Gomaa Softwaremodellinganddesign
Gomaa Softwaremodellinganddesign
Gomaa Softwaremodellinganddesign
This book provides all you need to know for modeling and design of soft-
ware applications, from use cases to software architectures in UML. It
shows you how to apply the COMET UML-based modeling and design
method to real-world problems. The author describes architectural pat-
terns for various architectures, such as broker, discovery, and transaction
patterns for service-oriented architectures, and layered patterns for soft-
ware product line architectures, and addresses software quality attributes,
including maintainability, modifiability, testability, traceability, scalabil-
ity, reusability, performance, availability, and security.
Complete case studies illustrate design issues for different software
architectures: a banking system for client/server architectures, an online
shopping system for service-oriented architectures, an emergency moni-
toring system for component-based software architectures, and an auto-
mated guided vehicle system for real-time software architectures.
Organized as an introduction followed by several self-contained chap-
ters, the book is perfect for senior undergraduate or graduate courses in
software engineering and for experienced software engineers who want a
quick reference at each stage of the analysis, design, and development of
large-scale software systems.
Hassan Gomaa
George Mason University, Fairfax, Virginia
cambridge university press
Cambridge, New York, Melbourne, Madrid, Cape Town,
Singapore, São Paulo, Delhi, Tokyo, Mexico City
Cambridge University Press
32 Avenue of the Americas, New York, NY 10013-2473, USA
www.cambridge.org
Information on this title: www.cambridge.org/9780521764148
C Hassan Gomaa 2011
A catalog record for this publication is available from the British Library.
Cambridge University Press has no responsibility for the persistence or accuracy of URLs for external
or third-party internet websites referred to in this publication and does not guarantee that any content
on such websites is, or will remain, accurate or appropriate.
To Gill, William and Neela, Alex,
Amanda and Neil, and Edward
Contents
Preface page xv
Annotated Table of Contents xix
Acknowledgments xxv
PART I Overview
1 Introduction 3
1.1 Software Modeling 3
1.2 Object-Oriented Methods and the Unified Modeling
Language 3
1.3 Software Architectural Design 5
1.4 Method and Notation 5
1.5 COMET: A UML-Based Software Modeling and Design
Method for Software Applications 6
1.6 UML as a Standard 6
1.7 Multiple Views of Software Architecture 7
1.8 Evolution of Software Modeling and Design Methods 8
1.9 Evolution of Object-Oriented Analysis and Design Methods 9
1.10 Survey of Concurrent, Distributed, and Real-Time
Design Methods 11
1.11 Summary 12
Exercises 12
vii
viii Contents
7 Static Modeling 94
7.1 Associations between Classes 95
7.2 Composition and Aggregation Hierarchies 100
7.3 Generalization/Specialization Hierarchy 102
7.4 Constraints 103
7.5 Static Modeling and the UML 103
7.6 Static Modeling of the System Context 104
7.7 Categorization of Classes Using UML Stereotypes 106
7.8 Modeling External Classes 107
7.9 Static Modeling of Entity Classes 111
7.10 Summary 113
Exercises 114
Glossary 523
Answers to Exercises 537
Bibliography 539
Index 547
Preface
OVERVIEW
This book describes a use case–driven UML-based method for the modeling and
design of software architectures, including object-oriented software architectures,
client/server software architectures, service-oriented architectures, component-
based software architectures, concurrent and real-time software architectures, and
software product line architectures. The book provides a unified approach to design-
ing software architectures and describes the special considerations for each cate-
gory of software architecture. In addition, there are four case studies, a client/server
banking system, a service-oriented architecture for an online shopping system, a
distributed component-based emergency monitoring system, and a real-time auto-
mated guided vehicle system.
This book describes a UML-based software modeling and design method called
COMET (Collaborative Object Modeling and Architectural Design Method).
COMET is a highly iterative object-oriented software development method that
addresses the requirements, analysis, and design modeling phases of the object-
oriented development life cycle.
The book is intended to appeal to readers who wish to design software architec-
tures using a systematic UML-based method that starts from requirements modeling
with use cases, through static and dynamic modeling, to software design based on
architectural design patterns.
xv
xvi Preface
described using the UML 2 notation, the latest version of the standard. In particu-
lar, this book:
■ Provides a comprehensive treatment of the application of the UML-based
object-oriented concepts to requirements modeling, analysis modeling, and
design modeling. Requirements modeling addresses use case modeling to des-
cribe functional requirements with extensions to describe nonfunctional require-
ments. Analysis modeling addresses static modeling and dynamic modeling
(both interaction and state machine modeling). Design modeling addresses
important architectural issues, including a systematic approach for integrating
use case–based interaction diagrams into an initial software architecture and
applying architectural and design patterns for designing software architectures.
■ Provides a common approach for requirements and analysis modeling and then
addresses specific design issues (in a separate chapter for each category of soft-
ware architecture) for designing the software architecture for object-oriented
software systems, client/server systems, service-oriented systems, component-
based systems, real-time systems, and software product lines.
■ Describes how software architectures are designed by first considering software
architectural patterns relevant for that category of software architecture, such as
client/service patterns for client/server and component-based software architec-
ture; brokering, discovery, and transaction patterns for service-oriented architec-
tures; real-time control patterns for real-time software architecture; and layered
patterns for software product line architectures.
■ Describes software quality attributes, which can have a profound effect on the
quality of a software product. Many of these attributes can be addressed and
evaluated at the time the software architecture is developed. The software qual-
ity attributes covered include maintainability, modifiability, testability, traceabil-
ity, scalability, reusability, performance, availability, and security.
■ Presents four detailed case studies. Case studies are presented by software
architecture area, including a banking system for client/server architectures, an
online shopping system for service-oriented architecture, an emergency mon-
itoring system for component-based software architecture, and an automated
guided vehicle system for the real-time software architecture.
■ Appendices include a glossary, a bibliography, and a catalog of architectural
design patterns. There is also be an appendix on teaching considerations for
teaching academic and industrial courses based on this book. Exercises follow
most chapters.
INTENDED AUDIENCE
This book is intended for both academic and professional audiences. The academic
audience includes senior undergraduate- and graduate-level students in computer
science and software engineering, as well as researchers in the field. The profes-
sional audience includes analysts, software architects, software designers, program-
mers, project leaders, technical managers, program managers, and quality-assurance
specialists who are involved in the analysis, design, and development of large-scale
software systems in industry and government.
Preface xvii
PART I: OVERVIEW
Chapter 1: Introduction
This chapter presents an introduction to software modeling and design, a discussion
of software design issues, an introduction to software architecture, and an overview
of object-oriented analysis and design with UML.
xix
xx Annotated Table of Contents
I gratefully acknowledge the reviewers of earlier drafts of the manuscript for their
constructive comments, including Rob Pettit, Kevin Mills, Bran Selic, and the
anonymous reviewers. I am very grateful to the students in my software design
and reusable software architecture courses at George Mason University for their
enthusiasm, dedication, and valuable feedback. Many thanks are also due to Koji
Hashimoto, Erika Olimpiew, Mohammad Abu-Matar, Upsorn Praphamontripong,
and Sylvia Henshaw for their hard work and careful attention producing the figures.
I am also very grateful to the Cambridge University Press editorial and production
staff, including Heather Bergman, Lauren Cowles, David Jou, Diane Lamsback,
and the production staff at Aptara, without whom this book would not have seen
the light of day.
I gratefully acknowledge the permission given to me by Pearson Education, Inc.,
to use material from my earlier textbooks, Designing Concurrent, Distributed, and
Real-Time Applications with UML, C 2000 Hassan Gomaa, Reproduced by permis-
sion of Pearson Education, Inc., and Designing Software Product Lines with UML,
C 2005 Hassan Gomaa, Reproduced by permission of Pearson Education, Inc.
Last, but not least, I would like to thank my wife, Gill, for her encouragement,
understanding, and support.
xxv
PART I
Overview
1
Introduction
3
4 Overview
and hence are more modifiable and maintainable. Inheritance provides an approach
for adapting a class in a systematic way.
With the proliferation of notations and methods for the object-oriented analysis
and design of software applications, the Unified Modeling Language (UML) was
developed to provide a standardized graphical language and notation for describ-
ing object-oriented models. However, because UML is methodology-independent,
it needs to be used together with an object-oriented analysis and design method.
Because the UML is now the standardized graphical language and notation for
describing object-oriented models, this book uses the UML notation throughout.
Modern object-oriented analysis and design methods are model-based and use
a combination of use case modeling, static modeling, state machine modeling, and
object interaction modeling. Almost all modern object-oriented methods use the
UML notation for describing software requirements, analysis, and design mod-
els (Booch, Rumbaugh, and Jacobson 2005; Fowler 2004; Rumbaugh, Booch, and
Jacobson 2005).
In use case modeling, the functional requirements of the system are defined in
terms of use cases and actors. Static modeling provides a structural view of the sys-
tem. Classes are defined in terms of their attributes, as well as their relationships
with other classes. Dynamic modeling provides a behavioral view of the system. The
use cases are realized to show the interaction among participating objects. Object
interaction diagrams are developed to show how objects communicate with each
other to realize the use case. The state-dependent aspects of the system are defined
with statecharts.
Introduction 5
During a given design step, the method might provide a set of structuring criteria to
help the designer in decomposing the system into its components.
The Collaborative Object Modeling and Design Method, or COMET, uses the
UML notation to describe the design. COMET is based on the design concepts
of information hiding, classes, inheritance, and concurrent tasks. It uses a design
strategy of concurrent object design, which addresses the structuring of a software
system into active and passive objects and defines the interfaces between them. It
provides structuring criteria to help structure the system into objects during analy-
sis, and additional criteria to determine the subsystems and concurrent tasks during
design.
■ Use case view. This view is a functional requirements view, which is an input
to develop the software architecture. Each use case describes the sequence of
interactions between one or more actors (external users) and the system.
■ Static view. The architecture is depicted in terms of classes and relationships,
which can be associations, whole/part relationships (compositions or aggrega-
tions), or generalization/specialization relationships. Depicted on UML class
diagrams.
■ Dynamic interaction view. This view describes the architecture in terms of
objects as well as the message communication between them. This view can also
be used to depict the execution sequence of specific scenarios. Depicted on UML
communication diagrams.
8 Overview
■ Dynamic state machine view. The internal control and sequencing of a control
component can be depicted using a state machine. Depicted on UML statechart
diagrams.
■ Structural component view. The software architecture is depicted in terms of
components, which are interconnected through their ports, which in turn support
provided and required interfaces. Depicted on UML structured class diagrams.
■ Dynamic concurrent view. The software architecture is viewed as concurrent
components, executing on distributed nodes, and communicating by messages.
Depicted on UML concurrent communication diagrams.
■ Deployment view. This depicts a specific configuration of the distributed archi-
tecture with components assigned to hardware nodes. Depicted on UML deploy-
ment diagrams.
data structures and then designing the program structures based on the data struc-
tures. The two principal design methods to use this strategy were Jackson Structured
Programming (Jackson 1983) and the Warnier/Orr method.
In the database world, the concept of separating logical and physical data was
key to the development of database management systems. Various approaches were
advocated for the logical design of databases, including the introduction of entity-
relationship modeling by Chen.
Parnas (1972) made a great contribution to software design with his advocacy
of information hiding. A major problem with early systems, even in many of those
designed to be modular, resulted from the widespread use of global data, which
made these systems prone to error and difficult to change. Information hiding pro-
vided an approach for greatly reducing, if not eliminating, global data.
A major contribution for the design of concurrent and real-time systems came
in the late 1970s with the introduction of the MASCOT notation and later the
MASCOT design method. Based on a data flow approach, MASCOT formalized the
way tasks communicate with each other, either through channels for message com-
munication or through pools (information-hiding modules that encapsulate shared
data structures). The data maintained by a channel or pool are accessed by a task
only indirectly by calling access procedures provided by the channel or pool. The
access procedures also synchronize access to the data, typically using semaphores,
so that all synchronization issues are hidden from the calling task.
There was a general maturation of software design methods in the 1980s, and
several system design methods were introduced. Parnas’s work with the Naval Re-
search Lab (NRL), in which he explored the use of information hiding in large-
scale software design, led to the development of the Naval Research Lab Software
Cost Reduction Method (Parnas, Clements, and Weiss 1984). Work on applying
Structured Analysis and Structured Design to concurrent and real-time systems led
to the development of Real-Time Structured Analysis and Design (RTSAD) (see
Gomaa [1993] for an overview) and the Design Approach for Real-Time Systems
(DARTS) (Gomaa 1984) methods.
Another software development method to emerge in the early 1980s was Jackson
System Development (JSD) (Jackson 1983). JSD views a design as being a simula-
tion of the real world and emphasizes modeling entities in the problem domain by
using concurrent tasks. JSD was one of the first methods to advocate that the design
should model reality first and, in this respect, predated the object-oriented analysis
methods. The system is considered a simulation of the real world and is designed
as a network of concurrent tasks, in which each real-world entity is modeled by
means of a concurrent task. JSD also defied the then-conventional thinking of top-
down design by advocating a middle-out behavioral approach to software design.
This approach was a precursor of object interaction modeling, an essential aspect of
modern object-oriented development.
Booch, Wirfs-Brock, Wilkerson, and Wiener (1990), Rumbaugh et al. (1991), Shlaer
and Mellor (1988, 1992), and Coad and Yourdon (1991, 1992). The emphasis in
these methods was on modeling the problem domain, information hiding, and
inheritance.
Parnas advocated using information hiding as a way to design modules that were
more self-contained and therefore could be changed with little or no impact on
other modules. Booch introduced object-oriented concepts into design initially with
information hiding, in the object-based design of Ada-based systems and later
extended this to using information hiding, classes, and inheritance in object-oriented
design. Shlaer and Mellor (1988), Coad and Yourdon (1991), and others introduced
object-oriented concepts into analysis. It is generally considered that the object-
oriented approach provides a smoother transition from analysis to design than the
functional approach.
Object-oriented analysis methods apply object-oriented concepts to the analysis
phase of the software life cycle. The emphasis is on identifying real-world objects
in the problem domain and mapping them to software objects. The initial attempt
at object modeling was a static modeling approach that had its origins in informa-
tion modeling, in particular, entity-relationship (E-R) modeling or, more generally,
semantic data modeling, as used in logical database design. Entities in E-R modeling
are information-intensive objects in the problem domain. The entities, the attributes
of each entity, and relationships among the entities, are determined and depicted
on E-R diagrams; the emphasis is entirely on data modeling. During design, the
E-R model is mapped to a database, usually relational. In object-oriented analy-
sis, objects in the problem domain are identified and modeled as software classes,
and the attributes of each class, as well as the relationships among classes, are
determined (Coad 1991; Rumbaugh et al. 1991; Shlaer and Mellor 1988).
The main difference between classes in static object-oriented modeling and entity
types in E-R modeling is that classes have operations but entity types do not have
operations. In addition, whereas information modeling only models persistent enti-
ties that are to be stored in a database, other problem domain classes are also
modeled in static object modeling. The advanced information modeling concepts of
aggregation and generalization/specialization are also used. The most widely used
notation for static object modeling before UML was the Object Modeling Tech-
nique (OMT) (Rumbaugh et al. 1991).
Static object modeling was also referred to as class modeling and object modeling
because it involves determining the classes to which objects belong and depicting
classes and their relationships on class diagrams. The term domain modeling is also
used to refer to static modeling of the problem domain (Rosenberg and Scott 1999;
Shlaer and Mellor 1992).
The early object-oriented analysis and design methods emphasized the structural
aspects of software development through information hiding and inheritance but
neglected the dynamic aspects. A major contribution by the OMT (Rumbaugh et al.
1991) was to clearly demonstrate that dynamic modeling was equally important. In
addition to introducing the static modeling notation for the object diagrams, OMT
showed how dynamic modeling could be performed with statecharts for showing the
state-dependent behavior of active objects and with sequence diagrams to show the
sequence of interactions between objects. Rumbaugh et al. (1991) used statecharts,
Introduction 11
which are hierarchical state transition diagrams originally conceived by Harel (1988,
1998), for modeling active objects. Shlaer and Mellor (1992) also used state transi-
tion diagrams for modeling active objects. Booch initially used object diagrams to
show the instance-level interactions among objects and later sequentially numbered
the interactions to more clearly depict the communication among objects.
Jacobson (1992) introduced the use case concept for modeling the system’s
functional requirements. Jacobson also used the sequence diagram to describe the
sequence of interactions between the objects that participate in a use case. The use
case concept was fundamental to all phases of Jacobson’s object-oriented software
engineering life cycle. The use case concept has had a profound impact on modern
object-oriented software development.
Prior to UML, there were earlier attempts to unify the various object-oriented
methods and notations, including Fusion (Coleman et al. 1993) and the work of
Texel and Williams (1997). The UML notation was originally developed by Booch,
Jacobson, and Rumbaugh to integrate the notations for use case modeling, static
modeling, and dynamic modeling (using statecharts and object interaction model-
ing), as described in Chapter 2. Other methodologists also contributed to the devel-
opment of UML. An interesting discussion of how UML has evolved and how it is
likely to evolve in the future is given in Cobryn [1999] and Selic (1999).
1.11 SUMMARY
This chapter introduced object-oriented methods and notations, software archi-
tectural design, and UML. The chapter briefly described the evolution of soft-
ware design methods, object-oriented analysis and design methods, and concurrent,
distributed, and real-time design methods. Chapter 2 provides an overview of the
UML notation. Chapter 3 describes software life cycles and methods. Chapter 4
describes software design and architecture concepts. Chapter 5 describes the use
case–based software life cycle for the COMET method.
EXERCISES
5. What is a software design concept?
Multiple-choice questions: For each ques- (a) A graphical or textual description
tion, choose one of the answers. of the software.
1. What is software modeling? (b) Documentation of the software.
(a) Developing models of software. (c) A fundamental idea that can be
(b) Designing software applications applied to designing a system.
before coding. (d) A systematic approach for produc-
(c) Developing software diagrams. ing a design.
(d) Developing software prototypes. 6. What is a software design strategy?
2. What is the Unified Modeling Lan- (a) A graphical or textual description
guage? of the software.
(a) A programming language for des- (b) A fundamental idea that can be
cribing object-oriented models. applied to designing a system.
(b) A diagramming tool for drawing (c) A systematic approach for produc-
object-oriented models. ing a design.
(c) A graphical language for describing (d) An overall plan and direction for
object-oriented models. developing a design.
(d) A standardized graphical language 7. What are software structuring criteria?
and notation for describing object- (a) Fundamental ideas that can be
oriented models. applied to designing a system.
3. What is a software architecture? (b) Systematic approaches for produc-
(a) The software inside a building. ing a design.
(b) The structure of a client/server sys- (c) Guidelines used to help in structur-
tem. ing a software system into its com-
(c) The overall structure of a software ponents.
system. (d) Overall plans for developing a
(d) The software classes and their rela- design.
tionships. 8. What is a software design method?
4. What is a software design notation? (a) A systematic approach for produc-
(a) Notes about the software design. ing a design.
(b) A graphical or textual description (b) Guidelines used to help in structur-
of the software. ing a software system into its com-
(c) Documentation of the software. ponents.
(d) A systematic approach for produc- (c) An overall plan for developing a
ing a design. design.
Introduction 13
The notation used for the COMET method is the Unified Modeling Language
(UML). This chapter provides a brief overview of the UML notation. The UML
notation has evolved since it was first adopted as a standard in 1997. A major
revision to the standard was made in 2003, so the current version of the standard
is UML 2. The previous versions of the standard are referred to as UML
1.x.
The UML notation has grown substantially over the years, and it supports many
diagrams. The approach taken in this book is the same as Fowler’s (2004), which
is to use only those parts of the UML notation that provide a distinct benefit.
This chapter describes the main features of the UML notation that are particu-
larly suited to the COMET method. The purpose of this chapter is not to be a
full exposition of UML, because several detailed books exist on this topic, but
rather to provide a brief overview. The main features of each of the UML dia-
grams used in this book are briefly described, but lesser-used features are omitted.
The differences between UML 2 notation and UML 1.x notation are also briefly
explained.
14
Overview of the UML Notation 15
Use Case
Actor
Use Case A
«extend» «extend»
Use Case C
Use Case B
Use Case X
«include» «include»
Use Case Z
Use Case Y
Chapters 6 through 19 describe how these UML diagrams are used by the COMET
method.
Class Class
Class
attributes attributes
Objects
compartment of the box holds the class name, the middle compartment holds the
attributes, and the bottom compartment holds the operations.
To distinguish between a class (the type) and an object (an instance of the type),
an object name is shown underlined. An object can be depicted in full with the
object name separated by a colon from the class name – for example, anObject :
Class. Optionally, the colon and class name may be omitted, leaving just the object
name – for example, anObject. Another option is to omit the object name and depict
just the class name after the colon, as in : Class. Classes and objects are depicted on
various UML diagrams, as described in Section 2.4.
2.4.1 Associations
An association is a static, structural relationship between two or more classes. An
association between two classes, which is referred to as a binary association, is
depicted as a line joining the two class boxes, such as the line connecting the ClassA
box to the ClassB box in Figure 2.3a. An association has a name and optionally a
small black arrowhead to depict the direction in which the association name should
be read. On each end of the association line joining the classes is the multiplicity of
the association, which indicates how many instances of one class are related to an
instance of the other class. Optionally, a stick arrow may also be used to depict the
direction of navigability.
The multiplicity of an association specifies how many instances of one class may
relate to a single instance of another class (see Figure 2.3a, right). The multiplicity
Overview of the UML Notation 17
a) Associations
1
Class Exactly one
ClassA
0..1
Class Optional (zero or one)
1 Association
Association * Class Many (zero or more)
1..*
0..1 Class Many (one or more)
*
ClassB ClassC m..n
Class Numerically specified
of an association can be exactly one (1), optional (0..1), zero or more (∗ ), one or
more (1..∗ ), or numerically specified (m..n), where m and n have numeric values.
2.4.4 Visibility
Visibility refers to whether an element of the class is visible from outside the class,
as depicted in Figure 2.4. Depicting visibility is optional on a class diagram. Public
visibility, denoted with a + symbol, means that the element is visible from outside
the class. Private visibility, denoted with a – symbol, means that the element is vis-
ible only from within the class that defines it and is thus hidden from other classes.
Protected visibility, denoted with a # symbol, means that the element is visible from
within the class that defines it and within all subclasses of the class.
18 Overview
Superclass
ClassName
# protectedClassAttributes
- privateClassAttributes
+ publicClassOperations
- privateClassOperations
SubclassA1 SubclassA2
- privateClassAttributes - privateClassAttributes
1: Input Message
objectA
2: Internal Message
: Actor
objectB1 : ClassB
anObject
4[Condition]: Conditional
Message
: ClassC
: Actor
1: Input Message
2: Internal Message
3: Another Message
4: Request Message
Initial State
Event
composite state A
Event / Action
Final State
Figure 2.7. UML notation for a state machine: composite state with
sequential substates
composite state B
orthogonal region BC
Event 2
Substate B1 Substate B2
Event 1 Event 4
State C
Event 3
Substate B3 Substate B4
Figure 2.8. UML notation for a state machine: composite state with orthog-
onal substates
Overview of the UML Notation 21
«system»
SystemPackage
«subsystem» «subsystem»
Subsystem Subsystem
PackageA PackageB
substate is further decomposed into sequential substates. Thus, when the composite
B is initially entered, each of the substates B1 and B3 is also entered.
2.7 PACKAGES
In UML, a package is a grouping of model elements – for example, to represent
a system or subsystem. A package is depicted by a folder icon, a large rectangle
with a small rectangle attached on one corner, as shown in Figure 2.9. Packages may
also be nested within other packages. Possible relationships between packages are
dependency (shown in Figure 2.9) and generalization/specialization relationships.
Packages may be used to contain classes, objects, or use cases.
«synchronous message»
message-name (argument list)
c2) Option 2:
«reply»
1: inputMessage
«active object»
objectA
2: asynchronousMessage
: Actor
«active object»
objectB
3: synchronousMessage
«active object»
objectC
4: synchronousMessage 5: reply
«active object»
objectD
2.10.1 Stereotypes
A stereotype defines a new building block that is derived from an exist-
ing UML modeling element but tailored to the modeler’s problem (Booch,
24 Overview
Server1 Server2
Rumbaugh, and Jacobson 2005). This book makes extensive use of stereo-
types. Several standard stereotypes are defined in UML. In addition, a mod-
eler may define new stereotypes. This chapter includes several examples of
stereotypes, both standard and COMET-specific. Stereotypes are indicated by
guillemets (« »).
Figure 2.9 shows the stereotypes «system» and «subsystem» to distinguish
between two different kinds of packages. Figure 2.11 uses stereotypes to distinguish
among different kinds of messages.
In UML 1.3, a UML modeling element could be depicted only with one stereo-
type. However, UML 1.4 onward extended the stereotype concept to allow a mod-
eling element to be depicted by more than one stereotype. Therefore, different,
possibly orthogonal, characteristics of a modeling element can now be depicted
with different stereotypes. The COMET method takes advantage of this additional
functionality.
The UML stereotype notation allows a modeler to tailor a UML modeling ele-
ment to a specific problem. In UML, stereotypes are enclosed in guillemets usu-
ally within the modeling element (e.g., class or object), as depicted in Figure 2.14a.
However, UML also allows stereotypes to be depicted as symbols. One of the most
common such representations was introduced by Jacobson (1992) and is used in the
Unified Software Development Process (USDP) (Jacobson, Booch, and Rumbaugh
1999). Stereotypes are used to represent «entity» classes, «boundary» classes, and
«control» classes. Figure 2.14b depicts the Process Plan «entity» class, the Elevator
Control «control» class, and the Sensor Interface «boundary» class using the USDP’s
stereotype symbols.
Overview of the UML Notation 25
2.10.3 Constraints
A constraint specifies a condition that must be true. In UML, a constraint is an
extension of the semantics of a UML element to allow the addition of new rules or
modifications to existing rules (Booch, Rumbaugh, and Jacobson 2005). For exam-
ple, for the Account class depicted in Figure 2.15, the constraint on the attribute bal-
ance is that the balance can never be negative, depicted as {balance >=0}. Option-
ally, UML provides the Object Constraint Language (Warmer and Kleppe 1999) for
expressing constraints.
«entity»
Account
{version = 1.0, author = Gill}
-accountNumber : integer
-balance : real {balance >= 0}
font. In the body of the text, however, examples are shown in a different font to
distinguish them from the regular Times Roman font. Some specific additional con-
ventions used in the book vary depending on the phase of the project. For example,
the conventions for capitalization are different in the analysis model (which is less
formal) than in the design model (which is more formal).
Classes
Classes are shown with an uppercase initial letter. In the figures, there are no spaces
in multiword names – for example, CheckingAccount. In the text, however, spacing
is introduced to improve the readability – for example, Checking Account.
Attributes are shown with a lowercase initial letter – for example, balance. For
multiword attributes, there are no spaces between the words in figures, but spaces
are introduced in the text. The first word of the multiword name has an initial lower-
case letter; subsequent words have an initial uppercase letter – for example, account-
Number in figures, and account Number in text.
The type of the attribute has an initial uppercase letter – for example, Boolean,
Integer, or Real.
Objects
Objects may be depicted in various ways, as described next:
■ An individual named object. In this case, the first letter of the first word is
lowercase, and subsequent words have an uppercase first letter. In figures, the
objects appear as, for example, aCheckingAccount and anotherCheckingAccount.
In the text, these objects appear as a Checking Account and another Checking
Account.
■ An individual unnamed object. Some objects are shown in the figures as class
instances without a given object name – for example, : CheckingAccount. In the
text, this object is referred to as Checking Account. For improved readability, the
colon is removed, and a space is introduced between the individual words of a
multiword name.
This means that, depending on how the object is depicted in a figure, it will
appear in the text sometimes with a first word in which the initial letter is upper-
case and sometimes with a first word in which the initial letter is lowercase.
Overview of the UML Notation 27
Messages
In the analysis model, messages are always depicted as simple messages (see Fig-
ure 2.11 and Section 2.8.1) because no decision has yet been made about the message
type. Messages are depicted with an uppercase initial letter. Multiword messages are
shown with spaces in both figures and text – for example, Simple Message Name.
Statecharts
In both figures and text, states, events, conditions, actions, and activities are all
shown with initial letter uppercase and spaces in multiword names – for example,
the state Waiting for PIN, the event Cash Dispensed, and the action Dispense Cash.
Messages
In the design model, the first letter of the first word of the message is lowercase, and
subsequent words have an uppercase first letter. In both the figures and text, there
is no space between words, as in alarmMessage.
Message parameters are shown with a lowercase initial letter – for example,
speed. For multiword attributes, there are no spaces between the words in both
the figures and text. The first word of the multiword name has a lowercase ini-
tial letter, and subsequent words have an uppercase initial letter – for example,
cumulativeDistance– in both figures and text.
Operations
The naming conventions for operations (also known as methods) follow the conven-
tions for messages in both figures and text. Thus, the first letter of the first word of
both the operation and the parameter is lowercase, and subsequent words have an
uppercase first letter. There is no space between words – for example, validatePass-
word (userPassword).
2.12 SUMMARY
This chapter briefly described the main features of the UML notation and the main
characteristics of the UML diagrams used in this book.
For further reading on UML 2 notation, Fowler (2004) and Ambler (2005)
provide introductory material. More detailed information can be found in Booch,
28 Overview
Rumbaugh, and Jacobson (2005) and Eriksson et al. (2004). A comprehensive and
detailed reference to UML is Rumbaugh, Booch, and Jacobson (2005).
29
30 Overview
systems have been developed using a software life cycle. The first widely used soft-
ware life cycle model, often referred to as the waterfall model, is shown in Figure
3.1. It is generally considered the conventional or “classical” software life cycle. The
waterfall model is an idealized process model in which each phase is completed
before the next phase is started, and a project moves from one phase to the next
without iteration or overlap.
Architectural
Design
Detailed
Design
Coding
Unit Testing
Integration
Testing
System &
Acceptance
Testing
31
32
Requirements
Analysis &
Specification
Architectural
Design
Detailed
Design
Coding
Unit Testing
Integration
Testing
System &
Acceptance
Testing
Architectural
Design
Throwaway
Prototyping
Detailed
Design
Coding
Unit Testing
Integration
Testing
System &
Acceptance
Testing
33
34 Overview
The biggest problem it helped overcome was the communications barrier that
existed between the users and the developers.
Throwaway prototypes can also be used for experimental prototyping of the
design (Figure 3.4). This can be used to determine if certain algorithms are logically
correct or to determine if they meet their performance goals.
Architectural
Design
Incremental
Component
Construction
Throwaway
Prototyping
Incremental System
Integration
System &
Acceptance Testing
35
36
Requirements
Analysis &
Specification
Architectural
Design
Incremental
Component
Construction
Incremental System
Integration
Architectural
Design
Throwaway Incremental
Prototyping Component
Construction
Incremental System
Integration
Figure 3.6. Combined throwaway prototyping with incremental development software life cycle model
37
38 Overview
cycle – in particular, the waterfall model. The spiral model is intended to encompass
other life cycle models, such as the waterfall model, the incremental development
model, and the throwaway prototyping model.
In the spiral model, the radial coordinate represents cost, and the angular coor-
dinate represents progress in completion of a cycle of the model. The spiral model
consists of the following four quadrants, as shown in Figure 3.7:
1. Define objectives, alternatives, and constraints. Detailed planning for this
cycle: identify goals and alternative approaches to achieving them.
2. Analyze risks. Detailed assessment of current project risks; plan activities to
be performed to alleviate these risks.
3. Develop product. Work on developing product, such as requirements analy-
sis, design, or coding.
4. Plan next cycle. Assess progress made on this cycle and start planning for next
cycle.
Each cycle of the spiral model iterates through these four quadrants, although the
number of cycles is project-specific. The descriptions of the activities in each quad-
rant are intended to be general enough that they can be included in any cycle.
The goal of the spiral model is to be risk-driven, so the risks in a given cycle are
determined in the “analyze risks” quadrant. To manage these risks, certain addi-
tional project-specific activities may be planned to address the risks, such as require-
ments prototyping if the risk analysis indicates that the software requirements are
not clearly understood. These project-specific risks are termed process drivers. For
any process driver, one or more project-specific activities need to be performed to
manage the risk (Boehm and Belz 1990).
An example of identifying a project-specific risk is to determine that the ini-
tial software requirements are not well understood. A project-specific activity per-
formed to manage the risk is to develop a throwaway prototype, with the goal of
getting feedback from the users in order to help clarify the requirements.
Software Life Cycle Models and Processes 39
Phases
Requirements
Analysis
Design
Implementation
Test
Iterations
Figure 3.8. Unified Software Development Process
(Jacobson et al, THE UNIFIED SOFTWARE DEVELOPMENT PROCESS, Figure 1.5
“Unified Software Development Process” p. 11, c 1999 Pearson Educa-
tion, Inc. Reproduced by permission of Pearson Education, Inc.)
Like the spiral model, the USDP is a risk-driven process. The life cycle phases
of the USDP are as follows (Jacobson, Booch, and Rumbaugh 1999; Kruchten
2003):
1. Inception. During the inception phase, the seed idea is developed to a suffi-
cient level to justify entering the elaboration phase.
2. Elaboration. During the elaboration phase, the software architecture is
defined.
3. Construction. During the construction phase, the software is built to the point
at which it is ready for release to the user community.
4. Transition. During the transition phase, the software is turned over to the user
community.
3.3.4 Coding
During the coding phase, each component is coded in the programming language
selected for the project. Usually a set of coding and documentation standards have
to be adhered to.
■ Performance testing. To test that the system meets its response time require-
ments.
3.5 SUMMARY
This chapter has taken a software life cycle perspective on software development.
Various software life cycle models, also referred to as software process models
(including the spiral model and the Unified Software Development Process) were
briefly described and compared. The roles of design verification and validation and
of software testing were discussed. Chapter 5 describes the use case–based software
life cycle for the COMET method.
EXERCISES
4. Which of the following approaches can
Multiple-choice questions: For each ques- overcome the limitation in the previous
tion, choose one of the answers. question?
1. What is a software life cycle? (a) Phased software development
(a) The life of the software (b) Throwaway prototyping
(b) A cyclic approach to developing (c) Evolutionary prototyping
software (d) Incremental development
(c) A phased approach to developing 5. What is evolutionary prototyping?
software (a) Phased software development
(d) The life of software developed in (b) Throwaway prototyping
cycles (c) Risk-driven development
2. What is the waterfall life cycle model? (d) Incremental development
(a) Software developed under a water- 6. What approach does the spiral model
fall emphasize?
(b) A process model in which each (a) Phased software development
phase is completed before the next (b) Throwaway prototyping
phase is started (c) Risk-driven development
(c) A process model in which phases (d) Incremental development
are overlapped 7. What is the goal of software valida-
(d) A process model in which phases tion?
are cyclic (a) Building the system
3. Which of the following is a limitation of (b) Building the right system
the waterfall life cycle model? (c) Building the system right
(a) Software is developed in phases. (d) Testing the system
(b) Each phase is completed before the 8. What is the goal of software verifica-
next phase is started. tion?
(c) Software development is cyclic. (a) Building the system
(d) Software requirements are not (b) Building the right system
properly tested until a working sys- (c) Building the system right
tem is available. (d) Testing the system
44 Overview
This chapter describes key software design concepts that have shown their value
over the years for the design of software architectures. First, object-oriented con-
cepts are introduced, and objects and classes are described. Then there is a discus-
sion of the role of information hiding in object-oriented design and an introduc-
tion to the concept of inheritance. Next, the concurrent processing concept and the
concept of concurrent objects in concurrent applications are introduced. This is fol-
lowed by an overview of software design patterns, software architecture, and the
main characteristics of component-based systems. Finally, the concept of software
quality attributes is discussed. Examples in this chapter are described in UML. An
overview of the UML notation is given in Chapter 2.
Section 4.1 provides an overview of object-oriented concepts. Section 4.2
describes information hiding. Section 4.3 describes inheritance and generalization/
specialization relationships. Section 4.4 provides an overview of concurrent pro-
cessing. Section 4.5 gives an overview of software design patterns, with the actual
patterns described in subsequent chapters. Section 4.6 provides an overview of soft-
ware architecture and the main characteristics of component-based systems. Finally,
Section 4.7 gives an introduction to software quality attributes.
45
46 Overview
An attribute is a data value held by an object in a class. Each object has a specific
value of an attribute. Figure 4.2 shows a class with attributes. The class Account has
two attributes: account Number and balance. Two objects of the Account class are
shown: an Account and another Account. Each account has specific values of the
attributes. For example, the value of account Number of the object an Account is
1234, and the value of account Number of the object another Account is 5678. The
value of balance of the former object is $525.36, and the value of balance of the latter
is $1,897.44. An attribute name is unique within a class, although different classes
may have the same attribute name; for example, both the Customer and Employee
classes have attributes name and address.
An operation is the specification of a function performed by an object. An object
has one or more operations. The operations manipulate the values of the attributes
maintained by the object. Operations may have input and output parameters. All
objects in the same class have the same operations. For example, the class Account
has the operations read Balance, credit, debit, open, and close. Figure 4.3 shows the
Account class with its operations.
An object is an instance of a class. Individual objects are instantiated as required
at execution time. Each object has a unique identity, which is the characteristic
that distinguishes it from other objects. In some cases, this identity may be an
attribute (e.g., an account number or a customer name), but it does not need to be
an attribute. Consider two blue balls: they are identical in every respect; however,
they have different identities.
Stack implemented
Push Pop
as array
N Max Size = N
X Index
Stack array
Max Size
X Index
Stack
information
hiding object
Stack array
■ The data structure is defined. In the case of the stack, for example, a one-
dimensional array is defined. A variable is defined to refer to the top of the
stack, and another variable has the value of the size of the array.
■ Other objects are not permitted to access the data structure. They can call the
object’s operations to push an item onto the stack or pop an item off the stack.
Now assume that the design of the stack is changed from an array to a linked
list. Consider its impact on the functional and information hiding solutions. In both
cases, the data structure for the stack has to change. However, in the functional
solution, the stack is implemented as a global data structure, so every module that
accesses the stack also has to change because it operates directly on the data struc-
ture. Instead of manipulating array indexes, the module has to manipulate the point-
ers of the linked list (Figure 4.6).
In the information hiding solution, in addition to the internal stack data structure
changing drastically, the internals of the information hiding object’s operations have
to change because they now access a linked list instead of an array (Figure 4.7).
However, the external interface of the object, which is what is visible to the other
# Entries Top
Bottom
Max Size
objects, does not change. Thus, the objects that use the stack are not affected by
the change; they continue to call the object’s operations without even needing to be
aware of the change.
The same concepts can be applied to designing a stack class, which is a template
for creating stack objects. A stack class is defined, which hides the data structure
to be used for the stack and specifies the operations that manipulate it, as shown in
Figure 4.8. Individual stack objects are instantiated as required by the application.
Each stack object has its own identity. It also has its own local copy of the stack
data structure, as well as a local copy of any other instance variables required by the
stack’s operations.
are classified as mammals, fish, reptiles, and so on. Cats and dogs have common
properties that are generalized into the properties of mammals. However, they also
have unique properties (e.g., a dog barks and a cat mews).
Inheritance is a mechanism for sharing and reusing code between classes. A child
class inherits the properties (encapsulated data and operations) of a parent class. It
can then adapt the structure (i.e., encapsulated data) and behavior (i.e., operations)
of its parent class. The parent class is referred to as a superclass or base class. The
child class is referred to as a subclass or derived class. The adaptation of a par-
ent class to form a child class is referred to as specialization. Child classes may be
further specialized, allowing the creation of class hierarchies, also referred to as
generalization/specialization hierarchies.
Class inheritance is a mechanism for extending an application’s functionality by
reusing the functionality specified in parent classes. Thus, a new class can be incre-
mentally defined in terms of an existing class. A child class can adapt the encapsu-
lated data (referred to as instance variables) and operations of its parent class. It
adapts the encapsulated data by adding new instance variables. It adapts the oper-
ations by adding new operations or by redefining existing operations. It is also pos-
sible for a child class to suppress an operation of the parent; however, such sup-
pression is not recommended, because in that case the subclass no longer shares the
interface of the superclass.
Consider the example of bank accounts given in Figure 4.9. Checking accounts
and savings accounts have some attributes in common and others that are differ-
ent. The attributes that are common to all accounts – namely, account Number and
balance – are made attributes of an Account superclass. Attributes specific to a
savings account, such as cumulative Interest (in this bank, checking accounts do
not accumulate any interest), are made attributes of the subclass Savings Account.
Attributes specific to a checking account, such as last Deposit Amount, are made
attributes of the subclass Checking Account.
# accountNumber : Integer
# balance : Real = 0
+ readBalance () : Real
+ credit (amount : Real)
+ debit (amount : Real)
+ open (accountNumber : Integer)
+ close ()
For each of the subclasses, new operations are added. For the Savings Account
subclass, the new operations are read Cumulative Interest to read cumulative Interest,
and add Interest to add the daily interest. For the Checking Account subclass, the
new operation is read Last Deposit Amount. This example is treated in more detail in
Chapter 14.
1. The mutual exclusion problem occurs when concurrent objects need to have
exclusive access to a resource, such as shared data or a physical device. A vari-
ation on this problem, in which the mutual exclusion constraint can sometimes
be relaxed, is the multiple readers and writers problem.
2. The synchronization problem occurs when two concurrent objects need to
synchronize their operations with each other.
3. The producer/consumer problem occurs when concurrent objects need to
communicate with each other in order to pass data from one concurrent object
to another. Communication between concurrent objects is often referred to as
interprocess communication (IPC).
After being awakened, the pick-and-place robot removes the part. Each robot exe-
cutes a loop, because the robots repetitively perform their operations. The solution
is as follows (see also Figure 4.10):
Pick-and-Place Robot
while workAvailable do
Pick up part
Move part to work location
Release part
Move robot arm to safe position
signal (partReady)
wait (partCompleted)
Pick up part
Remove part from work location
Place part
end while;
Drilling Robot
while workAvailable do
wait (partReady)
Move robot arm to work location
Drill four holes
Move robot arm to safe position
signal (partCompleted)
end while;
data before the consumer can consume it. If the consumer is ready to receive the
data but the producer has not yet produced it, then the consumer must wait for
the producer. If the producer has produced the data before the consumer is ready
to receive it, then either the producer has to be held up or the data needs to be
buffered for the consumer, thereby allowing the producer to continue.
A common solution to this problem is to use message communication between
the producer and consumer concurrent objects. Message communication between
concurrent objects serves two purposes:
1. Transfer of data from a producer (source) concurrent object to a consumer
(destination) concurrent object.
2. Synchronization between producer and consumer. If no message is available,
the consumer has to wait for the message to arrive from the producer. In some
cases, the producer waits for a reply from the consumer.
Message communication between concurrent objects may be asynchronous or
synchronous. The concurrent objects may reside on the same node or be distributed
over several nodes in a distributed application. With asynchronous message com-
munication, the producer sends a message to the consumer and continues without
waiting for a response. With synchronous message communication, the producer
sends a message to the consumer and then immediately waits for a response.
aProducer aConsumer
1: sendSynchronousMessageWithReply
(in message, out response)
aProducer aConsumer
the reply. The producer and consumer then both continue. The consumer is sus-
pended if no message is available. For a given producer/consumer pair, no message
queue develops between the producer and the consumer. It is also possible to have
synchronous message communication without replydesing pattern as described in
Chapter 12.
An example of synchronous message communication with reply is given in Fig-
ure 4.12 in which the producer sends a message to the consumer; after receiving the
message, the consumer sends a reply to the producer.
■ Design patterns. In a widely cited book (Gamma et al. 1995), design patterns
were described by four software designers – Erich Gamma, Richard Helm,
Ralph Johnson, and John Vlissides – who were named in some quarters as the
“gang of four.” A design pattern is a small group of collaborating objects.
58 Overview
4.6.2 Connectors
In addition to defining the components, a software architecture must define the
connectors that join the components. A connector encapsulates the intercon-
nection protocol between two or more components. Different kinds of message
Software Design and Architecture Concepts 59
4.8 SUMMARY
This chapter described key concepts in software design and important concepts for
developing component-based software architectures. The object-oriented concepts
introduced here form the basis of several of the forthcoming chapters. Chapter 7
describes how static modeling is applied to modeling software systems. Chapters 9,
10, and 11 describe how dynamic modeling is applied to modeling software systems.
Chapters 9 and 11 describe dynamic modeling between objects using object interac-
tion modeling, and Chapter 10 focuses on dynamic modeling within an object using
finite state machines.
60 Overview
EXERCISES
(b) The operation’s function or sub-
Multiple-choice questions: For each ques- routine
tion, choose one of the answers. (c) The operation’s name, parameters,
1. Which of the following are object- and return value
oriented concepts? (d) The object’s interface
(a) Modules and interfaces 6. What is the interface of a class?
(b) Modules and information hiding (a) The signature of a class
(c) Classes, information hiding, and (b) The specification of operations pro-
inheritance vided by the class
(d) Concurrency and information hid- (c) The internals of the class
ing (d) The implementation of the class
2. Which of the following is a characteris- 7. What is an attribute?
tic of an object? (a) A description of a class
(a) A function or subroutine (b) An internal property of a class
(b) A module (c) A data item held by a class
(c) Groups data and procedures that (d) A parameter of a class
operate on the data 8. What is information hiding in software
(d) Groups a function and an algorithm design?
3. What is a class? (a) Hiding information so that it can-
(a) An object instance not be found
(b) The implementation of the object (b) Hiding a design decision that is con-
(c) A collection of objects with the sidered likely to change
same characteristics (c) Hiding information to make it
(d) A collection of objects with differ- secure
ent characteristics (d) Encapsulating data in a class
4. What is an operation (also known as 9. What is data abstraction?
method) of a class? (a) Another name for information hid-
(a) Specification and the implementa- ing
tion of a function performed by a (b) Encapsulating data so that its struc-
class ture is hidden
(b) Specification and the implementa- (c) Storing data in a database
tion of a subroutine provided by a (d) Storing data in a data structure
class 10. What is inheritance?
(c) Specification and the implementa- (a) A mechanism for inheriting charac-
tion of a function or procedure pro- teristics from a parent
vided by a class (b) A mechanism for sharing and re-
(d) Specification and the implementa- using code between classes
tion of an interface provided by a (c) A mechanism for sharing data be-
class tween classes
5. What is the signature of an operation? (d) A mechanism for hiding informa-
(a) The operation’s name tion between classes
5
The software modeling and design method described in this book is called COMET
(Collaborative Object Modeling and Architectural Design Method), which uses the
UML notation. COMET is an iterative use case–driven and object-oriented method
that specifically addresses the requirements, analysis, and design modeling phases
of the software development life cycle. This chapter considers the COMET method
from a software life cycle perspective. The development process for the COMET
method is a use case–based software process, which is compatible with the Unified
Software Development Process (USDP) (Jacobson, Booch, and Rumbaugh 1999)
and the spiral model (Boehm 1988). This chapter presents the COMET use case–
based software life cycle and describes how the COMET method may be used with
the USDP or the spiral model. It then outlines the main activities of the COMET
method and concludes with a description of the steps in using COMET.
Section 5.1 describes the COMET use case–based software life cycle, and Section
5.2 compares COMET with other software processes. Section 5.3 gives an overview
of the requirements, analysis, and design modeling activities in COMET. Section 5.4
gives an overview of the design of different kinds of software architectures covered
in this textbook.
