Vous êtes sur la page 1sur 18

# Ren Witte

Introduction

Foundations

Functions
Relations

## SOEN 6481, Winter 2015/16 Specification with Z

Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

## Notes and Further

Ren Witte
Department of Computer Science
and Software Engineering
Concordia University
10.1

## Key Points Ren Witte

Key Points

Introduction

Foundations
Sets
Functions
State-based Specification Relations

Specification with Z
Z is a well-known formal specification language Data Schemas
Operation Schemas
model-based specification Reasoning
BirthdayBook Example

describe legal system states through pre-/post-conditions and invariants Strengthening the
Specification

## mathematical foundations are (typed) sets, relations, and functions; as well as

Combining Schemas

Conclusions
first-order predicate logic and lambda calculus Notes and Further
ISO Standard (2002) 13568

10.2

## Outline Ren Witte

1 Introduction
Key Points

Introduction
2 Foundations Foundations
Sets Sets
Functions
Functions Relations

## Relations Specification with Z

Data Schemas
Operation Schemas

3 Specification with Z
Reasoning
BirthdayBook Example

Specification

## Operation Schemas Combining Schemas

Reasoning Conclusions

## Strengthening the Specification

Combining Schemas

4 Conclusions

## 5 Notes and Further Reading

10.3
Requirements Specification & Documentation Ren Witte

Key Points

Introduction

Foundations
Sets
Functions
Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

10.4

Key Points

Introduction

Foundations
Sets

## Specify State of a System at defined Snapshots Functions

Relations

Logic-based specification for requirements, assumptions, and domain properties: Specification with Z
Data Schemas
Pre-Condition: Must hold before an operation can be applied Operation Schemas
Reasoning
Post-Condition: Must hold after executing an operation BirthdayBook Example
Strengthening the

Invariant: Must always hold (at defined snapshots) during an operation Specification
Combining Schemas

Core idea: define a system through a set of types (a schema) and operations Conclusions

10.5

## Z Schema Definition Key Points

The BirthdayBook schema defines the state space of the birthday book system: Introduction

Foundations

[NAME, DATE]
Sets
Functions
Relations
BirthdayBook Specification with Z
known : PNAME Data Schemas
Operation Schemas
birthday : NAME
7 DATE Reasoning
BirthdayBook Example

## known = dom birthday Strengthening the

Specification
Combining Schemas

Conclusions

## Given Sets: here NAME and DATE (basic types)

Schema Name: here BirthdayBook
State Variables: here known and birthday
Site Invariant: here known= dom birthday

10.6
Example System State Ren Witte

## Schema Definition Key Points

Introduction

BirthdayBook Foundations
Sets
known : PNAME Functions

birthday : NAME
7 DATE
Relations

Specification with Z
Data Schemas
known = dom birthday Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the

## known: set of names for which we store the birthday Specification

Combining Schemas

birthday: function; when applied to a name, gives the corresponding birthday Conclusions

## State (at a certain snapshot)

known = { David, Judy, Robert } PNAME
birthday = { David 7 24-June, Judy 7 26-August, Robert 7 8-July }
The invariant is satisfied: known = dom birthday (because birthday records the date
for exactly the names in known)

10.7

## Features Ren Witte

Key Points

Introduction

Foundations
Observations Sets
Functions
There is: Relations

Specification with Z
No limit on the number of entries Data Schemas
Operation Schemas
No implied order of entries Reasoning
BirthdayBook Example
No restriction on format Strengthening the
Specification

## But there is a precise statement that: Combining Schemas

Conclusions
Each person has only one birthday Notes and Further
Two people may share a birthday
Some people may not be in the database

10.8

## Outline Ren Witte

Key Points

1 Introduction Introduction

Foundations
Sets

2 Foundations
Functions
Relations

## Sets Specification with Z

Functions
Data Schemas
Operation Schemas

Relations Reasoning
BirthdayBook Example
Strengthening the
Specification

3 Specification with Z
Combining Schemas

Conclusions

4 Conclusions

## 5 Notes and Further Reading

10.9
Set membership Ren Witte

Key Points

Introduction
x S denotes that x is contained in S. Foundations
Sets
Functions
Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

## Listing elements of a set: S = {x1 , x2 , . . . , xn }

Denoting defining property of a set: {x S | x has property p}

10.10

Key Points

## A B means ( x)(x A x B). Introduction

Foundations
Sets
Functions
Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

For example,
N Z Q R.

