Requirements and boilerplates

Tor StålhaneIDI / NTNU

Content • Requirements specifications• Why are requirements specification difficult• Templates – boilerplates and guided natural

language • Guided natural language – GNL • Boilerplates • Boilerplate examples• How to communicate requirements – use

cases and beyond

Requirements specification

Goal tree – 1

Goal tree – 2

Goal tree – example

Goal description

Why are requirements difficult

What is the problemEffects of Inadequate Requirements development – Airbus:

• Requirement: Reverse thrust may only be used, when the airplane is landed.

• Translation: Reverse thrust may only be used while the wheels are rotating.

• Implementation: Reverse thrust may only be used while the wheels are rotating fast enough.

• Situation: Rainstorm – aquaplaning

• Result: Crash due to overshooting the runway

• Problem: erroneous modeling in the requirement phase

The challenge The main challenges in Requirements

Engineering for large systems are that:• There are many requirements – often several

thousands. • Several requirements are interdependent• Requirements are related to two or more of:

– Hardware – computers, sensors, actuators, machinery

– Software – control, measurement, logging– Operators – procedures, behavior

Brake by Wire System – 1

moving

Requirement - Natural language:On a blocked wheel the brake shall be released

within 100ms, while the vehicle is moving.

Brake by Wire System – 2

WSS = Wheel Sped Sensor

TemplatesBoilerplates

and Guided Natural language

Humans and machines – 1 Given the amount and complexity of RE, we

need to automate as much as possible.

Humans and machines have different strong and weak points.

We want to elicit and analyze requirements in a way that allows both parties to build on their strong sides.

Humans and machines – 2 We have focused on the differences between man and machine for

requirements elicitation and formulation – understanding, observing and reasoning and requirements analysis – memory, information processing and consistency

Area Man MachineUnderstanding Good at handling large variations in

written materialBad at handling large variations in written material

ObservationGeneral observations, multifunctional patterns

Specialized observations, quantitative data

Reasoning Inductive, slow, imprecise but with good error correction capabilities

Deductive, fast, precise but with bad error correction capabilities

Memory Innovative, general access Copying, formal access Information processing Single channel, less than 10 bits

per secondMultichannel, several megabits per second

Consistency Unreliable, gets tired, depends on learning

Consistent, do not get tired, repeating several actions

Force Low level, maximum 1500 watt High level over a long time periodSpeed Slow, reaction times in seconds Extremely fast

Humans and machines – 3

• Machines are – good at observing quantitative data and being

deductive, fast and precise. In addition, they are good at doing consistent repetition of several actions.

– bad at handling variations in written material and pattern recognition.

• Humans are good at handling variations in written material, being inductive. In addition, they are good at doing error correction.

TDT 4242

Motivation for use of templates – 1

Text has the advantage of unconstrained expression. There is, however, a need for common

• Understanding of concepts used to express the requirements and relations between them.

• Format of presentation

Lack of common understanding makes requirement specifications expressed as free text prone to ambiguous representations and inconsistencies.

TDT 4242

Motivation for use of templates – 2

Template based textual requirements specification (boilerplates) will introduce some limitations when representing requirements but will also reduce the opportunity to introduce ambiguities and inconsistencies.

Boilerplates

• Provides an initial basis for requirements checking

• Are easy to understand for stakeholders compared to more formal representations

TDT 4242

Requirements – 1 There are three levels of requirements:

• Informal – e.g. Natural language (NL): free text, no rules apply

• Semiformal• Guided Natural Language (GNL): free text but

allowable terms are defined by a vocabulare• Boilerplates (BP): structured text and an ontology

– vocabulary plus relationships between terms

• Formal: e.g. state diagrams or predicate logic

Requirements – 2

Req.012: The system shall enable cabin temperature regulation between 15°C and 30°C

……

Req.124: Cabin temperature shall not exceed 35°

Step 1:Capture Requirements in Natural Language

Step 2:Transfer Requirements and functions into a semi-formal requirements model

Function 1

Req 001Req 002Req 012

…Req 124

Function 2

Req 011Req 028Req 050

……

Function 1

Req 001Req 002Req 012

…Req 124

Function 1

Req 001Req 002Req 012

…Req 124

Function 2

Req 011Req 028Req 050

……

Function 2

Req 011Req 028Req 050

……

Function 1

Function 1a

Function 1b

Function 1c

Function 1

Function 1a

Function 1b

Function 1c

Req 001.01Req 001.02….