61
62
Requirements
User
Modeling
Analysis
Modeling
Design
Modeling
Throwaway
Prototyping
Incremental
Software
Construction
Incremental
Software
Integration
Incremental System
Prototyping Testin g
Customer
5.2.2 Comparison of the COMET Life Cycle with the Spiral Model
The COMET method can also be used with the spiral model (Boehm 1988). Dur-
ing the project planning for a given cycle of the spiral model, the project manager
decides what specific technical activity should be performed in the third quadrant,
which is the product development quadrant. The selected technical activity, such as
requirements modeling, analysis modeling, or design modeling, is then performed
in the third quadrant. The risk analysis activity, performed in the second quadrant,
and cycle planning, performed in the fourth quadrant, determine how many itera-
tions are required through each of the technical activities.
■ Use case modeling. Define actors and black box use cases. The functional
requirements of the system are described in terms of use cases and actors. The
use case descriptions are a behavioral view; the relationships among the use cases
give a structural view. Use case modeling is described in Chapter 6.
■ Addressing nonfunctional requirements is also important at the requirements
phase. The UML notation does not address this. However, the use case mod-
eling approach can be supplemented to address nonfunctional requirements, as
described in Chapter 6.
classes). Design the operations of each class and the parameters of each oper-
ation. This is described in Chapter 14.
■ Make decisions about how to structure the distributed application into dis-
tributed subsystems, in which subsystems are designed as configurable
components, and define the message communication interfaces between the
components. This is described in Chapters 13, 15, 16, and 17.
■ Make decisions about the characteristics of objects, particularly whether they
are active or passive. For each subsystem, structure the system into concur-
rent tasks (active objects). During task structuring, tasks are structured using
the task-structuring criteria, and task interfaces are defined. This is described in
Chapter 18.
■ Make decisions about the characteristics of messages, particularly whether they
are asynchronous or synchronous (with or without reply). Architectural commu-
nication patterns are described in Chapters 12, 13, 15, 16, 17, and 18.
COMET emphasizes the use of structuring criteria at certain stages in the anal-
ysis and design process. Object structuring criteria are used to help determine the
objects in the system, subsystem structuring criteria are used to help determine the
subsystems, and concurrent object structuring criteria are used to help determine
the concurrent (active) objects in the system. UML stereotypes are used through-
out to clearly show the use of the structuring criteria.
5.5 SUMMARY
This chapter described the COMET use case–based software life cycle for the de-
velopment of UML-based object-oriented software applications. It compared the
COMET life cycle with the USDP and the spiral model, and described how the
COMET method can be used with either the USDP or the spiral model. The chapter
then described the main activities of the COMET method and concluded with a
description of the steps in using COMET. Each of the steps in the COMET method
is described in more detail in the subsequent chapters of this textbook.
For software intensive systems, in which the software is one component of a
larger hardware/software system, systems modeling can be carried out before soft-
ware modeling. A dialect of UML called SysML is a general purpose modeling lan-
guage for systems engineering applications (Friedenthal et al 2009).
Software Modeling
6
The requirements of a system describe what the user expects from the system – in
other words, what the system will do for the user. When defining the requirements
of a system, the system should be viewed as a black box, so that only the exter-
nal characteristics of the system are considered. Both functional and nonfunctional
requirements need to be considered. Requirements modeling consists of require-
ments analysis and requirements specification.
Use case modeling is an approach for describing the functional requirements of
the system, as described in this chapter. The system’s data requirements in terms of
the information that needs to be stored by the system are determined using static
modeling, as described in Chapter 7. The inputs to the system and the outputs from
the system are described initially in the use case models and then specified in more
detail during static modeling.
This chapter gives an overview of software requirements analysis and specifica-
tion in Section 6.1. It then goes on to describe the use case approach to defining
functional requirements, as well as how to extend use cases to describe nonfunc-
tional requirements. This chapter describes the concepts of actors and use cases,
and then goes on to describe use case relationships, in particular, the include and
extend relationships. Section 6.2 gives an overview of use case modeling followed
by an example of a simple use case. Section 6.3 then describes actors and their
role in use case modeling. The important topic of how to identify use cases is cov-
ered in Section 6.4. Section 6.5 describes how to document use cases. Section 6.6
gives some examples of use case descriptions. Section 6.7 then describes use case
relationships. Modeling with the include relationship is described in Section 6.8;
modeling with the extend relationship is described in Section 6.9. Use case
guidelines are described in Section 6.10, specifying nonfunctional requirements is
described in Section 6.11, use case packages are described in Section 6.12, and
how to describe use cases more precisely using activity diagrams is described in
Section 6.13.
71
72 Software Modeling
needs to output to the external environment, and what stored information the sys-
tem reads or updates. For example, for a functional requirement to view the bal-
ance of a bank account, the user would need to input the account number, and the
system would need to read the balance from the customer account and output the
balance.
A nonfunctional requirement, sometimes referred to as a quality attribute, refers
to a quality-of-service goal that the system must fulfill. Examples of nonfunctional
requirements are a performance requirement specifying a system response time
of 2 seconds, an availability requirement specifying a system must be operational
for 99% of the time, or a security requirement, such as protection from system
penetration.
Withdraw Funds
ATM Customer
customer and the system; the use case starts when the customer inserts an ATM
card into the card reader, then responds to the system’s prompt for the PIN, and
eventually receives the cash dispensed by the ATM machine.
View Alarms
Monitoring Operator
6.3 ACTORS
An actor characterizes an external user (i.e., outside the system) that interacts with
the system (Rumbaugh et al. 2005). In the use case model, actors are the only exter-
nal entities that interact with the system; in other words, actors are outside the sys-
tem and not part of it.
Generate Monitoring
Data
Generate Alarm
Remote Sensor
The Report Timer actor initiates the Display Daily Report use case, which periodically
(e.g., at noon every day) prepares a daily report and displays it to the user. In this
example, the timer is the primary actor and the user is the secondary actor. In use
cases in which a timer is the primary actor, it is usually the secondary actor (the user
in this example) who gains value from the use case.
If it is possible for a human user to play two or more independent roles, this
is represented by a different actor for each role. For example, the same user might
play, at different times, both an ATM Operator role (when replenishing the ATM cash
dispenser with cash) and an ATM Customer role (when withdrawing cash) and thus
be modeled by two actors.
In some systems, different actors might have some roles in common but other
roles that are different. In this situation, the actors can be generalized, so that the
common part of their roles is captured as a generalized actor and the different parts
by specialized actors. As an example, consider the Emergency Response System
(Chapter 23), in which two actors, a Monitoring Sensor actor and a Remote System
actor, behave in a similar way by monitoring remote sensors and sending sensor data
and alarms to the system. This similar behavior can be modeled by a generalized
actor, Remote Sensor, which represents the common role (i.e., the behavior that is
common to both the specialized actors), as shown in Figure 6.6.
Withdraw Funds
Query Account
ATM Customer
Transfer Funds
of interactions between the actor and the system. In this way, the functional
requirements of the system are described in terms of the use cases, which consti-
tute a functional specification of a system. However, when developing use cases, it
is important to avoid a functional decomposition in which several small use cases
describe small individual functions of the system rather than describe a sequence of
events that provides a useful result to the actor.
Let us consider the banking example again. In addition to withdrawing cash from
the ATM, the ATM Customer actor is also allowed to query an account or transfer
funds between two accounts. Because these are distinct functions initiated by the
customer with different useful results, the query and transfer functions should be
modeled as separate use cases, rather than being part of the original use case. Thus,
the customer can initiate three use cases, as shown in Figure 6.7: Withdraw Funds,
Query Account, and Transfer Funds.
The main sequence of the use case describes the most common sequence of inter-
actions between the actor and the system. There may also be branches off the main
sequence of the use case that describe less frequent interactions between the actor
and the system. These alternative sequences are deviations from the main sequence
that are executed only under certain circumstances – for example, if the actor makes
an incorrect input to the system. Depending on the application requirements, an
alternative sequence through the use case can sometimes join up later with the main
sequence. The alternative sequences are also described in the use case.
In the Withdraw Funds use case, the main sequence is the sequence of steps for
successfully achieving a withdrawal. Alternative sequences are used to address var-
ious error cases, such as when the customer enters the wrong PIN and must be re-
prompted, when an ATM card is not recognized or has been reported stolen, and so
on.
Each sequence through the use case is called a scenario. A use case usu-
ally describes several scenarios, one main sequence and a number of alternative
sequences. Note that a scenario is a complete sequence through the use case, so a
scenario could start out executing the main sequence and then follow an alterna-
tive branch at the decision point. For example, one of the Withdraw Funds scenarios
starts with the main sequence of the customer inserting the ATM card into the card
80 Software Modeling
reader, entering the PIN number in response to the prompt but then receiving an
error message because the PIN was incorrect, and then entering the correct PIN.
Browse Catalog
Make Order
Request
Customer
View
Order Status
diagram for the customer-initiated use cases in the Online Shopping System. There
is one actor – namely, the Customer, who browses a catalog and requests to purchase
items – and three use cases that are the major functions initiated by the actor, which
are Browse Catalog, to browse the catalog and select items, Make Order Request, to
provide the account and credit card information for the purchase, and View Order,
to view the status of the order. In the main sequence of the Make Order Request use
case, the customer makes an order request to purchase items from an online catalog
and has sufficient credit to pay for the items. The alternative sequences deal with
other situations, which occur less frequently: the customer has no account and has
to create one, or the customer has an invalid credit card.
Alternative sequences:
Step 2: If customer does not have account, the system creates an account.
Step 3: If the customer’s credit card request is denied, the system prompts
the customer to enter a different credit card number. The customer can
either enter a different credit card number or cancel the order.
Postcondition: System has created a delivery order for the customer.
Validate PIN
Withdraw Transfer
Query Account Funds
Funds
ATM Customer
An inclusion use case is executed in conjunction with a base use case, which
includes and, hence, executes the inclusion use case. In programming terms, an
inclusion use case is analogous to a library routine, and a base use case is analo-
gous to a program that calls the library routine.
An inclusion use case might not have a specific actor. The actor is, in fact, the
actor of the base use case that includes the inclusion use case. Because different
base use cases use the inclusion use case, it is possible for the inclusion use case to
be used by different actors.
The main parts of the use case descriptions are given for the inclusion use case,
Validate PIN, and a base use case, Withdraw Funds, that includes the Validate PIN use
case:
Validate PIN Inclusion Use Case
Process Part at
Receive Part High-Volume Ship Part
Workstation
Production
Manager
Manufacturing
Robot
Figure 6.10. Example of multiple inclusion use cases and include relationships
actor(s) and system. An example of this is the Manufacture High-Volume Part use
case (Figure 6.10), which describes the sequence of interactions in manufacturing
a part. This process involves receiving the raw material for the part to be manu-
factured (described in the Receive Part use case), executing a manufacturing step
at each factory workstation (described in the Process Part at High-Volume Worksta-
tion use case), and shipping the manufactured part (described in the Ship Part use
case).
■ To show a conditional part of the base use case that is executed only under cer-
tain circumstances
■ To model complex or alternative paths.
It is important to note that the base use case does not depend on the extension
use case. The extension use case, on the other hand, depends on the base use case
and executes only if the condition in the base use case that causes it to execute is
true. Although an extension use case usually extends only one base use case, it is
86 Software Modeling
possible for it to extend more than one. A base use case can be extended by more
than one extension use case.
Checkout
Customer
payment
Supermarket «extend»
«extend» (payment)
Customer (payment) «extend» [debit card
[cash payment] (payment) payment]
[credit card
payment]
In this base use case description, at step 6 «payment» is a placeholder that identi-
fies the location at which the appropriate extension use case is executed. For the Pay
by Cash extension use case, the extension condition is a selection condition called
[cash payment]. This extension use case is executed if the condition [cash payment]
is true.
Pay by Cash Extension Use Case
For the Pay by Credit Card extension use case, the selection condition is called
[credit card payment] (see Figure 6.11). This extension use case is executed if the
[credit card payment] condition is true, meaning that the user chose to pay by credit
card. Of course, if the user chose instead to pay by cash, then the Pay by Cash use
case would be executed instead.
Pay by Credit Card Extension Use Case
The use case description for the Pay by Debit Card extension use case is handled
in a similar way, except that the customer also needs to enter a PIN. Pay by Cash has
a selection condition called [debit card payment].
see the forest (the overall sequence of interactions) for the trees (the individual
functions)!
Security requirement: System shall encrypt ATM card number and PIN.
Performance requirement: System shall respond to actor inputs within 5
seconds.
View Alarms
Monitoring
Operator Generate Alarm
A use case model can also be described using an activity diagram. How-
ever, to depict a use case, a subset of the activity diagram capabilities is suf-
ficient. In particular, it is not necessary to model concurrent activities for use
cases.
An activity diagram can be used to represent the sequential steps of a use case,
including the main sequence and all the alternative sequences. An activity diagram
can therefore be used to provide a more precise description of the use case, because
it shows exactly where in the sequence and what the condition is for an alterna-
tive sequence to diverge from the main sequence. An activity node can be used to
represent one or more sequential steps of the use case. A high-level activity node
can be used to represent a use case, which can then be decomposed into a separate
activity diagram. Activity diagrams can also be used to depict sequencing among use
cases.
For depicting a use case, an activity diagram uses activity nodes, decision
nodes, arcs to join sequential activity nodes, and loops. An activity node is used
to depict one or more steps in the use case description. A decision node is used
to depict a situation in which, based on the result of the decision, an alterna-
tive sequence could branch off from the main sequence. Depending on the use
case, the alternative sequence could rejoin the main sequence – for example, by
looping back to a previous activity node or rejoining the main sequence further
down.
Activity nodes can be aggregate nodes that are hierarchically decomposed to
give a lower-level activity diagram. This concept can be used to depict inclusion
and extension use cases. Thus, an activity node in a base use case can be used to
Use Case Modeling 91
Receive
Order Request
[account exists]
Create Get
New Account Account Information
Authorize
Credit Card
[invalid]
[valid]
Display Create
Invalid Credit Card New Delivery Order
represent a link to an inclusion (or extension) use case, which is then depicted on a
separate lower-level activity diagram.
An example of an activity diagram is given in Figure 6.13 for the Make Order
Request use case of the Online Shopping System (see Section 6.6). This use case
consists of a main sequence in which the customer makes an order request to pur-
chase items from an online catalog and has sufficient credit to pay for the items. The
alternative sequences are for creating a new customer account and for an invalid
credit card. Each decision point that results in an alternative scenario is explicitly
depicted. In the example, the customer enters the order request information, system
gets account information (with an alternative sequence to create a new account),
and requests credit card authorization. If the credit card is valid, the system creates
a new delivery order and displays the order. If the credit card is invalid, the system
displays an invalid credit card prompt.
92 Software Modeling
6.14 SUMMARY
This chapter provided an overview of requirements analysis and specification and
described the use case approach to defining the functional requirements of the sys-
tem. It described the concepts of actor and use cases. It also described use case
relationships, particularly the extend and include relationships.
The use case model has a strong influence on subsequent software development;
thus, use cases are realized in the analysis model during dynamic interaction model-
ing, as described in Chapters 9 and 11. For each use case, the objects that participate
in the use case are determined by using the object structuring criteria described in
Chapter 8, and the sequence of interactions between the objects is defined. Software
can be incrementally developed by selecting the use cases to be developed in each
phase of the project, as described in Chapter 5. Integration and system test cases
should also be based on use cases. Statecharts can also be used to depict the states
and transitions for a state-dependent use case, as described in Chapter 10.
Static Modeling
The static model addresses the static structural view of a problem, which does not
vary with time. A static model describes the static structure of the system being
modeled, which is considered less likely to change than the functions of the system.
In particular, a static model defines the classes in the system, the attributes of the
classes, the relationships between classes, and the operations of each class. In this
chapter, static modeling refers to the modeling process and the UML class diagram
notation is used to depict the static model.
The concepts of objects, classes, and class attributes are described in Chapter 4.
This chapter describes the relationships between classes. Three types of relation-
ships are described: associations, whole/part (composition and aggregation) rela-
tionships, and generalization/specialization (inheritance) relationships. In addition,
this chapter addresses special considerations in static modeling of the problem
domain, including static modeling of the total system context and software system
context, as well as static modeling of entity classes. Design of class operations is
deferred to the design phase, and is addressed during class design, as described in
Chapter 14.
Static models are depicted on class diagrams, as described in this chapter. Sec-
tion 7.1 describes the different kinds of associations between classes. Section 7.2
describes whole/part relationships, particularly composition and aggregation hier-
archies. Section 7.3 describes generalization/specialization hierarchies. Section 7.4
provides an overview of constraints. Section 7.5 describes static modeling with
UML, in which the initial emphasis is on modeling the physical classes and entity
classes. The next topic, covered in Section 7.6, is static modeling of the scope of
the total system (hardware and software) and the scope of the software system in
order to determine the border between the total system and the external environ-
ment, and then the border between the software system and the external environ-
ment. Section 7.7 describes the categorization of classes using UML stereotypes,
and Section 7.8 describes how UML stereotypes can be applied to modeling exter-
nal classes. Static modeling of the entity classes, which are data-intensive classes, is
described in Section 7.9.
94
Static Modeling 95
Company
name: String
address: String
businessSector: String
1
Is led by
1
CEO
name: String
employeeId: String
address: String
phoneNumber: Integer
Bank
bankName: String
bankAddress: String
Administers
1..*
Account
accountNumber: Integer
balance: Real
Car
modelName: String
manufacturer: String
modelYear: Date
Is entered through
2, 4
Door
height: Real
width: Real
depth: Real
windowArea: Real
material: String
cards, one credit card, or many credit cards, as shown in Figure 7.5. Note that
in both these examples, the association in the opposite direction is one-to-one
(e.g., Credit Card Owned by Customer).
■ Many-to-many association. A many-to-many association is an association be-
tween two classes with a one-to-many association in each direction. For exam-
ple, in the association Course Is attended by Student, Student Enrolls in Course,
there is a one-to-many association between a course and the students who attend
it, because a course is attended by many students. There is also a one-to-many
association in the opposite direction, because a student could enroll in many
courses. This is illustrated in Figure 7.6, which shows the association in each
direction.
An example of classes and their associations in a banking application is given
in Figure 7.7. The Bank class has a one-to-many association with the Customer class
and with the Debit Card class. Thus, a bank provides a service for many customers
Customer
customerName: String
customerId: String
customerAddress: String
Owns
0..1
DebitCard
cardId: Integer
PIN: String
startDate: Date
expirationDate: Date
status: Integer
limit: Real
total: Real
Customer
customerName: String
customerId: String
customerAddress: String
Owns
0..*
CreditCard
cardType: Integer
cardId: Integer
startDate: Date
expirationDate: Date
status: Integer
Course
courseId: String
courseName: String
section#: Integer
semester: String
Enrolls in Is attended by
1..*
Student
studentName: String
studentId: String
studentAddress: String
studentType: String
Managed by
1 1 1 Provides service for
President Bank
1..*
1 Owns
Customer
1
Administers 1..*
Owns
President
and administers many debit cards. Customer has a many-to-many association with
Account, so a customer might own more than one account, and an account could
be a joint account belonging to more than one customer. Customer has an optional
association with Debit Card, so a given customer might or might not own a debit card,
but a debit card must belong to a customer. Bank has a one-to-one association with
President, so a bank can have only one president, and a president can be president
of only one bank. The attributes of these classes are shown in Figure 7.8.
Buyer Seller
name: String name: String
Negotiates
address: String price address: String
phoneNumber: Integer phoneNumber: Integer
movingDateTarget: String sellingPrice: Integer
homePriceTarget: Integer
Agent
name: String
address: String
company: String
workPhoneNumber: String
homePhoneNumber: String
Is child of
Person
Is child of Person (Figure 7.10), Person Is married to Person, and Employee Is boss of
Employee.
Employee Project
ATM
1 1 1
1
ATMCustomer
CardReader CashDispenser ReceiptPrinter
KeypadDisplay
College
collegeName: String
dean: String
1 1..* 1..*
Account
accountNumber: Integer
balance: Real
CheckingAccount SavingsAccount
reader, cash dispenser, and customer keypad/display, which are part of the ATM
composite class.
Account
accountNumber: Integer
balance: Real
accountType
CheckingAccount SavingsAccount
7.4 CONSTRAINTS
A constraint specifies a condition or restriction that must be true (Rumbaugh,
Booch, and Jacobson 2005). A constraint is expressed in any textual language. The
UML also provides a constraint language, the Object Constraint Language (OCL)
(Warmer and Kleppe 1999), which can optionally be used.
One kind of constraint is a restriction on the possible values of an attribute.
Consider the following: in the banking example, it might be stipulated that accounts
are not allowed to have a negative balance. This can be expressed as a constraint on
the attribute balance of the Account class to state that the balance is not allowed to
be negative, {balance >= 0}. On a class diagram, the constraint on the attribute is
shown next to the attribute to which it applies, as illustrated in Figure 7.16.
Another kind of constraint is a restriction on an association link. Usually objects
on the “many” side of an association have no order. However, in some cases, objects
in the problem domain might have an explicit order that is desirable to model. Con-
sider, for example, the one-to-many association Account Modified by ATM Trans-
action. In this association, ATM transactions are ordered by time; hence, the con-
straint can be expressed as {ordered by time}. This constraint can be depicted on a
class diagram, as shown in Figure 7.17.
Account
accountNumber: Integer
balance: Real {balance >= 0}
Account
accountNumber: Integer
balance: Real
1
Modified by
* {ordered by time}
ATMTransaction
transactionId: Integer
cardId: Integer
PIN: String
date: Date
time: Time
status: Integer
Bank
1
Provides service for
1..*
Maintains
ATM
1 1
ATM Operator
1 1 1
1
ATMCustomer
CardReader CashDispenser ReceiptPrinter
KeypadDisplay
1 1 1 1
Interacts through
1 1
1
1
ATM Customer
Context modeling explicitly identifies what is inside the system and what is outside.
Context modeling can be done at the total system (hardware and software) level
or at the software system (software only) level. A diagram that explicitly shows the
border between the system (hardware and software), which is treated as a black box,
and the external environment is called a system context diagram. A diagram that
explicitly shows the border between the software system, also treated as a black
box, and the external environment (which now includes the hardware) is called a
software system context diagram. These views of the border around the system are
more detailed than those usually provided by a use case diagram.
In developing the system context diagram, it is helpful to consider the context of
the total hardware/software system (i.e., both hardware and software) before con-
sidering the context of the software system. This is particularly useful in situations in
which hardware/software tradeoffs need to be made. In considering the total hard-
ware/software system, only users (i.e., human actors) and external systems are out-
side the system. I/O devices are part of the hardware of the system and therefore
appear inside the total system.
As an example, consider the total hardware/software system for the Banking
System. From a total hardware/software system perspective, the ATM Customer and
ATM Operator actors, shown in Figure 7.18, are outside the system, as shown in Figure
7.19. All the others entities shown in Figure 7.18, in particular the I/O devices, which
include the card reader, cash dispenser, receipt printer, and the ATM Customer
keypad/display, are part of the total hardware/software system (Figure 7.19).
From the total system perspective – that is, both hardware and software – the
ATM Customer and ATM Operator actors are external to the system, as shown in
106 Software Modeling
Interacts
Interacts with
1..* with 1
«system» 1 1..*
Banking
System
ATM
ATM Operator
Customer
Figure 7.19. Banking hardware/software system context class diagram
Figure 7.19. The ATM Operator interacts with the system via a keypad and display.
The ATM Customer actor interacts with the system via four I/O devices, which are
the card reader, cash dispenser, receipt printer, and ATM Customer keypad/display.
From a total hardware/software system perspective, these I/O devices are part of the
system. From a software perspective, the I/O devices are external to the software
system. On the software system context class diagram, the I/O devices are modeled
as external classes, as shown on Figure 7.20.
The software system context class diagram can be determined by static mod-
eling of the external classes that connect to the system. In particular, the physi-
cal classes described in the previous section are often I/O devices that are exter-
nal classes to the software system. Alternatively, the software system context class
diagram can be determined from the use cases by considering the actors and what
devices they use to interface to the system. Both approaches are described in
Section 7.8.
CardReader
1 1..*
Outputs
Inputs to
to
1 1 ATM
Outputs
1..* to Operator
1 1 ReceiptPrinter 1 1
Interacts
1 with
Interacts 1 1..*
1 with 1 Banking Operator
1 System
1 1..*
ATM ATMCustomer 1
Customer KeypadDisplay
Outputs to
1..*
1
CashDispenser
essentially tactical in nature. Thus, classifying the Account class into a Checking
Account and a Savings Account is a good idea because Checking Account and Sav-
ings Account have some attributes and operations in common and others that differ.
Categorization, however, is a strategic classification – a decision to organize classes
into certain groups because most software systems have these kinds of classes and
because categorizing classes in this way helps to better understand the system being
developed.
In UML, stereotypes are used to distinguish among the various kinds of classes.
A stereotype is a subclass of an existing modeling element (e.g., an application or
external class) that is used to represent a usage distinction (e.g., the kind of applica-
tion or external class). In the UML notation, a stereotype is enclosed by guillemets,
like this: «entity». In software applications, a class is categorized by the role it plays
in the application. Application classes are categorized according to their role in the
application, such as «entity» class or «boundary» class, as will be described in
Chapter 8. External classes are categorized on the basis of their characteristics in
the external environment, such as «external system» or «external user», as will be
described in Section 7.8.
Examples shown in Figure 7.21 from the Banking System are the external I/O
device Card Reader, the external output devices Cash Dispenser and Receipt Printer,
and the entity classes Account and Customer.
«external class»
«external
«external user» «external system» «external timer»
device»
system; thus, Figure 7.22 classifies external classes from the perspective of the soft-
ware system.
As depicted in Figure 7.22, an external device is classified further as follows:
■ External input device. A device that only provides input to the system – for
example, a sensor
■ External output device. A device that only receives output from the system – for
example, an actuator
■ External I/O device. A device that both provides input to the system and receives
output from the system – for example, an ATM card reader
A human user often interacts with the software system by means of standard I/O
devices such as a keyboard/display and mouse. The characteristics of these standard
I/O devices are of no interest because they are handled by the operating system.
The interface to the user is of much greater interest in terms of what information
is being output to the user and what information is being input by the user. For
this reason, an external user interacting with the software system via standard I/O
devices is depicted as an «external user».
A general guideline is that a human user should be represented as an external
user class only if the user interacts with the system via standard I/O devices. On the
other hand, if the user interacts with the software system via application-specific I/O
devices, these I/O devices should be represented as external device I/O classes.
For a real-time embedded system, it is desirable to identify low-level external
classes that correspond to the physical I/O devices to which the software system
must interface. These external classes are depicted with the stereotype «external
I/O device». Examples are the Arrival Sensor external input device and the Motor
external output device in the Automated Guided Vehicle System.
An «external system» class is needed when the system interfaces to other sys-
tems, to either send data or receive data. Thus, in the Automated Guided Vehi-
cle System, the software system interfaces to two external systems: the Supervisory
System and the Display System.
An «external timer» class is used if the application needs to keep track of time
and/or if it needs external timer events to initiate certain actions in the system.
External timer classes are most frequently needed in real-time systems. An example
Static Modeling 109
from the Automated Guided Vehicle System is the Clock. It is needed because the
software system needs external timer events to initiate various periodic activities.
Sometimes the need for periodic activities only becomes apparent during design.
The associations between the software system aggregate class and the external
classes are depicted on the software system context class diagram, showing in partic-
ular the multiplicity of the associations. The standard association names on software
system context class diagrams are Inputs to, Outputs to, Communicates with, Inter-
acts with, and Signals. These associations are used as follows:
«external I/O
device»
1 1..*
CardReader
Outputs
Inputs to
to
1 1 ATM
Outputs
«external output to Operator
1..*
1 1 device» 1 1
ReceiptPrinter Interacts
1 with
Interacts «software system»
1 1..* «external user»
1 with 1 Banking
Operator
1
System
1 «external user» 1..*
ATM 1
ATMCustomer
Customer
KeypadDisplay
Outputs to
1..*
1 «external output
device»
CashDispenser
Figure 7.23. Banking System software context class diagram with stereotypes
system has six external classes: there are two external systems (Supervisory System
and Display System), one external input device (Arrival Sensor), two external output
devices (Robot Arm and Motor), and one external timer (Clock).
■ An I/O device actor is equivalent to an external I/O device class. This means the
I/O device actor interfaces to the system via an external I/O device class.
■ An external system actor is equivalent to an external system class.
1
«software 1
system»
«external input 1 Inputs to 1 Automated
device»
Guided Vehicle 1
ArrivalSensor 1 Outputs to
System
1
Signals 1 «external output
Communicates with device»
1 Motor
«external timer»
Clock
1
«external system»
Display
System
■ A timer actor interfaces to the system via an external timer class, which provides
timer events to the system.
■ A human user actor has the most flexibility. In the simplest case, the user actor
interfaces to the system via standard user I/O devices, such as keyboard, visual
display, and mouse. The external class is given the name of its user actor because
what is of interest is the logical information coming from the user. However, in
more complex use cases, it is possible for a human actor to interface with the
system through a variety of external classes. An example of this is the customer
actor in the Banking System, in which the actor interfaces with the system via
several external I/O devices, as described in Section 7.8.3.
Stored in
Provides
«entity» «entity»
«entity» Supplier
Inventory Catalog
supplierId : Integer
itemID : Integer itemId : Integer supplierName: String
itemDescription : String itemDescription : String address : String
quantity : Integer unitCost : Real telephoneNumber : String
price : Real supplierId : Integer faxNumber : String
reorderTime : Date itemDetails : linkType email : EmailType
«entity»
CustomerAccount
accountId : Integer
cardId : String
cardType : String
expirationDate: Date
Consider the attributes of the entity classes that are shown in Figure 7.26. Each
class has several attributes that provide information that distinguishes this class from
other classes. Furthermore, each instance of the class has specific values of these
attributes to differentiate it from other instances of the class. Thus, the Customer
class is characterized by attributes that describe the information needed to identify
an individual customer, including a customer Id, the customer’s name, address, tele-
phone number, fax number, and email address. On the other hand, the Customer
Account class contains attributes that provide details of the account.
7.10 SUMMARY
This chapter described some of the basic concepts of static modeling, includ-
ing the relationships between classes. Three types of relationships have been
described: associations, composition/aggregation relationships, and generalization/
specialization relationships. In addition, this chapter described how static modeling
is used to model the structural views of the problem domain. This consists of static
modeling of the total system context, which depicts the classes external to the total
hardware/software system; static modeling of the software system context, which
depicts the classes external to the software system; and static modeling of the entity
classes, which are conceptual data-intensive classes.
Static modeling of the solution domain is deferred to the design phase. Although
static modeling also includes defining the operations of each class, it is easier
to determine the operations of a class after dynamic modeling. Because of this,
114 Software Modeling
After defining the use cases and developing a static model of the problem domain,
the next step is to determine the software objects in the system. At this stage,
the emphasis is on software objects that model real-world objects in the problem
domain.
Software objects are determined from the use cases and from the static model
of the problem domain. This chapter provides guidelines on how to determine the
objects in the system. Object structuring criteria are provided, and the objects are
categorized by using stereotypes. The emphasis is on problem domain objects to be
found in the real world and not on solution domain objects, which are determined
at design time.
The static modeling described in Chapter 7 was used to determine the exter-
nal classes, which were then depicted on a software system context class diagram.
These external classes are used to help determine the software boundary classes,
which are the software classes that interface to and communicate with the external
environment. The entity classes and their relationships were also determined dur-
ing static modeling. In this chapter, the objects and classes needed in the software
system are determined and categorized. In particular, the focus is on the additional
software objects and classes that were not determined during the static modeling of
the problem domain.
The static relationship between classes is considered in the static model, as
described in the previous chapter, and the dynamic relationship between the objects
is considered in the dynamic model, as described in Chapters 9, 10, and 11.
Section 8.1 gives an overview of object and class structuring, and Section 8.2
describes modeling application classes and objects. Section 8.3 presents an overview
of object and class structuring categories. Section 8.4 describes external classes
(first introduced in Chapter 7) and their relationship to software boundary classes,
whereas Section 8.5 describes the different kinds of boundary classes and objects.
Section 8.6 describes entity classes and objects, which were first introduced in
Chapter 7. Section 8.7 describes the different kinds of control classes and objects.
Section 8.8 describes application logic classes and objects.
115
116 Software Modeling
«application class»
«application
«boundary» «entity» «control» logic»
classes. Because an object is an instance of a class, an object has the same stereotype
as the class from which it is instantiated. Thus, the categorization described in this
section applies equally to classes and objects.
In Figure 8.1, each box represents a different category of application class, and
the relationships between them are inheritance relationships. Therefore, an appli-
cation class is classified as an entity class, a boundary class, a control class, or an
application logic class. These stereotypes are classified further, as shown in Figure
8.1 and described here.
This classification process is analogous to classifying books in a library, with
major classes such as fiction and nonfiction, and further classification of fiction into
classics, mysteries, adventure, and so on, and nonfiction into biography, autobiogra-
phy, travel, cooking, history, and other categories. It is also analogous to the taxon-
omy of the animal kingdom, which is divided into major categories (mammal, bird,
fish, reptile, and so on) that are further divided into subclasses (e.g., cat, dog, and
monkey are subclasses of mammal).
4. Application logic object. Software object that contains the details of the
application logic. Needed when it is desirable to hide the application logic
separately from the data being manipulated because it is considered likely
that the application logic could change independently of the data. For infor-
mation systems, application logic objects are usually business logic objects,
whereas for real-time, scientific, or engineering applications, they are usually
algorithm objects. Another category is service objects, which provide services
for client objects, typically in service-oriented architectures and applications.
In most cases, what category an object fits into is usually obvious. However, in
some cases, it is possible for an object to satisfy more than one of the aforemen-
tioned criteria. For example, an object could have characteristics of both an entity
object, in that it encapsulates some data, and an algorithm object, in that it executes
a significant algorithm. In such cases, allocate the object to the category it seems to
fit best. Note that it is more important to determine all the objects in the system than
to be unduly concerned about how to categorize a few borderline cases.
For each object structuring criterion, there is an object behavioral pattern, which
describes how the object interacts with its neighboring objects. It is useful to under-
stand the object’s typical pattern of behavior, because when this category of object
is used in an application, it is likely to interact with the same kinds of neighboring
objects in a similar way. Each behavioral pattern is depicted on a UML communi-
cation diagram.
■ An external user class interfaces to and interacts with a user interaction class.
■ An external system class interfaces to and communicates with a proxy class.
■ An external device class provides input to and/or receives output from a device
I/O boundary class. Continuing with this classification:
r An external input device class provides input to an input class.
r An external output device class receives output from an output class.
r An external I/O device class provides input to and receives output from an I/O
class.
■ An external timer class signals to a software timer class.
Object and Class Structuring 119
An external device class represents an I/O device type. An external I/O device
object represents a specific I/O device, that is, an instance of the device type. In
the next section, we consider the internal objects that interface to and communicate
with the external objects.
a)
«user interaction»
Operator
Interaction
b) 1: Operator 2: Sensor
Command Request
«user interaction» «entity»
: Operator : SensorData
Interaction Repository
4: Display 3: Sensor Data
: Operator Data
a) «proxy»
Pick&Place
Robot
Proxy
b)
1: Pick & Place
Robot Command «external
«proxy»
system»
: Pick&Place
: External
Robot
Pick&Place
Proxy 2: Pick & Place Robot
Robot Response
Real-world
Software object
external system
System boundary
(Note: the dashed line for the system boundary is for illustrative purpose only and
does not conform to the UML notation.)
a)
«input»
Temperature
Sensor
Interface
b)
1: Temperature
«external input Sensor Input «input»
device»
aTemperature
aReal-World
Sensor
Temperature
Interface
Sensor
Real-world
Software object
hardware object
Hardware / software boundary
(Note: the dashed line for the hardware/software boundary is for illustrative purpose
only and does not conform to the UML notation.)
because they interact with the software system. On the other hand, the vehicle chas-
sis and wheels are not relevant real-world objects, because they do not interact with
the software system. In the software system, the relevant real-world physical objects
are modeled by means of software objects, such as the vehicle motor and arm soft-
ware objects.
Real-world physical objects usually interface to the system via sensors and actu-
ators. These real-world objects provide inputs to the system via sensors or receive
outputs from the system via actuators. Thus, to the software system, the real-world
objects are actually I/O devices that provide inputs to and receive outputs from
the system. Because the real-world objects correspond to I/O devices, the software
objects that interface to them are referred to as device I/O boundary objects.
For example, in the Automated Guided Vehicle System, the station arrival indi-
cator is a real-world object that has a sensor (input devices) that provides inputs to
the system. The motor and arm are real-world objects that are controlled by means
of actuators (output devices) that receive outputs from the system.
An input object is a device I/O boundary object that receives input from an
external input device. Figure 8.4 shows an example of an input class Temperature
Sensor Interface and an instance of this class, an input object, on a communication
diagram. An input object, a Temperature Sensor Interface object, receives tempera-
ture sensor input from an external real-world hardware object, a Real-World Temper-
ature Sensor input device. Figure 8.4 also shows the hardware/software boundary, as
well as the stereotypes for the hardware «external input device» and the software
«input» objects. Thus, the input object provides the software system interface to the
external hardware input device.
An output object is a device I/O boundary object that sends output to an external
output device. Figure 8.5 shows an example of an output class called Red Light Inter-
face, as well as an instance of this class, the Red Light Interface object, which sends
outputs to an external real-world object, the Red Light Actuator external output
device. The Red Light Interface software object sends On and Off Light commands
to the hardware Red Light Actuator. Figure 8.5 also shows the hardware/software
boundary.
122 Software Modeling
a)
«output»
RedLight
Interface
b)
1: Light Command
«external output
«output»
device»
: RedLight
: RedLight
Interface
Actuator
(Note: the dashed line for the hardware/software boundary is for illustrative purpose
only and does not conform to the UML notation.)
A hardware I/O device can also be a device that both sends inputs to the sys-
tem and receives outputs from the system. The corresponding software class is an
I/O class, and a software object that is instantiated from this class is an I/O object.
An input/output (I/O) object is a device I/O boundary object that receives input
from and sends output to an external I/O device. This is the case with the ATM Card
Reader Interface class shown in Figure 8.6a and its instance, the ATM Card Reader
Interface object (see Figure 8.6b), which receives ATM card input from the external
I/O device, the ATM Card Reader. In addition, ATM Card Reader Interface sends eject
and confiscate output commands to the card reader.
In some applications, there are many real-world objects of the same type. These
are modeled by means of one device I/O object for each real-world object, in which
all the objects are instances of the same class. For example, the Factory Automation
System, which controls many automated guided vehicles, has many vehicle motors
of the same type and many robotic arms of the same type. There is one instance
of the Motor Interface class and one instance of the Arm Interface class for each
automated guided vehicle.
a)
«input/output»
ATMCardReader
Interface
b)
1: Card Reader
«external input/ Input
«input/output»
output device»
: ATMCardReader
: ATMCard
Interface
Reader 2: Card Reader
Output
Real-world
Software object
hardware object
Hardware / software boundary
(Note: the dashed line for the hardware/software boundary is for illustrative purpose
only and does not conform to the UML notation.)
«software system»
BankingSystem
Inputs to
«external I/O «input/output»
1 1
1 device» CardReader
CardReader Interface
Outputs to
1 1 ATM
Outputs to Operator
1 «external output «output» 1
1 1 1
1 device» ReceiptPrinter Interacts
ReceiptPrinter Interface «user interaction» with
ATM 1 1 1 «external user»
Operator
Customer Interacts Operator
1 Interaction
with
«external user» «user interaction»
1 1
ATMCustomer Customer
KeypadDisplay Interaction
Outputs to
1 «external output «output»
1 1
device» CashDispenser
CashDispenser Interface
«entity»
Account «entity»
accountNumber: Integer anAccount
balance: Real
«entity»
SensorData «entity»
temperature
sensorName: String SensorData
sensorValue: Real
upperLimit: Real
lowerLimit: Real
alarmStatus: Boolean
a)
«coordinator»
BankCoordinator
b)
«subsystem»
: ATMClient
«coordinator»
: BankCoordinator
a)
«state dependent
control»
ATMControl
b) «output»
1: Dispense Cash : CashDispenser
Interface
2: Cash Dispensed
«state dependent
control»
: ATMControl 3: Print Receipt
«output»
: ReceiptPrinter
4: Receipt Printed Interface
in Chapter 10. This section gives only a brief overview of state-dependent control
objects, which are described in much more detail in Chapters 10 and 11.
A state-dependent control object receives incoming events that cause state tran-
sitions and generates output events that control other objects. The output event gen-
erated by a state-dependent control object depends not only on the input received
by the object but also on the current state of the object. An example of a state-
dependent control object is the ATM Control object (Figure 8.11), which is defined by
means of the ATM Control statechart. In the example, ATM Control is shown control-
ling two other output boundary objects, Receipt Printer Interface and Cash Dispenser
Interface.
In a control system, there are usually one or more state-dependent control
objects. It is also possible to have multiple state-dependent control objects of the
same type. Each object executes an instance of the same finite state machine
(depicted as a statechart), although each object is likely to be in a different state. An
example of this is the Banking System, which has several ATMs, where each ATM
has an instance of the state-dependent control class, ATM Control, which is also shown
in Figure 8.11. Each ATM Control object executes its own instance of the ATM Control
statechart and keeps track of the state of the local ATM. Another example is from
the Automated Guided Vehicle System, in which the control and sequencing of the
vehicle is modeled by means of a state-dependent control object, Vehicle Control,
and defined by means of a statechart. Consequently, each vehicle has a vehicle
control object. More information about state-dependent control objects is given in
Chapter 11.
a)
«timer»
ReportTimer
b)
1: Timer Event
«external timer» «timer»
: DigitalClock : ReportTimer
2: Prepare
«entity»
: WeeklyReport
a)
«business logic»
Withdrawal
TransactionManager
b)
«coordinator»
: BankCoordinator
«business logic»
: Withdrawal
TransactionManager
7: Log Transaction
4: Debit 2: Check
(Account#, Amount) Daily Limit
(Card Id, Amount), 3: Daily Limit
6: Update Response
Daily Total
(Card Id, Amount)
5: Balance
«entity»
«entity» «entity» : Transaction
: Account : DebitCard Log
It encapsulates the business rules for processing an ATM withdrawal request. For
example, the first business rule is that the customer must have a minimum balance
of $50 after the withdrawal takes place; the second business rule is that the cus-
tomer is not allowed to withdraw more than $250 per day with a debit card. The
Withdrawal Transaction Manager object accesses an Account object to determine if
the first business rule will be satisfied. It accesses the Debit Card object, which main-
tains a running total of the amount withdrawn by an ATM customer on this day, to
determine if the second business rule will be satisfied. If either business rule is not
satisfied, the withdrawal request is rejected.
A business logic object usually has to interact with entity objects in order to
execute its business rules. In this way, it resembles a coordinator object. However,
unlike a coordinator object, whose main responsibility is to supervise other objects,
the prime responsibility of a business logic object is to encapsulate and execute the
business rules.
a)
«algorithm»
Cruiser
b)
«entity»
: Cruising
Speed
7: Motor Value
6: Speed «output»
Adjustment : ElectricMotor
Interface
are usually operations of an entity object that operate on the data encapsulated in
the entity. In many scientific and engineering domains, algorithms are refined iter-
atively because they are improved independently of the data they manipulate (e.g.,
for improved performance or accuracy).
An example from a Train Control System is the Cruiser algorithm class. An
instance of this class, the Cruiser object, calculates what adjustments to the speed
should be made by comparing the current speed of the train with the desired cruis-
ing speed (Figure 8.14). The algorithm is complex because it must provide gradual
accelerations or decelerations of the train when they are needed, so as to have min-
imal effect on the passengers.
An algorithm object frequently encapsulates data it needs for computing its algo-
rithm. These data may be initialization data, intermediate result data, or threshold
data, such as maximum or minimum values.
An algorithm object frequently has to interact with other objects in order to
execute its algorithm (e.g., Cruiser). In this way, it resembles a coordinator object.
Unlike a coordinator object, however, whose main responsibility is to supervise
other objects, the prime responsibility of an algorithm object is to encapsulate and
execute the algorithm.
a) «service»
CatalogService
b)
2: Catalog Request
1: Customer Input
«service»
: CatalogService
they are used in other architectures as well, such as client/server architectures and
component-based software architectures. A service object might encapsulate the
data it needs to service client requests or access another entity object(s) that encap-
sulate the data.
An example of a service class is the Catalog Service class given in Figure 8.15a. An
example of executing an instance of this class, the Catalog Service object, is shown
in Figure 8.15b. The Catalog Service object provides support for viewing various cat-
alog items from the supplier’s catalog and selecting items from the catalog. The
Customer Coordinator assists the Customer Interaction object in finding a supplier cat-
alog, provided by the Catalog Service object, and making selections from the catalog.
In addition to service classes and objects, coordinator classes and objects are also
frequently used in service-oriented architectures and applications, as described in
Chapter 16.
8.9 SUMMARY
This chapter described how to determine the software objects and classes in the sys-
tem. Object and class structuring criteria were provided, and the objects and classes
were categorized by using stereotypes. The emphasis is on problem domain objects
and classes, which are to be found in the real world, and not on solution domain
objects, which are determined at design time. The object and structuring criteria
are usually applied to each use case in turn during dynamic interaction modeling,
as described in Chapters 9 and 11, to determine the objects that participate in each
use case. The sequence of interaction among the objects is then determined. Sub-
system structuring criteria are described in Chapter 13. The design of the operations
provided by each class is described in Chapter 14.
Dynamic modeling provides a view of a system in which control and sequencing are
considered, either within an object (by means of a finite state machine) or between
objects (by analysis of object interactions). This chapter addresses dynamic interac-
tion between objects.
Dynamic interaction modeling is based on the realization of the use cases devel-
oped during use case modeling. For each use case, it is necessary to determine how
the objects that participate in the use case dynamically interact with each other.
The object structuring criteria described in Chapter 8 are applied to determine the
objects that participate in each use case. This chapter describes how, for each use
case, an interaction diagram is developed to depict the objects that participate in
the use case and the sequence of messages passed between them. The interaction
is depicted on either a communication diagram or a sequence diagram. A narrative
description of the object interaction is also provided in a message sequence descrip-
tion. Please note that all references to system in this chapter are to the software
system.
This chapter first describes object interaction modeling using communication
diagrams and sequence diagrams before describing how they are used in dynamic
interaction modeling. It then describes the details of the dynamic interaction model-
ing approach for determining how objects collaborate with each other. This chapter
describes stateless dynamic interaction modeling, also referred to as basic dynamic
interaction modeling. Chapter 11 describes state-dependent dynamic interaction
modeling, which, unlike stateless dynamic interaction modeling, involves state-
dependent communication controlled by a statechart.
Section 9.1 presents an overview of object interaction modeling and describes
the two kinds of interaction diagrams, communication and sequence diagrams.
Section 9.2 describes message sequence numbering on interaction diagrams. Sec-
tion 9.3 introduces dynamic interaction modeling, and Section 9.4 describes state-
less dynamic interaction modeling. Section 9.5 provides two examples of stateless
dynamic interaction modeling.