10.11

## Identities from propositional logic Ren Witte

Key Points
The inference rules for propositional logic give identities for set theory. For example, Introduction

p pq
Sets
Functions
Relations

## AAB Data Schemas

Operation Schemas
Reasoning

## in set theory. BirthdayBook Example

Strengthening the
Specification
Combining Schemas
Proof Conclusions

## Notes and Further

[Proof that A A B] Let x A. By the addition rule, (x A)
(x B). By the definition of set union, x A B, as required.

10.12
Union and Intersection Ren Witte

## Definition of set union: A B = {x | (x A) (x B)}.

In predicate logic: ( x)(x A B (x A) (x B)) Key Points

Introduction

Foundations
Sets
Functions
Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

10.13

## Define: A0 = {x U | x 6 A}. Introduction

Foundations
Sets
Functions
Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions
Note that we could also write A0 = {x U | (x A)} to make the use of the Notes and Further

De Morgans Laws
Let A and B be sets. Then
1 (A B)0 = A0 B 0
2 (A B)0 = A0 B 0

10.14

## Cartesian products and power sets Ren Witte

Key Points

Introduction
Cartesian Product Foundations

The Cartesian product A B of two sets A and B is the set of all ordered pairs Sets
Functions

where the first item comes from the first set and the second item comes from the Relations

## second set. Formally, Specification with Z

Data Schemas
Operation Schemas

## A B = {(a, b) | a A and b B}. Reasoning

BirthdayBook Example
Strengthening the
Specification
Combining Schemas

## Power Set Conclusions

The power set P(S) of the set S is the set of all subsets of S: Notes and Further

P(S) = {X | X S}.

(Note: the power set of S is written as PS in the van Lamsweerde [vL09] textbook).

10.15
Function Ren Witte

Key Points

Introduction

Foundations
Sets
Functions
Definition Relations

A function from a set X to a set Y is a well-defined rule that assigns a single Specification with Z
Data Schemas
element of Y to every element of X . If f is such a function, we write Operation Schemas
Reasoning
BirthdayBook Example
f : X Y Strengthening the
Specification
Combining Schemas

and we denote the element of Y assigned to x X by f (x). The set X is called the Conclusions

domain of the function (written dom), and the set Y is called the codomain or range Notes and Further
(written ran).

10.16

Key Points

Introduction

Foundations

## A simple function and its diagram

Sets
Functions

Let X = {1, 2, 3} and Y = {1, 2, 3, 4}. The formula f (x) = x + 1 defines a function Relations

Specification with Z
f : X Y . For this function, f (1) = 2, f (2) = 3 and f (3) = 4. Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

10.17

## Relations Ren Witte

Key Points

Introduction

Foundations
Sets
Functions
Relations

Specification with Z
Definition Data Schemas

Reasoning

## If R is a relation on S, we say that a is related to b if (a, b) R, which we BirthdayBook Example

Strengthening the

## sometimes write as a R b. Specification

Combining Schemas

6 b. Conclusions

## Notes and Further

10.18
Relations (II) Ren Witte

Key Points

Introduction
Examples of Relations Foundations
Sets

The symbols =, <, >, , all define relations on Z (or on any set of numbers). Functions
Relations

For example, if S = {1, 2, 3}, then the relation on S defined by < is the set Specification with Z

## {(1, 2), (1, 3), (2, 3)}. Data Schemas

Operation Schemas

Let P be the set of all people, living or dead. For any a, b P, let a R b if a and Reasoning
BirthdayBook Example

b are (or were) siblings. Then R is a relation on P, and the ordered pair Strengthening the
Specification

