1072 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 24, NO. 12, DECEMBER 1998
Supporting Scenario-Based Requirements Engineering
Alistair G. Sutcliffe, Member, IEEE, Neil A.M. Maiden, Member, IEEE, Shailey Minocha, and Darrel Manuel
Abstract—Scenarios have been advocated as a means of improving requirements engineering yet few methods or tools exist to support scenario-based RE. The paper reports a method and software assistant tool for scenario-based RE that integrates with use case approaches to object-oriented development. The method and operation of the tool are illustrated with a financial system case study. Scenarios are used to represent paths of possible behavior through a use case, and these are investigated to elaborate requirements. The method commences by acquisition and modeling of a use case. The use case is then compared with a library of abstract models that represent different application classes. Each model is associated with a set of generic requirements for its class, hence, by identifying the class(es) to which the use case belongs, generic requirements can be reused. Scenario paths are automatically generated from use cases, then exception types are applied to normal event sequences to suggest possible abnormal events resulting from human error. Generic requirements are also attached to exceptions to suggest possible ways of dealing with human error and other types of system failure. Scenarios are validated by rule-based frames which detect problematic event patterns. The tool suggests appropriate generic requirements to deal with the problems encountered. The paper concludes with a review of related work and a discussion of the prospects for scenario-based RE methods and tools.
Index Terms—Requirements engineering, use cases, scenarios, scenario generation, exception types, reuse, patterns. ——————————F——————————
1INTRODUCTION EVERAL interpretations of scenarios have been proposed nario-based Requirements engineering that uses scenarios S ranging from examples of behavior drawn from use in the latter sense. cases [29], descriptions of system usage to help understand In industrial practice scenarios have been used as generic socio-technical systems [30], and experience based narra- situations that can prompt reuse of design patterns [8], [48]. tives for requirements elicitation and validation [39], [50]. Reuse of knowledge during requirements engineering could Scenarios have been advocated as an effective means of potentially bring considerable benefits to developer produc- communicating between users and stakeholders and an- tivity. Requirements reuse has been demonstrated in a do- choring requirements analysis in real world experience [15]. main specific context [31], however, we wish to extend this Unfortunately scenarios are extremely labor-intensive to across domains following our earlier work on analogies be- capture and document [20], [44]; furthermore, few concrete tween software engineering problems [51]. recommendations exist about how scenario-based require- The paper is organized in four sections. First, previous ments engineering (RE) should be practised, and even less research is reviewed, then in Section 3 a method and soft- tool support is available. ware assistant tool for scenario-based RE, CREWS-SAVRE Scenarios often describe information at the instance or (Scenarios for Acquisition and Validation of Requirements) example level. This raises the question of how instance is described and illustrated with financial dealing system level information can be generalized into the models and case study. Finally, we discuss related work and future specifications that are used in software engineering. Sce- prospects for scenario-based RE. narios may be used to validate requirements, as ‘test data’ collected from the observable practice, against which the 2BACKGROUND operation of a new system can be checked [40]. Alterna- tively, scenarios may be seen as pathways through a speci- Few methods advise on how to use scenarios in the process fication of system usage, and represented as animations of requirements analysis and validation. One of the excep- and simulations of the new system [14]. This enables vali- tions is the Inquiry Cycle of Potts [39] which uses scenario dation by inspection of the behavior of the future system. scripts to identify obstacles or problems in a goal-oriented This paper describes a method and tool support for sce- requirements analysis. Unfortunately, the Inquiry Cycle does not give detailed advice about how problems may be ²²²²²²²²²²²²²²²² discovered in scenarios; furthermore, it leaves open to hu- • A.G. Sutcliffe, N.A.M. Maiden, S. Minocha, and D. Manuel are with the man judgment how system requirements are determined. Centre for HCI Design, City University, Northampton Square, London This paper builds on the concepts of the Inquiry Cycle with EC1V 0HB. the aim of providing more detailed advice about how sce- E-mail: {a.g.sutcliffe, n.a.m.maiden, s.minocha, d.t.d.manuel}@city.ac.uk. narios can be used in requirements validation. In our previ- Manuscript received 5 Jan. 1998; revised 3 July 1998. Recommended for acceptance by R. Kurki-Suonio and M. Jarke. ous work we proposed a scenario-based Requirements For information on obtaining reprints of this article, please send e-mail to: analysis method (SCRAM) that recommended a combination [email protected], and reference IEEECS Log Number 107457.
