the satisfiability
of the criterion (sb/mb).
Rule 1 MODEL
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Ninc 20 2 7 5 34 19 82 39 32 16 18 6 49 111 41 38 17
3
22
4
54 73
28

Criteri
on 1
Nc 5 2 4 4 9 6 21 11 16 12 7 2 10 30 13 10 41 13 13 4
RC 0.
25
1 0.
57
0.
8
0.
26
0.3
2
0.
26
0.
28
0.
5
0.
75
0.
39
0.
33
0.2
0
0.2
7
0.3
2
0.2
6
0.2
4
0.0
6
0.2
4
0.05
Mb 0.
06
0.
15
0.
19
0.
1
0.
2
0.1
1
0.
08
0.
4
0.
17
0.
28
0.
07
0.
02
0.0
5
0.1
1
0.0
7
0.1
4
0.0
6
0.0
8
0.2
1
0.08
MDb 0.
04
0.
15
0.
17
0.
05
0.
08
0.0
8
0.
04
0.
38
0.
09
0.
18
0.
04
0 0 0 0.0
3
0 0 0 0 0
sb 0.
04
0.
07
0.
1
0.
09
0.
29
0.1
3
0.
04
0.
29
0.
14
0.
26
0.
06
0.
04
0.1
2
0.2
3
0.1 0.2
5
0.1
5
0.2
5
0.3
0
0.23
sic 3.
08
0 0.
5
0.
5
2.
99
2.5
6
4.
32
2.
46
1.
55
0.
49
2.
44
2.
82
10.
27
13.
66
2.8
2
7.5
1
18.
54
54.
14
8.5
3
27.2
8
sb / Mb 0.
64
0.
47
0.
54
0.
88
1.
46
1.1
4
0.
53
0.
73
0.
81
0.
93
0.
92
2 2.4 2.0
9
1.4
3
1.7
9
2.5 3.1
6
1.4
1
2.88
Criteri
on 2
Nc 2 1 2 3 6 2 6 9 8 5 4 2 6 11 5 2 41 6 9 2
RC 0.
1
0.
5
0.
29
0.
6
0.
18
0.1
1
0.
07
0.
23
0.
25
0.
31
0.
22
0.
33
0.1
2
0.1 0.1
2
0.0
5
0.2
4
0.0
3
0.1
6
0.02
Mb 0.
1
0 0.
29
0.
25
0.
2
0.2
6
0.
24
0.
49
0.
29
0.
53
0.
19
0.
17
0.2
7
0.2
7
0.7 0.3
4
0.2
4
0.1
0
0.2
1
0.19
MDb 0 0 0 0 0 0 0 0.
5
0 0.
5
0 0 0 0 1 0 0 0 0 0
sb 0.
31
0 0.
49
0.
43
0.
37
0.4
5
0.
38
0.
39
0.
39
0.
44
0.
34
0.
4
0.4
4
0.4
3
0.4
1
0.4
8
0.4
1
0.3
0
0.2
8
0.39
sic 11
.3
0 2.
12
1.
15
9.
54
6.3
6
20
.8
4.
66
5.
81
2.
28
5.
69
2.
82
13.
27
22.
72
9.3
1
8.4
8
30.
38
78.
79
9.7
5
31.8
1
sb / Mb 3.
08
0 1.
71
1.
73
1.
9
1.7
2
1.
59
0.
8
1.
34
0.
82
1.
82
2.
35
1.6
3
1.5
9
0.5
8
1.4
1
1.7
1
2.8
9
1.3
4
2.07
Table 4. Statistics for the rankings of the violations of Rule-1
The measure used to evaluate the ability of the different criteria to produce elaborate
rankings of inconsistencies was the ranking completeness ratio (RC). The mean value of
the RC-ratios across models with more than one violations of the same consistency rule
in our experiments was MRC= 0.334
. In other words, the criteria used produced distinct
categories of significance with 3.03 (= 1/MRC) inconsistencies in each category on
4
In estimating the mean RC-value we excluded models with only one inconsistency since in their cases there was no
need for ranking inconsistencies.
29

average. This indicates that the criteria used were capable of producing relatively
elaborate rankings of significance. Our experiments also showed that the use of non-
atomic S-expressions as criteria of significance produces more elaborate rankings of
inconsistencies: the mean value of the RC-ratios resulted from experiments where such
S-expressions were used (see experiments for Rule 2 and Criterion 5) was 0.45.
The distribution of the RC-ratios (excluding cases where Ninc = 1) is graphically shown in
Fig. 6. This distribution was positively skewed with a degree of skewness equal to 1.15, a
median (MDRC) of 0.27 and a standard deviation (sRC) of 0.23. As sRC was found to be
relatively high with respect to MRC, we had to explore the factors underpinning the
generation of rankings with different levels of elaboration.
Rule 2 MODEL
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Ninc 8 11 1 7 26 35 90 39 7 14 65 0 16 30 13
1
40 87 69 97 44
Criteri
on 2
Nc 1 4 1 3 9 4 9 4 7 3 14 0 8 11 13 7 14 6 2 9
RC 0.1
3
0.3
6
1 0.4
3
0.3
5
0.1
1
0.1 0.1 1 0.2
1
0.2
2
0 0.5 0.3
7
0.1 0.1
8
0.1
6
0.0
8
0.0
2
0.2
Mb 0 0.2
4
0 0.4
4
0.1
7
0.3 0.1
1
0.0
2
0.4
1
0.1
3
0.3
3
0 0.5
7
0.2
1
0.3
9
0.4 0.2
5
0.5 0.0
4
0.0
5
MDb 0 0 0 0.0
9
0 0 0 0 0.3
8
0 0.1
1
0 0.7
5
0.1
7
0.4 0.3
7
0 0.5
1
0 0
Sb 0 0.3
7
0 0.5
2
0.3
2
0.4
5
0.2
6
0.0
5
0.3 0.3
3
0.4 0 0.4
6
0.1
7
0.4
1
0.4 0.3
3
0.4
9
0.2 0.1
6
Sic 0 2.8
7
0 1.1
5
4.9
4
10.
4
23 16.
8
0 6.3
5
7.9
9
0 2.4
5
2.0
5
16.
9
5.8
2
11.
79
16.
26
64.
3
3.7
2
Sb / Mb 0 1.5
2
0 1.1
9
1.8
6
1.4
9
2.3
4
3.2
2
0.7
3
2.5
6
1.2 0 0.8
1
0.8
1
1.0
5
1 1.3
2
0.9
9
4.8
6
3.3
1
Criteri
on 3
Nc 3 3 1 3 11 7 15 6 5 5 9 0 6 8 14 9 22 12 14 10
RC 0.3
8
0.2
7
1 0.4
3
0.4
2
0.2 0.1
7
0.1
5
0.7
1
0.3
6
0.1
4
0 0.3
7
0.2
7
0.1
1
0.2
3
0.2
5
0.1
7
0.1
4
0.2
3
30

