Professional Documents
Culture Documents
Abstract. Requirements engineering is concerned with neering concerned with the real-world goals for, functions
the identification of high-level goals to be achieved by the of, and constraints on software systems. It is also con-
system envisioned, the refinement of such goals, the oper- cerned with the relationship of these factors to precise
ationalization of goals into services and constraints, and specifications of software behavior, and to their evolution
the assignment of responsibilities for the resulting require- over time and across software families. This general defini-
ments to agents such as humans, devices and programs. tion, borrowed from [Zav95], stresses the leading part
Goal refinement and operationalization is a complex pro-
cess which is not well supported by current requirements played by goals during requirements elaboration.
engineering technology. Ideally some form of formal sup- There are multiple reasons why goals must be made
port should be provided, but formal methods are difficult explicit in the requirements engineering process. Goals
and costly to apply at this stage. drive the identification of requirements to support them;
This paper presents an approach to goal refinement and they provide an explanation to clients of the rationale
operationalization which is aimed at providing construc- underpinning requirements; they represent the roots for
tive formal support while hiding the underlying mathemat-
ics. The principle is to reuse generic refinement patterns detecting conflicts among requirements and for resolving
from a library structured according to strengthening/weak- them eventually [Rob89]; they provide a completeness cri-
ening relationships among patterns. The patterns are once terion for the requirements specification --the specification
for all proved correct and complete. They can be used for is complete if all stated goals are met by the specification;
guiding the refinement process or for pointing out missing they generally represent the most stable information in the
elements in a refinement. The cost inherent to the use of a requirements product. To sum up, requirements "imple-
formal method is thus reduced significantly. Tactics are ment" goals much the same way as programs implement
proposed to the requirements engineer for grounding pat- design specifications.
tern selection on semantic criteria.
The approach is discussed in the context of the multi-para- Surprisingly, the explicit modelling of goals and the inte-
digm language used in the KAOS method; this language gration of goal specifications in requirements specifications
has an external semantic net layer for capturing goals, con- has been considered only rather recently in the literature.
straints, agents, objects and actions together with their Goals are generally modelled by intrinsic features such as
links, and an inner formal assertion layer that includes a their type and attributes, and by their links to other goals
real-time temporal logic for the specification of goals and and to requirements. Various goal taxonomies have been
constraints. Some frequent refinement patterns are high- proposed to type goals [Myl92], [Dar93], [Nix93], [Ant94].
lighted and illustrated through a variety of examples. For instance, information goals are functional goals con-
The general principle is somewhat similar in spirit to the cerned with keeping agents informed about object states;
increasingly popular idea of design patterns, although it is accuracy goals are non-functional goals concerned with
grounded on a formal framework here .
maintaining the consistency between objects in the envi-
Keywords: Goal-driven requirements engineering, refinement, ronment and their software image. Useful attributes for a
reuse of specifications and proofs, design patterns, formal meth-
goal may include its priority [Dar93] and utility [Rob89].
ods.
Information about goal types and attributes can be used to
define heuristics for goal acquisition, goal refinement, and
1. Introduction requirements elaboration. Links between goals are aimed at
Requirements engineering is the branch of software engi- capturing situations where goals positively or negatively
support other goals. Directly borrowed from problem
reduction methods in Artificial Intelligence [Nil71], AND/
OR graphs may be used to capture goal refinements
[Dar91], [Dar93]. AND-reduction links relate a goal to a set
__________ of subgoals (called reduction); this means that satisfying all
Proceedings 4th ACM Symposium on the Foundations of subgoals in the reduction is a sufficient condition for satis-
Software Engineering (FSE4), San Francisco, Oct. 1996, 179-190. fying the goal. OR-reduction links relate a goal to an alter-
native set of reductions; this means that satisfying one of [Ast86] and PLUSS [Gau92] support algebraic specifica-
the reductions is a sufficient condition for satisfying the tions, where the system's data types are specified as univer-
goal. In this framework, a conflict link between two goals is sal algebras; languages such as PAISLEY [Zav82] and
introduced when the satisfaction of one of them may pre- GIST [Bal83] support operational specifications, which
clude the satisfaction of the other. Operationalization links may be seen as very high-level programs. The benefit of
can also be introduced in goal models to relate goals to full formalization is that the specifications can be manipu-
requirements. Weaker versions of such link types have lated formally --e.g., logical consequences, inconsistencies,
been proposed to relate very high-level goals [Rob89], or refinements can be derived using theorem proving tech-
[Myl92]; the idea is that such goals can rarely be said to be niques [Jon90], [Pot91], [Geo95]; prototypes can be pro-
satisfied in a clear-cut sense. Instead of goal satisfaction, duced [Bal82], [Hek88], [Doug94]; test data can be
goal satisficing is introduced to express that lower-level generated [BGM91]; counterexamples to claims can be
goals or requirements are expected to achieve the goal generated through model checking [Jac96]; partial specifi-
within acceptable limits, rather than absolutely. A subgoal cations can be matched against reusable specifications from
is then said to contribute partially to the goal, regardless of domain libraries [Reu91], [Zar95]; and so forth.
