ORIGINAL ARTICLE On the systematic transformation of requirements to specifications Zhi Li • Jon G. Hall • Lucia Rapanotti Received: 26 April 2012 / Accepted: 8 May 2013 Ó Springer-Verlag London 2013 Abstract Formal approaches to development are widely acknowledged to have difficulty in the validation of real- world requirements; in contrast, non-formal approaches find it difficult to identify the formal structures in requirements that are useful in a solution. That the prob- lems that computing treats are embedded in the real world with solutions being an essentially formal machine means this dichotomy will always exist, with some new approach to the development needed which can draw a boundary between what is formalised and what can be left informal. In this paper, we show how the natural cause-and-effect structures that can be found in non-formal requirements descriptions can be used systematically to arrive at a software specification. The theoretical contribution of the work is the formalisation of Jackson’s idea of problem progression in his Problem Frames framework through the use of a graph grammar to capture problem models as graphs and their manipulation as transformations. The approach is illustrated through a substantial benchmark example—Swartout’s and Balzer’s package router. We also report on the results of an initial empirical evaluation of the approach based on a prototype problem progression tool we have constructed. Keywords Requirements Specifications Problem Frames Problem progression Graph transformation 1 Introduction It is widely acknowledged (see, e.g., [1–3]) that poorly defined system and user requirements and specifications remain one of the outstanding problems in software development and a key factor in the failure of many soft- ware projects. Even when stakeholder needs are well captured, understood or analysed, elucidating clear requirements and building traceable paths from needs to code is difficult, leading to a mismatch between what stakeholders need and what the software developer understands they need and that subsequently influences the solution. The problem is particularly acute in complex developments and large development teams typically found in industry [4]. As far back as the 80s, Turski, [5], diagnosed the problem as that of software engineering activities being concerned with spanning non-formal and formal domains; that is, software engineering takes, typically, a natural language description of a stakeholder’s need and must map it to a formal description in code. This difficulty of span- ning non-formal and formal—termed the Turski Discon- nect in [6]—has sometimes led to a dichotomy in approaches to software development: some approaches address only the formal concerns, usually in a single formal language; others address only the non-formal concerns, Z. Li (&) College of Computer Science and Information Technology, Guangxi Normal University, No. 15 Yu Cai Road, Guilin 541004, Guangxi, People’s Republic of China e-mail: [email protected]Z. Li Key Laboratory of High Confidence Software Technologies (Peking University), Ministry of Education, Beijing 100871, China J. G. Hall L. Rapanotti Centre of Research in Computing, The Open University, Walton Hall, Milton Keynes, Buckinghamshire MK7 6AA, UK e-mail: [email protected]L. Rapanotti e-mail: [email protected]123 Requirements Eng DOI 10.1007/s00766-013-0173-8
Transcript
ORIGINAL ARTICLE
On the systematic transformation of requirementsto specifications
Zhi Li • Jon G. Hall • Lucia Rapanotti
Received: 26 April 2012 / Accepted: 8 May 2013
� Springer-Verlag London 2013
Abstract Formal approaches to development are widely
acknowledged to have difficulty in the validation of real-
world requirements; in contrast, non-formal approaches
find it difficult to identify the formal structures in
requirements that are useful in a solution. That the prob-
lems that computing treats are embedded in the real world
with solutions being an essentially formal machine means
this dichotomy will always exist, with some new approach
to the development needed which can draw a boundary
between what is formalised and what can be left informal.
In this paper, we show how the natural cause-and-effect
structures that can be found in non-formal requirements
descriptions can be used systematically to arrive at a
software specification. The theoretical contribution of the
work is the formalisation of Jackson’s idea of problem
progression in his Problem Frames framework through the
use of a graph grammar to capture problem models as
graphs and their manipulation as transformations. The
approach is illustrated through a substantial benchmark
example—Swartout’s and Balzer’s package router. We
also report on the results of an initial empirical evaluation
of the approach based on a prototype problem progression
tool we have constructed.
Keywords Requirements � Specifications � Problem
Frames � Problem progression � Graph transformation
1 Introduction
It is widely acknowledged (see, e.g., [1–3]) that poorly
defined system and user requirements and specifications
remain one of the outstanding problems in software
development and a key factor in the failure of many soft-
ware projects. Even when stakeholder needs are well
captured, understood or analysed, elucidating clear
requirements and building traceable paths from needs to
code is difficult, leading to a mismatch between what
stakeholders need and what the software developer
understands they need and that subsequently influences the
solution. The problem is particularly acute in complex
developments and large development teams typically found
in industry [4].