## (Luke, Leia) R. Combining Schemas

Conclusions
Let W be the set of all web pages. Then Notes and Further

10.19

## Operations on Relations Ren Witte

Key Points

Introduction
Domain and Range Foundations
Sets
dom R Functions
Relations

## ran R Specification with Z

Data Schemas

If R is a binary relation between X and Y , then the domain of R (dom R) is the set of Operation Schemas
Reasoning
all members of X which are related to at least one member of Y by R. BirthdayBook Example

The range of R (ran R) is the set of all members of Y to which at least one member
Strengthening the
Specification

of X is related by R.
Combining Schemas

Conclusions

## Notes and Further

(| |) Relational image
The relational image R(| S |) of a set S through a relation R is the set of all objects y
to which R relates some member x of S.

10.20

## Domain and Range Restrictions Ren Witte

Key Points
Restriction Introduction

Sets

## B Range restriction Functions

Relations

The domain restriction S C R of a relation R to a set S relates x to y if and only if R Specification with Z
Data Schemas

## relates x to y and x is a member of S. The range restriction R B T of R to a set T Operation Schemas

Reasoning
relates x to y if and only if R relates x to y and y is a member of T . BirthdayBook Example
Strengthening the
Specification

## Anti-Restriction Combining Schemas

Conclusions
C Domain anti-restriction
Notes and Further
B Range anti-restriction

These two operations are the complemented counterparts of the restriction
operations C and B. An object x is related to an object y by the relation S C R if
and only if x is related to y by R and x is not a member of S. Similarly, x is related
B T if and only if x is related to y by R and y is not a member of T .
to y by R

10.21
Outline Ren Witte

## 1 Introduction Key Points

Introduction

Foundations
2 Foundations Sets
Functions
Relations

Specification with Z
3 Specification with Z Data Schemas

Reasoning

## Operation Schemas BirthdayBook Example

Strengthening the
Reasoning Specification
Combining Schemas
BirthdayBook Example Conclusions
Strengthening the Specification Notes and Further

4 Conclusions

10.22

## Specification with Z Ren Witte

Key Points

Introduction
Z Specification Foundations

Functions

## each schema, we have Relations

Specification with Z
Declaration Part: variables used in the schema are declared Data Schemas
Operation Schemas
Assertion Part: contains assertions constraining state space Reasoning
BirthdayBook Example
Strengthening the
Specification
Z Schema Types Combining Schemas

## Notes and Further

Data Schema: Systems state space, defined by state variables and invariants Reading

Operation Schema: Systems operations, each with input and output variables and
pre- and post-conditions
Additionally, initialization schemas define initial system state.

10.23

Key Points

## General Format Introduction

Foundations

SchemaName Sets
Functions

declarations Relations

Specification with Z

## stateinvariant Data Schemas

Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification

Conclusions

## BirthdayBook Notes and Further

known : PNAME
birthday : NAME
7 DATE
known = dom birthday

10.24
Operation Schemas Ren Witte

Operations
A state transition of a system is also described by a schema: Key Points

Introduction

SchemaName Foundations
Sets
State Functions

## input/output declarations Relations

Specification with Z

## preconditions Data Schemas

Operation Schemas

postconditions Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions
Example: Add a birthday
Notes and Further

BirthdayBook
name? : NAME
date? : DATE
name? 6 known
birthday 0 = birthday {name? 7 date?}

10.25

## AddBirthday Key Points

Foundations
BirthdayBook Sets

## name? : NAME Functions

Relations
date? : DATE Specification with Z
Data Schemas
name? 6 known Operation Schemas

## birthday 0 = birthday {name? 7 date?}

Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions
Z Syntax Notes and Further
prefix modifier: indicates an operation that changes (some) state variables
in a schema
prefix observer: indicates read-only operation (query state) of a schema
? suffix input variable, e.g., name?
! suffix output variable, e.g., date!
suffix used in postconditions to indicate state change, e.g., birthday 0

10.26

## Operation Pre- and Post-Conditions Ren Witte

Key Points

Introduction
Pre-Condition
Foundations
A necessary condition on input variables Sets
Functions
captures operations applicability Relations

## must hold before the operation can be applied Specification with Z

Data Schemas

In SRS, we are interested in the least restrictive applicability condition (i.e., the
Operation Schemas
Reasoning

## weakest pre-condition) BirthdayBook Example

Strengthening the
Specification
Combining Schemas
Post-Condition Conclusions
Condition on output variables if the operation is applied Notes and Further
captures the operations effects
must hold in the state after the operation has been applied
In SRS, we are interested in the most complete effect condition (i.e., the strongest
post-condition).