132
Dynamic Interaction Modeling 133
View Alarms
Monitoring
Operator
Figure 9.1. Use case diagram for the View Alarms use case
A1: Operator
Request
«user interaction»
: OperatorInteraction
A1.1: Alarm
Request A1.2: Alarm
«service»
: AlarmService
Figure 9.2. Communication diagram for the View Alarms use case
134 Software Modeling
consists of only two objects: a user interaction object and a service object. The user
interaction object is called Operator Interaction. The service object is called Alarm
Service.
The communication diagram for this use case depicts the user interaction object,
Operator Interaction, making a request to the service object, Alarm Service and receiv-
ing a response (see Figure 9.2).
: Monitoring
Operator «user interaction»
«service»
: Operator
: AlarmService
Interaction
A1.2: Alarm
Figure 9.3. Sequence diagram for the View Alarms use case
Dynamic Interaction Modeling 135
By using a sequence diagram with loops and branches, it is also possible to depict
the interaction sequence of the whole use case consisting of the main sequence and
all the alternative sequences. This is described in more detail in Section 9.5.
where the sequence expression consists of the message sequence number and an
indicator of recurrence.
The first optional letter sequence is an optional use case ID and identifies a spe-
cific concrete use case or abstract use case. The first letter is an uppercase letter and
might be followed by one or more upper- or lowercase letters if a more descriptive
use case ID is desired.
The simplest form of message sequencing is to use a sequence of whole num-
bers, such as M1, M2, and M3. However, in an interactive system with several exter-
nal inputs from the actor, it is often helpful to include a numeric sequence that
includes decimal numbers – that is, to number the external events as whole num-
bers followed by decimal numbers for the ensuing internal events. For example, if
138 Software Modeling
the actor’s inputs were designated as A1, A2, and A3, the full message sequence
depicted on the communication diagram would be A1, A1.1, A1.2, A1.3, . . . , A2,
A2.1, A2.2, . . . , and A3, A3.1, A3.2, . . . .
An example is V1, where the letter V identifies the use case and the number
identifies the message sequence within the communication diagram supporting the
use case. The object sending the first message – V1 – is the initiator of the use case–
based communication. Thus, in the communication and sequence diagram examples
in Figures 9.2 and 9.3, respectively, the input from the actor is V1. Subsequent mes-
sage numbers following this input message are V1.1, V1.2, and V1.3. If the dialog
were to continue, the next input from the actor would be V2.
1. Develop use case model. This step is described in Chapter 6. For dynamic
modeling, consider each interaction between the primary actor and the sys-
tem. Remember that the actor starts the interaction with the system through
an external input. The system responds to this input with some internal exe-
cution and then typically provides a system output. The sequence of actor
inputs and system responses is described in the use case. Start by developing
the communication sequence for the scenario described in the main path of
the use case. Consider each interaction in sequence between the actor and the
system.
2. Determine objects needed to realize use case. This step requires applying the
object structuring criteria (see Chaper 8) to determine the software objects
needed to realize the use case, both boundary objects (2a below) and internal
software objects (2b below).
2a. Determine boundary object(s). Consider the actor (or actors) that partici-
pates in the use case; determine the external objects (external to the sys-
tem) through which the actor communicates with the system, and the software
objects that receive the actor’s inputs.
140 Software Modeling
Start by considering the inputs from the external objects to the system.
For each external input event, consider the software objects required to pro-
cess the event. A software boundary object (such as an input object or user
interaction object) is needed to receive the input from the external object. On
receipt of the external input, the boundary object does some processing and
typically sends a message to an internal object.
2b. Determine internal software objects. Consider the main sequence of the use
case. Using the object structuring criteria, make a first attempt at determining
the internal software objects that participate in the use case, such as control
or entity objects.
3. Determine message communication sequence. For each input event from the
external object, consider the communication required between the boundary
object that receives the input event and the subsequent objects – entity or
control objects – that cooperate in processing this event. Draw a communica-
tion diagram or sequence diagram showing the objects participating in the use
case and the sequence of messages passing between them. This sequence typ-
ically starts with an external input from the actor (external object), followed
by a sequence of internal message between the participating software objects,
through to an external output to the actor (external object). Repeat this pro-
cess for each subsequent interaction between the actor(s) and the system. As a
result, additional objects may be required to participate, and additional mes-
sage communication, along with message sequence numbering, will need to
be specified.
4. Determine alternative sequences. Consider the different alternatives, such as
error handling, which are described in the Alternatives section of the use case.
Then consider what objects need to participate in executing the alternative
branches and the sequence of message communication among them.
A1: The Monitoring Operator requests an alarm handling service – for exam-
ple, to view alarms or to subscribe to receive alarm messages of a specific
type. The request is sent to Operator Interaction.
A1.1: Operator Interaction sends the alarm request to Alarm Service.
A1.2: Alarm Service performs the request – for example, reads the list of
current alarms or adds the name of this user interaction object to the
subscription list – and sends a response to the Operator Interaction object.
A1.3: Operator Interaction displays the response – for example, alarm infor-
mation – to the operator.
Customer
Figure 9.4. Use case diagram for the Make Order Request use case
«service» «service»
: DeliveryOrderService : EmailService
Figure 9.5. Communication diagram for the Make Order Request use case: main sequence
The communication diagram for the Make Order Request use case is depicted in
Figure 9.5. The message descriptions are as follows:
The sequence diagram for the same scenario, namely, the main sequence of the
Make Order Request use case, is depicted in Figure 9.6, which shows the message
sequence from top to bottom of the page.
4. Determine Alternative Sequences
Alternative scenarios for this use case are that the customer does not have an
account, in which case a new account will be created, or that the credit card autho-
rization is denied, in which case the customer has the option of selecting a different
card. Both of these alternative scenarios are analyzed.
The new account alternative scenario is depicted in Figure 9.7. This scenario
diverges from the main scenario at step M4A. The alternative response to the
account request of step M3 is M4A [no account]: Account does not exist. M4A is a
conditional message, which is only sent if the Boolean condition [no account] con-
dition is true. The message sequence for this alternative scenario is M4A through
M4A.8, which is described as follows:
Figure 9.6. Sequence diagram for the Make Order Request use case: main sequence
145
146 Software Modeling
[No account]
Figure 9.7. Sequence diagram for the Make Order Request use case: alternative sequence for
Create New Account
The credit card denied alternative scenario is depicted in Figure 9.8. This sce-
nario diverges from the main scenario at step M6A. The alternative response to the
authorize credit card request of step M5 is M6A [denied]: Credit card denied. M6A
is a conditional message, which is only sent if the Boolean condition [denied] is true.
The message sequence for this alternative scenario is M6A through M6A.2, which
is described as follows:
aCustomer
M2: Order Request M6A.1: Credit Card Denied
Figure 9.8. Communication diagram for the Make Order Request use case: alternative
sequence for Credit Card Denied
M1: Order Request
M4A.3: Account Input
«user interaction»
: Customer
Interaction
M4A.2, M4A.8, M6A.2, M10:
Customer Output M4A.1: Account Required
aCustomer
M2: Order Request M4A.7: Account Confirmation
M4A.4: Account Info M6A.1: Credit Card Denied
M9: Order Confirmation
M3: Account Request
M5: Authorize Credit Card Request M4A.5: Create Account
«service»
«coordinator» «service»
: CreditCard
aCustomerCoordinator : CustomerAccountService
Service
M6 [Approved]: Credit Card Approved M4 [Account exists]: Account Info
M6A [Denied]: Credit Card Denied M4A [No account]: Account Not Exist
M4A.6: Account Created
M9a: Send Order
M7: Store Order M8: Order Confirmation Confirmation Email
«service» «service»
: DeliveryOrderService : EmailService
Figure 9.9. Generic communication diagram for the Make Order Request use case: main and alternative sequences
147
148 Software Modeling
The sequence diagram in Figure 9.6 and the communication diagrams in Figures
9.5, 9.7, and 9.8 all depict individual scenarios (main or alternative) of the Make Order
Request use case. It is possible to combine several scenarios onto a generic inter-
action diagram. Figure 9.9 depicts a generic communication diagram for the three
scenarios depicted on Figure 9.5 (main sequence) and Figures 9.7 and 9.8 (alterna-
tive sequences). Note the use of alternative message sequence numbering for the
different scenarios. The alternatives to the M3 account request message are the two
alternatives given by M4 [account exists] and M4A [no account]. The alternatives to
the M5 authorize credit card request message are the two alternatives given by M6
[approved] and M6A [denied].
The same three scenarios of the Make Order Request use case are depicted
on the generic sequence diagram in Figure 9.10. The sequence diagram depicts
the two alternative sequences for account creation and the other for credit card
approval. The first alt segment depicts the two alternatives of [account exists] and
[no account]. The second alt segment depicts the two alternatives of [approved]
and [denied]. In each case, a dashed line is the separator between the alternatives.
The message sequence numbering is optional on the sequence diagram; however,
it is explicitly depicted to illustrate the correspondence with the communication
diagram.
9.6 SUMMARY
This chapter discussed dynamic modeling, in which the objects that participate in
each use case are determined, as well as the sequence of their interactions. This
chapter first described communication diagrams and sequence diagrams before
explaining how they are used in dynamic modeling. It then described the details
of the dynamic interaction modeling approach for determining how objects collab-
orate with each other. State-dependent dynamic interaction modeling involves a
state-dependent communication controlled by a statechart (as described in Chapter
11), and stateless dynamic interaction modeling does not.
During design, the communication diagrams corresponding to each use case
are synthesized into an integrated communication diagram, which represents the
first step in developing the software architecture of the system, as described in
Chapter 13. During analysis, all message interactions are depicted as simple mes-
sages, because no decision has yet been made about the characteristics of the mes-
sages. During design, the message interfaces are defined as described in Chapters 12
and 13.
[No account]
Alt [Approved]
M6: Credit Card Approved
[Denied]
Figure 9.10. Generic sequence diagram for the Make Order Request use case: main and alternative sequences
149
150 Software Modeling
(b) An actor can provide input to or (d) Depicts all classes and their associ-
receive output from a boundary ations with each other
object. 7. During dynamic interaction modeling,
(c) An actor can provide input to or use cases are realized as follows:
receive output from a boundary (a) Determine objects that participate
class. in each use case and the sequence
(d) An instance of an actor can provide of interactions among them.
input to or receive output from a (b) Determine external objects and the
boundary object. sequence in which they provide
3. What does a sequence diagram depict? inputs to and receive outputs from
(a) The sequence of external objects each use case.
communicating with each other (c) Determine sequence of interac-
(b) Classes and their relationships tions among use cases.
(c) Software objects and the sequence (d) Determine how a use case is
of their interactions depicted through internal states
(d) The external objects communicat- and transitions between them.
ing with the system 8. Which of the following interactions
4. What does a communication diagram could happen on an interaction dia-
depict? gram?
(a) The sequence of external objects (a) An external user sends a message
communicating with each other to a user interaction object.
(b) Classes and their relationships (b) An external user sends a message
(c) Software objects and the sequence to an entity object.
of their interactions (c) An external user sends a message
(d) The external objects communicat- to an I/O object.
ing with the system (d) An external user sends a message
5. What is the instance form of an interac- to a printer object.
tion diagram? 9. Which of the following interactions is
(a) Depicts several object instances NOT likely to happen on an interaction
interacting with each other diagram?
(b) Depicts one possible sequence (a) A user interaction object sends a
of interactions among object message to an entity object.
instances (b) An input object sends a message to
(c) Depicts all possible interactions a state-dependent control object.
among object instances (c) An input object sends a message to
(d) Depicts all object instances and a printer object.
their links to each other (d) A user interaction object sends a
6. What is the generic form of an interac- message to a proxy object.
tion diagram? 10. What kind of object would be the first
(a) Depicts several objects interacting object to receive an input from an
with each other external object?
(b) Depicts one possible sequence of (a) A user interaction object
interactions among objects (b) A proxy object
(c) Depicts all possible interactions (c) An entity object
among objects (d) A boundary object
10
Finite state machines are used for modeling the control and sequencing view of a sys-
tem or object. Many systems, such as real-time systems, are highly state-dependent;
that is, their actions depend not only on their inputs but also on what has previously
happened in the system. Notations used to define finite state machines are the state
transition diagram, statechart, and state transition table. In highly state-dependent
systems, these notations can help greatly by providing insight into understanding
the complexity of these systems.
In the UML notation, a state transition diagram is referred to as a state machine
diagram. The UML state machine diagram notation is based on Harel’s statechart
notation (Harel 1988; Harel and Politi 1998). In this book, the terms statechart and
state machine diagram are used interchangeably. We refer to a traditional state tran-
sition diagram, which is not hierarchical, as a flat statechart and use the term hierar-
chical statechart to refer to the concept of hierarchical state decomposition. A brief
overview of the statechart notation is given in Chapter 2 (Section 2.6).
This chapter starts by considering the characteristics of flat statecharts and then
describes hierarchical statecharts. To show the benefits of hierarchical statecharts,
this chapter starts with the simplest form of flat statechart and gradually shows how
it can be improved upon to achieve the full modeling power of hierarchical state-
charts. Several examples are given throughout the chapter from two case studies,
the Automated Teller Machine and Microwave Oven finite state machines.
Section 10.1 describes events and states in finite state machines. Section 10.2
introduces the statechart examples. Section 10.3 describes events and guard condi-
tions, and Section 10.4 describes statechart actions. Section 10.5 describes hierar-
chical statecharts. Section 10.6 provides guidelines for developing statecharts. The
process of developing statecharts from use cases is then described in Section 10.7.
151
152 Software Modeling
response to an input event, the finite state machine might transition to a different
state. Alternatively, the event might have no effect, in which case the finite state
machine remains in the same state. The next state depends on the current state, as
well as on the input event. Optionally, an output action might result from the state
transition.
Although a whole system can be modeled by means of a finite state machine,
in object-oriented analysis and design, a finite state machine is encapsulated inside
one object. In other words, the object is state-dependent and is always in one of the
states of the finite state machine. The object’s finite state machine is depicted by
means of a statechart. In an object-oriented model, the state-dependent view of a
system is defined by means of one or more finite state machines, in which each finite
state machine is encapsulated inside its own object. This section describes the basic
concepts of events and states before giving some examples of statecharts.
10.1.1 Events
An event is an occurrence at a point in time; it is also known as a discrete event,
discrete signal, or stimulus. An event is an atomic occurrence (not interruptible) and
conceptually has zero duration. Examples of events are Card Inserted, Pin Entered,
and Door Opened.
Events can depend on each other. For example, the event Card Inserted always
precedes Pin Entered for a given sequence of events. In this situation, the first event
(Card Inserted) causes a transition into the state (Waiting for PIN), whereas the next
event (Pin Entered) causes the transition out of that state; the precedence of the two
events is reflected in the state that connects them, as shown in Figure 10.1.
Idle
Card Inserted
PIN Entered
Validating PIN
Valid PIN
Waiting for
Customer Choice
An event can originate from an external source, such as Card Inserted (which is
the result of the user inserting the card into the card reader), or can be internally
generated by the system, such as Valid PIN.
10.1.2 States
A state represents a recognizable situation that exists over an interval of time.
Whereas an event occurs at a point in time, a finite state machine is in a given state
over an interval of time. The arrival of an event at the finite state machine usually
causes a transition from one state to another. Alternatively, an event can have a null
effect, in which case the finite state machine remains in the same state. In theory, a
state transition is meant to take zero time to occur. In practice, the time for a state
transition to occur is negligible compared to the time spent in the state.
Some states represent the state machine waiting for an event from the external
environment; for example, the state Waiting for PIN is the state in which the state
machine is waiting for the customer to enter the PIN, as shown in Figure 10.1. Other
states represent situations in which the state machine is waiting for a response from
another part of the system. For example, Validating PIN is the state in which the
customer PIN is being checked by the system; the next event will indicate whether
the validation succeeded or not.
The initial state of a state machine is the state that is entered when the state
machine is activated. For example, the initial state in the ATM statechart is the
Idle state, as identified in UML by the arc originating from the small black circle in
Figure 10.1.
Idle
Card Inserted
Valid PIN
Waiting for
Customer Choice
transition to the Waiting for Customer Choice state. If the PIN numbers do not match,
the ATM makes the Invalid PIN transition to re-enter the Waiting for PIN state and
prompts the customer to enter a different PIN number. If the customer-entered PIN
is invalid after the third attempt, the ATM makes the Third Invalid PIN transition
to the Confiscating state, which results in the card being confiscated. The ATM also
transitions to the same state if the ATM card is reported lost or stolen during card
validation, or if the card has expired.
In some cases, it is also possible for the same event to occur in different states and
have the same effect; an example is given in Figure 10.3. The customer may decide
to enter Cancel in any of the three states Waiting for PIN, Validating PIN, or Waiting
for Customer Choice, which results in the statechart entering the Ejecting state, the
ATM card being ejected, and the transaction terminated.
It is also possible for the same event to occur in a different state and have a dif-
ferent effect. For example, if the PIN Entered event arrives in Idle state, it is ignored.
Next consider the case in which, after successful PIN validation, the customer
decides to withdraw cash from the ATM, as shown in Figure 10.4. From the Waiting
for Customer Choice state, the customer makes a selection – for example, the cus-
tomer selects withdrawal. The statechart then receives a Withdrawal Selected event,
upon which the Processing Withdrawal state is entered. If the withdrawal is approved,
the statechart goes into the Dispensing state, where the cash is dispensed. When the
Cash Dispensed event arrives, the ATM transitions to the Printing state to print the
receipt. When the receipt is printed, the Ejecting state is entered. When the card has
been ejected, as indicated by the Card Ejected event, the Terminating state is entered.
Finite State Machines 155
Idle
Card Inserted
Cancel
Waiting for PIN
Cancel
Valid PIN
Waiting for
Customer Choice
Cancel
Card Inserted
Terminating
PIN Entered
Ejecting
Validating PIN
Receipt Printed
Valid PIN
Printing
Waiting for
Customer Choice
Cash Dispensed
Processing
Dispensing
Withdrawal
Withdrawal Selected Withdrawal Approved
Door Opened
Door Open
With Item
Door Opened
Ready To Cook
From the Terminating state, a timer event causes a transition back to the Idle
state. The timer event is depicted by after (Elapsed Time), where Elapsed Time is the
time spent in the Terminating state (from entry into the state until exit from the state
caused by the timer event).
Door Open
Door Open
with Item
Door Opened
Door Shut
with Item
Ready To Cook
10.4 ACTIONS
Associated with a state transition is an optional output action. An action is a com-
putation that executes as a result of a state transition. Whereas an event is the cause
of a state transition, an action is the effect of the transition. An action is triggered at
a state transition. It executes and then terminates itself. The action executes instan-
taneously at the state transition; thus conceptually an action is of zero duration.
In practice, the duration of an action is very small compared to the duration of a
state.
Actions can be depicted on state transitions, as described in Section 10.4.1. Cer-
tain actions can be depicted more concisely as being associated with the state rather
than with the transition into or out of the state. These are entry and exit actions.
Entry actions are triggered when the state is entered, as described in Section 10.4.2,
and exit actions are triggered on leaving the state, as described in Section 10.4.3.
Idle
Card Inserted /
Get PIN
PIN Entered /
Validate PIN
Validating PIN
Valid PIN /
Display Menu
Waiting for
Customer Choice
PIN. This example is shown in Figure 10.7, which shows the partial statechart for
the ATM (originally shown in Figure 10.1) with the actions added. In the Waiting
for PIN state, the ATM is waiting for the customer to input the PIN. When the PIN
Entered event arrives, the ATM transitions to the Validating PIN state and the action
Validate PIN is executed. This state transition is labeled PIN entered / Validate PIN. In
the Validating PIN state, the system determines whether the customer-entered PIN
matches the stored PIN for this card, and whether the ATM card has been reported
lost or stolen. Assuming that the card and PIN validation is successful (event Valid
PIN), the ATM transitions into Waiting for Customer Choice state.
More than one action can be associated with a transition. Because the actions
all execute simultaneously, there must not be any interdependencies between the
actions. For example, it is not correct to have two simultaneous actions such as Com-
pute Change and Display Change. Because there is a sequential dependency between
the two actions, the change cannot be displayed before it has been computed. To
avoid this problem, introduce an intermediate state called Computing Change. The
Compute Change action is executed on entry to this state, and the Display Change
action is executed on exit from this state.
An example of a statechart with alternative actions is shown in Figure 10.8. Many
actions are possible as a result of PIN validation. If the PIN is valid, the statechart
transitions to the Waiting for Customer Choice state and the action is to display the
selection menu. If the PIN is invalid, the statechart transitions back to the Waiting
for PIN state and the action is the Invalid PIN Prompt. If the PIN is invalid for the
third time, or the card is stolen or has expired, then the statechart transitions to the
Confiscating state and the action is to confiscate the card. Another situation is that
Idle
Card Inserted /
Get PIN
Valid PIN /
Display Menu
Waiting for
Customer Choice
Idle
Card Inserted /
Get PIN
Cancel / Eject
Waiting for PIN
Cancel / Eject
Valid PIN /
Display Menu
Waiting for
Customer Choice
Cancel / Eject
Figure 10.9. Example of same event and action on different state transitions
the same event can cause transitions out of several states, with the same action in
each case. An example of this is given in Figure 10.9. In any of the three states, Wait-
ing for PIN, Validating PIN, and Waiting for Customer Choice, the customer may decide
to enter Cancel, which results in the system ejecting the ATM card and entering
Ejecting state.
In this situation, the action is only depicted once inside the state box, instead of on
each transition into the state. On the other hand, if an action is only performed on
some transitions into the state and not others, then the entry action should not be
used. Instead, transition actions should be used on the relevant state transitions.
Finite State Machines 161
Minute Pressed /
Start Cooking, Door Shut with
Start Minute Item
Cooking
Start /
Start Cooking, Ready to Cook
Start Timer
(a)
Minute Pressed/
Start Minute Door Shut with
Item
Cooking
Entry /
Start Cooking
Figure 10.10. Example of entry action: (a) Actions on state transitions (b) Entry actions.
Door Opened /
Stop Cooking,
Door Open with
Stop Timer
Item
Cooking
Door Opened /
Stop Timer Door Open with
Item
Cooking
Exit /
Stop Cooking
Figure 10.11. Example of exit action. (a) Actions on state transitions. (b) Exit actions
as exit/Action inside the state box. Whereas transition actions (actions explicitly
depicted on state transitions) can always be used, exit actions should only be used
in certain situations. The best time to use an exit action is when the following
occur:
■ There is more than one transition out of a state.
■ The same action needs to be performed on every transition out of the state.
■ The action is performed on exit from this state and not on entry into the next
state.
In this situation, the action is only depicted once inside the state box, instead of on
each transition out of the state. On the other hand, if an action is only performed on
some transitions out of the state and not others, then the exit action should not be
used. Instead, transition actions should be used on the relevant state transitions.
An example of an exit action is given in Figure 10.11. In Figure 10.11a, actions
are shown on the state transitions out of Cooking state. Consider the action Stop
Cooking. If the timer expires, the microwave oven transitions from the Cooking state
to the Door Shut with Item state and the action Stop Cooking is executed (Figure
10.11a). If the door is opened, the oven transitions out of the Cooking state into Door
Open with Item state. In this transition, two actions are executed – Stop Cooking and
Stop Timer. Thus, in both transitions out of Cooking state (Figure 10.11a), the action
Stop Cooking is executed. However, when the door is opened and the transition is to
Door Open with Item state, there is an additional Stop Timer action. An alternative
design is shown in Figure 10.11b, in which an exit action Stop Cooking is depicted.
This means that whenever there is a transition out of Cooking state, the exit action
Stop Cooking is executed. In addition, in the transition to Door Open with Item state,
the transition action Stop Timer will also be executed. Having the Stop Cooking action
Finite State Machines 163
as an exit action instead of an action on the state transition is more concise, as shown
in Figure 10.11b. The alternative of having transition actions, as shown in Figure
10.11a, would require the Stop Cooking action to be explicitly depicted on each of the
state transitions out of the Cooking state. Figures 10.11a and 10.11b are semantically
equivalent to each other but Figure 10.11b is more concise.
Idle
Entry /
Card Inserted / Display Welcome
Get PIN
Cancel /
Processing
Eject
Customer Input
Ejecting
Waiting for PIN
Valid PIN /
Display Menu
Waiting for
Customer Choice
(a)
Idle
Entry /
Card Inserted / Display Welcome
Get PIN
Cancel /
Eject
Ejecting
Processing
Customer Input
Thus, there is one state transition into the Processing Customer Input composite state
and two transitions out of it, as shown in Figures 10.12a and 10.12b.
Each transition into the composite state Processing Customer Input is, in fact, a
transition into one (and only one) of the substates on the lower-level statechart.
Each individual transition out of the composite state has to actually originate from
one (and only one) of the substates on the lower-level statechart. Thus. the input
event Card Inserted causes a transition to the Waiting for PIN substate within the
Finite State Machines 165
Processing Customer Input composite state, as shown in Figure 10.12a. The tran-
sition out of the Processing Customer Input composite state into the Confiscat-
ing state actually originates from the Validating PIN substate, as shown in Fig-
ure 10.12a. The case of the Cancel transition into Ejecting state is described in the
next section.
ATM Sequencing
ATM
Sequencing
Composite State
Startup Closedown
The use of orthogonal statecharts to depict conditions can be seen in the ATM
example. This case is illustrated in Figure 10.13, where the statechart for the ATM
Machine, ATM Control, is now decomposed into two orthogonal statecharts, one for
ATM Sequencing and one for Closedown Request Condition. The two statecharts are
depicted on a high-level statechart, with a dashed line separating them. The ATM
Sequencing statechart is in fact the main statechart of the ATM, which depicts the
states the ATM goes through while processing a customer request.
Note that, at any one time, the ATM Control composite state is in one of the
substates of the ATM Sequencing statechart and one of the substates of the Closedown
Request Condition statechart. Closedown Request Condition is a simple statechart with
two states reflecting whether closedown has been requested or not, with Closedown
Not Requested as the initial state. The Closedown event causes a transition to the
state Closedown Was Requested, and the Startup event causes a transition back to
Closedown Not Requested. The ATM Control statechart is the union of the Closedown
Request Condition and the ATM Sequencing statecharts. The Closedown Was Requested
and Closedown Not Requested states of the Closedown Request Condition statechart
(see Figure 10.13) are the conditions checked on the ATM Sequencing statechart,
when the after (Elapsed Time) event is received in Terminating state (Figure 10.17).
Note that the Closed Down state is actually a state on the ATM Sequencing statechart.
on top of the same state on the first statechart. This can be repeated as necessary,
depending on how many partial statecharts need to be integrated.
Given the complete flat statechart, the next step is to develop hierarchical state-
charts where possible. There are actually two main approaches to developing hier-
archical statecharts. The first approach is a top-down approach to determine major
high-level states, sometimes referred to as modes of operation. For example, in an
airplane control statechart, the modes might be Taking Off, In Flight, and Landing.
Within each mode, there are several states, some of which might in turn be com-
posite states. This approach is more likely to be used in complex real-time systems,
which are frequently highly state-dependent. The second approach is to first develop
a flat statechart and then identify states that can be aggregated into composite states,
as described in Section 10.8.4.
Idle
Entry /
Card Inserted /
Display Welcome
Get PIN
PIN Entered /
Validate PIN
Validating PIN
Valid PIN /
Display Menu,
Update Status
Waiting for
Customer Choice
Figure 10.14. Statechart for ATM Control: Validate PIN use case
170 Software Modeling
Terminating
Card Ejected /
Display Ejected
Ejecting
Receipt Printed /
Eject
Waiting for
Customer Choice
Printing
Withdrawal Selected /
Cash Dispensed /
Request Withdrawal,
Print Receipt,
Display Wait
Display Cash Dispensed,
Confirm Cash Dispensed
Processing
Dispensing
Withdrawal Withdrawal Approved /
Dispense Cash,
Update Status
Figure 10.15. Statechart for ATM Control: Withdraw Funds use case
shows the statechart for the main sequence of the Validate PIN use case depicting
the scenario in which the PIN is valid, as described in Section 10.4.1. This statechart
starts in Idle state and ends in Waiting for Customer Choice state.
Figure 10.15 shows the statechart for the Withdraw Funds use case correspond-
ing to the main scenario of the use case. This statechart starts in Waiting for Customer
Choice state. In the main scenario, withdrawal is selected (resulting in transition
into Processing Withdrawal state), withdrawal is approved (resulting in transition to
Dispensing state), cash is dispensed (resulting in transition to Printing state), a receipt
is printed (resulting in transition to Ejecting state), the card is ejected, transition into
Terminating state for a fixed period, and finally return to Idle state, when the period
elapses.
In this example, the states of the ATM statechart are all externally visible; that
is, the actor is aware of each of these states. In fact, the states depict consequences
of actions taken by the actor, either directly or indirectly.
Terminating
Card Ejected /
Display Ejected
Ejecting
Printing
Withdrawal Selected /
Request Withdrawal,
Display Wait Cash Dispensed /
Print Receipt,
Display Cash Dispensed,
Confirm Cash Dispensed
Processing
Dispensing
Withdrawal Withdrawal Approved /
Dispense Cash,
Update Status
Insufficient Cash /
Eject
Closed Down
Entry / Display
System Down
Figure 10.16. Statechart for ATM Control: Withdraw Funds use case with alternatives
addition to the main sequence for the scenario in which cash is dispensed, there are
two additional scenarios: withdrawal transaction rejected (transition directly from
Processing Withdrawal state to Ejecting State) and insufficient cash in ATM (transi-
tion from Dispensing state to Closed Down State).
Cancel / Eject
Cancel/Eject
Invalid PIN /
PIN Entered / Invalid PIN Prompt Terminating
Validate PIN Card Confiscated /
Card Stolen, Display Confiscated
Card Ejected /
Card Expired / Display Ejected
Confiscate,
Update Status
Validating PIN Confiscating
Ejecting
Third Invalid PIN/
Confiscate
Valid PIN /
Cancel / Eject
Display Menu Receipt Printed /
Cancel / Eject
Eject
Waiting for
Customer Choice Printing
Processing
Dispensing
Withdrawal Withdrawal Approved /
Dispense Cash,
Update Status Insufficient Cash /
Eject
Closed Down
Entry / Display
System Down
Figure 10.17. Statechart for ATM Control: integrated statechart for Validate PIN and Withdraw
Funds use case with alternatives
Startup Closedown
Card Inserted /
Get PIN
Idle After(Elapsed Time)
[Closedown Not Requested]
Entry / Display
Welcome
Rejected /
Eject,
Display Apology
Transfer Selected /
Request Transfer, Transfer Approved /
Display Wait Print Receipt,
Update Status
Query Selected /
Request Query, Display Wait Query Approved /
Processing Print Receipt,
Withdrawal Selected/
Transaction Update Status
Request Withdrawal,
Display Wait
Withdrawal Approved/
Dispense Cash,
Update Status
Card Inserted /
Get PIN
Idle
Entry / Display
Welcome
Processing
Customer
Input Cancel / Eject,
Waiting for Display Cancel
PIN Ejecting
Invalid PIN/
PIN Entered/
Invalid PIN Prompt
Validate PIN Card Stolen, Card Expired /
Confiscate, Update Status
Waiting for
Customer
Choice Transfer Selected /
Request Transfer,
Display Wait
Processing Transaction
Figure 10.19. Statechart for ATM Control: Processing Customer Input composite state
174 Software Modeling
Rejected /
Eject,
Display Apology
Transfer Selected / Processing Transaction Ejecting
Request Transfer,
Transfer Approved /
Display Wait
Print Receipt, Update Status
Processing
Transfer
Query Selected /
Query Approved /
Request Query,
Print Receipt,
Waiting for Display Wait
Update Status
Processing
Customer Printing
Query
Choice
Withdrawal Selected / Withdrawal Approved /
Request Withdrawal, Dispense Cash,
Display Wait Update Status
Processing
Dispensing
Withdrawal
Figure 10.20. Statechart for ATM Control: Processing Transaction composite state
Closed Down
Entry / Display After(Elapsed Time)[Closedown Was Requested]
System Down
Terminating
Card Confiscated /
Display Confiscated
Stolen Card, Expired Card /
Confiscate, Update Status
Third Invalid PIN / Card Ejected /
Confiscating Display Ejected
Processing Confiscate
Customer
Input Cancel / Eject,
Display Cancel
Receipt Printed /
Transfer Approved / Insufficient
Eject
Print Receipt, Cash /
Update Status Eject,
Processing Query Approved / Abort
Print Receipt, Cash
Transaction Printing
Update Status Dispensed
Cash Dispensed /
Print Receipt,
Display Cash Dispensed,
Confirm Cash Dispensed
Withdrawal Approved /
Dispense Cash,
Update Status
Dispensing
Figure 10.21. Statechart for ATM Control: Terminating Transaction composite state
Finite State Machines 175
aggregated from a transition out of each substate to a transition out of the composite
state. In the case of the Terminating Transaction composite state, it contains substates
that deal with finishing the transaction, such as dispensing cash, printing the receipt,
and ejecting the ATM card. It also has substates for canceling the transaction
and terminating the transaction. This statechart is described in more detail in
Section 21.6.
10.9 SUMMARY
This chapter described the characteristics of flat statecharts and hierarchical state-
charts. Guidelines for developing statecharts were given. The process of developing
a statechart from a use case was then described in detail. It is possible for a state-
chart to support several use cases, with each use case contributing to some subset
of the statechart. Such cases can also be addressed by considering the statechart in
conjunction with the object interaction model, in which a state-dependent control
object executes the statechart, as described in Chapter 11. Examples of statecharts
are also given in the Banking System and Automated Guided Vehicle System case
studies.
(c) A transition into none of the sub- (b) Composite states are composed
states into substates.
(d) A transition into any one of the (c) A composite state transitions to a
substates substate.
8. What is a state transition out of a com- (d) A substate transitions to a compos-
posite state equivalent to? ite state.
(a) A transition out of only one of the 10. If two actions are shown on a given
substates state transition, which of the following
(b) A transition out of each of the sub- is true?
states (a) The two actions are dependent on
(c) A transition out of none of the sub- each other.
states (b) The two actions are independent of
(d) A transition out of any one of the each other.
substates (c) One action provides an input to the
9. How does a composite state relate to a other action.
substate? (d) The second action executes when
(a) A composite state is decomposed the first action completes execu-
into substates. tion.
11
State-Dependent Dynamic
Interaction Modeling
177
178 Software Modeling
■ The objects that provide the actions and activities, which are triggered by the
control object as a result of the state transitions
■ Any other objects that participate in realizing the use case
1. Determine the boundary object(s). Consider the objects that receive the
inputs sent by the external objects in the external environment.
2. Determine the state-dependent control object. There is at least one control
object, which executes the statechart. Others might also be required.
3. Determine the other software objects. These are software objects that interact
with the control object or boundary objects.
4. Determine object interactions in the main sequence scenario. Carry out this
step in conjunction with step 5 because the interaction between the state-
dependent control object and the statechart it executes needs to be deter-
mined in detail.
5. Determine the execution of the statechart.
6. Consider alternative sequence scenarios. Perform the state-dependent
dynamic analysis on scenarios described by the alternative sequences of the
use case.
To ensure that the communication diagram and statechart are consistent with
each other, the equivalent communication diagram message and statechart event
must be given the same name. Furthermore, for a given state-dependent scenario
it is necessary to use the same message-numbering sequence on both diagrams.
Using the same sequence ensures that the scenario is represented accurately on both
diagrams and can be reviewed for consistency. These issues are illustrated in the
following section.
«subsystem»
: BankingService
«subsystem»
1: Card
: ATMClient 2.7 [Valid]:
Reader 2.6: Validate PIN
Input Valid PIN
(PIN Validation Transaction)
«external I/O «I/O» (Account #s)
device» : CardReader
: CardReader Interface 1.2: Card Inserted
Figure 11.1. Communication diagram for Validate PIN use case: Valid PIN scenario
sd PIN Validation
2: PIN Input
Figure 11.2. Sequence diagram for Validate PIN use case: Valid PIN scenario
State-Dependent Dynamic Interaction Modeling 181
Idle
Entry /
1.2: Card Inserted /
Display Welcome
1.3: Get PIN
Validating PIN
Waiting for
Customer Choice
followed by card data stored (1.1), sending the card inserted event to the ATM Con-
trol object (1.2), which results in the state change and the Get PIN action (1.3) sent to
Customer Interaction, which outputs the PIN prompt to the customer display (1.4).
The message sequence from 2 to 2.9 starts with the user entering the PIN (message
2) to Customer Interaction, followed by retrieving card data (2.1, 2.2), preparing PIN
Validation transaction (2.3, 2.4), and sending the transaction to ATM Control (2.5)
and from there to Banking Service (2.6). The message sequence from 1 through 2.6
is grouped into a PIN Validation segment on the sequence diagram (shown in the
box entitled sd PIN Validation) in Figure 11.2 for future reference. In this scenario,
the Banking Service sends a Valid PIN response (message 2.7) to ATM Control, which
eventually leads to Customer Interaction displaying the selection menu to the cus-
tomer (2.8 and 2.9).
A message arriving at the ATM Control object causes a state transition on the
ATM Control statechart (Figure 11.3). For example, Card Reader Interface sends the
Card Inserted message (message 1.2 in Figures 11.1 and 11.2) to ATM Control. As a
result of this Card Inserted event (event 1.2 corresponds to message 1.2 in Figures
11.1 and 11.2, with the number 1.2 emphasizing the correspondence between the
message and the event), the ATM Control statechart transitions from Idle state (the
initial state) to Waiting for PIN state. The output event associated with this transition
is Get PIN (event 1.3). This output event corresponds to message 1.3, Get PIN, sent by
ATM Control to Customer Interaction.
A concurrent sequence is shown in Figure 11.1 with messages 2.8 and 2.8a. ATM
Control sends these two messages at the same state transition, so the two message
sequences may execute concurrently, one to Customer Interaction and the other to
ATM Transaction.
182 Software Modeling
The message sequence description, which describes the messages on the commu-
nication diagram (see Figure 11.1) and the messages on the sequence diagram (see
Figure 11.2), is described in the Banking System case study in Section 21.5.
Figure 11.4. Sequence diagram for Validate PIN use case: Invalid PIN scenario
is Pin Valid and the guard condition [Valid] is true. The message sequence from 2.7
to 2.9 at the bottom of Figure 11.4 is the same as that shown in Figure 11.2.
2.7B.1: Confiscate
2.7B.2: Confiscate Card
Figure 11.5. Sequence diagram for Validate PIN use case: Third invalid PIN scenario
Figure 11.6. Sequence diagram for Validate PIN use case: Stolen or expired card scenario
State-Dependent Dynamic Interaction Modeling 185
Service sends the Card stolen or Card expired message (2.7C) to ATM Control, which
in turn sends a Confiscate message (2.7C.1) to Card Reader Interface, which results in
the confiscation of the ATM card.
«subsystem»
1: Card Reader : ATMClient 2.7 [Valid]: Valid PIN,
2.6, 2.7A.11:
Input 2.7A* [Invalid]: Invalid PIN,
Validate PIN
2.7C [Stolen OR Expired]:
«external I/O «I/O» (PIN Validation Transaction)
Card Stolen, Card Expired
device» : CardReader
: CardReader Interface 1.2: Card Inserted
2.7B.2, 2.7C.2:
Confiscate Card,
1.1[Card
1.1A [Card not recognized]:
recognized]:
Eject Card, 2.7B.1, 2.7C.1: «state dependent
2A.3: Eject Card Card Input Data
Confiscate, control»
2A.2: Eject : ATMControl
«entity»
: ATMCard 2.5, 2.7A.10: PIN Entered 2.7A.1,
(PIN Validation Transaction), 2.7C.1a,
2A.1: Cancel 2.8a:
Update
2.2, 2.7A.2 [Invalid]:
Status
2.7A.7: 2.1, Invalid PIN,
Card Id, 2.7A.6: 1.3: Get PIN, 2.7B [ThirdInvalid]:
Start Date, Card Request 2.7A.3: Invalid PIN Third Invalid PIN
1.4: PIN Prompt, Expiration Date Prompt,
2.7A.4: Invalid PIN Prompt, 2.8: Display Menu,
2.9: Selection Menu, 2A.2a: Display Cancel
2.3, 2.7A.8:
2A.2a.1: Cancel Prompt Card Id, Start Date,
«external user» «user interaction» Expiration Date, PIN
: ATMCustomer : Customer
«entity»
KeypadDisplay Interaction
: ATMTransaction
2, 2.7A.5: PIN Input, 2.4, 2.7A.9:
2A: Cancel Input PIN Validation Transaction
Figure 11.7. Communication diagram for Validate PIN use case: generic form showing alternatives
State-Dependent Dynamic Interaction Modeling 187
Idle
Entry /
1.2: Card Inserted / Display Welcome
1.3: Get PIN
2A.1: Cancel /
Processing 2A.2: Eject,
Customer Input 2A.2a: Display Cancel
Ejecting
Waiting for PIN
Waiting for
Customer Choice
Figure 11.8. Statechart for ATM Control for Validate PIN use case, showing alternatives
Display Menu and 2.8a: Update Status, which result from the Valid Pin state transition
(see Figure 11.8), execute concurrently, as also depicted in Figure 11.7.
11.4 SUMMARY
This chapter described state-dependent interaction modeling, in which object inter-
actions are state-dependent. A state-dependent interaction involves at least one
Waiting for
PIN
Validating
PIN
2.7B: Third Invalid PIN /
2.7A: Invalid PIN / 2.7B.1: Confiscate
Validating PIN 2.7A.1: Update Status Checking PIN
2.7C: Card Stolen, Card Expired /
Confiscating
and Card Status
2.7C.1: Confiscate,
2.7C.1a: Update Status
Waiting for
Customer
Choice
Figure 11.9. Statechart for ATM Control Validating PIN composite state
188 Software Modeling
10. In a system in which a client object exe- (b) The service has a state-dependent
cutes a state machine and communi- control object but the client does
cates with a service, which of the follow- not.
ing is true? (c) Both the client and the service have
(a) The client has a state-dependent state-dependent control objects.
control object but the service does (d) Neither the client nor the ser-
not. vice has a state-dependent control
object.
PART III
Architectural Design
12
The software architecture separates the overall structure of the system, in terms of
subsystems and their interfaces, from the internal details of the individual subsys-
tems. A software architecture is structured into subsystems, in which each subsys-
tem should be relatively independent of other subsystems. This chapter presents an
overview of software architecture, which is also referred to as a high- level design.
The concepts of software architecture and multiple views of a software architecture
were first introduced in Chapter 1. The concepts of design patterns, components,
and interfaces were introduced in Chapter 4.
In this chapter, Section 12.1 describes the concepts of software architecture and
component-based software architecture. Section 12.2 then describes how having
multiple views of a software architecture helps with both its design and understand-
ing. Section 12.3 introduces the concept of software architectural patterns as a basis
for developing software architectures, whereas Section 12.4 describes how to docu-
ment such patterns. Section 12.5 describes the concept of software components and
interfaces. Finally, Section 12.6 provides an overview of designing software archi-
tectures, as described in Chapters 14 through 20.
193
194 Architectural Design
1 «external user»
«external output Operator
device» 1
ReceiptPrinter
«software system»
BankingSystem
1 1 Requests Service
From
«external I/O 1 1 «client» 1..* 1 «service»
device» «subsystem» «subsystem»
CardReader ATMClient BankingService
1
«external user»
1 ATMCustomer
stereotype, client or service, and the second is the architectural structuring stereo-
type, which, in this example, is subsystem for both.
«external I/O
device»
: CardReader
cardReaderInput cardReaderOutput
«software system»
: BankingSystem
customerInput
«external user»
ATMTransaction «service»
: ATMCustomer «client»
KeypadDisplay «subsystem»
«subsystem»
display : Banking
: ATMClient
Information Service
bankResponse
operator
Input dispenser
printer Output
Output
operator
«external user» Information
: Operator
«external output «external output
device» device»
: ReceiptPrinter : CardDispenser
Banking
Service
{server node}
can invoke services at more than one layer below (e.g., layer 3 could directly invoke
services provided by layer 1).
The Layers of Abstraction architectural pattern is used in the TCP/IP, which is
the most widely used protocol on the Internet (Comer 2008). Each layer deals with
a specific characteristic of network communication and provides an interface, as a
set of operations, to the layer above it. For each layer on the sender node, there is
an equivalent layer on the receiver node. TCP/IP is organized into five conceptual
layers, as shown in Figure 12.4 and enumerated here:
Layer 1: Physical layer. Corresponds to the basic network hardware, including
electrical and mechanical interfaces, and the physical transmission medium.
Layer 2: Network interface layer. Specifies how data are organized into frames
and how frames are transmitted over the network.
Layer 3: Internet layer, also referred to as the Internet Protocol (IP) layer. Spec-
ifies the format of packets sent over the Internet and the mechanisms for for-
warding packets through one or more routers from a source to a destination
(Figure 12.5). The router node in Figure 12.5 is a gateway that interconnects a
local area network to a wide area network.
Layer 4: Transport layer (TCP). Assembles packets into messages in the order
they were originally sent. The Transmission Control Protocol, or TCP, uses
the IP network protocol to carry messages. It provides a virtual connection
Node 1 Node 2
Application Application
Layer 5 Layer 5
Layer Layer
Transport Transport
Layer 4 Layer Layer 4 Layer
(TCP) (TCP)
Physical Physical
Layer 1 Layer 1 Physical Layer Layer 1
Layer Layer
Router
Node
Figure 12.5. Layers of Abstraction architectural pattern: Internet communication with TCP/IP
Overview of Software Architecture 201
the unchanged services provided by the lower layers. Another interesting charac-
teristic of the layered architecture is shown in Figure 12.5. The router node uses the
lower three layers of the TCP/IP protocol, whereas the application nodes use all five
layers.
An example of a strict layered software architecture from one of the case studies
in the book is the Online Shopping System described in Chapter 22 and depicted in
Figure 12.6. At the lowest layer is the Service Layer, which provides services that are
used by higher layers. The top layer is a User Layer consisting of user interaction
objects. The middle layer is a Coordination Layer that coordinates user requests to
the services.
«layer»
Coordination Layer
«layer»
Service Layer
callingObject
invokeOperation(in inputParameter,
out outputParameter)
calledObject
: Withdrawal
: Transfer
Transaction
Transaction
Manager
Manager
debit(account#,
amount),
credit(account#, debit(account#,
amount), amount),
readBalance credit(account#,
amount),
readBalance
debit(account#, debit(account#,
amount), amount),
: Checking credit(account#, credit(account#, : Savings
Account amount), amount), Account
readBalance readBalance
message is available when the consumer requests one, the consumer is suspended.
The consumer is then reawakened when a message arrives. In distributed environ-
ments, the Asynchronous Message Communication pattern is used wherever possi-
ble for greater flexibility. This approach can be used if the sender does not need a
response from the receiver.
Figure 12.8 is a UML instance communication diagram because it shows a par-
ticular scenario consisting of a producer sending an asynchronous message to a con-
sumer. On UML communication diagrams such as Figure 12.8, the Asynchronous
Message Communication pattern uses the UML notation for asynchronous commu-
nication (arrow with stick arrowhead).
An example of the Asynchronous Message Communication pattern in a dis-
tributed environment is given on the generic communication diagram depicted in
Figure 12.9 for the Automated Guided Vehicle System, in which all communication
aProducer aConsumer
: SupervisorySystem : ArrivalSensor
Proxy Component
arriving (station#)
moveToStation
(station#)
: VehicleControl
between the components is asynchronous. Both the Supervisory System Proxy and
the Arrival Sensor Component send asynchronous messages to Vehicle Control, which
are queued first-in-first-out. Vehicle Control has one input message queue from which
it receives whichever message arrives first, move message or arriving message.