As far back as the 80s, Turski, [5], diagnosed the
problem as that of software engineering activities being
concerned with spanning non-formal and formal domains;
that is, software engineering takes, typically, a natural
language description of a stakeholder’s need and must map
it to a formal description in code. This difficulty of span-
ning non-formal and formal—termed the Turski Discon-
nect in [6]—has sometimes led to a dichotomy in
approaches to software development: some approaches
address only the formal concerns, usually in a single formal
language; others address only the non-formal concerns,
Z. Li (&)
College of Computer Science and Information Technology,
Guangxi Normal University, No. 15 Yu Cai Road, Guilin
using several languages, which often cannot be reconciled.
Yet, an effective approach to development should deal
adequately with the non-formal, the formal, and the rela-
tionships between them. This work is concerned with
addressing this issue.
The Problem Frames approach to requirements and
specifications proposed by Jackson [7] shows some prom-
ise in dealing with this problem. In Problem Frames, a
requirement is regarded as a description of some desired
behaviour in the environment that a computing machine
must eventually bring about, while the software specifica-
tion is regarded as a behavioural description of the com-
puting machine in terms of its interface shared with the
environment.
The Problem Frames approach encourages a proper
understanding of the problem (the requirement in its con-
text) as a first essential step in providing an appropriate
solution (starting with a specification at the machine
boundary). Secondly, it underlines the distinction between
the problem and solution space allowing the clearer for-
mulation of the argument of the satisfaction of the
requirements by a machine that satisfies the specification.
Thirdly, it provides a notation (the problem diagram) to
represent precisely details of the problem space in relation
to the solution space, hence the means to reason about
requirements, contexts, specifications and their relation-
ships, while still allowing descriptions to be informal and
real-world grounded.
The work is an extension and generalisation of the PhD
work of [8] and other preliminary work published in [9].
1.1 Contribution of the research
The theoretical contribution of the work is the provision of
an operational semantics for Jackson’s idea of problem
progression as sketched in his Problem Frames framework
[7]. This is based on the definition of a graph grammar that
permits the expression and transformation of a software
requirement into its solution specification form in the
context of problem diagrams, a key technique in Problem
Frames.
The basis of the graph grammar is the identification of
causal relationships within (natural language/non-formal)
requirements as the vehicle for transformation of those
requirements to be ‘closer to the machine’. The formali-
sation of the transformations without needing a formali-
sation of the requirements is a step towards addressing the
Turski Disconnect, and our work can be seen as drawing a
boundary between what is formalised and what can be left
informal in Problem Frames approach.1
To illustrate our approach, we use a benchmark software
engineering example, the package router, proposed by
Hommel [10], which has been used extensively to illustrate
the Problem Frames approach [7]. This problem is suffi-
ciently complex and representative of real-world situations
to test our approach.
The techniques presented in this paper lay the founda-
tions of a practical approach that could, at one level,
improve traceability between requirements and specifica-
tions and, at a higher level, improve communication
between developer and non-developmental stakeholders. In
other work, we are actively developing a semi-automatic
tool based on our techniques that should allow real-world
problems to be tested. An early prototype was used as part
of the empirical evaluation reported in this paper.
1.2 Paper structure
The remainder of this paper is structured as follows: in
Sect. 2, we introduce some relevant aspects of Problem
Frames, problem progression, causal reasoning and graph
transformation used in this paper; in Sect. 3, we describe
and demonstrate a rule-based technique for implementing
problem progression; in Sect. 4, we illustrate our tech-
niques by applying them to the benchmark package router
problem; in Sect. 5, we report an empirical evaluation of
the techniques; in Sect. 6, we recall and compare our
approach with related work; with discussions and future
work in Sect. 7, we conclude the paper.
2 Background
In this section, we describe the aspects of Problem
Frames,2 of causality and of graph grammars on which our
technique is based.
2.1 Problems Frames
A systematic account of Problem Frames is beyond the
scope of this paper but can be found in [7].
In Problem Frames, a software development problem is
a requirement in a real-world context for which a software
solution is sought. Problem descriptions are captured and
expressed by problem diagrams—labelled graphs that
model the computing machine, the problem world in terms
of the domains that exist therein, the requirement and the
phenomena that relate them. Like many other approaches,
a software specification is regarded as a behavioural
1 We are indebted to Pamela Zave, who through her comments on an
earlier manuscript, helped us to clarify the nature of our contribution.