10.27
Pre- and Postcondition Example Ren Witte

Key Points

Foundations
Functions
BirthdayBook Relations

## date? : DATE Data Schemas

Operation Schemas
Reasoning

## name? 6 known BirthdayBook Example

Strengthening the
birthday 0 = birthday {name? 7 date?} Specification
Combining Schemas

Conclusions

## Notes and Further

Precondition
name? 6 known

Postcondition
birthday 0 = birthday {name? 7 date?}

10.28

## Mind your Postconditions! Ren Witte

Key Points
BirthdayBook Foundations

Functions

## date? : DATE Relations

Specification with Z
name? 6 known Data Schemas
Operation Schemas
birthday 0 = birthday {name? 7 date?} Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

## Notes and Further

BirthdayBook
name? : NAME
date? : DATE
name? 6 known
{name? 7 date?} birthday 0

10.29

Key Points

Sets
Functions

## birthday = birthday {name? 7 date?}

0 Relations

Specification with Z
Data Schemas
But what about known? Shouldnt we add Operation Schemas
Reasoning
BirthdayBook Example

## known0 = known {name?} Strengthening the

Specification
Combining Schemas

as well? Conclusions

## Notes and Further

BirthdayBook Schema
Remember the BirthdayBook schema invariant

## known = dom birthday

10.30
Deriving change of known Ren Witte

## known0 = known {name?} Introduction

Foundations
Sets
Proof using invariant Functions
Relations

## known0 = dom birthday 0 Specification with Z

Data Schemas
= dom(birthday {name? 7 date?}) Operation Schemas

## = dom birthday dom {name? 7 date?} Reasoning

BirthdayBook Example

Specification

Conclusions

## Useful Facts about dom

Used in this proof:

## dom(f g) = (dom f ) (dom g)

dom{a 7 b} = {a}.

10.31

## BirthdayBook: Initial State Ren Witte

Key Points

Introduction

Foundations
Sets
InitBirthdayBook Functions
Relations
This InitBirthdayBook specifies the initial state of the birthday book system. Specification with Z
Data Schemas

InitBirthdayBook
Operation Schemas
Reasoning

## BirthdayBook BirthdayBook Example

Strengthening the
Specification

Conclusions

## Notes and Further

It does not say explicitly that birthday is empty, but that is implicit, because its
domain is empty.

10.32

## Operations Ren Witte

Key Points

Foundations
Next we have several operation schemas to define the normal (non-error) behaviour Sets

## of the system. Functions

Relations

Specification with Z
Operation Schemas
BirthdayBook Reasoning

## name? : NAME BirthdayBook Example

Strengthening the

## date? : DATE Specification

Combining Schemas

Conclusions
name? 6 known Notes and Further
birthday 0 = birthday {name? 7 date?} Reading

Z Notation
indicates an operation that changes the state of the variables

10.33
More Operations Ren Witte

## FindBirthday and Remind

Key Points

Introduction
FindBirthday
Foundations
BirthdayBook Sets

Relations

Data Schemas

Reasoning

## date! = birthday (name?) BirthdayBook Example

Strengthening the
Specification

Remind
Combining Schemas

Conclusions
BirthdayBook Notes and Further
today ? : DATE Reading

cards! : PNAME
cards! = {n : known | birthday (n) = today ?}

Z Notation
indicates an operation that does not change the state.
10.34

## Non-Deterministic Operations Ren Witte

Key Points

Introduction

Foundations

RemindOne Sets
Functions

RemindOne reminds us of just one person who has a birthday on the given day. Relations

Specification with Z
Data Schemas
RemindOne Operation Schemas
Reasoning
BirthdayBook BirthdayBook Example

Specification

Conclusions

## card! known Notes and Further

birthday (card!) = today ?