Mb 0.1
7
0.2
6
0.2
9
0.2
1
0.2
5
0.2
9
0.2
1
0.2
8
0.3
9
0.2
7
0.2
2
0 0.4
2
0.3
8
0.2
8
0.1
9
0.2
5
0.6
4
0.1
6
0.1
7
MDb 0.1
1
0.1
7
0.2
9
0.2
5
0.1
8
0.2
9
0.1
5
0.2
5
0.4
2
0.2
9
0.1
8
0 0.4
3
0.3
7
0.2
5
0 0.2
7
0.8
3
0.1
2
0.1
2
Sb 0.1
3
0.1
6
0 0.0
7
0.1
9
0.1
6
0.1
6
0.2 0.0
8
0.1
3
0.1
2
0 0.1
0
0.1 0.2
1
0.2
9
0.1
4
0.3
8
0.1
4
0.1
6
Sic 2.0
8
1.7
1
0 2.3
1
1.7
5
3.1
1
5.6
3
5.7
5
0.5
5
1.9
2
5.4
5
0 3.1
4
2.5
3
11.
4
7.7
4
3.6
4
8.8 7.2
6
4
Sb / Mb 0.7
2
0.6 0 0.3
1
0.7
3
0.5
4
0.7
7
0.7
3
0.2
2
0.5 0.5
3
0 0.2
4
0.2
6
0.7
5
1.5
3
0.5
7
0.5
9
0.9
2
0.9
5
Criteri
on 4
Nc 3 3 1 3 11 8 17 8 5 7 8 0 6 8 13 8 49 9 12 11
RC 0.3
8
0.2
7
1 0.4
3
0.4
2
0.2
3
0.1
9
0.2
1
0.7
1
0.5 0.1
2
0 0.3
7
0.2
7
0.1 0.2 0.5
8
0.1
3
0.1
2
0.2
5
Mb 0.3
3
0.2
9
0.1
4
0.2
7
0.4
8
0.4
7
0.4
2
0.5
7
0.2 0.6 0.3
1
0 0.2
2
0.2
2
0.4
6
0.6
9
0.4 0.8
4
0.4 0.7
8
MDb 0.4
4
0.2
5
0.1
4
0.2
5
0.5
6
0.5
7
0.4
6
0.6
3
0.0
8
0.5
8
0.2
7
0 0.1
7
0.1
4
0.5 0.8
6
0.4 1 0.4 0.8
7
Sb 0.1
6
0.1
4
0 0.1
5
0.2
2
0.1
8
0.2 0.1
7
0.2
6
0.2
5
0.1
5
0 0.1
0
0.2 0.2
3
0.4 0.2 0.2
5
0.1
5
0.2
8
Sic 2.0
8
1.5
3
0 2.3
1
1.9
1
3.9
3
4.9
5
6.2
7
0.5
5
1.9
1
4.1
2
0 2.6
5
2.7
6
8.1
6
5.9
5
1.8
6
14.
65
12.
3
3.6
8
Sb / Mb 0.4
7
0.4
9
0 0.5
5
0.4
6
0.3
9
0.4
6
0.2
9
1.2
9
0.4
1
0.4
7
0 0.4
5
0.9
1
0.5 0.5
8
0.5
1
0.3 0.3
7
0.3
5
Criteri
on 5
Nc 4 8 1 4 17 14 36 11 7 8 33 0 9 22 31 8 66 9 17 11
RC 0.5 0.7
3
1 0.5
7
0.6
5
0.4 0.4 0.2
8
1 0.5
7
0.5
1
0 0.5
6
0.7
3
0.2
4
0.2 0.7
6
0.1
3
0.1
8
0.2
5
Mb 0.4
6
0.6 0.3
9
0.6
9
0.6
8
0.7
2
0.5
8
0.6
9
0.7
5
0.7
7
0.6
3
0 0.7
3
0.5 0.5
3
0.9
6
0.7
4
0.9
4
0.4
9
0.8
7
MDb 0.5
1
0.6
3
0.3
9
0.6
2
0.7
2
0.7
2
0.5
9
0.7
2
0.6
8
0.8
8
0.5
9
0 0.9 0.4
8
0.6
2
1 0.6
9
1 0.4
6
0.8
9
Sb 0.1
9
0.2
5
0 0.3
1
0.2 0.2
2
0.2
2
0.1
5
0.1
4
0.1
8
0.2
5
0 0.3 0.1
7
0.3
6
0.0
8
0.3 0.1
6
0.1
8
0.1
5
Sic 0.8
2
0.5
2
0 0.9
6
1.0
7
2.4
1
2.2
4
4.2 0 1.0
4
2.3
6
0 2.3
3
0.7
9
7.2 9.3
9
1.1
4
17.
57
6.2 3.7
5
Sb / Mb 0.4 0.4
2
0 0.4
5
0.2
8
0.3 0.3
7
0.2
2
0.1
9
0.2
4
0.3
9
0 0.4
1
0.3
4
0.6
8
0.0
8
0.4 0.1
7
0.3
7
0.1
7
31

Rule 3 MODEL
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Ninc 1 10 5 9 1 2 9 8 12 9 14 5 23 7 15 1 2 24 33 2
Criterio
n 6
Nc 1 3 3 5 1 2 4 3 6 2 5 3 8 3 6 1 2 6 12 2
RC 1 0.3 0.6 0.5
5
1 1 0.4
4
0.3
8
0.5 0.2
2
0.3
6
0.6 0.3
5
0.4
3
0.4 1 1 0.2
5
0.3
6
1
Mb 0.9
9
0.4
1
0.5
5
0.5
8
0.5 0.9
3
0.6 0.6
2
0.7
0
0.7
2
0.6
4
0.6
4
0.7
0
0.6
6
0.7
8
0.5 0.7
5
0.9
3
0.6
7
0.7
2
MDb 0.9
9
0.4
4
0.5
5
0.5
5
0.5 0.9
3
0.5
8
0.5 0.7
0
0.7
5
0.5 0.5 0.7
5
0.7
5
0.7
5
0.5 0.7
5
0.9
4
0.5 0.7
2
Sb 0 0.1
1
0.2
6
0.1
9
0 0.0
8
0.0
9
0.1
9
0.2
0
0.0
8
0.2
0
0.2
0
0.2
3
0.1
6
0.1
9
0 0.3
5
0.1
0
0.2
1
0.3
0
Sic 0 0.5
7
0.5
7
0.4
4
0 0 0.9
5
2.0
8
1.5
5
4.9
5
2.3
9
1.1
5
2.3
6
1.1
5
1.3
8
0 0 4.6
5
4.8
2
0
Sb / Mb 0 0.2
7
0.4
7
0.3
3
0 0.0
8
0.1
5
0.3
1
0.2
8
0.1
1
0.3
1
0.3
1
0.3
3
0.2
4
0.2
4
0 0.4
6
0.1
1
0.3
1
0.4
2
Fig. 6. Distribution of RC-ratio values.
A preliminary investigation of these factors was carried out by correlating the RC-ratios in
the conducted experiments with: (i) measures of the size of the used models including
the number of the classes (NCl), associations (NAss) and messages (NMes) in them, (ii) the
number of the inconsistencies detected in different models (Ninc), and (iii) the relative
variability of criteria satisfiability measures (Sb/Mb). The coefficients of these correlations,
which are shown in Table 7, indicate that the RC-ratio correlates negatively with the
number of inconsistencies Ninc (the correlation coefficient between these two measures
was −0.44 and was statistically significant at α = 0.5). This finding indicated that the
32
Histogram
0
10
20
30
40
0
0
.2
0
.4
0
.6
0
.8
1
RC-ratio
Frequency
Frequency