2 We use capitalisation, as here, to distinguish Problem Frames as a
framework from the tools provided by that framework, such as
problem diagrams and context diagrams.
Requirements Eng
123
description of the computing machine in terms of its
interface shared with the environment.
The core of Problem Frames is the problem diagram, a
graph of the scope and structure of a software problem.
Figure 1 shows a problem diagram for a simple Heating
Controller.
The problem diagram shows the domains involved—the
Heating Controller machine and the Heating devices—the
phenomena that exist to relate their behaviours—the con-
trols HC! both on and off phenomena which are observed
by, and serve to control the, Heating devices. The
remaining element is the dashed oval which holds the
requirement, Heating regime, which is the desired rela-
tionship between is_on and is_off.
The heating control problem might be expressed thus as:
A modern office building needs an automatic heating
control system during the cold winter months in a
year. The building has a fixed pattern of usage—the
building needs heating on every working day from
9:00 am till 5:00 pm, which are the regular working
hours in the offices. The problem is to build a simple
controller machine that will switch on the heating
devices (we assume the heating devices have a
mechanism to maintain the temperature) at 8:45 am
and switch them off at 4:45 pm every day.
Some basic elements of the problem diagram are
explained below:
– The problem domain Heating devices representing
those physical devices that are used to generate heat
which can be in either the is_on state or the is_off state;
– The computer machine domain named Heating con-
troller (its machine status indicated by the box
decoration) representing the solution to be specified;
– The shared phenomena annotating the link between
them: the annotation indicates that the HC controls (!)
the phenomena {on, off} that it shares with the Heating
devices;
– The domain description describes how the events on
and off will cause state changes in the Heating devices;
– The requirement Heating regime (the dashed oval)
constrains the Heating devices’ states is_on and is_off
to be on between 8:45 a.m. and 4:45 p.m. every day.
More generally, phenomena are ‘element[s] of what we
can observe in the world’ [7]. and consist of distinguish-
able, named individuals such as events, entities or values
and relations such as states, truths and roles, which are sets
of associations among individuals. There are two catego-
ries of phenomena:
– Causal phenomena which are directly caused or
controlled by some domain and can cause other
phenomena in turn;
– Symbolic phenomena are used to symbolise other
phenomena and relationships among them.
Domains are ‘set[s] of related phenomena that are use-
fully treated as a unit in problem analysis’ [7], often
mapping to a domain experts’ partitioning of the problem
world. Domains control certain phenomena which they
share with other observing domains. Domain properties
describe ‘the expected and assumed relationships among
the phenomena of a domain’ [7].
Domains can be classified based upon their phenomena:
a causal domain is one whose properties include predict-
able causal relationships among its phenomena, whereas a
biddable domain typically consists of people and lacks
positive predictable internal causality. Jackson notes the
important role of chains of causality between domains: this
motivates much of the analysis in the problem domain.
The requirement3 is ‘a condition on one or more
domains of the problem context that the machine must
bring about’ [7]. Requirements are optative in expressing
‘wishes’ for relationships between contextual phenomena.
Satisfaction of the requirement is determined by observing
whether changes wrought by the solution within the real
world match those ‘wishes’. A requirement reference is a
connection between a requirement and a domain, which
consists of references to phenomena of the domain.
A requirement constraint is a requirement reference that
constrains the domain to which it refers, then the machine
must ensure that the state or behaviour of the domain sat-
isfies the requirement. Phenomena can be either referred to
or constrained by a requirement: if constrained, a satisfying
solution will ensure that that constraint is satisfied.
It is with chains of causality between domains with
predictable causality and their relationships that this work
concerns itself. We discuss the other possibilities later in
the paper.
2.2 Problem progression
In [11], Jackson considers the various possibilities for
problem decomposition by which one software develop-
ment problem can be related to others. In passing, Jackson
suggests the possibility of a systematic reduction in a
software development problem to a ‘pure programming
problem’, i.e., a software development problem which
Fig. 1 Automatic heating control problem diagram
3 There is but a single requirement in a problem diagram; this can, of
course, be a conjunction of many subsidiary ‘requirements.’