other subgoals; it may contribute positively or negatively. Most formal specification techniques to date are limited in
The purpose of goal modelling is to support some form of several respects.
reasoning about goals during requirements elaboration. • Limited scope: while addressing WHAT questions,
Two kinds of reasoning can be distinguished, namely, qual- they do not address the WHY, WHO or WHEN ques-
itative reasoning and formal reasoning. Qualitative reason- tions that are found in real requirements documents; the
ing is most appropriate for very high-level, non- latter are captured by goals, agents, and causing events,
formalizable goals. The labelling procedure described in respectively.
[Myl92] is a typical example of what can be done; this pro-
cedure determines the degree to which a goal is satisficed/ • Poor separation of concerns: the languages do not
denied by lower-level requirements, by propagating such allow specifiers to introduce a strict separation between
information along positive/negative support links in the descriptions of the domain objects/operations and the
goal graph. Goal models can also be at the root of require- actual requirements; the need for such separation has
ments engineering processes; for example, [Boe95] pro- been convincingly argued [Jac93].
poses an iterative process model for goal-based negotiation • Poor guidance: while the techniques provide well-
of requirements among multiple stakeholders. When goal defined notations and support for a posteriori analysis,
formulations can be formalized, formal reasoning tech- they are not equipped with constructive techniques for
niques are expected to do much more than qualitative rea- guiding the modelling/specification process.
soning. For example, one can use planning techniques to • Difficulty and cost of use: applying such methods
generate admissible system behaviors showing that some requires high expertise in mathematical logic and for-
desired goal is not achieved, and propose recovery actions mal systems; due to the scarcity of such expertise the
[And89], [Fic92]. Beside specification exploration and use of formal methods in industrial projects is nowa-
debugging, one might expect that formal goal models days limited to core parts of critical systems.
would ultimately enable specifiers to formally verify that
goals are achieved or, more constructively, to formally The purpose of this paper is to explore a formal technique
derive requirements specifications that satisfy the goals for requirements elaboration that can be used (i) upstream
specified. Preliminary attempts in this direction are encour- in the specification process, as it supports formal reasoning
aging [Dar93], [Fea94], [Lam95]. about goals, (ii) constructively, as it suggests ways of refin-
ing goals and operationalizing them, and (iii) at reasonable
Formal methods are being increasingly popular for the later cost, as it hides proofs and their underlying mathematics.
stages of the specification process where the boundary
between the software and its environment has already been The general principle is to reuse generic refinement pat-
established and the set of software objects/operations has terns. The latter are organized in a rich library according to
already been made precise. Many languages have been pro- various strengthening/weakening relationships among
posed to capture such lower-level specifications; they differ abstract goal formulations. The patterns are once for all
mainly by the particular specification paradigm used. For proved correct and complete; reusing a pattern entails reus-
example, languages such as Z [Pot91], VDM [Jon90] or ing its proof. Tactics are proposed to the requirements engi-
their object-oriented variants [Lan95] support state-based neer for grounding pattern selection on semantic criteria.
specifications, where the system is described by logical The general principle is somewhat similar in spirit to the
predicates that restrict the set of admissible states; lan- increasingly popular idea of design patterns [Gam95],
guages such as ERAE [Dub91] or TRIO [Mor92] support although it is grounded here on a solid, formal framework.
history-based specifications, where the system is described The reuse of generic refinement patterns is detailed in the
by predicates that restrict the set of admissible histories; the paper in the context of the KAOS requirements elaboration
formalisms in STATECHARTS [Har87] or SCR [Sch93] methodology [Dar93], [Lam95]. KAOS provides a multi-
support transition-based specifications in the finite state paradigm specification language and a goal-directed elabo-
machine tradition; languages like LARCH [Gut93], ASL ration method. The language combines semantic nets
[Bra85] for the conceptual modelling of goals, consraints, • Agent: an agent is another kind of object which acts as
agents, objects and operations in the system; temporal logic processor for some actions. An agent performs an action
[Man92], [Koy92] for the specification of goals, constraints if it is effectively allocated to it; the agent knows an
and objects; and state-based specifications [Pot91] for the object if the states of the object are made observable to it.
specification of operations. It supports the separation of Agents can be humans, devices, programs, etc.
requirements from domain descriptions. The method • Goal: a goal is an objective the composite system should
roughly consists of (i) identifying and refining goals pro- meet. AND-refinement links relate a goal to a set of sub-
gressively until constraints that are assignable to individual goals (called refinement); this means that satisfying all
agents are obtained, (ii) identifying objects and operations subgoals in the refinement is a sufficient condition for
progressively from goals, (iii) deriving requirements on the satisfying the goal. OR-refinement links relate a goal to
objects and operations to meet the constraints, and (iv) an alternative set of refinements; this means that satisfy-
assigning the constraints, objects and operations to the ing one of the refinements is a sufficient condition for
agents. satisfying the goal. The goal refinement structure for a
The paper is organized as follows. Section 2 provides some given system can be represented by an AND/OR directed
background material on the KAOS methodology. Section 3 acyclic graph. Goals often conflict with others. Goals
introduces refinement patterns in this framework and dis- concern the objects they refer to.