ability of the framework to produce elaborate rankings of significance deteriorates as the
number of the inconsistencies in a model increases.
NCl NMes NAss Ninc Sb/Mb RC
NCl 1
NMes 1
NAss 1
Ninc 0.22 0.64 0.22 1
Sb/Mb 0.08 0.16 0.16 1
RC 0 -0.17 -0.15 -0.44 -0.34 1
Table 7. Correlation of RC-ratios with model size, inconsistency and belief variability
measures
Based on our correlation analysis, we can say that this phenomenon is likely to have
been the result of the effect of the size of models to the number of detected
inconsistencies (Ninc) and the variability of the belief measures generated for significance
criteria (Sb/Mb). More specifically as observed in our experiments, larger models give rise
to more inconsistencies (the correlation coefficients between Ninc and NCl, NMes, and NAss
were 0.22, 0.64, and 0.22, respectively), and criteria satisfiability measures of higher
variability (the correlation coefficients between Sb/Mb and NCl, NAssoc and NMes were 0.08,
0.16 and 0.16, respectively). However, these two effects are not of the same magnitude.
More specifically, the variability of satisfiability measures increases along with increments
in the size of models but not proportionally to the number of inconsistencies. Model 17,
for example, was four times as big as Model 16 in terms of the number of messages that
it contained (488 vs. 122) and had more than twice as many violations of Rule-2 as
Model 16. The variability of the satisfiability measures for criterion 2 by elements involved
in the violations of Rule-2 in these two models were 1.32 and 1, respectively (see Table
5). Clearly, the difference in the Sb/Mb measures in these two models was not
proportional to the difference in the number of inconsistencies with respect to Rule-2. As
a consequence of this phenomenon, in large models the satisfiability measures are not of
33

sufficient diversity to produce as elaborate rankings of inconsistencies as in the case of
small models. A possible way to obtain higher RC-ratios in cases where larger numbers
of inconsistencies are detected is to define more complex criteria of significance or to
define additional criteria of significance for the same rule and use them for breaking ties
in rankings produced by other criteria. Note, however, that the ability of this strategy to
improve the RC ratios of rankings needs to be confirmed by further experimentation.
7. Related Work
There are two main bodies of literature relevant to the work reported in this paper: the
literature on managing inconsistency in software engineering and the literature on
software metrics.
7.1 Inconsistency management
The term "inconsistency management" has been used in the software engineering
literature to denote a group of activities related to the detection and settlement of
inconsistencies which arise between software system and/or process specifications [6,
13, 27]. These activities include the detection of overlaps and inconsistencies between
specifications, the diagnosis of the importance of the inconsistencies detected, and the
settlement of these inconsistencies. The most substantial body of research relevant to
these activities has emerged from the area of requirements engineering where the
phenomenon of inconsistencies between requirements specifications is more prominent
due to different stakeholder perspectives and goals [30]. One strand of work in this area
focuses on the detection of inconsistencies [24, 9, 30, 12, 21]. Another strand of work
focuses on the settlement of inconsistencies either in general [22, 30, 21, 6] or in
particular cases where the inconsistencies involve specific kinds of requirements
specifications such as quality [1, 19] and safety requirements [16]. Also there is work
concerned with inconsistencies in software process specifications [3].
34

Although the diagnosis of the significance of inconsistencies has been acknowledged as
an important task in the activity of managing inconsistencies, there has been relatively
less research work focusing on it. Notable exception is the work of Emmerich et al [7]
who have developed a framework for managing the compliance of software
documentation artefacts with consistency rules which realise document representation
standards. In their framework, software designers can implement diagnostic checks and
associate them with consistency rules. These checks are meant to assess the
importance and the difficulty of making a document compliant with the rule it violates.
Hunter and Nuseibeh have also dealt with the diagnosis problem in their work on
managing inconsistencies between formal system specifications [13]. In their work,
diagnosis has been realised as the identification of parts of specifications which are not
affected by an inconsistency and therefore are safe to reason from. As far as we know,
the framework described in this paper is the only other strand of work which addresses
the inconsistency diagnosis problem. The main difference between the approach realised
by our framework and the approaches referenced above is that the former assesses the
significance of inconsistencies on the basis of the impact that they have in a software
model while the latter assess this significance on the basis of the parts of the models that
have caused them.
7.2 Software Metrics
The metrics defined in our framework are assessment metrics measuring external
features of software products following Fenton's metric classification taxonomy [8].
Metrics similar to some of them have been proposed in the literature. More specifically,
the depth of inheritance tree (DIT [2]) and class hierarchy nesting level [15] are similar to
m1, and class coupling (CBO [1]) and number of collaborating classes (NCC [14]) are
similar to m2. In addition, the functional essentiality of attributes and association ends
35

(belief function m3) is similar to the method-to-variable connection matrix (MVCM [29]).
The main difference between m3 and MVCM is that m3 establishes the potential of using
an attribute/association end to identify the receiver of a message dispatched in a method
as opposed to using its value in any possible way in a method. However, the main
novelty of our approach with respect to other work in the field of software metrics is the
use of metrics as a means of assessing the significance of inconsistencies in software
models.
8. Conclusions and future work
In this paper we have presented a framework for assessing the significance of
inconsistencies in design models of software systems expressed in UML based on
criteria that software designers can specify to establish the characteristics that the model
elements involved in an inconsistency should have for the inconsistency to be significant.
These criteria can be defined in a formal language established by the framework and are
associated with consistency rules. The framework incorporates a formal scheme, based
on the Dempster-Shafer theory of evidence [23], for computing beliefs in the satisfiability
of the criteria by model elements, and uses these beliefs to assess the significance of the
inconsistencies caused by these elements.
A prototype tool that implements the framework has been developed. Furthermore, the
framework has been tested in a series of experiments which have shown the ability of
the criteria definable in it to produce elaborate rankings of inconsistencies of different
significance. On going work focuses on further experimental evaluation of the framework
against industrial models and an investigation of the possibility of expanding it with more
characteristics of model elements.
References
36