Requirements Eng
123
must only relate machine ‘inputs’ to ‘outputs’—a so called
specification phenomena. This tantalising possibility is a
result of the careful structuring of a problem’s domain and
of the strict observance of the meaning of a requirement
therein. Jackson says:
You can think of any problem as being somewhere on
a progression towards the machine, like this: The top
problem is deepest into the world. Its requirement RA
refers to domain DA. By analysis of the requirement
RA and the domain DA, a requirement RB can be
found that refers only to domain DB and guarantees
satisfaction of RA. This is the requirement of the next
problem down. Eventually, at the bottom is a pure
programming problem whose requirement refers just
to the machine and completely ignores all problem
domains.4
In Fig. 2, the solution to each of the problems is the
machine M, i.e., each problem transformation is solution-
preserving. Once RM, the machine specification, is known,
it is a simple matter to find M. The problem, then, is to find
RM. To do this, note that RM is the re-expression of
requirement RD so that it mentions only those events that
are shared with M, which are causally related to those
mentioned by RD.
Jackson does not provide any detail on the nature of the
relationship between the various descriptions, nor the sit-
uations in which progression applies. In this paper, we:
– Characterise those problems for which Jackson’s idea
holds in general;
– Identify characteristics of domains that allow progres-
sion to be applied; and
– Provide an implementation of progression as sketched
by Jackson.
2.3 Causality and causal reasoning
Causality is shared among various branches of the social
and natural sciences, including philosophy, logic, physics,
and psychology [12]. In the systems engineering setting, it
has been observed [13] that causation is often a natural
concept for the customer of a system to express his
requirements of it.
Causal chains—in which one phenomenon causes
another and so on—relate effects distant from causes. In a
problem diagram, a requirement will typically refer to one
or more phenomena at the end of a causal chain that ends
with machine phenomena and constrain other phenomena
in a causal chain emanating from the machine. To satisfy
the requirement, then, the machine must concatenate those
causal chains through its behaviour so that the phenomena
constraint is realised from the phenomena reference.
We follow Moffett et al’s treatment of causality. In
particular:
Cause and effect We regard cause as a relation
between events, which induces
a relationship between their
occurrences. Notationally, we use
to indicate direct cause: for
events e and f ; e f indicates that
an occurrence of e is the immediate5
cause of an occurrence of f.
State changes Given a state st of a domain D, the
event corresponding to D’s
entering the state st is denoted
" st6
Simple causality An event is the (simple) cause of
another if an occurrence of the
former is followed by an
occurrence of the latter. The time
period between the former
occurrence and the latter
occurrence may be indeterminate;
moreover, the effect of an earlier
occurrence may occur before the
effect of a later one. If the time
period is not unbounded, then the
cause is said to be sufficient;
otherwise, it is necessary cause.
Throughout this paper, ‘cause’
will mean sufficient cause.
Fig. 2 Problem progression, as sketched by Jackson [7]
4 The figure was named ‘a progression of problems’ by Jackson, on
page 103 in [7].
5 As usual, we indicate the transitive closure of a relation through the? decoration.6 What Problem Frames refers to as state, [13] refers to as conditions.
Requirements Eng
123
Timed causality Given an interval I, an occurrence
of one event e is the timed cause
of another event f on the interval
I if an occurrence of f necessarily
occurs within that time interval
after e’s occurrence, written e I
f :
Timed causality is sufficient
causality with an explicit bound.
The notation for intervals is not
prescribed.
Conditional causality An occurrence of one event e is
the g-guarded cause of another
event f, written g : e f ; whenever
the occurrence of e at a time when
g does not hold does not lead to
an occurrence of f. There are
sufficient and necessary forms of
timed causes.
Within Problem Frames, a domain controls a causal
phenomenon if it has the ability to initiate an occurrence of
that phenomena. In this paper, we interpret this to mean
that there are other phenomena, also under the control of
the domain that is its cause, in one of the senses explained
above. Domains that share phenomena participate in its
occurrence; this allows a causal phenomena of one domain
to be considered as the cause of another in another domain
without compromise.
By exploiting the notions of control and causality
together, we may reason about causal chains of behaviour
in a problem diagram. Following and manipulating these
causal chains is the basis of our implementation of problem
progression.
3 Problem progression
Problem diagrams are graphs. Because of this, the problem
progression can be implemented in the language of graph
grammars [14] which we briefly recall.
A graph, G, is a four-tuple, (V, E, s, t), where V is a
(finite) set of vertices and E is a (finite) set of edges with
V \ E = [ [14]. Functions s; t : E! V define source and
target, respectively. A subgraph of a graph G is a graph
whose vertex and edge sets are subsets of those of
G (including the mapping functions s; t : E! V).