cusses patterns for refining goals into subgoals. Section 4 • Constraint: a constraint is an implementable goal, that is,
applies the same principle for operationalizing goals into a goal that can be formulated in terms of states controlla-
requirements according to stimulus/response heuristics. ble by some individual agent. Goals must be eventually
AND/OR refined into constraints. Constraints in turn are
2. Goal-Driven Requirements Elabora- AND/OR operationalized by actions and objects through
tion in KAOS strengthenings of their pre-, post-, trigger conditions and
invariants, respectively. Alternative ways of assigning
The KAOS methodology is aimed at supporting the whole responsible agents to a constraint are captured through
process of requirements elaboration --from the high-level AND/OR responsibility links; the actual assignment of
goals that should be achieved by the composite system to agents to the actions that operationalize the constraint is
the operations, objects and constraints to be implemented captured in the corresponding performance links.
by the software part of it. (The term “composite system” is
used here to denote the intended software together with its 2.1.2 Language constructs
environment [Fea87].) The methodology comprises a spec- Each construct in the KAOS language has a two-level
ification language, an elaboration method, and meta-level generic structure: an outer semantic net layer for declaring
knowledge used for local guidance during method enact- a concept, its attributes and its various links to other con-
ment. Hereafter we introduce some of the features that will cepts; an inner formal assertion layer for formally defining
be used later in the paper; see [Dar93] for more details the concept. The generic structure is instantiated to specific
(various simplifications have been made here based on types of links and assertion languages according to the spe-
some rather extensive experience on industrial projects). cific type the concept is an instance of.
2.1 The KAOS language For example, a goal that appears at some stage of the elabo-
ration of a meeting scheduler system is to get all partici-
The specification language provides constructs for captur-
pants’ constraints known to the scheduler. The concept
ing various kinds of concepts that appear during require-
ParticipantsConstraintsKnown is of type “Goal”; it could be
ments elaboration, namely, goals, constraints, agents,
partially declared and formally defined as follows:
entities, relationships, events, actions, views, and scenar-
Goal Achieve [ParticipantsConstraintsKnown]
ios. There is one construct for each type of concept. We InstanceOf InformationGoal
define some of these types first; the constructs for specify- Concerns Meeting, Participant, Scheduler, ...
ing their instances are introduced next. RefinedTo ConstraintRequested, ConstraintProvided
InformalDef A meeting scheduler should know the constraints
2.1.1 The underlying ontology of the various participants invited to the meeting within C days
after appointment
The following types of concepts will be used in the sequel.
FormalDef ' m: Meeting, p: Participant, s: Scheduler
• Object: an object is a thing of interest in the domain Invited (p, m) ! Scheduling (s, m)
whose instances may evolve from state to state. It is in % $&Cd Knows (s, p.Constraints)
general specified in a more specialized way -as an entity, The declaration part of the specification above states that
relationship, or event according as the object is an auton- the goal ParticipantsConstraintsKnown (i) is concerned with
omous, subordinate, or instantaneous object, respec- keeping agents informed about object states, (ii) refers to
tively. Objects are described by invariant assertions. objects such as Participant or Scheduler, and (iii) is refined
• Action: an action is an input-output relation over objects; into two subgoals. (The latter turn to be constraints assign-
action applications define state transitions. Actions may able to single agents; the fact that the ConstraintRequested
be caused/stopped by events. They are characterized by constraint is assignable to the Scheduler agent would be
pre-, post- and trigger conditions. stated in the declaration of that constraint.)
The formal assertion defining this goal is written in a real- fied by asking WHY questions.
time temporal logic borrowed from [Koy92]. In this paper • Identify the objects concerned by goals and describe their
we will use some classical operators for temporal referenc- domain properties.
ing: o (in the next state), • (in the previous state), $ (eventu-
ally), * (some time in the past), ! (always in the future), " • Identify object state transitions that are meaningful to the
goals, specify them as domain pre- and postconditions of
(always in the past), U (always in the future until), W
actions, and identify agents that could have those actions
(always in the future unless). Real-time restrictions are
among their capabilities.
indicated by subscripts (e.g., &Cd where d denotes the day
time unit). Such restrictions will not be considered in the • Derive additional pre- and postconditions of actions and
refinement patterns discussed in this paper; we will stick to invariants of objects so as to ensure that all constraints
“classical” temporal logic [Man92]. are met (requirements that operationalize the goals are
obtained thereby).
