A Knowledge Representation language for Requirements Engineering

ERIC DUBOIS, JACQUES HAGELSTEIN, EUGENE ANDRE RIFAUT LAHOU, FRANK PONSAERT,
AND

an invoice, how to calculate a net price from gross the price and the tax, how many invoices are handled per day, etc. These are assumptions that the software system relies upon; they must be included in the requirements document. A similar idea made its way into database design, where the conceptual mode1suggested in [30] is adescription of the universe of discourse, i.e., the portion of the world referred to by the database contents. A second reason for adopting world-oriented requirements is that theusers expectations are often only satisfied by harmonious cooperation between the system and its environment,includingthe users themselves [20]. For instance, a software-controlled elevator should basically lead its users to the intended floor. To achieve this,the elevator I. REQUIREMENTS ENGINEERING AS A MODELING ACTIVITY must react properly t o its commands,but the user must folRequirements engineering (RE) is the part of software delow the right procedure t o communicate his intent (pushvelopment where the expectations of theusers are invesing buttons,etc.). RE must, therefore, define requirements tigated and recorded. It is particularly critical, as the late on the behavior of both the system and its environment. discoveryof misunderstandings in the requirementscauses This will avoid the too frequent dissatisfaction users of not the most expensive modifications to the software system awareof thechanges implied in theirworking environment by the introduction of a computer system. 161. The traditional view of RE (see, for instance, [21]) focuses In this view, requirements subdivide into three parts: on the targetsystem, and produces a document including 1) The overall requirements describe the effect expected functional and performance requirements, external interfrom the cooperation of thesystem and its environment. faces, exception handling, design suggestions, etc. We call 2) Thesystem requirements describe the desired bethese requirements computer-oriented. A different view havior o f the computer system. is now emerging, which pays as much attention to the en3) The environment requirements describe the assump vironment of the computer system as t o the system itself tions about the application domain as well as the environ[3], [MI,[g, [IO], [MI, [15]. Wecall such requirements worldments behavior in presence of the system. oriented. The overall requirements are the best expression of the A first reason for this shift of emphasis is that requireusersexpectations. Their fulfillment can be deduced from ments can only be defined if the application domain is well the two other kinds of requirements. System requirements understood. HOW could one define requirements anon inmust be fulfilled by the developersof the system, whereas voice handling system without knowing what is typically on environment requirements are the users responsibility. These ideas are further developed and applied in [ I q . Our emphasis on world-oriented requirements should ManuscriptreceivedMay9,1985;revisedMay12,1986.Thiswork not be misunderstood. We claim that theyare always usewaspartiallysupported bytheEuropeanCommunityunderProject 432 (METEOR) of the European Strategic Program for Research and ful, but not that they can always be completed. There is, Development of information Technology ( E S P R I T ) . indeed, a class of requirements that we not do cover: those E. Dubois, J. Hagelstein, and A. Rifaut are with Philips Research that constrain the way the target system should be develLaboratory, 8-1170 Brussels, Belgium. oped. In some cases, the ill-definedness of the problemis E. Lahouand F. Ponsaert are with AT&Tand Philips Telecomsuch that part of the requirements on the system or its enmunications, 8-1070 Brussels, Belgium.
Requirements engineering, the phase of software development where the users needs are investigated, is more and more shifting its concern from the target system towards its environment. A new generation of languages is needed to support the definition of application domain knowledge and the behavior ofthe universe around the computer. This paper assesses the applicability of classical knowledge representation techniques to this purpose. Requirements engineers insist, however, more on natural representation, whereas expert systems designers insist on efficient automatic use of the knowledge. Given this priority of expressiveness, two candidates emerge: the semantic networks and the techniques based on logic. They are combined in a language called the E R A E model, which is illustrated on examples, and compared to other requirements engineering languages.
0018-9219/86/1Do(F1431$01.00 @ 1986 IEEE

PROCEEDINGS OF THE IEEE, VOL.

74, NO. 10, OCTOBER 1986

1431

vironment are replaced by requirements of that kind. For instance, a program for playing chess is partly specified by its procedure of acceptance: it should defeat some good level chess players. Even in such cases, world-oriented requirements are needed, for instance, to describe the rules of chess, or the desired interface of the program. Given this, world-oriented requirementsdescribe knowledge of a general nature, unlike computer-oriented requirements which describe computer artifacts: data structures, computations, functions, etc. Languages currently available to supportRE are likely t o be inappropriate in this broader framework. (See [40]for a survey.) This paper proposes a new language inspired by the work on knowledge representation (KR) in artificial intelligence. Section II compares the variousKR languages to the specific needs of RE. The semantic networks and the logical approach emerge asthe bestcandidates, but still lack importantfeatures. They are extended in Section Ill into theERAE model (Entity, Relation, Attribute, Event), which is described and illustrated on examples. Section IV compares the ERAE model with other approaches. II. A
LANGUAGE FOR

one reaches other concepts by a mechanism close to association of ideas. A criticism frequently addressed to the semantic networks is their lack of commonly agreed semantics. Logic: In the logical approach, knowledge is represented by meansofformulas,built up from predicates, logical connectives, quantifiers, etc. Some approaches limit themselves to classical first-order logic, while others advocate the use of modal logic, fuzzy logic, higher order logic, etc. In the example below, we express that (1) all persons have a name, and that (2) Mary is a person. (1) Vx: person(x) = has-name(x) (2) person(Mary). The logical approaches have the advantage of awelldefined semantics, and the availability of inference rules. For instance, from the two formulas above, we may conclude that (3) Mary has a name:

(3) has-name(Mary).
A well-known support for logical approaches is the programming language Prolog, implementing the inference rules for a weakened version of first-order logic. The advantage of using logic in knowledge representation has been the subject ofhot debates. A clear problem is the lack of structure, when knowledge is represented as a linear collection of formulas. Frames: Frames are pieces of knowledgeassociated with stereotypical situations. They take the form of a structured set of components of the situation, called "slots." A slot may refer to another frame, thereby establishing an association between the two frames. General associations like generalization can also be established. The frame represents one's expectations in a situation, and therefore includes ways t o obtain information about the slots (default values, inference rules). The following example describes expectations about a bicycle. cycle FRAME moving-means FRAME-WITH number-of-motor = 0 number-of-wheels: IN { I , 2 )
SPECIALIZATION-OF: DEFAULT VALUE 2

REQUIREMENTSENGINEERING

This section will detail the language features needed in RE, and use them to assess the various KR approaches. A. Overview of Knowledge Representation Techniques This brief overview is only intended to substantiate the discussion in the rest of this section. More complete introductions, as well as references, can be found in[4], [35], P91, W I , and P I . For this presentation, we are subdividing knowledge rep resentation techniques into fourcategories: semantic networks,logicalapproaches, frames, and production systems. The subdivision is, however,somewhatarbitrary, because many approaches could belong to several of these categories. Semantic Networks: This label denotes, i n fact, a whole familyof approaches, having in common the useof agraphical notation based o n nodes connected by links. The nodes represent concepts, andthe linksexpress associations between them. In Fig. 1, "John," "Mary," and "Person" are concepts, whereas "is-a" and "likes" are links. This example uses the

number-of-seats: owner:
INSTANCE-OF

IN ( 7 . 2 ) DEFAULT VALUE 1

person

FRAME

Fig. 1. A semantic network.

very common "is-a" link, which, in this case, denotes the relation ofclassification, i.e., membership of individuals in aclass. It may alsodenotethe relation of generalization, i.e., inclusion of a class in another one(e.g., "Person is-a Mammal").These relations are associated with an inference mechanism whichallowstheinheritanceofproperties downward along the links:Person if a hasa name, then John and Mary have a name. The semantic networksprovide easy accessto the knowledge: starting from a concept and navigating along links, the

There is not much evidence gathered until now on the me its and problems of this approach. Their semantics is generally defined by means of an inference engine. Production Systems: Production systems consist ina set of production rules, stating that if a given condition holds, a given action could be executed. The actions modify an associated database of facts. As several conditions may be true at the same time, a selection strategy must be defined for choosing which of the corresponding actions will be executed. The following example describes in three rules some knowledge about the habits of a swimmer.
IF I F

IF

(weather sunny) (temperature $x) (sx greater 20) (swim in river) (weather sunny) (temperature$x) ($x lower 20) THEN (swim in pool) (weather cloudy) THEN (swim in pool).
THEN

1432

PROCEEDINGS OF THE

I E E E , VOL.