Given graphs G1, G2 with Gi = (Vi, Ei, si, ti) for
i = 1, 2, an injective graph morphism f : G1 ! G2;
f = (fV, fE) consists of two injections fV:V1 ? V2 and fE:E1
? E2 which preserve the source and target functions, that
is, fV � s1 = s2 � fE and fV � t1 = t2 � fE [14].7
3.1 Graph transformation
A (graph) production rule p ¼ ðL l K!r RÞ consists of
graphs L, K and R, called the left-hand side, the interface
and the right-hand side, respectively, and two injective
graph morphisms l:K ? L and r: K ? R [14].
The injective morphisms (the shaded solid arrows
labelled l and r in Fig. 3) identify interface K as the sub-
graph common to both L and R under the production rule.
The injective remainders are those structures which are
transformed.
Production rules are the basis for the definition of graph
transformation; as they may be less familiar than the other
machinery we use, we take a little space to explain their
operation. Suppose that we have a graph G and a produc-
tion rule p ¼ ðL l K!r RÞ. Transforming G under p means
doing the following:
– Identifying a subgraph of G which matches the
structure of L; in the figure, this is the injective graph
morphism m:L ? G, called the ‘match’; then
– Replacing the subgraph m(L) in G with a subgraph
whose structure is defined by m(R) through p, which
leads to a new graph H.
Such a transformation is represented by G¼)p;m
H.
Figure 3 illustrates a graph transformation between
G and H for the production rule p defined above. The
shaded straight arrows labelled l, r and m represent
injective graph morphisms,8 while the shaded bent arrow
Fig. 3 The graph transformation G¼)p;m
H based on production rule
p and injective match m
7 Here, � is functional composition.
8 For brevity, and as m is an injection, vertex names are left
unchanged.
Requirements Eng
123
indicates the complete graph transformation. We note
that the ‘site’ of a rule application is not determined by
the rule, but by the source graph; a rule may therefore
apply many times to any graph. We must, therefore, be
careful in stipulating where within the graph a rule
applies.
3.2 Problem diagrams as graphs
Given a problem diagram D, we define:
1. Three sets, Types = {Domain, Requirement}, the ver-
tex types, Names, the set of domain names, and
Descriptions, the set of descriptions in the problem
diagram:
2. There is one vertex for each domain (including the
machine domain) and one for the requirement: for
n C 1 domains, we have vertices
V ¼ fv1; . . .; vng [ fvnþ1g
Then, lV : V ! Types� Names � Descriptions; which
maps a vertex to its expected value;
3. There is one edge for each relationship between
phenomena, i.e., one edge for each set of shared
phenomena, one for each set of referenced or con-
strained phenomena and one edge for each causal
relationship that is part of a domain description. Let
this set be E. Edge direction is derived as s, t:E ?V such that:
(a) For controlling domain (or constraining require-
ment) v of an edge e, its source is s(e) = v;
(b) For observing domain (or referencing require-
ment) v of an edge e, its target is t(e) = v;
(c) A causal relationship within domain v that gives
rise to an edge e has both source and target that
domain t(e) = s(e) = v;
The edge labelling mapping lE : E! PPhenomena
maps an edge to the set of phenomena from which it
derives.
3.2.1 Example: the heating control problem
As a running example to illustrate problem progression as a
graph grammar, we look again at the heating control
example of Fig. 1. With two domains, a requirement, one
set of shared phenomena, one constrained set and one
internal causal relation, we have:9
With the labelled graph representation of a problem dia-
gram, we are in a position to define graph production rules
for their manipulation. Problem progression can then be
regarded as graph transformations.
3.3 Progression rule classes
In this section, we decompose problem progression into
three classes of ‘atomic’ transformation classes. Briefly:
Reducing through
Cause and Effect
by which the effects and causes are
swapped in the requirements as
appropriate to the causal relations
identified in domain descriptions.
This rule class allows us to reason
through the behaviours of a domain,
thus allowing the requirement
constraint or reference to be
restated based on causal chains
within domain descriptions.
Fig. 4 Heat control problem diagram in Fig. 1 represented as a
directed graph (graph labels are omitted for clarity)
9 For brevity we will, as in Fig. 4, write lV(v) as lv, lE(e) as le.
Requirements Eng
123
Changing Viewpoint by which differing ‘perspectives’ of
domains sharing an event are used,
i.e., switching from the perspective
of a domain controlling an event to
that of a domain observing that
event, or vice versa. This rule class
allows us to reason through the
shared phenomena among domains.
Removed Domain by which we remove domains that
have become disconnected from all
other domains through applications
of the other rules.