It is also possible to have peer-to-peer communication between two compo-
nents, which send asynchronous messages to each other. This kind of communica-
tion is referred to as bidirectional asynchronous communication and is depicted in
Figure 12.10. Examples of bidirectional asynchronous communication are given in
Chapters 16 and 18.
aProducer aConsumer
1: sendSynchronousMessagewithReply
(in message, out response)
aClient aService
Account
- accountNumber : Integer
- balance : Real
+ readBalance () : Real
+ credit (amount : Real)
+ debit (amount : Real)
+ open (accountNumber : Integer)
+ close ()
Figure 12.12. Example of class with public interface and private attributes
Overview of Software Architecture 207
OperatorInteraction
OperatorInteraction e) requiring component uses
interface of providing component
IBasicAlarmService
IBasicAlarmService
IBasicAlarmService
BasicAlarm
IBasicAlarmService
Service
BasicAlarm
Service
Interface: IBasicAlarmService
Operations provided:
r alarmRequest (in request, out alarmData)
r post (in alarm)
The component that realizes the interface is called BasicAlarmService, which pro-
vides the implementation of the interface. In UML, the realization relationship is
depicted as shown in Figure 12.13c (dashed arrow with a triangular arrowhead),
which shows the component BasicAlarmService realizing the IBasicAlarmService inter-
face. A required interface is depicted with a small semicircle notation with the inter-
face name next to it. The class or component that requires the interface is con-
nected to the semicircle, as shown in Figure 12.13d. To show that a component
with a required interface uses a component with a provided interface, the semicir-
cle (sometimes referred to as a socket) with the required interface is drawn around
the circle (sometimes referred to as a ball) with the provided interface, as shown in
Figure 12.13e.
12.7 SUMMARY
This chapter presented an overview of software architecture. It described the mul-
tiple views of a software architecture, particularly the static, dynamic, and deploy-
ment views. In designing the overall software architecture, it helps to consider apply-
ing the software architectural patterns, both architectural structure patterns and
architectural communication patterns. Architectural structure patterns are applied
to the design of the overall structure of the software architecture, which addresses
how the system is structured into subsystems. One architectural structure pattern,
the Layers of Abstraction pattern, was described. Architectural communication pat-
terns address the ways in which subsystems communicate with each other. Three
architectural communication patterns, the Call/Return pattern, the Asynchronous
Message Communication pattern, and the Synchronous Message Communication
with Reply pattern, were described. Each subsystem is designed such that its inter-
face is explicitly defined in terms of the operations it provides, as well as the oper-
ations it uses. Communication between distributed subsystems can be synchronous
or asynchronous.
During software design modeling, design decisions are made relating to the char-
acteristics of the software architecture. Chapter 13 describes the transition from
analysis to design and the structuring of the system into subsystems. Chapter 14
describes object-oriented design using the concepts of information hiding, classes,
and inheritance. Chapter 15 describes the design of client/server software architec-
tures, in which a typical design consists of one server and multiple clients. Chap-
ter 16 describes the design of service-oriented architectures, which typically consist
of multiple distributed autonomous services that can be composed into distributed
software applications. Chapter 17 describes the design of component-based soft-
ware architectures, including the design of component interfaces, with component
210 Architectural Design
ports that have provided and required interfaces, and connectors that join compati-
ble ports. Chapter 18 describes the design of real-time software architectures, which
are concurrent architectures usually having to deal with multiple streams of input
events. Chapter 19 describes the design of software product line architectures, which
are architectures for families of products that need to capture both the commonality
and variability in the family.
Chapter 20 describes the software quality attributes of a software architecture
and how they are used to evaluate the quality of the software architecture. Chapters
21 to 24 provide case study examples of applying COMET/UML to the modeling
and design of different software architectures.
(b) A calling operation in the calling (c) The producer goes to sleep.
object invokes an operation (a.k.a. (d) The producer waits for a timeout.
method) in the called object. 10. A producer sends a message to a con-
(c) The calling object waits for a res- sumer. Which one of the following
ponse from the called object. is synchronous message communication
(d) The calling object does not wait for with reply?
a response from the called object. (a) The producer waits for a response
9. A producer sends a message to a con- from the consumer.
sumer. Which one of the following is (b) The producer does not wait for a
asynchronous message communication? response from the consumer.
(a) The producer waits for a response (c) The producer goes to sleep.
from the consumer. (d) The producer waits for a time-
(b) The producer does not wait for a out.
response from the consumer.
13
During analysis modeling, the problem is analyzed by breaking it down and studying
it on a use case–by–use case basis. During design modeling, the solution is synthe-
sized by designing a software architecture that defines the structural and behavioral
properties of the software system. To successfully manage the inherent complexity
of a large-scale software system, it is necessary to provide an approach for decom-
posing the system into subsystems and developing the overall software architecture
of the system. After performing this decomposition, each subsystem can then be
designed independently, as described in subsequent chapters.
Section 13.1 describes issues in software architectural design. To design the soft-
ware architecture, it is necessary to start with the analysis model. Several decisions
need to be made in designing the software architecture:
■ Integrate the use case–based interaction models into an initial software architec-
ture, as described in Section 13.2.
■ Determine the subsystems using separation of concerns and subsystem structur-
ing criteria, as described in Sections 13.3 and 13.4, respectively.
■ Determine the precise type of message communication among the subsystems,
as described in Section 13.5.
212
Software Subsystem Architectural Design 213
sendATMTransaction
(in transaction, out response)
«client» «service»
«subsystem» «subsystem»
: ATMClient : BankingService
distribution involves clients and services, which are allocated to different subsys-
tems: a client subsystem and a service subsystem. Thus, the software architecture of
the Banking System illustrated in Figure 13.1 consists of a client subsystem called
ATM Client, which is located at each ATM machine, and a service subsystem called
Bank Service. This is an example of geographical subsystem structuring, in which the
geographical distribution of the system is given in the problem description. In such
cases, subsystem structuring can be done early in the design process.
In other applications, it is not so obvious how to structure the system into sub-
systems. Because one of the goals of subsystem structuring is to have objects that
are functionally related and highly coupled in the same subsystem, a good place to
start is with the use cases. Objects that participate in the same use case are candi-
dates to be grouped into the same subsystem. Because of this, subsystem structuring
is often done after the interaction among the constituent objects of each use case
has been determined during dynamic modeling (see Chapter 9). In particular, it can
be carried out early in the design phase, as described in this chapter.
A subsystem provides a larger-grained information hiding solution than an
object. To structure the system into subsystems, start with the use cases. Objects
that realize the same use case have higher coupling because they communicate
with each other (as depicted on the use case–based interaction diagram) and have
lower (or no) coupling with objects in other use cases. Whereas an object can par-
ticipate in more than one use case, it can only be part of one subsystem; thus, an
object that participates in more than one use case needs to be allocated to a sin-
gle subsystem, usually the subsystem with which it is most highly coupled. In some
cases, a subsystem might incorporate the objects from more than one use case, most
probably when the use cases share common objects because they are functionally
related. However, there are also situations in which objects that participate in the
same use case need to be assigned to different subsystems (e.g., because they are
located in separate geographical locations). These issues are addressed further in
Section 13.3.
In the analysis model, at least one communication diagram is developed for each
use case. The integrated communication diagram is a synthesis of all the communi-
cation diagrams developed to support the use cases. The integrated communication
diagram is, in effect, a merger of the communication diagrams, and its development
is described next.
Frequently, there is a precedence order in which use cases are executed. The
order of the synthesis of the communication diagrams should correspond to the
order in which the use cases are executed. From a visual perspective, the integra-
tion is done in the following manner. Start with the communication diagram for the
first use case and superimpose the communication diagram for the second use case
on top of the first to form a integrated diagram. Next, superimpose the third dia-
gram on top of the integrated diagram of the first two, and so on. In each case, add
new objects and new message interactions from each subsequent diagram onto the
integrated diagram, which gradually gets bigger as more objects and message inter-
actions are added. Objects and message interactions that appear on more than one
communication diagram are only shown once.
It is important to realize that the integrated communication diagram must show
all message communication derived from the individual use case–based communi-
cation diagrams. Communication diagrams often show the main sequence through
a use case, but not all the alternative sequences. In the integrated communication
diagram, it is necessary to show the messages that are sent as a result of executing
the alternative sequences in addition to the main sequence through each use case.
An example was given in Chapter 11 of interaction diagrams supporting the main
sequence and several alternative sequences for the Validate PIN use case in the
Banking System. All these additional messages need to appear on the integrated
communication diagram, which is intended to be a complete description of all mes-
sage communication among objects.
The integrated communication diagram is a synthesis of all relevant use case–
based communication diagrams showing all objects and their interactions. The inte-
grated communication diagram is represented as a generic UML communication
diagram (see Section 12.2.2), which means that it depicts all possible interactions
between the objects. On the integrated communication diagram, objects and mes-
sages are shown, but the message sequence numbering does not need to be shown
because this would only add clutter. As with the use case–based communication dia-
grams, messages on the integrated communication diagram are depicted as simple
messages, before the decision on type of message communication (synchronous or
asynchronous) is made, as described in Section 13.5.
An example of an integrated communication diagram for the ATM Client subsys-
tem of the Banking System is given in Figure 13.2. This consists of the integration of
the communication diagrams that realize the seven use cases of the Banking System,
including the main and alternative sequences for each use case. The integrated com-
munication diagram is a generic diagram, so the object names are not underlined.
The integrated communication diagram can get very complicated for a large
system; therefore, it is necessary to have ways to reduce the amount of informa-
tion. One way to reduce the amount of information on the diagram is to aggregate
the messages – that is, if one object sends several individual messages to another,
«service»
«subsystem»
: BankingService
ATM
Transactions Bank
Responses
«client»
Dispenser
«subsystem»
«output» Output «external
: ATMClient
: Cash output device»
Card Dispenser : Cash
Reader Interface Dispenser
Card Inserted, Dispense Cash
Input Card Ejected,
«external I/O «I/O» (Cash details) Cash
Card Confiscated Withdrawal Cash
device» : CardReader Response
: CardReader Interface Amount
Card
Reader Cash «entity»
Output Eject, Dispensed : ATMCash
Confiscate
Card «state dependent
Input Customer control» Start Up, Cash
Data Events : ATMControl Closedown Added
(Transaction Operator
details) «user Information
«entity» interaction» «external user»
: ATMCard Display
: Operator : Operator
Prompts
Interaction
Operator
Update Input
Receipt
Card Card Transaction Printed
Data Request Status
(Cash details),
Update Print
PIN Status Receipt
215
216 Architectural Design
instead of showing all these messages on the diagram, use one aggregate mes-
sage. The aggregate message is a useful way of grouping messages to reduce clut-
ter on the diagram. It does not represent an actual message sent from one object
to another; rather, it represents messages sent at different times between the same
pair of objects. For example, the messages sent by the ATM Control object to the
Customer Interaction object in Figure 13.2 can be aggregated into an aggregate mes-
sage called Display Prompts. A message dictionary is then used to define the contents
of Display Prompts, as shown in Table 13.1. Other examples of aggregate message
names in Figure 13.2 are ATM Transactions, Bank Responses, and Customer Events.
This example of the integrated communication diagram is described in more detail
in the Banking System case study in Chapter 21.
Furthermore, showing all the objects on one diagram might not be practical. A
solution to this problem is to develop integrated communication diagrams for each
subsystem and develop a higher-level subsystem communication diagram to show
the interaction between the subsystems, as described next.
The dynamic interactions between subsystems can be depicted on a subsys-
tem communication diagram, which is a high-level integrated communication dia-
gram, as shown in Figure 13.1 for the Banking System. The structure of an indi-
vidual subsystem can be depicted on an integrated communication diagram, which
shows all the objects in the subsystem and their interconnections, as depicted in
Figure 13.2.
ATM
1 1 1
1
ATMCustomer
CardReader CashDispenser ReceiptPrinter
KeypadDisplay
«layer»
UserLayer
«user interaction»
«component» {Layer 3}
Operator
Presentation
«layer»
MonitoringLayer
«input» «proxy»
«component» «component» {Layer 2}
MonitoringSensor RemoteSystem
Component Proxy
«layer»
ServiceLayer
{Layer 1}
«service»
«service»
Monitoring
AlarmService
DataService
Figure 13.4. Layered architecture with aggregate and composite subsystems: Emergency
Monitoring System
Operator
Presentation
«wide area network» {1 node per
operator}
Monitoring Data
Alarm Service Service
{1 node} {1 node}
«user interaction»
«component»
OperatorPresentation
1 «external user»
«external output device» 1 Operator
ReceiptPrinter
«software system»
BankingSystem
1 1 Requests Service
From
«external input/output 1 1 «client» 1..* 1 «service»
device» «subsystem» «subsystem»
CardReader ATMClient BankingService
1
«external user»
1 ATMCustomer
Control object within the ATM Client Subsystem, shown in Figures 13.2, which pro-
vides the overall control of the objects in the ATM Client subsystem, including sev-
eral internal I/O objects (such as Card Reader Interface and Cash Dispenser Interface),
user interaction objects (such as Customer Interaction), and entity objects (such as
ATM Transaction).
Alarm Request
alarmRequest
(in request, Event Request
out alarmData)
: Monitoring
«user interaction» Event Info Operator
: EventMonitoring
Window
«service»
: AlarmService
monitoringRequest
(in request,
out monitoringData)
«service»
: MonitoringData
Service
subsystem has one internal user interaction object to display alarms in an Alarm
Window and a second internal user interaction object to display monitoring status in
an Event Monitoring Window.
{Layer 3}
«user interaction»
«component»
: Operator
Presentation
alarmRequest
(in request, out alarmData)
«input» «proxy»
«component» «component» {Layer 2}
: MonitoringSensor : RemoteSystem
Component Proxy
post (event)
monitoringRequest
(in request,
post (alarm) post (event) out monitoringData)
post (alarm)
«service»
«service» {Layer 1}
: Monitoring
: AlarmService
DataService
respectively. Monitoring Data Service receives new sensor data from the Monitoring
Sensor and Remote System Proxy subsystems. Sensor data are requested by other
subsystems, such as the Operator Presentation subsystem, which displays the data.
«coordinator»
«subsystem»
: SupervisorySystem
Vehicle Status
«control»
«user interaction»
«subsystem»
«subsystem»
: AutomatedGuidedVehicle
: DisplaySystem
System
commands from a Supervisory System and controls the motor component (to start
and stop moving along the track) and the arm component (to load and unload parts),
as described in more detail in Chapter 24. Automated Guided Vehicle System sends
vehicle acknowledgements to the Supervisory System and vehicle status to the Display
System.
«user interaction»
«component»
: Customer
Interaction
Customer
Customer Coordinator
Request Response
«coordinator»
«component»
: Customer
Coordinator
Send
Authorization
Request Authorization
Response Store,
Query,
Update,
Select
Request
Account
Catalog
Info
Info
«service»
«service» «service» «service»
: Customer
: CreditCard : Email : Catalog
Account
Service Service Service
Service
(a) Analysis Model - before decisions about concurrency and message communication
(1) Unidirectional message communication between producer and
consumer
Message
aProducer aConsumer
Transaction
aClient aService
Response
(b) Design Model - after decisions about concurrency and message communication
aProducer aConsumer
aClient aService
Figure 13.12b shows the result of two design decisions. First, the four analysis
model objects in Figure 13.12a are designed as concurrent subsystems in Figure
13.12b. Second, the design decision is made about the type of message commu-
nication between the subsystems. Figure 13.12b depicts the decision to use asyn-
chronous message communication between the producer and consumer, and syn-
chronous message communication between the client and service. In addition, the
precise name and parameters of each message are determined. The asynchronous
message (in UML 2, the stick arrowhead means asynchronous communication)
has the name send Asynchronous Message and content called message. The syn-
chronous message (in UML 2, the black arrowhead means synchronous communi-
cation) has the name send Asynchronous Message With Reply, with the input content
called message and the service’s reply called response.
The aforementioned decisions concerning asynchronous and synchronous com-
munication are formalized into architectural communication patterns, as described
in Chapter 12. Thus, the Asynchronous Message Communication pattern is applied
to the unidirectional message between the producer and consumer and the Syn-
chronous Message Communication with Reply pattern is applied to the message
and response between the client and service.
228 Architectural Design
13.6 SUMMARY
This chapter described software architectural design. The overall design of the soft-
ware architecture was described, including the design decisions that need to be
made when in the transition from analysis modeling to design modeling. Subsys-
tems are categorized according to the roles they play in the software architecture.
Several examples of such architectures will be given in the case studies described in
Chapters 21 through 24.
In designing the overall software architecture, it helps to consider applying the
software architectural patterns, both architectural structure patterns and architec-
tural communication patterns. Architectural structure patterns are applied to design
of the overall structure of the software architecture, which addresses how the system
is structured into subsystems. Architectural communication patterns address the
ways in which subsystems communicate with each other. Each subsystem is designed
such that its interface is explicitly defined in terms of the operations it provides, as
well as the operations it uses. Communication between distributed subsystems can
be synchronous or asynchronous.
During software design modeling, design decisions are made relating to the
characteristics of the software architecture. Chapter 14 describes object-oriented
design using the concepts of information hiding, classes, and inheritance. Chap-
ter 15 describes the design of client/server software architectures, in which a typ-
ical design consists of one service and multiple clients. Chapter 16 describes the
design of service-oriented architectures, which typically consist of multiple dis-
tributed autonomous services that can be composed into distributed software appli-
cations. Chapter 17 describes the design of component-based software architectures,
including the design of component interfaces, with component ports that have pro-
vided and required interfaces, and connectors that join compatible ports. Chapter 18
describes the design of real-time software architectures, which are concurrent archi-
tectures usually having to deal with multiple streams of input events. Chapter 19
describes the design of software product line architectures, which are architectures
for families of products that need to capture both the commonality and variability
in the family.
Designing Object-Oriented
Software Architectures
230
Designing Object-Oriented Software Architectures 231
■ Entity classes. Classes determined in the analysis model that encapsulate data.
On class diagrams, they are depicted with the stereotype «entity». Entity objects,
which are instances of entity classes, are usually long-lasting objects that store
information. For database-intensive applications, it is likely that, in some cases,
the encapsulated data will need to be stored in a database. In this situation,
the entity class will actually provide an interface to the database rather than
encapsulating the data. Thus, during class design, entity classes are further cat-
egorized as data abstraction classes, which encapsulate data structures, and
wrapper classes. A wrapper class hides the details of how to interface to an
existing system or legacy system, which might be to access data stored in a file
management system or a database management system. A database wrapper
class hides how data is accessed if it is stored in a database, usually a relational
database. A wrapper class can also hide the details of how to interface to a legacy
system. Wrapper classes are described in Chapter 15.
■ Boundary classes. Communicate with and interface to the external environment.
Boundary classes, such as device I/O classes and proxy classes, are often active
(concurrent) classes and are therefore described in Chapter 18. One passive
boundary class described in this section is the graphical user interaction class,
which interfaces to human users and presents information to them.
232 Architectural Design
■ Control classes. Provide the overall coordination for a collection of objects. Con-
trol classes are often active (concurrent) classes and are therefore also described
in Chapter 18. One passive control class described in this chapter is the state-
machine class, which encapsulates a finite state machine. Coordinator classes and
timer classes are assumed to be active classes (tasks) and so are not discussed in
this section.
■ Application logic classes. Encapsulate application-specific logic and algorithms.
Categorized as business logic classes, service classes, or algorithm classes. Busi-
ness logic classes are described in this chapter. Service classes are described in
Chapter 16 on service-oriented architectures. Algorithm classes are often active
and are described in Chapter 18.
(a) (b)
«I/O» «I/O»
: CardReader : CardReader
Interface Interface
«entity» «data
: ATMCard abstraction»
: ATMCard
R1.1: Card Id, Start Date, R1: read(out cardId, out startDate,
R1: Card Request Expiration Date out expirationDate)
(c)
«data abstraction»
ATMCard
- atmCardId: String
- atmStartDate: Date
- atmExpirationDate: Date
Figure 14.1. Example of data abstraction class: (a) Analysis model: com-
munication diagram. (b) Design model: communication diagram. (c) Design
model: class diagram
Thus, Figure 14.1c depicts the ATM Card data abstraction class. The attributes are
encapsulated in the ATM Card class. They are depicted as private attributes; there-
fore, they are not visible outside the class. These attributes are stored by the write
operation and accessed by the read operation. The class interface is defined in terms
of the public read and write operations and the parameters of each operation.
«output» «output»
: CashDispenser : CashDispenser
Interface Interface
(c)
«data abstraction»
ATMCash
- cashAvailable: Integer = 0
- fives: Integer = 0
- tens: Integer = 0
- twenties: Integer = 0
+ addCash (in fivesAdded, in tensAdded, in twentiesAdded)
+ withdrawCash (in cashAmount, out fivesToDispense, out
tensToDispense, out twentiesToDispense)
In addition to knowing what messages are sent to ATM Cash, it is also impor-
tant to know the sequence in which the messages are sent. Thus, in the analysis
model, when ATM Cash receives a Cash Withdrawal Amount message from the Cash
Dispenser Interface object, containing the amount in dollars to be dispensed, it needs
to compute how many bills of each denomination need to be dispensed to satisfy
the request. In the analysis model, ATM Cash sends this information in a response
message, Cash Response.
ATM Cash receives another kind of message from the Operator Interaction object.
The real-world ATM operator replenishes the ATM cash dispenser with new dollar
bills of each denomination. This information needs to be stored in ATM Cash. After
adding the cash to the dispenser, the operator confirms this to the Operator Interac-
tion object, which then sends a Cash Added message to the ATM Cash object, as shown
in Figure 14.2a.
From the previous discussion, the operations of the ATM Cash class can be spec-
ified, as depicted in the Design Model communication diagram shown in Figure
14.2b. Two operations are needed to addCash and withdrawCash. The operation with-
drawCash has one input parameter, cashAmount, and three output parameters to
identify the number of bills of each denomination: fivesToDispense, tensToDispense,
and twentiesToDispense. Correspondingly, the addCash operation has three input
parameters to indentify the number of bills of each denomination added: fivesAdded,
tensAdded, and twentiesAdded. The class interface (depicted in Figure 14.2c) consists
of the public operations, addCash and withdrawCash,and the parameters of the oper-
ations:
An invariant maintained by objects of this class is that the total cash available
for dispensing is equal to the sum of the value of the number of five dollar bills, the
number of ten dollar bills, and the number of twenty dollar bills:
∗ ∗ ∗
cashAvailable = 5 fives + 10 tens + 20 twenties
Insufficient cash is an error case that needs to be detected. Such error situations
are usually handled as exceptions.
«state machine»
ATMStateMachine
designing the operations of a state-machine class is to have one operation for each
incoming event. This means that each state-machine class is designed explicitly for
a particular statechart. However, it is desirable to make a state-machine class more
reusable.
A reusable state-machine class hides the contents of the state transition table
as before; however, it provides two reusable operations that are not application-
specific, processEvent and currentState. The processEvent operation is called when
there is a new event to process, with the new event passed in as an input parameter.
The currentState operation is optional; it returns the ATM control state and is only
needed in applications in which the current state needs to be known by clients of the
state-machine class. The two operations are
When called to process a new event, the processEvent operation looks up the
state transition table to determine the impact of this event, given the current state of
the state machine and any specified conditions that must hold. The table identifies
what the new state is (if any) and whether any actions are to be performed. The
processEvent operation then changes the state of the object and returns the actions
to be performed as an output parameter.
A state-machine class is a reusable class in that it can be used to encapsulate
any state transition table. The contents of the table are application-dependent and
are defined at the time the state-machine class is instantiated and/or initialized. The
initial value of the current state of the state machine (which is set to the ATM initial
state) is also defined at initialization time.
An example of a state-machine class from the Banking System is the ATM State
Machine state-machine class, shown in Figure 14.3. The class encapsulates the ATM
state transition table (which is mapped from the ATM statechart, as depicted in
Chapters 10 and 21) and provides the processEvent and currentState operations.
«coordinator»
: BankTransaction Withdraw,
Coordinator Confirm,
Abort
withdraw ( in accountNumber, in amount, out response),
confirm (accountNumber, amount),
Withdraw Response abort (accountNumber, amount)
(c)
«business logic»
WithdrawalTransactionManager
+ initialize ()
+ withdraw (in accountNumber, in amount, out response)
+ confirm (accountNumber, amount)
+ abort (accountNumber, amount)
Figure 14.5. Example of business logic class: (a) Analysis model: communication diagram. (b) Design model: communication
diagram. (c) Design model: class diagram
Designing Object-Oriented Software Architectures 241
bound up with the implementation of the parent class, which can lead to ripple-
effect problems with deep inheritance hierarchies. Thus, an error made to a class
high up in the inheritance hierarchy will be inherited by its descendent classes at all
lower levels in the hierarchy. For this reason, it is advisable to limit the depth of class
hierarchies.
Account
accountNumber: Integer
balance: Real
CheckingAccount SavingsAccount
described in Chapter 7, which depicts the Account superclass and the two subclasses,
Checking Account and Savings Account. The next step is to design the class opera-
tions.
An abstract class is designed called Account, which encapsulates the two general-
ized attributes that are needed by all accounts: accountNumber and balance. Because
it is necessary to be able to open and close accounts, read the account balance, and
credit and debit the account, the following generalized operations are specified for
the Account class:
■ open (accountNumber : Integer)
■ close ()
■ readBalance () : Real
■ credit (amount : Real)
■ debit (amount : Real)
Initially, the Banking System handles two types of accounts: checking accounts
and savings accounts. Account is a good candidate for using inheritance, with a gen-
eralized account superclass and specialized subclasses for checking account and sav-
ings account. At this stage, we need to ask these questions: What should be the
generalized operations and attributes of the account superclass? What are the spe-
cialized operations and attributes of the checking account and savings account sub-
classes? Should the account class be an abstract class; that is, which of the operations
should be abstract, if any?
Before we can answer these questions, we need to understand in what ways
checking and savings accounts are similar and in what ways they differ. First con-
sider the attributes. It is clear that both checking and saving accounts need account-
Number and balance attributes, so these attributes can be generalized and made
attributes of the Account class, to be inherited by both the Checking Account and
Savings Account subclasses. One requirement for checking accounts is that it is
desirable to know the last amount deposited in the account. Checking Account thus
needs a specialized attribute called lastDepositAmount. On the other hand, in this
bank, savings accounts accrue interest but checking accounts do not. We need to
know the accumulated interest on a savings account, so the attribute cumulativeIn-
terest is declared as an attribute of the Savings Account subclass. In addition, only
three debits are allowed per month from a savings account without a bank charge,
so the attribute debitCount is also declared as an attribute of the Savings Account
subclass.
Two additional static class attributes are declared for Savings Account; these are
attributes for which only one value exists for the whole class, which is accessible
to all objects of the class. The static attributes are maxFreeDebits (the maximum
number of free debits, which is initialized to 3) and bankCharge (the amount the
bank charges for every debit over the maximum number of free debits, which is
initialized to $2.50).
Both Checking Account and Savings Account will need the same operations as
the Account class – namely, open, close, readBalance, credit, and debit. The interface
of these operations is defined in the Account superclass, so the two subclasses will
inherit the same interface from Account. The open and close operations are done
in the same way on checking and savings accounts, so the implementation of these
Designing Object-Oriented Software Architectures 243
operations can also be defined in Account and then inherited. The credit and debit
operations are handled differently for checking and savings accounts. For this rea-
son, the credit and debit operations are designed as abstract operations with the
interface for the operations specified in the superclass but the implementations of
the operations deferred to the subclasses.
In the case of the Checking Account subclass, the implementation of the debit
operation needs to deduct amount from balance. The implementation of the credit
operation needs to increment balance by amount and then set lastDepositAmount
equal to amount. For Savings Account, the implementation of the credit operation
needs to increment balance by amount. The implementation of the debit operation
must, in addition to debiting the balance of the savings account, increment debit-
Count and deduct bankCharge for every debit in excess of maxFreeDebits. There is
also a need for an additional clearDebitCount operation, which reinitializes debit-
Count to zero at the end of each month.
At first glance, the read operations for checking and savings accounts appear
to be identical; however, a more careful examination reveals that this is not the
case. When we read a checking account, we wish to read the balance and the last
deposit amount. When we read a savings account, we wish to read the balance and
the accumulated interest. The solution is to have more than one read operation. The
generalized read operation is the readBalance operation, which is inherited by both
Checking Account and Savings Account. A specialized read operation, readCumula-
tiveInterest, is then added in the Savings Account subclass; and a specialized read
operation, readLastDepositAmount, is added to the Checking Account subclass.
The design of the Account generalization/specialization hierarchy is depicted in
Figure 14.7 and described next. This figure uses the UML convention of depicting
abstract class names in italics.
«entity»
Account {abstract}
# accountNumber : Integer
# balance : Real = 0
+ open (accountNumber : Integer)
# credit (amount : Real) {abstract}
# debit (amount : Real) {abstract}
+ readBalance () : Real
+ close ()
«entity» «entity»
CheckingAccount SavingsAccount
- lastDepositAmount : Real = 0 - cumulativeInterest : Real = 0
+ credit (amount : Real) - debitCount : Integer = 0
+ debit (amount : Real) - maxFreeDebits : Integer = 3
+ readLastDepositAmount() : Real - bankCharge : Real = 2.50
+ credit (amount : Real)
+ debit (amount : Real)
+ clearDebitCount()
+ addInterest (interestRate : Real)
+ readCumulativeInterest () : Real
begin;
end.
r close ()
begin; close the account; end.
■ readBalance () : Real
Designing Object-Oriented Software Architectures 247
readLastDepositAmount () : Real
begin;
return value of lastDepositAmount;
end.
begin
end.
r Inherit specification and redefine implementation:
begin
end.
r readCumulativeInterest () : Real
begin
private anAccount: Account;
Prompt customer for account type and withdrawal amount
if customer responds checking
then – assign customer’s checking account to anAccount
...
anAccount := customerCheckingAccount;
...
elseif customer responds savings
then – assign customer’s savings account to anAccount
...
anAccount := customerSavingsAccount;
...
endif;
...
– debit an Account, which is a checking or savings account
anAccount.debit (amount);
...
end;
14.4.1. As shown below, after the declaration of the public class name comes the
declaration of the private variables, the amount of cash available, the number of
five-, ten-, and twenty-dollar bills, all of which are initialized to zero. This is fol-
lowed by the declaration of the public methods, addCash and withdrawCash.
The addCash method has three integer input parameters – the number five-, ten-,
and twenty-dollar bills to be added. In the implementation, the count of new bills of
each denomination is added to the bill counts already stored in the ATM. The value
of the cashAvailable variable is then computed by adding the total cash value of the
bills of each denomination.
In the withdrawCash method, the amount desired to withdraw is the first param-
eter cashAmount. The second parameter is the integer array in which are returned
the number of five-, ten-, and twenty-dollar bills to dispense.
14.13 SUMMARY
This chapter described the design of object-oriented software architectures using the
concepts of information hiding, classes, and inheritance. This chapter described the
design of information hiding classes, from which the passive objects are instantiated.
These classes were originally determined during the object and class structuring
step in analysis modeling, as described in Chapter 8. This chapter also described the
design of the operations of each class and the design of the class interfaces, as well
as the use of inheritance in software design. For more information on the design of
classes and inheritance and on the use of preconditions, postconditions, and invari-
ants in software construction, an excellent reference is Meyer (2000). Another infor-
mative reference that describes these topics from a UML perspective is Page-Jones
(2000).
The object-oriented design concepts described in this chapter result in the design
of a sequential object-oriented software architecture, which would be implemented
Designing Object-Oriented Software Architectures 251
(b) Different classes may have the same (a) Invoke operation of different names
interface name. on the same objects.
(c) Different classes may have the same (b) Invoke operations of different
superclass name. names on different objects.
(d) Different classes may have the same (c) Invoke an operation of the same
operation name. name on the same object.
12. With polymorphism and dynamic bind- (d) Invoke an operation of the same
ing, an object can: name on different objects.
15
This chapter describes the design of software architectures for client/server systems.
In these systems, a client is a requester of services and a server is a provider of
services. Typical servers are file servers, database servers, and line printer servers.
Client/server architectures are based on client/service architectural patterns, the
simplest of which consists of one service and multiple clients. This pattern has sev-
eral variations, which will be described in this chapter. In addition, certain deci-
sions need to be considered about the design of client/server architectures, such as
whether the server should be designed as a sequential or concurrent subsystem, what
architectural structure patterns to use for the design of the client/server architecture,
and what architectural communication patterns to use for interaction between the
clients and the services.
This chapter differentiates between a server and a service. A server is a hard-
ware/software system that provides one or more services for multiple clients. A ser-
vice in a client/server system is an application software component that fulfills the
needs of multiple clients. Because services execute on servers, there is sometimes
confusion between the two terms, and the two terms are sometimes used inter-
changeably. Sometimes, a server will support just one service or perhaps more than
one; on the other hand, a large service might span more than one server node. In
client/server systems, the service executes on a fixed server node(s) and the client
has a fixed connection to the server.
Section 15.1 describes concepts, architectures, and patterns for client/server
architectures. Sections 15.2 and 15.3 describe client/service software architectural
patterns, and Section 15.4 provides an overview of middleware technology in
client/server systems. Section 15.5 describes the design of sequential service subsys-
tems and concurrent service subsystems. Because servers are frequently database-
intensive, Section 15.6 describes wrapper classes, which leads into the discussion
of the database wrapper classes. This is followed by a description of the logical
database design for client/server systems in Section 15.7.
253
254 Architectural Design
Service
{1 server node}
1 «external user»
«external output device» 1 Operator
ReceiptPrinter
«software system»
BankingSystem
1 1 Requests Service
From
«external input/output 1 1 «client» 1..* 1 «service»
device» «subsystem» «subsystem»
CardReader ATMClient BankingService
1
«external user»
1 ATMCustomer
Figure 15.2. Example of Multiple Client/Single Service architectural pattern: Banking System
256 Architectural Design
which send synchronous messages to the Banking Service. Each client is tightly cou-
pled with the service, because it sends a message and then waits for a response.
After receiving the message, the service processes the message, prepares a reply,
and sends the reply to the client. After receiving the response, the client resumes
execution.
Service1
{1 server node} Service2
{1 server node}
Sunrise Bank
Service Sunset Bank
{1 server node} Service
{1 server node}
Banking Federation System shown in Figure 15.5. Continuing with the ATM exam-
ple, besides several ATM clients accessing the same bank service, it is possible for
one ATM client to access multiple bank services. This feature allows customers to
access their own bank service from a different bank’s ATM client. In this example,
ATM customers from Sunrise bank can withdraw funds from Sunset bank in addi-
tion to their own Sunrise bank, and vice versa. Figure 15.5 depicts the two bank
services, Sunrise Bank Service and Sunset Bank Service, as well as two instances of
each of the clients, Sunrise ATM Client and Sunset ATM Client.
2: sendATMTransaction
(in transaction, out response)
«client»
: ATMClient
1: sendAsynchronousMessage
( in message, in callbackHandle)
aClient aService
2: sendCallbackResponse ( in response)
Server
Client node
node
«network»
With the callback pattern, the client sends a remote reference or handle, which is
then used by the service to respond to the client. A variation on the callback pattern
is for the service to delegate the response to another component by forwarding to it
the callback handle.
calls from clients. The server receives a request from a client, invokes the appropri-
ate procedure, and returns a reply to the client.
(a)
aClient
1: serviceRequest
2: serviceResponse
(in inputParam)
aService
aClient
aService
1: serviceRequest 3: serviceRequest
6: serviceResponse 4: serviceResponse
(in inputParam) (in inputParam)
aClientProxy aServiceProxy
2: requestMessage 5: responseMesage
«network»
persistent data are stored. Section 15.7 describes the design of relational databases,
and Section 15.6 describes the design of wrapper classes to provide an object-
oriented interface to the database.
A simple service does not initiate any requests for services but responds to
requests from clients. There are two kinds of service components: sequential and
concurrent.
«service»
«subsystem»
: BankingService «coordinator»
: BankTransaction validatePIN(in cardId, in PIN, out v_response)
transfer(in fromAccount#,
Coordinator
in toAccount#, in amount,
out t_response)
withdraw(in account#,
in amount, out w_response), «business logic»
query(in account#, confirm(account#, amount), : PINValidation
out q_response) abort(account#, amount) Transaction
Manager
«business logic» «business logic»
«business logic»
readBalance, : Query : Withdrawal
: Transfer
readLast Transaction Transaction
Transaction Deposit read(in cardId,
Manager Manager
Manager Amount checkDailyLimit out account#)
debit(account#,
amount), (cardId, amount),
credit(account#, updateDailyTotal
amount), (cardId, amount)
readBalance log readBalance,
(in transaction) read log
Cumulative (in transaction)
Interest
debit(account#,
log validate(in cardID,
amount),
(in in PIN,
credit(account#,
transaction) out status)
amount),
debit(account#, readBalance
debit(account#,
«database amount), amount), «database «database
wrapper» «database credit(account#, wrapper» «database wrapper»
credit(account#,
: Checking amount), wrapper» amount), : Savings wrapper» : Card
Account readBalance : TransactionLog readBalance Account : DebitCard Account
«service»
«subsystem» withdrawal
Response «demand» validation
: BankingService Response
«coordinator»
: BankTransaction validatePIN(in cardId, in PIN)
query Coordinator
Response
transfer
Response transfer(in fromAccount#, withdraw(in account#, «demand»
in toAccount#, in amount) in amount), «business logic»
query(in account#) confirm(account#, amount) , : PINValidation
abort(account#, amount)
Transaction
Manager
«demand» «demand» «demand»
«business logic» «business logic» «business logic»
: Transfer : Query : Withdrawal
Transaction Transaction Transaction
Manager Manager Manager
Figure 15.13. Example of concurrent object-oriented software architecture for Banking Service
265
266 Architectural Design
and each transaction manager is designed as a separate concurrent object. The Bank
Transaction Coordinator delegates individual transactions to the individual trans-
action managers to allow concurrent processing of transactions. More than one
instance of each transaction manager could also be executed. Access to the database
wrapper objects (not shown) also needs to be synchronized.
In this example, the clients communicate with the service by using the Asyn-
chronous Message Communication with Callback pattern (see Section 15.2.1). This
means that the clients do not wait and can do other things before receiving the ser-
vice response. In this case, the service response is handled as a callback. With the
callback approach, the client sends an operation handle with the original request.
The service uses the handle to remotely call the client operation (the callback)
when it finishes servicing the client request. In the example illustrated in Fig-
ure 15.13, Bank Transaction Coordinator passes the ATM Client’s callback handle to
the appropriate transaction manager. On completion, the transaction manager con-
current object remotely invokes the callback, which is depicted as the appropriate
service response message sent to the ATM client.
wrapper classes, which hide how the data are accessed if stored in a database, and
they are described in this section. In client/server systems, data abstraction classes
are more likely to be designed on the client side, but they might also be needed
on the server side. However database wrapper classes are much more likely to be
designed on the server side, because that is where the database support is provided.
Most databases in use today are relational databases, so the database wrapper
class provides an object-oriented interface to the database. If a relational database
is being used, any entity class defined in the static model that is to be mapped to
a relational database needs to be determined and designed as a database wrapper
class. Sometimes, data retrieved from a database via a database wrapper class are
stored temporarily in a data abstraction class.
The attributes of the analysis model entity class are mapped to a database rela-
tional table (as described in Section 15.7), and the operations to access the attributes
are mapped to a database wrapper class.
The database wrapper class hides the details of how to access the data main-
tained in the relational table, so it hides all the SQL statements. A database wrapper
class usually hides the details of access to one relational table. However, a database
wrapper class might also hide a database view; that is, a SQL join of two or more
relations (Silberschatz, Korth, and Sudarshan 2010).
(a)
«entity»
DebitCard
cardID : String
PIN : String
startDate : Date
expirationDate : Date
status : Integer
limit : Real
total : Real
(b)
«database wrapper»
DebitCard
+ create (cardID)
+ validate (in cardID, in PIN, out status)
+ updatePIN (cardID, PIN)
+ checkDailyLimit (cardID, amount)
+ updateDailyTotal (cardID, amount)
+ updateExpirationDate (cardID, expirationDate)
+ updateCardStatus (cardID, status)
+ updateDailyLimit (cardID, newLimit)
+ clearTotal (cardID)
+ read (in cardID, out PIN, out expirationDate, out status, out limit, out total)
+ delete (cardID)
Figure 15.14. Example of database wrapper class: (a) Analysis model. (b) Design model
268 Architectural Design
table and a database wrapper class. For example, consider the Debit Card entity class
as depicted in the analysis model in Figure 15.14a. As the debit card data will actu-
ally be stored in a relational database, from a database perspective, the entity class
is mapped to a relational table. The attributes of the entity class are mapped to the
attributes of the relation.
It is also necessary to design the Debit Card database wrapper class (Fig-
ure 15.14b), which has the following operations: create, validate, checkDailyLimit,
clearTotal, update, read, and delete. These operations encapsulate the SQL state-
ments for accessing the Debit Card relational table. Note that because the class
attributes can be updated separately, different update operations are provided for
each of the attributes that are updated, such as the daily limit and the card status. A
call to each of the operations results in execution of a SQL statement.
With this notation, Account is the name of the table, and accountNumber and
balance are the attributes. The primary key is underlined. Thus, in the Account
table, accountNumber is the primary key.
In some tables, it is necessary to have a primary key that is a combination of more
than one attribute. For example, if the Account table stores both checking accounts
and savings accounts (with overlapping account numbers), a second attribute (the
account type) would also be needed as part of the primary key, to uniquely locate an
individual account. In this example, the primary key is a concatenated key consisting
of the attributes accountNumber and accountType.
Customer
customerName: String
customerId: String
customerAddress: String
Owns
1..*
Account
accountNumber: Integer
balance: Real
Account table. The Account table is then depicted as follows with the primary key
underlined and the foreign key in italics.
In this way, it is possible to navigate from a row in the Account table ( e.g.,
where the customerId foreign key is 26537) to the row in the Customer table where
the same customerId is the primary key, in order to retrieve more data about the
customer, as shown in Table 15.2.
Because it is possible for a customer not to have a debit card (optional rela-
tionship), making cardId a foreign key in the Customer table would result in some
customers having a null value for card id. On the other hand, because each debit
card is always owned by a customer (one-to-one relationship), making customerId
a foreign key in the Debit Card table is a better solution because it would never
have a null value. customerId is therefore chosen as foreign key in Debit Card, as it
represents the association between Customer and Debit Card tables:
Customer
customerName: String
customerId: String
customerAddress: String
Owns
0..1
DebitCard
cardId: Integer
PIN: String
startDate: Date
expirationDate: Date
status: Integer
limit: Real
total: Real
In this example, because every account has one customer (one-to-one re-
lationship), there will always be one value for the foreign key customerId. If the
foreign key was accountNumber in the Customer table, the foreign key would need
to be a list, because each customer can have many accounts (one-to-many relation-
ship). An attribute array within a relational table is not allowed, because it would
necessitate a hierarchy, which would violate the flat (nonhierarchical) table rule for
relational databases.
Employee Project
formed from the primary key of each relational table that participates in the associ-
ation.
For example, in the static model in Figure 15.17, the Hours association class rep-
resents the association between the Project and Employee classes. The Hours class
has one attribute, hoursWorked, which is an attribute of the association, because it
represents the time worked by an individual employee on a specific project.
Each entity class is mapped to a relational table, including the Hours associa-
tion class, which is designed as the association table called Hours. In the relational
database design, projectId is selected as the primary key of the Project table and
employeeId is selected as the primary key of the Employee table. These two pri-
mary keys form a concatenated primary key (projectId, employeeId) of the Hours
association table. Each of these two attributes is also a foreign key: projectId allows
navigation from the Hours table to the Project table, whereas employeeId allows
navigation from the Hours table to the Employee table. The tables are designed
as follows:
■ The primary key of the part table, in the case of a one-to-one association
between the whole class and the part class
■ Part of a concatenated primary key of the part table, in the case of a one-to-many
association between the whole class and the part class
■ A foreign key in the part table, if a concatenated primary key is not needed to
uniquely identify a row in the part table, in the case of a one-to-many association
between the whole class and the part class
Designing Client/Server Software Architectures 273
College
collegeName: String
dean: String
1 1..* 1..*
College (collegeName)
Admin Office (collegeName, location)
Department (departmentName, collegeName, location)
Account
accountNumber: Integer
balance: Real
accountType
CheckingAccount SavingsAccount
is accessed, one of the subclass tables will also need to be accessed (to access the
subclass attributes), thereby doubling the number of accesses to the database.
In addition, the discriminator, which is an attribute that identifies which property
is abstracted in the generalization relationship, is made an explicit attribute of the
superclass table. Although the static model does not explicitly use the discriminator
as an attribute, it is needed in the superclass table to determine which subclass table
to navigate to.
Consider the example of an Account superclass with Checking Account and
Savings Account subclasses, as shown in the Static Model (Figure 15.19). In the
relational database design, the attributes of the Account superclass become attri-
butes of the Account table, with the primary key of the Account table chosen to
be accountNumber. In addition, discriminator attribute accountType becomes an
attribute of the Account table. The primary key attribute of the superclass table is
also added to each subclass table and becomes the primary key of these tables. Thus,
both the Checking Account and Savings Account tables have the same primary key
attribute, accountNumber, as the Account table. Note that this solution assumes
that the account number is unique.
15.8 SUMMARY
This chapter described the design of client/server software architectures. These
architectures are based on client/service architectural patterns, the simplest of which
consists of one service and multiple clients. There are several variations of this
pattern, which have been described in this chapter. In addition, there are design
decisions to be considered about the design of the client/server architecture, such
as whether a service should be designed as a sequential or concurrent subsystem,
and what communication patterns to use between the client and service subsystems.
Client/server architectures have been incorporated into service-oriented architec-
tures, as described in Chapter 16, and component-based software architectures,
as described in Chapter 17. A case study of the design of a client/server software
architecture, namely, the Banking System, is presented in Chapter 21. This chapter
has also described how static models are mapped to database wrapper classes and
276 Architectural Design
(c) The primary key of the aggregate (a) The superclass and each subclass
table is a foreign key of the part are designed as relational tables.
table. (b) Only subclasses are designed as
(d) The primary key of the part table is relational tables.
a foreign key of the aggregate table. (c) The aggregate and part classes are
10. When mapping a generalization/spe- designed as relational tables.
cialization relationship to a relational (d) Only the superclass is designed as a
database, which of the following is NOT relational table.
possible?
16
278
Designing Service-Oriented Architectures 279
aBroker
R2:
registrationAck
R1:
register
Service
aService
required – for example, to withdraw cash from a given bank. The broker receives
the client request, determines the location of the service (the ID of the node the
service resides on), and forwards the message to the service at the specific location.
The message arrives at the service, and the requested service is invoked. The bro-
ker receives the service response and forwards it back to the client. The pattern is
depicted in Figure 16.2 and consists of the following message sequence:
The Broker Forwarding pattern provides an intermediary for every message sent
between a client and a service. This pattern potentially provides a high level of secu-
rity because each message can be vetted. However, this security comes at the cost
of performance compared with the basic Client/Service pattern (see Section 15.1)
because the message traffic is doubled, with four messages required for communi-
cation from the client to the service via the broker, compared to two messages for
direct communication between the client and the service.
aBroker
1: serviceRequest 2: forwardedRequest
3:serviceReply
4: forwardedReply
aServiceRequester aService
aBroker
B1: serviceRequest
B2: serviceHandle
B3: serviceRequestWithHandle
aServiceRequester aService
B4: serviceReply
B1: The client (service requester) sends a service request to the broker.