1. Boehm B., In H. "Identifying Quality Requirements Conflicts", IEEE Software, March
1996, pp. 25-35.
2. Chidamber S., Kemerer C., "A metrics Suite for Object Oriented Design", IEEE
Transactions on Software Engineering, 20(6), 1994, pp. 476-493.
3. Cugola G., "Tolerating Deviations in Process Support Systems Via Flexible
Enactment of Process Models", IEEE Transactions on Software Engineering, 24 (11).
1998.
4. Douglas B.P., "Real-Time UML: developing Efficient Objects for Embedded Systems",
Addisson-Wesley,1998.
5. Dragazi F., "Implementation of a Graphical Editor and an Evaluator for S-
Expressions", BSc Project Report, Department of Computing, City University, 2001.
6. Easterbrook S. and Nuseibeh B. "Managing Inconsistencies in an Evolving
Specification", Proc. of the 2nd
Int. Conference on Requirements Engineering, York,
England, IEEE Computer Society Press, 1995, pp. 48-55.
7. Emmerich W., et al., "Managing Standards Compliance", IEEE Transactions on
Software Engineering, 25(6), 1999, pp. 836-851.
8. Fenton N.,. "Software Measurement: A Necessary Scientific Basis", IEEE
Transactions on Software Engineering, 30(3), 1994, pp. 199-206.
9. Finkelstein A. et al., "Inconsistency Handling in Multi-Perspective Specifications",
IEEE Transactions on Software Engineering, 20(8), 1994, pp. 569-578
10.Gamma E., et al., "Design Patterns: Elements of Reusable Object-Oriented
Software", Addison Wesley, 1995.
11. Hays, W., 1969. "Statistics", 3rd Edition, Holt International, SBN 03 910025.
12.Heitmeyer, C., Labaw, B. and Kiskis D., "Consistency Checking of SCR-Style
Requirements Specifications", Proc. of the 2nd
Int. Symposium on Requirements
Engineering, IEEE CS Press, 1995, pp. 56-63.
13.Hunter A. and Nuseibeh B., "Managing Inconsistent Specifications: Reasoning,
Analysis and Action", ACM Transactions in Software Engineering and Methodology,
7(4), 1998, pp. 335-367
14.Jacobson I., "Object-Oriented Software Engineering: A Use Case Driven Approach",
37

Addison-Wesley, 1995.
15.Lorenz M., "Object-Oriented Software Development: A Practical Guide", Prentice Hall,
1993.
16.McDermid A.J., Vickers S.P., and Wilson. "Managing Analytical Complexity of Safety
Critical Systems using Viewpoints", Joint Proceedings of the Viewpoints 96, San
Francisco, USA, 1996, pp. 272-274
17.OMG, Object Constraint Language Specification, Available as part of [18] from :
ftp://ftp.omg.org/pub/docs/ad/99-06-08.pdf, 1999.
18.OMG, "OMG Unified Modeling Language Specification", V. 1.3a. Available from :
ftp://ftp.omg.org/pub/docs/ad/99-06-08.pdf, 1999
19.Palmer J. and Fields A, "An Integrated Environment for Requirements Engineering",
IEEE Software, March 1992, pp. 80-85.
20.Rational, "Rational Rose '98: Extensibility Reference Manual", See also:
http://www.rational.com/products/rose/index.jtmpl, 1998.
21.Robinson, W. and Fickas, S., "Supporting Multiple Perspective Requirements
Engineering", Proc. of the 1st
Int. Conference on Requirements Engineering, IEEE
Computer Society Press, 1994, pp.206-215.
22.Schwanke R.W., Kaiser G.E., "Living with Inconsistency in Large Systems", Proc. of
the Int. Workshop on Software Version and Configuration Control, pp. 98-118
23.Shafer G., "A Mathematical Theory of Evidence", Princeton University Press, 1975.
24.Spanoudakis G., Finkelstein A.,. "Reconciling requirements: a method for managing
interference, inconsistency and conflict", Annals of Software Engineering, 3, 1997, pp.
433-457
25.Spanoudakis G., Kim H., Evidential Management of Inconsistencies in Object
Oriented Software Models, Technical Report, Department of Computing, City
University, 2001
26.Spanoudakis G., Kim H., Diagnosis of the Significance of Inconsistencies in Software
Designs: A Framework and Its Experimental Evaluation, Journal of Systems and
Software, 64(1), 2002, pp. 3-22.
27.Spanoudakis G., Zisman A., "Inconsistency Management in Software Engineering:
38

Survey and Open Research Issues", Handbook of Software Engineering and
Knowledge Engineering, (ed) Chang S. K., Vol. 1, World Scientific, 2001, pp. 329-
380.
28.Sun Microsystems, "JDKTM 1.1.8 Documentation", available from: WWW URL:
http://java.sun.com/products/jdk/1.1/docs/
29.Tegarden, P., Sheetz, S., Monarchi, D, "A Software Complexity Model of Object-
Oriented Systems", Decision Support Systems, 13, 1995, pp. 241-262.
30.van Lamsweerde A., Darimont A., Letier E., "Managing Conflicts in Goal-Driven
Requirements Engineering", IEEE Transactions on Software Engineering, 24(11),
1998, pp. 908-926
31.POCRES Specification, available from:
http://www.soi.city.ac.uk/~gespan/gp/gp_brief.html#S7
Appendix A: Overview of the Dempster-Shafer Theory of Evidence
In the Dempster-Shafer theory, a "basic probability assignment" is a function
(a1) m: ℘(θ) → [0…1]
where ℘(θ) is the powerset of a set of mutually exclusive propositions θ called "frame of
discernment". m provides a measure of the belief in the truth of the disjunction of the
propositions in a subset of θ that cannot be split to any of its own subsets, and obeys the
following axioms: (a2) m(∅) = 0, and (a3) ΣP⊆θ m(P) = 1
The subsets P of θ for which m(P) > 0 are called "focals" of m and the union of these
subsets is called "core" of m. Each basic probability assignment m induces a unique
"belief" function Bel defined as:
(a4) Bel: ℘(θ) → [0…1], and (a5) Bel(A) = ΣB ⊆ A m(B)
Bel measures the total belief committed to the set of propositions P by accumulating the
beliefs committed to its own subsets and obeys the following axioms:
(a6) Bel(∅) = 0
(a7) Bel(θ) = 1
39

(a8) ΣI ⊆ {1,...,n}, and I ≠ θ (–1)|I|+1
Bel(∩ i ε I Pi) ≤ Bel(∪i=1, …, n Pi) where n = |℘(θ)| and P ⊆ θ , (i=1,
…,n)
Two basic probability assignments m1 and m2 can be combined according to the rule of
the "orthogonal sum":
(a9) m1 ⊕ m2 (P) = (ΣX ∩ Y = P m1(X) × m2(Y)) / (1 – k0) where k0 = ΣV ∩ W = ∅ and V ⊆ θ and W ⊆ θ
m1(V) × m2(W)
k0 in this formula is a normalising parameter used to increase the belief assigned to the
non-empty intersections of the focals of m1 and m2 in proportion to the belief that would
be assigned to the empty intersections of these focals.
Appendix B: Proofs of Theorems
The degree of belief in the satisfiability of an S-expression is computed from the degrees
of belief computed for the characteristics of the individual model elements that the S-
expression refers to. This requires the combination of the belief functions introduced in
Sections 3.1-3.6 based on the rules of the D-S theory. And this combination requires the
definition of what the D-S theory terms as a (common) "frame of discernment" for these
functions. In the following, we introduce a frame of discernment for the belief functions
introduced in Sections 3.1-3.6 and then we show how these belief functions can be
combined on the basis of this frame using the rules of the D-S theory.
B.1 Frame of discernment for diagnosis framework
The purpose of introducing a frame of discernment is to define a set of propositions
which express the applicability of the characteristics of our framework to elements of a
UML model M. The definition of the frame assumes the following mappings:
• An isomorphism g which assigns a unique identifier in the range [1,…,n] to each of
40