We formally describe these rule classes in the sequel.
3.4 Reducing through cause-and-effect
There are two subclasses of transformation in this class,
corresponding to whether we wish to replace an effect with
a cause, or a cause with an effect.
3.4.1 The effect-to-cause rule class
The basis for this rule class is that a causal relationship
exists within D, i.e., there are phenomena c and e such that
c e (more generally, ðgÞ : c e with g the guarding
Boolean condition). The reader will note that:
– As we work within the Problem Frame framework, that
c causes e means we may exclude the control of e by a
domain other than D; the resulting six of nine possible
combinations (c, e: controlled, internal, observed) are
illustrated in Table 1;
– Under this condition, the causal relationship between
c and e permits a requirement to be rewritten so that
statements to the effect that ‘… e occurs …’ are replaced
by their (guarded) cause ‘… c occurs (and g holds) …’
without altering satisfaction of the requirement. This
property, in consort with other properties of the other
rules we define, is the basis of problem progression in
that the same solution (M in Fig. 2) will satisfy both
original and rewritten requirements.
We also note that the rewriting of the requirement in this
way decreases by one the number of constraints on the
phenomena controlled by D.
We adopt the following rule naming convention: a rule
name has three parts: (i) a sub-rule acronym in capital
letters—here ETC; (ii) the case number of problem topol-
ogy to which the rule applies; and (iii) either the letter ‘c’
when the requirement phenomenon is constrained or the
letter ‘r’ when the requirement phenomenon is referenced.
Formally, to apply a rule to a problem diagram consid-
ered as a graph, we encode each rule within our graph
grammar; for instance, rule ETC(3)c is the graph production
rule shown in Fig. 5, where the application conditions are:
1. Types(v1) = Types(v2) = Domain, that is, the type of
v1 (i.e. D0) and v2 (i.e. D) is Domain;
2. Types(v3) = Types(v4) = Requirement, that is, the
type of v3 (i.e. R) and v4 (i.e. R0) is Requirement;
3. s(e1) = v1, t(e1) = v2, that is, domain v1 (i.e. D0)controls its shared phenomena e1 (i.e. {c}) with
domain v2 (i.e. D);
4. s(e2) = v3, t(e2) = v2, that is, requirement v3 (i.e.
R) constrains the phenomena e2 (i.e. {e}) of domain
v2 (i.e. D);
5. e2 � v2 ^ e2 � v3 ^ e2 6� v1; that is, the description of
v3 (i.e. R) includes occurrence(s) of event e, i.e., ‘…
Table 1 The ETC rule class:
all causal possibilitiesCase Description/explanation
(1) Both effect e and cause c are internal to D
(2) Effect e is internal to D; cause c is controlled by D (and observed elsewhere)
(3) Effect e is internal to D; cause c is observed by D (and controlled elsewhere)
(4) Effect e is controlled by D (and observed elsewhere); cause c is internal to D
(5) Both effect e and cause c are controlled by D (and shared elsewhere)
(6) Effect e is controlled by D (and observed elsewhere); cause c is observed by D (but
controlled elsewhere)
Requirements Eng
123
e occurs …’, which is an internal phenomenon of v2
(i.e. ‘e internal to D’);
6. s(e3) = v2, t(e3) = v2, and ðgÞ : c DT
e; that is, the
description of e3 (i.e. the dog-eared box in the upper-
left part of Fig. 5) must contain statements of causal-
ity, e.g., there should be a statement like ‘c causes
e when g’ as part of domain D’s properties;
7. DT � Limit ^ Limit 2 R; that is, the time elapsed
between the occurrence of the cause c and that of the
effect e is short enough to be ignored (there is one
complication: for some real-time systems, if problem
progression involves n successive applications of
effect-to-cause sub-rules, in which casePn
i¼1 DTi of
time is needed for the causal events to occur, thenPn
i¼1 DTi � Limit must hold).
After the rule application, the description of v4 is
derived from that of v3 by replacing ‘. . .e occurs. . .’ with
‘. . .c occurs when g holds:. . . ’.
– Statements in R on phenomena other than event e are
untouched by this rule and remain the same in the
derived requirement R0; thus, all the constraints on such
phenomena are the same in both R and R0 and are
satisfied under the same conditions;
– Because ðgÞ : c e; a statement of sufficient causality,
is part of the behaviour of D, occurrences of ‘…e occurs …’ are always the effect of ‘… c occurs when
g holds …’; thus, behaviours that satisfy R will also
satisfy R0, and vice versa;
– That the timing of the system is not compromised by
focusing on event c instead of e means that care has
already been taken in considering the time elapsed
between the occurrence of c and that of its effect e, so
that replacing R with R0 does not affect the order of
event occurrence in behaviours.