B2: The broker looks up the location of the service and returns a service
handle to the client.
B3: The client uses the service handle to make the request to the appropri-
ate service.
B4: The service executes the request and sends the reply directly to the
client.
This approach is more efficient than Broker Forwarding if the client and service
are likely to have a dialog that results in the exchange of several messages. The
reason is that with Broker Handle, the interaction with the broker is only done once
at the start of the dialog instead of every time, as with Broker Forwarding. Most
commercial object brokers use a Broker Handle design. With this approach, it is the
responsibility of the client to discard the handle after the dialog is over. Using an
old handle is liable to fail because the service might have moved in the interval. If
the service does move, it needs to inform the broker so that the broker can update
the name table.
aBroker
1: queryServices
3: select 2: serviceList
aService
4: service
Handle
5: serviceRequestWithHandle
aService
aService
Requester
6: serviceReply
white page brokering. A different brokering pattern is yellow page brokering, anal-
ogous to the yellow pages of the telephone directory, in which the client knows the
type of service required but not the specific service. This pattern, which is shown
in Figure 16.4, is also known as the Service Discovery pattern because it allows
the client to discover new services. The client sends a query request to the bro-
ker, requesting all services of a given type. The broker responds with a list of all
services that match the client’s request. The client, possibly after consultation with
the user, selects a specific service. The broker returns the service handle, which the
client uses for communicating directly with the service. The pattern interactions, in
which a yellow pages request is followed by a white pages request, are described in
more detail as follows:
1. The client (service requester) sends a yellow pages request to the broker
requesting information about all services of a given type.
2. The broker looks up this information and returns a list of all services that
satisfy the query criteria.
3. The client selects one of the services and sends a white pages request to the
broker.
4. The broker looks up the location of the service and returns a service handle
to the client.
5. The client uses the service handle to request the appropriate service.
6. The service executes the request and sends the response directly to the client.
aWebService
aWebService
Requester
1: webService 2: webService
Request Response
«network»
Figure 16.5. Web client and Web service in a World Wide Web services
application
Designing Service-Oriented Architectures 285
Web Service
Web Service Web Services Broker
Requester node
Provider node node
aWebService aWebServices
aWebService
Requester Broker
«network»
to as publishing or registering the service. Most brokers, such as CORBA and Web
service brokers, provide a registration service. For Web services, a service registry is
provided to allow services to be published and located via the World Wide Web. Ser-
vice providers register their services together with service descriptions in a service
registry. Clients searching for a service can look up the service registry to find a suit-
able service. The Web Services Description Language (WSDL) is an XML-based
language used to describe what a service does, where it resides, and how to invoke it.
are needed to begin the transaction, commit the transaction, or abort the transac-
tion. Transactions are typically used for updates to a distributed database that needs
to be atomic – for example, transferring funds from an account at one bank to an
account at a different bank. With this approach, updates to the distributed database
are coordinated such that they are either all performed (commit) or all rolled back
(abort).
A transaction must be completed in its entirety or not at all. Consider an inter-
bank electronic funds transfer. For a transaction to be considered complete, all its
operations must be performed successfully. If any operation of the transaction can-
not be performed, the transaction must be aborted. This means that individual oper-
ations that have been completed need to be undone, so the effect of an aborted
transaction is as if it never occurred.
Transactions have the following properties, sometimes referred to as ACID
properties:
One way to achieve this result is to use the Two-Phase Commit Protocol, which
synchronizes updates on different nodes in distributed applications. The result of the
Two-Phase Commit Protocol is that either the transaction is committed (in which
Designing Service-Oriented Architectures 287
: CommitCoordinator
firstBankService secondBankService
fromAccount toAccount
Figure 16.7. Example of the first phase of the Two-Phase Commit Protocol:
bank transfer
case all updates succeed) or the transaction is aborted (in which case all updates
fail).
Coordination of the transaction is provided by the Commit Coordinator. There is
one participant service for each node. There are two participants in the bank trans-
fer transaction: first Bank Service, which maintains the account from which money
is being transferred (from Account), and second Bank Service, which maintains the
account to which money is being transferred (to Account). In the first phase of the
Two-Phase Commit Protocol (Figure 16.7), Commit Coordinator sends a prepare To
Commit message (1a, 1b) to each participant service. Each participant service locks
the record (1a.1, 1b.1), performs the debit or credit update (1a.2, 1b.2), and then
sends a ready To Commit message (1a.3, 1b.3) to Commit Coordinator. If a participant
service is unable to perform the update, it sends a refuse To Commit message. Commit
Coordinator waits to receive responses from all participants.
When all participant services have responded, Commit Coordinator proceeds to
the second phase of the Two-Phase Commit Protocol (Figure 16.8). If all partici-
pants have sent ready To Commit messages, Commit Coordinator sends the commit
message (2a, 2b) to each participant service. Each participant service makes the
update permanent (2a.1, 2b.1), unlocks the record (2a.2, 2b.2), and sends a commit
Completed message (2a.3, 2b.3), to Commit Coordinator. Commit Coordinator waits for
all commit Completed messages.
If a participant service responds to the prepare To Commit message with a ready
To Commit message, it is committed to completing the transaction. The participant
service must then complete the transaction even if a delay occurs (e.g., even if it
goes down after it has sent the ready To Commit message). If, on the other hand,
any participant service responds to the prepare To Commit message with a refuse To
Commit message, the Commit Coordinator sends an abort message to all participants.
The participants then roll back the update.
288 Architectural Design
: CommitCoordinator
2b.3: Commit
2a: Commit Completed
firstBankService secondBankService
fromAccount toAccount
Figure 16.8. Example of the second phase of the Two-Phase Commit Pro-
tocol: bank transfer
airline
ReservationService
1: flightReservation
2: flightConfirmation
3: hotelReservation
hotel
worldWide
ReservationService
TravelAgent
4: hotelConfirmation
5: carReservation
6: carConfirmation
vehicle
RentalService
unifiedAirlines
1a: ReservationService
flightQuery
1a.1:
response
2: reserve
3:
reject 1b: 4:
query reserve
worldWide brittanicAirways
TravelAgent 1b.1: 5: confirm ReservationService
response
1c: query
1c.1:
response
virtualAtlantic
ReservationService
■ Propose a service. The client agent proposes a service to the service agent. This
proposed service is negotiable, meaning that the client agent is willing to consider
counteroffers.
■ Request a service. The client agent requests a service from the service agent. This
requested service is nonnegotiable, meaning that the client agent is not willing to
consider counteroffers.
■ Reject a service offer. The client agent rejects an offer made by the service agent.
The service agent, who acts on behalf of the service, may do any of the following:
unifiedAirlines
ReservationService
2a: flightQuery
2c.1: response
virtualAtlantic
ReservationService
1. The Client Agent uses the propose service to propose the trip to London with
the stipulated constraints.
2. The world Wide Travel Agent determines that three airlines, Britannic Airways
(BA), Unified Airlines (UA), and Virtual Atlantic (VA), service the Wash-
ington D.C.-to-London route. It sends a flight Query to the three respective
services – UA Service (2a), BA Service (2b), and VA Service (2c) – for flights on
those dates. It receives responses from all three services with the times and
prices of the flights.
3. The world Wide Travel Agent sends an offer message to the Client Agent con-
sisting of the available flights at the proposed price. If only more expensive
flights are available, the world Wide Travel Agent offers the cheapest it can
find. In this case, it determines that the two best offers for the proposed dates
are from UA for $750 and BA for $775. There is no flight below $700, so it
292 Architectural Design
offers the available flight that come closest to the proposed price. It therefore
sends the offer message for the UA flight at $750 to the Client Agent.
4. The Client Agent displays the choice to the user. The Client Agent may then
request a service (i.e., request one of the choices offered by the service agent).
Alternatively, the Client Agent may reject the service offer if the user does not
like any of the options and propose a service on a different date. In this case,
the user selects the UA offer and the Client Agent sends the request UA flight
message to the world Wide Travel Agent.
5. The world Wide Travel Agent makes a reserve request to the UA Service.
6. Assuming the flight is no longer available, the UA Service rejects the reser-
vation.
7. Since the flight is no longer available, the world Wide Travel Agent responds to
the Client Agent’s request with a reject message.
8. The Client Agent makes a request for the next best offer, the BA flight at $775,
and sends the request BA flight message to the world Wide Travel Agent.
9. The world Wide Travel Agent makes a reserve request to the BA Service.
10. Assuming the flight is still available, the BA Service confirms the reser-
vation.
11. The world Wide Travel Agent responds to the Client Agent’s request with an
accept message.
In this example, note that the world Wide Travel Agent plays a service role when
communicating with the Client Agent and a client role when communicating with the
airline services.
«service»
: Inventory
Service
«service»
: DeliveryOrder
Service
Figure 16.12. Communication diagram for the Process Delivery Order use case
«service»
: Inventory
Service
IInventoryService
PInventoryService
«interface»
IInventoryService «service»
Inventory
checkInventory (in itemId, in amount, out inventoryStatus) Service
update (in itemId, in amount)
reserveInventory (in itemId, in amount, out inventoryStatus)
commitInventory (in itemId, in amount, out inventoryStatus)
abortInventory (in itemId, in amount, out inventoryStatus)
(see Chapter 17) called PInventoryService, which supports the provided interface
called IInventoryService. A similar analysis would be used to determine the opera-
tions of the other services. The full case study description is given in Chapter 22.
«interface»
ISupplierCoordinator
Coordinator provides the overall control and sequencing, which is also referred to as
the workflow.
Supplier Coordinator receives supplier requests from Supplier Interaction via the
provided interface called ISupplierCoordinator. Supplier Coordinator is a client of the
Inventory Service and thus has a required interface IInventoryService (Figure 16.14),
and a client of Delivery Order Service. The requests Supplier Coordinator receives from
Supplier Interaction are to:
Customer Supplier
Customer Supplier Coordinator
Coordinator
Request Request Response
Response
Request
Account Commit
Info
Send
Invoice Select,
Authorization Delivery
Authorization Update
Request Order
Response Store,
Charge Query,
Update,
Committed Select
Request Check,
Send Inventory Reserve,
Catalog Delivery
Account Info Info Commit
Info Order
«service»
«service» «service» «service» «service» «service»
: Customer
: CreditCard : Email : Catalog : DeliveryOrder : Inventory
Account
Service Service Service Service Service
Service
Figure 16.16. Concurrent communication diagram for the Online Shopping System
Designing Service-Oriented Architectures 297
ICreditCardService
PCreditCardService
«interface»
ICreditCardService «service»
CreditCard
authorizeCharge (in creditcardId, in amount, out authorizationResponse) Service
commitCharge (in creditcardId, in amount, out chargeResponse)
abortCharge (in creditcardId, in amount, out chargeResponse)
IEmailService
PEmailService
«interface»
IEmailService «service»
Email
sendEmail (in emailId, in emailText) Service
Figure 16.17. Service interfaces for Credit Card Service and Email Service
In the online shopping system, two external services are reused, namely, the
Credit Card Service and the Email Service. The Email Service is the simpler of the
two, with only one operation invoked to send an email. The operation invoked is
sendEmail (recipient, message). In the case of the Credit Card Service, two operations
need to be invoked and follow a predefined sequence, first to authorize the transac-
tion (authorizeCharge) and second to charge the transaction (commitCharge). There
is a third operation to abort the transaction, abortCharge.
16.10 SUMMARY
This chapter described how to design SOAs, including how to design services and
then how to reuse services. This chapter also briefly described technology support
for SOA but concentrated on architectural concepts, methods, and patterns for
designing SOA – the technology is changing rapidly, but the concepts last longer.
Services can also be designed to be part of a distributed component-based software
architecture, as described in the next chapter. A case study of designing a SOA, the
online shopping system, is given in Chapter 22.
7. Yellow pages brokering is useful when (b) The compound transaction is ato-
a service requester: mic.
(a) Needs to discover the location of (c) The compound transaction is de-
the service composed into atomic transac-
(b) Knows the type of service required tions.
but not the specific service (d) The compound transaction is de-
(c) Knows the specific service required composed into subatomic transac-
but not the type of service tions.
(d) Needs to discover the broker 10. With a Negotiation pattern, which of
8. What is a transaction? the following is NOT true?
(a) Consists of two or more operations (a) The client agent can propose a ser-
(b) Consists of one operation vice.
(c) Consists of two or more operations (b) The service agent can offer a ser-
that are indivisible vice in response to a client agent
(d) Consists of two or more operations proposal.
that are divisible (c) The client agent can request a ser-
9. What is a compound transaction? vice.
(a) The compound transaction is indi- (d) The service agent can offer a ser-
visible. vice in response to a client agent
request.
17
Designing Component-Based
Software Architectures
300
Designing Component-Based Software Architectures 301
«user interaction»
«component»
OperatorPresentation
«interface»
IAlarmService
«interface»
IAlarmStatus
«interface»
IAlarmNotification
RAlarmService PAlarm
RAlarmStatus Notification
IAlarmService
IAlarm IAlarm
Status Notification
Key:
Port
Provided Interface
IAlarmStatus IAlarmService IAlarmNotification
Required Interface
PAlarmStatus PAlarm RAlarm
Concurrent Service Notification
Component
«service»
Alarm
Service
Figure 17.3. Examples of component ports, with provided and required interfaces
through which alarm status messages are sent. The port PAlarmService provides the
main interface through which clients request alarm services (provided interface
IAlarmService). Alarm Service sends alarm notifications through its RAlarmNotifica-
tion port.
«user interaction»
«component»
Operator Alarm
Presentation
RAlarmService
PAlarm
Notification
«input»
«component»
MonitoringSensor
Component
RAlarmStatus
PAlarm
Service RAlarm
PAlarmStatus Notification
«service»
Alarm
Service
interface connected to the provided interface of the same name. The third connec-
tor is also unidirectional and joins Alarm Service’s RAlarmNotification required port to
Operator Alarm Presentation’s PAlarmNotification provided port and is through which
alarm notifications are sent via the IAlarmNotification interface.
«control»
«component»
DisplayProducer
RDisplay
PDisplay
«output»
«component»
Display PDisplay
RDisplayPrompt
«entity»
«output»
DisplayPrompts
DisplayInterface PDisplayPrompt
can any component that directly invokes the operations of a passive component; in
that situation, only the composite component (which contains the passive compo-
nent) can be deployed. Thus, in Figure 17.5, only the Display composite component
can be deployed. By a COMET convention, only the deployable components are
depicted with the component stereotype.
«proxy»
«component»
RemoteSystem
Proxy
RMonitoring
Status
REvent PMonitoring
PMonitoring Notification Service
Status
«service»
Monitoring
DataService
«coordinator»
«component»
SupervisorySystem
RAGVSystem
PAGVSystem
component, Vehicle Control, which receives move commands from a Supervisory Sys-
tem Proxy component, and controls the Motor Component, to start and stop moving
along the track, and Arm Component, to load and unload parts. It also receives inputs
from an Arrival Sensor Component, to indicate arrival at a station.
17.5.3 Performance
If a time-critical function is provided within a node, better and more-predictable
component performance can often be achieved. In a given distributed application, a
real-time component can perform a time-critical service at a given node, with non–
real-time or less time-critical services performed elsewhere. An example of a com-
ponent that satisfies this criterion is the Automated Guided Vehicle System component
in Figure 17.7.
PAGVSystem
«proxy» «input»
«component» «component»
SupervisorySystem ArrivalSensor
Proxy Component
RAGVCtrl RAGVCtrl
PAGVCtrl
RAGVStatus
«control»
«component»
Vehicle Control
RArm RMotor
PArm PMotor
«output» «output»
«component «component»
Arm Motor
Component Component
local autonomy and consist of the hardware plus the software that interfaces to and
controls the device. An I/O component typically consists of one or more device
interface objects, and it may also contain control objects to provide localized con-
trol and entity objects to store local data.
I/O component is a general name given to components that interact with the
external environment; they include input components, output components, I/O
components (which provide both input and output), network interface components,
and system interface components.
In the Automated Guided Vehicle example illustrated in Figure 17.8, Arrival Sen-
sor Component is an example of an input component; and Arm Component and Motor
Component are examples of output components.
«user interaction»
«component»
firstOperatorInteraction
B2a: alarmBroadcast
«user interaction»
«service» «component»
: AlarmHandlingService secondOperatorInteraction
B2b: alarmBroadcast
B1: alarm
Service sends alarm Broadcast messages to all instances of the Operator Interaction
component. Each recipient must decide whether it wishes to take action in response
to the alarm or to ignore the message. The pattern interactions are described in
more detail as follows:
«user interaction»
«component»
S1: subscribe firstOperatorInteraction
N2a: alarmNotify
N1: alarm
s3: subscribe
the Alarm Handling Service receives a new alarm message of this type, it multicasts
the alarm Notification message to all subscriber Operator Interaction components.
The pattern interactions are described in more detail as follows:
S1, S2, S3: Operator Interaction components subscribe to receive alarm noti-
fications.
N1: Event Monitor sends an alarm message to Alarm Handling Service.
N2a, N2b, N2c: Alarm Handling Service looks up the list of subscribers who
have requested to be notified of alarms of this type. It multicasts the
alarm Notification message to the appropriate subscriber Operator Inter-
action components. Each recipient takes appropriate action in response
to the alarm notification.
«service»
aConcurrentNewsService
E7: eventNotification
instances of services, including News Archive Service and News Update Service, and
provides a subscription/notification service to its clients. Subscription Service main-
tains a subscription list of clients that wish to be notified of news events. When a
Correspondent posts a news event, News Update Service updates a news archive and
informs Notification Service of the event arrival. Notification Service queries the Sub-
scription List to determine the clients who have subscribed to receive events of this
type, and then notifies those clients of the news event.
The concurrent communication diagram in Figure 17.11 shows three separate
interactions: a simple query interaction, a news event subscription interaction, and a
news event notification interaction. In the query interaction (which does not involve
a subscription),a client makes a request to News Service Coordinator, which in turn
sends a news archive query to News Archive Service. The latter queries the News
Archive and sends the response directly to Client. Because multiple services could be
accessing the news archive and subscription list concurrently, access synchroniza-
tion would need to be provided, either through the underlying database or by the
services that access the data.
The three event sequences are given different prefixes to differentiate them:
Query interaction (Q prefix):
E1: A news correspondent client sends a news update request to News Ser-
vice Coordinator.
E2: News Service Coordinator forwards the update request to News Update
Service.
E3, E4: News Update Service updates the News Archive and sends an event
Arrival message to Notification Service.
314 Architectural Design
E5, E6: Notification Service queries Subscription List to get the list of event
subscribers (i.e., clients that have subscribed to receive events of this
type).
E7: Notification Service multicasts an event Notification message to all
clients that have subscribed for this event.
■ Define instances of the component. For each component that can have multiple
instances, it is necessary to define the instances desired. For example, in a dis-
tributed Emergency Monitoring System, it is necessary to define the number of
instances of components required in the target application. It is also necessary
to define one Monitoring Sensor Component instance for each sensor, one Remote
System Proxy instance for each remote system, and one instance of the Operator
Interaction component for each operator. Each component instance must have
a unique name so that it can be uniquely identified. For components that are
parameterized, the parameters for each instance need to be defined. Examples
of component parameters are instance name (such as remote proxy Id or opera-
tor Id), sensor names, sensor limits, and alarm names.
■ Interconnect component instances. The application architecture defines how
components communicate with one another. At this stage, the component ins-
tances are connected. In the distributed Emergency Monitoring System in Fig-
ure 17.12, for example, each instance of the Monitoring Sensor Component is con-
nected to the Alarm Service and the Monitoring Data Service. When Alarm Service
sends an alarm notification message to Operator Presentation, it must identify to
which operator it is sending the message.
■ Map the component instances to physical nodes. For example, two components
could be deployed such that each one could run on a separate physical node.
Alternatively, they could both run on the same physical node. The physical con-
figuration of the target application is depicted on a deployment diagram.
«user interaction»
«component» {Layer 3}
: Operator
Presentation
alarmRequest
(in request, out alarmData)
alarmSubscribe (in request,
in notificationHandle, out ack)
«input» «proxy»
«component» «component» {Layer 2}
: MonitoringSensor : RemoteSystem
Component Proxy
post (alarm)
alarmNotify (alarm)
«service»
«service» {Layer 1}
: Monitoring
: AlarmService
DataService
Operator
Presentation
«wide area network» {1 node per
operator}
Monitoring Data
Alarm Service Service
{1 node} {1 node}
17.8 SUMMARY
This chapter described the design of component-based software architectures. It
described the component structuring criteria for designing components that can be
deployed to execute on distributed platforms in a distributed configuration. Also
discussed was the design of component interfaces, with component ports that have
provided and required interfaces, and connectors that join compatible ports. The
component-based software architecture was depicted with the UML 2 notation for
composite structure diagrams. Considerations and tradeoffs in component design
were also discussed. A case study of designing a component-based software archi-
tecture, the Emergency Monitoring System, is given in Chapter 23. Distributed com-
ponents can also be integrated into service-oriented architectures, as described in
the Online Shopping System case study in Chapter 22.
6. What does a delegation connector join? (b) A message sent to a specific recipi-
(a) An outer provided port to an inner ent
provided port (c) A message sent to all recipients
(b) An outer provided port to an inner (d) A message sent to recipients who
required port have joined a group
(c) An outer required port to an inner 9. During application deployment:
provided port (a) The application is executed.
(d) An outer provided port to an outer (b) Component instances are executed.
required port (c) Component instances are assigned
7. What is broadcast message communica- to hardware nodes.
tion? (d) Component instances are instanti-
(a) A message sent to several recipi- ated.
ents 10. What is an advantage of localized
(b) A message sent to a specific recipi- autonomy in component-based design?
ent (a) If a component goes down, other
(c) A message sent to all recipients components can continue to exe-
(d) A message sent to recipients who cute.
are members of a group (b) Components execute concurrently.
8. What are the communication character- (c) Components are distributed.
istics of subscription/notification? (d) Components communicate using
(a) A message sent to several recipients messages.
18
This chapter describes the design of concurrent and real-time software architectures.
Real-time software architectures are concurrent architectures that usually have to
deal with multiple streams of input events. They are typically state-dependent, with
either centralized or decentralized control. Thus, the design of finite state machines,
as described in Chapter 10, state-dependent interaction modeling, as described in
Chapter 11, and the control patterns, as described in this chapter, are very important
in the design of real-time software architectures.
Section 18.1 describes concepts, architectures, and patterns for designing concur-
rent and real-time software architectures. Section 18.2 describes the characteristics
of real-time systems. Section 18.3 describes control patterns for real-time software
architectures. Section 18.4 describes the concurrent task structuring criteria. Sec-
tion 18.5 describes the I/O task structuring criteria, and Section 18.6 describes the
internal task structuring criteria. Section 18.7 describes the steps in developing the
concurrent task architecture. Section 18.8 describes designing the task interfaces
using task communication and synchronization. Section 18.9 describes documenting
task interface and behavior specifications. Section 18.10 describes concurrent task
implementation in Java using threads.
318
Designing Concurrent and Real-Time Software Architectures 319
a simple component, as described in Chapter 17, and the two terms are used inter-
changeably in this chapter.
During concurrent software design, a concurrent software architecture is devel-
oped in which the system is structured into concurrent tasks, and the interfaces
and interconnections between the concurrent tasks are defined. To help determine
the concurrent tasks, concurrent task structuring criteria are provided to assist in
mapping an object-oriented analysis model of the system to a concurrent software
architecture. These criteria are a set of heuristics, also referred to as guidelines,
that capture expert designer knowledge in the software design of concurrent
and real-time systems. Concurrent tasks also participate in software architectural
patterns; thus, they can participate in patterns already described, such as Layered
patterns (Chapter 12) and Client/Service patterns (Chapter 15), in which both
the client and service could be designed as concurrent software architectures. In
addition, it is possible for concurrent tasks to participate in various control patterns,
as described in Section 18.3.
Real-Time
System
the order of incoming events is not predictable. Also, the input load might vary
significantly and unpredictably with time.
Real-time systems are frequently classified as hard real-time systems or soft real-
time systems. A hard real-time system has time-critical deadlines that must be met
to prevent a catastrophic system failure. In a soft real-time system, missing deadlines
occasionally is considered undesirable but not catastrophic, so it can be tolerated.
«input» «input»
«component» «component» «input»
: DoorComponent «component»
: WeightComponent
: KeypadComponent
sendControlRequest
(doorEvent) sendControlRequest
(weightEvent)
sendControlRequest(keypadEvent)
«control»
«component»
: MicrowaveControl
displayPrompt(promptId)
displayTime(time)
startCooking(level)
stopCooking()
«output»
«output» «component»
«component» : MicrowaveDisplay
: HeatingElementComponent
component in overall control. To notify each other of important events, the control
components communicate through peer-to-peer communication. They also interact
with the external environment as in the Centralized Control pattern (see Section
12.2.6).
An example of the Distributed Control pattern is given in Figure 18.3, in which
the control is distributed among the several distributed controller components. Each
distributed controller executes a state machine, receiving inputs from the external
environment through sensor components and controlling the external environment
by sending outputs to actuator components. Each distributed controller communi-
cates with the other distributed controller components by means of messages con-
taining events.
«coordinator»
«component»
: Hierarchical
Controller
command
command
command response
response response
«control» «control «control»
«component» component» «component»
: Distributed : Distributed : Distributed
Controller Controller Controller
for each control component and communicating that information directly to the
control component. The coordinator also receives status information from the con-
trol components.
One example of the Hierarchical Control pattern is given in Figure 18.4, in which
the Hierarchical Controller sends high-level commands to each of the distributed
controllers. The distributed controllers provide the low-level control, interacting
with sensor and actuator components, and respond to the Hierarchical Controller
when they have finished. They may also send progress reports to the Hierarchical
Controller.
stereotypes: the first is the object role criterion, which is determined during object
structuring, as described in Chapter 8; and the second stereotype is used to depict
the type of concurrency. During concurrent task structuring, if an object in the anal-
ysis model is determined to be active, it is categorized further to show its concurrent
task characteristics. For example, an active «I/O» object is concurrent and is cate-
gorized further using a second stereotype as one of the following: an «event driven»
task, a «periodic» task, or a task activated on «demand». Stereotypes are also used
to depict the kinds of devices to which the concurrent tasks interface. Thus, an
«external input device» is further classified, depending on its characteristics, into
an «event-driven» external input device or a «passive» external input device.
1: doorInterrupt
«event driven» (doorInput) 2: doorRequest
«event driven»
«external input : Microwave
«input»
device» Control
: DoorSensorInterface
: DoorSensor
(Note: the dashed line for the hardware/software boundary is for illustrative purposes only and does not conform to
the UML notation.)
Figure 18.5. Example of event driven I/O task: (a) Analysis model: communication
diagram. (b) Design model: concurrent communication diagram
an internal format, and sends it as a Door Request message to the Microwave Control
task. In the design model, the interrupt is depicted as an asynchronous event.
2: Current
1: Temperature Temperature
«external input Input «input»
device» : Temperature : Temperature
: Temperatur e Sensor Data
Sensor Interface
«external timer»
: DigitalClock
0: timerEvent
1: read 2: update (in current
«passive» (out temperatureInput) Temperature)
«periodic»
«external input
«input» : Temperature
device»
: Temperature Data
: Temperature
SensorInterface
Sensor
(Note: the dashed line for the hardware/software boundary is for illustrative purposes only and does not conform to
the UML notation.)
Figure 18.6. Example of a periodic I/O task: (a) Analysis model: communication
diagram. (b) Design model: concurrent communication diagram
2: temperature
1: read (out andPressure 3: sensor
sensorData) «demand» Statistics «passive»
«demand» Statistics
«entity» «algorithm» «external
«output»
: SensorData : Sensor output
: SensorStatistics
Repository Statistics device»
DisplayInterface
Algorithm : Display
(Note: the dashed line for the hardware/software boundary is for illustrative purposes only and does not conform to
the UML notation.)
Figure 18.7. Example of a demand driven output task: (a) Analysis model: commu-
nication diagram. (b) Design model: concurrent communication diagram
desirable to overlap computation with I/O. A demand driven I/O task is used in
such a situation to interface to the passive I/O device. Consider the following cases:
■ In the case of input, overlap the input from the passive device with the compu-
tational task that receives and consumes the data. This is achieved by using a
demand driven input task to read the data from the input device when requested
to do so.
■ In the case of output, overlap the output to the device with the computational
task that produces the data. This is achieved by using a demand driven output
task to output to the device when requested to do so, usually via a message.
Demand driven I/O tasks are used more often with output devices than with
input devices, because the output can be overlapped with the computation more
often, as shown in the following example. Usually, if the I/O and computation are
to be overlapped for a passive input device, a periodic input task is used.
Consider a demand driven output task that receives a message from a producer
task. A demand driven task is depicted with the stereotype «demand». Overlap-
ping computation and output is achieved as follows: the consumer task outputs the
data contained in the message to the passive output device, the display, while the
producer is preparing the next message. This case is shown in Figure 18.7. The Sen-
sor Statistics Display Interface is a demand driven output task. It accepts a mes-
sage to display from the Sensor Statistics Algorithm task, and it displays the sensor
statistics while the Sensor Statistics Algorithm task is computing the next set of values
to display; thus, the computation is overlapped with the output. The Sensor Statistics
Display Interface task is depicted on the concurrent communication diagram with the
stereotypes «demand» «output» task.
Designing Concurrent and Real-Time Software Architectures 327
3: Timer
1: Timer Event Expired
«timer»
«external timer» : Microwave
: Microwave
: DigitalClock Control
Timer
«entity»
: OvenData
(a)
3: timer
1: timerEvent «periodic» Expired
«external timer» «timer» : Microwave
: DigitalClock : Microwave Control
Timer
2: decrementTime
(out timeLeft)
«entity»
: OvenData
(b)
Timer task is depicted on the concurrent communication diagram with the stereo-
type «periodic» task. Oven Data is a passive object. The timer event is depicted as an
asynchronous event.
«entity»
: GasPrice
«output»
4: Display Total Gallons, : PumpDisplay
Price Interface
(a)
«entity»
: GasPrice
2: read
(out gasPrice)
3: read(out currentGasFlow)
1: pump «entity»
«state dependent Command «demand» : GasFlow
control» «algorithm»
: PumpControl : GasFlow
Algorithm
«output»
: PumpDisplay
4: display(gallons, price) Interface
(b)
Figure 18.9. Example of a demand driven task: (a) Analysis model: commu-
nication diagram. (b) Design model: concurrent communication diagram
Designing Concurrent and Real-Time Software Architectures 329
to read the current gas flow and the gas price and compute the total gallons pumped
and total price, which are then sent to the Pump Display Interface object (Figure
18.9a). In the design model, the Gas Flow Algorithm object is structured as a demand
driven algorithm task with the same name, which is activated by the arrival of a
Pump Command message. The Gas Flow Algorithm task is depicted on the concurrent
communication diagram with the stereotypes «demand» «algorithm» task (Figure
18.9b). The Pump Control and Pump Display Interface objects are also structured as
tasks. The Gas Flow and Gas Price entity objects are passive objects.
2: Microwave
1: Door Request «state dependent Command
«input» : Heating
control»
: DoorSensor Element
: Microwave
Interface Interface
Control
(a)
2: microwave
«demand» Command
«event driven» 1: doorRequest
«state dependent : Heating
«input»
control» Element
: DoorSensor
: Microwave Interface
Interface
Control
(b)
Figure 18.10. Example of a control task: (a) Analysis model: communica-
tion diagram. (b) Design model: concurrent communication diagram
330 Architectural Design
«demand»
«state dependent «state dependent
control» control»
: Elevator : Elevator
Control Control
(a) (b)
Figure 18.11. Example of multiple control tasks of same type: (a) Analysis
model: control object (multiple instances). (b) Design model: one task for
each elevator
1: Operator 2: Sensor
Command «user Request
«entity»
interaction»
: SensorData
: Operator
Repository
3: Display Interaction
: Operator Data 2.1: Sensor Data
(a)
1: operator 2: read(out
Command «event driven» sensorData)
«user «entity»
interaction» : SensorData
: Operator Repository
3: display Interaction
: Operator Data
(b)
2: read(out
«event driven» factoryStatus)
«user «entity»
1: factoryStatusQuery
interaction» : FactoryStatus
: FactoryStatus Repository
Window
3: statusDisplayData
1A: alarmQuery
: Operator 2A: read(out
«event driven» alarmStatus)
3A: alarmDisplayData «user «entity»
interaction» : FactoryAlarm
: FactoryAlarm Repository
Window
(c)
Figure 18.12. Example of a user interaction task: (a) Analysis model:
communication diagram. (b) Design model: concurrent communication
diagram with one task. (c) Design model: concurrent communication
diagram with two tasks.
Table 18.1. Mapping from analysis model objects to design model tasks
Analysis model (Object) Design model (Task)
User interaction Event driven user interaction
Input/Output (input, output, I/O) Event driven I/O (input, output, I/O)
Periodic I/O (input, output, I/O)
Demand driven I/O (usually output)
Proxy Event driven proxy
Timer Periodic timer
State-dependent control Demand driven state-dependent control
Coordinator Demand driven coordinator
Algorithm Demand driven algorithm
Periodic algorithm
1. I/O tasks. Start with the device I/O objects that interact with the outside
world. Determine whether the object should be structured as an event driven
I/O task, a periodic I/O task, or a demand driven I/O task.
2. Control tasks. Analyze each state-dependent control object and coordinator
object. Structure this object as a (usually demand driven) state-dependent
control or coordinator task.
3. Periodic tasks. Analyze the internal periodic activities, which are structured
as periodic tasks.
4. Other internal tasks. For each internal task activated by an internal event,
structure this task as a demand driven task.
The guidelines for mapping analysis model objects to design model tasks are sum-
marized in Table 18.1.
ATM Bank
Transactions Responses
«client»
«subsystem» Dispenser
Output «passive»
: ATMClient «demand»
«external output
«output»
device»
Card : CashDispenser
: Cash
Reader Interface
Card Inserted, Dispenser
«event driven» Input Dispense Cash
«event driven» Card Ejected, Cash
«external I/O (Cash details) Cash
«I/O» Card Confiscated Withdrawal
device» : CardReader Response
Amount
: CardReader Interface
Card
«data
Reader Cash abstraction»
Output «demand» Dispensed
Eject, : ATMCash
Card «state
Confiscate dependent
Input Start Up, Cash
Data control» Closedown Added
Customer Operator
: ATMControl
Events «event driven» Information «event driven»
«data (Transaction «user
abstraction» details) Display «external
interaction»
: ATMCard Prompts user»
: Operator
: Operator
Interaction Operator
Update Input
Transaction Receipt
Card Card Printed
Status
Data Request
(Cash details),
Update
Print
PIN Status
Receipt
Figure 18.13. Task architecture: example of initial concurrent communication diagram for ATM Client subsystem
333
334 Architectural Design
1: microwave
Request «demand»
«event driven»
«state dependent
«input»
control»
: DoorSensor
: Microwave
Interface
Control
the preliminary concurrent communication diagram for the design model, all com-
munication is shown using simple messages. In this step of the design modeling,
the task interfaces are defined and depicted on revised concurrent communication
diagrams.
Message interfaces between tasks are either asynchronous (loosely coupled) or
synchronous (tightly coupled), as introduced in Chapter 4 and described in more
detail in Chapter 12. For synchronous message communication, two possibilities
exist: synchronous message communication with reply and synchronous message
communication without reply.
«demand» 1: startMotor
«demand»
«state dependent
«output»
control»
: MotorInterface
: AGVControl 2: started
1: temperature
andPressure
«demand» Statistics
«demand»
«algorithm»
«output»
: Sensor
: SensorStatistics
Statistics
DisplayInterface
Algorithm
the revised concurrent communication diagram (Figure 18.16). The Sensor Statistics
Algorithm computes the statistics, sends the message, and then waits for the accep-
tance of the message by the Sensor Statistics Display Interface before resuming exe-
cution. The Sensor Statistics Algorithm is held up until the Sensor Statistics Display
Interface finishes displaying the previous message. As soon as the Sensor Statistics
Display Interface accepts the new message, the Sensor Statistics Algorithm is released
from its wait and computes the next set of statistics while the Sensor Statistics Dis-
play Interface displays the previous set. By this means, computation of the statistics
(a compute-bound activity) can be overlapped with displaying of the statistics (an
I/O bound activity), while preventing an unnecessary message queue build-up of
statistics at the display task. Thus, the synchronous interface between the two tasks
acts as a brake on the producer task.
1: doorInterrupt
«event driven» (doorInput)
«event driven»
«external input
«input»
device»
: DoorSensorInterface
: DoorSensor
(Note: the dashed line for the hardware/software boundary is for illustrative
purposes only and does not conform to the UML notation.)
1: timerEvent «periodic»
«external timer» «timer»
: DigitalClock : Microwave
Timer
Internal event synchronization is used when two tasks need to synchronize their
actions without communicating data between the tasks. The source task signals the
event. The destination task waits for the event and is suspended until the event is
signaled. It is not suspended if the event has previously been signaled. The event
signal is depicted in UML by an asynchronous message that does not contain any
data. An example of this is shown in Figure 18.19, in which the pick-and-place robot
task signals the event partReady. This awakens the drilling robot, which operates on
the part and then signals the event partCompleted, which the pick-and-place robot is
waiting to receive.
respond to or accept the producer’s message, as shown in Figures 18.15 and 18.16.
The synchronous message notation between a task and a passive object represents
an operation call, as shown in Figures 18.20.
ATM bank
Transaction Response
«client»
«subsystem» dispense dispenser «passive»
: ATMClien t (cashAmount) «demand» Output «external
«output» output
card : CashDispenser device»
Reader Interface : Cash
Input cardInserted, Dispenser
«event driven» «event driven» cardEjected, withdrawCash
«external I/O «I/O» cardConfiscated (in cashAmount,
device» : CardReader
: CardReader Interface out fivesToDispense ,
card out tensToDispense ,
Reader out twentiesToDispense)
Output «demand»
eject, «state
write «data
confiscate dependent startUp,
(card abstraction»
control» closedown
Data) customer : ATMCash
Event : ATMContro l
addCash
«data (transaction
(in fivesAdded,
abstraction» Details) display in tensAdded,
: ATMCard Prompts in twentiesAdded) operator
«event driven» Information «event
read update «user driven»
(out Transaction interaction» «external
card Status : Operator user»
Data) (cashDetails), Interaction operator : Operator
updateCustomerInfo updatePINStatus print Input
(cardData, PIN), (status), (receiptInfo)
updateCustomerSelection printer
Customer (in selection, read(out transaction Output
«event driven» «passive»
«event driven» Input out transactionDetails) «data Data) «demand»
«user «external
«external user» abstraction» «output»
interaction» output device»
: ATMCustomer : AT M : ReceiptPrinter
: Customer : Receipt
KeypadDisplay Display Transaction Interface
Interaction Printer
Information
Figure 18.21. Task architecture: example of revised concurrent communication diagram for ATM Client subsystem
339
340 Architectural Design
typical passive class. The TIS is defined as follows, with the first five items identical
to the class interface specification:
■ Name
■ Information hidden
■ Structuring criteria: For class structuring criteria, only the role criterion (e.g.,
input) is used; for concurrent tasks, the concurrency criterion (e.g., event driven)
needs to be added.
■ Assumptions
■ Anticipated changes
■ Task interface: The task interface should include a definition of
r Messages inputs and outputs. For each message interface (input or output)
there should be a description of
◦ Type of interface: asynchronous, synchronous with reply, or synchronous
without reply
◦ For each message type supported by this interface: message name and mes-
sage parameters
r Events signaled (input and output), name of event, type of event: external,
internal, timer
r External inputs or outputs. Define the inputs from and outputs to the external
environment.
r Passive objects referenced
■ Errors detected by this task
This section describes the possible errors that could be detected during execution
of this task.
The TBS describes the task’s event sequencing logic, which is how the task
responds to each of its message or event inputs, in particular, what output is gen-
erated as a result of each input. The event sequencing logic is defined during the
detailed software design step. Examples of task event sequencing logic are given in
the Banking System case study in Chapter 21.
Messages:
r validatePIN
18.11 SUMMARY
During the task structuring phase, the system is structured into concurrent tasks and
the task interfaces are defined. To help determine the concurrent tasks, task struc-
turing criteria are provided to assist in mapping an object-oriented analysis model of
the system to a concurrent tasking architecture. The task communication and syn-
chronization interfaces are also defined. Each task is determined by using the task
structuring criteria. A case study of designing a real-time software architecture is
given for the Automated Guided Vehicle System described in Chapter 24. In addi-
tion, an example of concurrent software design is the design of the ATM Client
subsystem in the Banking System case study in Chapter 21.
More information on UML modeling for real-time and embedded systems is
given in MARTE, the UML profile for Modeling and Analysis of Real-Time and
Embedded Systems (Espinoza et al 2009). More information about designing real-
software architectures is given in Gomaa (2000). To make concurrent task design
more efficient (i.e., less demanding of resources), a group of related tasks can be
combined into one clustered task by applying task clustering criteria, such as sequen-
tial, temporal, or control clustering (Gomaa 2000).
Designing Concurrent and Real-Time Software Architectures 343
A software product line (SPL) consists of a family of software systems that have
some common functionality and some variable functionality (Clements and Northop
2002; Parnas 1979; Weiss and Lai 1999). Software product line engineering involves
developing the requirements, architecture, and component implementations for a
family of systems, from which products (family members) are derived and config-
ured. The problems of developing individual software systems are scaled upwards
when developing SPLs because of the increased complexity due to variability
management.
As with single systems, a better understanding of a SPL can be obtained by consi-
dering the multiple views, such as requirements models, static models, and dynamic
models of the product line. A graphical modeling language such as UML helps in
developing, understanding, and communicating the different views. A key view in
the multiple views of a SPL is the feature modeling view. The feature model is cru-
cial for managing variability and product derivation because it describes the product
line requirements in terms of commonality and variability, and defines the product
line dependencies. Furthermore, it is desirable to have a development approach that
promotes software evolution, such that original development and subsequent main-
tenance are both treated using feature-driven evolution.
This chapter gives an overview of designing SPL architectures using the Prod-
uct Line UML-based Software) engineering (PLUS) method. PLUS builds on the
COMET method by considering the added dimension of variability in each of the
modeling views. Designing SPLs is covered in considerable detail in the author’s
book on this topic (Gomaa 2005a). Section 19.1 describes the evolutionary software
process model for SPL Engineering. Section 19.2 describes use case modeling and
feature modeling for SPLs. Section 19.3 describes static and dynamic modeling for
SPLs. Section 19.4 describes how variability is handled in statecharts. Section 19.5
describes variability management in design models.
344
Designing Software Product Line Architectures 345
Product Line
Engineer
Application Executable
Requirements Software Application
Application
Engineering
Application
Engineer Customer
Figure 19.1. Evolutionary software process model for software product lines
«kernel»
Validate PIN
«include» «include»
«include» «include» «include» [deposit [ministatement
option] option]
«kernel» «kernel» «optional» «optional»
«kernel»
Withdraw Query Deposit Print
Transfer Funds
Funds Account Funds Statement
(i.e., different versions of the use case are required by different members of the fam-
ily). In UML, the use cases are labeled with the stereotype «kernel», «optional» or
«alternative» (Gomaa 2005a). In addition, variability can be inserted into a use case
through variation points, which specify locations in the use case where variability
can be introduced (Gomaa 2005a; Jacobson, Griss, and Jonsson 1997; Webber and
Gomaa 2004).
Examples of kernel and optional product line use cases for a Banking SPL are
given in Figure 19.2. The kernel of this SPL consists of the use cases that allow a
customer to validate PIN, withdraw funds, query balance of account, and transfer
funds between accounts (as described in Chapters 6 and 21). Optional use cases
are provided for printing a statement (Print Statement) and cash deposit (Deposit
Funds). Additional optional use cases are the ATM operator maintenance use cases
to Startup, Shutdown, and Add Cash to the ATM (although not shown in Figure 19.2,
these use cases are described in the case study in Chapter 21).
Variation points are provided for both the kernel and optional use cases. One
variation point concerns the display prompt language. Since the Banking System
family members will be deployed in different countries, a given bank can choose the
prompt language. The default language is English, with alternative languages being
French, Spanish, and German. An example of a variation point is for all steps that
involve displaying information to the customer in the Validate PIN use case. This
variation point is of type mandatory alternative, which means that a selection among
the alternative choices must be made.
optional features (only required in some product line members), alternative fea-
tures (a choice of feature is available), and prerequisite features (dependent upon
other features). The emphasis in feature modeling is capturing the product line vari-
ability, as given by optional and alternative features, because these features differ-
entiate one member of the product family from the others.
Features are used widely in product line engineering but are not typically used
in UML. In order to effectively model product lines, it is necessary to incorporate
feature modeling concepts into UML. Features are incorporated into UML in the
PLUS method using the meta-class concept, in which features are modeled using
the UML static modeling notation and given stereotypes to differentiate between
«common feature», «optional feature», and «alternative feature» (Gomaa 2005a).
Feature dependencies are depicted as associations with the name requires (e.g., the
Greeting feature requires the Language feature). Furthermore, feature groups, which
place a constraint on how certain features can be selected for a product line member,
such as mutually exclusive features, are also modeled using meta-classes and given
stereotypes (e.g., «zero-or-one-of feature group» or «exactly-one-of feature group»)
(Gomaa 2005a). A feature group is modeled as an aggregation of features, because
a feature is part of a feature group.
The feature model for the Banking SPL is shown in Figure 19.3. The common
feature is the Banking System Kernel, which provides the core functionality of the
ATM corresponding to the four kernel use cases in Figure 19.2. The Deposit fea-
ture, which corresponds to the optional Deposit Funds use case in Figure 19.2, is
an optional feature that requires the kernel feature. Similarly, Statement is also an
optional feature that corresponds to the optional Print Statement use case. Lan-
guage is an exactly-one-of feature group, which corresponds to the Language vari-
ation point in the use case model. This feature group consists of the default feature
English and the alternative features of Spanish, French, or German. There is a param-
eterized feature for Max PIN Attempts, which sets the maximum number of invalid
«optional feature»
requires
Statement
requires
ire
s
requires «exactly-one-of
«optional feature» feature group» «optional feature»
Greeting Language Maintenance
PIN attempts at an ATM and has a default value of 3. Another optional feature
is the Greeting feature, which depends on the Language feature and corresponds to
the Greeting variation point. The ATM can output an optional greeting message to
customers that needs to be displayed in the appropriate language.
In single systems, use cases are used to determine the functional requirements
of a system; they can also serve this purpose in product families. Griss (Griss,
Favaro, and d’Alessandro 1998) has pointed out that the goal of the use case analysis
is to get a good understanding of the functional requirements, whereas the goal of
feature analysis is to enable reuse. Use cases and features complement each other;
thus, optional and alternative use cases are mapped to optional and alternative fea-
tures, respectively, whereas use case variation points are also mapped to features
(Gomaa 2005a).