10.35

## RemoveBirthday Key Points

Introduction
Write the Z specification for RemoveBirthday Foundations
input variable is the name to be removed Sets
Functions
Relations

Specification with Z
Solution Data Schemas
Operation Schemas
Reasoning
RemoveBirthday BirthdayBook Example
Strengthening the
BirthdayBook Specification

Conclusions

## name? known Notes and Further

birthday 0 = birthday \ {name? 7 birthday (name?)}

## Note: \ is the set difference (sometimes written as ).

For two sets A and B,
A \ B = {x A : x 6 B}

10.36
Error Handling Ren Witte

Key Points

Sets

Relations

Data Schemas

Reasoning

## ignore the operation? BirthdayBook Example

Strengthening the
Specification
Might result in unexpected behavior later! Combining Schemas

Conclusions

## Solution Notes and Further

Add error handling to the specification
Define error schemas
Combine operations with error schemas
Z provides an elegant way of combining schemas through logical combinations.

10.37

## Strengthening the Specification Ren Witte

Key Points

Introduction

Foundations
Adding Error Handling Sets
Functions
Now we strengthen the specification by adding error handling. Relations

Specification with Z

## REPORT ::= ok | already known | not known Data Schemas

Operation Schemas
Reasoning
BirthdayBook Example
First, we define auxiliary schemas that capture various success and error cases: Strengthening the
Specification
Combining Schemas

Success Conclusions

result! = ok

10.38

## AlreadyKnown and NotKnown

Key Points

Introduction
BirthdayBook Sets
Functions
name? : NAME Relations

## result! : REPORT Specification with Z

Data Schemas
Operation Schemas
name? known Reasoning

## result! = already known BirthdayBook Example

Strengthening the
Specification
Combining Schemas

Conclusions

## NotKnown Notes and Further

BirthdayBook
name? : NAME
result! : REPORT
name? 6 known
result! = not known

10.39
Robust Operations Ren Witte

## Operations with added Error Handling Key Points

Introduction
Finally, we define robust versions of all the operations by specifying how errors are
Foundations
handled. For illustration purposes, we leave the RemindOne operation non-robust. Sets
Functions

Specification with Z
RFindBirthday = (FindBirthday Success) NotKnown Data Schemas

## RRemind = Remind Success Operation Schemas

Reasoning
BirthdayBook Example
Strengthening the
Specification
Schema Combination Combining Schemas

Note how we defined a new schema (e.g., RAddBirthday ) through logical Conclusions

combination of existing schemas (e.g., (AddBirthday Success) AlreadyKnown). Notes and Further

## This is a particular strength of Z

Allows to build complex specifications from simpler ones
and provides a re-use mechanism for schemas
Now he have to examine how this combination works.

10.40

## Lets combine AddBirthday and Success:

AddBirthday Success Key Points
BirthdayBook result! : REPORT Introduction
name? : NAME Foundations
result! = ok
date? : DATE Sets
Functions
Relations
name? 6 known Specification with Z
birthday 0 = Data Schemas

## birthday {name? 7 date?} Operation Schemas

Reasoning
BirthdayBook Example

## AddBirthday Success Strengthening the

Specification
Combining Schemas
BirthdayBook Notes and Further

## name? : NAME Reading

date? : DATE
result! : REPORT
name? 6 known
birthday 0 = birthday {name? 7 date?}
result! = ok

10.41

## Combining Schemas Ren Witte

Key Points
General Approach Introduction

Sets

Relations

## 2 Join all assertions with the logical connective(s) Specification with Z

Data Schemas
Operation Schemas

Example
Reasoning
BirthdayBook Example

For NewSchema = (Schema1 Schema2) Schema3 we obtain the specification Strengthening the
Specification
Combining Schemas