Example (cont’d) The Heating Control Problem Consider
again the heating control problem. From its description
(Sect. 3.2.1), we have that on " is on: Hence, ETC(3)c
can be used to replace the requirement reference on
is_on with a constraint on the machine controlled on.
In detail, if
mðD0Þ ¼ Heating controller mðcÞ ¼ on
mðDÞ ¼ Heating devices mðeÞ ¼ is on
mðRÞ ¼ Heating regime0;
then m matches the dog-eared box containing ‘e internal to
D, c causes e when g’ in the rule to the dog-eared box
containing ‘on " is on’ in the problem diagram. The
changes wrought by the graph transformation are as
follows:
– Heating regime becomes10 Heating regime’, with
description ‘the heating devices should receive an on
pulse command at 8:45 a.m. and be switched off at 4:45
p.m. every day’, as indicated by the pattern ‘… on
pulse command [c occurs when g holds]’.
We note that ‘receive an on pulse command at 8:45
a.m.’ is a constraint on machine phenomena: in effect, we
have ‘moved’ the requirement closer to the machine. The
transformed problem diagram is shown in the bottom right
corner of Fig. 6.
There is a second application of the rule possible, this
time with match n applied to the off phenomenon, shown as
the end point of Fig. 7 (in which Heating regime’ has been
renamed to Command Regime).
When applied in this way, i.e., to phenomena
observed by the environment and controlled by the
machine, the number of phenomena referred to by the
requirement decreases by one for each application of
this rule as the number of constrained phenomena
increases by one. In this way, causal chains may be
followed from those machine-controlled phenomena to
the environment.
Fig. 5 Rule ETC(3)c, derived from case (3) of Table 1, written in a
problem diagram-like notation (above) and as a graph transformation
(below)
Fig. 6 Applying effect-to-cause rule ETC(3)c to on " is on in the
heating control problem diagram …
10 With changes italicised.
Requirements Eng
123
3.4.2 The cause-to-effect (CTE) rule class
The cause-to-effect rule class is based on the same analysis
as the effect-to-cause rule class; indeed, Table 1 again
serves to enumerate the cases. For cause-to-effect, how-
ever, the requirement is rewritten so that any occurrence of
a cause, say event ‘… c occurs … ’, is replaced by an
occurrence of its guarded effect, say ‘e occurs and g held’.
In contrast to the effect-to-cause rule, the number of
phenomena referred to by the requirement increases by one
for each application of this rule as the number of con-
strained phenomena decreases by one. In this way, causal
chains may be followed from environment-controlled
domains to machine-observed phenomena.
3.4.3 The observe-to-control (OTC) rule class
This rule class focuses on two domains D and D0 and a
phenomenon that they share ev. It is based on the following
observation: a requirement R may be rewritten so that a
description of a shared event, say ev, is switched from the
viewpoint of its ‘observer’ domain, say D0, to that of its
‘controller’ domain, say D. In this way, we replace ‘… D0
observes ev …’ appearing in R with ‘… D observes ev …’
to make the new requirement R0.The are only two cases, corresponding to whether the
phenomenon ev is constrained or referred to, and both of
which give rise to the rule ‘shape’ that is shown in Fig. 8.
That the above rules preserve solution-hood of the
machine follow from the following observations:
– Statements in R on phenomena other than event ev are
untouched by this rule and remain the same in the
derived requirement; thus, all constraints on such
phenomena remain the same in both R and R0 and are
satisfied under the same conditions;
– Because ev is shared between D and D0, the occurrence
of ev that D0 observes is exactly the same as that
D controls; thus, behaviours satisfying R also satisfy
R0, and vice versa.
Like ETC, this rule can be used to ‘move’ the require-
ment towards the cause in a causal chain.
3.4.4 The control-to-observe (CTO) rule class
This rule class bears the same relationship to the OTC class
as CTE does to ETC. We omit its description for brevity,
other than to remark that, like CTE, this rule can be used to
’move’ the requirement towards the effect in a causal
chain.
3.4.5 The domain removal rule class
The goal of the transformations we have defined so far is to
move the focus of a requirement from a domain further
from the solution machine, such as the DA in Fig. 2, to a
domain, DB, closer to the machine. If our goal is reached,
then we should hope to find a domain that has become
‘isolated’ from the requirement in that its phenomena are
not referenced or constrained by it. If this is that case, we
should remove it from the problem diagram, thus effecting
the topology changing part of problem progression.