the elements of M
• A function f giving the number of characteristics applicable to a model element g-1
(i)5
.
f is defined as follows:
- f(i) = 1 + k if g-1
(i).type = Class (k is the cardinality of the powerset of the
interactions of M)
- f(i) = 1 if g-1
(i).type = Attribute or AssociationEnd or Operation
- f(i) = 2k if g-1
(i).type = Message
• An isomorphism h that assigns a unique number in the range [1,…,k] to each of the
sets that can be formulated from the distinct interactions of a model.
Given the above mappings, each proposition in θ is represented as a vector of boolean
variables Vif(i):
[V11,…,V1f(1),V21,…,V2f(2),…,Vn1,…,Vnf(n)]
The truth value of each variable Vij (1 ≤ i ≤ n and 1 ≤ j ≤ f(i)) represents whether the
model element g-1
(i) has the characteristic j. The vector [V11,…,V1f(1),…,Vi1,…,Vif(i),…,Vn1,
…,Vnf(n)] represents the conjunction of the propositions expressed by its elements. Given
the isomorphisms g and h, the denotations of the variables Vij are as follows:
• If g-1
(i).type = Class then Vi1 = True if g-1
(i) is a generic class and Vi1 = False if g-1
(i) is
not a generic class.
• If g-1
(i).type = Class then Vij (j = 2,…k+1) denotes the coordinating capacity of the
class g-1
(i) in a set of interactions S such that j = h(S) + 1: Vij is True if g-1
(i) has a
coordinating capacity in S, and False if it does not.
• If g-1
(i).type = Attribute or g-1
(i).type = AssociationEnd then Vi1 is True if g-1
(i) is a
functionally essential attribute or association end, and False if it is not.
• If g-1
(i).type = Operation then Vi1 is True if g-1
(i) is a characteristic operation, and False
if it is not.
• If g-1
(i).type = Message then Vij (j = 1,…,k) denotes the functional dominance of g-1
(i)
in a set of interactions S (j = h(S)): Vij is True if g-1
(i) is a functionally dominant
message in S, and False if it is not.
5
g-1
(i) denotes the inverse of mapping g, that is it returns for each unique identifier the model element identified by it.
41

• If g-1
(i).type = Message then Vij (j = k+1,…,2k) denotes the coordinating capacity of g-
1
(i) in a set of interactions S ( j = h(S) + k): Vij is True if g-1
(i) has a coordinating
capacity in S, and False if it does not.
θ includes vectors [V11,…,V1f(1),V21,…,V2f(2),…,Vn1,…,Vnf(n)] to represent all the different
combinations of the truth-values of the variables Vij. A set of vectors [V11,…,V1f(1),V21,
…,V2f(2),…,Vn1,…,Vnf(n)] (that is a subset of θ) represents the disjunction of the propositions
expressed by its elements.
Given these denotations, the predicates introduced in sections 3.1-3.6 correspond to the
following subsets of θ:
• generic(g-1
(i)) = {[V11,…,V1f(1),…,Vi1,…,Vif(i),…,Vn1,…,Vnf(n)] |(g-1
(i).type = Class) and (Vi1 =
True)}
• coordinating-c(g-1
(i),S) = {[V11,…,V1f(1),…,Vi1,…,Vif(i),…,Vn1,…,Vnf(n)] | (g-1
(i).type = Class)
and (j = h(S)+1) and (Vij = True)}
• fessential-a(g-1
(i)) = {[V11,…,V1f(1),…,Vi1,…,Vif(i),…,Vn1,…,Vnf(n)] | ((g-1
(i).type = Attribute) or
(g-1
(i).type = AssociationEnd)) and (Vi1 = True)}
• characteristic-o(g-1
(i)) = {[V11,…,V1f(1),…,Vi1,…,Vif(i),…,Vn1,…,Vnf(n)] | (g-1
(i).type =
Operation) and (Vi1 = True)}
• fdominant-m(g-1
(i), S) = {[V11,…,V1f(1),…,Vi1,…,Vif(i),…,Vn1,…,Vnf(n)] | g-1
(i).type = Message)
and (j = h(S)) and (Vij = True)}
• coordinating-m(g-1
(i), S) = {[V11,…,V1f(1),…,Vi1,…,Vif(i),…,Vn1,…,Vnf(n)] |(g-1
(i).type =
Message) and (j = h(S) + k) and (Vi2 = True)}
Note that, since each subset X of θ is viewed as a logical proposition (P) the complement
set of it with respect to θ, X'
, denotes the negation of this proposition (¬P). Thus, for
example, the negation of the predicate generic (¬ generic(g-1
(i))) corresponds to the
following subset of θ:
generic (g-1
(i))' = {[V11,…,V1f(1),…,Vi1,…,Vif(i),…,Vn1,…,Vnf(n)] | (g-1
(i).type = Class) and (Vi1 =
False)}
42

Note also that the basic probability assignments m1, …, m6 are assumed to assign a
belief equal to 0 to any subset of θ that is not referenced in their definition in Sections
3.1-3.6.
B.2 Proofs of theorems
Theorem 1: m1 is a D-S basic probability assignment.
Proof: To prove that m1 is a basic probability assignment we must prove that it satisfies
the axioms a1-a3.
(a1): This axiom is satisfied since c.Sub* ⊆ M.Classes − {c}.
(a2): Since θ ≠ generic(c) and θ ≠ generic(c)' for any c by Definition 1 we have: m1(θ) = 0.
(a3): It is satisfied since: ΣP⊆θ m1(P) = ΣP⊆θ and P≠generic(c) and P≠generic(c)' m1(P) + m1(generic(c)) +
m1(generic(c)')
= 0 + m1(generic(c)) + 1 − m1(generic(c)) = 1. ♦
the axioms a1-a3.
(a1): It is satisfied since by Definition 2 we have that, Com(c,S) ⊆ Classes(S) − {c}, and
for any subset P of θ such that P≠coordinating-c(c,S) and P≠coordinating-c(c,S)' that
m2(P) is equal to 0.
(a2): Since θ≠coordinating-c(c,S) and θ≠coordinating-c(c,S)' for any c and S by
Definition 2 we have: m2(θ) = 0.
(a3): It is satisfied since, ΣP⊆θm2(P) = ΣP⊆θ and P≠coordinating-c(c,S) and P≠coordinating-c(c,S)'m2(P)
+m2(coordinating-c(c,S)) + m2(coordinating-c(c,S)') = 0 + m2(coordinating-c(c,S)) + 1 −
m2(coordinating-c(c,S)) = 1. ♦
43