0098-5589/98/$10.00 © 1998 IEEE SUTCLIFFE ET AL.: SUPPORTING SCENARIO-BASED REQUIREMENTS ENGINEERING 1073 of concept demonstrators, scenarios and design rationale use for their patterns [8], [19], they do not provide guidance [50]. SCRAM employed scenarios scripts in a walkthrough about the extent of such contexts. Requirements reuse has method that validated design options for ‘key points’ in the been demonstrated by Lam et al. [31]; although, the scope of script. Alternative designs were documented in design ra- reuse was limited to one application domain of jet engine tionale and explained to users by demonstration of early control systems. Many problems share a common abstraction prototypes. SCRAM proved useful for facilitating require- [51], and this raises the possibility that if common abstrac- ments elaboration once an early prototype was in place tions in a new application domain could be discovered early [48]; however, it gave only outline guidance for a scenario- in the RE process, then it may be possible to reuse generic based analysis. requirements and link them to reusable designs. This could Scenarios can be created as projections of future system provide a conduit for reusing the wealth of software engi- usage, thereby helping to identify requirements; but this neering knowledge that resides in reusable component li- raises the question of how many scenarios are necessary to braries, as well as linking requirements to object-oriented ensure sufficient requirements capture. In safety critical solution patterns (e.g., [8], [19]). Building a bridge from re- systems accurate foresight is a pressing problem, so tax- quirements engineering to reusable designs is another moti- onomies of events [24] and theories of human error [37], vation for the research reported in this paper. [42], have been used to investigate scenarios of future sys- Next we turn to a description of the method and tool tem use. In our previous research [49], we have extended support. the taxonomic approach to RE for safety critical systems but this has not been generalized to other applications. 3METHOD AND TOOL SUPPORT FOR SCENARIO- Scenarios have been adopted in object-oriented methods ASED [29], [21], [10] as projected visions of interaction with a de- B RE signed system. In this context, scenarios are defined as The method of scenario-based RE is intended to be inte- paths of interaction which may occur in a use case; how- grated with object-oriented development (e.g., OOSE— ever, object-oriented methods do not make explicit refer- [29]), hence use cases are employed to model the system ence to requirements per se. Instead, requirements are im- functionality and behavior. A separate requirements plicit within models such as use cases and class hierarchies. specification document is maintained to make requirements Failure to make requirements explicit can lead to disputes explicit and to capture the diversity of different types of and errors in validation [17], [38]. Several requirements requirements, many of which cannot be located in use management tools have evolved to address the need for cases. Use cases and the requirements specification are requirements tracability (e.g., Doors, Requisite Pro). Even developed iteratively as analysis progresses. though such tools could be integrated with systems that We define each scenario as “one sequence of events that support object-oriented methods (e.g., Rational Rose) at the is one possible pathway through a use case.” Hence, many syntactic level, this would be inadequate because the se- scenarios may be specified for one use case and each sce- mantic relationships between requirements and object- nario represents an instance or example of events that could oriented models needs to be established. One motivation happen. Each scenario may describe both normal and ab- for our work is to establish such a bridge and develop a normal behavior. The method illustrated in Fig. 1 uses sce- sound means of integrating RE and OO methods and tools. narios to refine and validate system requirements. The Discovering requirements as dependencies between the stages of the method are as follows: system and its environment has been researched by Jackson Elicit and document use case. In this stage use cases are [26] who pointed out that domains impose obligations on a elicited directly from users as histories of real world system required system. Jackson proposed generic models, called usage or are created as visions of future system usage. The problem frames, of system-environment dependencies but use case model is validated for correctness with respect to events arising from human error and obligations of systems its syntax and semantics. The paper does not report this to users were not explicitly analysed. Modeling relationships stage is in detail. and dependencies between people and systems has been investigated by Yu and Mylopoulos [54] and Chung [7]. Analyse generic problems and requirements. A library of reus- Their i* framework of enterprise models facilitates investiga- able, generic requirements attached to models of application tion of relationships between requirements goals, agents and classes is provided. A browsing tool matches the use case tasks; however, scenarios were not used explicitly in this ap- and input facts acquired from the designer to the appropriate proach. Methods are required to unlock the potential of sce- generic application classes and then suggests high level ge- nario-based RE; furthermore, the relationship between in- neric requirements attached to the classes as design rationale vestigation based on examples and models on one hand and “trade-offs.” Generic requirements are proposed at two lev- the systems and requirements imposed by the environment els: first, general routines for handling different event pat- on the other, needs to be understood more clearly. terns, and secondly, requirements associated with application One problem with scenarios is that they are instances, i.e., classes held in the repository. The former provide require- specific examples of behavior which means that reusing sce- ments that develop filters and validation processes as speci- nario based knowledge is difficult. A link to reusable designs fied in event based software engineering methods (e.g., Jack- might be provided if scenarios could be generalized and then son System Development [27]); while the latter provide more linked to object-oriented analysis and design patterns [18]. targeted design advice; for instance, transaction handling Although authors of pattern libraries do describe contexts of requirements for loans/hiring applications. 1074 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 24, NO. 12, DECEMBER 1998
Fig. 1. Method stages for scenario-based requirements engineering.
Generate scenarios. This step generates scenarios by The use case specifies a network of actions linked to the walking through each possible event sequence in the use attainment of a goal which describes the purpose of the use case, applying heuristics which suggest possible exceptions case. Use cases are refined into lower levels of detail, so a and errors that may occur at each step. This analysis helps complete analysis produces a layered collection of use the analyst to elaborate pathways through the use case in cases. Use cases have user-defined properties that indicate two passes; first for normal behavior and secondly for ab- the type of activity carried out, e.g., decision, transaction, normal behavior. Each pathway becomes a scenario. Sce- control, etc. Each action can be subtyped as either cognitive nario generation is supported by a tool which automatically (e.g., the buyer agrees the deal price on offer), physical (e.g., identifies all possible pathways through the use case and the dealer returns the telephone receiver), system-driven requests the user to select the more probable error path- (e.g., the dealing systems stores information about the cur- ways. rent deal) or communicative (e.g., the buyer requests a quote from the dealer). Each action has one start event and Validate system requirements using scenarios. Generation is one end event. Actions are linked through eight types of followed by tool-assisted validation which detects event action-link rules which are described later in more detail. patterns in scenarios and presents checklists of generic re- Each action involves one or more agents. Each agent can quirements that are appropriate for particular normal and be either human (e.g., a dealer), machine (e.g., a dealing- abnormal event patterns. In this manner requirements are system), composite (e.g., a dealing-room) or an unspecified refined by an interactive dialogue between the software type. Agents have user-defined properties that describe engineer and the tool. The outcome is a set of formatted use their knowledge and competencies. Action—agent links are cases, scenarios, and requirements specifications which specified by an involvement relation that can be subtyped have been elaborated with reusable requirements. as {performs, starts, ends, controls, responsible}. Each ac- Although the method appears to follows a linear sequence, tion uses nil, one or many object instances denoted by a use in practice the stages are interleaved and iterative. relation, subtyped as {accesses, reads, operates}. Each action can also result in state transitions which change the state of 3.1 Schema for Scenario-Based Requirements objects. States are aggregations of attribute values which Modeling characterize an object at a given time in both quantitative In this section, we describe the schema of scenario based and qualitative terms. Structure objects are persistent real knowledge shown in Fig. 2. A use case is a collection of ac- world objects that have spatial properties and model physi- tions with rules that govern how actions are linked to- cal and logical units of organization. Structure objects are gether, drawn from Allen’s temporal semantics [2] and the important components in reusable generic domain models calculus of the ALBERT II specification language [14]. An (called object system models and described in Section 3.5), action is the central concept in both scenarios and use cases. but also allow use case models to be extended to describe the location of objects, agents, and their activity. SUTCLIFFE ET AL.: SUPPORTING SCENARIO-BASED REQUIREMENTS ENGINEERING 1075
Fig. 2. Metaschema for modeling use cases and scenario based knowledge.