74, NO. 10, OCTOBER 1986

Production systems are obviously strong at expressing knowledge which may take the form of state transitions. Their uniformity of representation makes them easily modifiable, by the addition and deletion rules. of The maindisadvantages are a lack of internal structure and the dependency of deductions on the selection strategywhich makes them sometimes hard to interpret.
B. The Compromise Between Knowledge Acquisition and Use

subjective, but this does not prevent the classification from being useful. It is desirable t o further distinguish different kinds of objects and of associations. For objects, we can distinguish thosewhich areof interest bythemselves, likeelevatorsand floors,from thoseonlyused tocharacterizetheformer, like $7 which is the price ofa given book. A distinction between associations is based on thesame idea.Someassociations, such as is-located-at, apply between several objects of interest by themselves. They characterize each of the objects involved. In the example above, is-located-at characterizes the elevator (at which floor is it?),as well as the floor (which elevator is at it?). Other associations apply betweenan object of interest and another one which is not. The association price between a book and$7 is an example.
2) There are individual objects as well as groups of objects.

The differences between the various approaches reflect, among others, their bias towards either the expression or the use of knowledge. Semantic networks claim to be natural, whereas frames and productionsystems favor more the efficient use of knowledge. The logical familyi s in the middle. We will investigate here our needs for an RE language with respect to these two aspects: what knowledge should be expressed, and what it will be used for. Expression o f Knowledge Knowledge acquisition is known to be a difficult problem. This is particularly true in RE, where the situation is highly unfavorable. Thenecessary knowledge is spread among several people, for whom it forms the work environment. They can answer questions, but do not usually have an abstract view on this knowledge. Additionally, these experts are not motivated, and feel it an unnecessary expense to spend much time discussing their environment. For these reasons, a suitable RE language must set its top priority on favoring knowledge acquisition. We will distinguish two aspects of this task: the identification of concepts and the statement of constraints. The former implies mapping a certain real-world phenomenon into a basic concept of the knowledge representation language.The latter impliesfurther constraining the identified concept, and limiting its possible characteristics. The separation is somewhat arbitrary as the same information could be capturedin one or anotherway, depending on the language. It is used here for presentation purposes. Wewilldiscussthetwoaspectsinturn,anddevoteathird part to the structuring mechanisms. The presentation uses informal examples from two classical RE problems: a data processing application (the management of a library) and a process control application (the control of an elevator). Identification o f concepts: As said before, the knowledge we want to record is of a general nature, and does not consist in computer artifacts. Its characteristics are listed in [I61 and are summarized below. 1) A well-known tool in organizing knowledge is the classification of phenomena into categories. A subdivision that is proposed as natural in many fields (AI, databases, programming languages)uses objectsand associationsbetween them. Object must be understood in a very broad sense, namely, anything that i s perceived individually. O n the other hand, associations are only perceived if the associated objects are perceived themselves. Floors and elevators are objects. is-located-at i s a possible association between them. The decision to use an object or an association may be quite

The ground floorand the top floor are individual objects of interest but the group of all floors is also interesting. Objects often belong to several groups at a time. A book may belong to the group books of ofa particular author in the library, and to the group of the lentbooks. A group may be considered an object of interestand thus participate in associations.

Thegroupofbooksinthelibraryhasanassociationcalled
maximum-number, numbers of books. which is the upper limit on the

3) Objects and associations aretime-dependent. Objects need not exist at all times, and associations may change with time. This providesan implicit concept of state, formed by the objects and associations in existence at a given moment.

Members of the library register and resign, havingthereby a time-dependent membership. The association is-located-at between elevators and floors is also time-dependent. The membership of objects in groups is also time-dependent. The group of books owned by the library evolves with time, as books are bought, lost, or destroyed. It must be possibleto refer to timevalues explicitly, for instance,todenotethenumberofbooksinthelibraryonApril 2, 1986. 4) Dynamic phenomena may be perceived either as state transitions or as instantaneous objects. The latter, called events, areused when a phenomenon i s instantaneous and of interest by itself. This event may establish associations with other objects. An event request-for-elevator is associated to the floor where it was issued. A specific use of events is to distinguish different happenings, that would lead to the same state transition.

DUBOIS et a/.: LANGUAGE FOR REQUIREMENTS ENGINEERING

1433

The events "arrival of a new book" and "return of a lent successor maybe referenced. This defines the dynamic evbook" could well result in the same state change, i.e., an olution on a"state by state" basis, where the next state is additional book is now in thelibrary. determined from the current one, and possibly from the events taking place during the state transition. Events may be simultaneous, and neednot have an effect. If an upwards elevator request is expressed on a floor, They are thus not simplynamed state transitions. They inilluminate the up button on that floor. troduce a further refinement among the objects which are of interest by themselves. 4) In the declarative style, there is no limitation on the KR languages fulfill these requirements to various exstates and events thatcan be referenced in the constraint. tents. The difference between object and association is Typical examples are statements such as "if this holds in a rather common.Some semantic networks treat objects and state, this will hold later," "this event may not be followed associations as concepts, without making the difference, by that one," etc. but others distinguish the two categories of concepts.The Each elevator request expressed atafloorwill result some logical approach and production rules make it by distintime later in a stop of an elevator at this floor. guishing objects and tuples of objects. Frames correspond toobjects, whereas associations are expressed by slots. Slots Each library member borrows at leastone bookper year. referencing other frames are associations between objects The logical approach, intended primarily at expressing of interest. However, a further distinction between differstatements, is of course good at it, at least for static stateent kinds of objectsis uncommon. on The distinction between individuals and groups, and the ments. The expression of dynamic statements depends howthe temporal dimension is included. If the logic is augpossibility of considering groupsas objects is a basic idea mented with a time parameter, any kind of dynamic conof semantic networks. The other formalisms are weaker, straint can be expressed. Modal or temporal logic, on the and provide away to handle generic objects of a group, but other hand, puts some restrictions on the possible statenot the group as an object. This is done using variables in ments. The level of expression of the other approaches defirst-order logic, using the pattern-matching mechanism in pends on the extensions available in the particular lanproduction rules, or by means of generic frames. guage under consideration. Semantic networks, for Semantic networks have no special provision for teminstance, vary from complete absence of constraintst o the poral aspects, but can consider time values and events as expressive power of logic with time. Production rules baconcepts like all others. Logical approaches can handle time sically constrain thestate transition, butcan express more values as one of their domains, and add a time argument by including extraneous information in the state. This is, to objects andassociations. Another approach is to use alternate logics which privilege the handling of time; for in- however, heavy and unnatural. Structuring mechanisms: Thisquestioncould have stance, modal or temporal logic. In connection toframes, been tackled under the heading "identification of conscripts deal with events, actions, and temporal relations becepts." Nevertheless, it is traditionally treated with special tween them. Production rules easily represent state tranemphasis. The reason is that the structuringis particularly sitions, but this is a limited way of expressing time depenuseful in condensing information, thereby easing its r e p dency. resentation and use. Statement of constraints: In order toease this part of the process of knowledge acquisition, various kinds of con- Structuring consists in recognizing and expressing the relation between the details and essential, the for instance: straints, as well as various styles, should be allowed. We will distinguish static anddynamicconstraints,andforthe expression of the latter, the procedural and declarative styles. 1) Static constraints are those whichare true at all times. Examples are numerous, and only a few common ones are given below. Existence of objects: elevators are permanent; each book in the libraryhas a different title. Existence of associations: a book has always an author and a title. Cardinality of groups: the elevators are three in number. Cardinality ofassociations: a book can be lent toat most one member, and a member can borrow at most two books at a time. 2) Dynamic constraints make reference t o several states, i.e., they describe restrictions on the evolution of the objects and associations. A book broughtback to the library must have been lent some time before. We distinguish two broad styles for expressing dynamic constraints: the procedural style, and the declarative style. 3) In the procedural style, only astate and its immediate the relation between the parts and the whole, the commonality of properties among several objects, the relation between exceptions and general rules. Each floor is equipped with two buttons, one to request an upelevatorandonetorequestadown-elevator. Exceptions are the ground floor equipped only withan up buttonand the top floor equipped only with a down one. Every library member has a name and an address. The library is managed byamembersboard,which is a subgroup of the members. Therefore, each member of the board has a name and an address. In the example above, the concept of group is used t o express a common ability to participate in some relation. The groups can thus be usedas types, but with important differences with respect to the types in logic or in programming languages. The membership in groups is timedependent, whichmeans that an object may be allowed to participate in some relations at some point in time, but not at another. Additionally, there is no restriction on the intersection of groups, and they can be themselves considered as objects. Structuring can also help, during RE, in combining the