the axioms a1-a3.
(a1): It is satisfied since by definitions 3 and 6, 0 ≤ |Rel(a,c)| and 0 ≤ |Mes(a,c,M)|. Also
by Definition 3, for any subset P of θ such that P≠fessential-a(a,c) and P≠fessential-
a(a,c)', m3(P) = 0.
(a2): Since θ ≠ fessential-a(a,c) and θ ≠ fessential-a(a,c)' for any a and c by Definition 3
we have: m3(θ) = 0.
(a3): It is satisfied since: ΣP⊆θ m3(P) = ΣP⊆θ and P≠fessential-a(a,c) and P≠fessential-a (a,c)' m3(P) +
m3(fessential-a(a,c)) + m3(fessential-a(a,c)') = 0 + m3(fessential-a(a,c)) + 1 −
m3(fessential-a(a,c)) = 1. ♦
the axioms a1-a3.
(a1): It is satisfied since by Definition 4, for any operation o and a class c such that c ε
Oclasses(o) we have: Ov(o,c) ∪ {c}) ⊆ (c.Sub* ∪ {c}). Also by Definition 4, for any subset
P of θ such that P≠characteristic-o(o) and P≠characteristic-o(o)', m4(P) = 0.
(a2): Since θ ≠ characteristic-o(o) and θ ≠ characteristic-o(o)' for any o by Definition 4 we
have: m4(θ) = 0
(a3): It is satisfied since: ΣP⊆θ m4(P) = ΣP⊆θ and P≠characteristic-o(o) and P≠characteristic-o(o)'m4(P) +
m4(characteristic-o(o)) + m4(characteristic-o(o)') = 0 + m4(characteristic-o(o)) + 1 −
m4(characteristic-o(o)) = 1. ♦
the axioms a1-a3.
(a1): It is satisfied since by Definition 5 for any m and S we have that: (i) Dsig(m,S) ⊆
Asig(m,S), and (ii) for any subset P of θ such that P≠coordinating-m(m,S) and
P≠coordinating-m(m,S)', m5(P) is equal to 0.
(a2): Since θ ≠ coordinating-m(m,S) and θ ≠ coordinating-m(m,S)' for any m and S by
Definition 5, m5(θ)=0.
44

(a3): It is satisfied since: ΣP⊆θ m5(P) = ΣP⊆θ and P≠coordinating-m(m,S) and P≠coordinating-m(m,S)' m5(P) +
m5(coordinating-m(m,S)) + m5(coordinating-m(m,S)') = 0 + m5(coordinating-m(m,S)) + 1 −
m5(coordinating-m(m,S)) = 1. ♦
the axioms a1-a3.
(a1): It is satisfied since by Definition 6 we have that: (i) Ames(m,{I}) ⊆ I.messages and
(ii) for any subset P of θ such that P≠fdominant-m(m,{I}) and P≠fdominant-m (m,{I})',
m6(P) is equal to 0.
(a2): Since θ≠fdominant-m(m,{I}) and θ≠fdominant-m(m,{I})' for any m and I by Definition
6 we have: m6(θ) = 0
(a3): It is satisfied since: ΣP⊆θ m6(P) = ΣP⊆θ and P≠fdominant-m(m,{I}) and P≠fdominant-m(m,{I})' m6(P) +
m6(fdominant-m(m,{I})) + m6(fdominant-m(m,{I})') = 0 + m6(fdominant-m(m,{I})) + 1 −
m6(fdominant-m(m,{I})) = 1. ♦
Theorem 7: The belief function induced by the each of the basic probability assignments
mi (i=1,…,6) has the following form: Bel(P) = mi(Pi) if Pi → P andBel(P) = 0
otherwise
where Pi is the predicate associated with mi or the negation of this predicate.
Proof: Let Fi be the subset of θ that corresponds to the predicate PI and F the subset of
θ that corresponds to P. Since Pi → P we will have that Fi ⊆ F. Then this theorem is a
consequence of axiom (a5) and the definitions of m1,…, m6. ♦
Lemma 1: Let p1, p2, …, pn be atomic S-expressions referring to the elements of a model
M and m1, m2, …,mn be the basic probability assignments associated with the predicate
used in each of these expressions. Suppose also that Si and Si' are the focals of mi (i =
1,…, n), and that for any i and j such that i ≠ j we have that Si ≠ Sj and Si ≠ Sj'. If m is
the function resulting from the combination of m1, m2, …,mn, then m has the following
45

functional form:
m(X) = ΠiεImi(Si) × ΠjεI'mj(Sj') if X = ∩iεISi ∩jεI'Sj' (for any I ⊆ {1,2,…,n})
m(X) = 0 if X ≠ ∩iεISi ∩jεI'Sj' (for any I ⊆ {1,2,…,n})
Proof: The core of each mi is Ci = Si ∪ Si' where each Si corresponds to one of the
subsets of the frame of discernment θ constructed for the model M as described In B.1
and Si' corresponds to the complement of Si with respect to θ. Thus, Ci = θ for all i and
∩i=1,…,nCi = θ ≠ ∅ (L1.1)
From (L1.1) and Theorem 3.2 in [23, p. 61] it follows that the basic probability
assignments mi can be combined. Note also that since we have assumed that Si ≠ Sj
'
(for
any i and j such that i ≠ j) it also holds that
for any I ⊆ {1,2,…,n} ∩iεISi ≠ ∅ (L1.2)
for any i and j such that i ≠ j, Si ⊄ Sj and Sj ⊄ Si (L1.3)
From (L1.2), we have that:
Σi,j, i ≠ jΣSi ∩ Sj=∅ mi(Si) × mj(Sj) = 0 (L1.4)
Thus, according to Theorem 3.1 in [23, p.60], the basic probability assignments mi can be
combined using the rule of the orthogonal sum (defined by axiom (a9) in Appendix A).
The rule in this case is simplified to the following formula (since k0 = 0 due to (L1.4)):
m(P) = mi ⊕ mj (P) = Σ X ∩ Y = P mi(X) × mj(Y) (L1.5)
The functional form of m = m1 ⊕ m2 ⊕ … ⊕ mn is proved by induction as follows.
For n=2: It follows from (L1.5) that m(P) ≠ 0 only if P = S1 ∩ S2, P = S1 ∩ S2', P = S1' ∩ S2,
or P = S1' ∩ S2' since for any pair of subsets of θ, X and Y, such that X and/or Y is not one
of the sets S1, S1' and/or Y is not one of the sets S2, S2' it will be that m1(X)=0 and/or
m2(Y)=0. Furthermore, from (L1.5) we have that: m(S1 ∩ S2) = m1(S1) × m2(S2), m(S1' ∩
S2) = m1(S1') × m2(S2), m(S1 ∩ S2') = m1(S1) × m2(S2'), and m(S1' ∩ S2') = m1(S1') × m2(S2').
For n=k: Let m' = m1 ⊕ m2 ⊕ … ⊕ mk and suppose that:
m'(X) = ΠiεImi(Si) × ΠjεI'mj(Sj') if X = ∩iεISi ∩jεI'Sj' (for any I ⊆ {1,2,…,k})
m'(X) = 0 if X ≠ ∩iεISi ∩jεI'Sj' (for any I ⊆ {1,2,…,k}) (L1.6)
46