In the formal assertion above, the predicate Invited (p, m)
means that, in the current state, an instance of the Invited • Identify alternative responsibilities for constraints; make
relationship links variables p and m of sort Participant and decisions among refinement, operationalization, and
Meeting, respectively. The Invited relationship, Participant
responsibility alternatives (with process-level objectives
agent and Meeting entity are declared in other sections of the such as resolving conflicts, reducing costs, increasing
specification, e.g., reliability, avoiding overloading agents, etc.); assign the
actions to agents that can commit to guaranteeing the
Agent Participant
CapableOf CommunicateConstraints, ... requirements in the alternatives selected.
Has Constraints: Tuple [ExcludedDates: SeqOf [TimeInterval], The steps above are ordered by data dependencies; they
PreferredDates: SeqOf [TimeInterval]] may be running concurrently, with possible backtracking at
...
every step. The refinement patterns discussed below are to
Relationship Invited
Links Participants {card: 0:N}, Meeting {card: 1:N}
be used in the first step above.
DomInvar 'p: Participant, m: Meeting
Invited (p, m) # p + Requesting[-,m].ParticipantsList 2.3 Using meta-level knowledge
In the declarations above, Constraints is declared as an At each step of the goal-driven method, domain-indepen-
attribute of Participant (this attribute was used in the formal dent knowledge can be used for local guidance and valida-
definition of ParticipantsConstraintsKnown). Also note that the tion in the elaboration process.
invariant defining Invited is not a requirement, but a domain • A rich taxonomy of goals, constraints, objects and
description. Object inheritance is of course supported, e.g., actions is provided together with rules to be observed
an agent type ImportantParticipant can be introduced as a spe- when specifying concepts of the corresponding sub-
cialization of Participant with some extra attributes and type. We give a few examples of such taxonomies.
invariants. – Goals are classified by pattern of temporal behavior
As mentioned earlier, operations are specified formally by they require:
pre- and postconditions, for example, Achieve: P % $ Q or Cease: P % $ ¬ Q
Action DetermineSchedule Maintain: P % ! Q or Avoid: P % ! ¬ Q
Input Requesting, Meeting {Arg: m};
Output Meeting {Res: m} – Goals are also classified by type of requirements
DomPre Requesting (-,m) ! ¬ Scheduled (m) they will drive with respect to the agents concerned
DomPost Feasible (m) % Scheduled (m) (e.g., SatisfactionGoal, InformationGoal, Consistency-
! ¬ Feasible (m) % DeadEnd (m)
Goal, SafetyGoal, PrivacyGoal, etc.)
In a KAOS specification, the outer declaration layer is – Constraints are in the HardConstraint category if they
much useful for requirements traceability (through seman- may never be violated, or in the SoftConstraint cate-
tic net navigation) and specification reuse (through que- gory if they are likely to be temporarily violated.
ries). The inner assertion level is introduced for formal
– Actions are Modify or Inspect actions according as
reasoning, and will be used later in the paper. Note that the
they modify some object states or not.
specifier does not necessarily need to use the full power of
this “two-button” language; in fact, industrial users tend to Such taxonomies are constrained by rules, e.g.,
use the semantic net level (for which a concrete graphical – SafetyGoals are AvoidGoals to be refined in Hard-
syntax is available) without “pressing the formal button”. Constraints;
– PrivacyGoals are AvoidGoals on Knows predicates;
2.2 The elaboration method – SoftConstraints must have associated ModifyAc-
The following steps may be followed to systematically tions to restore them.
elaborate KAOS specifications from high-level goals. Meta-level rules can be used to ensure consistency and
• Elaborate the goal AND/OR structure by defining goals completeness of the requirements model being elabo-
and their refinement/conflict links until implementable rated. For example, declaring the constraint Constraint-
constraints are reached; offspring goals are identified by Provided that appeared in the refinement of the goal
asking HOW questions whereas parent goals are identi- ParticipantsConstraintsKnown above as a SoftConstraint
would prompt a question about what restoration action ditions hold:
should be foreseen in case of violation; as a result, 1.G1 ! G2 !... ! Gn |– G (entailment)
actions like emailing a reminder or giving a phone call
to negligent participants would be introduced. 2. ' i: !j Gj
i |/ G (minimality)
• Tactics capture heuristics to drive the elaboration or 3. G1 ! G2 !... ! Gn |/ false (consistency)
select among alternatives, e.g., To avoid trivial refinements consisting in rewriting G into
– Refine goals so as to reduce the number of agents logically equivalent forms, the following rule is added:
involved in the achievement of each subgoal;
4. n > 1 or the refinement relies on domain knowledge.
– Favor goal refinements that introduce less conflicts.
Definition. A refinement pattern is a one-level AND-tree of
2.4 Constructive formal support abstract goal assertions such that the set of leaf assertions is
a complete refinement of the root assertion.
Formal derivation rules can be used to derive requirements
from goals. Consider, for example, the following inference As a first example, the following refinement pattern pro-
rule. poses a way to decompose Achieve goals into three sub-
Constraint: ! [ C ! ( P1 ! o P2 % Q1 ! o Q2 ) ] , goals.