1434

PROCEEDINGS OF THE IEEE,

VOL. 74, NO. 10, OCTOBER 1986

partial views of the people involved: is there always a higher level in the hierarchy of details, where a commonality can be found. For instance, some peopleonly know of ageneral case, whereas others only know of a subcases, few or even exceptions. Onlya full structured description will provide the framework for all contributions. Semantic networks and frames provide the structuring mechanisms mentioned above. Some semantic networks donotdistinguishclassificationandgeneralization,by using thesame IS-Alink, but most distinguish them. On the other hand, the logical approach and production rules systems are lacking structuring mechanisms. Use of Knowledge

is a prerequisite to an elevator's move and that their opening is conditioned by the stop of the elevator at a floor. As stated in Section I, part of the work in RE is to establish that the behavior of system the and itsenvironment combine harmoniously, and achieve the desired global effect. This can be proved by deducing this effect from the description of the two behaviors. In the librarysystem, an objective is t o have the system know that a book is available at most 1 h after its return. This will be achieved if the librarian checks it in within 50 min and if the system handles this information within 10 min.

We noted above that knowledge acquisitionis an essenThe formality and the deductive power of the logical ap tial problem in RE. On the other hand, the use of knowledge proach are its main strength. Attheother extreme, semantic is less of a problem; building an expert system is not the networksdonothaveaformal basisonwhichthereisawide goal. The purpose of using KR techniques here is only to agreement. Some proposals have been made, however, in make explicit some important knowledge that is usually this direction. Frames and production systems have their overlooked, and to let every actor agree on it. semantics defined in terms of their inference engine. This Four means for improving communication will be disimplies that their deductive power is limited to what these cussed in turn: formality, deductive power, abstraction caengines can do. In particular, it is easy and efficient to verify pability, and conversion towards other languages, facts, but not to establish general properties. Formality: A language is formal if it provides agreed Abstraction: Abstraction is a mechanism that omits denotations as well as mathematical rules for interpreting tails from awhole. Given the representation some of knowlthem. In particular, languages used bycomputers-such as edge, one obtains an abstracted version by just suppressing programming languages-are formal, as thecomputer must some parts. This is of no great use when done arbitrarily, be able t o reject ill-formed sentences, and to handle the but becomes interesting when combined with the strucwell-formed ones in a predictableway. useturing mechanisms above. What should be left outa in In RE, formality is advocated, not for use by computers, ful abstraction is but for common interpretation by humans. Indeed, large amounts of precise knowledge must be transferred bethe parts, while keeping the whole, tween several people, through large periods of time. the noncommon properties, while keeping the comIt is however not realistic to assume that all actors of RE mon ones, will be able to read a formal language. Instead, the formal the exceptions, while keeping the general rule. description willact as a depository of the common knowlIn the library, books are considered from several viewedge, only used byexperts. Its use for interacting with "napoints: members are interested in knowingwhat books ive"actors is discussed under the heading "conversion toare currently available, the library board is interested in wards other languages." booksacquisition,and thelibrarian isconcerned with the Deductivepower: The deductivepower associated books whichare currently lent out. Each view deals with with alanguage dependson the availability of rules defor only part of the book's characteristics, and is thus an abriving newsentences from given ones. Deductive power is straction of the concept of book characterized by its purnot a mereconsequenceof formality: the programming lanchase date and price, its last lending date and borrower, guages, which are formal, do not include rules of deducand its last return date. tion. Deductions are useful in RE for several reasons: This form of abstraction is important to ensure a good The knowledge that is recorded is acquired from varunderstandingofthelargeamountsofinformationinious sources, and in a stepwisemanner, with potential involved in RE. It permits first looking at the essential, and consistencies between contributions. The inconsistency then going down the levels of detail-the t o p d o w n apbetween two statements is recognized by showing that they proach-or conversely, first looking at a detailed small piece imply contradictory statements. before placing it in a moregeneral framework-the bottomup approach. There might be inconsistencies in the interpretation of Abstraction is also used in RE when isolating the inforthe concept ofa book. It mightbe a unique physical obmation belonging to a specific person's view. Only this inject for some, and an abstract one(e.g., Hamlet, by Shakeformation is used when communicating with thatperson, speare) for others. This can be detected by notingthat, because the rest is unknown to him. intheformercase,abookcannotmeaningfullybeseveral Semantic networks, andto some extent frames, are best times in the library, whereas it can in the latter case. suited for abstraction: networks can be merged into larger It is not easy t o make sure that a formal descriptioncapones; generalizations or specializations can be extracted tures indeed the intended knowledge. Agood way to check from part of a network; a mechanism of definition allows ones, and to this is to deduce new facts from the available to abstract a network into a single concept. The logic repcheck whether they intuitively hold. resentation formalism has basically only the ability to define a function or predicate that abstracts from a complex "Elevator's doors are closed during a transportation" is a property implied by the fact that the closing of doors expression. This is, however, less useful because it gen-

DUBOIS et a/.: LANGUAGE FOR REQUIREMENTS ENGINEERING

1435

erally is not combined with a structuring mechanism. Production rules systems provide only rough abstraction mechanisms such as the extraction of rules having conditions in common. Conversion towards otherlanguages:We have already noticed that all people involved in RE are not able to understand formal representations of knowledge. Therefore, parts of the formal representation must be converted into a form more suited for communication. On the user's side, these target notations include graphical notations, tabularnotations, prototypes, existing RE languages (SA, JSD,SREM, PSUPSA, NIAM, etc.), natural language. Natural language is the most obvious medium for communication, butits weakness becomes obvious when large amounts of precise information are involved: ambiguity, verbosity, lack of structure. Graphics are traditionally used in RE and are considered very expressive. The most classical forms are data structure diagrams, data flow diagrams, and event precedence diagrams. Tabular data may consist of cross references, examples of relations, etc. Prototypes are particularly interestingmeans of support for communication.In current practiceof RE, theyarequickanddirty programs simulating some aspects of the software system under definition:screen layout, man-machine dialogue, subset of the functions, etc. They are intended to help and capture the precise user requirements. They can be used for additional purposeswhen RE is understood as suggested in Section I, and includes the study of the ap plication domain and the definition of the future system's environment. These two aspects can be "animated," i.e., simulated by computer, so that theuser cancheck whether the behavior he observesis as expected. On the designer's side, typical target formulations includeinterfacespecifications,andperformancespecifications. The problem is simpler, because the developer needs only part of the knowledge, consisting of computer artifacts for which he has specific languages. On bothsides, the conversion operationhas t o face two problems: distortion andloss of information. Distortion is a modification of the knowledge during the conversion. Its absence canbe checkedas long as the targetlanguage has a welldefined semantics. Obviously,this is not the case for natural language which must be used with care. Loss of information happens when the conversionis towards a language with limited expressive power, such as diagrams. The only way t o overcome this is to convert the same information in several ways, so as to provide complementary views on it. In particular, there is a loss of information when prototyping is used: what will be perceived by the users of a prototype is a set of executions, not all possible executions.It is not because you have not seen it crash that it will never do so. Conversion towards designers' languages canbe lossless when the designers usea language with sufficient expressive power. Because of theirnaturalness, semantic networks can easily be translatedinto natural language. Their graphical nature i s also a help in communicating. There exist tools to manipulate frame-based models andproduction rulessys-

tems through dialogue into informal language. Frames can also be translated into a graphical representation or serve as a basis for prototyping. This i s also, t o some extent, the case for logic formalisms (e.g., Prolog). Logic can be used as the common formal basis for most of the existing representation schemes, thus allowing conversion towards them.

