Goal-Oriented Requirements Engineering: A Guided Tour
Axel van Lamsweerde
Département d’Ingénierie Informatique
Université catholique de Louvain
B-1348 Louvain-la-Neuve (Belgium)
avl@
Abstract
Goals capture, at different levels of abstraction, the various objectives the system under consideration should achieve. Goal-oriented requirements engineering is concerned with the use of goals for eliciting, elaborating, structuring, specifying, analyzing, negotiating, documenting, and modifying [...]ea has received increasing attention over the past few years.
The paper reviews various research efforts undertaken [...]uments in favor of goal [...]er then compares the main approaches to goal modeling, goal specification and goal-based reasoning in the many activities of [...] the discussion more concrete, a real case study is used to suggest what a goal-oriented requirements engineering method [...]ence with such approaches and tool support are briefly discussed as well.
Introduction
Goals have long been recognized to be essential components involved in the requirements engineering (RE) pro[...] and Schoman stated in their seminal paper, “requirements definition must say why a system is needed, based on current or foreseen conditions, which may be [...] say what [...] must say how the system is to be constructed” [Ros77].
Many informal system development methodologies from the good old times included some form of goal-based analysis, called context analysis [Ros77], definition study [Hic74], participative analysis [Mun81], [...]cally, the current system under consideration is analyzed in its organizational, operational and technical setting; problems are pointed out and opportunities are identified; high-level goals are then identified and refined to address such problems and meet the opportunities; requirements are then [...]tural practice has led requirements documentation standards to require a specific document section devoted to the objectives the system should meet (see, e.g., the IEEE-Std-830/1993 standards).
Surprisingly enough, goals have been largely ignored both from the literature on software modeling and specification and from the literature on object-oriented analysis (one notable exception is [Rub92]). UML advocates sometimes confess the need for higher-level abstractions: “In my work, I focus on user goals first, and then I come up with use cases to satisfy them; by the end of the elaboration period, I expect to have at least one set of system interaction use cases for each user goal I have identified” [Fow97, p.45]. The prominent tendency in software modeling research has been to abstract programming constructs up to requirements level rather than propagate requirements abstractions down to programming level [Myl99].
Requirements engineering research has increasingly recognized the leading role played by goals in the RE process [Yue87, Rob89, Ber91, Dar91, Myl92, Jar93, Zav97b]. Such recognition has led to a whole stream of research on goal modeling, goal specification, and goal-based reasoning for multiple purposes, such as requirements elaboration, verification or conflict management, and under multiple forms, from informal to qualitative to formal.
The objective of this paper is to provide a brief but hopefully comprehensive review of the major efforts undertaken [...] Section 2 first provides some background material on what goals are, what they are useful for, where they are coming from, and when they should be [...] Section 3 discusses the major efforts in modeling goals in terms of features and [...] Section 4 reviews the major techniques used for specifying [...] Section 5 on goal-based reasoning reviews how goals are used in basic activities of the RE process such as requirements elicitation, elaboration, verification, validation, explanation, and negotiation, and in particular for difficult aspects of that process such as conflict management, requirements deidealization, [...] Section 6 then suggests what a goal-oriented RE method may look like by enacting it on a real case study of a safety-criti[...]turally leads to a brief review, in Section 7, of industrial projects in which the use of such methods was felt conclusive; the supporting tools [...] Section 8 just opens some fairly recent pieces of goal-based work beyond requirements engineering.
Background picture
Reviewing the current state of the art in goal-oriented RE would not make much sense without first addressing the what, why, where and when questions about this area of research.
Invited mini-tutorial paper, appeared in Proceedings RE’01, 5th IEEE International Symposium on Requirements Engineering, Toronto, August 2001, 249-263.
What are goals?
A goal is an objective the system under consideration should [...]rmulations thus refer to intended properties to be ensured; they are optative statements as opposed to indicative ones, and bounded by the subject matter [Jac95, Zav97a].
Goals may be formulated at different levels of abstraction, ranging from high-level, strategic concerns (such as “serve more passengers” for a train transportation system or “provide ubiquitous cash service” for an ATM network system) to low-level, technical concerns (such as “acceleration command delivered on time” for a train transportation system or “card kept after 3 wrong password entries” for an ATM system).
Goals also cover different types of concerns: functional concerns associated with the services to be provided, and non-functional concerns associated with quality of service -- such as safety, security, accuracy, performance, and so forth.
The system which a goal refers to may be the current one or the system-to-be; both of them are involved in the RE pro[...]tem-to-be is in essence composite; it comprises both the software and its environment, active components such as humans, [...]d to passive ones, active components have choice of behavior [Fea87, Yue87, Fic92]; henceforth we will call them agents.
Unlike requirements, a goal may in general require the cooperation of a hybrid combination of multiple agents to achieve it [Dar93]. In a train transportation system, for example, the high-level goal of safe transportation will typically require the cooperation of onboard train controllers, the train tracking system, station computers, the communication infrastructure, passengers, [...]M system, the goal of providing cash to eligible users will require the cooperation of the ATM software, sensors/actuators, the customer, [...]he important outcomes of the RE process is the decision on what parts of the system will be automated [...]nder responsibility of a single agent in the software-to-be becomes a requirement whereas a goal under responsibility of a single agent in the environment of the software-to-be becomes an assumption [Lam98b, Lam98c]. Unlike requirements, assumptions cannot be enforced by the software-to-be; they will hopefully be satisfied thanks to organizational norms and regulations, physical laws, etc.
Why are goals needed?
There are many reasons why goals are so important in the RE process.
• Achieving requirements completeness is a major RE concern. Goals provide a precise criterion for sufficient completeness of a requirements specification; the specification is complete with respect to a set of goals if all the goals can be proved to be achieved from the specification and the properties known about the domain considered [Yue87].
• Avoiding irrelevant requirements is another major RE con[...]rovide a precise criterion for requirements pertinence; a requirement is pertinent with respect to a set of goals in the domain considered if its specification is used in the proof of one goal at least [Yue87].
• Explaining requirements to stakeholders is another impor[...]rovide the rationale for requirements, in a way similar to design goals in design processes [Mos85, Lee91]. A requirement appears because of some underlying goal which provides a base for it [Ros77, Dar91, Som97]. More explicitly, a goal refinement tree provides traceability links from high-level strategic objectives to [...]icular, for business application systems, goals may be used to relate the software-to-be to organizational and business contexts [Yu93].
• Goal refinement provides a natural mechanism for structuring complex requirements documents for increased readability. (This at least has been our experience in all industrial projects we have been involved in, see Section 7.)
• Requirements engineers are faced with many alternatives to be considered during the requirements elaboration pro[...]ensive experience revealed that alternative goal refinements provide the right level of abstraction at which decision makers can be involved for validating choices being made or suggesting other alternatives over[...]ative goal refinements allow alternative system proposals to be explored [Lam00c].
• Managing conflicts among multiple viewpoints is another major RE concern [Nus94]. Goals have been recognized to provide the roots for detecting conflicts among requirements and for resolving them eventually [Rob89, Lam98b].
• Separating stable from more volatile information is another important concern for managing requirements [...]rement represents one particular way of achieving some specific goal; the requirement is therefore more likely to evolve, towards another way of achieving that same goal, [...]her level a goal is, [...] have made that same observation [Ant94]. It turns out that different system versions often share a common set of high-level goals; the current system and the system-to-be correspond to alternative refinements of common goals in the goal refinement graph, and can therefore be integrated into one single goal model (see Section 3).
• Last but not least, goals drive the identification of requirements to support them; they have been shown to be among the basic driving forces, together with scenarios, for a systematic requirements elaboration process [Dar91, Rub92, Dar93, Ant98, Dub98, Kai00, Lam00c]. We will come back to this in Sections 5 and 6.
Where are goals coming from?
Goal identification is not necessarily an easy task [Lam95, Ant98, Hau98, Rol98]. Sometimes they are explicitly stated by stakeholders or in preliminary material available to [...]ten they are implicit so that goal elicitation has to be undertaken.
The preliminary analysis of the current system is an impor[...]alysis usually results in a list of problems and deficiencies that can be for[...]ng those formulations yields a first list of goals to be achieved by the system-to-be.
In our experience, goals can also be identified systematically by searching for intentional keywords in the preliminary documents provided, interview transcripts, etc. [Lam00c].
Once a preliminary set of goals and requirements is obtained and validated with stakeholders, many other goals can be identified by refinement and by abstraction, just by asking HOW and WHY questions about the goals/requirements already available, respectively [Lam95, Lam00c].
More sophisticated techniques for goal refinement and abstraction (notably, from scenarios) will be reviewed in [...]oals are identified by resolving conflicts among goals or obstacles to goal achievement, see Section 5 too.
A common misunderstanding about goal-oriented approaches is that they are inherently top-down; this is by no means the case as it should hopefully be clear now from the discussion above.
When should goals be made explicit?
It is generally argued that goal models are built during the early phases of the RE process [Dar93, Yu97, Dub98]. The basis for the argument is the driving role played by goals in that process; the soonest a goal is identified and validated, [...]es not imply any sort of waterfall-like requirements elaboration process, [...]irements "implement" goals much the same way as programs implement design specifications, there is some inevitable intertwining of goal identification and requirements elaboration [Lam95, Swa82]. Goals may thus sometimes be identified fairly lately in the RE process -- especially when WHY questions about technical details or scenarios, initially taken for granted, are raised lately in the process.
Modeling goals
The benefit of goal modeling is to support heuristic, qualitative or formal reasoning schemes during requirements engineering (see Section 5). Goals are generally modelled by intrinsic features such as their type and attributes, and by their links to other goals and to other elements of a requirements model.
[...]an be of different types. Several classification axes have been proposed in the literature.
Functional goals underlie services that the system is expected to deliver whereas non-functional goals refer to expected system qualities such as security, safety, performance, usability, flexibility, customizability, interoperability, and so forth [Kel90]. This typology is overly general and can [...]mple, satisfaction goals are functional goals concerned with satisfying agent requests; information goals are functional goals concerned with keeping such agents informed about object states [Dar93]. Non-functional [...]mple, accuracy goals are non-functional goals requiring the state of software objects to accurately reflect the state of the corresponding monitored/controlled objects in the environment [Myl92, Dar93] -- such goals are often overlooked in the RE process; their violation may be responsible for major failures [Lam00a]. Performance goals are specialized into time and space performance goals, the former being specialized into response time and throughput goals [Nix93]. Security goals are specialized into confidentiality, integrity and availability goals [Amo94]; the latter can be specialized in turn until [...]axonomy for non-functional goals can be found in [Chu00].
Another distinction often made in the literature is between soft goals, whose satisfaction cannot be established in a clear-cut sense [Myl92], and (hard) goals whose satisfaction can be established through verification techniques [Dar93, Dar96]. Soft goals are especially useful for comparing alternative goal refinements and choosing one that contributes the “best” to them, see below.
Another classification axis is based on types of temporal behaviour prescribed by the goal [Dar93]. Achieve (resp. cease) goals generate system behaviours, in that they require some target property to be eventually satisfied in some future state (); maintain () goals restrict behaviours, in that they require some target property to be permanently satisfied in every future state () [...]ze goals compare behaviours to favor those which better ensure some soft target property.
In a similar vein, [Sut93] proposes a classification according to desired system states (e.g., positive, negative, alternative, feedback, or exception-repair) and to goal level (e.g., policy level, functional level, domain level). [Ant94] makes a distinction between objective goals, that refer to objects in the system, and adverbial goals, that refer to ways of achieving objective goals.
Goal types and taxonomies are used to define heuristics for goal acquisition, goal refinement, requirements derivation, and semi-formal consistency/completeness checking [Dar93, Sut93, Ant98, Chu00, Ant01], or to retrieve goal specifications in the context of specification reuse [Mas97].
[...] their type, goals can also be intrinsically characterized by attributes such as their name and their specification (see Section 4). Priority is another important attribute that can be attached to goals [Dar93]. Qualitative values for this attribute allow mandatory or optional goals to [...]ties are often used for resolving conflicts among goals [Rob89, Lam98b]. Other goal attributes that have been proposed include goal utility and feasibility [Rob89].
[...]fferent types of links have been introduced in the literature to relate goals (a) with each other and (b) [...]nks [...]uss inter-goal links first, and then links between goals and other elements of requirements models such as agents, scenarios, or operations.
Links between goals are aimed at capturing situations where [...]ly borrowed from problem reduction methods in Artificial Intelligence [Nil71], AND/OR graphs may be used to capture goal refinement links [Dar91, Dar93]. AND-refinement links relate a goal to a set of subgoals (called refinement); this means that satisfying all subgoals in the refinement is [...]-refinement links relate a goal to an alternative set of refinements; this means that satisfying one of the refinements is sufficient for satisfy[...] framework, a conflict link between two goals is introduced when the satisfaction of one of them may prevent the other from being satisfied. Those link types are used to capture alternative goal refinements and potential conflicts, and to prove the correctness of goal refinements (see Section 5).
Weaker versions of those link types have been introduced to relate soft goals [Rob89, Myl92, Chu00] as the latter can [...]d of goal satisfaction, goal satisficing is introduced to express that subgoals are expected to achieve the parent goal within acceptable limits, [...]al is then said to contribute partially to the parent goal, regardless of other subgoals; it may contribute positively or negatively. [...]l is AND-decomposed into subgoals and all subgoals are satisficed, then the parent goal is satisficeable; but if a subgoal is denied [...]l contributes negatively to another goal and the former is satisficed, then the [...]ules are used for qualitative reasoning about goal satisficing (see Section 5).
Beside inter-goal links, goals are in general also linked to [...]troduces AND/OR operationalization links to relate goals to the operations which ensure them through corresponding required pre-, post-, and trigger conditions [Lam98c, Lam00c] (the older notion of operationalization [Dar91, Dar93] was revised and simplified from practical experience). Others have used similar links between goals and operations, e.g., [Ant94, Ant98, Kai00]. In [Myl92], the inter-goal contribution link types are extended to capture the positive/negative contribution of requirements to goals; argumentation links are also introduced to connect supporting arguments to contribution links.
There has been a massive amount of work on linking goals and scenarios together -- e.g., [Fic92, Dar93, Pot95, Lei97, Sut98, Ant98, Hau98, Lam98b, Rol98, Kai00, Ant01]. The obvious reason is that scenarios and goals have complementary characteristics; the former are concrete, narrative, procedural, and leave intended properties implicit; the latter are abstract, declarative, and make intended properties explicit. Scenarios and goals thus complement each other nicely for [...]arge the link between a goal and a scenario is a coverage link; the main differences between the various modeling proposals lie in the fact that a scenario may be type-level or instance-level, may be an example or a counter-example of desired behavior, and may exercise a goal or an obstacle to goal achievement.
Goal models may also be related to object models as goal formulations refer to specific objects, e.g., entities, relationships or agents [Dar93]. This link type allows pertinent object models to be systematically derived from goal models [Lam00c].
Various proposals have also been made to relate goals to [...], responsibility links are introduced to relate [...]ay be assigned to alternative agents through OR responsibility links; this allows alternative boundaries to be explored between the software-to-be and its environment. “Responsibility” means that the agent is committed to restrict its behavior by performing the operations it is assigned to only under restricted conditions, namely, those prescribed by the required pre-, post-, and trigger conditions [Dar93]. This notion of responsibility derives from [Fea87, Fin87]; it is studied in depth in [Let01]. Wish links are also sometimes used in heuristics for agent assignment [Dar91]; e.g., one should avoid assigning a goal to an agent wishing other goals in conflict with that goal.
In the i* framework [Yu93, Yu97], various types of agent dependency links are defined to model situations where an agent depends on another for a goal to be achieved, a task to be achieved, [...]h type of dependency an operator is defined; operators may be combined to define plans that agents may use to achieve goals. The purpose of this modelling is to support various kinds of checks such as the viability of an agent's plan or the fulfil[...]gh initially conceived for modeling the organizational environment of the software-to-be, the TROPOS project is currently aiming at propagating this framework to later stages of the software lifecycle, notably, for modeling agent-oriented software architectures.
Various authors have also suggested representing the links between goals and organizational policies, e.g., [Sib93, Fea93, Sut93].
At the process level, it may be useful for traceability purposes [Got95] to record which actor owns which goal or some view of it [Lam98b].
Specifying goals
Goals must obviously be specified precisely to support requirements elaboration, verification/validation, conflict management, negotiation, explanation and evolution.
An informal (but precise) specification should always be given to make it precise what the goal name designates [Zav97a].
Semi-formal specifications generally declare goals in terms of their type, attribute, and links (see Section 3). Such declarations may in general be provided alternatively using a textual or a graphical syntax (see, e.g., [Dar98]). In the NFR framework [Myl92], a goal is specified by the most specific subtype it is an instance of, parameters that denote the object attributes it refers to, and the degree of satisficing/denial by [...]-formal specifications often include key[...]mple, Achieve, Maintain and Avoid verbs in KAOS specify a temporal logic pattern for the goal name appearing as parameter [Dar93]; they implicitly specify that a corresponding target condition should hold some time in the future, always in the future unless some other condition holds, or never in the [...]ent is to provide a lightweight alternative to full formalization of the goal formulation, still amenable to [...]sic set has been extended with qualitative verbs such as Improve, Increase, Reduce, Make, and so forth [Ant98]. In a similar spirit, goals in [Rol98] are represented by verbs with different parameters playing different roles with respect to the verb -- e.g., target entities affected by the goal, beneficiary agents of the goal achievement, resource entities needed for goal achievement, source or destination of a communication goal, etc.
Formal specifications assert the goal formulation in a fully [...], such assertions are written in a real-time linear temporal logic heavily inspired from [Man92, Koy92] with the usual operators over past and future states, bound by time variables; semantically, they capture maximal sets of desired behaviors [Dar93, Let01]. The KAOS language is “2-button” in that the formal assertion layer is optional; it is used typically for critical aspects of the system only.
More formal specifications yield more powerful reasoning schemes at the price of higher specification effort and lower usability by non-experts; the various techniques briefly reviewed here should thus be seen as complementary means rather than alternative ones; their suitability may heavily depend on the specific type of system being considered.
Reasoning about goals
The ultimate purpose of goal modelling and specification is to support some form of goal-based reasoning for RE subprocesses such as requirements elaboration, consistency and completeness checking, alternative selection, evolution management, and so forth.
5.1 Goal verification
One of the benefits of goal-oriented RE is that one can verify that the requirements entail the goals identified, and check that the set of requirements specified is sufficiently complete for the set of goals identified [Yue87]. More precisely, if R denotes the set of requirements, As the set of environmental assumptions, D the set of domain properties, and G the set of goals, the following satisfaction relation must hold for each goal g in G:
R, As, D |= g   with   R, As, D |=/= false
This may be checked informally, or formally if the goal [...] temporal logic specifications one may rely on the proof theory of temporal logic and use tools such as, e.g., STeP [Man96].
A lightweight alternative is to use formal refinement patterns for Achieve, Maintain and Avoid goals [Dar96]. Such patterns are proved correct and complete once for all; refinements in the goal graph are then verified by matching them to one [...]hematical proof [...]ently used pattern is the decomposition-by-milestone pattern that refines a parent Achieve goal
P ⇒ ◊ Q
into two subgoals:
P ⇒ ◊ R,   R ⇒ ◊ Q
where the “◊” temporal operator means “some time in the future”. Another frequently used pattern is the decomposition-by-case pattern that refines the same parent Achieve goal into three subgoals:
P ∧ R ⇒ ◊ Q,   P ⇒ ◊ R,   P ⇒ P W Q
where the “W” temporal operator means “always in the future unless”.
The techniques above can be used for goals that can be said [...]t goals, the qualitative reasoning procedure provided by the NFR framework is particularly appropriate [Myl92]. This procedure determines the degree to which a goal is satisficed/denied by lower-level goals/r[...] link in the goal graph is labelled S (satisficed) if it is satisficeable and not deniable; D (denied) if it is deniable but not satisficeable; C (conflicting) if it is both satisficeable and deniable; and U (undetermined) [...] general idea is to propagate such labels along satisficed links bottom-up, from lower-level nodes ([...]ements) to higher-level nodes (). Additional label values can be assigned at intermediate stages of the procedure, namely, U+ (inconclusive positive support), U- (inconclusive negative support), and ? (requiring user intervention to specify an appropriate label value). Rules for bottom-up propagation of [...]le of application of this framework to performance goals can be found in [Nix93].
5.2 Goal validation
Goals can be validated by identifying or generating scenarios that are covered by them [Hau98]. One may even think of enacting such scenarios to produce animations [Hey98]. The scenario identification process is generally based on heuristics [Sut98, Ant98].
In [And89], plan-based techniques are used to tentatively generate scenarios showing that a goal can be achieved with[...], prohibited conditions and operations are specified formally by simple state [...]mated planner first produces a trial scenario to achieve the goal condition; it then checks for faults in the proposed scenario by looking for scenarios achieving the prohibited conditions; finally it assists the specifier in modifying the set of operations in case faults are found.
[Fic92] explores this deficiency-driven paradigm further. The system is specified by a set of goals, formalized in some restricted temporal logic, a set of scenarios, expressed in a Petri net-like language, and a set of agents producing restricted scenarios to achieve the goals they are assigned to. The general approach consists of (a) trying to detect inconsistencies between scenarios and goals, and (b) applying operators that modify the specification to remove the incon[...] (a) is carried out by a planner that searches [...]rators offered to the analyst in Step (b) encode heuristics for specification debugging -- e.g., introduce an agent whose responsibility is to prevent the state transitions that are the last step [...]re operators for introducing new types of agents with appropriate responsibilities, splitting existing types, introducing communication and synchronization protocols between agents, weakening idealized goals, [...]eated application of deficiency detection and debugging operators allows the analyst to explore the design space and hopefully converge towards a satisfactory specification.
5.3 Goal-based requirements elaboration
The technique just sketched above is a first step towards making verification/validation contribute to the requirements [...]n reason for goal-oriented RE after all is to let goals help elaborating the requirements sup[...]-based elaboration typically consists of a hybrid of top-down and bottom-up processes, plus additional processes driven by the handling of possible abnormal agent behaviors, the management of conflicting goals, the recognition of analogical situations from which specifications can be transposed, [...], however, that for explanatory purposes the resulting requirements document is in general better presented in a top-down way.
Goal/requirement elicitation by refinement
An obvious (but effective) informal technique for finding out subgoals and requirements is to keep asking HOW questions about the goals already identified [Lam95, Lam00c].
Formal goal refinement patterns may also prove effective when goal specifications are formalized; typically, they help finding out subgoals that were overlooked but are needed to [...]er a simple train control system, for example, and the functional goal of train progress through consecutive blocks:
Goal Achieve [TrainProgress]
FormalDef (∀ tr: Train, b: Block) [On(tr, b) ⇒ ◊ On(tr, b+1)]
A particular case that comes directly to mind is when block b+1’s signal is set to ‘go’. Two subgoals coming naturally to mind are the following:
Goal Achieve [ProgressWhenGoSignal]
FormalDef ∀ tr: Train, b: Block
    On(tr, b) ∧ Go[b+1] ⇒ ◊ On(tr, b+1)
Goal Achieve [SignalSetToGo]
FormalDef ∀ tr: Train, b: Block
    On(tr, b) ⇒ ◊ Go[b+1]
This tentative refinement matches the decomposition-by-case pattern in Section 5.1 and therefore allows the following missing subgoal to be pointed out:
Goal Maintain [TrainWaiting]
FormalDef ∀ tr: Train, b: Block
    On(tr, b) ⇒ On(tr, b) W On(tr, b+1)
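The role of the missing TrainWaiting subgoal can be checked mechanically on small cases. The following Python code is an added example, not code from the paper or from the KAOS tools: it enumerates every finite trace of up to three states over P = On(tr,b), R = Go[b+1], Q = On(tr,b+1) and looks for traces that satisfy the subgoals but violate the parent goal. It assumes a finite-trace reading of ◊ and W and is a bounded check, not the once-for-all proof of the patterns cited from [Dar96].

```python
from itertools import product

# Train example: P = On(tr,b), Q = On(tr,b+1), R = Go[b+1]
VARS = ("P", "Q", "R")
STATES = [dict(zip(VARS, bits)) for bits in product([False, True], repeat=3)]

def eventually(trace, i, prop):
    """◊ prop at position i: prop holds at some position j >= i."""
    return any(s[prop] for s in trace[i:])

def unless(trace, i, hold, release):
    """hold W release at i: hold stays true until release occurs, or forever."""
    for s in trace[i:]:
        if s[release]:
            return True
        if not s[hold]:
            return False
    return True  # hold was never broken before the finite trace ended

def whenever(trace, antecedents, consequent):
    """A ⇒ C: at every position where all antecedents hold, C holds there."""
    return all(consequent(trace, i)
               for i, s in enumerate(trace)
               if all(s[a] for a in antecedents))

def train_progress(t):        # parent goal: P ⇒ ◊Q
    return whenever(t, ["P"], lambda tr, i: eventually(tr, i, "Q"))

def progress_when_go(t):      # P ∧ R ⇒ ◊Q
    return whenever(t, ["P", "R"], lambda tr, i: eventually(tr, i, "Q"))

def signal_set_to_go(t):      # P ⇒ ◊R
    return whenever(t, ["P"], lambda tr, i: eventually(tr, i, "R"))

def train_waiting(t):         # P ⇒ P W Q
    return whenever(t, ["P"], lambda tr, i: unless(tr, i, "P", "Q"))

def milestone_second_leg(t):  # R ⇒ ◊Q (decomposition-by-milestone)
    return whenever(t, ["R"], lambda tr, i: eventually(tr, i, "Q"))

def counterexamples(subgoals, parent, max_len=3):
    """Finite traces that satisfy every subgoal yet violate the parent goal."""
    found = []
    for n in range(1, max_len + 1):
        for trace in product(STATES, repeat=n):
            if all(g(trace) for g in subgoals) and not parent(trace):
                found.append(trace)
    return found

def show(trace):
    """Render a trace as the list of variables true in each state."""
    return [sorted(v for v in VARS if s[v]) for s in trace]

if __name__ == "__main__":
    tentative = counterexamples([progress_when_go, signal_set_to_go],
                                train_progress)
    print(len(tentative), "counterexamples, e.g.",
          show(min(tentative, key=len)))
    complete = counterexamples(
        [progress_when_go, signal_set_to_go, train_waiting], train_progress)
    print("with TrainWaiting added:", len(complete))
```

The shortest counterexample to the two-subgoal refinement is the train leaving block b before the signal turns to go, which is exactly the behaviour TrainWaiting rules out.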
Another effective way of driving the refinement process is based on the determination that an agent candidate to goal assignment cannot realize the goal, e.g., because it cannot monitor the variables appearing in the goal antecedent or control the variables appearing in the goal consequent. [Let01] gives a set of conditions for goal unrealizability; this set is proved complete and provides the basis for a rich, systematic set of agent-driven refinement tactics for generating realizable subgoals and auxiliary agents.
Goal/requirement elicitation by abstraction
An obvious (but effective) informal technique for finding out more abstract, parent goals is to keep asking WHY questions about operational descriptions already available [Lam95, Lam00c].
More sophisticated techniques have been devised to elicit [...]n a bidirectional coupling between type-level scenarios and goal verb templates as discussed in Section 4, [Rol98] proposes heuristic rules for finding out alternative goals covering a scenario (corresponding to alternative values for the verb parameters), missing companion goals, or subgoals of the goal under con[...]e formal side, [Lam98c] describes an inductive learning technique that takes scenarios as examples and counterexamples of intended behavior and generates goal specifications in temporal logic that cover all the positive scenarios and exclude all the negative ones.
Note also that refinement patterns when applied in the reverse way correspond to abstraction patterns that may produce more coarse-grained goals.
Goal operationalization
A few efforts have been made to support the process of deriving pre-, post-, and trigger conditions on software operations so as to ensure the terminal goals in the refinement [...]nciple is to apply derivation rules whose premise matches the goal under consideration [Dar93, Let01]. Consider, for example, the following goal:
Goal Maintain [DoorsClosedWhileMoving]
FormalDef ∀ tr: Train, loc, loc’: Location
    At(tr, loc) ∧ o At(tr, loc’) ∧ loc <> loc’
    ⇒ ='closed' ∧ o (='closed')
where the “o” temporal operator means “in the next state”. Applying the following derivation rule
G: P ∧ (P1 ∧ o P2 ⇒ Q1 ∧ o Q2),   DomPre: P1,   DomPost: P2
---------------------------------------------------------------------
ReqPre for G: Q1,   ReqPost for G: Q2
we derive the following operationalization:
Operation Move
Input tr: Train; loc, loc’: Location; Output At
DomPre At(tr, loc) ∧ loc <> loc’
DomPost At(tr, loc’)
RequiredPre for DoorsClosedWhileMoving: ='closed'
RequiredPost for DoorsClosedWhileMoving: ='closed'
Analogical reuse
Goal-based specifications can also be acquired by retrieving structurally and semantically analog specifications in a repository of reusable specification components, and then transposing the specifications found according to the structural and semantic matching revealed by the retrieval process [Mas97].
Obstacle-driven elaboration
First-sketch specifications of goals, requirements and assumptions are often too ideal; they are likely to be violated from time to time in the running system due to unexpected [...]k of anticipation of exceptional behaviors may result in unrealistic, unachievable and/or incomplete requirements.
Such exceptional behaviors are captured by assertions called [...]acle O is said to obstruct a goal G in a domain Dom iff
{O, Dom} |= ¬ G      obstruction
Dom |=/= ¬ O      domain consistency
Obstacles thus need to be identified and resolved at RE time in order to produce robust requirements and hence more reli[...]ion of obstacle was just mentioned in [Yue87]. It was elaborated further in [Pot95] where scenarios are shown to be a good vehicle for identifying goal obstruc[...]uristics for identifying obstacles can be found in [Pot95] and [Ant98]. More formal techniques are described in [Lam98a] and then [Lam00a] for:
• the abductive generation of obstacles from goal specifications and domain properties,
• the systematic generation of various types of obstacle resolution, e.g., goal substitution, agent substitution, goal weakening, goal restoration, obstacle mitigation, or obstacle prevention.
Obstacles can also be resolved at runtime in some cases, see [Fea98].
5.4 Conflict management
Requirements engineers live in a world where conflicts are the rule, not the exception [Eas94]. Conflicts generally arise from multiple viewpoints and concerns [Nus94]. They must be detected and eventually resolved even though they may be temporarily useful for eliciting further information [Hun98]. Various forms of conflict are studied in [Lam88b], in particular, a weak form called divergence which occurs frequently in practice.
The goals G1, ..., Gn are said to be divergent iff there exists a non-trivial boundary condition B such that:
{B, ∀i Gi, Dom} |= false      inconsistency
{B, ∀j≠i Gj, Dom} |=/= false      minimality
(“Non-trivial” means that B is different from the bottom false and the complement ¬ ∀i Gi). Note that the traditional case of conflict, in the sense of logical inconsistency, amounts to a particular case of divergence.
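The obstruction conditions given under obstacle-driven elaboration and the divergence conditions above both reduce to entailment and consistency checks. The following Python code is an added example, not code from the paper or its tools: it tests both definitions by truth-table enumeration. It assumes that goals, obstacles, boundary conditions and domain properties are flattened to propositional formulas (the paper states them in temporal logic), that minimality is checked for every i, and the train-control variables and formulas are constructed for illustration.

```python
from itertools import product

def models(variables, formulas):
    """Every truth assignment over `variables` satisfying all formulas."""
    envs = (dict(zip(variables, bits))
            for bits in product([False, True], repeat=len(variables)))
    return [e for e in envs if all(f(e) for f in formulas)]

def consistent(variables, formulas):
    """formulas |=/= false"""
    return bool(models(variables, formulas))

def entails(variables, premises, conclusion):
    """premises |= conclusion"""
    return all(conclusion(e) for e in models(variables, premises))

def obstructs(variables, obstacle, goal, dom):
    """{O, Dom} |= ¬G (obstruction) and Dom |=/= ¬O (domain consistency)."""
    obstruction = entails(variables, [obstacle] + dom, lambda e: not goal(e))
    domain_consistency = not entails(variables, dom,
                                     lambda e: not obstacle(e))
    return obstruction and domain_consistency

def divergent(variables, boundary, goals, dom):
    """B is a non-trivial boundary condition making the goals divergent."""
    conj = lambda e: all(g(e) for g in goals)
    inconsistency = not consistent(variables, [boundary] + goals + dom)
    minimality = all(
        consistent(variables, [boundary] + goals[:i] + goals[i + 1:] + dom)
        for i in range(len(goals)))
    everything = models(variables, [])
    is_bottom = not any(boundary(e) for e in everything)
    is_complement = all(boundary(e) == (not conj(e)) for e in everything)
    return (inconsistency and minimality
            and not is_bottom and not is_complement)

# --- Constructed sample 1: obstacles to a door-safety goal -----------------
DOOR_VARS = ["moving", "doors_closed", "actuator_failed"]
doors_goal = lambda e: (not e["moving"]) or e["doors_closed"]
door_dom = [lambda e: (not e["actuator_failed"]) or not e["doors_closed"]]
moving_with_failure = lambda e: e["moving"] and e["actuator_failed"]
failure_only = lambda e: e["actuator_failed"]
closed_yet_failed = lambda e: e["doors_closed"] and e["actuator_failed"]

# --- Constructed sample 2: safety goal versus punctuality goal -------------
SPEED_VARS = ["train_ahead_close", "behind_schedule", "braking"]
safe = lambda e: (not e["train_ahead_close"]) or e["braking"]
punctual = lambda e: (not e["behind_schedule"]) or not e["braking"]
close_and_late = lambda e: e["train_ahead_close"] and e["behind_schedule"]
close_only = lambda e: e["train_ahead_close"]
plain_negation = lambda e: not (safe(e) and punctual(e))

if __name__ == "__main__":
    for name, o in [("moving_with_failure", moving_with_failure),
                    ("failure_only", failure_only),
                    ("closed_yet_failed", closed_yet_failed)]:
        print(name, "obstructs:", obstructs(DOOR_VARS, o, doors_goal, door_dom))
    for name, b in [("close_and_late", close_and_late),
                    ("close_only", close_only),
                    ("plain_negation", plain_negation)]:
        print(name, "divergence:", divergent(SPEED_VARS, b, [safe, punctual], []))
```

The `closed_yet_failed` candidate satisfies the obstruction condition only vacuously and is rejected by domain consistency; `plain_negation` is rejected as a trivial boundary condition.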
Divergences need to be identified and resolved at RE time in [...] and heuristic techniques are described in [Lam98b] for:
• the abductive generation of boundary conditions from goal specifications and domain properties,
• the systematic generation of various types of divergence resolution.
A qualitative procedure is suggested in [Rob89] for handling [...]a is to detect them at requirements level [...]r of the procedure first identifies the requirements elements that correspond to each other in the various viewpoints at hand; conflict detection is then carried out by mapping syntactic differences between the corresponding requirements elements to differences in values of variables involved in the [...]ct resolution is attempted next by appealing to compromises (e.g., through compensations or restriction specialization), or goal substitu[...]y, the conflict resolution at goal level is down propagated to the requirements level.
5.5 Goal-based negotiation
Conflict resolution often requires negotiation. [Boe95] proposes an iterative 3-step process model for goal-based nego[...] iteration of a spiral model for requirements elaboration,
(1) all stakeholders involved are identified together with their wished goals (called win conditions);
(2) conflicts between the goals are captured together with their associated risks and uncertainties;
(3) goals are reconciled through negotiation to reach a mutually agreed set of goals, constraints, and alternatives for the next iteration.
5.6 Alternative selection
Which goal refinement should be selected when alternative ones are identified? Which agent assignment should be selected when alternative ones are identified? This is by and [...]re local tactics of course, such as favoring alternatives with less critical obstacles or conflicts, but a systematic approach has not emerged so far in the RE literature.
One promising direction would be to use qualitative reasoning schemes à la NFR [Myl92] to select an alternative refinement that contributes the best to the satisficing of soft goals related to cost, reliability, [...]riteria analysis techniques could be helpful here.
Goal-oriented RE method in action
It is now time to demonstrate how some of the techniques reviewed above can fit together in a goal-oriented RE [...] back to a case study we have already presented in [Lam00c] because it illustrates many of the issues raised here; the initial document is unbiased as it comes from an independent source involved in the development; it is publicly available [BAR99] -- unlike most documents from the industrial projects we have been involved in; the system is a real, complex, real-time, safety-critical one (this allows one to suggest that goal-oriented RE is not only useful for business applications). The initial document focuses on the control of speed and acceleration of trains under responsibility of the Advanced Automatic Train Control being developed for the San Francisco Bay Area Rapid Transit (BART) system.
WefollowtheKAOSmethod[Dar93,Lam95,Lam00c]in
ordertoincrementallyelaboratefourcomplementarysub-
models:(1)thegoalmodel,(2)theobjectmodel;(3)the
agentresponsibilitymodel,leadingtoalternativesystem
boundaries;(4)lrefinement
graphilaboratedbyelicitinggoalsfromavailablesources
andaskingwhyandhowquestions(goalelaborationstep);
objects,relationshipsandattributesarederivedfromthegoal
specifications(objectmodelingstep);agentsareidentified,
alternativeresponsibilityassignmentsareexplored,and
agentinterfacesarederived(responsibilityassignmentstep);
8
operationsandtheirdomainpre-andpostconditionsare
identifiedfromthegoalspecifications,andstrengthenedpre-
/postconditionsandtriggerconditionsarederivedsoasto
ensurethecorrespondinggoals(operationalizationstep).
Thestepsarenotstrictlyquentialasprogressinonestep
maypromptparallelprogressinthenextoneorbacktracking
toapreviousone.
Theprentationwillbesketchyforlackofspace;theinter-
estedreadermayreferto[Let01]foramuchgreaterlevelof
details.
Goal identification from the initial document
A first set of goals is identified from a first reading of the available source [BART99] by searching for intentional keywords such as “objective”, “purpose”, “intent”, “concern”, “in order to”,
r of soft goals are thereby identified, e.g., “ServeMorePassengers”, “NewTracksAdded”, “Minimize[DevelopmentCosts]”, “Minimize[DistanceBetweenTrains]”, “SafeTransportation”,
oals are qualitatively related to each other through support links: Contributes (+), ContributesStrongly (++), Conflicts (-), ConflictsStrongly (--).
possible, keywords from the semi-formal layer of the KAOS
ntain and Avoid keywords specify “always” goals having the temporal pattern □(P → Q) and □(P → ¬Q),
Achieve keyword specifies “eventually” goals having the pattern P ⇒ ◊
“→” connective denotes logical implication; □(P → Q) is denoted by P ⇒ Q for short.
denote soft-goals, parallelograms denote formalizable goals, arrows denote goal-subgoal links, and a double line linking arrows denotes an OR-refinement into alternative subgoals.
Formalizing goals and identifying objects
The object modeling step can start as soon as goals can be
nciple here is to identify objects, relationships and attributes from goal specifica-
er, for example, the following goal at the bottom of Figure 1:
Goal Maintain[TrackSegmentSpeedLimit]
InformalDef A train should stay below the maximum speed the track segment can handle.
FormalDef ∀ tr: Train, s: TrackSegment:
On(tr, s) ⇒ ≤ imit
From the predicate, objects, and attributes appearing in this goal formalization we derive the following portion of the object model:
Similarly, the other goal at the bottom of Figure 5 is specified as follows:
Goal Maintain[WCS-DistBetweenTrains]
InformalDef A train should never get so close to a train in front so that if the train in front stops suddenly (e.g., derailment) the next train would hit it.
FormalDef ∀ tr1, tr2: Train:
Following(tr1, tr2) ⇒ > -Dist
(The InformalDef statements in those goal definitions are taken literally from the initial document; WCS-Dist denotes the physical worst-case stopping distance based on the physical speed of the train.) This new goal specification allows the above portion of the object model to be enriched with Loc and WCS-Dist attributes for the Train object together with a
malization of the goal Avoid[TrainEnteringClosedGate] in Figure 1 will further enrich the object model by elements that are strictly neces-
hus provide a precise driving criterion for identifying elements of the object model.
Eliciting new goals through WHY questions
It is often the case that higher-level goals underpinning goals easily identified from initial sources are kept implicit in such
y, however, be useful for finding out other important subgoals of the higher-level goal that were missing for the higher-level goal to be achieved.
As mentioned before, higher-level goals are identified by asking WHY questions about the goals available.
For example, asking a WHY question about the goal Maintain[WCS-DistBetweenTrains] yields the parent goal Avoid[TrainCollision]; asking a WHY question about the goal Avoid[TrainEnteringClosedGate] yields a new portion of the goal graph, shown in Figure 2.
In this goal subgraph, the companion subgoal Maintain[GateClosedWhenSwitchInWrongPosition] was elicited formally by matching a formal refinement pattern to the formalization of the parent goal Avoid[TrainOnSwitchInWrongPosition], found by a WHY question, and to the formalization of the initial goal Avoid[TrainEnteringClosedGate] [Dar96, Let01]. The dot joining the two lower refinement links together in Figure 2 means that the refinement is (provably) complete.
Figure 1 - Preliminary goal graph for the BART system (nodes: ServeMorePassengers, Max[TrainSpeed], NewTracksAdded, Minimize[Costs], Min[DistanceBetweenTrains], SafeTransport, Avoid[TrainEnteringClosedGate], Maintain[WCS-DistBetweenTrains], Maintain[TrackSegmentSpeedLimit], Min[DvlptCosts], Min[OperationCosts])
Object model portion: TrackSegment (SpeedLimit: SpeedUnit) and Train (Speed: SpeedUnit), linked by the On relationship
Eliciting new goals through HOW questions
Goals need to be refined until subgoals are reached that can be assigned to individual agents in the software-to-be and in
al goals become requirements in the former case and assumptions in the latter.
More concrete goals are identified by asking HOW ques-
mple, a HOW question about the goal Maintain[WCS-DistBetweenTrains] in Figure 1 yields an extension of the goal graph shown in Figure 3.
The formalization of the three subgoals in Figure 3 may be used to prove that together they entail the parent goal Maintain[WCS-DistBetweenTrains] formalized before [Let01]. The subgoals need be refined in turn until assignable subgoals
ete refinement tree is given in Annex 1.
Identifying potential responsibility assignments
Annex 1 also provides a possible goal assignment among
signment seems the one suggested in the initial document [BAR99]. For example, the accuracy goal Maintain[AccurateSpeed/PositionEstimates] is assignable to the TrackingSystem agent; the goal Maintain[SafeTrainResponseToCommand] is assignable to the OnBoardTrainController agent; the goal Maintain[SafeCmdMsg] is assignable to the Speed/AccelerationControlSystem agent.
It is worth noticing that goal refinements and agent assignments are both captured by AND/
ative refinements and assignments can be (and probably have been)
mple, the parent goal Maintain[WCS-DistBetweenTrains] in Figure 3 may alternatively be refined by the following three Maintain subgoals:
PrecedingTrainSpeed/PositionKnownToFollowingTrain
SafeAccelerationBasedOnPrecedingTrainSpeed/Position
NoSuddenStopOfPrecedingTrain
The second subgoal above could be assigned to the OnBoard-
ternative would give rise to a fully distributed system.
As suggested before, qualitative reasoning techniques in the style of [Myl99] might be applied to the soft goals identified in Figure 1 to help make choices among alternatives.
Deriving agent interfaces
Let us now assume that the goal Maintain[SafeCmdMsg] at the bottom of the tree in Annex 1 has been actually assigned to the Speed/
erfaces of this agent in terms of monitored and controlled variables can be derived from the formal specification of this goal (we just take its general form here for sake of simplicity):
Goal Maintain[SafeCmdMsg]
FormalDef ∀ cm: CommandMessage, ti1, ti2: TrainInfo
∧ D = D ∧ FollowingInfo(ti1, ti2)
⇒ ≤ F(ti1, ti2) ∧ > G(ti1)
To fulfil its responsibility for this goal the Speed/AccelerationControlSystem agent must be able to evaluate the goal ante-
nt’s
ereas its con-
nd
ter will in turn become monitored variables of the OnBoardTrainController agent, by similar
hnique for deriving the agent’s monitored and controlled variables is fairly systematic, see [Let01] for details.
Identifying operations
The operationalization step starts by identifying the operations relevant to goals and defining their domain pre- and
efer to specific state transitions; for each such transition an operation causing it is identified; its domain pre- and postcondition capture the state transition. For the goal Maintain[SafeCmdMsg] formalized above we get, for example,
Operation SendCommandMessage
Input Train {arg tr}
Output CommandMessage {res cm}
DomPre ¬
∧ D =
This definition minimally captures what any sending of a command to a train is about in the domain considered; it does not ensure any of the goals it should contribute to.
Figure 2 - Enriching the goal graph by WHY elicitation (nodes: Avoid[TrainEnteringClosedGate], Maintain[TrainOnCorrectLine], Avoid[TrainOnSwitchInWrongPosition], Maintain[GateClosedWhenSwitchInWrongPosition])
Figure 3 - Goal refinement (nodes: Maintain[WCS-DistBetweenTrains], Maintain[SafeSpeed/AccelerationCommanded], Maintain[SafeTrainResponseToCommand], Maintain[NoSuddenStopOfPrecedingTrain])
Operationalizing goals
The next operationalization sub-step is to strengthen such domain conditions so that the various goals linked to the
ls assigned to software agents, this step produces requirements on the operations for the cor-
ioned before, derivation rules for an operationalization calculus are available [Dar93, Let01]. In our example, they yield the following requirements that strengthen the domain pre- and postconditions:
Operation SendCommandMessage
Input Train {arg tr}, TrainInfo; Output CommandMsg {res cm}
DomPre ...; DomPost ...
ReqPost for SafeCmdMsg:
Tracking(ti1, tr) ∧ Following(ti1, ti2)
→ ≤ F(ti1, ti2) ∧ > G(ti1)
ReqTrig for CmdMsgSentInTime:
I ≤0.5 sec
¬∃ cm2: CommandMessage:
∧ D =
(The trigger condition captures an obligation to trigger the operation as soon as the condition gets true and provided the
xample above the condition says that no command has been sent in every past state up to one half-second [BAR99].)
Using a mix of semi-formal and formal techniques for goal-oriented requirements elaboration, we have reached the level at which most formal specification techniques would start.
Anticipating obstacles
As mentioned before, goals also provide a basis for early generation of high-level exceptions which, if handled properly at requirements engineering time, may generate new requirements for more robust systems.
The following obstacles were generated to obstruct the subgoal Achieve[CommandMsgIssuedInTime]:
CommandMsgNotIssued,
CommandMsgIssuedLate,
CommandMsgSentToWrongTrain
For the companion subgoal Achieve[CommandMsgDeliveredInTime] we similarly generated obstacles such as:
CommandMsgDeliveredLate,
CommandMsgCorrupted
The last companion subgoal Maintain[SafeCmdMsg] may be obstructed by the condition
UnsafeAcceleration,
tacle generation process for a single goal results in a goal-anchored fault-tree, that is, a refinement tree
ed with standard fault-tree analysis [Lev95], obstacle analysis is goal-oriented, formal, and produces obstacle trees that are provably complete with respect to what is known about the domain [Lam00a].
Alternative obstacle resolutions may then be generated to
mple, the obstacle CommandMsgSentLate above could be resolved by an alternative design in which accelerations are calculated by the on-board train controller instead; this would correspond
tacle UnsafeAcceleration above could be resolved by assigning the responsibility for the subgoal SafeAccelerationCommanded of the goal Maintain[SafeCmdMsg] to the VitalStationComputer agent instead [BART99]; this would correspond to an agent substitution
acle mitigation strategy could be applied to resolve the obstacle OutOfDateTrainInfo obstructing the accuracy goal Maintain[AccurateSpeed/PositionEstimates], by introducing a new subgoal of the goal Avoid[TrainCollisions], namely, the goal Avoid[CollisionWhenOutOfDateTrainInfo]. This new goal has to be refined in turn, e.g., by subgoals requiring full braking when the message origination time tag has expired.
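The half-second trigger condition on SendCommandMessage and two of the obstacles listed above can be checked against a log of send events; the following is an added example, not code from the paper or from the KAOS/GRAIL tools. The log format, the train identifiers, the assumption that a command was sent at the start of the trace, and the mapping of overdue windows to the obstacle names CommandMsgIssuedLate and CommandMsgNotIssued are all assumptions of this example.

```python
"""Added example: monitor for the half-second trigger on SendCommandMessage."""
from collections import defaultdict

PERIOD = 0.5  # seconds, the bound quoted in ReqTrig for CmdMsgSentInTime


def overdue_windows(sent, trains, start, end, period=PERIOD):
    """Find, per train, the intervals in which the trigger condition held
    (no command sent to that train during the past `period` seconds) while
    the operation was not applied.

    Each window is (from, to, obstacle). The obstacle label is this example's
    own reading: a window closed by a later command is CommandMsgIssuedLate,
    a window still open at the end of the trace is CommandMsgNotIssued.
    """
    times = defaultdict(list)
    for t, train in sent:
        times[train].append(t)

    report = {}
    for train in trains:
        last = start          # assumption: a command was sent at `start`
        windows = []
        for t in sorted(times[train]):
            if t - last > period:
                windows.append((last + period, t, "CommandMsgIssuedLate"))
            last = t
        if end - last > period:
            windows.append((last + period, end, "CommandMsgNotIssued"))
        report[train] = windows
    return report


# Constructed log of (time in seconds, train id) send events.
SENT = [(0.5, "T1"), (0.5, "T2"), (1.0, "T1"), (1.5, "T1"), (1.75, "T2"),
        (2.0, "T1"), (2.5, "T1"), (3.0, "T1")]

if __name__ == "__main__":
    for train, windows in overdue_windows(SENT, ["T1", "T2"], 0.0, 3.0).items():
        print(train, windows)
```
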
Handling conflicts
The initial BART document suggests an interesting example of divergence [BART99, p.13]. Roughly speaking, the train commanded speed may not be too high, because otherwise it forces the distance between trains to be too high, in order to achieve the DistanceIncreasedWithCommandedSpeed subgoal of the SafeTransportation goal; on the other hand, the commanded speed may not be too low, in order to achieve the LimitedAccelerAbove7mphOfPhysicalSpeed subgoal of the
eems to be a flavor of divergence here.
We therefore look at the formalization of the suspect goals:
Goal Maintain[CmdedSpeedCloseToPhysicalSpeed]
FormalDef ∀ tr: Train
CM ≥ 0 ⇒ CM ≤ + f(dist-to-obstacle)
and
Goal Maintain[CmdedSpeedAbove7mphOfPhysicalSpeed]
FormalDef ∀ tr: Train
CM ≥ 0 ⇒ CM > + 7
The two goals are formally detected to be divergent using the techniques described in [Lam98b]. The generated boundary condition for making them logically inconsistent is
◊ (∃ tr: Train) ( CM ≥ 0 ∧ f(dist-to-obstacle) ≤ 7)
The resolution operators from [Lam98b] may be used to generate possible resolutions; in this case one should keep the safety goal as it is and weaken the other conflicting goal to remove the divergence:
Goal Maintain[CmdedSpeedAbove7mphOfPhysicalSpeed]
FormalDef ∀ tr: Train
CM ≥ 0 ⇒ CM > + 7
∨ f(dist-to-obstacle) ≤ 7
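The divergence, its boundary condition and the effect of the weakening can be reproduced by exhaustive search over a small grid of situations; this is an added example, not the formal technique of [Lam98b] and not code from the paper. It assumes that the terms missing from the formulas above are the commanded acceleration (antecedent), the commanded speed and the physical speed, and it treats the value of f(dist-to-obstacle) as an input; all variable names and grid values are constructed.

```python
"""Added example: brute-force divergence check for the two BART speed goals."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class TrainState:
    acc_cm: float    # commanded acceleration (assumed antecedent variable)
    speed_cm: float  # commanded speed, mph (assumed)
    speed: float     # physical speed, mph (assumed)
    margin: float    # value of f(dist-to-obstacle), mph


def close_to_physical(s):
    """Maintain[CmdedSpeedCloseToPhysicalSpeed], the safety goal."""
    return s.acc_cm < 0 or s.speed_cm <= s.speed + s.margin


def above_7mph(s):
    """Maintain[CmdedSpeedAbove7mphOfPhysicalSpeed], as first formalized."""
    return s.acc_cm < 0 or s.speed_cm > s.speed + 7


def above_7mph_weakened(s):
    """The same goal weakened with the disjunct f(dist-to-obstacle) <= 7."""
    return above_7mph(s) or s.margin <= 7


def boundary_condition(acc_cm, margin):
    """State part of the generated boundary condition."""
    return acc_cm >= 0 and margin <= 7


# Constructed grid of situations; every value is a multiple of 0.5 so the
# float comparisons are exact.
ACCS = (-1.0, 0.0, 1.0)
SPEEDS = (0.0, 10.0, 30.0, 60.0)
MARGINS = (0.0, 3.5, 7.0, 7.5, 10.0, 20.0)
CANDIDATES = [i / 2 for i in range(201)]  # commanded speeds 0.0 .. 100.0 mph


def feasible_commands(acc_cm, speed, margin, goals):
    """Commanded speeds that satisfy every goal in the given situation."""
    return [c for c in CANDIDATES
            if all(g(TrainState(acc_cm, c, speed, margin)) for g in goals)]


def divergent_situations(goals):
    """Situations in which no commanded speed satisfies all goals together."""
    return {(a, v, m) for a, v, m in product(ACCS, SPEEDS, MARGINS)
            if not feasible_commands(a, v, m, goals)}


if __name__ == "__main__":
    strict = divergent_situations([close_to_physical, above_7mph])
    expected = {(a, v, m) for a, v, m in product(ACCS, SPEEDS, MARGINS)
                if boundary_condition(a, m)}
    print("situations with no admissible command:", len(strict))
    print("exactly the boundary condition:", strict == expected)
    weak = divergent_situations([close_to_physical, above_7mph_weakened])
    print("situations left after weakening:", len(weak))
```
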
Figure 4 - Conflict in speed/acceleration control (nodes: ServeMorePsgers, SmoothMove, Min[DistBetwTrains], Max[TrainSpeed], SafeTransport, LimitedAccelerWhenCmdedSpeedAbove7mphOfPhysicalSpeed, DistanceBetweenTrainsIncreasedWithCmdedSpeed, Maintain[CmdedSpeedCloseToPhysicalSpeed], Maintain[CmdedSpeedAbove7mphOfPhysicalSpeed])
ence and tool support
The purpose of this paper is obviously not to deliver an
d just like to mention here that experience with goal-oriented requirements engineering is growing significantly, in different domains, different types of projects,
mple, Anton and colleagues have reported their experience with BPR applications [Ant94] and various electronic commerce systems [Ant98, Ant01]. Our understanding is that the NFR and i* frameworks have been experienced in real settings as well.
Our KAOS method has been used in 11 industrial projects to
nclude the goal-oriented reengineering of a complex, unintelligible requirements document for a phone system on TV cable; the goal-oriented modeling of a complex air traffic control application; the goal-oriented engineering of requirements for a variety of systems such as: a copyright management system for a major editor of cartoon strips, a management system for a hospital emergency service, a drug delivery management system for a big drug distributor, a new information system for a big daily newspaper, a web-based job information server, a web-based language translation system,
an idea, the copyright management system has 65 goals, 75 entity types and relationships, 11 agents, and 45 operations;
e of the goal refinement graph for the other applications ranges from 50 to 100 goals and requirements.
Those projects could not have been undertaken without tool
rent GRAIL environment provides a graphical editor tightly coupled with a syntax-directed editor, an object-oriented specification database server supporting queries for model analysis, static semantics checkers, view filtering mechanisms, a HTML generator for model browsing in hypertext mode, and various types of report generators. Current efforts are devoted to an open, full Java version; the plan then is to integrate more formal support such as animators, model checkers, test data generators, formal verification tools, and so forth.
ientation beyond RE
It has been suggested recently that the functional and (especially) non-functional goals elaborated in the RE process could be used for deriving and refining architectures [Lam00c] and for annotating design patterns [Chu00]. These are just preliminary efforts that should be expanded in a near future.
sion
Goal-oriented requirements engineering has many advantages, some of which were recurrently felt in the aforementioned projects, to restate a few of them:
• object models and requirements can be derived systematically from goals;
• goals provide the rationale for requirements;
• a goal graph provides vertical traceability from high-level strategic concerns to low-level technical details; it allows evolving versions of the system under consideration to be integrated as alternatives into one single framework;
• goal AND/OR graphs provide the right abstraction level at which decision makers can be involved for important decisions;
• the goal refinement structure provides a comprehensible structure for the requirements document;
• alternative goal refinements and agent assignments allow alternative system proposals to be explored;
• goal formalization allows refinements to be proved correct and complete.
We hope to have convinced the reader that this area of RE is
re many open issues to work on in the future, of course; the reader may refer to [Lam00c] for a discussion of them.
sions with Robert Darimont and Emmanuel Letier were a permanent source of inspiration and confrontation of some of the issues raised in this paper; they were in particular instrumental in developing KAOS specifications for various non-trivial systems, including the one outlined here [Let01]. I am also grateful to the KAOS/GRAIL crew at CEDITI for using some of the ideas presented here in industrial projects and providing regular feedback, among others, Emmanuelle Delor, Philippe Massonet, and André
people whose work is mentioned in this paper had some influence on it in some way or another (whether they recognize and like it or not!).
References
[Amo94] o, ce-Hall, 1994.
[And89] , "A Proposed Perspective Shift: Viewing Specification Design as a Planning Problem", -shop on Software Specification and Design, IEEE, 1989, 177-184.
[Ant94] , ken, , "Goal Decomposition and Scenario Analysis in Business Process Reengineering", Proc. CAISE'94, LNCS 811, Springer-Verlag, 1994, 94-104.
[Ant98] , "The Use of Goals to Surface Requirements for Evolving Systems", -98: 20th International Conference on Software Engineering, Kyoto, April 1998.
[Ant01] , , o, , "Deriving Goals from a Use-Case Based Requirements Specification", Requirements Engineering Journal, Vol. 6, 2001, 63-73.
[BAR99] Bay Area Rapid Transit District, Advance Automated Train Control System, National Labs,
/.
[Ber91] s and Luqi, -ison-Wesley, 1991.
[Boe95] , , tz, and Ming June Lee, "Software Requirements Negotiation and Renegotiation Aids: A Theory-W Based Spiral Approach", ware Engineering, Seattle, 1995, pp. 243-253.
[Chu00] , , ulos, Non-functional
Academic, Boston, 2000.
[Dar91] ne, sweerde, "Goal-Directed Concept Acquisition in Requirements Elicitation", -6-6th op on Software Specification and Design, Como, 1991, 14-21.
[Dar93] ne, , "Goal-Directed Requirements Acquisition", Science of Computer Programming, Vol. 20, 1993, 3-50.
[Dar96] sweerde, "Formal Refinement Patterns for Goal-Driven Requirements Elaboration", ’4- oundations of Software Engineering, San Francisco, October 1996, 179-190.
[Dar98] nt, , et, sweerde, "GRAIL/KAOS: An Environment for Goal-Driven Requirements Engineering", ’ware Engineering, Kyoto, April 1998, vol. 2, 58-62. (Earlier and shorter version found in ’ware Engineering, Boston, May 1997, 612-613.)
[Dub98] , , "From Early to Late Formal Requirements: A Process-Control Case Study", ’98 - 9th International Workshop on Software Specification and Design, Isobe, IEEE CS Press, April 1998, 34-42.
[Dwy99] , t, "Patterns in Property Specifications for Finite-State Verification", -99: 21st International Conference on Software Engineering, Los Angeles, 411-420.
[Eas94] brook, "Resolving Requirements Conflicts with Computer-Supported Negotiation". In Requirements Engineering: Social and Technical Issues, (Eds.), Academic Press, 1994, 41-65.
[Fea87] r, "Language Support for the Specification and Development of Composite Systems", ramming Languages and Systems 9(2), Apr. 87, 198-234.
[Fea93] r, "Requirements Reconnoitering at the Juncture of Domain and Instance", ’irements Engineering, Jan. 1993, 73-77.
[Fea98] r, , sweerde, d, "Reconciling System Requirements and Runtime Behaviour", Proc. IWSSD’98 - 9th International Workshop on Software Specification and Design, Isobe, IEEE CS Press, April 1998.
[Fic92] , "Knowledge Representation and Reasoning in the Design of Composite Systems", ware Engineering, June 1992, 470-482.
[Fin87] , "Building Formal Specifications Using Structured Common Sense", -4-4th International Workshop on Software Specification and Design (Monterey, Ca.), IEEE, April 1987, 108-113.
[Fow97] , n-Wesley, 1997.
[Got95] stein, "Contribution Structures", Proc. RE’irements Engineering, York, IEEE, 1995, 100-107.
[Gro01] , "From Non-Functional Requirements to Design through Patterns", Requirements Engineering Journal Vol. 6, 2001, 18-36.
[Hau98] , , haupt, "Requirements Elicitation and Validation with Real World Scenes", are. Engineering, Special Issue on Scenario Management, December 1998, 1036-1054.
[Hey98] , "Scenario-Based Techniques for Supporting the Elaboration and the Validation of Formal Requirements", Requirements Engineering Journal Vol. 3 No. 3-4, 1998, 202-218.
[Hic74] , , ll, System Development
olland, 1974.
[Hun98] eh, "Managing Inconsistent Specifications: Reasoning, Analysis and Action", ACM Transactions on Software Engineering and Methodology, r 1998, 335-367.
[Jac95] n, Software Requirements & Specifications - A Lexicon of Practice, ss, Addison-Wesley, 1995.
[Jar93] , "Vision-Driven Requirements Engineering", 8.1 Working Conference on Information System Development Process, North Holland, 1993, 3-22.
[Kai00] , "A Design Process Based on a Model Combining Scenarios with Goals and Functions", ems, Man and Cybernetic, Vol. 30 No. 5, September 2000, 537-551.
[Kel90] , , "Specifying Software Quality Requirements with Metrics", in Tutorial: System and Software Requirements Engineering, n, Eds., IEEE Computer Society Press, 1990, 145-163.
[Koy92] s, Specifying message passing and time-critical systems with temporal logic, LNCS 651, Springer-Verlag, 1992.
[Lam95] sweerde, nt, et, "Goal-Directed Elaboration of Requirements for a Meeting Scheduler: Problems and Lessons Learnt", ’ Requirements Engineering, March 1995, 194-203.
[Lam98a] , "Integrating Obstacles in Goal-Driven Requirements Engineering", -98: 20th International Conference on Software Engineering, Kyoto, April 1998.
[Lam98b] sweerde, , "Managing Conflicts in Goal-Driven Requirements Engineering", -ering, Special Issue on Inconsistency Management in Software Development, November 1998.
[Lam98c] et, "Inferring Declarative Requirements Specifications from Operational Scenarios", IEEE Trans. ering, Special Issue on Scenario Management, December 1998, 1089-1114.
[Lam00a] , "Handling Obstacles in Goal-Oriented Requirements Engineering", IEEE Transactions on Software Engineering, Special Issue on Exception Handling, 2000.
[Lam00b] sweerde, "Formal Specification: a Roadmap". In The Future of Software Engineering, stein (ed.), ACM Press, 2000.
[Lam00c] sweerde, "Requirements Engineering in the Year 00: A Research Perspective". Invited Keynote Paper, ’2000: 22nd International Conference on Software Engineering, ACM Press, 2000, pp. 5-19.
[Lee91] , "Extending the Potts and Bruns Model for Recording Design Rationale", ware Engineering, IEEE-ACM, 1991, 114-125.
[Lei97] , , er, na, , ros, "Enhancing a Requirements Baseline with Scenarios", Requirements Engineering Journal Vol. 2 No. 4, 1997, 184-198.
[Let01] , Reasoning about Agents in Goal-Oriented Requirements
, University of Louvain, May 2001.
[Lev95] n, n-Wesley, 1995.
[Man92] , The Temporal Logic of Reactive and Concurrent Systems, Springer-Verlag, 1992.
[Man96] nd the STeP Group, "STeP: Deductive-Algorithmic Verification of Reactive and Real-Time Systems", ’96 - 8th uter-Aided Verification, LNCS 1102, Springer-Verlag, July 1996, 415-418.
[Mas97] sweerde, "Analogical Reuse of Requirements Frameworks", irements Engineering, Annapolis, 1997, 26-37.
[Mos85] , "Towards Better Models of the Design Process", AI Magazine, Vol. 6, 1985, pp. 44-57.
[Mun81] d, "Participative Systems Design: Structure and Method", Systems, Objectives, Solutions, Vol. 1, North-Holland, 1981, 5-19.
[Myl92] Mylopoulos, J., Chung, L., Nixon, B., "Representing and Using Nonfunctional Requirements: A Process-Oriented Approach", IEEE ering, Vol. 18 No. 6, June 1992, pp. 483-497.
[Myl99] ulos, , "From Object-Oriented to Goal-Oriented Requirements Analysis", Communications of the ACM, Vol. 42 No. 1, January 1999, 31-37.
[Nil71] n, Problem Solving Methods in Artificial Intelligence. McGraw Hill, 1971.
[Nix93] , "Dealing with Performance Requirements During the Development of Information Systems", ’ irements Engineering, Jan. 1993, 42-49.
[Nus94] eh, stein, "A Framework for Expressing the Relationships Between Multiple Views in Requirements Specifications", IEEE Transactions on Software Engineering, Vol. 20 No. 10, October 1994, 760-773.
[Par95] , "Functional Documents for Computer Systems", Science of Computer Programming, Vol. 25, 1995, 41-61.
[Pot94] , , "Inquiry-Based Requirements Analysis", IEEE Software, March 1994, 21-32.
[Pot95] , "Using Schematic Scenarios to Understand User Needs", ’95 - ACM Symposium on Designing interactive Systems: Process, Practices and Techniques, University of Michigan, August 1995.
[Rob89] Robinson, W.N., "Integrating Multiple Specifications Using Domain Goals", op on Software Specification and Design, IEEE, 1989, 219-225.
[Rol98] d, our, "Guiding Goal Modeling Using Scenarios", ering, Special Issue on Scenario Management, December 1998, 1055-1071.
[Ros77] n, "Structured Analysis for Requirements Definition", IEEE Transactions on Software Engineering, Vol. 3, No. 1, 1977, 6-15.
[Rub92] rg, "Object Behavior Analysis", Communications of the ACM Vol. 35 No. 9, September 1992, 48-62.
[Som97] , Requirements Engineering: A Good
, 1997.
[Sut93] , "Bridging the Requirements Gap: Policies, Goals and Domains", op on Software Specification and Design, IEEE, 1993.
[Sut98] ffe, "Scenario-Based Requirements Analysis", Requirements Engineering Journal Vol. 3 No. 1, 1998, 48-65.
[Swa82] , "On the Inevitable Intertwining of Specification and Implementation", Communications of the ACM, Vol. 25 No. 7, July 1982, 438-440.
[Yue87] , "What Does It Mean to Say that a Specification is Complete?", -4, Fourth International Workshop on Software Specification and Design, Monterey, 1987.
[Yu93] , "Modelling Organizations for Information Systems Requirements Engineering", 'irements Engineering, IEEE, 1993, 34-41.
[Yu97] , "Towards Modeling and Reasoning Support for Early-Phase Requirements Engineering", irements Engineering, Annapolis, 1997, 226-235.
[Zav97a] n, "Four Dark Corners of Requirements Engineering", ACM Transactions on Software Engineering and Methodology, 1997, 1-30.
[Zav97b] , "Classification of Research Efforts in Requirements Engineering", ACM Computing Surveys, Vol. 29 No. 4, 1997, 315-321.
ANNEX 1: GOAL REFINEMENT TREE AND RESPONSIBILITY ASSIGNMENT IN THE BART SYSTEM
Goals in the tree: Avoid[TrainCollisions]; Maintain[WCS-DistBetweenTrains]; Maintain[SafeSpeed/AccelerationCommanded]; Maintain[SafeTrainResponseToCommand]; Maintain[NoSuddenStopOfPrecedingTrain]; Maintain[SafeCommandToFollowingTrainBasedOnSpeed/PositionEstimates]; Maintain[AccurateSpeed/PositionEstimates]; Achieve[CmdMsgSentInTime]; Maintain[SafeCmdMsg]; Achieve[SentCmdMsgDeliveredInTime]; Maintain[DeliveredCmdMsgExercised].
Agents carrying responsibility (Resp) links: Speed/AccelerationControlSystem, CommunicationInfrastructure, OnBoardTrainController, TrackingSystem.