DomPre: P1, DomPost: P2
(RP1)
P%$Q
RequiredPre: Q1, RequiredPost: Q2
As a very simple example of using this inference rule, con-
sider the following SafetyConstraint for a lift system:
P!R%$Q P%$R P%PWQ
HardConstraint Maintain [DoorsClosedWhileMoving]
Refines SafeTransportation
FormalDef ' l: Lift, d: Doors, f,f’: Floor This pattern is generic; it can be instantiated to completely
PartOf (d, l) % ! [ LiftAt (l,f) ! o LiftAt (l,f’) ! f’ f different situations. A simple instantiation is presented
% d.State = 'closed' ! o (d.State = 'closed') ]
first; other instantiations will be used later.
The following required pre-/postconditions are then for-
mally derived using the rule above: Consider the train control system studied in [Fea94]. One
functional goal is to ensure that trains move through con-
Action GoToFloor
Input Lift {arg: l}, Floor {arg: f, f’}, Passenger {arg: p}; secutive blocks:
Output LiftAt Goal Achieve [TrainProgress]
DomPre LiftAt (l, f) ! Requesting (p, f’) ! f’ f FormalDef (' t: Train, b: Block) [At (t, b) % $ At (t, b+1)]
DomPost LiftAt (l, f’)
RequiredPre for DoorsClosedWhileMoving: d.state = 'closed' A particular case that comes directly to mind is when
RequiredPost for DoorsClosedWhileMoving: d.state = 'closed' blockb+1’s signal is set to ‘go’. One may thus instantiate
the meta-variable R in the first subgoal of the pattern above
3. Refining Goals into Subgoals to the predicate Go [b+1] formalizing this situation; hence
the refinement into the following three subgoals:
3.1 Basic idea Goal Achieve [ProgressWhenGoSignal]
FormalDef ' t: Train, b: Block
Experience with KAOS has revealed that correct goal At (t, b) ! Go[b+1] % $ At (t, b+1)
refinements are often hard to find; goal decompositions
Goal Achieve [SignalSetToGo]
made by hand are usually incomplete and sometimes FormalDef ' t: Train, b: Block
inconsistent [Lam95]. Moreover, the goal graph usually has At (t, b) % $ Go[b+1]
few OR-branches and contain implicit choices; interesting Goal Maintain [TrainWaiting]
alternatives may be overlooked. The idea is therefore to FormalDef ' t: Train, b: Block
provide formal support for building goal refinement graphs At (t, b) % At (t, b)W At (t, b+1)
that are complete, proved correct, and integrate alterna-
tives. This section introduces domain-independent refine- The last subgoal obtained from this pattern states that a
ment patterns as a way to achieve this objective. Patterns train t must stay in block b unless it is in block b+1; back-
are proved correct and complete once for all by the pattern ward moves are thereby discarded.
designer; reusing the pattern entails reusing the proof, and Refinement patterns are useful for the following reasons.
the mathematics can therefore be hidden to the user of pat- • They allow formal reasoning to be hidden to the require-
terns. The concept of refinement and refinement patterns ments engineer;
are first carefully defined. Next an example of frequent
refinement pattern is shown and proved. The benefits of • They may help detecting incomplete refinements and
using refinement patterns are then discussed. Finally, we reconnoitering requirements;
detail the contents and structure of our library of patterns. • They allow choices underlying refinements to be made
Definition. A set of goal assertions G1, G2,..., Gn is a com- explicit.
plete refinement of a goal assertion G iff the following con- Each point is illustrated now in turn.
3.1.1 Hiding mathematics The pattern (RP1) introduced above tells the specifier that
Patterns are proved correct once for all and reused many this refinement is incomplete. There is a missing Maintain
times through instantiation. The pattern above, for instance, subgoal that can be derived systematically, namely,
can be proved using the proof theory of temporal logic Goal Maintain [??]