C. The Best Choice

In the discussion, no KR technique emerges as an ideal RE language. The basic idea of objects and associations is found inmost of them, but a further distinction is not. Semantic networks are natural and expressive, have structuring and abstraction mechanisms, and are easily translated into natural language. However, they are weak at expressing complex constraints, and their "concept" needs further refinement. Theirsemantics, when provided, is not commonly agreed on. The logical approach is good at expressing constraints and making deductions. Its well-defined semantics should ease its conversion toward other notations. On the otherhand, it is a "naked" framework, which is best regarded as complementary to other a p proaches. Frames and production systems, although good at some aspects, pay a penalty due to their emphasis on efficient use bycomputers, in particulartheir semanticsdefined by an inference engine. The best choice is hence a combination of semantic networks and logic. A first way of doingthis, suggested for instance in [42], is to incorporate a description of logical assertions as objects within thesemantic network. However, this leads quickly to complex networks which are losing part of their expressiveness. We preferto consider semantic networks as declarations for a logic in which constraints are then stated as formulas. However, this combination is stilllackingsomefeatures,suchasaclassificationofobjects and associations, or a flexible handling of time. The next section presents an attempt at including these features.
111.

THE E R A E MODEL

The E R A E model (Entity, Relation, Attribute, Event) is based on a combination of semantic networks and logic, but is also largely inspired by the entity-relationship model [12],[MI, used in database conceptual modeling. From semantic networks, it has kept the emphasis on instances rather than on classes as well as the structuring and abstraction mechanisms. From the entity-relationship model, it has kept more specific building blocks than the "concepts" and "links" of semantic networks. This is reflected in the terminology of the ERAE model: entity, value, event, relation, and attribute are terms widelyused in the various entity-relationship approaches. The presentation of the E R A E model will follow the presentation of Section 11-B,and use the same examples. A. Expression o f Knowledge The distinction between the identification of concepts and the statement of constraints i s clearly emphasized in the ERAE model. The former correspondsto graphical declarations, while the latterare logical formulas. We will describe them in sequence, before turning to the structuring mechanisms.

1436

PROCEEDINGS OF THE IEEE, VOL. 74, NO. 10, OCTOBER 1986

Identification o f Concepts: As required inSection I I , objects and associations form the basis for classifying concepts. Objects are further subdivided into entities, events, and values, whereasassociations are relations or attributes. Here are the intended meaning of thoseconcepts, which will be formally defined later. An entity is a concept perceived individually, being of interest by itself, and having a certain duration. An event is a concept perceived individually, beingof interest by itself and instantaneous. A value is a concept perceived individually, which is only of interest when associated with an entity or an event. A relationis a temporary or permanent association between entities and/or events, possibly also involving some values. An attribute is a temporary or permanent association between an entity or event, and a value. Entities are distinguished from events by their duration, and from values by their intrinsic interest. Relations and attributes are distinguished from objects by the fact that they are perceived only if the objects they characterize are perceived. An attribute links an object of interest to a value. Declarations areprovided graphically, in a style inspired by semantic network diagrams. Entities appear as squared boxes, events as rounded boxes, value sets by theirname, relations by arrows, and attributes by simple lines. For instance, Fig. 2 declares that there are two entities called boardand library,which may be linked bythe relation

rows and lines connected to an inner box denote associations applicable to all members of the group. This is the case for instance for is-located-at linking an elevator to a floor. In fact, is-located-at may have several occurrences at a time and denotes a set of relations. Similarly, direction denotes a set of attributes. We will still call these sets relation and attribute and use the context to remove the ambiguity. We were tempted t o use reletionship instead of relation to emphasize the difference, but there i s no counterpart for attribute. A predefined relation, named isin, applies between a group and its members. Fig. 4declares that topfloor may be a member of the groupfloors. This relation is similar to theis-a link in semantic networks (at least when used for classification).

1-1

floors top-floor 1s-In

Fig. 4. The predefined isin relation.

number-ofmembers lnteper

Fig. 2. Declaration of individual objects.

manages. The event establishment may be linked t o library by a relation called of. The library has an attribute called number-of-members. This example declares only individual objects and associations. It is also possible to declare groups in ERAE. Consider the example of Fig. 3. It declares the groups of floors and elevators, which are entities, and the group of elevator-requests, which are events. The three groups are

floors IS-located-at from

elevator requests

elevators

number Integer
(UP.

dlrectlon

dm1

Fig. 3. Declaration of groups. themselves entities. A group ofentities is thus denoted by a squared box containing an inner squared box. A group of events is a box with an inner rounded box. Arrows and Iinesconnected totheouter boxareassociationsapplicable to the group as an object. This is the case for number which is the number of members in the groupfloors.Ar-

As requested in Section I I , objects and associations are timedependent. Therefore, an association like manages betweentheentitiesboardandlibraryisonlydeclared as being possible. It need not be true at all times. This is the case for all associations involving only entities (and values). As events areinstantaneous, it makes no sense to have their associations change with time. For instance, the relation from between a given elevator-request and a floor does not change with time. Objects havealsoatemporal dimension.This is reflected by an implicit attribute of every entity and event. For entities, it is an attribute exists taking i t s value in theBooleans (true orfalse). This attribute associates an entity with true at acertain moment if that entityexists at that moment. For events, there is an attributetimeassociating an event with its time of occurrence. As always for events, this association does not vary with time. Note that the relation isin, expressing membership,is treated as any other. It is therefore timedependent for groups of entities, but not for groups of events. The example aboveexpresses only that top-floormay be in the group floors at some time. Of course, wn can add the constraint that this membership is permanent, but this is not a declaration any more. As requested in Section II, nothing prevents an object from being in several groups at a time. Statement o f Constraints: The declarationsabove define constants and predicates in atyped first-order logic. Typing is now meant in the mathematical sense: there are predefined disjoint domains, or types, which are Event, Entity, and some value sets (Time, Integer, String, etc.). All variables, constants, functions, and predicates take their value (and argument)in a type.Types should be carefully distinguished from groups. The declaration diagrams definethe following symbol: Each entity box-individual or group-defines a constant of type Entity. Each attribute or relation not involving events defines

DUBOIS et a/.: LANGUAGE FOR REQUIREMENTS ENGINEERING

1437

a predicate taking as arguments the various objects involved, and an additional time value. Each attribute or relation involving events defines a predicate takingas arguments the various objects involved. Those declarations, expressed by diagrams, come inaddition to implicit declarations associated with the predefined domains. The equality predicate. Thepredicate"exists"takinganentityandatimeva1ue as arguments. The predicate "time" takingan event and atime as arguments. The predicate "isin" taking, either two entities and a time value, or an event and an entity as argument. Constants, functions,andpredicates in the various e , etc. value sets, such as 0,1,

v x,y,t: is-located-at(x,y,t) * isin(x,elevators,t)

A

isin( y,floors,t).

A relation or attribute may only be true when its entity arguments exist.

v x,i,t: number(x,i,t) * exists(x,t).