Step 3:Refine the requirements model and derive detailed requirements

Parallel Steps:Apply dictionary with common vocabulary; validate and check Requirements consistency and completeness

Step 4:Create a preliminary design model based on the requirement model (to be used and refined in SP3)

BPs and GNL – 1

RMM- Refinement- Specialization

Example: The <system function> shall provide <system capability> to achieve <goal>

Template based textual Meta ModelSyntax Semantics

Guided RSL Boilerplates

Requirements expressed using a vocabulary guideUses predefined concepts, relations and axioms to guide requirements elicitation

Requirements expressed on templatesUses predefined templates based on concepts, relations and axioms to guide requirements elicitation

Keywords:Reflects requirement, system and domain concepts

Analysis-Correctness-Completeness-Consistency-Safety analysis

Ontology: General and SP specific- Requirements classification- System attributes- Domain concepts

= + +

Example:The ACC system shall be able to determine the speed of the ego-vehicle.

Guided Natural Language and Boilerplates will reduce variation and thus giving the machines the opportunity to do what they are best at: to be fast, precise and consistent.

By combining humans and machines and let both do what they are best at, we get a better result than we would get if we left the job of handling requirements to just one of them.

BPs and GNL – 2

Why BPs and GNL – 3

The final goal is to allow the machine to assist the developers in analysing requirements for:• Consistency – no requirement contradicts an

other requirement• Completeness – all necessary requirements

are stated • Safety implications – consider the possibility

for hazards

Guided Natural language

• Free text requirement elicitation with the assistance of prescribed words from a dictionary. This will give us requirements which use all terms in a uniform way, thus reducing misunderstandings

• No formal constraints• Requires minimal expertise.

What is GNL - 1

What is GNL - 2

Bridge the gap between unconstrained expression and quality checking when representing requirements as free text.

• Quality measures:– Correctness– Consistency– Completeness– Un-ambiguity (reduced variability)

• Provide the basis for semantic processing and checking of requirements.

• Dictionary – Simple taxonomy or more formal ontology

Ontologies – 1 Ontologies are an important part of CESAR's approach

to requirements engineering. An ontology has three parts

• a thesaurus• a set of relationships between terms in the thesaurus• rules for making interferences based on these

relationships.

The information used to build an ontology is in our case mainly found in standards and glossaries.

Ontology = Thesaurus + Inference Rules• Thesaurus – Domain concepts: entities,

terms and events• Inference Rules – Relations, attributes

and axioms• Causality, similarity, reflexivity,

transitiveness, symmetric, disjoint (contradiction) …

Ontologies – 2

Ontologies – 3 Required Activity• Knowledge capture: Information embedded in

domain events from domain experts and ontologist• Implementation: Formal representation of captured

knowledge. Language: OWL, Support environment: Protégé.

• Verification: Checking that represented ontology is correct using

• Classifiers/reasoners• Domain experts (semantic accuracy)• Mapping of requirement segments to ontology

concepts

Ontologies – example

……Water-level……

Boiler-tankFeeding-pumpNon-return valveTank

Max-limit

Pump

infers

has

is controlledby

Min. water levelMax. water levelWater-level indicator

OnOff

Control-system

has-state

infers

is coupledwith

Boilerplates

What is a boilerplate – 1

The concept of boilerplates was originally suggested by Hull et al. There is one boilerplate template for each type of requirements, e.g.

• the <system> shall be able to <action> to <entity>

• the <system> shall not allow <user> to <action>.

TDT 4242

What is a boilerplate – 2 Boilerplates is a set of structures that can be used to write

requirements. They use high-level concept classification and attributes

Boilerplate attributes

Main part – 1

Main part – 2

The main thing to be achieved by the requirement, e.g.

• "…<system> shall <action>”• ”…<system> shall allow <entity> to be

<state>”

Prefix – 1

Prefix – 2

Prefixes are used to state:• The condition under which the action part of a

requirement should be executed, e.g. – "While <state>…“– "If <event>…“

• The rational or goal of the requirement, e.g.– “In order to <action>...”

Suffix – 1

Suffix – 2

A suffix is used to describe:• Sequencing – e.g. “...before <event>”• Exceptions – e.g. “...except for <action>”• Timing – e.g. “...within <number> <unit>”• Repetitions – e.g. “...at least <quantity> times

per <unit>”

Using the boilerplates

The RE process is as follows:

1. Select a boilerplate or a sequence of boilerplates. The selection is based on the attributes that need to be included and how they are organized – fixed terms.