[Man92] as follows. FormalDef ' u: User, res: Resource, rep: Repository
Requesting (u, res, rep) ! Registered (res, rep)
Proof % (Requesting (u, res, rep) ! Registered (res, rep))
W (( ru: ResourceUnit) (Unit (ru, res) ! Has (u, ru))
1. P % $ R Hyp
2. P ! R % $ Q Hyp This missing subgoal can in turn be refined by application
of another frequently used pattern, called the “Maximize
3. P % P W Q Hyp
Cohesion” pattern:
4. P % (P U Q) ) ! P 3, def of Unless
5. P % $ Q ) ! P 4, def of Until (RP2)
6. P % $ R ! ($ Q ) ! P) 1, 5, strengthen consequent P ! Q % (P ! Q) W R
7. P % ($ R ! $ Q) ) ($ R ! ! P) 6, distribution
8. P % ($ R ! $ Q) ) $ (R ! P) 7, trivial lemma P % (P W R) Q % (Q W R)
9. P % ($ R ! $ Q) ) $ $ Q 8, 2, strengthen consequent
10. P % ($ R ! $ Q) ) $ Q 9, $-idempotence The resulting refinement for the missing subgoal is:
11. P % $ Q 10, absorption
Goal Maintain [PendingRequest]
Temporal logic proofs tend to be rather complex even for FormalDef ' u: User, res: Resource, rep: Repository
simple refinements. Such proofs are built for every pattern Requesting (u, res, rep)
before inclusion into the library. A pattern may be reused % (Requesting (u, res, rep)
by requirements engineers without need to prove that its W (( ru: ResourceUnit) (Unit (ru, res) ! Has (u, ru))
instantiations produce correct refinements; the proofs are Goal Maintain [ResourceRegistered]
instantiated accordingly. FormalDef ' res: Resource, rep: Repository
Registered (res, rep) % ! Registered (res, rep) ,
3.1.2 Checking refinements for completeness where a stronger version for the second subgoal has even-
Refinement patterns can be used to check whether given tually been selected. Asking what is meant by “requests
decompositions are complete refinements. This way of should be maintained” or “resource registration should be
using patterns is very important; it is our experience that maintained” (or “why a resource should not be kept regis-
intuitive refinements made “by hand” tend to be incomplete tered”) triggers the discovery of new, more concrete
[Lam95]. Incomplete goal refinements result in incomplete requirements --e.g., reservation instalments or fines for the
requirements. first subgoal, policies to avoid lost or stolen resource units
Consider the specification of a general resource manage- for the second subgoal.
ment system. A root in the goal refinement graph states that Another example of refinement debugging through such
any relevant request for a resource should be eventually patterns, for a quite different (and real) system, can be
satisfied by providing a resource unit from the repository to found in [Lam95].
the requestor.
3.1.3 Constructive refinement and reconnoitering of
Goal Achieve [ResourceRequestSatisfied]
FormalDef ' u: User, res: Resource, rep: Repository alternatives
Requesting (u, res, rep) ! Registered (res, rep) Refinement patterns can be used to help completing partial
% $ (( ru: ResourceUnit) (Unit (ru, res) ! Has (u, ru))
refinements. The requirements engineer might for instance
The above goal can be trivially satisfied in the particular be interested in retrieving all complete patterns that match
case where some resource unit is available. This suggests the following partial pattern:
the following decomposition:
Goal Achieve [AvailableResourceProvided]
P%$Q
FormalDef ' u: User, res: Resource, rep: Repository
Requesting (u, res, rep) !
(( ru: ResourceUnit) (Unit (ru, res) ! Available (ru, rep)) P!R%$Q ?
% $ (( ru: ResourceUnit) (Unit (ru, res) ! Has (u, ru))
Goal Achieve [ResourceUnitAvailable] As suggested before, this partial pattern corresponds to a
FormalDef ' u: User, res: Resource, rep: Repository frequent situation where some easy or limit case R comes
Requesting (u, res, rep) ! Registered (res, rep) directly to mind to define a “trivial” subgoal. A formal
% $ (( ru: ResourceUnit) (Unit (ru, res) ! Available (ru, rep))
query on the pattern library allows one to retrieve candidate
In the first subgoal above, the conjunct Registered (res, rep) patterns to complete the above refinement, e.g.,
has been kept implicit in the antecedent due to the follow-
ing domain invariant attached to the Available relationship: P % $ R and P W Q as other subgoals,
(( ru: ResourceUnit) (Unit (ru, res) ! Available (ru, rep)) or P ! ¬ R % $R and P W Q as other subgoals,
% Registered (res, rep) or ¬ R % $ R and P W Q as other subgoals.
To illustrate the point, consider the train control system Goal Achieve [ChannelAllocatedStatically]
again. The first candidate pattern has already been instanti- FormalDef ' p1, p2: Point
Connection (p1, p2)
ated above. The instantiation of the second candidate pat- % (( c: Channel) (! Allocation (p1, p2, c))
tern would produce the following alternative subgoal for
SignalSetToGo: (Note that the difference is just in the ! operator jumping
over the existential quantifier.) The use of patterns explic-
Goal Achieve [SignalSetToGo]
FormalDef ' t: Train, b: Block itly structured in a weakening/strengthening hierarchy may
At (t, b) ! ¬ Go[b+1] % $ Go[b+1] thus help selecting refinements that make design choices
whereas the third retrieved pattern would produce a third explicit (here, dynamic vs. static allocation of channels)
alternative: and better fit actual needs (in view of other parent goals in
the graph that need to be achieved as well).
