Professional Documents
Culture Documents
requirements engineering
A Reference Model
for Requirements
and Specifications
The authors define Carl A. Gunter, University of Pennsylvania
a reference model Elsa L. Gunter, Bell Labs, Lucent Technologies
for applying for-
Michael Jackson and Pamela Zave, AT&T Laboratories
mal methods to
the development
of user require- equirements for software often fall into two categories: for those
R
ments and their who commission, pay for, or use it and for those who program
reduction to a be-
havioral system it. These documents are sometimes distinct, receiving distin-
specification. The guishing names such as customer-specification document and
approach focuses feature-specification document. The distinction also appears in standards;
on the shared phe- for example, the European Space Agency software standard1 distinguishes
nomena that de-
fine the interface between the user-requirements specification cisely enough that we can rigorously analyze
between the and the software-requirements specification, substantive properties.
system and mandating complete documentation of each
environment. according to various rules. Other cases em- The Reference Model
phasize this distinction less. For instance, Reference models have a time-honored
some groups at Microsoft argue that the dif- status, and one well-known example is the
ficulty of keeping a technical specification ISO 7-Layer Reference Model, which di-
consistent with the program is more trouble vides network protocols into seven layers.
than the benefit merits.2 We can find a wide The model is informal and does not corre-
range of views in industry literature and from spond perfectly to the protocol layers in
the many organizations that write software. widespread use but is still discussed in vir-
Is it possible to clarify these various arti- tually every basic textbook on networks—
facts and study their properties, given the the model is widely used by network engi-
wide variations in the use of terms and the neers to describe network architectures.
many different kinds of software being writ- The ISO 7-layer model is successful because
ten? Our aim is to provide a framework for it draws on what was already understood
talking about key artifacts, their attributes, about networks, and it’s general enough to
and relationships at a general level, but pre- be flexible.
O
benefited mula 3 translates to ∀m. (∃c. NAT(m, c)) ⇒ ur reference model is meaningful
(∃i o c. NAT(m, c) ∧ IN(m, i) ∧ SOF(i, o) ∧ whether or not you are using a for-
significantly OUT(o, c)), which would have revealed the malization such as a theorem prover
just from the programming bug in the earlier example. It or a model checker. The proof obligations
clarity of also subsumes their second (unnamed) obliga- are just as sensible for natural-language
tion. Translated into our terms, their feasibility documentation as they are for formal speci-
knowing what obligation is ∀ev. (∃eh sv. W) ⇒ (∃eh sv. W ∧ fications. Moreover, there is no absolute re-
the objective of R), which is implied by our Formulas 1 and 3. quirement that the proof obligations be met
Like our reference model, the functional- in the sense of automated theorem proving.
a model’s documentation model insists on a rigid divi- On the contrary, the applications we studied
component sion between system and environment control have benefited significantly just from the
should be, even of designated terminology. Some other sys- clarity of knowing what the objective of a
tems, such as Unity8 and TLA,9,10 leave to the model’s component should be, even without
without user such matters as distinguishing environ- formalization, let alone machine-assisted
formalization. ment from system and domain knowledge proof. However, our description is precise
from requirements, but support shared control enough to support formal analyses. For ex-
of a designated term by system and environ- amples of such formal analyses and a more
ment. For example, in the Unity formalism, we in-depth discussion of some of the logic
can express that both E and M control a connections, see our technical report from
Boolean variable b, but E can only set it to true the University of Pennsylvania.13
while M can only set it to false. Our restricted Our current and future research involves
notion of control, in which each phenomenon extending and applying the reference model.
must be strictly environment or system con- We are interested in extensions that unify it
trolled, is easier to document and think about with game-theoretic modeling of our system
than shared control. When necessary, we can and environment. Such extensions might
model shared control by using two variables— make the model more complex to describe
one controlled by the system and the other by but might offer better guidance when using
the environment—together with an assertion it for applications. We are applying the
in W that they must be equal. model to problems networking and teleph-
The composition and decomposition the- ony. In networking, we are using it to de-
orems of TLA are particularly valuable scribe attributes of routing protocols; for
when parts of the formal documentation are telephony, we are using it to model distrib-
not complete and unconditional (as the func- uted feature composition.
tional-documentation model requires them
to be). For example, we can use the TLA
Acknowledgments
composition theorem to prove adequacy of a We thank Samson Abramsky, Rajeev Alur, Karthik
specification even when all of the domain Bhargavan, Trevor Jim, Insup Lee, and Davor Obra-
knowledge, requirements, and specification dovic for their input to this work. NSF Contract
CCR9505469 and ARO Contract DAAG-98-1-0466
components are written in an assumption partially support this research.
and guarantee style.
As part of a benchmark problem for
studying the reference model, we used the References
1. C. Mazza et al., Software Engineering Standards, Pren-
model checker Mocha11,12 to prove the de- tice Hall, Upper Saddle River, N.J., 1994.
sired properties of the relationship between 2. S.A. Maguire, Debugging the Development Process:
specification and program (see Formula 5). Practical Strategies for Staying Focused, Hitting Ship
Dates, and Building Solid Teams, Microsoft Press, Red-
The Mocha concept of a reactive model is mond, Wash., 1994.
extremely similar to our reference model, 3. D.L. Parnas and J. Madey, “Functional Documentation
because it allows for interface variables con- for Computer Systems,” Science of Computer Program-
ming, Vol. 25, No. 1, Oct. 1995, pp. 41–61.
trolled by the environment or system and 4. M. Jackson and P. Zave, “Domain Descriptions,” Proc.
system-controlled variables that are hidden IEEE Int’l Symp. Requirements Eng., IEEE Computer
Training You
Can Trust
From the IEEE Computer Society and five partner universities
Continuing education courses based on
software engineering standards.
Computer Society 2000 Authorized Training Centers
• California State University, Sacramento
• New Jersey Institute of Technology
• Oregon Graduate Institute
• Southern Polytechnic State University
• University of Strathclyde