2. If needed, identify and include mode boilerplates – prefixes

3. Instantiate all attributes

A boilerplate consists of fixed terms and attributes. It may, or may not, contain one or more modes.

Boilerplates in CESAR The original set of boilerplates had an ad-hoc structure

and several of them were difficult to combine into more complex requirements. The CESAR project has an on-going process where

• Project partners use the current set of boilerplates to write requirements for safety critical systems and report problems back to the boilerplate working group – NTNU, Infineon and TU Vienna

• The boilerplate working group meet when necessary to solve reported problems and issue new boilerplates and update existing ones.

Boilerplate structure

A complete boilerplate requirement consist of a prefix, a main part and a suffix.

An example of a complete boilerplate requirement is shown below. Even though this requirement is in a semi-formal form it is still easy to read.

• If <temperature reaches max temperature>, the <boiler controller> shall <reduce the power to the heating unit> within <2> <seconds>.

Ontologies and boilerplates The full potential of using boilerplates for requirements will only

be realized when we combine them with one more ontologies. We can then:

• Check the completeness of the requirements in relations to a given ontology.

E.g. if we are using the steam-boiler ontology and do not have a requirement for a safety valve, the tool will tell you that the requirements are not complete and, if inquired, will tell you that it expects one or more safety valve requirements.

• Enforce a consistent use of terms, just as for GNL.

E.g. in the steam boiler ontology, the terms tank and vessel will be replaced by the term boiler-tank.

TDT 4242

Boilerplate examples - 1

The <user> shall be able to <capability>

Attributes:• <user> = driver• <capability> = <verb> <entity> = start the ACC system

Requirement

The driver shall be able to start the ACC system

TDT 4242

Boilerplate examples - 2

The <system> shall be able to <action> <entity>

Attributes:• <system> = ACC system• <action> = <verb> = determine• <entity> = the speed of the ego-vehicle

Requirement

The ACC system shall be able to determine the speed of the ego-vehicle

TDT 4242

Boilerplate examples - 3• Prefix: While <state> • Main part: <user> shall be able to <capability>

Attributes • <state> = activated• <user> = driver• <capability> = override engine power control of the ACC system

Requirement

While activated the driver shall be able to override engine power control of the ACC-system

TDT 4242

Non-functional requirement example – 1

Non-functional requirements and soft goals fits into the same BPs as functional requirements

The <system> shall be able to <action> to <entity>

Suitability: The <system > shall be able to <provide an appropriate set of functions> to <the user>

TDT 4242

Non functional requirement example – 2 Non-functional requirements and soft goals

fits into the same BPs as functional requirements

The <system> shall be able to <capability>…for a period of at least <quantity> <unit>

Maturity:The <system > shall be able to <operate without failure> for a sustained period of at least <quantity> <time unit>

Non functional requirement example – 3 • While <state> • The <system> shall be able to <action> <entity>

While <normal state> the <system> shall be able to <tolerate> <90% of software faults of category...>

Summing up

The use of boiler plates and ontologies will• Enforce a uniform use of terms• Reduce the variability of presentations –

requirements that are similar will look similar

Reduced variation in form and contents simplifies the use of automatic and semi-automatic tools for

• Checking requirement quality – e.g. completeness and consistency

• Creating test cases

User stories

Why user stories

User stories is another way to use templates.

• Boilerplates define the terms to use• User stories define the required content

What is a User Story• A concise, written description of a piece of functionality

that will be valuable to a user (or owner) of the software.

• Stories are used as:– Descriptions of user’s needs– Product descriptions– Planning items– Tokens for a conversation– Mechanisms for deferring conversation

User Story Cards have three parts

1. Description - A written description of the user story for planning purposes and as a reminder

2. Conversation - A section for capturing further information about the user story and details of any conversations

3. Confirmation - A section to convey what tests will be carried out to confirm the user story is complete and working as expected

User Story Template – 1

- As a [user role] I want to [goal] so I can [reason]

- As a [type of user] I want to [perform some task] so that I can [reach some goal]

Example: • As a registered user I want to log in

so I can access subscriber-only content

User Story Template – 2 • Who (user role)

• What (goal)

• Why (reason)o gives clarity as to why a feature is usefulo can influence how a feature should functiono can give you ideas for other useful features

that support the user's goals

From user story to test caseWe can use templates to write test cases for the

use stories. One tool that employs such templates is CUCUMBER:

• Scenario: a short description of the test scenario

• Given: test preconditions• When: test action – input• Then: test result – output• And: can be used to include more than one

precondition, input or output.