3.1.1 Introduction to the Case Study commercial requirements management and computer- The case study is based on a security dealing system at a aided software engineering software tools. It supports six- major bank in London. Securities dealing systems buy and main functions which correspond to the architecture com- sell bonds and gilt-edged stock for clients of the bank. The ponents shown in Fig. 4. bank’s dealers also buy and sell securities on their own ac- 1) incremental specification of use cases and high-level count to make a profit. Deals may be initiated either by a system requirements (the domain/use case modeler client requesting transactions, or by a counterparty (another supports method stage 1) bank or stockbroker who acts as a buyer) requesting a 2) automatic generation of scenarios from a use case quotation, or by the dealer offering to buy or sell securities. (scenario generator supports stage 3); Quotes are requested over the telephone, while offers are 3) manual description of use cases and scenarios from posted over electronic wire services to which other dealers historical data of previous system use, as an alternative and stockbrokers subscribe. In this case study, we focus on to tool-based automatic scenario generation (use deals initiated by a counterparty from the viewpoint of the case/scenario authoring component supports stage 1); dealer. The main activities in this use case include agree- 4) presentation of scenarios, supporting user-led walk- ment between the dealer and buyer on the deal price and through and validation of system requirements (sce- number of stock, entering and recording deal information nario presenter supports stage 4); in the computer system, and checking deal information 5) semiautomatic validation of incomplete and incorrect entered by the dealer to validate the deal. system requirements using commonly occurring sce- The case study contains several use cases; however, as nario event patterns (requirements validator supports space precludes a complete description, we will take one stage 4). CREWS-SAVRE is loosely coupled with use case “prepare-quote” as an example, as illustrated in RequisitePro’s requirements database so it can make Fig. 3. The sequence is initiated by a request event from the inferences about the content, type and structure of the counterparty agent. The dealer responds by providing a requirements. quotation which the counterparty assesses. If it is suitable Another component, which guides natural language the counterparty agrees to the quotation and the deal is authoring of use case specifications, is currently under de- completed. Inbound events to the system are the deal velopment. The component uses libraries of sentence case which has to be recorded and updated, while outbound patterns (e.g., [13]) to parse natural language input into events are displays of market information and the recorded semantic networks prior to transforming the action de- deal. System actions are added to model the first vision of scription into a CREWS-SAVRE use case specification. how the dealing support system will work. The dealer Space precludes further description of the component in agent is linked to the dealing room structure object that this paper. describes his location of work. The dealer carries out the The CREWS-SAVRE tool permits the user to develop use “prepare quote” use case which is composed of several ac- cases which describe projected or historical system usage. It tions and involves the “trade” object. then uses an algorithm to generate a set of scenarios from a 3.2 Tool Support use case. Each scenario describes a sequence of normal or The method is supported by Version 2.1 of the CREWS- abnormal events specified in the original use case. The tool SAVRE tool that has been developed on a Windows-NT uses a set of validation frames to detect event patterns in platform using Microsoft Visual C++ and Access, thus scenarios, thereby providing semiautomatic critiquing with making it compatible for loose integration with leading suggestions for requirements implied by the scenarios. 1076 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 24, NO. 12, DECEMBER 1998
Fig. 3. Upper level use case illustrated as an agent-interaction showing tasks, agent, and actions.
Fig. 4. Overview of the CREWS-SAVRE tool architecture.
3.3 Use Case Specification AND ((ev(endA) > (ev(endB)); The user specifies a use case using CREWS-SAVRE’s do- concurrent (A and B): no rules about ordering of events; main and use case modeler components. First, for a do- alternative (A or B): (ev(startA) occurs) OR (ev(startB) main, the software engineer specifies all actions in the do- occurs); main, defines agents, and objects linked to these actions, parallel and equal (A parallel B): (ev(startA) = ev(startB)) assigns types (e.g., communicative, physical, etc.) to each AND ((ev(endA) = (ev(endB)); action, and specifies permissible action sequences using equal-start (A starts-with B): (ev(startA) = ev(startB)) action-link rules. From this initial domain model, the user AND ((ev(endA)not = (ev(endB)); can then choose the subset of domain actions which form equal-end (A ends-with B): (ev(endA) = ev(endB)) the normal course of a use case. This enables a user to spec- AND ((ev(startA)not = (ev(startB)). ify more than one use case for a domain, and hence gener- where event ev(X) represents the point in time at which the ate more scenarios for that domain. As a result, a use case event occurs. Actions are defined by ev(startA) < ev(endA) acts as a container of domain information relevant to the and ev(startB) < ev(endB), that is all actions have a duration current scenario analysis. As scenarios are used to validate and the start event of an action must occur before the end different parts of the domain’s future system, different use event for the same action. These link rules types build on cases containing different action descriptions are specified. basic research in temporal semantics [2] and the formal Consequently, the domain model enables simple reuse of temporal semantics and calculus from a real-time temporal action descriptions across use cases, because two or more logic called ALBERT-CORE which underpins the ALBERT use cases can include the same action. II specification language [23]. The current version of Eight types of action-link rule are available in CREWS- CREWS-SAVRE does not provide all of Allen’s [2] 13 ac- SAVRE: tion-link types. Rather, it provides a set of useful and usable strict sequence (A then B): ev(endA) < ev(startB); semantics based on practical reports of use case analysis part sequence (A meanwhile B): (ev(startA) < ev(startB)) (e.g., [1], [29]). AND ((ev(endA) > (ev(startB)) For the dealing system domain, two actions are Buyer re- AND ((ev(endA) < (ev(endB)) ; quests deal from the dealer and Dealer retrieves price information inclusion (A includes B): (ev(startA) < ev(startB)) from the dealer-system. Selection of the action-link rule SUTCLIFFE ET AL.: SUPPORTING SCENARIO-BASED REQUIREMENTS ENGINEERING 1077
Fig. 5. Domain modeler screen dump.