Goal Achieve [SignalSetToGo]
FormalDef ' t: Train, b: Block As this example suggests, our pattern library is structured
¬ Go[b+1] % $ Go[b+1] according to a weakening/strengthening hierarchy. Section
The three alternative subgoals generated result in different 3.4 investigates this structure more precisely. Before that,
policies. In the first two alternatives, signal changes are Sections 3.2 and 3.3 provide typical examples of proposi-
triggered by train arrivals. In the third alternative, signal tional and first-order refinement patterns, respectively.
changes occur under every circumstance regardless of train
arrivals. The requirements “implementing” the SignalSet- 3.2 Propositional refinement patterns
ToGo subgoal issued from the two first patterns need to Propositional patterns are worth being considered for glo-
introduce a new agent, namely, a train detection device near bal refinements in which quantifiers do not interfere with
each signal. the refinement.
3.1.4 Making choices explicit A sample of frequently used propositional patterns for
Achieve goals is shown in Table 1. Each row in the table
Pattern-directed refinement may sometimes allow require- gives a possible refinement of the parent goal P % $ Q. Pat-
ments engineers to make explicit some design choices that tern RP3 defines a milestone-driven refinement where an
were hidden in informal elaborations or past designs. We intermediate state satisfying R must first be reached, from
experienced this in reengineering the requirements of a which a final state satisfying Q must be reached. Pattern
cable phone system for a major telecommunication com- RP4 advocates for a decomposition by cases. Pattern RP5
pany. The system had to be built on top of an existing tech- identifies a condition R which must be set in order to reach
nology that imposed pre-existing choices. As an example Q. Pattern RP6 strengthens RP5 by requiring that condition
abstracted from this system, consider the following specifi- R hold independently of the truth value of P. RP7 strength-
cation of a point-to-point communication between two ens RP3 by requiring R to continuously hold until Q holds.
agents:
Goal Achieve [CommunicationSatisfied]
FormalDef ' p1, p2: Point, m: Message Subgoal Subgoal Subgoal
CallRequest (p1, p2) ! (p1.msgOut = m) % $ (p2.msgIn = m)
RP3 P % $R R % $Q
The way taken to satisfy this goal was to require that (i) a
RP4 P ! P1% $ Q1 P ! P2 % $ Q2 ! (P1 ) P2)
channel be allocated for the communication, and (ii) the
Q1 ) Q2 % Q
communication use the allocated channel. Consider sub-
goal (i). The weakest refinement pattern we used led to the RP5 P!¬ R % $R P ! R % $Q P%!P
following formalization: RP6 ¬ R % $R P ! R % $Q P%!P
Goal Achieve [ChannelAllocatedUponCall] RP7 P % $R R%RUQ
FormalDef ' p1, p2: Point
CallRequest (p1, p2) TABLE 1. Some propositional patterns for Achieve goals
% $ (( c: Channel) (Allocation (p1, p2, c))
As already suggested, the use of one pattern instead of
A stronger refinement pattern produced the requirement
another may lead to completely different systems. For
that channels be allocated not just when calls are issued,
example, RP5 and RP6 in a library system lead to com-
but as soon as pairs are plugged into the network:
pletely different policies for book loan. Suppose P stands
Goal Achieve [ChannelAllocatedUponPlugIn] for “a member requests some book” and Q stands for “the
FormalDef ' p1, p2: Point
Connection (p1, p2) member can borrow a copy of that book”. Now suppose R
% ! (( c: Channel) (Allocation (p1, p2, c)) stands for “a copy of that book is available”. Patterns RP5
and RP6 both require that a request for a book which has a
Under this refinement the following domain invariant was
copy available is eventually satisfied. They disagree how-
attached to the CallRequest relationship:
ever on what happens when there is no copy available. RP5
(' p1, p2: Point) CallRequest (p1, p2) % Connection (p1, p2) requires that a book requested with no copy available has a
This version still allows the channel to vary over time. An copy eventually available; RP6 requires that every copy of
even stronger refinement pattern produced the requirement a book, be it requested or not, must eventually become
that the same channel be used forever: available. In the former case, borrowers are allowed to
keep copies as long as there is no other member requesting propositional patterns) or by replacing the eventually oper-
a copy of the corresponding book; in the latter case, they ator by an until operator.
have to return copies even if there is no request. To illustrate the use of these patterns, consider the meeting
An extensive set of patterns for Achieve and Maintain goals scheduler system again. A meeting can be planned (Q) if
can be found in [Dar95]; all proofs of correctness and com- there is a date on which the participants agree and a venue
pleteness are given there. for the meeting. The three refinements in Table 2 propose
to sequentialize the problem of finding a date and a venue.