The complete list of these predefined statements, as well as the precise rules to derive declarations from diagrams, provide the ERAE model with formal semantics. They can be found in [18]. We will now show that explicit constraints can be stated with the flexibility required inSection II. The following statement expresses that the group of elevators does not change with time, and consequently, that all elevators are permanent:
3 t: isin(x,elevators,t)

+,

* v t: isin(x,elevators,t).

Let us illustrate this by an example (Fig. 5). This diagram declares three constants of type Entity: elevators, floors,and

Another example is the statement that all books in the library have different titles: Assume "title" is declared as attribute of all books and takes its values in String. Let us type the variable s o n String (s:String). vx,y,t,s: isin(x,books,t) A isin(y,books,t) A title(x,s,t) A title(y,s,t)

fioors
Is-located-at

number
Integer

= )

x = y.

Fig. 5.

topfloor. It declares two predicates: "is-located-at" and "number" (isin is predefined). Here are some well-formed formulas: Assume from now on that the variables x,y are typed on Entity, i is typed o n Integer, andtis typed on Time (which we write x,yEntity; ilnteger; CTime). isin(x,elevators,t) This predicate is true if the entityx is a member of the group elevators at time t. is-located-at(x,y,t) This predicate can only be true ifx is an elevator, y is a floor, and that elevator is located at that floor at time t. number(floors,i,t) This predicate is true if i i s the number of membersin the group of floors at time t. Constraints are expressed as formulas using these symb o k and the usual first-order logicconnectives.In the same way that thereare implicit and explicit declarations, there are also implicit and explicit statements. The former express properties known beforehand, and assumed when writing the diagrams. Examples are: All entities and events in the diagram are different. elevators # topfloor elevators # floors floors # topfloor. A relation can only be true if the objects involvedbelong to the right groups. Vhis condition is necessary but not sufficient.)

Several shorthand notationscan be used to simplifycommon formulas. The first one is t o assume that free variables in formulas may be omitted. Any external universal quantification may thus be skipped. The secondone is to use as functions thepredicates that are known to be functional. For instance, if westate separately that each book has just one title, we may replace title(x,s,t) by title(x,t) = s.

By combining those two abbreviations, the preceding formula becomes isin(x,books,t) A isin(y,books,t) A title(x,t) = title(y,t) x = y.

=)

There is a further abbreviation that is frequently useful for static constraints: avariableof typeTime may beomitted if it is universally quantified over a whole formula, and a p pears only as the last argument of relations and attributes. The formula above now becomes: isin(x,books) A isin(y,books) A title(x) = title(y)

x = y.

A very frequent form of static constraint deals with the cardinality of relations or attributes. These statements can be expressed as formulas, but here again, we provide an abbreviation which is, this time, graphical. The statement "a book can be lent to at most one member, and a member can borrow at most two books at a time" appears in the diagram of Fig. 6. In general, the notation "i-j" close to the end of a line means that each object at that end participates at all times in a number ofassociations comprised betweeni and j (included). The sign "N" denotes infinity, and "i-i" may be

1438

PROCEEDINGS OF THE IEEE,

VOL. 74, NO. 10, OCTOBER 1986

Io., eL4+j
Fig. 6. Abbreviation for connectivity constraints. Fig. 9.

elevators
D.i

f loon

elevator

reqwts

Is-located-at

from

is equivreplaced by justi. Absence of such a constraint alent to 0-N and 1 guarantees that an association is functional. As an example, the fact that a book has always one and only one title is expressed as shown in Fig. 7 .The

isin(ev,elevator-request) = 3 t,x: t > time(ev) A isin(x,elevators,t) A is-located-at(x,from(ev),t). Structuring Mechanisms: Classification ofentitiesor events is achieved by means of the concept of group. As noted earlier, implicit statements express among others that relations and attributes can only be true if their arguments belong to the right groups. In other words, the ability to participate in those relations and attributesis inherited by all elements of the group. For instance, Fig. 10 states that each floor may have the attributes u p b u t t o n and down-button,with values in (illuminated,off).This inheritancecan be

Jbooksl
Fig. 7. Abbreviations for a unicity constraint.

corresponding abbreviated formula is isin(x,books)

3! s: title(x) = s.
flmrs

Let us now turn to the dynamic constraints, which make reference to the states at several moments. Hereis a simple example. A book brought back to the library must have been lent some time before. Assume the two groups of events book-returns and book-lendings, with a functional relation of towards books. ev,,ev,: Event isin(ev,,book-returns) * 3 ev,: isin(ev,,book-lendings) A of(ev,)=of(ev,) A time(ev,) < time(evl).

Fig. 10. Possible attributes of group members.

refined by means of connectivity constraints on the attributes and relations. Fig. 11states that up-button and downbutton are mandatory attributes of all floors.

IIllumlnated, off1

In Section II, we require some flexibility in expressing constraints; namely, the availability of both a procedural Fig. 11. Mandatory attributes of group members. and a declarative style. In the procedural style, the constraints give sufficient or necessary conditions for a transition t o happen. A new state This is, however, undesirable,as thegound and top floors is determined from the one just preceding it, and possibly do not have the two attributes. But we can also state that from the events taking place during the state transition. An all floors, except the ground and top one, havethe two butexample is if an upwards elevator requestis expressed on tons: a floor, the up button on that floor should be illuminated i,j: (illuminated,off) (Fig. 8 ) . isin(x,floors) A x # top-floor A x # ground-floor * 3! i,j: up-button(x)=i A down-button(x)=j. Asthe membershipin groups is time-dependent, theabilityof an object toestablish associations mayvarywith time. The elements of a group can be characterized by other properties than the ability to participate in relations and attributes. An example is the grouping of heterogeneous events that are part of an action. We can define an action of adding a new book to the library as a group consisting of oneevent in the group filling-identification-card, one in sticking-label-on-book, etc. The common point of all those events is that they are related to the same book. Another structuringmechanism is also available through the concept of group inclusion. There is a predefined predicate called isincluded which provides generalization, just like isin provided classification. Of course, isincluded applies only between groups, and i s time-dependent. Fig. 12 states that isincluded may apply between the group

Fig. 8.

ev:Event isin(ev,elevator-request) A direction(ev)=up * up-button(from(ev),time(ev))=illuminated. Note that the time of an event is the time just after it has happened. In a declarative style, there i s no limitation on the states and events that can be referencedin the constraint. An example is each elevator request expressed at a floor will result sometime later in a stop of an elevator atthis floor (Fig. 9).

DUBOIS et a/.:

LANGUAGE FOR REQUIREMENTS ENGINEERING

1439

members of the board

addrea Integer String Strlng

10 min isin(of(ci),available-books,t) Overall axiom: a book is known to be available within one hour of its return. isin(br,book-return) = 3 t: t < time(br) 60 min A isin(of(ci),available-books,t).
isin(ci,check-in)
3t:
A

t < time(ci)

Fig. 12. The group inclusion structuring mechanism.

members-of-the-board and the group members. To state that this inclusion is permanent, we would say:

isincluded(members,members-of-the-board).
The isincluded relation implies also the inheritance of properties. In thisexample,the board members haveaname and an address, because they are members and all members have those attributes, but they have an additional attribute "age." So, inheritance of general properties can be combined with addition of specific ones. This i s also true for classification, as a specific element ofgroup a may have more properties than are common to all members. B. Use of Knowledge This section gives only a broad overview of the use of the ERAE model, as the subject of thispaper is more a description of thelanguage, than guidelines for using it properly in RE. Formality and Deductive Power: The ERAE model is obviously a formal language, and itssemantics is precisely defined in[18]. Its deductive power is that of first-order logic.

The interesting point is that theoverall axiom i s a logical implication of the two other ones. Thismight seem a simple example, but it applies to more complex, or less obvious statements. Examples are given in [Iq. Abstraction: An abstracted version of a model is nothing but a subpart of this model. In thefollowing, we will give a brief example of abstraction combined with generalization. This is a particularly useful combination, which allows a top-down presentation of a large piece of knowledge. At the highest level of abstraction (Fig. 14), books only have a title and author($. This view is shared by all persons involved. At a lower level (Fig. 15), for the librarian,

Strlng

Strlng

Fig. 14. High-level view of books.