MEANWHILE indicates that, in general, the dealer begins to in a use case, the latter case frames detect event patterns in retrieve price information only after the buyer begins to re- scenarios and suggest appropriate, generic requirements. quest the deal. A third action, this time describing system Two examples of consistency checking frames are as follows: behavior—Dealer-system displays the price information to the 1) Checks for agents connected by a specific relationship dealer—can be linked through the THEN rule to specify a type. strict sequence between the two actions, in that the first ac- tion must end before the second action starts. Part of the validation-frame {detects dyadic component relationships} dealing system domain model is shown in Fig. 5. It shows a situation: subset of the current domain actions (shown as (A) in Fig. 5), model(component(x), relationship (y), component (z)); the specification of attributes of a new action (B), current ac- schema requirements: tion-link rules (C) and agent types (D). Other parts of the (component type (i) component (x), domain modeler are outside of the scope of this description. mandatory) ; One or more use cases are specified for a domain such as (component type (j) component (y), the dealing system. Each use case is linked to one high-level mandatory); requirement statement, and each system action to one or (relationship type (k) relationship (z), more system requirements. Each use case specification is in mandatory) four parts. The first part specifies the identifiers of all ac- end-validation-frame tions in the use case. The second part specifies action-link rules linking these actions. The third part contains the ob- EXAMPLE. The user decides to check that all actions are ject-mapping rules needed to handle use of synonyms in controlled by at least one agent. First the tool finds all action descriptions. The fourth part specifies exception- nodes with a component type = agent, then it finds all types linked to the use case, as described in Section 3.6. the nodes connected to that agent which are actions and finally whether the involvement relationship that 3.4 Checking the Use Case Specification connects the two nodes is of the correct type = control. Validation rules check the integrity of the relationships As the tool is configurable the input parameters, (i) specified in Section 3.1, represented in tuple format and (j) can be any schema primitives, and the rela-
mandatory); sign solutions as proposed by [19]. Each OSM represents a (component type (j) component (y), transaction or a cooperating set of objects and are modeled mandatory); as class diagrams, while the agent’s behavior is represented (relationship type (k) relationship (z), in a use case annotated with high level generic require- not specified); ments, expressed in design rationale diagrams. (component (x) property (w), A separate set of generic use case models are provided mandatory); for the functional or task-related aspects of applications. (component (y) property (v), Generic use cases cause state changes to objects or agents; mandatory); for instance, a diagnostic use case changes the state of a end-validation-frame malfunctioning agent (e.g., human patient) from having an EXAMPLE. The user wishes to validate that all agents that are unknown cause to being understood (symptom diagnosed). linked to a use case with a
Fig. 7. Design rationale for high level generic requirements from clusters 2 and 3 in Fig. 6 attached to “evaluate choice” and “prepare quote” use cases. The instantiated requirement derived from the generic version is given in brackets.
Fig. 8. Diagram illustrating three normal scenario paths generated from a use case fragment. SUTCLIFFE ET AL.: SUPPORTING SCENARIO-BASED REQUIREMENTS ENGINEERING 1081
TABLE 1 SUMMARY OF EXCEPTION TYPES FOR EVENTS ORIGINATING IN THE SYSTEM AND GENERIC REQUIREMENTS TO DEAL WITH ABNORMAL PATTERNS
Exception Generic Requirement event does not happen—omitted time-out, request resend, set default event happens twice (not iteration) discard extra event, diagnose duplicate event happens in wrong order buffer and process, too early—halt and wait, too late— send reminder, check task event not expected validate vs. event set, discard invalid event information—incorrect type request resend, prompt correct type incorrect information values check vs. type, request resend, prompt with diagnosis information too late (out of date) check data integrity, date/time check, use default information too detailed apply filters, postprocess to sort/group information too general request detail, add detail from alternative source
A set of rules constrain the generation of alternative • human agents. Influencing factors that give rise to user courses in a scenario using action and agent types. These errors and exceptions are derived from cognitive sci- rules are part of an extensible set which can be augmented ence research on human error [42], Norman’s model using the agent types and influencing factors described of slips [37] and Rasmussen’s three levels of human- below. Two example rules are: task mismatches [41]. However, as human error can- IF ((ev1 starts ac1) OR (ev1 ends ac1)) not be adequately described by only cognitive factors; AND ac1(type = cognitive) we have included other performance affecting prop- THEN (ex(type = human) applies-to ev1). erties such as motivation, sickness, fatigue, and age; based on our previous research on safety critical sys- which ensures that only human exception types and influ- tems [49]. encing factors (see next section) are applied to a cognitive • machine agents. Failures caused by hardware and action for event (ev1), action (ac1) and exception type (ex), software, e.g., power supply problems, software and crashes, etc. IF ((ev1 starts ac1) OR (ev1 ends ac1)) • human-machine interaction. Poor user interface design AND ac1(type = communicative) can lead to exceptions in input/output operations. AND (ac1 involves ag1) AND ag1(type = machine) This group draws on taxonomies of interaction fail- AND (ac1 involves ag2) AND ag2(type = machine) ures from human-computer interaction [46] and con- THEN (ex(type = machine-machine-communication) sequences of poor user interface design (e.g., [36]); applies-to ev1). • human-human communication. Scenarios often involve which ensures that only machine-machine communication more than one human agent. Communication break- failures are applied to communication actions where both downs between people have important consequences. agents are of type ‘machine’ for event (ev1), action (ac1), Exceptions have been derived from theories from agents (ag1 and ag2) and exception type (ex). The rules computer-supported collaborative work [46]. Exam- identify particular types of failure that may occur in differ- ples include communication breakdowns and misun- ent agent-type combinations so that generic requirements derstandings; can be proposed to remedy such problems. For instance, in • machine-machine communication. Scenarios often in- the first rule, human cognitive errors that apply to action1 volve machine agents, and exceptions specific to their can be counteracted by improved training or aid memoir communication can also give rise to alternative paths. facilities (e.g., checklists, help) in the system. In the second The interaction between influencing factors that give rise rule which detects network communication errors, generic to human error is described in Fig. 9. Four outer groups of requirements are suggested for fault tolerant designs sand factors (working conditions, management, task/domain back-up communications. and personnel qualities) effect four inner factors (fatigue, The algorithm generates a set of possible alternative stress, workload, and motivations). These in turn effect the paths according to the agent-action combination. The use probability of human error which is manifest as an event case modeler allows the user to select the more probable exception of type abnormal pathways according to their knowledge of the domain. To help the software engineer anticipate when ex-
Fig. 9. Influencing factors for exceptions and their interrelationships.