Use stories (US) vs. boilerplates (BP)We can use boilerplates to formulate use stories• US: As a [user role] I want to [goal] so I can

[reason]BP: The [user role] shall [action] in order to achieve [goal]

• US: As a [type of user] I want to [perform some task] so that I can [reach some goal]BP: The system shall be able to [perform some task] in order to achieve [some goal]

Boilerplate examples

Robot rail Position switchRobot arm Robot platform

Light emitter

Light receiver

Gate B Gate A

Area A Area B

Fence

Restart switch

SafeLoc – 1

TDT 4242

SafeLoc – 2 • if <state>, <system> shall <action> within <quantity>

<unit>

if <gate is opened to the zone where the robot is operating>, <robot control> shall <stop> <robot> within <10> <milliseconds>,

• <system> shall not allow <entity> to be <state>, unless <state>

<robot control> shall not allow <robot> to be <started>, unless <all gates are closed> and <reset button is pushed>

SafeLoc – 3

• If <event>, <system> shall <action>

if <robot moves into an occupied zone>, <robot control> shall <stop> <robot>

ACC requirements – 1 • The minimum selectable time gap for steady state vehicle following shall be greater

than or equal 1s for all speeds. At least one time gap tau in the range 1.5s to 2.2s shall be provided

<ACC> shall not allow <driver> to <set> <time gap less than 1s> <ACC> shall be able to <select> <at least one time gap tau> within <1.5 to 2.2>

<seconds>

• The ACC system shall be able to determine the speed of the ego-vehicle

<ACC> shall be able to <determine > <the speed of the ego-vehicle> • An ACC system is not required to respond to stationary targets. If the system is not

designed to respond to stationary targets the driver shall be informed at least by a statement in the vehicle owner’s manual

<ACC > may <response> <to stationary targets>

If <ACC does not respond to stationary targets>, <ACC manual> shall <inform> < driver>

ACC requirements – 2 • The ACC system shall enable steady state vehicle following on (a) straight

roads (class I, II, III and IV) and (b) curves with a radius down to 500m (class II, III and IV), down to 250 m (class III and IV), and down to 125m (class IV)

<ACC> shall be able to <steady state vehicle following> on {<straight roads class I, II, III and IV> and < curves with a radius down to 500m on roads class II, III and IV> and <curves with a radius down to 250 m roads class III and IV> and <curves with a radius down to 125m on roads class IV>}

• An ACC system shall provide means for a driver to select a desired set speed

<driver> shall be able to <select> <desired speed> • The driver shall always have the authority to override the ACC system engine

power control

<driver> shall be able to <override> <ACC engine power control>

Temperaturesensor

Heating element

220V AC

Controller

I/O panel

Heating unit – system overview

Natural language requirements 1. The user shall be able to use a simple panel to define time

intervals, consisting of– Starting time– Ending time– Temperature during this interval – Ta

2. The time intervals are not allowed to overlap3. The user shall be able to use a simple panel to define a

temperature tolerance value d. 4. If the user don't set a temperature tolerance, the system shall

use default value d = 2oC5. If the temperature falls below Ti – d, the heather shall be turned

on6. If the temperature exceeds Ti + d, the heather shall be turned off7. If time is outside all defined intervals the temperature shall be

set to a predefined default value T0.

Boilerplate requirements – 1

1. <user> shall be able to <define> <time interval a = [ts, te]>2. <system> shall not allow <time intervals> to <overlap>3. <user> shall be able to <set> <temperature Ta for time

interval a>4. <user> shall be able to <set> <temperature tolerance d>5. If <temperature tolerance not set>, <system> shall <set>

<temperature tolerance = 2>6. <system> shall have <simple input / output panel>7. <system> shall have <heating unit>8. <system> shall have <default temperature = T0>9. In order to <measure temperature>, <system> shall have

<temperature sensor>

Boilerplate requirements – 2 10. In order to <control temperature>, <heating unit> shall have

<on / off switch> 11. If <temperature sensor reading exceeds T + d>, <system> shall

<switch on heating unit>12. If <temperature sensor reading is below T - d>, <system> shall

<switch off heating unit>13. When <time in [ts, te] for interval a>, <system> shall <set> <T =

Ta>14. <system> shall <sample> <temperature sensor> at least <3>

times per <minute>15. <system> shall not allow <time intervals> to <overlap>16. If <time is outside all time intervals>, <system> shall <set> <T =

T0>

How to communicate requirements

Use cases and beyond

TDT 4242

Finding use cases • Describe the functions that the user

wants from the system

• Describe the operations that create, read, update, and delete information

• Describe how actors are notified of changes to the internal state of the system

• Describe how actors communicate information about events that the system must know about

TDT 4242

Key points for use cases - 1

• Building use cases is an iterative process

• You usually don’t get it right at the first time.

