Using Map Requirements Modelling with the B-Method

A colleague recommended a paper by Babar, Tosic and Potter, entitled "Aligning the Map Requirements Modelling with the B-method for Formal Software Development."  There is certainly some overlap with my research, and it’s interesting for me to see Problem Frames being integrated in the approach presented as well.

To be honest, I was a little disapointed.  The most crucial part of the method is how to get from the requirements to the formal model.  This is described in Sec. 3, but in such an informal manner that I don’t see that much value.  It shows that the methods are compatible, but little beyond that.  I guess that’s what the authors mean by "aligning" the methods.

Independent Verification and Validation of Software pays of (big time!)

Just finished a paper Evaluating the effectiveness of independent verification andvalidation by Arthur  What the authors state is not that surprising: independent verification and validation (V&V) efforts result in significantly better results than V&V done by the same team.  This paper is interesting for a number of reasons:

  • The result stem from a controlled study of two identical projects, one realized with "normal" V&V (done by the team), the other using independent V&V
  • The independent V&V group detected significantly more critical faults (97 vs. 58).  Why? The authors conclude that a new class of faults was identified by the IV&V group: "The IV&V team from Group 1 identified an additional class of critical faults not found by Group 2. More specifically, a substantial number of the critical faults reported by Group 1 stem from the detection and recording of ambiguous or unclear statements in the requirement specifications and design documents. (…) Group 1 reported 40 such faults. (…) Group 2 reported only one such fault."
  • Even though both projects were completed and considered a success, things during acceptance testing looked different.  An independent acceptance test suite consisting of 36 tests was provided.  The non-independent V&V group’s software passed only 11 tests, while the independent V&V group’s software passed 33.

Analyzing Natural Language Requirements – automatically?

QuARS is a tool for analyzing Natural Language Requirements – although it would be an exaggeration to call it "automatic".  The tool performs a morphological and syntactical analysis on plain text requirements and attempts to measure vagueness, subjectivity, weakness, and a few more.

Natural Language Requirements (NLRs) won’t go away any time soon – that’s why this kind of research makes a lot of sense.  But it’s unbelievable tricky to work with NLRs in an automated way.  There are three main approaches to deal with the richness of natural languge:

Restrictive: constrain the form of the NLRs, e.g. using templates.  Very convenient for the Requiremens Engineer, but not that nice for the stakeholder.

Inductive: This is mainly theory about writing styles, without going into detail on how to do things better.

Analytic: In this approach, we accept the NLRs, but provide feedback for fixing them.  These have the hightest chance of adaption, because they are the least invasive.  This is also the route of QuARS: Analyze the requirements and provide some feedback on how to improve them.

The biggest catch (in my opinion) is that many analyses require well-maintained dictionaries to be effective.  I wanted to try the tool out, but they didn’t provide a download link (or information about a commercial version, for that matter).  I wrote them an email, if I get an answer, I’ll update here.

Fluents: Events or Ticks?

Imagine you have a system that can have a number of states, and "events" for state transitions.  Fluents are then the constructs that help to reason about state transitions.

Here is an example inspired by [Queins et. al. 2000] that got picked up by [Letier 2005]: Assume that you have the task of building a light controller.  By pushing a button, light is turned out and will switch off after some time.  pushing the button when the light is on will reset the timer.

In this example, we may have the state variables light ∈ {on, off} and timer ∈ {0..n}.  For now, the timer simply counts ticks.  To set these state variables, we may have the events "pushButton", "switchOn", "switchOff", and "tick".

A Fluent is a proposition defined by a pair of sets of events.  Events from the first set the fluent to true, the second to false, e.g.:

fluent LightOn = <switchOn, switchOff>

We can use the Fluent in  temporal logic (e.g. LTL):

â—» (pushButton X LightOn)

The box means "always", and X means "next". So the above means "When pushing the button, next the fluent LightOn must be true".

Quite a bit is fishy here.  For instance, what exactly does "next" mean?  This is where Letier’s contribution comes from: it could be the next event (which he calls asynchronous) or the next tick (which he calls synchronous).  Also check out how restrictive the statement is in the asqnchronous case: It is not allowed to insert any events after pushButton, which would make refinement through stuttering impossible.