3.3 First-order refinement patterns First a date must be found (Q1). FO2 and FO3 state that a
First-order goal assertions are classified into four catego- venue must be found for the date found (Q2). Pattern FO1
ries with respect to refinement: is weaker; provided a date can be found, it requires one to
find a date (not necessarily the one initially foreseen) and a
1. the assertion consists of a composition, via logical/tem- venue for the latter date.
poral connectives, of closed formulas that are not
decomposed by the refinement; 3.3.2 Variables common to antecedents and consequents
2. the consequent of the assertion is a closed formula tak- Universally quantified variables common to the antecedent
ing the form of a conjunction/disjunction of subformulas and consequent of the parent goal do not interfere with
which have to be decomposed by the refinement and refinements; one may (i) use the intantiation rule from clas-
cannot be rewritten to match case 1; sical logic on the universally quantified variables, (ii) apply
3. the antecedent of the assertion is a closed formula taking a refinement pattern to the resulting formula, and (iii) use
the form of a conjunction/disjunction of subformulas the inverse generalization rule on each subgoal to reintro-
which have to be decomposed by the refinement and duce the quantifiers for the variables frozen in (i).
cannot be rewritten to match case 1; For an existentially quantified variable common to the
4. the antecedent and the consequent of the instantiated antecedent and consequent of the parent goal, the refine-
assertion are not closed formulas, because they are shar- ments must guarantee that the consequent of the parent for-
ing variables. mula holds for the value satisfiying the antecedent. This
explains why subgoals generally have to introduce univer-
Formulas in the first category can be treated as proposi- sal quantifiers instead of existential ones. For instance, a
tional formulas; the closed subformulas are abstracted as possible refinement for the pattern (( x) (P % $ Q) is:
propositional symbols. The third category is just the dual of
the second. We will therefore concentrate on cases 2 and 4 (( x) (P % $ R) , R(x) % $ Q(x)
successively. Other patterns can be found in [Dar95].
Notations. When no ambiguity arises, 3.4 Exploring the pattern space
• free variables in formulas will be assumed to be universally To be effective in practice, the pattern library should have
quantified; for instance, the following properties.
P ! Q1 (x) % $ (Q1 (x) ! Q2 (x)) stands for
(' x) [P ! Q1 (x) % $ (Q1 (x) ! Q2 (x))] • Relevance: the library should provide patterns that are
• predicate arguments will be dropped; for instance,
actually needed by requirements engineers;
$ (( x) Q1 ) $ (( x) Q2 % $ (( x) (Q1 ! Q2) stands for • Retrievability: relevant patterns should be retrieved eas-
$ (( x) Q1 (x) ) $ (( x) Q2 (x) % $ (( x) (Q1 (x) ! Q2 (x)) ily.
3.3.1 Decomposing consequents 3.4.1 Relevance
The most frequent generic assertion in this category is P % A two-step process was followed to identify relevant
$ (( x) (Q1 ! Q2). Some possible refinements of it are refinement patterns.
shown in Table 2. Each row contains a refinement that has • Inductive step: candidate patterns were identified by
been proved correct and complete. More patterns can be abstracting goal refinements from a wide variety of case
found in [Dar95]. For instance, other patterns can be studies --among others, resource management systems
with multiple specializations (e.g., sharable resources,
Subgoal Subgoal Subgoal returnable resources, reservable resources, chargeable
resources, convertible resources); transportation sys-
FO1 P % $ (( x) Q1 P ! Q1 (x) P%!P tems; communication systems; process monitoring; meet-
% $ (( x) (Q1 ! Q2) ing scheduling; conference organization. The candidate
FO2 P % $ (( x) Q1 P ! Q1 (x) P%!P refinement patterns that emerged from these case studies
% $ (Q1 (x) ! Q2 (x)) were proved correct using the proof theory of temporal
FO3 P % $ (( x) Q1 P ! Q1 (x) % $ Q2 (x) P%!P logic [Man92]. The proofs were bottom-up, in that the
Q1 (x) % ! Q1 (x) conjunction of subgoals was shown to minimally entail
the parent goal. The result of this step was a preliminary
TABLE 2. Some first-order patterns for Achieve goals library of complete AND-refinements reusable through
derived by dropping the term P in the second subgoal (as in instantiation. This library had the following weaknesses:
patterns were unrelated to each other; they did not is provided to help selecting appropriate patterns according
explore all alternatives; they contained implicit choices. to more semantic criteria. Meta-level refinement tactics
structure the pattern space according to the nature of the
• Deductive step: the library of AND-refinements obtained
decomposition proposed. The patterns are indexed by tac-
in the inductive step was reorganized by deriving refine-
tics; they can be used in the context described by the tac-
ment patterns top-down from basic patterns. Refinement
tics. Fig. 2 shows the domain-independent tactics identified
choices were thereby made explicit; this opened the way
so far.
to a systematic investigation of other refinement alterna-
tives. The result is an AND/OR library of refinement pat- Milestone-driven Agent-driven
terns, which can be seen as a a directed graph of patterns
linked through weakening/strengthening relationships.
Fig. 1 shows a piece of this graph. The higher a goal in
the figure, the weaker it is. Multiple Scheduled Agent
Milestones Cooperation Abilities
P%$Q
AND-decomposition
Case-driven
P ! ¬ R % $ (P ! R) P!R%$Q
OR-decomposition Antecedent Consequent
Decomposition Decomposition
P % $ (P ! R) P!¬R%$R!!P
Independent Dependent Independent Dependent