The relationship between use cases and features can be explicitly depicted in a
feature/use case relationship table, as shown in Table 19.1. For each feature, the
use case it relates to is depicted. In the case of a feature derived from a variation
point, the variation point name is listed. The Banking System Kernel feature is related
to the Validate PIN, Query Account, Transfer Funds, and Withdraw Funds kernel use
cases. The Deposit and Statement optional features correspond to the Deposit Funds
and Print Statement optional use cases, respectively. The Maintenance feature cor-
responds to the ATM operator maintenance use cases to Startup, Shutdown, and
Add Cash to the ATM. The optional Greeting feature and the parameterized Max
PIN Attempts feature correspond to variation points in the Validate PIN use case.
The English, French, German, and Spanish alternative language features are associ-
ated with the Language variation point in all use cases of the Banking System SPL.
This variation point affects all display prompts of an ATM.
«kernel»
«I/O»
CardReader «optional» «kernel»
Interface «user «state dependent
interaction» control»
Operator ATMControl
«kernel» Interaction «kernel»
«output» «entity»
ReceiptPrinter «kernel»
Interface DisplayPrompts
«user interaction»
Customer
«kernel» Interaction
«kernel» «entity»
«output» ATMCard
CashDispenser
Interface
«kernel»
«entity»
«optional» ATMCash «default» «variant» «variant» «variant»
«input» «entity» «entity» «entity» «entity»
CashReader
«optional» English French Spanish German
«entity» DisplayPrompts DisplayPrompts DisplayPrompts DisplayPrompts
ATMGreeting
by every member for the product line. For each kernel use case, a communication
diagram is developed depicting the objects needed to realize the use case (using
the approach described in Chapters 9 and 11). The kernel system is determined by
integrating the kernel use case–based communication diagrams (using the approach
described in Chapter 13) to depict all the objects in the kernel system and the mes-
sage communication between them. The next step is to determine the classes from
which these objects are instantiated.
The software product line evolution approach starts with the kernel system and
considers the impact of optional and/or alternative features (Gomaa 2005a). This
results in the addition of optional or variant objects to the product line architec-
ture. This analysis is done by considering the variable (optional and alternative) use
cases, as well as any variation points in the kernel or variable use cases. For each
optional or alternative use case, an interaction diagram is developed consisting of
new optional or variant objects. The variant objects are kernel or optional objects
that are impacted by the variable scenarios and therefore need to be adapted.
An example of evolutionary dynamic analysis for the ATM client side of the
Banking SPL is given in Figure 19.5. Figure 19.5a depicts two of the software objects
that realize the Validate PIN use case (ATM Control and Customer Interaction). Con-
sider the impact of the Greeting and Language features on the use case–based com-
munication diagram for Validate PIN (Figure 19.5b). The optional ATM Greeting entity
object is added, as is the appropriate variant Display Prompts entity object (e.g.,
French Display Prompts). Both of these objects are accessed by the Customer Inter-
action object. ATM Control sends Customer Interaction the prompt name. Customer
(a)
«subsystem»
: ATMClient
G2: Greeting Output
G:1 Display Greeting
P2: Prompt Output
P1: Get PIN
«external user» «user interaction» «state dependent
: ATMCustomer : Customer control»
KeypadDisplay Interaction : ATMControl
(b)
«subsystem»
: ATMClient
«entity» «entity»
: ATMGreeting : FrenchPrompts
Interaction then requests the prompt text from the Display Prompts object, which
it then displays to the customer. For the prompt greeting, Customer Interaction will
request the greeting text from the ATM Greeting object and display the greeting when
the ATM is idle.
The relationship between features and the classes can be depicted on a feature/
class dependency table, which shows for each feature the classes that realize the fea-
ture, as well as the class reuse category (kernel, optional, or variant), and, in the case
of a parameterized class, the class parameter. This table is developed after the
dynamic impact analysis has been carried out using evolutionary dynamic analysis.
352 Architectural Design
Start/ Ready to
Start Timer Cook
«interface»
IDisplayPrompt «variant» «variant»
«output device interface» «output device interface»
initialize (in language) CustomerInteraction CustomerInteraction
read (in promptId, out promptText)
addPrompt (in promptId, in RDisplayPrompt
promptText) RDisplayPrompt
IDisplayPrompt
PDisplayPrompt
Each default or variant component, such as English Display Prompts or French Dis-
play Prompts, that realizes the interface inherits the component interface from the
abstract Display Prompts component and provides the language specific implemen-
tation.
It is possible for a component to connect to different components and have dif-
ferent interconnections such that in one case it communicates with one component
and in a different case it communicates with two different components. This flexibil-
ity helps in evolving the software architecture. When plug-compatible components
are not practical, an alternative component design approach is component interface
inheritance. Consider a component architecture that evolves in such a way that the
interface through which the two components communicate needs to be specialized
to allow for additional functionality. In this case, both the component that provides
the interface and the component that requires the interface have to be modified –
the former to realize the new functionality, and the latter to request it. The above
approaches can be used to complement compositional approaches for developing
component-based software architectures.
discovered and invoked by clients. New clients can be added that discover services
provided by one or more service providers.
An architectural pattern that is worth considering because of its desirable prop-
erties for SPLs is the Layered architectural pattern (see Chapter 12). A layered
architectural pattern allows for ease of extension and contraction because compo-
nents can be added to or removed from higher layers, which use the services pro-
vided by components at lower layers of the architecture.
In addition to the aforementioned architectural structure patterns, certain archi-
tectural communication patterns also encourage evolution. In SPLs, it is often desir-
able to decouple components. The Broker, Discovery, and Subscription/Notification
patterns encourage such decoupling. With the Broker patterns (see Chapter 16), ser-
vices register with brokers, and clients can then discover new services; thus, a prod-
uct line can evolve with the addition of new clients and services. A new version of a
service can replace an older version and register itself with the broker. Clients com-
municating via the broker would automatically be connected to the new version of
the service. The Subscription/Notification pattern (see Chapter 17) also decouples
the original sender of the message from the recipients of the message.
19.6 SUMMARY
This chapter presented an overview of designing SPL architectures. It described how
use case modeling, static modeling, dynamic interaction modeling, dynamic state
machine modeling, and design modeling can be extended and applied to modeling
SPLs. It was also noted that feature modeling is the unifying model for relating vari-
ability in requirements to variability in the SPL architecture. For more information
on this topic, considerable detail is provided in the author’s book on designing SPLs
with UML (Gomaa 2005a).
Software quality attributes (Bass, Clements, and Kazman 2003) refer to the non-
functional requirements of software, which can have a profound effect on the quality
of a software product. Many of these attributes can be addressed and evaluated at
the time the software architecture is developed. Software quality attributes include
maintainability, modifiability, testability, traceability, scalability, reusability, perfor-
mance, availability, and security. An introduction to software quality attributes is
given in Section 4.6. This section describes each of these attributes and discusses
how they are supported by the COMET design method.
Some software quality attributes are also system quality attributes because they
need both the hardware and software to achieve high quality. Examples of these
quality attributes are performance, availability, and security. Other software quality
attributes are purely software in nature because they rely entirely on the quality of
the software. Examples of these quality attributes are maintainability, modifiability,
testability, and traceability.
20.1 MAINTAINABILITY
Maintainability is the extent to which software is capable of being changed after
deployment. Software may need to be modified for the following reasons:
■ Fix remaining errors. These are errors that were not detected during testing of
the software prior to deployment.
■ Address performance issues. Performance problems may not become apparent
until after the software application has been deployed and is operational in the
field.
■ Changes in software requirements. The biggest reason for software change is
changes in software requirements.
In many cases, software maintenance is actually a misnomer for software evolu-
tion. In particular, unanticipated changes in software requirements necessitate mod-
ifications to the software that could be extensive. To cope with future evolution,
software should be designed for change and adaptability. Quality must be built into
357
358 Architectural Design
the original product to make it maintainable, which means using a good software
development process and providing comprehensive documentation of the product.
The documentation should be kept up to date as the software is modified. Design
rationale should be provided to explain the design decisions that were made. Other-
wise, maintainers will have no option but to work with undocumented code, which
might well be poorly structured.
COMET supports maintainability by providing comprehensive documentation
of the design. Design decisions are actually captured in the design through the use
of stereotypes, which allow design structuring decisions to be included in the design.
With the use case–based development approach, the effect of a change to a require-
ment can be traced from use case to software design and implementation. In addi-
tion, the COMET support for modifiability and testability greatly assists in the main-
tainability of the product.
As an example of how maintainability is provided in COMET, consider a change
in requirements that necessitates that the Banking System become available in
South America, Europe, and Africa. In particular, this requires that prompts be dis-
played in different languages. Every use case that provides prompts to the customer
is potentially affected by this change. An analysis of the design reveals that the only
object that interfaces to the customer is Customer Interaction. A good design solution
would attempt to limit the design change to a minimum. A change to achieve this
goal is that all prompts sent by the ATM Control object to the Customer Interaction
object have a prompt Id instead of the prompt text. If Customer Interaction already
has the prompt messages hardcoded, the prompts would need to be removed and
placed in a prompt table. The prompt table would have one column for prompt
Ids and a second column for the corresponding prompt text. A simple table lookup
would, given the prompt Id, return the prompt text. At system initialization time, the
prompt table for the desired language would be loaded. The default prompt table
would be in English. For the South American market (apart from Brazil) and for
the Spanish market, the Spanish prompt table would be loaded. For France, Que-
bec, and large parts of West Africa, the French prompt table would be loaded at
initialization time. An example of a prompt table with English prompts is given in
Table 20.1.
20.2 MODIFIABILITY
Modifiability is the extent to which software is capable of being modified during and
after initial development. A modular design consisting of modules with well-defined
interfaces is essential. Parnas advocated design for change based on the information
hiding concept, in which change is anticipated and managed by each information
hiding module hiding a secret that could change independently of other parts of the
software. Information hiding is a fundamental design concept (see Chapter 4) and
forms the basis of object-oriented design (see Chapter 14).
COMET supports modifiability by providing support for information hiding at
the class and component levels, and providing support for separation of concerns at
the subsystem level. Decisions such as encapsulating (a) each finite state machine
within a separate state machine class, (b) each interface to a separate external
device, system, or user within a separate boundary class, and (c) each separate
data structure within a separate data abstraction class, assist with modifiability. At
the architecture level, the COMET component-based software architectural design
approach leads to the design of components that can be deployed to different dis-
tributed nodes at software deployment time, so that the same architecture can be
deployed to many different configurations in support of different instances of the
application.
To continue with the prompt table example, using COMET, the design of the
prompt table would affect the static and dynamic models. For a start, the prompt
table would be encapsulated in a prompt class. Because support for different lan-
guages is required, a good approach is to design a superclass called Display Prompts
and design subclasses for each language. The initial requirement is for English
(default), French, Italian, Spanish, and German language prompts (Figure 20.1);
however, the design should allow for extension to other languages. The solution
is to design the Display Prompts class as an abstract class with a common interface
consisting of a read operation to read prompts from the prompt table and an update
operation, in order to update the prompt table and add a new prompt. The language-
specific prompt subclasses would inherit the interface unchanged and then provide
the language-specific implementation. An alternative solution to this problem using
software product line concepts is described in Chapter 19.
«entity»
DisplayPrompts
20.3 TESTABILITY
Testability is the extent to which software is capable of being tested. It is impor-
tant to develop a software test plan early in the software life cycle and to plan on
developing test cases in parallel with software development. The following para-
graphs describe how the different stages of software testing can be integrated with
the COMET method. A comprehensive description of software testing is given by
Ammann and Offutt (2008).
During the requirements phase, it is necessary to develop functional (black box)
test cases. These test cases can be developed from the use case model, particularly
the use case descriptions. Because the use case descriptions describe the sequence
of user interactions with the system, they describe the user inputs that need to be
captured for the test cases and the expected system output. A test case needs to be
developed for each use case scenario, one for the main sequence and one for each
alternative sequence of the use case. Using this approach, a test suite can be deve-
loped to test the functional requirements of the system.
During software architectural design, it is necessary to develop integration test
cases, which test the interfaces between the components that communicate with
each other. A testing approach called scenario-based testing can be used to test the
software using a sequence of scenarios that correspond to the realization of the use
case scenarios on interaction models (diagrams), which show the sequence of objects
communicating with each other and messages passed between the objects. Thus, an
integration test case(s) would be developed for each object interaction scenario.
During detailed design and coding, in which the internal algorithms for each
component are developed, white box test cases can be developed that test the com-
ponent internals using well-known coverage criteria such as executing every line of
code and the outcome of every decision. By this means, it is possible to develop unit
test cases to test the individual units, such as components.
An example of a black box test case based on the Validate PIN use case in the
Banking System would consist of inserting the card, prompting for the PIN, and
validating the card Id/PIN combination. Initially, a test stub object could be devel-
oped that simulates the card reader and provides the inputs read off the simulated
card: card Id, start date, and expiration date. The system then prompts for the PIN
(another test stub simulating the user provides the PIN Id), and then sends the card
and PIN information to the Banking Service subsystem (or server stub during devel-
opment). A test environment could be set up with the Debit Card entity class imple-
mented as a relational table. This would allow the main sequence of the use case
(valid PIN) as well as all the alternative sequences to be tested (invalid PIN, third
invalid PIN, card lost or stolen, etc.).
20.4 TRACEABILITY
Traceability is the extent to which products of each phase can be traced back to
products of previous phases. Requirements traceability is used to ensure that each
software requirement has been designed and implemented. Each requirement is
traced to the software architecture and to the implemented code modules. Require-
ments traceability tables are a useful tool during software architecture reviews for
Software Quality Attributes 361
analyzing whether the software architecture has addressed all the software require-
ments.
It is possible to build traceability into the software development method, as is the
case with the COMET method. COMET is a use case–based development approach
that starts with use cases and then determines the objects required to realize each
use case. Each use case described in the software requirements is elaborated into
a use case–based interaction diagram, which describes the sequence of object com-
munication resulting from an external input, as described in the use case, through
to system output. These interaction diagrams are integrated into the software archi-
tecture. This means that each requirement can be traced from use case to software
design and implementation. The impact of a change to a requirement can therefore
be determined by following the trace from requirement through to design.
As an example of traceability, consider the Validate PIN use case from the Bank-
ing System. This is realized in the dynamic model by the Validate PIN communication
diagram. The change required by the addition of the prompt language requirement
(see section 20.1) can be determined by an impact analysis, which reveals that the
prompt object would need to be accessed by the Customer Interaction object prior
to displaying the prompt, as shown in Figure 20.2. Figure 20.2a shows the original
design with Customer Interaction outputting directly to the display, whereas Figure
20.2b shows the modified design with Customer Interaction reading the prompt text
from the Display Prompts object before outputting to the display. An alternative solu-
tion to this problem using software product line concepts is described in Chapter 19.
20.5 SCALABILITY
Scalability is the extent to which the system is capable of growing after its initial
deployment. There are system and software factors to consider in scalability. From
a system perspective, there are issues of adding hardware to increase the capacity
of the system. In a centralized system, the scope for scalability is limited, such as
adding more memory, disk, or an additional CPU. A distributed system offers much
more scope for scalability, by adding more nodes to the configuration.
From a software perspective, the application needs to be designed in such a way
that it is capable of growth. A distributed component-based software architecture is
much more capable of scaling upwards than a centralized design. Components are
designed such that multiple instances of each component can be deployed to differ-
ent nodes in a distributed configuration. An elevator control system that supports
multiple elevators and multiple floor can have an elevator component and a floor
component, such that there is one instance for each elevator and one instance for
each floor. Such a software architecture can be deployed to execute in a small build-
ing, in a large hotel, or in a skyscraper. A service-oriented architecture can scaled
up by adding more services or additional instances of existing services. New clients
can be added to the system as needed. Clients can discover new services and take
advantage of their offerings.
COMET addresses scalability by providing the capability of designing dis-
tributed component-based software architectures and service-oriented architectures
that can be scaled up after deployment. For example, the Emergency Monitoring
System can be expanded by adding more remote sensors, in the form of additional
362
«subsystem»
: ATMClient
P2: Prompt Output
P1: Get PIN
a) before change
«subsystem»
: ATMClient
«entity»
: DisplayPrompts
Figure 20.2. Traceability analysis before and after change to introduce Display Prompts object
Software Quality Attributes 363
Operator
Presentation
«wide area network» {1 node per
operator}
Monitoring Data
Alarm Service Reporting Service Service
{1 node per {1 node} {1 node per
region} region}
20.6 REUSABILITY
Software reusability is the extent to which software is capable of being reused. In
traditional software reuse, a library of reusable code components is developed – for
example, a statistical subroutine library. This approach requires the establishment
of a library of reusable components and of an approach for indexing, locating, and
distinguishing between similar components (Prieto-Diaz and Freeman 1987). Prob-
lems with this approach include managing the large number of components that
such a reuse library is likely to contain and distinguishing among similar, though not
identical, components.
When a new design is being developed, the designer is responsible for design-
ing the software architecture – that is, the overall structure of the program and the
overall flow of control. Having located and selected a reusable component from
the library, the designer must then determine how this component fits into the new
architecture.
Instead of reusing an individual component, it is much more advantageous to
reuse a whole design or subsystem that consists of the components and their inter-
connections. This means reuse of the control structure of the application. Archi-
tecture reuse has much greater potential than component reuse because it is large-
grained reuse, which focuses on reuse of requirements and design.
The most promising approach for architecture reuse is to develop a software
product line architecture (Gomaa 2005a) which explicitly captures the commonal-
ity and variability in the family of systems that constitutes the product line. The
364 Architectural Design
architecture for a software product line, which is the architecture for a family of
products, needs to describe both the commonality and variability in the family.
Depending on the development approach used (functional or object-oriented), the
product line commonality is described in terms of common modules, classes, or com-
ponents, and the product line variability is described in terms of optional or variant
modules, classes, or components.
The term application engineering refers to the process of tailoring and configur-
ing the product family architecture and components to create a specific application,
which is a member of the product family.
PLUS is an extension of COMET to design software product line architectures.
An overview of PLUS is given in Chapter 19, with a complete and detailed descrip-
tion given in Gomaa (2005a). The example of how the Display Prompts superclass
and language-specific subclasses could be designed using a software product line
approach is described in Chapter 19.
20.7 PERFORMANCE
Performance is also an important consideration in many systems. Performance mod-
eling of a system at design time is important to determine whether the system
will meet its performance goals, such as throughput and response times. Perfor-
mance modeling methods include queuing modeling (Gomaa and Menasce 2001;
Menasce and Gomaa 2000) and simulation modeling. Performance modeling is par-
ticularly important in real-time systems, in which failing to meet a deadline could
be catastrophic. Real-time scheduling in conjunction with event sequence modeling
is an approach for modeling real-time designs that are executing on given hardware
configurations.
In COMET/RT, performance analysis of software designs is achieved by apply-
ing real-time scheduling theory. Real-time scheduling is an approach that is par-
ticularly appropriate for hard real-time systems that have deadlines that must be
met (Gomaa 2000). With this approach, the real-time design is analyzed to deter-
mine whether it can meet its deadlines. A second approach for analyzing the per-
formance of a design is to use event sequence analysis and to integrate this with the
real-time scheduling theory. Event sequence analysis is used to analyze scenarios
of communicating tasks and annotate them with the timing parameters for each of
the participating tasks, in addition to considering system overhead for interobject
communication and context switching (Gomaa 2000).
Consider the Banking System described in Chapter 21 and depicted on the
deployment diagram in Figure 20.4, which has the Banking Service executing on
a server node. Performance measurements for a banking service would include
response time to ATM Client requests and the transaction-processing rate in trans-
actions per second. A queuing model could be developed to estimate the perfor-
mance of the Banking System under different ATM transaction workloads and,
hence, to plan for the capacity required for the server, in terms of CPU, main
memory, and secondary storage, as well as the network bandwidth required. Esti-
mates can also be made for the amount of disk space required based on estimates
of the number and size of customer and account records. Performance comparisons
Software Quality Attributes 365
: BankingService
{1 server node}
20.8 SECURITY
Security is an important consideration in many systems. There are many potential
threats to distributed application systems, such as electronic commerce and banking
systems. There are several textbooks that address computer, information, and net-
work security, including Bishop (2004) and Pfleeger (2006). Some of the potential
threats are as follows:
COMET extends the use case descriptions to allow the description of nonfunc-
tional requirements, which include security requirements. An example of the exten-
sion of use cases to allow nonfunctional requirements is given in Chapter 6.
366 Architectural Design
The following list describes how these potential threats can be addressed for
the Banking System (note that not all of these threats can be addressed solely by
software means):
20.9 AVAILABILITY
Availability addresses system failure and its impact on users or other systems. There
are times when the system is not available to users for scheduled system mainte-
nance; this planned unavailability is not usually counted in measures of availabil-
ity. However, unplanned system maintenance necessary as a result of system fail-
ure is always counted. Some systems need to be operational at all times; thus, the
effect of a system failure on a system controlling an airplane or spacecraft could be
catastrophic.
Fault-tolerant systems have recovery built into them so that the system can
recover from failure automatically. However, such systems are typically very expen-
sive, requiring such capabilities as triple redundancy and voting systems. Other less
expensive solutions are possible, such as a hot standby, which is a machine ready
for usage very soon after the failure of the system. The hot standby could be for a
server in a client/server system. It is possible to design a distributed system without
a single point of failure, such that the failure of one node results in reduced service,
with the system operational in a degraded mode. This is usually preferable to having
no service whatsoever.
From a software design perspective, support for availability necessitates the
design of systems without single points of failure. COMET supports availability by
providing an approach for designing distributed component-based software archi-
tectures that can be deployed to multiple nodes with distributed control, data, and
services, so that the system does not fail if a single node goes down but can operate
in a degraded mode.
Software Quality Attributes 367
Operator
Presentation
«wide area network» {1 node per
operator}
Monitoring Data
Alarm Service Service
{1 node per {1 node per
region} region}
For the case study examples, the hot standby could be used for the Banking
System, which is a centralized client/server system in which the Bank Server is a
single point of failure (Figure 20.4). A hot standby is a backup server that can be
rapidly deployed if the main server goes down. An example of a distributed system
without a single hardware point of failure is the Emergency Monitoring System, in
which the user I/O components, the monitoring and alarm services, and the operator
interaction components can all be replicated. There are several instances of each of
the client components, so if a component goes down, the system can still operate.
The services can be replicated so that there are multiple instances of Monitoring
Data Service and Alarm Service. This is illustrated in the deployment diagram in
Figure 20.5. It is assumed that the network used is the Internet, in which there might
be local failures but not a global failure, so that individual nodes or even regional
subnets might be unavailable at times but other regions would still be operational.
20.10 SUMMARY
This chapter described the software quality attributes of a software architecture and
how they are used to evaluate the quality of the software architecture. The soft-
ware quality attributes described in this chapter include maintainability, modifia-
bility, testability, traceability, scalability, reusability, performance, availability, and
security. Software quality attributes are described in more detail in Bass, Clements,
and Kazman (2003) and Taylor, Medvidovic, and Dashofy (2009).
Case Studies
21
This chapter describes how the COMET/UML software modeling and design
method is applied to the design of a client/server software architecture (see Chapter
15): a Banking System. In addition, the design of the ATM Client is an example of
concurrent software design (see Chapter 18), and the design of the Banking Service
is an example of sequential object-oriented software design (see Chapter 14).
The problem description is given in Section 21.1. Section 21.2 describes the use
case model for the Banking System. Section 21.3 describes the static model, covering
static modeling of both the system context and entity classes. Section 21.4 describes
how to structure the system into objects. Section 21.5 describes dynamic model-
ing, in which interaction diagrams are developed for each of the use cases. Section
21.6 describes the ATM statechart. Sections 21.7 through 21.14 describe the design
model for the Banking System.
371
372 Case Studies
the system determines that sufficient funds exist in the requested account, that the
maximum daily limit will not be exceeded, and that there are sufficient funds at the
local cash dispenser. If the transaction is approved, the requested amount of cash is
dispensed, a receipt is printed that contains information about the transaction, and
the card is ejected. Before a transfer transaction can be approved, the system deter-
mines that the customer has at least two accounts and that there are sufficient funds
in the account to be debited. For approved query and transfer requests, a receipt
is printed and the card ejected. A customer may cancel a transaction at any time;
the transaction is terminated, and the card is ejected. Customer records, account
records, and debit card records are all maintained at the server.
An ATM operator may start up and close down the ATM to replenish the ATM
cash dispenser and for routine maintenance. It is assumed that functionality to open
and close accounts and to create, update, and delete customer and debit card records
is provided by an existing system and is not part of this problem.
Withdraw Funds
«include»
«include»
Query Account Validate PIN
ATM
Customer
«include»
Transfer Funds
Add Cash
Startup
ATM Operator
Shutdown
However, by comparing the three use cases, it can be seen that the first part of
each use case – namely, reading the ATM card and validating the customer’s PIN –
is common to all three use cases. This common part of the three use cases is factored
out as an inclusion use case called Validate PIN.
The Withdraw Funds, Query Account, and Transfer Funds use cases can then each
be rewritten more concisely as concrete use cases that include the Validate PIN inclu-
sion use case. The relationship between the use cases is shown in Figure 21.1. The
concrete Withdraw Funds use case starts by including the description of the Vali-
date PIN inclusion use case and then continues with the Withdraw Funds description.
The concrete Transfer Funds use case also starts with the description of the Validate
PIN inclusion use case, but then continues with the Transfer Funds description. The
revised concrete Query Account use case is similarly organized. The inclusion use
case and concrete use cases are described next.
The main sequence of the Validate PIN use case deals with reading the ATM
card, validating the customer’s PIN and card. If validation is successful, the system
prompts the customer to select a transaction: withdrawal, query, or transfer. The
alternative branches deal with all the possible error conditions, such as the customer
enters the wrong PIN and must be re-prompted, or an ATM card is not recognized
or has been reported stolen, and so on. Because these can be described quite simply
in the alternative sequences, splitting them off into separate extension use cases is
not necessary.
374 Case Studies
Main sequence:
1. Include Validate PIN use case.
2. Customer selects Withdrawal, enters the amount, and selects the
account number.
3. System checks whether customer has enough funds in the account
and whether the daily limit will not be exceeded.
4. If all checks are successful, system authorizes dispensing of cash.
5. System dispenses the cash amount.
6. System prints a receipt showing transaction number, transaction type,
amount withdrawn, and account balance.
7. System ejects card.
8. System displays Welcome message.
Alternative sequences:
Step 3: If the system determines that the account number is invalid, then it
displays an error message and ejects the card.
Step 3: If the system determines that there are insufficient funds in the
customer’s account, then it displays an apology and ejects the card.
Step 3: If the system determines that the maximum allowable daily with-
drawal amount has been exceeded, it displays an apology and ejects the
card.
Step 5: If the ATM is out of funds, the system displays an apology, ejects
the card, and shuts down the ATM.
Postcondition: Customer funds have been withdrawn.
Bank
1
Provides
service for
1..*
Maintains
ATM
1 1
ATM Operator
1 1 1 1
ATMCustomer
CardReader CashDispenser ReceiptPrinter
KeypadDisplay
1 1
1 1
Inserts Dispenses
card into cash to
Prints
Interacts
receipt for
through 1
1 1
1
ATM
Customer
Figure 21.2. Conceptual static model for problem domain
«external I/O
device»
1 1..*
CardReader
Outputs
Inputs to
to
1 1 ATM Operator
Outputs
«external output to
1..*
1 1 device» 1 1
ReceiptPrinter Interacts
1 with
Interacts
«software system»
1 1..* «external user»
1 with 1 Banking
Operator
1
System
1 «external user» 1..*
ATM 1
ATMCustomer
Customer
KeypadDisplay
Outputs to
1..*
1 «external output
device»
CashDispenser
1..*
Administers
«entity» Identifies
1 Customer
Owns
1..*
Owns
1..* 0..1
Provides 1..*
*
Access to
«entity»
CardAccount
Figure 21.4. Conceptual static model for Banking System: entity classes
379
380 Case Studies
Figure 21.5. Conceptual static model for Banking System: class attributes
«entity»
ATMTransaction
bankId: String
ATMId: String
date: Date
time: Time
transactionType: String
cardId: String
PIN: String
status: Integer
Figure 21.6. Conceptual static model for Banking System: class attributes (continued)
«entity» «entity»
CardAccount ATMInfo
cardId: String bankId: String
accountNumber: String ATMId: String
accountType: String ATMLocation: String
ATMAddress: String
«entity» «entity»
ATMCash ATMCard
cashAvailable: Integer cardId: String
fives: Integer startDate: Date
tens: Integer expirationDate: Date
twenties: Integer
Figure 21.7. Conceptual static model for Banking System: class attributes (continued)
Client/Server Software Architecture Case Study 381
Account. The attributes of Card Account are Card Id, account Number, and account
Type.
Entity classes are also required to model other information described in Sec-
tion 21.2. These include ATM Card, which represents the information read off the
magnetic strip on the plastic card. ATM Cash holds the amount of cash maintained
at an ATM, in five-, ten-, and twenty-dollar bills. The Receipt holds information
about a transaction, and because it holds similar information to the Transaction class
described earlier, a separate entity class is unnecessary.
«external user»
1 Operator
«external output
device» 1
ReceiptPrinter «software system»
BankingSystem
1
1
«client» Requests service from
«service»
«external I/O «subsystem»
1 1 1..* 1 «subsystem»
device» ATMClient
BankingService
CardReader Subsystem
1 Subsystem
«external output 1
device»
CashDispenser
1 «external user»
ATMCustomer
KeypadDisplay
«software system»
BankingSystem
Inputs to
«external I/O «input/output»
1 1
1 device» CardReader
CardReader Interface
Outputs to
1 1 ATM
Outputs to Operator
1 «external output «output» 1
1 1 1
1 device» ReceiptPrinter Interacts
ReceiptPrinter Interface «user interaction» with
ATM 1 1 1 «external user»
Operator
Customer Interacts Operator
1 Interaction
with
«external user» «user interaction»
1 1
ATMCustomer Customer
KeypadDisplay Interaction
Outputs to
1 «external output «output»
1 1
device» CashDispenser
CashDispenser Interface
system is given in the problem description. Both subsystems are depicted as aggre-
gate classes, with a one-to-many association between the Banking Service Subsystem
and the ATM Client Subsystem. All the external classes interface to and communicate
with the ATM Client Subsystem.
determine the need for the Card Reader Interface object to read the ATM card. The
information read off the ATM card needs to be stored, so we identify the need for
an entity object to store the ATM Card information. The Customer Interaction object
is used for interacting with the customer via the keyboard/display, in this case to
prompt for the PIN. The information to be sent to the Banking Service Subsystem for
PIN validation is stored in an ATM Transaction. For PIN validation, the transaction
information needs to contain the PIN number and the ATM Card number. To con-
trol the sequence in which actions at the ATM take place, we identify the need for
a control object, ATM Control.
Next consider the objects in the Withdraw Funds use case, which is entered if
the PIN is valid and the customer selects withdrawal. In this use case, the cus-
tomer enters the amount to be withdrawn and the account to be debited, the sys-
tem checks whether the withdrawal should be authorized, and if positive, dispenses
the cash, prints the receipt, and ejects the card. For this use case, additional objects
are needed. The information about the customer withdrawal, including the account
number and withdrawal amount, needs to be stored in the ATM Transaction object.
To dispense the cash, a Cash Dispenser Interface object is needed. We also need to
maintain the amount of cash in the ATM, so we identify the need for an entity
object called ATM Cash, which is decremented every time there is a cash withdrawal.
Finally, we need a Receipt Printer Interface object to print the receipt. As before, the
ATM Control object controls the sequencing of the use case.
Inspecting the other use cases reveals that one additional object is needed,
namely, the Operator Interaction object, which participates in all use cases initiated
by the Operator actor. The Operator Interaction object needs to send startup and shut-
down events to ATM Control, because operator maintenance and ATM customer
activities are mutually exclusive.
Given the preceding analysis, Figure 21.10 shows the classes in the ATM Client
Subsystem, which is depicted as an aggregate class. In addition to the three device
«client»
«subsystem»
ATMClient
«state dependent
«I/O»
control»
CardReader
ATMControl
Interface «user
interaction»
Operator
«output» «entity» Interaction
ReceiptPrinter ATMTransaction
Interface
«user interaction»
Customer
Interaction
«entity»
«output»
ATMCard
CashDispenser
Interface
«entity»
ATMCash
I/O classes and two user interaction classes depicted in Figure 21.9, there are also
three entity classes and one state-dependent control class.
Account use cases on the ATM client, as well as for the use cases initiated by the
operator.
The Validate PIN and Withdraw Funds communication diagrams for the ATM
client are state-dependent. The state-dependent parts of the interactions are defined
by the ATM Control object, which executes the ATM statechart. The state-dependent
dynamic analysis approach is used to determine how the objects interact with each
other. Statecharts are shown for the two use cases in Figures 21.13 and 21.18, respec-
tively. The dynamic analysis for these two client-side use cases is described in Sec-
tions 21.5.1 and 21.5.3, respectively.
The Banking Service processes transactions from multiple ATMs in the order it
receives them. The processing of each transaction is self-contained; thus, the bank-
ing service part of the use cases is not state-dependent. Consequently, a stateless
dynamic analysis is needed for these use cases. The communication diagrams for
the server side Validate PIN and Withdraw Funds use cases are given in Figures 21.14
and 21.19. The dynamic analysis for these two server-side use cases is given in Sec-
tions 21.5.2 and 21.5.4, respectively.
Consider how the objects interact with each other. A detailed example is given
for the Validate PIN and Withdraw Funds use cases. On the client side, both commu-
nication diagram and sequence diagrams are shown. The same message sequence
numbering and message sequence description applies to both the sequence diagram
and the communication diagram.
1: The ATM Customer actor inserts the ATM card into the Card Reader. The
Card Reader Interface object reads the card input.
386 Case Studies
«subsystem»
: BankingService
«client»
1: Card «subsystem»
Reader : ATMClient 2.7 [Valid]:
2.6: Validate PIN
Input Valid PIN
(PIN Validation Transaction)
«external I/O «I/O» (Account #s)
device» : CardReader
: CardReader Interface 1.2: Card Inserted
Figure 21.11. Communication diagram: ATM client Validate PIN use case
1.1: The Card Reader Interface object sends the card input data, containing
Card Id, Start Date, Expiration Date to the entity object ATM Card.
1.2: Card Reader Interface sends the Card Inserted message to ATM Control.
The equivalent Card Inserted event causes the ATM Control statechart to
transition from Idle state (the initial state) to Waiting for PIN state. The
output event associated with this transition is Get PIN.
1.3: ATM Control sends the Get PIN message to Customer Interaction.
1.4: Customer Interaction displays the PIN Prompt to the ATM Customer
actor.
2: ATM Customer inputs the PIN number to the Customer Interaction object.
2.1: Customer Interaction requests card data from ATM Card.
2.2: ATM Card provides the card data to the Customer Interaction.
2.3: Customer Interaction sends Card Id, PIN, Start Date, Expiration Date, to
the ATM Transaction entity object.
2.4: ATM Transaction entity object sends the PIN Validation Transaction to
Customer Interaction.
2.5: Customer Interaction sends the PIN Entered (PIN Validation Transaction)
message to ATM Control. The PIN Entered event causes the ATM Control
statechart to transition from Waiting for PIN state to Validating PIN state.
The output event associated with this transition is Validate PIN.
2.6: ATM control sends a Validate PIN (PIN Validation Transaction) request to
the Banking Service.
2.7: Banking Service validates the PIN and sends a Valid PIN response to ATM
Control. As a result of this event, ATM Control transitions to Waiting for
«external I/O «external «I/O» «state dependent «user interaction»
«entity»
device» user» : CardReader : Customer «entity» «subsystem»
: ATMCard control»
: CardReader : ATM Interface Interaction : ATMTransaction : BankingService
: ATMControl
Customer
Keypad
Display
2: PIN Input
Figure 21.12. Sequence diagram: ATM client Validate PIN use case
387
388 Case Studies
Idle
Entry /
1.2: Card Inserted /
Display Welcome
1.3: Get PIN
Validating PIN
Waiting for
Customer Choice
Figure 21.13. Statechart for ATM Control: Validate PIN use case
Customer Choice state. The output events for this transition are Display
Menu and Update Status, which correspond to the output messages sent
by ATM Control.
2.8: ATM Control sends the Display Menu message to Customer Interaction.
2.8a: ATM Control sends an Update Status message to the ATM Transaction.
2.9: Customer Interaction displays a menu showing the Withdraw, Query,
and Transfer options to the ATM Customer.
«client»
«subsystem»
: ATMClient
«service»
«subsystem»
: BankingService V1: Validate PIN V7: Valid PIN
(PIN ValidationTransaction) (Account #s)
«business logic»
: PINValidation
TransactionManage r
V2: Validat e
(Card Id, PIN) V6: Log
V4: Read
V5: Account #s Transaction
(Card Id)
V3: Valid PI N
Figure 21.14. Communication diagram: Banking Service Validate PIN use case
In addition, each transaction has a business logic object that encapsulates the
business application logic to manage the execution of the transaction. The business
logic object receives the transaction request from the ATM Control object at the client
and then interacts with the entity objects to determine what response to return to
ATM Control. For example, the business logic object for the PIN Validation transac-
tion is the PIN Validation Transaction Manager.
The following message sequence description for the server side Validate PIN
interaction diagram corresponds to the communication diagram shown in Fig-
ure 21.14 and the sequence diagram shown in Figure 21.15.
V5: Account #s
Figure 21.15. Sequence diagram: Banking Service Validate PIN use case
390 Case Studies
V1: ATM Client sends the incoming Validate PIN request to the PIN Validation
Transaction Manager. The PIN Validation Transaction Manager contains the
business logic to determine whether the customer-entered PIN matches
the PIN stored in the Banking Service database.
V2: PIN Validation Transaction Manager sends a Validate (Card Id, PIN)
message to the Debit Card entity object, requesting it to validate this cus-
tomer’s debit card, given the card Id and customer-entered PIN.
V3: Debit Card checks that customer-entered PIN matches the Debit Card
record PIN, that card Status is okay (not reported missing or stolen), and
that Expiration Date has not passed. If card passes all checks, Debit Card
sends PIN Validation Transaction Manager a Valid PIN response.
V4: If validation is positive, PIN Validation Transaction Manager sends a mes-
sage to the Card Account entity object requesting it to return the account
numbers that may be accessed for this card Id.
V5: Card Account responds with the valid account numbers.
V6: PIN Validation Transaction Manager logs the transaction with the Trans-
action Log.
V7: PIN Validation Transaction Manager sends a Valid PIN response to the
ATM Client. If the PIN validation checks are satisfactory, the account
numbers are also sent.
«entity»
: ATMCash
3.15: Receipt
Printed
3.4a.1: Wait 3.11: Print
Prompt, 3.4a: Display Wait, Receipt
3.11a: Display Cash 3.6a: Update
3.11a.1: Cash
Dispensed, Status
Dispensed
3.19: Display Ejected (Amount, Balance)
Prompt,
3.20: Card Ejected 3.14: Printer
«external 3.12: Transaction Output
Prompt 3.1: Withdraw,
user» «user Request
: ATM interaction» Account #, Amount
Customer : Customer «entity» «output» «external output
Keypad Interface : ATM : ReceiptPrinter device»
3: Withdraw, Transaction Interface : ReceiptPrinter
Display Account #, 3.2: Withdrawal Transaction 3.13: Transaction
Amount Data
Figure 21.16. Communication diagram: ATM client Withdraw Funds use case
391
392
«external «external «I/O» «state «user «entity»
I/O device» : Card interaction» «output» «entity» «output» «subsystem»
user» dependent : ATM : CashDispenser
: Card Reader : Customer : ATMCash : ReceiptPrinter : Banking
: ATM control» Transaction Interface
Reader Interface Interface Interface Service
Customer : ATMControl
Keypad
Display
3: Withdraw, Account #, Amount 3.1: Withdraw,
Account #, Amount
3.3: Withdrawal
3.2: Withdrawa l
Selected
Transactio n
(Withdrawal Transaction)
3.4: Request Withdrawal (Withdrawal Transaction )
Figure 21.17. Sequence diagram: ATM client Withdraw Funds use case
Client/Server Software Architecture Case Study 393
Terminating
Ejecting
Processing
Dispensing
Withdrawal
3.5: Withdrawal Approved /
3.6: Dispense Cash,
3.6a: Update Status
Figure 21.18. Statechart for ATM Control: Withdraw Funds use case
W1: ATM Client sends the Request Withdrawal request to the Withdrawal
Transaction Manager, which contains the business logic for determin-
ing whether a withdrawal can be allowed. The incoming withdrawal
Client/Server Software Architecture Case Study 395
«client
«subsystem»
: ATMClient
«service»
«subsystem»
: BankingService
W1: Request Withdrawal W8: Withdrawal Approved
(Withdrawal Transaction) (Amount, Balance)
«business logic»
: Withdrawal
TransactionManager
W3: Status
Figure 21.20. Sequence diagram: Banking Service Withdraw Funds use case
396 Case Studies
exceeded for this card Id. Debit Card determines if: Total Withdrawn
Today + Amount Requested ≤ Daily Limit
W3: Debit Card responds to Withdrawal Transaction Manager with a positive
or negative Daily Limit Response.
W4: If the response is positive, Withdrawal Transaction Manager sends a
message to Account (which is an instance of either Checking Account or
Savings Account), requesting it to debit the customer’s account if there
are sufficient funds in the account. Account determines whether there
are sufficient funds in the account:
Account Balance – Amount Requested ≥ 0
If there are sufficient funds, Account decrements the balance by the
Amount Requested.
W5: Account responds to Withdrawal Transaction Manager with either With-
drawal Approved (Amount, Balance) or Withdrawal Denied.
W6: If the account was debited satisfactorily, the Withdrawal Transaction
Manager sends an Update Daily Total (Card Id, Amount) to Debit Card so it
increments the total withdrawn today by the amount requested.
W7: Withdrawal Transaction Manager logs the transaction with the Transac-
tion Log.
W8: Withdrawal Transaction Manager returns Withdrawal Approved
(Amount, Balance) or Withdrawal Denied to the ATM Client.
Startup Closedown
Card Inserted /
Get PIN
Idle After(Elapsed Time)
[Closedown Not Requested]
Entry / Display
Welcome
Rejected /
Eject,
Display Apology
Transfer Selected /
Request Transfer, Transfer Approved /
Display Wait Print Receipt,
Update Status
Query Selected /
Request Query, Display W ait Query Approved /
Processing Print Receipt,
Withdrawal Selected /
Transaction Update Status
Request Withdrawal,
Display Wait
Withdrawal Approved /
Dispense Cash,
Update Status
Card Inserted /
Get PIN
Idle
Entry / Display
Welcome
Processing
Customer
Input Cancel / Eject,
Waiting for Display Cancel
PIN Ejecting
Invalid PIN /
PIN Entered/
Invalid PIN Prompt
Validate PIN Card Stolen, Card Expired /
Confiscate, Update Status
Waiting for
Customer
Choice Transfer Selected /
Request Transfer,
Display Wait
Processing Transactio n
(a)
Waiting for
PIN
Validating
PIN
Third Invalid PIN /
Invalid PIN/ Confiscate
Validating PIN Update Status Checking PIN
Confiscating
and Card Status
Card Stolen, Card Expired /
Confiscate, Update Status
Valid PIN /
Display Menu,
Update Status
Waiting for
Customer
Choice
(b)
Figure 21.22. Statechart for ATM Control: Processing Customer Input composite state
Client/Server Software Architecture Case Study 399
to the customer. When the customer enters the PIN number, the PIN Entered event
causes a transition to the Validating PIN substate, during which the Banking Service
determines whether the customer-entered PIN matches the PIN stored by the Bank-
ing System for this particular card. There are three possible state transitions out
of the Validating PIN state. If the two PIN numbers match, the Valid PIN transition
is taken to the Waiting for Customer Choice state. If the PIN numbers do not match,
the Invalid PIN transition is taken to re-enter the Waiting for PIN state and allow
the customer to enter a different PIN number. If the customer-entered PIN is still
invalid after the third attempt, the Third Invalid transition is taken to the Confiscating
substate of the Terminating Transaction composite state.
The Validating PIN substate is itself a composite state consisting of two substates:
Validating PIN and Card as well as Checking PIN Status (see Figure 21.22b). In the first
substate, the card Id (read off card) and PIN (entered by customer) combination are
validated by comparing them with the card Id/PIN combination stored in the Card
Account entity object. In addition, the card Id is checked to ensure that the card is
not lost or stolen. If the validation is successful, the ATM transitions to Waiting for
Customer Choice. If the card is lost or stolen, the ATM transitions to Confiscating
state. However, if the PIN is invalid, an additional check needs to be made to deter-
mine whether this is the third time that the PIN is incorrect. It is better to store the
Invalid PIN count at the client rather than the server, because this is a local ATM
concern. An invalid PIN count is therefore stored in ATM Transaction. This count is
updated and checked after each invalid PIN response from the server – if the count
is less than three, then the ATM transitions back to Waiting for PIN. If the count is
Third Invalid PIN, then the ATM transitions to Confiscating state.
The customer can also press the Cancel button on the ATM machine in any of
the three Processing Customer Input substates. The Cancel event transitions the ATM
to the Ejecting substate of the Terminating Transaction composite state. Because the
Cancel event can occur in any of the three substates of the Processing Customer Input
composite state, it is more concise to show the Cancel transition leaving the compos-
ite state.
Closed Down
Entry / Display After(Elapsed Time)[Closedown Was Requested]
System Down
Terminatin g
Card Confiscated /
Display Confiscated
Stolen Card, Expired Card /
Confiscate, Update Status
Third Invalid PIN / Card Ejected /
Confiscating Display Ejected
Processing Confiscate
Customer
Input Cancel / Eject,
Display Cancel
Receipt Printed /
Transfer Approved / Insufficient
Eject
Print Receipt, Cash /
Update Status Eject,
Processing Query Approved / Abort
Print Receipt, Cash
Transaction Printing
Update Status Dispensed
Cash Dispensed /
Print Receipt,
Display Cash Dispensed,
Confirm Cash Dispensed
Withdrawal Approved /
Dispense Cash,
Update Status
Dispensing
Figure 21.24. Statechart for ATM Control: Terminating Transaction composite state
and Processing Query. Depending on the customer’s selection – for example, with-
drawal – the appropriate substate within Processing Transaction – for example, Pro-
cessing Withdrawal – is entered, during which the customer’s request is processed.
From Waiting for Customer Choice state, the customer may select Withdraw,
Query, or Transfer and enter the appropriate substate within the Processing
Transaction composite state (see Figure 21.23) – for example, Processing Withdrawal.
When a Withdrawal transaction is completed, the event Withdrawal Approved is
issued if the customer has enough funds, and the Dispensing substate of the Ter-
minating Transaction composite state is entered (Figure 21.24). Alternatively, if the
customer has insufficient funds or has exceeded the daily withdrawal limit, a Rejected
event is issued.
The actions associated with the transition to Dispensing state are to Dispense Cash
and Update Status. After the Cash Dispensed event has taken place, the ATM tran-
sitions to Printing state to print the receipt. The action Print Receipt is executed at
the transition. When the receipt is printed, the state Ejecting is entered and the Eject
action is executed. When the card has been ejected (event Card Ejected), the Termi-
nating state is entered.
For the Query and Transfer transactions, the sequence of states following
approval of the transaction is similar, except that no cash is dispensed, as can be
seen on the ATM statecharts.