AsexplainedinSectionI1,deductionsareusedtocheckthe

consistency of requirements, as well as properties that give indications of completeness. We will illustrate this by an tftle k + h o r example. Strlng Strlng Strlng An overall requirement in the library applicationis that a book must be considered available by the computer sysFig. 15. Detailed view of books. tem at most 1 h after its return. This can only be achieved through the cooperation of the librarian, who informs the computer about the return, and of thecomputer which prothe current borrower i s an additional piece of informacesses that information. This cooperation is specified by tion associated with the book. means of the following statements, referring to the decOf course, abstraction may alsoapply to formulas. In that larations of Fig. 13: case, it is lessobvious, but can be proved, that an abstracted view is consistent with a more detailed one. Conversion Mechanisms in the Language: The conversion of an ERAE description towards a different notation is usually preceded by an abstraction, where only some aspects are kept: those that are of interest, or simply those that can be represented in the target notation. We will here illustrate this by astate transition diagram, is often found useful for real-time systems, such as which Fig. 13. the elevator control. Let us focus our attention on some events happening on a floor, and their effect on a part of the state. The events are elevator-requests and floor-servbr,ci: Event; icings (the event of an elevator stopping at the floor); the Librarian axiom: a book must be checked in within state is limited to the illumination of the button on that 50 min of its return. On the basis of the ERAE description, and of rules of conisin(br,book-returns) version, we may derive the Petri-net-like graph of Fig. 16. * 3 ci: isin(ci, check-in) h of(br)=of(ci) A time(ci) < time(br) 50 min In this graph, the circles represent the possible states and the bars represent the transitions from state to state. There Computer axiom: a check-in must be taken into account within 10 min. isatoken indicatingthecurrentstateandmovingfromstate

lname

1440

PROCEEDINGS OF THE IEEE,

VOL. 74, NO. 10, OCTOBER 1986

ELE~ATOR REQUEST

REDUEST

Fig. 16. State transition graph for the illumination of one floor's button. to state when transitions happen. Initially, it i s in the state "off."The diagram expresses that, from the state "off," the token can go to the state "on" by passing along the transition "elevator-request." From this new state, the token can pass along another elevator-request leading it back to the same state "on." The transition "floor-servicing" returns to the state "off," where a further floor-servicinghas no effect on the state. IV. COMPARISON WITH
OTHER

APPROACHES

This section gives an overview of existing RE languages, in the light of the requirements in Section II. These languages originate from three main fields: database, specification languages, and artificial intelligence. We will discuss the general ideas from the two first fields only, as the last one has already been reviewed in Section II. We will then investigate, in more detail, two RE languages that were inspired by thesame ideas as the ERAE model. One owes its ideas t o knowledge representation techniques, and the other todatabase conceptual modeling.
A. Database Conceptual Modeling

The idea of modeling the universe discourse, of i.e., the portion of thereal world referred to by the database contents, has been consecrated bythe I S 0 report [30] in 1982. This report calls a "conceptual schema" the explicit description of this universe. The Declarations: The concepts of object association and have been widely recognized in conceptual models. (See [33] and (321 for a survey.) There is additionally a general tendency to distinguish objects and association of various kinds. For instance, objects of interest are called entities in the Entity-Relationship model [12], [38], and non-lexical object types in theBinary model [I], [43] or in NIAM [47l. Objects not interesting by themselves areoften called values, whereas associations are grouped in relations or attributes, depending whether they link several objects of interest, or an object of interest to a value. The emphasis is clearly on groups of objects, rather than individuals. These groups bear various names, for instance, entity class in [12], [28], or object type in [8]. The fact that groups need not be disjoint is explicitly recognized in[12], [28], [38]. Individuals necessarily belong to an entity group, and only the latteris described in theconceptual schema. Individuals appear when one comes to describe the socalled "information base," i.e., facts then happen and are recorded as they become known. This i s however clearly distinguished from theconceptual model,which states facts that are known beforehand. Groupsareneverconsiderednormalobjects. Sometimes, however, they may be grouped themselves in higher level groups. This is the case in ACM/PCM [8] and in SDM [281.

The concept of event is far less common than those of entities and values. Examplesof languages proposing them are DSL [5] or REMORA [39]. Those events however must have an effect. TheStatements:Early conceptual schemata only consisted of declarations and lacked any statement of constraint. This was soon recognized as too weak, and static constraints were permitted, but often in a restricted form: cardinalityof groups, connectivityof associations, etc.This is the case in the Entity-Relationship model [12], in ACMl PCM [8], or in NIAM [47l. Dynamic statements were considered later, and first introduced,inalimitedform,viatheconceptofevent.InDSL [5] and INCOD-DTE [2], the effect of an event can only be described in terms of the states just preceding and just following it. Reference to past and futurestates is impossible, as there is no explicit concept time. of In REMORA[39], time appears explicitly, allowing reference to any state of the system. Thereis still a limitation in that an event musthave an immediate effect. In order to express the delayed effect of an event,there must be a trace left by this event in the state at its time of occurrence. The more declarative style advocatedinSectionIIisfoundin[13]and[lO].Thelatterwork will be presented hereafter with more details. Structuring Mechanisms: Classification is limited in these languages,because individualscannotbedeclared beforehand. Generalization is often provided in the form of an inclusion relation between groups: subclasses in SDM [28], subsets in INCOD-DTE [2], categories in [19]. In SDM [28], a characteristic predicatemust beassociated with the subgroup definition. Some authors provide a more restrictive form of inclusion, i.e., the definition of a partition. A group G is said to be partitioned into G,, ,G , if each member of G is also a member of one and only one of the groups Gi. Examplesaregeneralization in [2],orgenerictype in [44] and in ACMIPCM [8]. In summary, conceptual schema languages suffer from two major weaknesses for their use in RE:

...

declarations are limited togroups, at the exclusion of individuals; constraints, static or dynamic, can only be stated in limited ways.

B. Specification Languages
Specification languages aim at describing the effect of programs in more abstract terms than programming languages. A number of RE languageshave included basic concepts from this field, such as types, functions, control flow, data flow, state, finite-state machine, state transition, processes, communications between processes, etc. We already noted that those languages aimed at describing computer artifacts, rather than at expressing general knowledge. This obviously leads t o some inadequacies that will now be described in detail. Dataflow Models: Dataflow models emphasize the data processing activities. The main models of this category are SADT [41] and SA [14]. The basic objects of interest in the world are considered to be activities linked by relations corresponding to the data flowing between them. In a dual perception [41], the stress may beput on activities being nary associations between the input and output data. This

DUBOIS et a/.: LANGUAGE FOR REQUIREMENTS ENGINEERING

1441

narrow view limits of course the general applicability of these approaches. There is no global perception of timeas the actions run asynchronously, controlled only by the need of input for producing an output. This leads to a very operational description of the dynamics of the system. A major drawback of these approaches is their lack of semantics. Communicating Processes: These models favor the concept of process linked by communication channels, as a way to organize the universe under description [MI, [31]. There is n o global state, but each process defines its own local state and state transition function. Process states are formed by means of entities, values, and associations between them. Problems are on the side of dynamicconstraints, as state transitions remain the only way t o state how the system evolves. The description is therefore quite operational. State Machine Models: This is a broad class of models which describe a usually well-structured state evolving through state transitions [37. An important subset of these models is the family of Petri nets. The state of all these models is, however, based o n values, rather than objects which would exhibitsome duration. Additionally, the dynamics can only be expressed operationally. Abstract Data Types: These approaches focuson the definition of value types, and their associated functions [22], [27. These typical computerartifacts can hardly be used to represent general knowledge. Particularly restrictive is the lack of the conceptof object, which is more than the sum of its known characteristics. In summary, specification languages provide too specific concepts, well suitedto the description algorithms, of but inappropriate when expressing general knowledge: activities linked by data streams, processes communicating by messages, etc.In particular, dynamic propertiesare always expressed in a very operational way.