For n=k+1: Let m = m1 ⊕ m2 ⊕ … ⊕ mk ⊕ mk+1. From Theorem 3.3 in [23, p.61] we have
that: m = (m1 ⊕ m2 ⊕ … ⊕ mk) ⊕ mk+1 = m' ⊕ mk+1. Also according to (L1.5) the focals of
m will be the pairwise intersections of the focals of m' and the focals of mk+1 which by
virtue of (L1.6) are the sets ∩iεISi ∩jεI'Sj' ∩ Sk+1 and
∩iεISi ∩jεI'Sj' ∩ Sk+1' (for any I ⊆ {1,2,…,k}) or, equivalently, the sets X = ∩iεISi ∩jεI'Sj' (for any
I ⊆ {1,2,…, k+1}).
Furthermore, for each of these sets X by (L1.5) and (L1.6) we have that,
(a) If X = ∩iεI Si ∩jεI' Sj' ∩ Sk+1:
m' ⊕ mk+1(X) = m'(∩iεISi ∩jεI'Sj') × mk+1(Sk+1) = ΠiεImi(Si) × ΠjεI'mj(Sj') × mk+1(Sk+1)
= ΠiεI∪{k+1} mi(Si) × ΠjεI' mj(Sj') (L1.7)
(b) If X = ∩iεISi ∩jεI' Sj' ∩ Sk+1' :
m' ⊕ mk+1(X) = m'(∩iεISi ∩jεI'Sj') × mk+1(Sk+1') = ΠiεI mi(Si) × ΠjεI'mj(Sj') × mk+1(Sk+1')
= ΠiεI mi(Si) × ΠjεI' ∪{k+1} mj(Sj') (L1.8)
From (L1.7) and (L1.8), it follows that: m(P) = ΠiεImi(Si) × ΠjεI' mj(Sj') (for any I ⊆ {1,2,…,
k+1}). ♦
quantified S-expression p1 and p2 and …and pn is measured by the function:
Bel(andi=1,…,n pi) = Πi=1,…,n mi(pi) if pi ≠ pj and pi ≠ ¬pj (∀i, j: i ≠ j), and Bel(andi=1,…,n pi) = 0
otherwise.
Proof: Let S1, S2, …, Sn be the subsets of the frame of discernment θ constructed for M
which represent the predicates p1, p2, …, pn , respectively.
(a) If pi ≠ pj and pi ≠ ¬pj: In this case we have that for all i and j such that i ≠ j Si ≠ Sj and
Si ≠ Sj
'
. Thus, the conditions about the focals of the basic probability assignments m1, m2,
…, mn required by Lemma 1 are satisfied and, therefore, as shown in that lemma the
assignments mi (i=1,…,n) can be combined in any possible order. Let m be the basic
47

probability assignment resulting from their combination, that is m = m1 ⊕ m2 ⊕ … ⊕ mn.
Then, it follows from the definition of a frame of discernment θ for a model M and axiom
(a5) that,
Bel(andi=1,…,n pi) = Bel(∩i=1,…,nSi) = ΣX⊆ ∩i=1,…,nSi m(X).
However, as we show in Lemma 1, the only subset of θ X such that m(X) > 0 and X ⊆
∩i=1,…,nSi is the set ∩i=1,…,n Si itself. Thus, Bel(∩i=1,…,nSi) = m(∩i=1,…,nSi) and as a
consequence of the same lemma, we have that: Bel(∩i=1,…,nSi) = Πi=1,…,nmi(Si).
(b) In the case where there is one a pair i and j, such that Si = Sj
'
and for any other u and
w such that u≠w Su ≠ Sw
'
we will have that pi = not pj and mi = mj. Without loss of
generality, suppose that i=1 and j=2 and let p' be the conjunction of pi and pj (p' = pi and
pj). Then, the subset of the frame of discernment corresponding to p' will be:
S' = Si ∩ Sj
'
= ∅. Also,
Bel(p1 and p2 and …and pn) = Bel(p' and p3 and …and pn)
(T8.1)
In this case, Bel is induced from a basic probability assignment m that results from the
combination of the basic probability assignments m1,m3,…,mn , that is m = m1 ⊕ m3 ⊕ …
⊕ mn. As the conditions of (a) above are satisfied in this case, we have (as already
proved) that:
Bel(p' and p3 and …and pn) = m1(S') Πi=1,…,nmi(Si) = m1(S') Πi=1,…,nmi(Si) (T8.2)
However, as we proved in Theorems 1-6, for any basic probability assignment m in our
framework, m(∅)=0. Thus, from (T8.1) and (T8.2) we have that: Bel(p1 and p2 and …and
pn) = 0. ♦
quantified S-expression p1 or p2 or …or pn is measured by the function:
Bel(ori=1,…,npi) = ΣJ⊆{1,…,n} and J≠∅(-1)|J|+1
Bel(andiεJpi) if pi ≠ pj and pi ≠ ¬pj (∀i,j: i ≠ j), and
48

Bel(ori=1,…,npi) = 1 otherwise
Proof: Let S1, S2, …, Sn be the subsets of the frame of discernment θ constructed for M
which represent the predicates p1, p2, …, pn , respectively.
(a) If pi ≠ pj and pi ≠ ¬pj: In this case we have that for all i and j such that i ≠ j Si ≠ Sj and
Si ≠ Sj
'
. Thus, as a consequence of the definition of θ in B.1 and axiom (a5) we have that:
Bel(p1 or p2 or …or pn) = Bel(∪i=1,…,nSi) = ΣX⊆ ∪i=1,…,n Si m(X) (T9.1)
Note, however, that m = m1 ⊕ m2 ⊕ … ⊕ mn (mi is the basic probability assignment
associated with the predicate of the atomic S-expression pi) and by virtue of Lemma 1 the
only subsets of ∪i=1,…,nSi for which m > 0 are the sets: ∩iεISi ∩jεI'Sj' (for all I ⊆ {1,2,…,n} and
I ≠ ∅). Therefore, Bel(∪i=1,…,nSi) = ΣI⊆{1,2,…,n} and I ≠ ∅ m(∩iεISi ∩jεI'Sj') and by Lemma 1:
Bel(∪i=1,…,nSi) = ΣI⊆{1,2,…,n} and I ≠ ∅ ΠiεI mi(Si) × ΠjεI' mj(Sj'). (T9.2)
From (T9.1) and (T9.2), we have that,
Bel(p1 or p2 or …or pn) = ΣI⊆{1,2,…,n} and I ≠ ∅ ΠiεI mi(Si) × ΠjεI' mj(Sj') (T9.3)
Note also that due to Theorem 2.1 in [23]: ΣI ⊆{1,…,n} and I≠∅ (-1)|I| + 1
Bel (∩iεI Si) = Σi=1,…,nΣB⊆Si
m(B)
However, by virtue of Lemma 1 it also holds that
Σi=1,…,nΣB⊆Si m(B) = Σi=1,…,n ΣI⊆N and N={1,2,…,n} − {i} m(Si ∩uεISu ∩wεI'Sw') = ΣI⊆{1,2,…,n} and I≠∅ m(∩uεISu
∩wεI'Sw')
= ΣI⊆{1,2,…,n} and I≠∅ΠuεI mu(Su) × ΠwεI' mw(Sw')
Thus, ΣI ⊆{1,…,n} and I≠∅ (-1)|I| + 1
Bel (∩iεI Si) = ΣI⊆{1,2,…,n} and I≠∅ ΠuεI mu(Su) × ΠwεI' mw(Sw')
(T9.4)
As a consequence of (T9.3) and (T9.4), we have that Bel(p1 or p2 or …or pn) = ΣI ⊆{1,…,n} and
I≠∅ (-1)|I| + 1
Bel (∩iεI Si)
and therefore, as shown in Theorem 8: Bel(p1 or p2 or …or pn) = ΣJ⊆{1,…,n} and J ≠ ∅ (-1)|J| + 1
Bel(andiεJ pi).
(b) Suppose that there is one pair i and j, such that Si = Sj
'
. From Si = Sj
'
we have that pi =
not pj and mi = mj. Without loss of generality, suppose that i=1 and j=2 and let p' be the
disjunction of pi and pj (p' = pi or pj). Then, the subset of the frame of discernment
49