«client» Dispenser
«subsystem» Output
: ATMClient «output» «external
: Cash output device»
Card Dispenser : Cash
Reader Interface Dispenser
Card Inserted, Dispense Cash
Input
Card Ejected, (Cash details)
«external I/O «I/O» Cash
Card Confiscated Cash
device» : CardReader Withdrawal
: CardReader Interface Amount Response
Card
Reader
Cash «entity»
Output Eject,
Dispensed : ATMCash
Confiscate
Card «state dependent
Customer Start Up, Cash
Input control»
Events Closedown Added
Data : ATMControl
(Transaction Operator
details) Information
«user
«entity» interaction» «external user»
: ATMCard Display
: Operator : Operator
Prompts
Interaction
Operator
Update Input
Receipt
Card Card Transaction Printed
Data Request Status
(Cash details),
Update Print
PIN Status Receipt
Customer Customer Info., Transaction Printer
Input Customer Selection Data Output
«user «output» «external output
«external user» «entity»
interaction» : Receipt device»
: ATMCustomer : ATM
: Customer Printer : Receipt
KeypadDisplay Transaction
Interaction Interface Printer
Display Transaction Transaction
Information Details Request
«client»
«subsystem»
: ATMClient
ATM Bank
Transactions Responses
«service»
«subsystem»
«coordinator»
: BankingService
: BankTransaction
Coordinator
Transfer
Transaction
Query Query
Withdraw, PIN Validation
Transaction Response
Confirm, Request
Withdraw Abort
Transfer PIN
Response
Response Validation
«business logic» Response
«business logic» «business logic» «business logic»
: Query
: Transfer : Withdrawal : PINValidation
Transaction
Transaction Transaction Transaction
Account Manager
Manager Manager Manager
Data Read Account Log
Data
Account Card
Data Account Data
Data Read
Debit, Debit,
Credit, Account
Credit,
Read Read Check, Numbers
Read Account
Debit, Account Update
Credit, Data
Data Log
Read Log Daily Validate
Limit
Log Debit, Response
«database wrapper» Credit, «database «database
«database «database
: Checking Read wrapper» wrapper»
wrapper» wrapper»
Account : Savings : Card
: TransactionLog : DebitCard
Account Account
Now consider the Banking Service Subsystem. Figures 21.14 and 21.19 are the
communication diagrams for the server-side Validate PIN and Withdraw Funds use
cases. Additional communication diagrams are needed for the server-side Transfer
Funds and Query Account use cases. The integrated communication diagram for the
Banking Service Subsystem is shown in Figure 21.26. For each transaction, there is a
transaction manager object that encapsulates the business logic for the transaction.
These are the PIN Validation Transaction Manager, Withdrawal Transaction Manager,
Query Transaction Manager, and Transfer Transaction Manager objects. In addition,
it is decided at design time that there is a need for a coordinator object, the Bank
Transaction Coordinator, which receives client requests and delegates them to the
appropriate transaction manager, as described in Chapter 15.
«external I/O
device»
: CardReader
cardReaderInput cardReaderOutput
«software system»
: BankingSystem
«external I/O
device»
: CardReader
cardReaderInput cardReaderOutput
«software system»
customer : BankingSystem
Input
«external user» ATMTransaction
: ATMCustomer «client» «service»
KeypadDisplay «subsystem» «subsystem»
display : ATMClient : BankingService
Information bankResponse
operator
Input
dispenser
printer Output
«external user» operator
Output
: Operator Information
task design described in this section leads to the concurrent communication diagram
shown in Figure 21.29.
ATM Bank
Transactions Responses
«client»
«subsystem» Dispenser
: ATMClient «demand» Output «passive»
«output» «output device»
Card : CashDispenser : Cash
Reader Interface Dispenser
Input Card Inserted, Dispense Cash
«event driven» «event driven» Cash
Card Ejected, (Cash Amount) Cash
«external I/O «I/O» Withdrawal
Card Confiscated Response
device» : CardReader Amount
: CardReader Interface
Card
Reader «data
Output abstraction»
Eject, «demand» : ATMCash
Card Confiscate «state dependent
Input control» Start Up, Cash
Data : ATMControl Closedown Added
Customer Operator
Events «event driven» Information
«data (Transaction «user
abstraction» details) Display «external user»
interaction»
: ATMCard Prompts : Operator
: Operator
Interaction Operator
Update Input
Receipt
Transaction
Card Card Printed
Status
Data Request
(Amount, Balance),
Update Print
PIN Status Receipt
Figure 21.29. Task architecture: initial concurrent communication diagram for ATM client subsystem
Client/Server Software Architecture Case Study 407
receives the PIN, reads the card information from ATM Card, and then writes the
card and PIN information to ATM Transaction, which is also a passive data abstrac-
tion object. Because the ATM Card and ATM Transaction data abstraction objects are
each accessed by more than one task, they are both placed outside any task.
Next, consider the communication diagram supporting the Withdraw Funds use
case, which has many of the same objects as the Validate PIN communication dia-
gram. The additional objects are Receipt Printer Interface, Cash Dispenser Interface,
and ATM Cash.
The external Cash Dispenser is a passive output device, so it does not need an
event driven output task. Instead, the Cash Dispenser Interface object is structured as
a demand driven output task, which is activated on demand by message arrival from
ATM Control. Similarly, the Receipt Printer Interface object is structured as a demand
driven output task, which is activated by message arrival from the ATM Control task.
The Operator Interaction user interaction object (see Figure 21.24), which partic-
ipates in the three operator-initiated use cases, is also mapped to an event driven
user interaction task (see Figure 21.29). The ATM Cash entity object is a passive data
abstraction object and thus does not need a separate thread of control, which is
accessed by both the Cash Dispenser Interface and Operator Interaction tasks.
To summarize, there is one event driven I/O task, Card Reader Interface, one
demand driven state-dependent control task, ATM Control, two demand driven out-
put tasks, Cash Dispenser Interface and Receipt Printer Interface, and two event driven
user interaction tasks, Customer Interaction and Operator Interaction. There are three
passive entity objects, ATM Card, ATM Transaction, and ATM Cash, which are all cate-
gorized further as data abstraction objects.
ATM bank
Transaction Response
«client»
«subsystem» dispense dispenser «demand»
: ATMClient (cashAmount) «demand» Output «external
«output» output
card : CashDispenser device»
Reader Interface : Cash
Input cardInserted, Dispenser
«event driven» «event driven» cardEjected, withdrawCash
«external I/O «I/O» cardConfiscated (in cashAmount,
device» : CardReader
: CardReader card Interface out fivesToDispense,
Reader out tensToDispense,
Output out twentiesToDispense)
write «demand»
(cardId, eject, «state «data
startDate, confiscate dependent abstraction»
expiration control» : ATMCash
Date) customer
: ATMControl
Event addCash
«data (transaction startUp, (in fivesAdded,
abstraction» Details) display closedown in tensAdded,
: ATMCard Prompts in twentiesAdded)
operator
read «event driven» Information
(out update «user «external
cardId, Transaction interaction» user»
out Status : Operator : Operator
Interaction operator
startDate, (amount, balance),
updateCustomerInfo Input
out updatePINStatus print
expiration (cardData, PIN), (inout status), (receiptInfo)
Date) updateCustomerSelection printer
Customer (in selection, Output
«event driven» read(out transaction «demand»
«event driven» Input out transactionDetails) «data «demand»
«user Data) «external
«external user» abstraction» «output»
interaction» output device»
: ATMCustomer : AT M : ReceiptPrinter
: Customer : Receipt
KeypadDisplay Display Transaction Interface
Interaction Printer
Information
Figure 21.30. Task architecture: revised concurrent communication diagram for ATM client subsystem
Client/Server Software Architecture Case Study 409
Consider the interface between Customer Interaction and ATM Control. Should it
be asynchronous or synchronous? First, consider a synchronous with response sce-
nario. Customer Interaction sends a Withdrawal request to ATM Control, which then
sends the transaction to the Banking Service. After receiving the Server’s response,
ATM Control sends a display prompt to Customer Interaction. In the meantime, it
is not possible for Customer Interaction to have any interaction with the customer,
because it is suspended, waiting for the response from the ATM Control. This is unde-
sirable from the customer’s viewpoint. Consider, instead, an asynchronous inter-
face, as shown in Figure 21.30. With this approach, Customer Interaction sends the
Withdrawal request to ATM Control and does not wait for a response. In this case,
Customer Interaction can respond to customer inputs such as a Cancel request before
a response is received from the server. Customer Interaction receives responses from
ATM Control as a separate asynchronous message interface. Customer Interaction is
designed to be capable of receiving inputs from either the customer or ATM Control.
It processes whichever input comes first.
The Operator Interaction task’s interface is also asynchronous. The operator
actor’s requests are independent of the customer’s requests, so messages from the
customer and the operator could arrive in any order at ATM Control. To allow for
this, ATM Control receives all incoming messages on a message queue and processes
them on a FIFO basis.
The two output tasks, Cash Dispenser Interface and Receipt Printer Interface, are
activated by messages arriving from ATM Control on demand. In each case, the out-
put task is idle prior to the arrival of the message, so a synchronous interface is
acceptable because it will not hold up ATM Control. In Figure 21.30, the concur-
rent communication diagram is updated to show the task interfaces.
read. The first two operations are invoked by the Customer Interaction task. The next
two operations are invoked by the ATM Control task. The read operation is invoked
by the Receipt Printer Interface task prior to printing the receipt.
There is one state-machine class, namely, ATM State Machine, which is internal
to the ATM Control task and encapsulates the ATM statechart, which is implemented
as a state transition table. The operations are process Event and current State, which
are standard operations for a state-machine class.
The design of the classes is shown in more detail in Figure 21.31, which shows
the attributes and operations of the classes.
«data abstraction»
ATMTransaction
«state machine»
- transactionId: String ATMStateMachine
- cardId: String
- PIN: String + processEvent (in event, out action)
- date: Date + currentState () : state
- time: Time
- amount: Real
- balance: Real
- PINCount: Integer
- status: Integer
+ createTransaction ()
+ updateCustomerInfo (cardData, PIN)
+ updateCustomerSelection (in selection, out
transactionData)
+ updatePINStatus (inout status)
+ updateTransactionStatus (amount, balance)
+ read (out transactionData)
411
412
ATM
Transaction
«client»
«subsystem»
: ATMClient
bank
Response
«service»
«subsystem»
: BankingService
«coordinator»
: BankTransaction
Coordinator
Transfer
Transaction
Query
Query Response Withdraw, PIN Validation
Transaction Confirm, Request
Withdraw Abort
Transfer PIN
Response
Response Validation
«business logic» Response
«business logic» «business logic» «business logic»
: Query
: Transfer : Withdrawal : PINValidation
Transaction
Transaction Transaction Transaction
Account Manager
Manager Manager Manager
Data Read Account
Log
Data
Account
Data Card
Account
Data
Data Debit, Check, Read
Debit, Credit, Update Account
Credit, Read Read Numbers
Read Account
Debit, Account
Credit, Data Data
Read Log Daily Validate
Log
Limit
Log Debit, Response
«database wrapper» Credit, «database «database
«database «database
: Checking Read wrapper» wrapper»
wrapper» wrapper»
Account : Savings : Card
: TransactionLog : DebitCard
Account Account
Figure 21.32. Initial concurrent communication diagram for Banking Service subsystem
Client/Server Software Architecture Case Study 413
«database wrapper»
Account {abstract}
«business logic»
QueryTransactionManager
+ initialize ()
+ query (in accountNumber,
out q_response)
«business logic»
TransferTransactionManager
+ initialize ()
+ transfer (in fromAccountNumber,
in toAccountNumber, in amount,
out t_response)
«business logic»
PinValidationTransactionManager
+ initialize ()
+ validatePIN (in cardID, in PIN,
out v_response)
«business logic»
WithdrawalTransactionManager
+ initialize ()
+ withdraw (in accountNumber, in amount,
out w_response)
+ confirm (accountNumber, amount)
+ abort (accountNumber, amount)
Manager, the Query Transaction Manager, and the Transfer Transaction Manager, as
shown in Figure 21.34. Each transaction manager handles an atomic transaction.
For example, the Withdrawal Transaction Manager provides a withdraw operation,
which is called to handle a customer request to withdraw funds, as well as two other
operations. The confirm operation is called when an ATM Client confirms that the
cash was dispensed to the client. The abort operation is called when an ATM Client
aborts the transaction, for example, because the cash dispenser failed to dispense
the cash or the customer cancelled the transaction.
The Bank Transaction Coordinator actually receives the messages FIFO from the
ATM Clients. For each message, it determines the type of the transaction and then
delegates the transaction processing to the appropriate transaction manager. Each
transaction is processed to completion, with the response returned to the Bank Trans-
action Coordinator, which in turn sends the response to the appropriate ATM Client.
The Bank Transaction Coordinator then processes the next transaction message.
Figure 21.32 shows the initial design of the Banking Service Subsystem In the ini-
tial concurrent communication diagram for the Banking Service, all interfaces are
simple messages. Figure 21.35 shows the final version of the Banking Service Sub-
system concurrent communication diagram. Communication between the multiple
instances of the ATM Client and the Banking Service is synchronous with reply. All
internal interaction within the Banking Service is between passive objects; hence,
all internal interfaces are defined in terms of operation calls (depicted by using the
synchronous message notation).
«service»
«subsystem»
: BankingService «coordinator»
: BankTransaction validatePIN(in cardId, in PIN, out v_response)
transfer(in fromAccount#,
Coordinator
in toAccount#, in amount,
out t_response)
withdraw(in account#,
in amount, out w_response), «business logic»
query(in account#, confirm(account#, amount), : PINValidation
out q_response) abort(account#, amount) Transaction
Manager
«business logic» «business logic»
«business logic»
readBalance, : Query : Withdrawal
: Transfer log
readLast Transaction Transaction
Transaction Deposit (in transaction) read(in cardId,
Manager Manager
Manager Amount out account#)
debit(account#,
amount), checkDailyLimit
credit(account#, (cardId, amount),
amount), updateDailyTotal
readBalance log readBalance, (cardId, amount)
read log
(in transaction)
Cumulative (in transaction)
Interest
debit(account#,
log amount), validate(in cardID,
(in credit(account#, in PIN,
transaction) amount), out status)
debit(account#, readBalance
debit(account#,
«database amount), amount), «database «database
wrapper» «database credit(account#, wrapper» «database wrapper»
credit(account#,
: Checking amount), wrapper» amount), : Savings wrapper» : Card
Account readBalance : TransactionLog readBalance Account : DebitCard Account
Figure 21.35. Revised concurrent communication diagram for Banking Service subsystem
Client/Server Software Architecture Case Study 417
Id, which consists of a concatenated key: bankId, ATMId, date, time. bankId
and ATMId are also foreign keys because they allow navigation to the Bank and
ATMInfo tables. ATMInfo has a concatenated primary key consisting of bankId,
ATMId, with bankId also a foreign key. The attributes date and time provide a time
stamp to uniquely identify a transaction.
: BankingService
{1 server node}
«service»
«subsystem» withdrawal
Response «demand» validation
: BankingService Response
«coordinator»
: BankTransaction validatePIN(in cardId, in PIN)
query Coordinator
Response
transfer
Response transfer(in fromAccount#, withdraw(in account#, «demand»
in toAccount#, in amount) in amount), «business logic»
query(in account#) confirm(account#, amount) , : PINValidation
abort(account#, amount)
Transaction
Manager
«demand» «demand» «demand»
«business logic» «business logic» «business logic»
: Transfer : Query : Withdrawal
Transaction Transaction Transaction
Manager Manager Manager
Figure 21.37. Alternative design for Banking Service: concurrent service design for Banking System
Client/Server Software Architecture Case Study 419
Dispensed. The event sequencing logic is given below, which describes most of the
actions executed by ATM Control. After the execution of each action case, the next
execution step is a transfer to the end of the pseudocode case block (for brevity,
the transfer is not explicitly shown below). The pseudocode for the ATM Control task
follows:
loop
-- Messages from all senders are received on Message Queue
Receive (ATMControlMessageQ, message);
-- Extract the event name and any message parameters
-- Given the incoming event, lookup state transition table;
-- change state if required; return action to be performed;
newEvent = message.event
outstandingEvent = true;
while outstandingEvent do
ATMStateMachine.processEvent (in newEvent, out action);
outstandingEvent = false;
-- Execute action(s) as given on ATM Control statechart
case action of
Get PIN: -- Prompt for PIN;
send (promptMessageQueue, displayPINPrompt);
Validate PIN: --Validate customer entered PIN at Banking Service;
send (Banking Service, in validatePIN, out
validationResponse);
newEvent = validationResponse; outstandingEvent = true;
Display Menu: -- Display selection menu to customer;
send (promptMessageQueue,displayMenu);
ATMTransaction.updatePINStatus (valid);
Invalid PIN Action: -- Display Invalid PIN prompt;
send (promptMessageQueue, displayInvalidPINPrompt);
ATMTransaction.updatePINStatus (invalid);
Request Withdrawal: -- Send withdraw request to Banking
Service;
send (promptMessageQueue, displayWait);
send (Banking Service, in withdrawalRequest, out
withdrawalResponse);
newEvent = withdrawalResponse; outstandingEvent = true;
Request Query: -- Send query request to Banking Service;
send (promptMessageQueue, displayWait);
send (Banking Service, in queryRequest, out queryResponse);
newEvent = queryResponse; outstandingEvent = true;
Request Transfer: -- Send transfer request to Banking Service;
send (promptMessageQueue, displayWait);
send (Banking Service, in transferRequest, out
transferResponse);
newEvent = transferResponse; outstandingEvent = true;
422 Case Studies
loop
receive (ATMClientMessageQ, message) from Banking Service Message Queue;
Extract message name and message parameters from message;
case Message of
Validate PIN:
-- Check that ATM Card is valid and that PIN entered by
-- customer matches PIN maintained by Server;
PINValidationTransactionManager.ValidatePIN
(in CardId, in PIN, out validationResponse);
-- If successful, validation Response is valid and return
-- Account Numbers accessible by this debit card;
Client/Server Software Architecture Case Study 423
The Online Shopping System case study is a highly distributed World Wide Web–
based system that provides services for purchasing items such as books or clothes.
The solution uses a service-oriented architecture with multiple services; coordina-
tor objects are used to facilitate the integration of the services. In addition, object
brokers are used to provide service registration, brokering, and discovery. Services
include a catalog service, an inventory service, a customer account service, a delivery
order service, an email service, and a credit card authorization service.
The problem is described in Section 22.1. Section 22.2 describes the use case
model for the Online Shopping System. Section 22.3 describes the static model,
which includes the system context model that depicts the boundary between the
system and the external environment. This section also describes the use of broker
technology in this system before going on to describe static modeling of the entity
classes. Section 22.4 describes how to structure the system into objects. Section 22.5
describes dynamic modeling, in which communication diagrams are developed for
each of the use cases. Section 22.6 describes the design model for the system, which
is designed as a layered architecture based on the Layers of Abstraction pattern
consisting of services and components.
424
Service-Oriented Architecture Case Study 425
Confirm
Make Order Shipment
Request and Bill
Customer Customer
Supplier
View Order
alternative sequences of the use case, depicting exactly how they diverge from each
other.
The activity diagram describing the sequence of use case activities for Browse
Catalog, which corresponds to the preceding description of the main sequence of
the use case, is depicted in Figure 22.2.
Request
Catalog Information
Request
Catalog Items
Display Catalog
Items
Request Items
from Catalog
Select Items
from Catalog
Receive
Order Request
[account exists]
Create Get
New Account Account Information
Authorize
Credit Card
[invalid]
[valid]
Display Create
Invalid Credit Card New Delivery Order
Figure 22.3. Activity diagram for Make Order Request use case
The activity diagram for Make Order Request (Figure 22.3) depicts the activities
that correspond to the main sequence of the use case, for making an order and
authorizing the credit card, as well as the two alternatives that deal with creating a
new account and denying credit card authorization.
Main sequence:
1. Supplier requests next delivery order.
2. System retrieves and displays delivery order.
3. Supplier requests inventory check on items for delivery order.
4. System determines that items are available in inventory to satisfy
delivery order and reserves items.
5. System displays inventory information to Supplier and confirms that
items are reserved.
Alternative sequence: Step 4: If item is out of stock, system displays warn-
ing message.
Postcondition: System has reserved inventory items for delivery order.
The activity diagram for Process Delivery Order (Figure 22.4) depicts the activ-
ities corresponding to the main sequence of the use case, for viewing and reserving
inventory items, as well the alternative sequence dealing with inventory item(s) out
of stock.
Receive
Delivery Order
Request
Check Inventory
for Order Items
[items available]
Display Reserve
Items Out of Stock Order Items
Display
Inventory Information
Figure 22.4. Activity diagram for Process Delivery Order use case
430 Case Studies
22.2.4 Use Case Description for Confirm Shipment and Bill Customer
Summary: Supplier prepares the shipment manually and then confirms that
the delivery order is ready for shipment. System notifies customer that
order is being shipped. System charges customer’s credit card for purchase
and commits inventory items removal.
Actor: Supplier
Precondition: Inventory items have been reserved for customer delivery
order.
Main sequence:
1. Supplier prepares shipment manually and identifies that delivery
order is ready to ship.
2. System retrieves customer account information, including the
invoice and customer’s credit card details.
3. System updates inventory to confirm purchase.
4. System charges customer’s credit card for purchase and creates a
credit card charge confirmation number.
5. System updates delivery order information with credit card charge
confirmation.
6. System sends email confirmation to customer.
7. System displays confirmation to the supplier to complete shipment
of the delivery order.
Postcondition: System has committed inventory, charged customer, and
sent confirmation.
The activity diagram for Confirm Shipment and Bill Customer (Figure 22.5)
depicts the activities corresponding to the main sequence of the use case.
Receive
Delivery Order
is Ready
Retrieve
Customer Information
Update
Inventory
Charge
Credit Card
Update Delivery
Order
Figure 22.5. Activity diagram for Confirm Shipment and Bill Customer use case
is very similar to the use case diagram because the external classes correspond to the
actors on the use case diagram.
Receive
Order Status
Request
Retrieve
Order Information
Display
Order Information
«software system»
Interacts with Interacts with
Online
Shopping
System
Customer Supplier
Figure 22.7. Online Shopping System Software System Context class diagram
Uses Authorizes
«entity» «entity» «entity»
Customer CustomerAccount DeliveryOrder
1 1 1 1..*
*
Views
1 1..*
0..1
1
Stored in
Provides
Figure 22.8. Conceptual static model for Online Shopping System entity classes
Service-Oriented Architecture Case Study 433
«entity» «entity»
«entity» Supplier
Inventory Catalog
supplierId : Integer
itemID : Integer itemId : Integer supplierName: String
itemDescription : String itemDescription : String address : String
quantity : Integer unitCost : Real telephoneNumber : String
price : Real supplierId : Integer faxNumber : String
reorderTime : Date itemDetails : linkType email : EmailType
«entity»
CustomerAccount
accountId : Integer
cardId : String
cardType : String
expirationDate: Date
«service» «service»
DeliveryOrderService InventoryService
«service» «service»
CatalogService CustomerAccountService
Figure 22.10. Service and entity classes for the Online Shopping System
434 Case Studies
Account and Customer entity classes. Delivery Order Service uses the Delivery Order
and Item entity classes. The Inventory Service uses the Inventory entity class.
There is also a service class, Credit Card Service, which deals with credit card
authorization and charging. In this way, the credit card billing is integrated with the
customer purchasing and supplier delivery. Another service class is Email Service,
which enables the Online Shopping System to send email messages to customers.
User interaction classes are needed to interact with the external users – in partic-
ular, Customer Interaction and Supplier Interaction, which correspond to the actors
in the use cases. In addition, to coordinate and sequence the customer and supplier
access to the online shopping services, two coordinator objects, Customer Coordina-
tor and Supplier Coordinator, are provided,. A third autonomous coordinator, Billing
Coordinator, is needed to deal with billing customers. The classes in the Online Shop-
ping System are depicted in Figure 22.11.
435
436 Case Studies
«service»
: CatalogService
Figure 22.12. Communication diagram for the Browse Catalog use case
«service» «service»
: DeliveryOrderService : EmailService
Figure 22.13. Communication diagram for the Make Order Request use case
Service-Oriented Architecture Case Study 437
«service»
: Inventory
Service
«service»
: DeliveryOrder
Service
Figure 22.14. Communication diagram for the Process Delivery Order use case
M5: Customer Coordinator sends the customer’s credit card information and
charge authorization request to Credit Card Service (this is equivalent to
a Prepare to Commit message).
M6: Credit Card Service sends a credit card approval to Customer Coordinator
(this is equivalent to a Ready to Commit message).
M7, M8: Customer Coordinator sends order request to Delivery Order Service.
M9, M9a: Customer Coordinator sends the order confirmation to Customer
Interaction and sends an email of the order confirmation to the customer
via the Email Service.
M10: Customer Interaction outputs the order confirmation to the customer
Alternative scenarios for this use case are that the customer does not have an
account, in which case a new account will be created, or that the credit card autho-
rization is denied, in which case the customer has the option of selecting a different
card. These alternative scenarios are described in Chapter 9.
An alternative scenario for this use case (not shown in figure) is that the item is
out of stock, in which case Inventory Service returns an Out of Stock message, which
is then displayed to the supplier.
«service»
: Inventory
Service
Figure 22.15. Communication diagram for the Confirm Shipment and Bill Customer use case
S8, S8a, S8b, S8c: Billing Coordinator sends Commit Charge message to Credit
Card Service, Commit Payment message to Delivery Order Service, confirma-
tion email to customer through Email Service, and Account Billed message
to Supplier Coordinator.
S9, S10: Supplier Coordinator sends Commit Inventory message to Inventory
Service, which responds that commit is completed.
S11, S12: Supplier Coordinator sends confirmation response to Supplier
Interaction, which in turn sends the shipping confirmation message to
the supplier.
V1, V2: The customer makes an order invoice request via Customer Inter-
action.
V3: Customer Coordinator makes an order request to Delivery Order Service.
440 Case Studies
V6: Customer Output «user V5: Order Invoice V4: Order Invoice
«coordinator» «service»
interaction»
aCustomer : DeliveryOrder
: Customer
Coordinator Service
V1: Customer Input Interaction V2: Order Request V3: Order Request
aCustomer
Figure 22.16. Communication diagram for the View Order use case
V4: Delivery Order Service sends order invoice information to Customer Coor-
dinator.
V5: Customer Coordinator forwards the information to Customer Interac-
tion.
V6: Customer Interaction displays the order information to the customer.
type. The client can then choose a service and make a white pages request to the
broker.
The Online Shopping System is designed as a layered architecture based on the
Layers of Abstraction architecture pattern. The software architecture consists of
three layers – a service layer, a coordinator layer, and a user interaction layer. Fur-
thermore, because this system needs to be highly flexible and distributed, the deci-
sion is made to design a service-oriented architecture, in which distributed compo-
nents can discover services and communicate with them.
Each component is depicted with the component stereotype (what kind of com-
ponent it is, as specified by the component structuring criteria). The design of the
component and service interfaces are determined by analysis of the communication
diagrams for each use case.
Layer 1: Service Layer. There are six services ; four are part of the application,
and two are external services. The application services are Catalog Service,
Delivery Order Service, Inventory Service, and Customer Account Service. The
external services are Credit Card Service (one for each credit card company,
such as Mastercard and Visa), which is used for charging customer purchases,
and Email Service, for sending email messages to customers.
Layer 2: Coordination Layer. There are three coordinator components: Supplier
Coordinator, Customer Coordinator, and Billing Coordinator.
Layer 3: User Layer. There are two user interaction components: Supplier Inter-
action and Customer Interaction.
«layer»
CoordinationLayer
«layer»
ServiceLayer
Customer Supplier
Customer Supplier Coordinator
Coordinator
Request Request Response
Response
Request
Account Commit
Info
Send
Invoice Select,
Authorization Delivery
Authorization Update
Request Order
Response Store,
Charge Query,
Update,
Committed Select
Request Check,
Send Inventory Reserve,
Catalog Delivery
Account Info Info Commit
Info Order
«service»
«service» «service» «service» «service» «service»
: Customer
: CreditCard : Email : Catalog : DeliveryOrder : Inventory
Account
Service Service Service Service Service
Service
ICatalogService
PCatalogService
«service»
Catalog
Service
IDeliverOrderService
PDOService
«service»
DeliveryOrder
Service
IInventoryService
PInventoryService
«service»
Inventory
Service
ICustomerAccountService
PCustAccountService
«service»
CustomerAccountService
The Catalog Service has operations to request to view a catalog and to select
catalog items (Figure 22.20). These operations access data maintained in the
Catalog Info and Item Info entity classes. The access needs are determined from
the Browse Catalog communication diagram (see Figure 22.7) and static model (see
Figures 22.3 and 22.4). The requestCatalog operation returns catalog items of a given
type and is determined from message B3 in Figure 22.12. The catalog information
returned is given by the attributes of the Catalog entity class shown on Figures 22.9
and 22.20. The requestSelection operation is determined from message B9 in Figure
22.12, which returns (determined from message B10) the item information for the
specific item.
The Customer Account Service has operations to create a new account, update
the account, and read an account (Figure 22.21). These operations access data main-
tained in the Customer Account and Customer entity classes. The operations are deter-
mined from the Make Order Request communication diagram (see Figure 22.13).
The requestAccount operation corresponds to message M3 in Figure 22.13 and
message S6 in the Confirm Shipment and Bill Customer communication diagram
(see Figure 22.15). The createAccount and updateAccount operations correspond
446 Case Studies
ICatalogService
PCatalogService
«interface»
ICatalogService «service»
Catalog
requestCatalog (in catalogType, out catalogInfo) Service
requestSelection (in itemId, out itemInfo)
«entity» «enumeration»
CatalogInfo CatalogType
1..*
«entity»
ItemInfo
itemId : Integer
itemDescription : String
unitCost : Real
supplierId : Integer
itemDetails : URL
ICustomerAccountService
PCustAccountService
«interface»
ICustomerAccountService
«service»
requestAccount (in accountId, out account) CustomerAccountService
createAccount (in cardId, in cardType, in expirationDate,
out accountld)
updateAccount (in accountId, in cardId, in cardType, in
expirationDate)
«entity» «entity»
CustomerAccount Customer
«interface»
IDeliverOrderService
IDeliveryOrderService
store (in order, out orderId)
select(in supplierId, out order) PDOService
update(in orderId, in order, out orderStatus)
orderShipped (in orderId, out orderStatus) «service»
confirmPayment (in orderId, in amount, out orderStatus) DeliveryOrder
read (in orderId, out order) Service
requestInvoice (in orderId, out invoice)
prepareToCommitOrder (in orderId, out order)
commit (in orderId)
abort (in orderId)
«entity»
DeliveryOrder
orderId : Integer «entity» «enumeration»
orderStatus : OrderStatus Item OrderStatus
accountId : Integer 1..* itemId : Integer NotYetShipped
amountDue: Real unitCost : Real PreparedForShipment
authorizationId: Integer quantity : Integer Shipped
supplierId : Integer
creationDate : Date
plannedShipDate : Date
actualShipDate : Date «entity»
paymentDate: Date Invoice
orderId : Integer
accountId : Integer
amountDue : Real
actualShipDate : Date
authorizationId : Integer
IInventoryService
PInventoryService
«interface»
IInventoryService «service»
Inventory
checkInventory (in itemId, out inventoryStatus) Service
update (in itemId, in amount)
reserveInventory (in itemId, in amount)
commitInventory (in itemId, in amount)
abortInventory (in itemId, in amount)
«entity» «entity»
Inventory InventoryStatus
itemID : Integer
itemDescription : String itemID : Integer
quantity : Integer currentAmount: Integer
quantityReserved: Integer quantityAfterShipped: Integer
price : Real reorderTime : Date
reorderTime : Date
inventory. The abort operation is invoked if the order is cancelled and inventory
released prior to shipment. The updateInventory service operation is needed when
the inventory is replenished. This example is described in more detail in Chapter 16,
Section 16.6.
Figure 22.15 shows the service interfaces for the external services: Credit Card
Service and Email Service. Both external services have provided interfaces in the
same way as the application services. The Credit Card Service supports one provided
interface consisting of two operations – one for authorizing a credit card purchase
(message M5 in Make Order Request) and the other for charging the credit card
(message S8a in Confirm Shipment and Bill Customer). The Email Service has one
provided interface with one operation to send an email message (message M9a in
Make Order Request and message S8c in Confirm Shipment and Bill Customer).
ICreditCardService
PCreditCardService
«interface»
ICreditCardService «service»
CreditCard
authorizeCharge (in creditcardId, in amount, out authorizationResponse) Service
commitCharge (in creditcardId, in amount, out chargeResponse)
abortCharge (in creditcardId, in amount, out chargeResponse)
IEmailService
PEmailService
«interface»
IEmailService «service»
Email
sendEmail (in emailId, in emailText) Service
Figure 22.24. Service interfaces for Credit Card and Email services
Service-Oriented Architecture Case Study 449
RCustomerCoordinator RSupplierCoordinator
PSupplierCoordinator
PCustomerCoordinator
«coordinator» «coordinator»
RInterCoordinator
«component» «component»
«coordinator» Billing Supplier
«component» Coordinator PInterCoordinator Coordinator
Customer RDOService
Coordinator RCreditCard
RDOService RDOService RInventoryService
Service REmail
RCustAccount RCustAccount
RCreditCard REmail RCatalog Service Service Service
Service Service Service
PCreditCardService
PEmailService PCatalogService PCustAccountService PDOService PInventoryService
«service»
CreditCard «service» «service» «service» «service» «service»
Service Email Catalog CustomerAccount DeliveryOrder Inventory
Service Service Service Service Service
Figure 22.25. Service-oriented software architecture for the Online Shopping System
Service-Oriented Architecture Case Study 451
«user interaction
«user interaction component»
component» Supplier
CustomerInteraction Interaction
RCustomerCoordinator RSupplierCoordinator
ICustomerCoordinator ISupplierCoordinator
ICustomerCoordinator
«interface»
ICustomerCoordinator PCustomerCoordinator
«coordinator»
requestCatalog(in selectedCatalog, out catalogInfo) «component»
requestSelectionFromCatalog(in itemId, out itemInfo) Customer
requestPurchase(in purchaseInfo, out orderInfo) Coordinator
RDOService
requestAccount(in accountId, out accountInfo)
requestOrderStatus(in orderId, out orderInfo) IDeliveryOrderService
REmail RCatalog
Service Service
RCreditCard RCustAccount
Service Service
ICreditCard IEmail ICatalog ICustomerAccount
Service Service Service Service
ISupplierCoordinator
PSupplierCoordinator
«interface»
ISupplierCoordinator «coordinator»
IShipment «component»
confirmShipment (in orderId)
requestOrder (in supplierId, out orderId) Supplier
RInterCoordinator Coordinator
checkInventory (in orderId, out inventoryInfo)
reserveInventory (in orderId, out inventoryInfo)
RDOService RInventoryService
IDeliveryOrderService IInventoryService
Figure 22.28. Component ports and interfaces for Supplier Coordinator
PInterCoordinator
«coordinator» IShipment
«interface»
«component»
IShipment
Billing
Coordinator
orderReadyForShipment (in orderId, in
orderStatus)
REmail RCustAccount
Service Service
RCreditCard RDOService
Service
IDeliveryOrderService
ICreditCard IEmail ICustomerAccount
Service Service Service
Online Shopping System, such as Catalog Service, Delivery Order Service, and Inven-
tory Service.
In a business to business (B2B) system, for example, instead of using customer
accounts, contracts would be established between business customers and suppliers.
Each contract would be between a specific business customer and a specific supplier,
would be of a specified duration, and would have a maximum fiscal amount in a
specified currency. A business customer would select items from the catalog, specify
the contract that should be used, and then send the delivery order. Once the order
shipment had been made, the payment to the supplier would be made through an
electronic funds transfer from the business customer bank to the supplier bank.
The B2B system would necessitate the creation of additional services as well
as different versions of the Customer and Supplier Coordinators. The Catalog, Deliv-
ery Order, and Inventory Services would be reused. However, new services would
be required for Contract Service, Invoice Service, and Accounts Payable Service. A
reusable service-oriented architecture for an Electronic Commerce software prod-
uct line, consisting of kernel, optional, and variant components and services, is
described in (Gomaa 2005a).
23
This chapter describes how the COMET software modeling and architectural design
method is applied to the design of a component-based software architecture: an
Emergency Monitoring System.
The problem description is given in Section 23.1. Section 23.2 describes the use
case model for the Emergency Monitoring System. Section 23.3 describes the Emer-
gency Monitoring System static model, covering static modeling of both the system
context and entity classes. Section 23.4 describes dynamic modeling, in which com-
munication diagrams are developed for each of the use cases. Section 23.5 describes
the design model for the Emergency Monitoring System, which is designed as a
layered architecture based on the Layers of Abstraction pattern combined with
the client/service pattern and several architectural communication patterns. Section
23.6 describes software component deployment.
453
454 Case Studies
View
Alarms
Generate Alarm
Remote
Sensor
Monitoring Remote
Sensor System
external system actor, the Remote System. Both these actors behave in a similar way
by monitoring remote sensors and sending sensor data and alarms to the system.This
similar behavior can be modeled by a generalized actor, Remote Sensor, which repre-
sents the common role – that is, the behavior that is common to both the specialized
actors, Monitoring Sensor and Remote System. The actors are depicted in Figure 23.1.
Remote Sensor is the primary actor for two of the use cases.
All four use cases involve Monitoring Operator, as either primary or secondary
actor, as depicted in Figure 23.1. An overview of the use cases is presented in the
following list:
1. View Alarms. The Monitoring Operator actor views outstanding alarms and
acknowledges that the cause of an alarm is being addressed. The operator
may also subscribe or unsubscribe to receive notification of alarms of a given
type.
2. View Monitoring Data. The Monitoring Operator actor requests to view the cur-
rent status of one or more sensors. Operator requests are made on demand.
The operator may also subscribe or unsubscribe to receive notification of
changes in monitoring status.
3. Generate Monitoring Data. Monitoring data are generated on an ongoing
basis by the generalized actor, Remote Sensor. Operators are notified of mon-
itoring status events to which they have subscribed.
4. Generate Alarm. If an alarm condition is detected by the Remote Sensor,
an alarm is generated. Operators are notified of alarms to which they have
subscribed.
Component-Based Software Architecture Case Study 455
Main sequence:
1. The Remote Sensor sends new monitoring data to the system.
2. The system updates the monitoring status as follows: Sensor status
for each sensor (value, upper limit, lower limit, alarm status).
3. The system sends new monitoring status to monitoring operators
who have subscribed to receive status updates.
Alternative sequence:
Step 2: Emergency situation. System displays emergency warning message
to operator.
Postcondition: Monitoring status has been updated.
MonitoringOperator
Interacts with
«software system»
EmergencyMonitoring
System 1
1
Inputs to
Communicates
with
«external input device»
1..*
1..* MonitoringSensor
«external system»
RemoteSystem
external class, each of the external classes has a one-to-many association with the
Emergency Monitoring System in Figure 23.2. The common behavior of Remote
System and Monitoring Sensor is captured by means of a generalized external class,
Remote Sensor, although it is not necessary to explicitly depict this in Figure 23.2.
Monitoring Data Repository, since there is a need to store both alarm data and mon-
itoring data. However, the entity classes are encapsulated inside services that are
accessed by various clients. For this reason, on the communication diagrams, the
entity objects are within the services: Alarm Service, and Monitoring Data Service.
For each of the human actors there needs to be a user interaction class. For this
system, there is one human actor, Monitoring Operator, and a corresponding user
interaction class, Operator Interaction. Because the operator uses a multi-windowing
interface, there are two supporting user interaction classes to display status and
alarm information that is updated dynamically, Event Monitoring Window and Alarm
Window, respectively (See section 23.5).
In addition, there is an input object, Monitoring Sensor Component, which receives
sensor inputs from the external monitoring sensors and sends status data to the Mon-
itoring Data Service object and alarms to the Alarm Service object. There is a proxy
object, Remote System Proxy, which receives sensor data from the external remote
systems and also sends status data to the Monitoring Data Service object and alarms
to the Alarm Service object. Finally, there is a boundary superclass, Remote Sen-
sor Component, which captures the common behavior of two boundary subclasses:
Monitoring Sensor Component and Remote System Proxy. The class structuring for
the Emergency Monitoring System is shown in Figure 23.3, which shows the classes
from which the objects are instantiated.
«external input
«external system»
device»
RemoteSystem
MonitoringSensor
1 1 Communicates with
Inputs to
«software system»
EmergencyMonitoring
System
1 1
«input» «proxy»
MonitoringSensor RemoteSystem
Component Proxy
«service»
«service»
MonitoringData
AlarmService
Service
«boundary»
«external»
RemoteSensor
RemoteSensor
Component
S1: Operator
Request
«user interaction»
: OperatorInteraction
S1.1: Alarm
Request S1.2: Alarm Info
«service»
: AlarmService
Figure 23.4. Communication diagram for the View Alarms use case
V1: Operator
Request
«user interaction»
: OperatorInteraction
«service»
: MonitoringDataService
Figure 23.5. Communication diagram for the View Monitoring Data use case
«external»
: RemoteSensor
«boundary»
: RemoteSensorComponent
M2: Alarm
«service»
: AlarmService
: MonitoringOperator
Figure 23.6. Communication diagram for the Generate Alarm use case
client objects (in this example, Alarm Window) of new events that they previously
subscribed to receive. The message sequence is as follows:
M1: Remote Sensor Component receives sensor input from the external sen-
sor, indicating an alarm condition.
M2: Remote Sensor Component sends an alarm to Alarm Service.
M3: Alarm Service sends a multicast message containing the alarm to all
subscribers registered to receive messages of this type.
M4: Alarm Window receives the alarm notification and displays the infor-
mation to the monitoring operator.
«external»
: RemoteSensor
«boundary»
: RemoteSensorComponent
N2: Monitoring
Data
«service»
: MonitoringData
Service
N3: Event
Notification
: MonitoringOperator
Figure 23.7. Communication diagram for the Generate Monitoring
Status use case
objects (in this example, Event Monitoring Window) of new events that they previ-
ously subscribed to receive. The message sequence is as follows:
N1: Remote Sensor Component receives sensor input from the external
remote system, indicating a change in monitoring status.
N2: Remote Sensor Component sends a monitoring data message to Monitor-
ing Data Service.
N3: Monitoring Data Service sends a multicast message containing the new
event notification to all subscribers registered to receive messages of this
type.
N4: Event Monitoring Window receives the event notification message and
displays the information to the monitoring operator.
«software system»
«user interaction»
EmergencyMonitoringSystem
: Operator
Sensor Input Presentation
Sensor Input «user interaction»
: AlarmWindow
Display Info
«input» «proxy»
: MonitoringSensor : RemoteSystemProxy
Component
Alarm Notification Alarm Request Operator Request
Monitoring «user interaction»
Data : OperatorInteraction
Display Info
Monitoring Data
: Monitoring
Operator
Alarm Display Info
«user interaction»
: EventMonitoring
Window
Monitoring
Alarm
Status
Request
Monitoring
Info
Event Notification
Alarm Info
«service»
«service»
: MonitoringData
: AlarmService
Service
«layer»
UserLayer
«user interaction»
«component» {Layer 3}
Operator
Presentation
«layer»
MonitoringLayer
«input» «proxy»
«component» «component» {Layer 2}
MonitoringSensor RemoteSystem
Component Proxy
«layer»
ServiceLayer
{Layer 1}
«service»
«service»
Monitoring
AlarmService
DataService
Layer 3: User Layer. This layer consists of the user interaction component Oper-
ator Presentation and the components it contains.
If two layers do not depend on each other, such as layers 2 and 3 in the preceding
list, the choice of which layer should be higher is a design decision. In addition to
the Layers of Abstraction architectural patterns, one other architectural structure
pattern is also used:
«user interaction»
«component» {Layer 3}
: Operator
Presentation
alarmRequest
(in request, out alarmData)
alarmSubscribe (in request,
in notificationHandle, out ack)
«input» «proxy»
«component» «component» {Layer 2}
: MonitoringSensor : RemoteSystem
Component Proxy
post (alarm)
alarmNotify (alarm)
«service»
«service» {Layer 1}
: Monitoring
: AlarmService
DataService
Figure 23.10. Concurrent communication diagram for the Emergency Monitoring System
to post alarms and monitoring status on a regular basis; they need to continue
executing without delay, and they do not need a response.
■ Broker Handle. Broker patterns are used during system initialization. Services
register service information with the broker. The Broker Handle pattern allows
clients to query the broker to determine the services to which they should be
connected.
■ Service Discovery. The Service Discovery pattern is used to allow clients to dis-
cover services, which would also permit the system to evolve after deployment.
■ Subscription/Notification (Multicast). Operator Presentation has two patterns of
communication with Alarm Service and Monitoring Data Service (see Figure 23.10).
The first is the usual communication pattern in client/service situations, namely,
Synchronous message Communication with Reply pattern, which is used to
make alarm requests and receive responses. The second pattern is the Subscrip-
tion/Notification pattern, in which Operator Presentation subscribes to receive
alarms of a certain type (e.g., high-priority alarms). When the Monitoring Sensor
Component or Remote System Proxy posts an alarm of that type to Alarm Service,
the service notifies all subscriber Operator Presentation components of the new
alarm. The same approach is used for communication with Monitoring Data Ser-
vice, in which the client is notified of monitoring events.
«user interaction»
«component»
Operator
Presentation
«input» «proxy»
«component» «component»
MonitoringSensor RemoteSystem
Component Proxy
«interface»
IAlarmService
«interface»
IAlarmNotification
■ The Operator Presentation component (see Figure 23.11) uses the IAlarmService
required interface (see Figure 23.12) via the RAlarmService required port to send
alarm requests and subscription requests to Alarm Service.
■ Remote System Proxy and Monitoring Sensor Component (see Figure 23.11) use
the IAlarmStatus required interface via the RAlarmStatus required port (e.g., see
Figure 23.12) to post new alarms at Alarm Service.
■ The Alarm Service (see Figures 23.11 and 23.12) sends alarm notifications to the
Operator Presentation component by using its IAlarmNotification required inter-
face via the RAlarmNotification required port (see Figure 23.12).
The Monitoring Data Service (Figure 23.13) is designed in a similar way to the
Alarm Service. It has two provided interfaces, one of which is connected to the
required interfaces of the client Monitoring Sensor Component and Remote System
Proxy components to receive new events; the other is connected to the required
interface of the Operator Presentation component to receive monitoring requests.
It has one required interface, which is connected to the provided interface of the
Operator Presentation component to send notification events.
Figure 23.14 depicts the three client components. Both Remote System Proxy and
Monitoring Sensor Component have two required ports, each with a required inter-
face, that are used to post events with the Monitoring Data Service and alarms with
the Alarm Service. Operator Presentation has two provided ports and two required
ports. The two required ports are used to communicate with the two services, Mon-
itoring Data Service and Alarm Service. The two provided ports receive event and
alarm notifications from Monitoring Data Service and Alarm Service, respectively.
470 Case Studies
«interface»
IMonitoringService
«interface»
IEventNotification
«user interaction»
«component»
OperatorPresentation
«proxy» «input»
«component» «component»
RemoteSystem MonitoringSensor
Proxy Component
«user interaction»
«component»
OperatorPresentation
Operator
Presentation
«wide area network» {1 node per
operator}
Monitoring Data
Alarm Service Service
{1 node} {1 node}
The Automated Guided Vehicle (AGV) System case study is an example of a real-
time system. Taken in conjunction with the other systems with which it interfaces,
the Supervisory System and the Display System, it is also an example of a distributed
system of systems. The Supervisory System and the Display System are existing sys-
tems to which the AGV System must interface.
