[ieee 2011 ieee 5th international symposium on theoretical aspects of software engineering (tase) -...

Page 1: [IEEE 2011 IEEE 5th International Symposium on Theoretical Aspects of Software Engineering (TASE) - Xi'an, China (2011.08.29-2011.08.31)] 2011 Fifth International Conference on Theoretical

An Automatic Reasoning Mechanism for NFR Goal Models

Bo Wei∗, Zhi Jin†, and Didar Zowghi‡

∗Academy of Math. and Systems Science, Chinese Academy of Sciences, Beijing, China.

†Key Lab. of High Confidence Software Techno., Ministry of Edu., Peking University, Beijing, China.

‡Faculty of Engineering and IT., University of Technology, Sydney, Australia.

Abstract—Software requirements, especially non-functional requirements, are considered as vital prerequisites for producing software of high quality. As widely accepted, non-functional goal modeling like the NFR Framework usually employs tree modeling style, and presents an interactive process for the analysis of non-functional requirements. However, there still exist some problems during the identification of satisficing status. This paper based on the popular NFR goal model reasoning manners, clearly distinguishes the closed world assumption and the open world assumption, and proposes an automatic reasoning mechanism for NFR goal models in order to identify the satisficing statuses of the goal tree roots according to leaves’ contributions. Under a specific assumption, goals’ satisficing statuses will be transformed to affect satisficing statuses of their parents. Then parents’ satisficing statuses will be inferred according to the reasoning rules derived from different decomposition relationships. By alternately adopting these two steps, goal tree root’s satisficing status can be identified layer by layer. An illustrative example is used to show how our proposed formal approach works.

Keywords: NFR framework; label propagation; satisficing status; contribution; inference; effect.

I. Introduction

Non-functional requirements are quality concerns, usually described as the “ilities” of an envisioned software system. They are crosscutting properties that are not about what the software will do, but how well the software will carry out its functions. Non-functional requirements are often hard to quantify and evaluate, so researchers have proposed ways to specify them, amongst which the concept of softgoal is widely used to model such non-functional properties[1]. The fundamental difference between a softgoal and a “hard” goal is that softgoals are never fully satisfied. Rather, they can only be “satisficed”, as defined by Herbert Simon in [2], which means that they are sufficiently addressed and a good enough solution is sought. Non-functional requirements such as reliability, security, accuracy and performance, to name but a few, are the determining factors for making decisions among alternative designs. Handling these non-functional properties of software systems is as important as implementing the desired functionalities[3], [4], [5], [6].

Existing approaches for modeling non-functional requirements, such as i*/TROPOS [7], [8], the NFR Framework[6], [9] and GRL[10], [11], provide various manners of representation focusing on how to build a proper NFR goal model and reason on these goals. The aim of reasoning with goal nodes is to identify stepwise their satisficing statuses and to further present a rationale for the current implementation strategy. Note that none of the reasoning mechanisms of these popular modeling approaches is automatic, which will involve excessive interactions with stakeholders in some cases. This dilemma would inevitably suspend the reasoning process if interactions with stakeholders become impossible, or at least decrease the efficiency of the whole process if the goal model has a large number of nodes. Also, due to its interactivity, it cannot support the automated evaluation of the satisficing status of a goal node. For example, in the NFR Framework, weakly satisficed and weakly denied statuses are not accepted as the satisficing statuses of nodes, except roots and leaves, for further analysis[1], [6], [9]. That is, whatever assignment is made, any node except root and leaves can only be claimed fully satisficed or fully denied. If a partial satisficing status occurs after reasoning, it should be actively clarified through interaction with stakeholders. This may contradict the common understanding that non-functional requirements are never satisfied, but satisficed. Besides, existing reasoning work does not tell us how far the effects from subgoals can reach. If we can declare the conflict status of a parent directly according to its children’s conflict statuses, identification of satisficing status should become easier.

Communication with some stakeholders can help explicitly identify the weakly satisficing status, but can it be guaranteed that the previously denied node is still denied? Stakeholders may provide another fully satisficed OR-decomposed child to make this node become satisficed. Or they can also explore a new fully denied AND-decomposed child to make its parent fully denied. We argue that this phenomenon is caused by the mixed application of the closed world assumption and the open world assumption in the reasoning process. From the theoretical perspective, these two situations are totally different. The closed world assumption implies that the implicit representation of negative facts presumes total knowledge about the domain being represented[12]. The open world assumption implies that knowledge representation is an incremental process, where failure of deriving a fact does not imply its negation[13]. In requirements engineering, the closed world assumption and the open world assumption serve as the general principles in different stages of requirements development. Obviously, in the elicitation stage, the open world assumption should be adopted because we are expecting new information, while in the evaluation and verification stage the closed world assumption might be more suitable. In the NFR Framework, when exploring the effects of different contributions of nodes, the negative facts do have a specific impact on their parent node (environment) because it is under the closed world assumption. But at the stage of identifying the final statuses of nodes, extra information is needed to identify the final results of partial statuses[9]. So the identifying work is still under the open world assumption. The two assumptions are mixed up and hence confusing.