corresponding to p' will be: S' = Sj
'
∪ Sj = θ. Thus, Bel((p1 or p2 or p3 or … or pn) = Bel((p1
or (not p1)) or p3 or … or pn) = Bel(θ ∪ S3 ∪… ∪ Sn ) = Bel(θ). However by axiom (a7),
Bel(θ) = 1 and therefore, Bel(p1 or p2 or p3 or … or pn) = 1. ♦
Theorem 10: Given a set of elements S and a non quantified S-expression se(x)
referring to a model element x, the belief in a quantified S-Expression of the form S-
>exists(x |OCL-expression-over-x and se(x)) is measured by the function:
Bel(S->exists(x |OCL-expression-over-x and se(x))) = ΣJ⊆S' and J≠∅ (-1)|J| + 1
Bel (andxεJ
se(x)) if S' ≠ ∅
Bel(S->exists(x |OCL-expression-over-x and se(x))) = 0 if S'
= ∅
Proof: The truth value of the expression S->exists(x | OCL-expression-over-x) in OCL is
True if the expression OCL-expression-over-x is True for at least one of the elements x of
S and False otherwise (see p. 6-23 in [17]). Since and in OCL is defined as the normal
boolean conjunction operator the truth value of the expression
S->exists(x | OCL-expression-over-x and se(x))
(T10.1)
is equal to the truth value of the expression
S'->exists(x | se(x)) where S' = {x | (x ε S) and OCL-expression-over-x = True}
(T10.2)
If S' ≠ ∅, assuming that e1, e2, …, en are the elements of S' the truth value of the
expression (T10.2) is equivalent to the truth value of the expression: se(e1) or se(e2) or
… or se(en). However, for any i and j such that i ≠ j we also have that ei ≠ ej (since ei and
ej are members of the same set). Thus, if Si and Sj are the subsets of the frame of
discernment θ constructed for the model to represent se(ei) and se(ej), we will have that
Si ≠ Sj, Si ≠ Sj
'
, Si ⊄ Sj and Sj ⊄ SI, and by Theorem 9,
Bel(se(e1) or se(e2) or…or se(en)) = ΣJ⊆{1,…,n} and J≠∅ (-1)|J|+1
Bel(andiεJ se(ei)) = ΣW⊆S' and W≠∅(-1)|
W|+1
Bel(andxεW se(x))
50

If S' = ∅, according to the definition of the operation exists in OCL, (T10.2) is always
False which corresponds to the empty set of any frame of discernment θ. Thus, by axiom
(a6): Bel(S->exists(x | se(x))) = Bel(∅) = 0. ♦
Theorem 11: Given a set of model elements S and a non quantified S-expression se(x)
referring to a model element x, the belief in a quantified S-Expression of the form S-
>forall(x |OCL-expression-over-x and se(x)) is measured by the function:
Bel(S->forall(x |OCL-expression-over-x and se(x))) = Πx ε S' Bel(se(x)) if S' = S
Bel(S->forall(x |OCL-expression-over-x and se(x))) = 0 if S' ≠ S
Proof: The truth value of the expression S->forall(x | OCL-expression-over-x) in OCL is
True if the expression OCL-expression-over-x is True for all the elements x of S and
False otherwise (see p. 6-23 in [17]). Thus, if S' is a subset of S that including the
elements of it for which the expression OCL-expression-over-x is True (i.e., S' = {x | (x ε
S) and OCL-expression-over-x = True}) the truth value of the expression
S->forall(x | OCL-expression-over-x and se(x)) (T11.1)
is equal to the truth value of the expression
(S = S') and S'->forall(x | se(x)) (T11.2)
If S' = S, assuming that e1, e2, …, en are the elements of S', the truth value of the
expression (T11.2) is equivalent to the truth value of the expression: se(e1) and se(e2)
and … and se(en). However, for any i and j such that i ≠ j we also have that ei ≠ ej (since
ei and ej are members of the same set). Thus, if Si and Sj are the subsets of the frame of
discernment θ constructed for the model that represent se(ei) and se(ej), we will have
that: Si ≠ Sj, Si ≠ Sj
'
, Si ⊄ Sj and Sj ⊄ SI, and by Theorem 8: Bel(se(e1) and se(e2) and …
and se(en)) = Πi=1,…,nmi(Si) = Πx ε S mi(Si)
If S' ≠ S then the formula (T11.2) is always False which corresponds to the empty subset
of any frame of discernment θ. Thus, by virtue of axiom (a6), Bel(S->forall(x | se(x))) =
Bel(False) = Bel(∅) = 0. ♦
51

Appendix C: Grammar for S-expressions
S-expressions can be specified according to the following EBNF grammar (in this
grammar "|" means choice, "?" means optionality, "*" means zero or more times, and "+"
means one or more times):
s_expression := non_quantified_expression | quantified_expression
non_quantified_expression := atomic_expression ( s_logical_operator
atomic_expression)*
atomic_expression := unary_criterion "(" elem_ref ")" | binary_criterion "(" elem_ref ","
elem_ref ")"
unary_criterion := "generic" | "characteristic-o"
binary_criterion := "coordinating-c" | "fessential-a" | "coordinating-m" | "fdominant-m"
quantified_expression := elem_ref "−>" set_operator "(" name "|"
logical_expression "and" non_quantified_expression ")"
s_logical_operator := "and" | "or"
set_operator := "forall" | "exists"
elem_ref := name ( "." name )*
name := ["a" - "z"] (["a" - "z"] | ["A" - "Z"] | ["0" - "9"] | "_" )*
logical_expression := relational_expression (logical_operator
relational_expression)*
relational_expression := unary_expression (relational_operator unary_expression)?
unary_expression := (unary_operator elem_ref) | elem_ref
logical_operator := "and" | "or" | "implies"
unary_operator := "not"
relational_operator := "=" | "<>" | ">" | "<" | "<=" | ">="
let_expression := "let" name "=" elem_ref
52

Evidential diagnosis of inconsistencies in object oriented designs

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (19)

En vedette

En vedette (18)

Similaire à Evidential diagnosis of inconsistencies in object oriented designs

Similaire à Evidential diagnosis of inconsistencies in object oriented designs (20)

Dernier

Dernier (20)

Evidential diagnosis of inconsistencies in object oriented designs