Fig. 10. Validation frames for adding generic requirements. 1084 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 24, NO. 12, DECEMBER 1998
This frame detects the absence of a reply event after a set match(acA,acX, osm(acX, object-messaging)); time period from a human agent (implicitly) and signals the requirements: requirement to ask for resend or set a time out. An instan- requirement(functional, mandatory, link), tiation of this is the requirement to request a price to be generic-requirement(GOM1, system shall support entered by the dealer within 30 sec of accessing the ‘prepare identification/retrieval of receiver agent’s address); quote’ option. This exception deals with inbound event generic-requirement(GOM2, system shall enable a user to delays, so if the time is longer than a preset limit (i.e., the enter the receiver agent’s address); system is not used for that period), the tool recommends generic-requirement(GOM3, system shall enable a user to reusable generic requirements, for example to warn the enter the content of a message); user and log-out the user after a certain period of time. generic-requirement(GOM4, system shall enable a user to Validation frames for alternative course events provide send a composed message to the receiver agent); generic requirements to handle an event exception (ev) generic-requirement(GOM5, system shall maintain a linked to an event ‘ev’ as follows: sender-agent log of all messages which are sent from and validation-frame received by the sender-agent); situation: end-validation-frame
event(evA,,acA) AND For example, the validation frame is applicable to event
action(acA,,agA) AND S30 which starts the action “buyer requests quote from agent(agA,machine) AND dealer.” Each of the generic requirements is applicable to exception(acA,human-attention); computerised support for this action, whether or not the requirements: action is undertaken by telephone or e-mail, for example requirement(functional, mandatory, link), retrieving the receiver agent’s telephone number or e-mail generic-requirement(GR1, system shall check address, and maintaining a sender log of all telephone calls for data entry mistakes), or e-mail messages. Such generic requirements can be in- generic-requirement(GR2, system shall stantiated and added to the requirement specification. restrict possible data entry); end-validation-frame 4DISCUSSION Such attention failures are possible when entering dealer The contributions to RE we have reported in this paper are information. The tool proposes generic requirements, and threefold. First, extensive reuse of requirements knowl- the requirements engineer chooses requirement GR1 “the edge is empowered via decision models and generic re- system shall check for data entry mistakes”. In Fig. 11, the quirements. Secondly a means of semiautomatic require- requirements engineer is again examining event S90 [the ments validation is provided via frames. Frames extend dealer enters the deal information into the dealer-system] type checking by recognizing patterns of agents’ behavior (A) and the causal influencing factor [agent pays poor at- to which appropriate validation questions, and possible tention to detail] (B). Again the above validation frame de- design solutions, may be applied. Third, we have de- tects the need for functional requirements to handle the scribed the use of scenarios as test pathway simulations, alternatives linked to event S90. As a result, the user is able with novel tool support for semiautomatic scenario gen- to add new requirements to the requirements document to erations. The current status of development is that the handle this alternative course. scenario generator-validator tool has been implemented Finally the tool uses validation frames for applying OSM- and industrial trials are commencing. Clearly coverage in specific generic requirements in a similar manner. In Section terms of the number of validation frames and generic re- 3.4, high level generic requirements were recruited as design quirements contained in the tool database is a key issue rationale trade-offs, whereas when frames are used to detect effecting the utility of our approach. Our approach is OSM specific patterns in scenarios, more detailed require- eclectic and depends on knowledge in literature such as ments can be indicated. The computerised dealing system is from ergonomics, human resource management and user an instantiation of the object supplying, object messaging interface design. The contribution we have made to im- and agent-object control system models. Consider a valida- plement and integrate this knowledge in an extensible tion frame linked to the ‘send’ communication action in the architecture. The advice currently contained retrieved by object messaging system model. The situation (scenario) the validation frames provides requirements knowledge at specifies an event which starts a communication action that a summary level. Although this may be criticised as lack- involves a machine agent and which matches one of the ac- ing sufficient detail initial industrial reaction to the tool tions in the object messaging OSM (i.e., sending or returning has been encouraging, in particular the value of raising messages). For this situation, the validation frame identifies design issues which are not addressed by current meth- at least five generic system requirements: ods, e.g., DSDM [15]. So far we have demonstrated proof validation-frame of concept in terms of operation. This will be followed by comment: generic requirements for send action, further testing of utility within a small scale, but industri- object messaging OSM situation: ally realistic application. In many senses the strength of the method we have pro- event(evA,_,,acA) AND action(acA, communication, [agA,agB]) AND posed lies in integration of previous ideas. We have brought [agent(agA,machine) OR agent(agB,machine)] AND concepts from safety critical system assessment [24], [42] to SUTCLIFFE ET AL.: SUPPORTING SCENARIO-BASED REQUIREMENTS ENGINEERING 1085