Aspects in Requirements Engineering

After Aspect Oriented Programming (AOP) became popular, people started to think about Aspect Oriented Requirements Engineering (AORE).  Kaindl published a neat article trying to figure out what exactly was meant by that. Amongst other things, he points out that there is confusion about whether "Aspect" is meant as a synonym for crosscutting concern or a solution to it (in his opinion, the first doesn’t make much sense, and I agree; even the secion he doesn’t like to much, but the term is established, and we’re stuck with it now).

So Aspects solve cross-cutting concerns; in Software Development, typicall cross-cutting concerns are authorization, authentication, transaction management and more.  Aspects provide a means to modularize these concerns.

Kaindl points out that almost always there is the hidden assumption that crosscutting concerns in software are the same as crosscutting concerns in requirements – but there is no foundation for that assumption!  In fact, I would consider this a dangerous assumption.

So where does that leave us? Kaindl’s point is that we should avoid falling into the trap that cross-cutting concerns in requirements are not necessarily the same as in software.  But what are the cross-cutting concerns in requirements?  That’s a question that needs more research, but I am sure that it depends on the representation of the requirements, amongst other things.  In a plain text specification, every entity (noun) or every action (verb) could be considered a cross-cutting concern.  Consider a specification for a simple traffic light.  Many requirements may refer to the same,  traffic light in the specification.  In the specification, the traffic light is a crosscutting concern.  But not in the implementation – there, the traffic light may be one neatly capsuled object.  Other representations don’t have this problem.  KAOS, for instance, explicitly models objects.

Food for thought.

Requirements in Cocktail Recipes

Being able to follow recipes is certainly a good foundation for mixing a decent drink.  Even experienced bartenders follow recipes, although they manage without the measuring cups and they have the recipes in their head.  Why is that?  A recipe is like a blueprint.  But unlike the blueprint for an air traffic control system, almost everybody can read the blueprint for a Martini.  Interestingly, not everybody can read a cooking recipe!  Just ask any freshman to sauté chopped onions, I rest my case.  

But why are recipes for cocktails relatively easy, and those for software so incredibly difficult?  For one, they are of a different nature!  A recipe is more like a system specification or a process description.  It is designed to be used over and over again for producing a desired, repeatable result.  The software is usually built exactly once, and then distributed many times.  Although in practice, the software is modified, fixed and extended, and having an accurate specification can make a big difference.

Recipes are easy, because we can assume common knowledge between the cook and the writer of the recipe.  When James Bond orders a Martini, the bartender understands what’s meant by shaken, and we know what stirring is.  On the other hand, every chef knows how to sauté, but not every teenager who is away from home for the first time does.  We can strive to make our technical specifications better by stating explicitly what skill set we expect the reader to have, and many technical books have a section describing their target audience – a good practice.

Specifications are easy if a good requirements document exists.  Many projects fail because of faulty requirements, as Tom DeMarco beautifully described in his novel "The Deadline", where the leading characters inspects the requirements for a air traffic control system, just to realize that they say nothing in a sophisticated way.  Contrast that with a recipe, where the requirements are simple: "Make me a Martini", "I need to drive, something without alcohol, please".  "Martini" describes what I want, but not how it’s prepared (although 007 begs to differ).  I leave the implementation details to the barkeeper, who decides what glass to use, the proportions of liquor and so forth.  Likewise, if we collect the requirements for a software, we shouldn’t describe the how ("use XML", "must be Oracle"), but the what ("allow secure communication over the Internet", "must allow ODBC access").

But the main reason why the bartender’s job is so much easier is that he doesn’t have to design the product on the spot.  He gets the requirements and simply picks an existing recipe that fits the bill.

Vincenti distinguishes between radical design and normal design.  Building a car today is normal design – we have done it many times before, the driver sits up front (there once were cars with the driver in the back), and so forth.  But in software we often do radical design, and success at best means building something that will function well enough to warrant further development.

Sadly, in software we are typically faced with radical design, no matter how much the vendors promise a world where solutions are assembled like Lego pieces.  So be prepared to put the required effort in for describing, specifying and building your software – it will be worth it.