C. Two RE Languages
WewillnowcomparetheERAEmodelwithtwoimportant proposals, which are also based o n database conceptual modeling or knowledge representation techniques: C I M (Conceptual Information Model) [IO],[26] and RML (Requirements Modeling Language) [23], [25]. 7) CIM: The constituents of the Conceptual Information Model (CIM) are very close to those presentedin the ERAE model. Bothmay be presentedas a first-order logic version of an extended Entity-Relationship model [12]. In CIM, the basic concepts are entities, events, data types, attributes,and relationshipfunctions.Theycorrespond, respectively, to entities, events, values, attributes, and relations in the E R A E model. In spite of an obvious similarity, there is a notable difference: individual objects cannot be defined; only groups can, and are called entity type and event type. They might have an intersection, but are not considered themselves as objects and cannot belong to higher level groups. Objects and associations are time dependent as required in Section l l . An odd restrictioni s inherited from database concerns: any object must have an attribute value which identifies it uniquely. Constraintsareexpressed by means of predicatecalculus formulas. Greatflexibility is achieved through the concept

of event andthe possibilityt o refer to time values explicitly [Ill. The concept of type supports structuring by classification but is restricted to only onelevel: types with other types as members are not allowed. Subtypes may be defined by the use of the mechanism of generalization specification, which is analogous to the relation isincluded in ERAE. However, it is restricted to groups of entities, and does not extend to events. CIM is undoubtedly formal. Its deductive power has not been investigated yet, but research is currently devoted to it in the AXlM projectat the SYSLAB laboratory [MI. The issues of conversion to other languages, or combination of views through abstraction mechanisms are not addressed in CIM. In particular, there is no emphasis o n graphical representation. To summarize, the main difference between E R A E and CIM is in the availability of individual objects in the former. The absence of a graphical part can be considered important for practical use, but is not, of course, semantically relevant. The other differences are minor technical points. 2) RML: The Requirements Modeling Language (RML)is based o n semantic networks. An important difference between it and E R A E is that RMLestablishes aconnection with logic by considering constraints as objects, called p r o p erties. E R A E makes instead a cleardistinction between the declarations, which take the appearance of a semantic network, and the statements, which are predicate calculus formulas. In other words, RMLuses logic within the net, whereas E R A E uses the net within logic. Apart from properties, the RML objects subdivide into is neither based on entities and activities. The subdivision interest, becausevaluesarenotdistinguishedfrom entities, nor o n duration, because entities and activities may both last for some time. It is based instead on theperceived difference between a thing and an action. An event can be simulated in RML as an activity of instantaneous duration. Groups are called classes, and are considered objects as far as they may be grouped themselves into metaclasses. Individual objects cannot be defined outside o classes. Relations between entities, activities, and properties are binary and must belong to one of several predefined categories, such as, for an activity, control, output, postcondition, etc. These categories have implicit statements associated with them. Relations falling outside of is not recognized those categories can be defined but this as normal practice [25]. Classification and generalization are analogous to the structuring mechanisms of the E R A E model (respectively, isin and isincluded). Both support property inheritance. RML i s formally defined, but the deductive power of the language and the use of abstraction for combining several views are issues which are not explicitly addressed in RML. Conversion receives however some attention, as rules are given to convert an SADTdiagram into an RMLdescription [24]. Activity and entity are used with thesame meaning as activity and data in SADT while assertions capture arrow connections as general constraints. To summarize, despite a close starting point, E R A E and R M L have taken decisions that lead t o rather different languages. In particular, E R A E distinguishes clearly declara-

1442

PROCEEDINGS OF THE IEEE, VOL. 74, NO. 10, OCTOBER

1986

REFERENCES tions from statements, and uses orthogonal basic concepts. The latter leads to prefer eventsto activities. Availability of J. R. Abrial, Data semantics, in Data Base Management, J. individual objects, and a more general concept are of group Klimbic andK. Koffemann, Eds. New York, NY: Elsevier, 1974. theotherdifferences.AswithCIM,theabsenceofgraphical P.Atzeni,C.Batini,V. DeAntonelIis,M. Lenzerini,F.Vilanelli, and B. Zonta, A computer aided tool for conceptual data part in RML should be noted. base design, in Automated Tools for lnformation Systems Design, H. J. Schneider and A. I. Wasserman, Eds. AmsterV. CONCLUSION dam, The Netherlands: North-Holland, 1982, pp. 85-105. R. Balzer and N. Goldman, Principlesof good software specAshiftof emphasis is currentlyobserved in requirements ification and their implications for specification languages, engineering: the target system is not any more thesole obin Specifications of Reliable Software. IEEE Computer SOC., ject of interest. Both the application domain and the sys1979, pp. 58-67. A. Barr and E. Feigenbaum, The Handbook ofArtificial lnteltems environment deserve comparable attention. This religence, vol. 1. Los Altos, CA: W. Kaufman, 1981, ch. 3, pp. quires a new generation of RE languages, that owes more 141-222. to knowledge representation than to the specification of F. Bodart andY. Pigneur, A model and a language for funcprograms. A look at artificial intelligenceis in order before tional specifications and evaluation of information system trying to define such a language. dynamics, in Formal Models and Practical Tools for lnformationsystem Design. Amsterdam,The Netherlands: NorthIn investigating the specific needs of requirements enHolland, 1979. gineering, it turns out that acquisition of knowledge is esB. W. Boehm, Software Engineering Economics. Englewood sential, whereas its automatic use by a computer is less imCliffs, NJ: Prentice-Hall, 1981. portant than in artificial intelligence. This has led us to A.Borgida, S. Greenspan, and J. Mylopoulos, Knowledge representation as the basis for requirement specifications, choose as a basis the techniques that seem the most ap/E Computer, vol. 18, pp. 82-91, 1985. propriate to the easy expression of general knowledge: seM. L. Brodie and E. Silva,Activeandpassivecomponent mantic networks and logical languages. In combining these modeling: ACM/PCM, in Information System Design Methwith still other ideas from database conceptual modeling, odologies: A Comparative Review, T. W. Olle, H. G. Sol, and and some of our own, we have obtained the E R A E model. The Netherlands: A. A. Verrijn-Stuart, Eds. Amsterdam, North-Holland, 1982, pp. 41-91. Yet, thework reported here is only part of a larger project, M. L. Brodie, J. Mylopoulos, and J. Schmidt, On Conceptual which aims at covering the whole of software development 1984, pt. 2, pp. Modeling.NewYork,NY:Springer-Verlag, with integrated formal methods. This implies that much at85-273. tention is devoted to interfacing the ERAE model withspecJ. A. Bubenko, lnformation modeling in the contextof systemdevelopment, in lnformation Processing80.Amsterification languages thatare used during design and impledam, The Netherlands: North-Holland, 1980, pp. 395-411. mentation. This problem is considered one of conversion -, On concepts and strategies for requirements and infrom ERAE t o another formal language with different primformation analysis, in lnformation Modeling, J. A. Bubenko, itive concepts. Not being the main topic of this paper, the Ed. Chartwell-Bratt Ltd., 1983, pp. 125-169. question was only superficially sketched. P. P. Chen, The entity-relationships model: Towards a unified view of data, ACM TODS, vol. 1 , no. 1, pp. 9-36, 1976. Even on the topic of requirements engineering, some asJ. M. V. De Castilho, M. A. Casanova, and A. L. Furtado, A pects of the projecthave not been reported.An important temporal frameworkfor database specifications, in Proc. 8th aspect is that we aim at defining a methodology, not just lnt. Conf. on VeryLargeDataBases(MexicoCity,Mexico, a language. This means that the process of acquiring and Sept. 1982), pp. 280-291. validating requirements deserves as much attentionas the T. De Marco, Structured Analysis andSystem Specification (A 1979. Yourdon Book). Englewood Cliffs, NJ: Prentice-Hall, ERAE model itself. E. Dubois, J. Hagelstein, E. Lahou, A. Rifaut, and F. Williams, We did not insist on the practical aspects of this work. A process model for requirements engineering, in ESPRlT An attempt to define yet another requirements language, 85: Status Report o f Continuing Work. Amsterdam, The as justified as it may be, would be useless if it were not Netherlands: North-Holland, 1986, pp. 593-607. -, A data model for requirements engineering, in Proc. guided byexperimentsand did not providetoolstosupport 2nd Int. Conf. on Data Engineering, pp. 646-653, Feb. 1986. the use of the language. Case studies have been and are still E. Dubois, J. Hagelstein, E. Lahou, F. Ponsaert, A. Rifaut, and performed, on real applications with naive systems users. F. Williams, The ERAE Model: A Case Study, in Information A support environmentis under design and currently comSystems Design Methodologies: lmproving the Practice, T. W. bines an editor for graphics and formulas with database a Olle,H.G.Sol,andA.A.Verrijn-Stuart,Eds. Amsterdam,The Netherlands: North-Holland, 1986, pp. 87-105. of requirements. Plans include tools for handling views on E. Dubois, J. Hagelstein, E. Lahou, F. Ponsaert, and A. Rifaut, the requirements, for converting ERAE into various notaThe axiomatisation of the E R A E model, Phillips Res. mantions, for performing deductions, etc. uscript, 1986. There are plans to improve the ERAE model as well. For R. Elmasri, J. Weeldreyer, and A. Hevner, The category concept: An extension to the entity-relationship model, Data instance, the handling of undefined, or badly defined inKnow/. Eng., vol. 1, no. 1 , pp. 75-116,1985. formation will be included. Another important feature is M. S. Feather, Language support for the specification and the definition of additional concepts, such as activity, mesdevelopment of composite systems, UCS/Information Sci. sage, process, etc. They will not, however, form an extenInst., Marina del Rey, CA, Apr. 1985. sion of theE R A E model, but willbe definedi n terms of the R. L. Glass, Modern Programming Practices ( A Report From Industry).EnglewoodCliffs, NJ: Prentice-Hall, 1982. available primitives. S. L. Gerhart and S. Lee, AFFIRM users guide, USC/lnformation Sci. Inst., Marina Del Rey, CA, Feb. 1981. ACKNOWLEDGMENT S. J. Greenspan and J. Mylopoulos, Capturing more world knowledge in the requirements specification, in Proc. 6th We would like to thank Fiona Williams for her contrilnt. Conf. on Software Engineering (Tokyo, Japan, 1982), pp. butions to the ERAE model, and the reviewers fortheir help 225-234. ful suggestions. S. J. Greenspan, Requirements modeling: A knowledge rep-