NewSchema Conclusions

## Notes and Further

All declarations from Schema1, Schema2, Schema3 Reading

(AssertionSchema1 AssertionSchema2)
AssertionSchema3

## where AssertionSchema represents the conjunction from all assertions in Schema.

10.42
Outline Ren Witte

Key Points

Introduction

1 Introduction Foundations
Sets
Functions
Relations

## 2 Foundations Specification with Z

Data Schemas
Operation Schemas

3 Specification with Z
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas
4 Conclusions Conclusions

## Notes and Further

5 Notes and Further Reading

10.43

## Z Summary Ren Witte

Key Points

Introduction

Foundations
Sets
Functions
Features Relations

## Z is a simple mathematical framework in which to: Specification with Z

Data Schemas

describe systems (as state machines) abstractly yet precisely Operation Schemas
Reasoning

## compose a system out of small pieces BirthdayBook Example

Strengthening the
Specification
use old specifications to build new specifications Combining Schemas

Conclusions
reason about properties of a system
Notes and Further
relate views of a system Reading

10.44

## Tools Support Ren Witte

Z Tools
Lack of (good) tool support has been a major hindrance to wider adoption of Z.
Key Points
Z proof environment Isabelle/HOL-Z Introduction

## Z Community Tools (ZCT) Foundations

Sets
Java Framework, Z XML Specification Functions

## End-User Tools (e.g., Eclipse, jEdit plug-ins) Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

## Notes and Further

10.45
Z Community Tools (CZT): BirthdayBook Example in Eclipse Ren Witte

Key Points

Introduction

Foundations
Sets
Functions
Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

10.46

## Z Community Tools (CZT): BirthdayBook Example in jEdit Ren Witte

Key Points

Introduction

Foundations
Sets
Functions
Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

## Notes and Further

10.47
Copyright P. Malik and M. Utting, A Framework for Z Tools, http://czt.sourceforge.net/

## Z Community Tools (CZT) Architecture Ren Witte

Key Points

Introduction

Foundations
Sets
Functions
Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

## Copyright P. Malik and M. Utting, A Framework for Z Tools 10.48

Application Example Ren Witte

Key Points

Introduction
W3C Standard WSDL
Foundations
The World Wide Web Consortium (W3C) standard for the Web Services Description Sets

## Language (WSDL) contains specifications in Z: Functions

Relations

Specification with Z
Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas

Conclusions

## Notes and Further

(see http://www.w3.org/TR/wsdl20/wsdl20-z.html)

10.49

## Outline Ren Witte

Key Points

Introduction

1 Introduction Foundations
Sets
Functions
Relations

## 2 Foundations Specification with Z

Data Schemas
Operation Schemas

3 Specification with Z
Reasoning
BirthdayBook Example
Strengthening the
Specification
Combining Schemas
4 Conclusions Conclusions

## Notes and Further

5 Notes and Further Reading

10.50

## Reading Material Ren Witte

Key Points

Introduction

Foundations
Sets

Required Functions
Relations

## [vL09, Chapter 4.4.3] Specification with Z

Data Schemas
Operation Schemas
Reasoning
BirthdayBook Example
Supplemental Strengthening the
Specification

## [Spi] (Z Reference Card)

Combining Schemas

Conclusions
[Spi92, Chapter 1: Tutorial Introduction] Notes and Further
[czt, The Community Z Tools (CZT) project]

10.51
References Ren Witte

Key Points

## [czt] The Community Z Tools (CZT) project. Introduction

http://czt.sourceforge.net. Foundations
Sets
Functions

Data Schemas

## http://spivey.oriel.ox.ac.uk/mike/fuzz/refcard-3up.pdf. Operation Schemas

Reasoning
BirthdayBook Example
[Spi92] J. M. Spivey. Strengthening the
Specification
The Z Notation: A Reference Manual. Combining Schemas

## [vL09] Axel van Lamsweerde.

Requirements Engineering: From System Goals to UML Models to
Software Specifications.
John Wiley & Sons, 2009.

10.52