• Developing use cases should be looked at as an iterative process where you work and refine.

• Involve the stakeholders in each iteration

TDT 4242

Reuse opportunity for use cases – 1 There is duplicate behavior in both the buyer and

seller which includes "create an account" and "search listings".

Extract a more general user that has the duplicate behavior and then the actors will "inherit" this behavior from the new user.

TDT 4242

Reuse opportunity for use cases – 2 Relationships between use cases:• Dependency – The behavior of one use

case is affected by another. Being logged into the system is a pre-condition to performing online transactions. Make a Payment depends on Log In

• Include – One use case incorporates the behavior of another at a specific point. Make a Payment includes Validate Funds Availability

TDT 4242

Reuse opportunity for use cases – 3

Relationships between use cases:

• Extends – One use case extends the behavior of another at a specified point, e.g. Make a Recurring Payment and Make a Fixed Payment both extend the Make a Payment use case

• Generalize – One use case inherits the behavior of another; it can be used interchangeably with its “parent” use case, e.g. Check Password and Retinal Scan generalize Validate User

Extend

Respond to emergency

Control centeroperator

communication down

<<extends>>

Request arrives through radio or phone

Generalize

Request (re)scheduling of maintenance

Already scheduled- reschedule

Proposed timenot acceptable

Maintenance worker

Ask for new suggestion

Changes in time consumption or personnel

Adding details

We can add details to a use case diagram by splitting uses cases into three types of objects.

Entity object Control object Boundary object Entity object Control object Boundary object

Adding details – example • Input and output via boundary objects• Validate input and output via control objects• Save via entity objects

Web serverValidate Main page

Database Update Show Result page

Web serverValidate Main page

Database Update Show Result page

Web serverValidate Main page

Database Update Show Result page

From UC to SD – 1

From UC to SD – 2

From UC to SD – 3

Use case diagrams – pros and cons

Simple use case diagrams are• Easy to understand• Easy to draw

Complex use case diagrams – diagrams containing <<include>>> and <<extend>> are difficult to understand for most stakeholders.

Use case diagrams do not show the sequence of actions

TDT 4242

Textual use cases - 1Identify the key components of your use

case. The actual use case is a textual representation

TDT 4242

Textual use cases - 2Examples of alternative flow are:

• While a customer places an order, their credit card failed

• While a customer places an order, their user session times out

• While a customer uses an ATM machine, the machine runs out of receipts and needs to warn the customer

Alternative flow can also be handled by using <<extend>> and <<include>>

Textual use cases – 3 Most textual use cases fit the following pattern:

Request with data

Respond with result

Validate

Change

Request with data

Respond with result

Validate

Change

Textual use case – example Use case name Review treatment planUse case actor DoctorUser action System action1. Request treatment plan for

patient X2. Check if patient X has this doctor3. Check if there is a treatment plan for

patient X4. Return requested document

5. Doctor reviews treatment plan

Exceptional paths

2.1 This is not this doctor’s patient2.2 Give error messageThis ends the use case3.1 No treatment plan exists for this patientThis ends the use case

Textual use case <<extend>>

Use case name Respond toSystememergency call

Use case actor Operator

User action System action

System OK => Receive system signal

System Down => Use radio

Receive systemmessage

Act on message

Send response

End REC – 1

Use case name Respond to radioemergency call

Use case actor Operator

User action System action

Receive radiomessage

Act on message

Send response

End REC – 2

Textual use case <<include>>Use case name Controller

Use case actor NA

Start timer

Get data

Action necessary?

Yes => Set Actuator

Timer expired ?

No => BIT

Check error status

On => Error handling

End Controller

Use case name BIT

Use case actor NA

Get test pattern A

Write test pattern

Read test pattern

Compare patterns

Difference => Set error status

End BIT

Textual use cases – pros and cons

Complex textual use cases • Are easier to understand than most complex

use case diagrams• Are easy to transform into UML sequence

diagrams• Require more work to develop• Show the sequence of actions