Fig. 11. Validation frames for exceptions. bear on requirements analysis, and integrated these with sis such as we have reported. Scenarios have been used for scenario based approaches to RE. We acknowledge the assessing the impact of technical systems by several authors heritage of the Inquiry Cycle [39]; however, our research [6], [30], [16]. However, these reports give little prescriptive has contributed an advanced method and support tool that guidance for analysis, so the practitioner is left with exam- give more comprehensive guidance for solving RE prob- ples and case studies from which general lessons have to be lems. Specification of requirements to deal explicitly with extracted. For instance, the ORDIT method [16] gives lim- the implications of human error is a novel contribution ited heuristics that advise checking agent role allocations, where we have broken ground beyond the previous ap- but these fall far short of the comprehensive guidance we proaches [30], [20]. Furthermore, the influencing factors have proposed. that bear on causes for potential error are useful heuristics Dependencies between systems and their environment to stimulate debate about many higher level requirements have been analysed in detail by Jackson and Zave [28] who issues, such as task and workplace design. However, we point out that input events impose obligations on a required acknowledge it is difficult to provide prescriptive guidance system. They propose a formalism for modeling such depend- from such heuristics. While some may contend that for- encies. Formal modeling is applicable to the class of systems malising analytic heuristics can not capture the wealth of they implicitly analyse, e.g., real time and safety critical appli- possible causes of error in different domains, we answer cations, but it is less clear how such models can deal with the that some heuristics are better than none and point out that uncertainties of human behavior. To deal with uncertainty in the method is incremental and grows by experience. Failure human computer interaction, we believe our scenario based to formalise knowledge can only hinder RE. approach is more appropriate as it focuses on eliciting re- Parts of the scenario based method reported in this pa- quirements to repair problems caused by unreliable human per are related to the enterprise modeling approach of Yu behavior. Another approach is the KAOS specification lan- and Mylopoulos [54] and Chung [7]. They create models of guage and its associated GRAIL tool [32], [33] a formal mod- the system and its immediate environment using similar eling that refines goal-oriented requirements into constraint semantics for tracing of dependencies between agents, the based specifications. Van Lamsweerde et al. [33] have also goals and tasks with limited reasoning support for trade- adopted problems and obstacles from the Inquiry cycle [39]; offs between functional requirements and non-functional furthermore, they have also employed failure concepts from requirements (referred to as soft goals). However the i* the safety critical literature in a similar manner to CREWS- method does not contain detailed event dependency analy- SAVRE. Their approach is anchored in goal-led requirements 1086 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 24, NO. 12, DECEMBER 1998 refinement and does not use scenarios explicitly. In contrast, CREWS-SAVRE covers a wider range of issues in RE than KAOS but with less formal rigour, representing a trade-off in RE between modeling effort, coverage, and formal reasoning. So far the method has only partially dealt with nonfunc- tional requirements. Scenarios could be expressed in more quantifiable terms, for instance by the Goal- Question- Metric approach of Basili et al. [4], or by Boehm’s [5] qual- ity-property model. Scenarios in this sense will contain more contextual information to represent rich pictures of the system and its environment [30]. The description could Fig. 12. Object Supply OSM. Each OSM is illustrated as an informal be structured to include information related to the NF goal diagram using the metaschema semantics and a corresponding model being investigated and metrics for benchmark testing in object-oriented analysis notation. This shows classes, inheritance, achievement of the goal. Validation frames may be ex- aggregation and instance relationships with message connections. Only key attributes and methods are included. tended for assessing such rich picture scenarios for non functional and functional requirements. For instance, each one or more controlled agents contained in an object struc- inbound/outbound event that involves a human agent will ture which models the real world environment, e.g., air- be mediated by a user interface. Usability criteria could be space in air traffic control. The transitions represent mes- attached to this event pattern with design guidelines e.g., sages passed from the controlling agent to the controllee to ISO 9241 [25]. Performance requirements could be assessed change its behavior in some way. by checking the volume and temporal distribution of events against system requirements. Elaborating the scenario Goal state: for one agent to control the behavior of another; based approach to cover nonfunctional requirements is part all commands issued by the commanding of our ongoing research [52]. agents have to be responded to in some manner In spite of the advances that scenario-based RE may of- by the controlled agent fer, we have still to demonstrate its effectiveness in practice. Agents: controller, controllee There is evidence that the approach is effective in empirical Key objects: as for agents studies of earlier versions of the method which did use sce- Transitions: command, respond narios but without the support tool [50]. Further validation with industrial case studies is in progress.
APPENDIX A–A SELECTION OF THE OBJECT SYSTEM MODELS USED IN THE CASE STUDY—FOR MORE DETAILS SEE SUTCLIFFE AND MAIDEN [51]