The problem is described in Section 24.1. Section 24.2 describes the use case
model for the AGV System. Section 24.3 describes the static model, which includes
the system context model that depicts the boundary between the system and the
external environment. Section 24.4 describes the object structuring for the AGV
System. Section 24.5 describes dynamic state machine modeling, and Section 24.6
describes dynamic interaction modeling in which communication diagrams are
developed for each of the use cases. Section 24.7 describes the design model for the
AGV System, which involves the design of a component-based real-time software
architecture.
472
Real-Time Software Architecture Case Study 473
Move to Station
indicating that is has started moving, passed a station, or stopped at a station. The
AGV system also sends vehicle status to an external Display System every 30 sec-
onds.
It is given that the arrival sensor is an event-driven input device and that the
motor and arm are passive I/O devices. It is also given that the AGV system com-
municates with the Supervisory System and Display System by means of messages.
5. The arrival sensor notifies the AGV System that it has arrived at
factory station (#).
6. The AGV System determines that this station is the destination sta-
tion and commands the motor to stop moving.
7. The motor notifies the AGV System that the vehicle has stopped
moving.
8. The AGV System commands the robot arm to load the part.
9. The arm notifies the AGV System that the part has been loaded.
10. The AGV System sends an Arrived message to the Supervisory Sys-
tem.
Alternative sequences:
Step 6: If the vehicle arrives at a different station from the destination sta-
tion, the vehicle passes the station without stopping and sends a “Passed
factory station (#) without stopping” message to the Supervisory System.
Steps 8, 9: If the Supervisory System requests the AGV to move to a factory
station and unload a part, the AGV will unload the part after it arrives at
the destination station.
Postcondition: AGV has completed its mission and is at the destination
station.
1 1 1 1
«input device»
«output device» «output device» «timer»
Arrival
Motor RobotArm Clock
Sensor
Figure 24.2. Conceptual static model for the Automated Guided Vehicle
System
1 1
«software
«external input 1 Inputs to 1 system»
device» Automated
ArrivalSensor Guided Vehicle 1 Outputs to
1
System
1
Signals 1 «external output
Communicates with
device»
1 Motor
«external timer» 1
Clock
«external system»
Display
System
Figure 24.3. Software system context class diagram for Automated Guided
Vehicle System
476 Case Studies
«external input
«external system» «external timer»
device»
SupervisorySystem Clock
ArrivalSensor
«software system» 1 1 1
Automated Guided
Vehicle System «proxy» «input»
«timer»
SupervisorySystem ArrivalSensor
VehicleTimer
Proxy Interface
«state dependent
«entity»
control»
VehicleStatus
VehicleControl
«output» «output»
«proxy»
Arm Motor
DisplayProxy
Interface Interface
1 1 1
Figure 24.4. Object structuring for the Automated Guided Vehicle System
There is one external input device class, Arrival Sensor, and two external output
device classes, Motor and Robot Arm.
Load Command /
Stop Motor
Loaded /
Arrived,
Clear
Unload Command /
Stopped / Load
Stopping to Stop Motor
Part Loading
Load
Unloaded /
Arrived, Clear
Stopped / Unload
Stopping to
Part Unloading
Unload
477
478 Case Studies
part, and then restarting. The states are determined by following the main sequence
textually described in the Move to Station use case, and are as follows:
■ Idle. This is the initial state, in which the AGV is idle, waiting for a command
from the Supervisory System.
■ Starting. This state is entered when the AGV has received a Move to Station mes-
sage from the Supervisory System and has sent a start command to the motor.
■ Moving. The AGV is moving to the next station.
■ Checking Destination. The AGV has arrived at a station and is checking to
determine whether this is its destination.
■ Stopping to Load. This station is the destination, and the AGV is to load a part.
The AGV commands the motor to stop on entry to this state.
■ Part Loading. This robot arm is loading the part onto the AGV.
■ Stopping to Unload. This station is the destination, and the AGV is to unload a
part. The AGV commands the motor to stop on entry to this state.
■ Part Unloading. This robot arm is unloading the part off the AGV.
Note that the Stopping to Load and the Stopping to Unload states are kept
separate because the actions leaving these states are different (Load and Unload,
respectively).
«software
system» «proxy» «input»
: Automated : SupervisorySystem : ArrivalSensor
GuidedVehicle Proxy Interface
1.6: Departed,
System
2.4: Passed,
3.12: Arrived 2.1, 3.1: Arrived at Station
3.9: Arm Output 3.10: Arm Ack 1.3: Start Motor Output, 1.4: Started Ack,
3.5: Stop Motor Output 3.6: Stopped Ack
«external
«external output
output device»
device»
: Arm
: Motor
Figure 24.6. Communication diagram for the Move to Station use case
479
480 Case Studies
The messages into and out of Vehicle Control correspond to the events and
actions depicted on the statechart in Figure 24.7 and follow the same scenario given
in the preceding message sequence description.
Vehicle Control
2.3: No / 2.4: Passed
1.1: Move to station /
1.2: Start Motor,
1.5: Started /
1.2a: Store Destination
1.6: Departed
Checking
Idle Starting Moving
Destination
3.11: Loaded /
3.12: Arrived,
3.12a: Clear
Unload Command /
3.7: Stopped / 3.8: Load
Stopping to Stop Motor
Part Loading
Load
Unloaded /
Arrived, Clear
Stopped / Unload
Stopping to
Part Unloading
Unload
Figure 24.7. Event and Action sequence numbering on Vehicle Control statechart
481
482 Case Studies
«external timer»
: Clock
«software
system» 1: Timer Event
: Automated
GuidedVehicle
System
«timer»
1.1: Read : VehicleTimer
1.2: Status
«proxy»
: DisplayProxy
«external system»
: DisplaySystem
receiving inputs from the Supervisory System and the Arrival Sensor, and control-
ling the external environment by means of the Motor and Arm. When viewed from
the larger perspective of a factory automation system, the architecture is a based
around a hierarchical control pattern, with several instances of the AGV System
(each instance controlling an individual vehicle) operating under the overall direc-
tion of a Supervisory System, which provides hierarchical control of the individual
AGVs by sending move commands to each vehicle.
«software
system» «proxy» «input»
: Automated : SupervisorySystem : ArrivalSensor
GuidedVehicle Proxy Interface
Departed, «timer»
System
Passed, : VehicleTimer
Arrived Arrived at Station Read
Store Destination,
Check Destination, Status
Clear
Move to Station
«state dependent «entity»
control» : Vehicle
: VehicleControl Status Update Status
Load,
Started, No,
Unload
Stopped Load Command,
Unload Command
«external
«external output
output device» «external system»
device»
: Arm : DisplaySystem
: Motor
Figure 24.9. Integrated communication diagram for Automated Guided Vehicle System
Real-Time Software Architecture Case Study 485
«component»
«coordinator»
: SupervisorySystem
AGV Status
«component»
«component»
«control»
«user interaction»
: AutomatedGuided
: DisplaySystem
VehicleSystem
«component»
«coordinator»
SupervisorySystem
RAGVSystem
PAGVSystem
«component»
«coordinator»
SupervisorySystem
RAGVSystem
ISupervisorySystem IAGVSystem
ISupervisorySystem IAGVSystem
PAGVSystem
«component»
IDisplaySystem PDisplaySystem «component»
«control»
«user interaction»
AutomatedGuided
IDisplaySystem DisplaySystem
VehicleSystem RDisplaySystem
Figure 24.12. Composite component ports and interfaces for Factory Automation System
SupervisorySystem
{1 node}
AutomatedGuided DisplaySystem
VehicleSystem
{1 node}
{1 node per AGV}
■ Input tasks. Concurrent input tasks receive inputs from the external environ-
ment and send corresponding messages to the control task. Arrival Sensor Compo-
nent (Figure 24.14) is designed as an event-driven input task, which is awakened
by the arrival of an arrival sensor input. The input task consists of the individual
input device interface object depicted in the analysis model (see Figure 24.9):
Arrival Sensor Interface.
■ Proxy tasks. Supervisory System Proxy acts on behalf of the Supervisory System,
from which it receives Move commands that are forwarded to Vehicle Control,
and it sends AGV acknowledgements to Supervisory System. Supervisory System
Proxy is designed as an event-driven task, which is awakened by messages from
either the external Supervisory System or the internal Vehicle Control. Note that
if a task receives both external and internal messages, it is categorized as an
event driven task and not a demand driven task. Display Proxy acts on behalf of
the Display System, to which it forwards AGV status messages. Display Proxy
is designed as a demand driven task, awakened on demand by the arrival of a
message from Vehicle Timer.
■ Control task. Vehicle Control is the centralized state dependent control task for
the AGV system. It executes the Vehicle Control state machine and receives mes-
sages from other tasks that contain events, causing Vehicle Control to change state
and send action messages to other tasks. Vehicle Control is designed as a demand
driven task, which is awakened by arrival of a message from either Supervisory
System Proxy or Arrival Sensor Component.
■ Output tasks. The Arm Component interfaces to the external Arm. The Arm Inter-
face object from the analysis model is mapped to this output task (see Figures
24.9 and 24.14). Similarly, the Motor Component interfaces to the external Motor
and is designed from the analysis model Motor Interface object. Both of the out-
put tasks are designed as demand driven tasks, which are awakened on demand
by arrival of a message from Vehicle Control.
moveCommand
AGVAck (status) arrivalSensorInput timerEvent
(command)
«external
«external output
output device» «external system»
device»
: Arm : DisplaySystem
: Motor
Figure 24.14. Concurrent communication diagram for Automated Guided Vehicle System
Real-Time Software Architecture Case Study 489
The messages to be sent between the tasks in the AGV system are determined
from the integrated communication diagram in Figure 24.9. The actual type of mes-
sage communication – synchronous or asynchronous – still needs to be determined.
To handle the variety of communication between the tasks in the AGV System, four
communication patterns are applied:
PAGVCtrl
RAGVStatus
«state dependent
control» PAGVStatus
VehicleControl
«data
RArm RMotor abstraction»
VehicleStatus
PDisplay
PArm PMotor
«proxy»
«output» «output» DisplayProxy
Arm Motor
Component Component RDisplaySystem
RDisplaySystem
other is a passive data abstraction object (Vehicle Status). The seven simple concur-
rent components correspond to the tasks determined in Section 24.7.4 and depicted
on the concurrent communication diagram of Figure 24.14.
Figure 24.15 shows the decomposition of the Automatic Guided Vehicle Sys-
tem component into the seven simple concurrent components and the passive data
abstraction object described in the previous paragraph. The provided port of the
composite Automatic Guided Vehicle System component is connected directly to the
provided port of the simple Supervisory System Proxy component, and both ports
are given the same name (PAGV System) because they provide the same interface.
The connector joining the two ports is actually a delegation connector, meaning that
the outer port provided by Automatic Guided Vehicle System forwards each message
it receives to the inner port provided by Supervisory System Proxy. The required
ports of the Display Proxy component is also connected to the required port of the
composite Automatic Guided Vehicle System component, via delegation connectors.
Vehicle Control, which executes the vehicle state machine, has one provided
port, which supports a provided interface that receives all incoming messages from
Supervisory System Proxy and Arrival Sensor Component. In this way, Vehicle Con-
trol receives all incoming messages on a FIFO basis. Vehicle Status also has one
provided port and provided interface. Because Vehicle Status is passive, it provides
operations, which are invoked by Vehicle Control and Vehicle Timer. Vehicle Control
also has two required ports through which it communicates with Arm Component and
Motor Component.
Because the two producer components (Supervisory System Proxy and Arrival
Sensor Component) send messages to the Vehicle Control component in Figure 24.14,
each producer component is designed to have an output port, referred to as a
required port, which is joined by means of a connector to the control component’s
input port, referred to as a provided port, as shown in Figure 24.15. The name of the
required port on each producer component is RAGVCtrl; by a COMET convention,
the first letter of the port name is R to emphasize that the component has a required
port. The name of the provided port for Vehicle Control is PAGVCtrl; the first letter of
the port name is P to emphasize that the component has a provided port. Connec-
tors join the required ports of the two producer components to the provided port of
the control component.
RAGVCtrl RAGVCtrl
ISupervisorySystem IAGVCtrl IAGVCtrl «periodic»
IAGVStatus «timer»
VehicleTimer
RAGVStatus
ISupervisorySystem IAGVCtrl
RDisplay
PAGVCtrl IDisplay
IAGVStatus
«demand»
«state dependent PAGVStatus
IAGVStatus
control»
VehicleControl RAGVStatus «data
RArm RMotor abstraction»
VehicleStatus IDisplay
IArm IMotor
PDisplay
«demand» «demand»
«output» «output»
Arm Motor
Component Component
Figure 24.16. Automated Guided Vehicle System component ports and interfaces
(Arm Component and Motor Component), and it invokes operations on Vehicle Status
data abstraction object through its provided port.
The output components do not require a software interface because their out-
puts go directly to external hardware output devices. However, they need to provide
an interface to receive messages sent by the control component. Figure 24.16 depicts
the ports and provided interfaces for the two output components of the AGV Sys-
tem. Figure 24.17 also shows the specifications of the interfaces in terms of the oper-
ations they provide. The Arm Component and Motor Component output components
each have a provided port:
The Display Proxy component has a provided port called PDisplay, which in turn
provides an interface called IDisplay, as shown in Figure 24.16. Figure 24.17 shows
the specification of the interface.
Some components, such as control components, need to provide interfaces for
the producer components to use and require interfaces that are provided by output
components. The Vehicle Control component has several ports – one provided port
and three required ports – as shown in Figure 24.16. Each required port is used to
interface to a different consumer component and is given the prefix R – for exam-
ple, RArm. The provided port, which is called PAGVControl, provides the interface
IAGVControl, which is required by the producer components.
The Vehicle Control component (see Figures 24.14 and 24.15), which conceptu-
ally executes the AGV statechart, receives asynchronous control request messages
from two producer components. The provided interface IAGVControl is specified in
Real-Time Software Architecture Case Study 493
«interface»
«interface»
IAGVStatus
IAGVControl
update (in destination, in loadUnload)
moveToStation (in destination, in load/Unload)
check (in currentStation#, out response)
arrivingAtStation (in station#)
read (out AGVid, out location,
out destination, out loadUnload)
clear ()
«interface» «interface»
IArm IMotor «interface»
IDisplay
initialize () initialize ()
load () startMotor () displayAGVStatus (in
unload () stopMotor () AGVStatus)
«data abstraction»
VehicleStatus
- AGVid : Integer = 0
- destination : Integer = 0
- location : Integer = 0
- loadUnload : Boolean = unload
+ update (in destination, in loadUnload)
+ check (in currentStation#, out response)
+ read (out AGVid, out location
out destination,out loadUnload)
+ clear ()
«state machine»
VehicleStateMachine
Figure 24.18. Vehicle Status data abstraction class and Vehicle State Machine class
494 Case Studies
The port and interface of the passive data abstraction object (Vehicle Status)
are shown in Figures 24.16 and 24.17. Vehicle Status provides one interface with
three operations. The update operation stores the next AGV destination and the
command to be executed there (load or unload). The check operation receives the
current station number and returns whether this is the destination or not; if it is
the destination, it also returns whether the station command is load or unload. The
read operation returns the location, destination, and load/unload command. The
attributes of the Vehicle Status data abstraction class are given in Figure 24.18. This
figure also depicts the state machine class design for Vehicle State Machine, which is
encapsulated inside the Vehicle Control component.
APPENDIX A
A template for describing a pattern typically addresses the following items from the
perspective of the prospective user of the pattern:
■ Pattern name
■ Aliases. Other names by which this pattern is known.
■ Context. The situation that gives rise to this problem.
■ Problem. Brief description of the problem.
■ Summary of solution. Brief description of the solution.
■ Strengths of solution. Use to determine if the solution is right for your design
problem.
■ Weaknesses of solution. Use to determine if the solution is wrong for your design
problem.
■ Applicability. Situations in which you can use the pattern.
■ Related patterns. Other patterns to consider for your solution.
■ Reference. Where you can find more information about the pattern.
The architectural structure patterns, architectural communication patterns, and
architectural transaction patterns are documented with this template in Sec-
tions A.1, A.2, and A.3, respectively. The patterns are summarized in the follow-
ing tables:
495
496 Appendix A: Catalog of Software Architectural Patterns
1..*
Client
1..*
Requests Service
Broker
From
Registers with
1..*
1
Service
«input» «input»
«component» «input»
«component»
: DoorComponent «component»
: WeightComponent
: KeypadComponent
sendControlRequest
(doorEvent) sendControlRequest
(weightEvent)
sendControlRequest(keypadEvent)
«control»
«component»
: MicrowaveControl
displayPrompt(promptId)
displayTime(time)
startCooking(level)
stopCooking()
«output»
«output» «component»
«component» : MicrowaveDisplay
: HeatingElementComponent
Figure A.2. Centralized Control pattern: Microwave Oven Control System example
Appendix A: Catalog of Software Architectural Patterns 499
«coordinator»
«component»
: Hierarchical
Controller
command
command
command response
response response
«control» «control» «control»
«component» «component» «component»
: Distributed : Distributed : Distributed
Controller Controller Controller
sensor actuator sensor actuator actuator
Output sensor
Input Input Output Output
Input
Transport Layer
Layer 4
(TCP)
Internet Layer
Layer 3
(IP)
Network Interface
Layer 2
Layer
Service1
{1 server node} Service2
{1 server node}
1 «external user»
Operator
«external output device» 1
ReceiptPrinter
«software system»
BankingSystem
1 1 Requests Service
From
«external input/output 1 1 «client» 1..* 1 «service»
device» «subsystem» «subsystem»
CardReader ATMClient BankingService
1
«external user»
1 ATMCustomer
aProducer aConsumer
1: sendAsynchronousMessage
(in message, in callbackHandle)
aClient aService
aProducer aConsumer
«user interaction»
«component»
firstOperatorInteraction
B2a: alarmBroadcast
«user interaction»
«service» «component»
: AlarmHandlingService secondOperatorInteraction
B2b: alarmBroadcast
B1: alarm
aBroker
1: serviceRequest 2: forwardedRequest
3:serviceReply
4: forwardedReply
aServiceRequester aService
aBroker
B1: serviceRequest
B2: serviceHandle
B3: serviceRequestWithHandle
aServiceRequester aService
B4: serviceReply
: Calling Object
invokeOperation(in inputParameter,
out outputParameter)
: Called Object
unifiedAirlines
ReservationService
2a: flightQuery
2c.1: response
Virtual Atlantic
ReservationService
aBroker
1: queryServices
3: select 2: serviceList
aService
4: service
Handle
5: serviceRequestWithHandle
aService
aService
Requester
6: serviceReply
Figure A.17. Service Discovery pattern
514 Appendix A: Catalog of Software Architectural Patterns
aBroker
R2:
registrationAck
R1:
register
Service
aService
«user interaction»
«component»
S1: subscribe firstOperatorInteraction
N2a: alarmNotify
N1: alarm
s3: subscribe
1: sendSynchronousMessagewithReply
(in message, out response)
aClient aService
aProducer aConsumer
airline
ReservationService
1: flightReservation
2: flightConfirmation
3: hotelReservation
hotel
worldWide
ReservationService
TravelAgent
4: hotelConfirmation
5: carReservation
6: carConfirmation
vehicle
RentalService
unifiedAirlines
1a: ReservationService
flightQuery
1a.1:
response
2: reserve
3:
reject 1b: 4:
query reserve
worldWide brittanicAirways
TravelAgent 1b.1: 5: confirm ReservationService
response
1c: query
1c.1:
response
virtualAtlantic
ReservationService
: CommitCoordinator
firstService secondService
: CommitCoordinator
2b.3: Commit
2a: Commit Completed
firstService secondService
Teaching Considerations
B.1 OVERVIEW
The material in this book may be taught in different ways depending on the time
available and the knowledge level of the students. This appendix describes possible
academic and industrial courses that could be based on this book.
A prerequisite of these courses is an introductory course on software engineering
that covers the software life cycle and the main activities in each phase of the life
cycle. This prerequisite course would cover the material described in introductory
books on software engineering, such as Pressman (Pressman 2009), or Sommerville
(Sommerville 2010).
Each of these courses has three parts: description of the method, presentation of
at least one case study using the method, and a hands-on design exercise for students
to apply the method to a real-world problem.
521
522 Appendix B: Teaching Considerations
abstract class A class that cannot be directly instantiated (Booch, Rumbaugh, and
Jacobson 2005). Compare concrete class.
abstract data type A data type that is defined by the operations that manipulate it
and thus has its representation details hidden.
abstract interface specification A specification that defines the external view of the
information hiding class – that is, all the information required by the user of the
class.
abstract operation An operation that is declared in an abstract class but not imple-
mented.
action A computation that executes as a result of a state transition.
active object See concurrent object.
Activity diagram A UML diagram depicting the flow of control and sequencing
among activities.
actor An outside user or related set of users who interact with the system
(Rumbaugh, Booch, and Jacobson 2005).
aggregate class A class that represents the whole in an aggregation relationship
(Booch, Rumbaugh, and Jacobson 2005).
aggregate subsystem A logical grouping of lower-level subsystems and/or objects.
aggregation A weak form of whole/part relationship. Compare composition.
algorithm object An object that encapsulates an algorithm used in the problem
domain.
alternative feature A feature that can be chosen in place of a different feature in
the same software product line. Compare common feature and optional feature.
alternative use case A use case that can be chosen in place of a different use case
in the same software product line. Compare kernel use case and optional use case.
analog data Continuous data that can, in principle, have an infinite number of
values.
analysis modeling A phase of the COMET use case–based software life cycle in
which static modeling and dynamic modeling are performed. Compare design
modeling and requirements modeling.
523
524 Glossary
deployment diagram A UML diagram that shows the physical configuration of the
system in terms of physical nodes and physical connections between the nodes,
such as network connections.
design concept A fundamental idea that can be applied to designing a system.
design method A systematic approach for creating a design. The design method
helps identify the design decisions to be made, the order in which to make them,
and the criteria used in making them.
design modeling A phase of the COMET use case–based software life cycle in
which the software architecture of the system is designed. Compare analysis mod-
eling and requirements modeling.
design notation A graphical, symbolic, or textual means of describing a design.
design pattern A description of a recurring design problem to be solved, a solution
to the problem, and the context in which that solution works.
design strategy An overall plan and direction for developing a design.
device interface object An information hiding object that hides the characteristics
of an I/O device and presents a virtual device interface to its users.
device I/O boundary object A software object that receives input from and/or out-
puts to a hardware I/O device.
discrete data Data that arrive at specific time intervals.
distributed A system or application that is concurrent in nature and executes in an
environment consisting of multiple nodes, which are in geographically different
locations.
distributed application An application that executes in a distributed environment.
distributed component See component.
distributed kernel The nucleus of an operating system that supports distributed
applications.
distributed processing environment A system configuration in which several geo-
graphically dispersed nodes are interconnected by means of a local area or wide
area network.
distributed service A service with functionality that is spread over several server
nodes.
domain analysis Analysis of a software product line.
domain engineering See software product line engineering.
domain modeling Modeling of a software product line.
domain-specific pattern A software pattern that is specific to a given software
product line.
domain-specific software architecture See software product line architecture.
dynamic analysis A strategy to help determine how the objects that participate in
a use case interact. Also referred to as behavioral analysis.
dynamic model A view of a problem or system in which control and sequencing
are considered, either within an object by means of a finite state machine, or by
consideration of the sequence of interaction among objects.
dynamic modeling The process of developing the dynamic model of a system.
EJB See Enterprise JavaBeans.
encapsulation See information hiding.
Enterprise JavaBeans (EJB) A Java-based component technology.
528 Glossary
entity class A class, in many cases persistent, whose instances are objects that
encapsulate information.
entity object A software object, in many cases persistent, which encapsulates infor-
mation.
entry action An action that is performed on entry into a state. Compare exit action.
event (1) In concurrent processing, an external or internal stimulus used for syn-
chronization purposes; it can be an external interrupt, a timer expiration, an inter-
nal signal, or an internal message. (2) On an interaction diagram, a stimulus that
arrives at an object at a point in time. (3) On a statechart, the occurrence of a
stimulus that can cause a state transition on a statechart.
event driven I/O device An input/output device that generates an interrupt when
it has produced some input or when it has finished processing an output operation.
event driven task A task that is activated by an external event, such as an inter-
rupt.
event sequencing logic A description of how a task responds to each of its message
or event inputs; in particular, what output is generated as a result of each input.
event synchronization Control of concurrent object activation by means of signals.
Three types of event synchronization are possible: external interrupts, timer expi-
ration, and internal signals from other concurrent objects.
event trace A time-ordered description of each external input and the time at
which it occurred.
exactly-one-of feature group A group of features from which one feature must
always be selected for a given product line member. Also referred to as one-and-
only-one-of feature group.
exit action An action that is performed on exit from a state. Compare entry action.
Extensible Markup Language (XML) A technology that allows different systems
to interoperate through exchange of data and text.
external class A class that is outside the system and part of the external environ-
ment.
external event An event from an external object, typically an interrupt from an
external I/O device. Compare internal event.
explicit feature A feature that can be selected individually for a given application
member of the software product line. Compare implicit feature.
family of systems See software product line.
feature A functional requirement; a reusable product line requirement or charac-
teristic. A requirement or characteristic that is provided by one or more members
of the software product line.
feature-based impact analysis A means of assessing the impact of a feature on the
software product line, usually through dynamic modeling.
feature/class dependency The relationship in which one or more classes support
a feature of a software product line (i.e., realize the functionality defined by the
feature).
feature/class dependency analysis A means of assessing features and classes in
order to determine feature/class dependency.
feature group A group of features with a particular constraint on their usage in a
software product line member.
Glossary 529
feature modeling The process of analyzing and specifying the features and feature
groups of a software product line.
finite state machine A conceptual machine with a finite number of states and state
transitions that are caused by input events. The notation used to represent a finite
state machine is a state transition diagram, statechart, or state transition table. Also
referred to simply as state machine.
formal method A software engineering method that uses a formal specification
language – that is, a language with mathematically defined syntax and semantics.
generalization/specialization A relationship in which common attributes and oper-
ations are abstracted into a superclass (generalized class) and are then inherited
by subclasses (specialized classes).
idiom A low-level pattern that describes an implementation solution specific to a
given programming language.
implicit feature A feature that is not allowed to be selected individually. Compare
explicit feature.
incremental software development See iterative software development.
information hiding The concept of encapsulating software design decisions in
objects in such a way that the object’s interface reveals only what its users need to
know. Also referred to as encapsulation.
information hiding class A class that is structured according to the information
hiding concept. The class hides a design decision that is considered likely to
change.
information hiding class specification A specification of the external view of an
information hiding class, including its operations.
information hiding object An instance of an information hiding class.
inheritance A mechanism for sharing and reusing code between classes.
input object A software device I/O boundary object that receives input from an
external input device.
input/output (I/O) object A software device I/O boundary object that receives
input from and sends output to an external I/O device.
integrated communication diagram A synthesis of several communication dia-
grams depicting all the objects and interactions shown on the individual diagrams.
Also referred to as a consolidated collaboration diagram.
interaction diagram A UML diagram that depicts a dynamic view of a system in
terms of objects and the sequence of messages passed between them. Commu-
nication diagrams and sequence diagrams are the two main types of interaction
diagrams. Compare class diagram.
interface Specifies the externally visible operations of a class, service, or com-
ponent without revealing the internal structure (implementation) of the opera-
tions.
internal event A means of synchronization between two concurrent objects. Com-
pare external event.
I/O task structuring criteria A category of the task structuring criteria that ad-
dresses how device I/O objects are mapped to I/O tasks and when an I/O task
is activated.
iterative software development An incremental approach to developing software
in stages. Also referred to as incremental software development.
530 Glossary
object An instance of a class that contains both hidden data and operations on that
data.
object-based design A software design method based on the concept of informa-
tion hiding.
object broker See broker.
object-oriented analysis An analysis method that emphasizes identifying real-
world objects in the problem domain and mapping them to software objects.
object-oriented design A software design method based on the concept of objects,
classes, and inheritance.
object request broker See broker.
object structuring criteria A set of heuristics for assisting a designer in structuring
a system into objects. Also referred to as class stucturing criteria.
one-and-only-one-of feature group See exactly-one-of feature group.
operation A specification of a function performed by a class. An access procedure
or function provided by a class.
optional class A class that is required by some members of the software product
line. Compare kernel class and variant class.
optional component A component that is required by some members of the soft-
ware product line. Compare kernel component and variant component.
optional feature A feature that is required by some members of the software prod-
uct line. Compare common feature and alternative feature.
optional object An object that is required by some members of the software prod-
uct line; an instance of an optional class. Compare kernel object and variant object.
optional use case A use case that is required by some members of the software
product line. Compare kernel use case and alternative use case.
output object A software device I/O boundary object that sends output to an
external output device
package A grouping of UML model elements.
parameterized feature A feature that defines a software product line parameter
whose value needs to be defined for a given product line member.
part component A component within a composite component.
passive I/O device A device that does not generate an interrupt on completion of
an input or output function. The input from a passive input device needs to be
read either on a polled basis or on demand.
passive object An object that has no thread of control; an object with operations
that are invoked directly or indirectly by concurrent objects.
performance analysis A quantitative analysis of a software design conceptually
executing on a given hardware configuration with a given external workload
applied to it.
performance model An abstraction of the real computer system behavior, devel-
oped for the purpose of gaining greater insight into the performance of the sys-
tem, whether or not the system actually exists.
periodic task A concurrent object that is activated periodically (i.e., at regular,
equally spaced intervals of time) by a timer event.
PLUS See Product Line UML-Based Software Engineering.
port A connection point through which a component communicates with other
components.
532 Glossary
core assets in a prescribed way (Clements and Northrop 2002). Also referred to
as family of systems, software product family, product family, or product line.
software product line architecture The architecture for a family of products, which
describes the kernel, optional, and variable components in the software prod-
uct line, and their interconnections. Also referred to as domain-specific software
architecture.
software product line engineering A process for analyzing the commonality and
variability in a software product line, and developing a product line use case model,
product line analysis model, software product line architecture, and reusable com-
ponents. Also referred to as software product family engineering, product family
engineering, or product line engineering.
software system context class diagram A class diagram that depicts the relation-
ships between the software system (depicted as one aggregate class) and the exter-
nal classes outside the software system. Compare system context class diagram.
software system context model A model of a software system boundary that is
depicted on a software system context class diagram. Compare system context
model.
spiral model A risk-driven software process model.
state A recognizable situation that exists over an interval of time.
statechart A hierarchical state transition diagram in which the nodes represent
states and the arcs represent state transitions.
statechart diagram UML 1.x name for state machine diagram.
state-dependent control object An object that hides the details of a finite state
machine; that is, the object encapsulates a statechart, a state transition diagram,
or the contents of a state transition table.
state machine See finite state machine.
state machine diagram A UML depiction of a finite state machine or statechart.
state transition A change in state that is caused by an input event.
state transition diagram A graphical representation of a finite state machine in
which the nodes represent states and the arcs represent transitions between states.
state transition table A tabular representation of a finite state machine.
static modeling The process of developing a static, structural view of a problem,
system, or software product line.
stereotype A classification that defines a new building block that is derived from
an existing UML modeling element but is tailored to the modeler’s problem
(Booch, Rumbaugh, and Jacobson 2005).
subscription/notification A form of group communication in which subscribers
receive event notifications. Also referred to as multicast communication.
substate A state that is part of a composite state.
subsystem A significant part of the whole system; a subsystem provides a subset of
the overall system functionality.
subsystem communication diagram A high-level communication diagram depict-
ing the subsystems and their interactions.
superstate A composite state.
synchronous message communication A form of communication in which a pro-
ducer component (or concurrent task) sends a message to a consumer component
(or concurrent task) and then immediately waits for an acknowledgment. Also
Glossary 535
use case diagram A UML diagram that shows a set of use cases and actors and
their relationships (Booch, Rumbaugh, and Jacobson 2005).
use case model A description of the functional requirements of the system in
terms of actors and use cases.
use case modeling The process of developing the use cases of a system or software
product line.
use case package A group of related use cases.
user interaction object A software object that interacts with and interfaces to a
human user.
variability The functionality that is provided by some, but not all, members of the
software product line. Compare commonality.
variant class A class that is similar to, but not identical to, another class; a subclass
that is similar to, but not identical to, another subclass of the same superclass.
Compare kernel class and optional class.
variant component A component that is similar to, but not identical to, another
component. Compare kernel component and optional component.
variant object An object that is similar to, but not identical to, another object; an
instance of a variant class. Compare kernel object and optional object.
variation point A location at which change can occur in a software product line
artifact (e.g., in a use case or class).
visibility The characteristic that defines whether an element of a class is visible
from outside the class.
Web service Business functionality provided by a service provider over the Inter-
net to users of the World Wide Web.
white page brokering A pattern of communication between a client and a broker
in which the client knows the service required but not the location. Compare
yellow page brokering.
whole/part relationship A composition or aggregation relationship in which a
whole class is composed of part classes.
wrapper component A distributed component that handles the communication
and management of client requests to legacy applications (Mowbray and Ruh
1997).
XML See Extensible Markup Language.
yellow page brokering A pattern of communication between a client and a broker
in which the client knows the type of service required but not the specific service.
Compare white page brokering.
zero-or-more-of feature group A feature group consisting of optional features.
zero-or-one-of feature group A feature group in which all features are mutually
exclusive.
Answers to Exercises
Bold numbers indicate questions and alphabets within parenthesis indicate answers.
CHAPTER 1: INTRODUCTION
1. (b) 2. (d) 3. (c) 4. (b) 5. (c) 6. (d) 7. (c) 8. (a) 9. (b) 10. (c)
1. (b) 2. (a) 3. (c) 4. (a) 5. (a) 6. (b) 7. (c) 8. (d) 9. (d) 10. (c)
1. (c) 2. (b) 3. (d) 4. (b) 5. (d) 6. (c) 7. (b) 8. (c) 9. (c) 10. (d)
1. (c) 2. (c) 3. (c) 4. (c) 5. (c) 6. (b) 7. (c) 8. (b) 9. (b) 10. (b)
1. (c) 2. (c) 3. (b) 4. (c) 5. (b) 6. (c) 7. (d) 8. (d) 9. (a) 10. (c)
1. (d) 2. (c) 3. (a) 4. (d) 5. (c) 6. (b) 7. (d) 8. (c) 9. (c) 10. (b)
1. (c) 2. (c) 3. (d) 4. (c) 5. (c) 6. (c) 7. (a) 8. (a) 9. (a) 10. (b)
537
538 Answers to Exercises
1. (c) 2. (d) 3. (c) 4. (c) 5. (b) 6. (c) 7. (a) 8. (a) 9. (c) 10. (d)
1. (a) 2. (a) 3. (d) 4. (a) 5. (b) 6. (c) 7. (a) 8. (b) 9. (a) 10. (b)
1. (c) 2. (c) 3. (a) 4. (b) 5. (b) 6. (d) 7. (b) 8. (a) 9. (a) 10. (a)
1. (c) 2. (b) 3. (b) 4. (d) 5. (c) 6. (a) 7. (a) 8. (b) 9. (b) 10. (a)
1. (b) 2. (a) 3. (b) 4. (b) 5. (a) 6. (c) 7. (b) 8. (c) 9. (d) 10. (a)
1. (b) 2. (b) 3. (d) 4. (c) 5. (d) 6. (d) 7. (d) 8. (d) 9. (c) 10. (b)
11. (d) 12. (d)
1. (d) 2. (b) 3. (d) 4. (b) 5. (a) 6. (b) 7. (c) 8. (a) 9. (d) 10. (c)
1. (b) 2. (c) 3. (a) 4. (d) 5. (a) 6. (b) 7. (b) 8. (c) 9. (c) 10. (d)
1. (d) 2. (a) 3. (a) 4. (b) 5. (c) 6. (a) 7. (c) 8. (d) 9. (c) 10. (a)
1. (d) 2. (c) 3. (b) 4. (b) 5. (b) 6. (c) 7. (b) 8. (a) 9. (c) 10. (d)
1. (a) 2. (c) 3. (b) 4. (a) 5. (b) 6. (c) 7. (d) 8. (c) 9. (b) 10. (c)
1. (b) 2. (b) 3. (c) 4. (b) 5. (a) 6. (b) 7. (b) 8. (c) 9. (c) 10. (b)
Bibliography
Alexander, C. 1979. The Timeless Way of Building. New York: Oxford University Press.
Ammann, P., and J. Offutt. 2008. Introduction to Software Testing. New York: Cam-
bridge University Press.
Ambler, S. 2005. The Elements of UML 2.0 Style. New York: Cambridge University
Press.
Atkinson, C., J. Bayer, O. Laitenberger, et al. 2002. Component-Based Product Line
Engineering with UML. Boston: Addison-Wesley.
Awad, M., J. Kuusela, and J. Ziegler. 1996. Object-Oriented Technology for RealTime
Systems: A Practical Approach Using OMT and Fusion. Upper Saddle River, NJ:
Prentice Hall.
Bacon, J. 2003. Concurrent Systems: An Integrated Approach to Operating Systems,
Database, and Distributed Systems, 3rd ed. Reading, MA: Addison-Wesley.
Bass, L., P. Clements, and R. Kazman. 2003. Software Architecture in Practice, 2nd ed.
Boston: Addison-Wesley.
Beizer, B., 1984. Software System Testing and Quality Assurance. New York: Van Nos-
trand.
Berners-Lee, T., R. Cailliau, A. Loutonen, et al. 1994. “The World-Wide Web.”
Communications of the ACM 37: 76–82.
Bjorkander, M., and C. Kobryn. 2003. “Architecting Systems with UML 2.0.” IEEE Soft-
ware 20(4): 57–61.
Blaha, J. M., and W. Premerlani. 1998. “Object-Oriented Modeling and Design for
Database Applications. Upper Saddle River, NJ: Prentice Hall.
Blaha, J. M., and J. Rumbaugh. 2005. “Object-Oriented Modeling and Design with UML,
2nd ed. Upper Saddle River, NJ: Prentice Hall.
Boehm, B. 1981. Software Engineering Economics. Upper Saddle River, NJ: Prentice
Hall.
Boehm, B. 1988. “A Spiral Model of Software Development and Enhancement.” IEEE
Computer 21(5): 61–72.
Boehm, B., and F. Belz. 1990. “Experiences with the Spiral Model as a Process Model
Generator.” In Proceedings of the 5th International Software Process Workshop: Expe-
rience with Software Process Models, Kennebunkport, Maine, USA, October 10–13,
1989, D. E. Perry (ed.), pp. 43–45. Los Alamitos, CA: IEEE Computer Society Press.
539
540 Bibliography
Boehm, B. 2006. “A view of 20th and 21st century software engineering.” In Proceedings
of the International Conference on Software Engineering, May 20–26, 2006, Shanghai,
China, pp. 12–29. Los Alamitos, CA: IEEE Computer Society Press.
Booch, G., R. A. Maksimchuk, M. W. Engel, et al. 2007. Object-Oriented Analysis and
Design with Applications, 3rd ed. Boston: Addison-Wesley.
Booch, G., J. Rumbaugh, and I. Jacobson. 2005. The Unified Modeling Language User
Guide, 2nd ed. Boston: Addison-Wesley.
Bosch, J. 2000. Design & Use of Software Architectures: Adopting and Evolving a
Product-Line Approach. Boston: Addison-Wesley.
Brooks, F. 1995. The Mythical Man-Month: Essays on Software Engineering, anniversary
ed. Boston: Addison-Wesley.
Brown, A. 2000. Large-Scale, Component-Based Development. Upper Saddle River, NJ:
Prentice Hall.
Budgen, D. 2003. Software Design, 2nd ed. Boston: Addison-Wesley.
Buhr, R. J. A., and R. S. Casselman. 1996. Use Case Maps for Object-Oriented Systems.
Upper Saddle River, NJ: Prentice Hall.
Buschmann, F., R. Meunier, H. Rohnert, et al. 1996. Pattern-Oriented Software Archi-
tecture: A System of Patterns. New York: Wiley.
Cheesman, J., and J. Daniels. 2001. UML Components. Boston: Addison-Wesley.
Clements, P., and Northrop, L. 2002. Software Product Lines: Practices and Patterns.
Boston: Addison-Wesley.
Coad, P., and E. Yourdon. 1991. Object-Oriented Analysis. Upper Saddle River, NJ:
Prentice Hall.
Coad, P., and E. Yourdon. 1992. Object-Oriented Design. Upper Saddle River, NJ: Pren-
tice Hall.
Coleman, D., P. Arnold, S. Bodoff, et al. 1993. Object-Oriented Development: The Fusion
Method. Upper Saddle River, NJ: Prentice Hall.
Comer, D. E. 2008. Computer Networks and Internets, 5th ed. Upper Saddle River, NJ:
Pearson/Prentice Hall.
Dollimore J., T. Kindberg, and G. Coulouris. 2005. Distributed Systems: Concepts and
Design, 4th ed. Boston: Addison-Wesley.
Dahl, O., and C. A. R. Hoare. 1972. “Hierarchical Program Structures.” In Structured
Programming, O. Dahl, E. W. Dijkstra, and C. A. R. Hoare (eds.), pp. 175–220.
London: Academic Press.
Davis, A. 1993. Software Requirements: Objects, Functions, and States, 2nd ed. Upper
Saddle River, NJ: Prentice Hall.
Dijkstra, E. W. 1968. “The Structure of T. H. E. Multiprogramming System.” Commu-
nications of the ACM 11: 341–346.
Douglass, B. P. 1999. Doing Hard Time: Developing Real-Time Systems with UML,
Objects, Frameworks, and Patterns. Reading, MA: Addison-Wesley.
Douglass, B. P. 2002. Real-Time Design Patterns: Robust Scalable Architecture for Real-
Time Systems. Boston: Addison-Wesley.
Douglass, B. P. 2004. Real Time UML: Advances in the UML for Real-Time Systems,
3rd ed. Boston: Addison-Wesley.
Eeles, P., K. Houston, and W. Kozaczynski. 2002. Building J2EE Applications with the
Rational Unified Process. Boston: Addison-Wesley.
Eriksson, H. E., M. Penker, B. Lyons, et al. 2004. UML 2 Toolkit. Indianapolis, IN:
Wiley.
Bibliography 541
Orfali, R., D. Harkey, and J. Edwards. 1999. Essential Client/Server Survival Guide,
3rd ed. New York: Wiley.
Page-Jones, M. 2000. Fundamentals of Object-Oriented Design in UML. Boston:
Addison-Wesley.
Parnas, D. 1972. “On the Criteria to Be Used in Decomposing a System into Modules.”
Communications of the ACM 15: 1053–1058.
Parnas, D. 1974. “On a ‘Buzzword’: Hierarchical Structure.” In Proceedings of IFIP
Congress 74, Stockholm, Sweden, pp. 336–339. Amsterdam: North Holland.
Parnas, D. 1979. “Designing Software for Ease of Extension and Contraction.” IEEE
Transactions on Software Engineering 5(2): 128–138.
Parnas, D., and D. Weiss. 1985. “Active Design Reviews: Principles and Practices.”
In Proceedings, 8th International Conference on Software Engineering, August 28–
30, 1985, London, UK, pp. 132–136. Los Alamitos, CA: IEEE Computer Society
Press.
Parnas, D., P. Clements, and D. Weiss. 1984. “The Modular Structure of Complex Sys-
tems.” In Proceedings of the 7th International Conference on Software Engineering,
March 26–29, 1984, Orlando, Florida, pp. 408–419. Los Alamitos, CA: IEEE Com-
puter Society Press.
Pettit, R., and H. Gomaa. 2006. “Modeling Behavioral Design Patterns of Concurrent
Objects.” In Proceedings of the IEEE International Conference on Software Engi-
neering, May 2006, Shanghai, China. Los Alamitos, CA: IEEE Computer Society
Press.
Pettit, R., and H. Gomaa. 2007. “Analyzing Behavior of Concurrent Software Designs
for Embedded Systems.” In Proceedings of the 10th IEEE International Symposium on
Object and Component-Oriented Real-Time Distributed Computing, Santorini Island,
Greece, May 2007.
Pitt, J., M. Anderton, and R. J. Cunningham. 1996. “Normalized Interactions between
Autonomous Agents: A Case Study in Inter-Organizational Project Management.”
Computer Supported Cooperative Work: The Journal of Collaborative Computing 5:
201–222.
Pree, W., and E. Gamma. 1995. Design Patterns for Object-Oriented Software Develop-
ment. Reading, MA: Addison-Wesley.
Pressman, R. 2009. Software Engineering: A Practitioner’s Approach, 7th ed. New York:
McGraw-Hill.
Prieto-Diaz, R. 1987. “Domain Analysis for Reusability.” In Compsac ’87: Eleventh
International Computer Software and Applications Conference Proceedings, pp. 23–
29. Los Alamitos, CA: IEEE Computer Society Press.
Prieto-Diaz, R., and P. Freeman. 1987. “Classifying Software for Reusability.” IEEE
Software 4(1): 6–16.
Pyster, A. 1990. “The Synthesis Process for Software Development.” In Systems and
Software Requirements Engineering, R. J. Thayer and M. Dorfman (eds.), pp. 528–
538. Los Alamitos, CA: IEEE Computer Society Press.
Quatrani, T. 2003. Visual Modeling with Rational Rose 2002 and UML. Boston: Addison-
Wesley.
Rosenberg, D., and K. Scott. 1999. Use Case Driven Object Modeling with UML: A Prac-
tical Approach. Reading, MA: Addison-Wesley.
Rumbaugh, J., M. Blaha, W. Premerlani, et al. 1991. Object-Oriented Modeling and
Design. Upper Saddle River, NJ: Prentice Hall.
Rumbaugh, J., G. Booch, and I. Jacobson. 2005. The Unified Modeling Language Refer-
ence Manual, 2nd ed. Boston: Addison-Wesley.
546 Bibliography
abstract unary, 99
class, 241 asynchronous message communication, 56, 227,
data type, 46 334
operation, 241 Pattern, 201
acceptance testing, 43 with Callback pattern, 259
ACID transaction properties, 286 atomic, 285
action, 20, 158 attribute, 47, 113
entry, 160 autonomy, 308
exit, 161 availability, 366
transition, 158
active object, 21, 53 base use case, 82
activity diagram, 89 black box testing, 64
actor, 76 boundary
external system, 77 class, 118, 119
human, 77 object, 119
input device, 77 Broadcast Message Communication Pattern, 310
primary, 76 Broker
secondary, 76 Forwarding Pattern, 280
timer, 77 Handle Pattern, 282
aggregate subsystem, 217 pattern, 280
aggregation business logic
hierarchy, 101 class, 232, 239
relationship, 17, 101 object, 127
algorithm
class, 232 Call/Return pattern, 201
object, 128 callback, 266
analysis modeling, 63, 349 categorization of classes, 107, 116
application Centralized Control Architectural Pattern, 320
deployment, 314 choreography, 294
logic object, 118, 127 class, 46
architectural design, 231–239
communication patterns, 258 diagram, 16, 95
design, 41 hierarchies, 52, 239
association, 16, 95 interface specification, 245
class, 100, 271 operations, 232–234
many-to-many, 97 structuring, 117
multiplicity of, 96 structuring criteria, 116
numerically specified, 96 client subsystem, 221
one-to-many, 96 client/server
one-to-one, 96 architecture, 254
optional, 96 configuration, 260
ternary, 99 systems, 253
547
548 Index