The remaining rule class we define, Domain Removal—
RD— implements this problem transformation. The RD
rule class focuses on two domains D and D0. Domain D is
attached to the requirement R, while D0 is the domain to be
removed (see Fig. 9). Again on whether the requirement
constrains or refers to the event they share or other events
that do not belong to D0, there are six possible cases, as
shown in Fig. 10:
– Event ev is constrained by the requirement R and
controlled by D; thus, this rule is called RD(1)c;
– Event ev is referenced to by the requirement R and
controlled by D; thus, this rule is called RD(1)r;
– Event ev is constrained by the requirement R and
controlled by D0; thus, this rule is called RD(2)c;
– Event ev is referenced to by the requirement R and
controlled by D0; thus, this rule is called RD(2)r.
– Event ev is constrained by the requirement R and does
not belong D0; thus, this rule is called RD(3)c;
– Event ev is referenced to by the requirement R and does
not belong D0; thus, this rule is called RD(3)r.
Fig. 7 … and subsequently to off " is off in the heating control
problem diagram
Fig. 8 Observe-to-control rules OTCc and OTCr
Fig. 9 Left: D’ ready for domain removal; right: without further
influence, R’ compensates
Requirements Eng
123
All of the above cases are admissible, from which six
sub-rules are derived.
Note that we only apply this rule when R does not
constrain internal phenomena of D0 (except D0’s shared
event ev with D in RD(1)c&b, RD(2)c&b and RD(3)c&b,
ev is internal phenomenon of D), and in other words, no
more events that belong to D0 are constrained by
R; therefore, we have the following justification of the rule
(which is similar to all removing domain rules):
– Statements in R on phenomena other than event ev are
untouched by this rule and remain the same in the derived
requirement; since R’s only constraint on domain D0 is ev
(R may constrain or refer to some internal phenomena
that belong to D or D’s shared phenomena with other
domains), removing D0 does not touch any phenomena in
R, and since R’s constraint on ev is still kept within the
rewritten requirement, i.e., R0 repeats what is stated in
R; thus, all constraints or references on such phenomena
remain the same in both R and R0.
The effect of this rule is to reduce by one the number of
domains.
3.5 A terminating heuristic for rule application
The aim of this work is an operationalisation of problem
progression which identifies and exploits useful structures
and causal relationships in informal real-world domain
descriptions for the systematic and traceable transforma-
tion of requirements into software specifications. Note that
we do not claim that every application of rules will lead to
the same end point, only that any endpoint that is reached,
i.e., every specification derived from a problem, will pro-
vide a solution. Here, we argue that, given suitable causal
chains linking phenomena, there is a sequence of rule
applications which end with a machine specification.
It is not obvious that rule application will always ter-
minate. Indeed, it is not the case that an arbitrary appli-
cation will terminate: take the transformation in Fig. 6, for
example, and consider the effect of ETC(3)c followed by
CTE(3)c with the same causal relationship as subject, the
result of the CTE application is the inverse of the CTE
application. Some way must be found of preventing such
inverse pairs being applied.
Recall that our aim is to attach the requirement to the
machine under the assumption that causal chains link the
phenomena that appear in the software problem. Given a
machine-shared phenomena, we may determine whether it
is observed by the machine or controlled by it.
In the former case, we may assume that that phenome-
non is at the end of a causal chain that is incident on the
machine, but with original cause distant from the machine
and referenced by the requirement, in which case we
should apply the CTE and/or CTO rules applied to the
distant cause to ‘move’ the requirement ‘closer’ to the
effect, i.e., the machine.
In the latter case, we may assume that that phenomenon
is at the end of a causal chain incident on the machine, but
with effect distant from the machine and constrained by the
requirement, in which case we should apply the ETC and/
or OTC rules to the distant effect to ‘move’ the requirement
‘closer’ to the cause, i.e., the machine.
In each case, a distant cause or effect is moved closer to
the machine; applying an inverse would move the cause or
effect further from the machine and so would not be
allowed under this heuristic.
4 Example: the package router
The package router is used extensively in the Problem
Frames literature as a benchmark example for Problem
Frame techniques. Here, we present problem progression as
applied to this benchmark example.
4.1 The package router problem
A package router is a large machine used by delivery
companies to sort packages into bins according to
bar-coded destination labels affixed to the packages.