A.1 Level-1 Class: Object Supply This class is characterized by the unidirectional transfer of key objects from an owning structure to a client agent who Fig. 13. Agent control OSM which has two agents instead of key objects. generated the request for the object. Transferred objects are moved physically in a different container and are conse- quently owned by a different agent. Familiar examples are A.3 Level-1 Class: Object Sensing sales order processing systems and inventory applications. The purpose of this class is to monitor the physical condi- The model has one structure object, two agents (client and tions or movement of objects in the real world and record resource owners), one key object, one event that models the their relative state with respect to a spatial/physical struc- request for the transaction and one state transition for de- ture object. This class has a sensing agent which reports on livery of the object. The common purpose of this class is the the key object. Subclasses in this family are determined ac- orderly transfer of resource objects from an owner to a cli- cording to whether it is a property of the key object which ent who requires the resource. The goal state asserts that all is to be detected or spatial behavior, and whether the sens- requests must be satisfied by transfer of key objects to the ing agent is active or passive, e.g., spatial sensing by radar requesting client. Specializations of this class distinguish detection of air traffic; or property sensing applications, between transfer of physical objects, while a separate ab- e.g., monitoring temperature, pressure in process control straction is used for the monetary aspects of sales. applications. Object sensing models are often aggregated Goal state to satisfy all resource requests with the agent-object control class. by supply of resource objects Goal: to detect any state change in a key object Agents client (requester), supplier and report that change to an external agent Key object resource Agents: sensor, client Transitions request, supply-transfer Key objects: real world objects A.2 Level-1 Class: Agent Control Transitions: detect, report This OSM family models command and control applica- tions. The class is characterized by a controlling agent and SUTCLIFFE ET AL.: SUPPORTING SCENARIO-BASED REQUIREMENTS ENGINEERING 1087
REFERENCES [1] C.B. Achour and C. Rolland, “Introducing Genericity and Modu- larity of Textual Scenario Interpretation in the Context of Re- quirements Engineering,” CREWS Technical Report, Centre de Re- cherche en Informatique, Universite de Paris 1, Paris, France, 1997. [2] J. Allen, “Maintaining Knowledge about Temporal Intervals,” Comm. ACM, vol. 26, no. 11, pp. 832–843, 1985. [3] R.W. Bailey, Human Performance Engineering. Prentice Hall, 1982. [4] V.R. Basili and D.M. Weiss, “A Methodology for Collecting Valid Software Data,” IEEE Trans. Software Eng., vol. 10, no. 3, pp. 728– 738, 1984. [5] B. Boehm and I. Hoh, “Identifying Quality-Requirement Con- flicts,” IEEE Software, pp. 25–35, Mar. 1996. [6] C.M. Carroll, “The Scenario Perspective on System Develop- Fig. 14. Object sensing OSMs; the sensor agent may be a means of ment,” J.M. Carroll, ed., Scenario-Based Design: Envisioning Work communicating events or an active detection device. The OOA model is and Technology in System Development. New York: John Wiley & the same for both the level-1 and level-2 classes, although the event and Sons, 1995. attributed in the spatial object sensing will be different. [7] L. Chung, “Representing and Using Non-Functional Require- ments: A Process-Oriented Approach,” Technical Report, DKBS-TR- TABLE 2 93-1, Univ. of Toronto, June 1993. [8] P. Coad, D. North, and M. Mayfield, Object Models: Strategies, DECISION TABLE FOR LOCATING OSMS Patterns and Applications, Englewood Cliffs, N.J.: Prentice Hall, 1995. [9] P. Coad and E. Yourdon, Object Oriented Analysis. Englewood Cliffs, N.J.: Yourdon Press, 1991. [10] A. Cockburn, “Structuring Use Cases with Goals,” 1995. http:// members.aol.com/acockburn/papers/usecase.htm [11] J. Conklin and M.L. Begeman, “gIBIS: A Hypertext Tool for Ex- ploratory Policy Decision,” Trans. Office Information Systems, vol. 6, no. 4, pp. 303–331, 1988. [12] A. Dardenne, A. van Lamsweerde, and S. Fickas, “Goal-Directed Requirements Acquisition,” Science of Computer Programming, vol. 20, pp. 3–50, 1993. [13] S.C. Dik, The Theory of Functional Grammar, Part I: The Structure of the Clause, Functional Grammar Series, vol. 9, Foris Publications, 1989. [14] P. Dubois, E. Dubois, and J. Zeippen, “On the Use of a Formal Representation,” Proc. Third Int’l Symp. Requirements Eng., IEEE CS Press, pp. 128–137, 1997. [15] Dynamic Systems Development Method (DSDM) Version 3.0, DSDM Consortium, Tesseract Publishing, Sept. 1997. [16] K.D. Eason, S.D. Harker, and C.W. Olphert, “Representing Social- Technical System Options in the Development of New Forms of Work Organization,” European J. of Work and Organizational Psy- chology, vol. 5, no. 3, pp. 399–420, 1996. [17] S.R. Faulk, “Software Requirements: A Tutorial,” Software Engi- neering, M. Dorfman and R. H. Thayer, eds., pp. 82–103, 1996. [18] M. Fowler, Analysis Patterns: Reusable Object Model. Addison- Wesley, 1997. [19] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design Patterns: Elements of Reusable Object-Oriented Ssoftware. Reading, Mass.: Addison-Wesley, 1994. [20] P.A. Gough, F.T. Fodemski, S.A. Higgins, and S.J. Ray, “Scenar- ios—An Industrial Case Study and Hypermedia Enhancements,” Proc. Second IEEE Symp. Requirements Engineering, IEEE Computer Each column is linked to a set of keywords that identify the generic models in Society, pp. 10–17, 1995. a variety of applications. [21] I. Graham, “Task Scripts, Use Cases and Scenarios in Object- Oriented Analysis,” Object-Oriented Systems, vol. 3, pp. 123–142, 1996. CKNOWLEDGMENTS [22] R. Hauser and D. Clausing, “The House of Quality,” Harvard A Business Review, pp. 63–73, May-June 1988. This research has been funded by the European Commis- [23] P. Heymans and E. Dubois, “Some Thoughts about the Animation of Formal Specifications written in the ALBERT II Language,” sion ESPRIT 21903 long term research project Cooperative CREWS Technical Report, Computer Science Dept., Univ. of Na- Requirements Engineering With Scenarios (CREWS). The mur, Belgium, 1997. project partners include RWTH-Aachen (project co- [24] E. Hollnagel, Human Reliability Analysis Context and Control. Aca- ordinator), City University, London, University of Paris I, demic Press, 1993. [25] ISO 9241, Ergonomic requirements for office systems visual dis- France, FUNDP, University of Namur, Belgium. play terminals, Parts 10, 11, 16 International Standards, parts 1-9, 12-15, 17, draft standards; Int’l Standards Organization, Switzer- land, available from National Standards Organization. [26] M.A. Jackson, Software Requirements and Specification. Addison- Wesley, 1995. [27] M.A. Jackson, System Development. Prentice Hall, 1983. 1088 IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 24, NO. 12, DECEMBER 1998