DUBOIS et a/.: LANGUAGE FOR REQUIREMENTS ENGINEERING

1443

1291 1301

1311 1321

resentation approachto software requirements definition, Univ. of Toronto, Toronto, Ont., Canada, Tech. Rep. CSRG155, Mar. 1984. S. J. Greenspan, A. Borigida, and J. Mylopoulos, A requirements modeling language and its logic, Inform. Syst., vol. 11, no. 1, pp. 9-23,1986. M. R. Gustafsson, T. Karlsson, and J.A. Bubenko, A declarative approachto conceptual information modeling, in Information System Design Methodologies: A Comparative Review, T. W. Olle, H. G.Sol, and A. A. Verrijn-Stuart, Eds. Amsterdam, The Netherlands: North-Holland, 1982, pp. 93-142. J. Guttag and J. Horning, An introduction to the LARCH shared language, IFIP, 1983. M. HammerandD.McLeod,Databasedescription with SDM: A semantic database model, Trans. DatabaseSyst., vol. 6, pp. 351-386,1981. SpecialIssue on KnowledgeRepresentation, IComputer, vol. 16, no. IO, pp. 12-123, Oct. 1983. ISOiTC97/SC5/WG3,Conceptsand terminologyfor the conceptual schema and the information base, J. J. van Griethuisen,Ed.Geneva,Switzerland: InternationalOrganization for Standardization, Mar. 1982. M. A. Jackson, System Development. Englewood Cliffs, NJ: Prentice-Hall, 1983. D. A. Jardine andA. R. Reuber, lnformation semantics and the conceptual schema, Inform. Syst., vol. 9, no. 2, pp. 147-

(371 P. G. Neumann et a/., On the design of a provably secure

operating system, in Proc. Int. Workshop on Protection in Operating Systems (IRIA, Rocquencourt, France, 1974), pp.
161-175.

A. Pirotte, The entity-property-association model: An information oriented database model, in Proc. ICs-77, Morlet and Ribbens, Eds. Amsterdam,The Netherlands: North-Holland,
1977.

C. Rolland and C. Richard, The Remora methodology for information systems design and management,in Information System Design Methodologies: A Comparative Review, T. W. Olle, H.G.Sol,andA.A.Verrijn-Stuart, Eds. Amsterdam,The Netherlands: North-Holland, 1982, pp. 369-426. G-C. Roman, A taxonomy of curent issues in requirements engineering, IComputer, vol. 18, no. 1, pp. 14-24,1985. D. T. Ross andK. G. Schoman, Structured analysis for requirements definition, / Trans. Software fng., vol. SE-3, no. 1, pp. I-65,1977. of semantic 1421 L. K. Schubert, Extending the expressive power networks, Artificial Intell., vol.7, pp. 163-198, 1976. 1431 M. E. Senko, Data description language in the context of a multilevel structured description: Diam2 with Foral, in Proc. IFlP-TC2 Special Working Conf. on Data Description, Nijssen, Ed. Amsterdam, The Netherlands: North-Holland, 1975, pp.
239-258.

156,1984. L. Kerschberg, A. Klug, and D. Tsichritzis, A taxonomy of data models, in Systems for Large Databases, P. C.Lockemann andE. J. Neuhold, Eds. Amsterdam,The Netherlands: North-Holland, 1976, pp. 43-64. in knowl[341 B. Lundberg, Specifying deductive capabilities edge representation, presented lFlP at WG8.3 Working Conf.

C. P. Smith, Database abstractions: Aggregation and generalization, Trans. Database Syst., vol. 2, no. 2, pp. 105-133,1977. W. Swartout, GIST English generator,in Proc. AAAI-82, pp. 404-409, Aug. 1982. D. Teichroew and E. A. Hershey, PSUPSA A computer aided technique for structured documentation and analysis of information processing systems, / Trans. Software Fng., vol. SE-3, no. 1, pp. 41-48, 1977. on Knowledge Representation for Decision Support Systems, G. M. A. Verheijen and J. Van Bekkum, NIAM: An inforDurham, England, 1984. mationanalysismethod, in lnformation SystemsDesign G. McCalla and N. Cercone, Guest Editors Introduction: Methodologies:A Comparative Review, T. W. Olle, H. G.Sol, Approaches to knowledge representation, I Computer, and A. A. Verrijn-Stuart, Eds. Amsterdam, The Netherlands: vol. 16, no. IO, pp. 12-18, 1983. North-Holland, 1982, pp. 537-589. J. Mylopoulos and H. Levesque, An overview of knowledge representation, in On Conceptual Modeling, M. L. Brodie, 1481 P. Zave, An operational approach to requirements specifi/E Trans. SoftwareFng.,VOI. cation for embedded systems, J.Mylopoulos, andJ.Schmidt, Eds. New York, NY: SpringerSE-8, no. 3, pp. 250-269,1982. Verlag, 1984, pp. 3-18.

[441 J-M. Smith and D.

1444

PROCEEDINGS OF THE IEEE, VOL. 74,

NO. 10, OCTOBER 1986