[28] M. Jackson and P. Zave, “Domain Descriptions,” IEEE Symp. Re- Alistair G. Sutcliffe is a professor of systems quirements Engineering, IEEE CS Press, pp. 56–64, 1993. engineering and director of the Centre of Human- [29] I. Jacobson, M. Christerson, P. Jonsson, and G. Overgaard, Object- Computer Interface Design at City University, Oriented Software Eng.: A Use-Case Driven Approach. Addison- London. He has research interests in software Wesley, 1992. engineering and human computer interaction. [30] M. Kyng, “Creating Contexts for Design,” J.M. Carroll, ed., Sce- His software engineering research is focused on nario-Based Design: Envisioning Work and Technology in System De- requirements analysis, cognitive modeling, the velopment. New York: John Wiley & Sons, 1995. software engineering process, and investigation [31] W. Lam, J.A. McDermid, and A.J. Vickers, “Ten Steps Towards of intelligent assistance for requirements cap- Systematic Requirements Reuse,” Proc. Third IEEE Int’l Symp. Re- ture. He has extensive publications in human- quirements Engineering, IEEE CS Press, pp. 6–13, 1997. computer interaction and software engineering, [32] A. van Lamsweerde and E. Leiter, “Integrating Obstacles in Goal- and has written two textbooks. He is a member of the British Computer Driven Requirements Engineering,” technical report, Dept. of Society and the IEEE . Computer Science, Catholic Univ. of Louvain, 1997. [33] A. van Lamsweerde, R. Darimont, and P. Massonet, “Goal Di- rected Elaboration of Rrequirements for a Meeting Scheduler: Neil A.M. Maiden received a PhD degree in Problems and Lessons Learned,” Proc. Second IEEE Symp. Re- computer science from City University, London in quirements Eng., IEEE Computer Society, pp. 194–203, 1995. 1992. He is a senior lecturer in the Centre for [34] N.A.M. Maiden and A.G. Sutcliffe, “Requirements Critiquing Human-Computer Interface Design, a research Using Domain Abstractions,” Proc. IEEE Conf. Requirements Eng., centre in the School of Informatics at City Uni- IEEE CS Press, pp. 184–193, 1994. versity. His research interests include frame- [35] C. Mazza, J. Fairclough, B. Melton, D. De Pable, A. Scheffer, and works for requirements acquisition and negotia- R. Stevens, Software Engineering Standards. Prentice Hall, 1994. tion, scenario-based systems development, [36] J. Nielsen, Usability Engineering. Academic Press, 1993. component-based software engineering, re- [37] D.A. Norman, The Psychology Of Everyday Things. Basic Books Inc., quirements reuse and more effective transfer of 1988. academic research results into software engi- [38] J.D. Palmer, “Traceability,” Software Engineering, M. Dorfman and neering practice. Neil has numerous journal and conference publica- R.H. Thayer, eds., pp. 266–276, 1996. tions. Dr. Maiden is also co-founder and treasurer of the British Com- [39] C. Potts, K. Takahashi, and A.I. Anton, “Inquiry-Based Require- puter Society Requirements Engineering Specialist Group. He is a ments Analysis,” IEEE Software, vol. 11, no. 2, pp. 21–32, 1994. member of the IEEE. URL http://www.soi.city.ac.uk/~cc559/info.html. [40] C. Potts, K. Takahashi, J. Smith, and K. Ora, “An Evaluation of Inquiry Based Requirements Analysis for an Internet Service,” Proc. Second IEEE Symp. Requirements Eng., IEEE Computer Soci- ety, pp. 27–34, 1995. Shailey Minocha holds an engineering and a [41] J.Rasmussen, A.M. Pejtersen, and L.P. Goodstein, Cognitive Sys- PhD degree in the area of digital signal proc- tems Engineering. John Wiley & Sons, 1994. essing from the Indian Institute of Technology, [42] J.T. Reason, Human Error. Cambridge Univ. Press, 1990. New Delhi, India. She is a research fellow at the [43] S. Roberston at the Atlantic Systems Guild, United Kingdom, Centre for HCI Design at City University, London. personal communication. She is involved in the European Union long-term [44] T. Royer, “Using Scenario-Based Designs to Review User Interface ESPRIT research project: Cooperative Require- Changes and Enhancements,” Proc. DIS95: Designing Interactive ments Engineering With Scenarios (CREWS). Systems, Ann Arbor, pp. 237–246, 1995. The main areas of her research and teaching at [45] M.S. Sanders and E.J. McCormick, Human Factors Engineering and City University are socially- and context-centered Design. McGraw-Hill, 1992. design with human factors of central concern [46] B. Shneiderman, Designing the User Interface: Strategies for Effective within the design process, use case and scenario-based requirements Human-Computer Interaction. Addison-Wesley, third edition, 1997. engineering, usability engineering and conducting usability evaluations, [47] A.G. Sutcliffe, Human Computer Interface Design. second edition, software quality, and object-oriented analysis and design. She received London: Macmillan, 1994. her postdoctoral fellowship from the Institute of Computer Engineering [48] A.G. Sutcliffe, “Requirements Rationales: Integrating Approaches of Technical University, Braunschweig, Germany, where she worked on to Requirements Analysis,” Proc. Designing Interactive Systems the project on Adaptive User Interfaces and Adaptive Window Man- (DIS’95), pp. 33–42, New York: ACM Press, 1995. agement. Her current research interests include scenario-based re- [49] A.G. Sutcliffe and G. Rugg, “A Taxonomy of Error Types for Failure quirements engineering, software engineering for interactive systems, Analysis and Risk Assessment,” Int’l J. Human Computer Interactions, human factors engineering, and usability engineering. to appear. [50] A. G. Sutcliffe, “A Technique Combination Approach to Require- ments Engineering,” Proc. Third IEEE Int’l Symp. Requirements En- Darrel Manuel received the BSc and MSc (with gineering, IEEE CS Press, pp. 65–74, 1997. distinction) degrees in computer science both [51] A.G. Sutcliffe and N.A.M. Maiden, “The Domain Theory for Re- from the University of Exeter, United Kingdom. quirements Engineering,” IEEE Trans. Software Eng., vol. 24, no. 3, He was a research assistant in the Centre for pp. 174–196, Mar. 1998. Human-Computer Interface Design at City Uni- [52] A.G. Sutcliffe and S. Minocha, “Scenario-Based Analysis of Non- versity, London working on the ESPRIT 'CREWS' Functional Requirements,” Proc. Workshop ‘Requirements Engi- long-term research project. He is currently neering for Software Quality’ (REFSQ’98) at CAiSE’ 98, Pisa, Italy, working towards his PhD thesis (also from the June 1998. University of Exeter) which is in the field of pro- [53] A.G. Sutcliffe, “Domain Analysis for Software Reuse,” J. Systems gram visualization. and Software. to appear [54] E. Yu and J. Mylopoulos, “Towards Modelling Strategic Actor Relationships for Information Systems Development—with Ex- amples from Business Process Reengineering,” Proc. Fourth Work- shop on Information Technology and Systems (WITS’94), Vancouver, B.C. Canada, Dec. 1994.