2011 Fifth IEEE International Conference on Theoretical Aspects of Software Engineering. 978-0-7695-4506-6/11 $26.00 © 2011 IEEE. DOI 10.1109/TASE.2011.13

As van Lamsweerde states: “the important role played by goal models, soft goals as evaluation criteria, and propagation of positive/negative goal contributions are now much better understood. Others have built upon the results and will continue to explore the directions”[14]. This paper proposes explicit reasoning rules in order to distinguish the closed world assumption and the open world assumption. The decidable reasoning mechanism is implemented in two steps. The first is transforming the children’s satisficing statuses into effects on the parent. The second is obtaining the inference result from multiple effects as the parent’s satisficing status. The major challenges here are (i) how to define the contribution-based transformation rules from children’s satisficing statuses to the parent’s effects under the two assumptions, and (ii) how to provide an inference mechanism for different effects from lower-level nodes. With our proposed novel two steps, we can identify the root’s satisficing status node by node, or layer by layer.

The structure of this paper is as follows. Section 2 introduces the reasoning work in existing approaches like i*/TROPOS, GRL and the NFR Framework. Section 3 details the automatic reasoning mechanism for a node’s satisficing status, including how to generate effects and manipulate multiple effects. To be more applicable, the multi-level implementation will be presented in this section. Section 4 illustrates the whole process using a practical example which includes two scenarios. Section 5 discusses some key properties of our formalism. Section 6 presents a comparison of our research with the related work. Section 7 concludes the whole paper.

II. Reasoning Work in Existing Approaches

Non-functional goal modeling approaches, such as i*/TROPOS [7], [8], the NFR Framework[6], [9] and GRL[10], [11], are critical for representing and analyzing the non-functional requirements under concern. These graphical modeling methods have their own reasoning mechanisms, i.e. the strategic dependence/rational model in i*/TROPOS, label propagation in the NFR Framework and qualitative/quantitative/hybrid analysis in GRL. Basically, all of this reasoning work follows the main idea that children’s statuses can impact their parents’ statuses. The parents’ statuses are the interplaying results of all children’s statuses. If all goal nodes can be modeled in a hierarchical structure, like tree style, the root’s satisficing status can be declared ultimately.

As mentioned above, the NFR Framework employs the goal tree to construct a top-down decomposition structure of different abstraction levels for modeling the type of softgoal considered. There are two kinds of decompositions [9]. One is operationalization decomposition, where a contribution can be attached to each node. The other is goal decomposition, where no contribution is attached and just goal AND/OR decomposition exists. Besides, the NFR Framework uses side-effect and correlation relationships to relate one softgoal to another by low-level nodes’ linkage. Finally, a Softgoal Independence Graph (abbv. SIG) can be obtained to represent a more global view of the softgoals concerned. The softgoal independence graph is the prerequisite of the reasoning mechanism.

For identifying whether the root softgoal can be implemented by the current leaf (operationalization) softgoals, the NFR Framework employs Label Propagation to judge the satisficing statuses of nodes according to the contributions and correlations of operationalization softgoals. When leaves are assigned specific satisficing statuses, their parent will be labeled with a specific satisficing status. If the satisficing status of the parent is explicit (fully satisfied or fully denied), the reasoning process can be carried on for the next level. Otherwise, analysts will communicate with stakeholders to collect extra information. That is, it is an interactive reasoning process which integrates the model decomposition structure and node contributions to generate effects as the evidence for judging the status of the parent, and declares stepwise the satisficing statuses of higher-level nodes.

For notational convenience, the NFR Framework uses ✓, ×, w+, w−, ⚡, ? and n to denote the major satisficing statuses of nodes: satisficed, denied, weakly satisficed, weakly denied, conflict, unknown and undecided respectively. It uses ++, −−, +, and − to denote the contribution relationships between a goal and its subgoals: “MAKE”, “BREAK”, “HELP”, and “HURT”. In our work, we also adopt this representation scheme.

III. The Automatic Reasoning Mechanism

This section defines a two-step process for identifying the satisficing status of a goal node. All reasoning is based on the parent node’s perspective, starting from the nodes of the two lowest levels. Two functions are given for these two steps. The first is the status transformation function, for obtaining all candidate effects from the satisficing statuses of children under the closed/open world assumption. For differentiating situations under different world assumptions, two types of status transformation functions are given. The second is the effect inference function, for manipulating multiple effects further to identify the satisficing status of the parent according to the semantics of AND/OR decomposition. Then, we can initiate a new reasoning process for the next level, just repeating our previous steps. Finally, the satisficing status of the root can be identified stepwise.

As introduced above, “unknown” and “undecided” are two different types of satisficing statuses in the NFR Framework¹. For facilitating and simplifying our discussion, here we make a unification between “unknown” and “undecided”. Provided more knowledge is required to make a further status identification, the node is declared to be “unknown”, represented by “?”.

¹ The difference between them is whether the parent node receives effects from its children. If not, the parent is said to be unknown about their satisficing statuses. Otherwise, the parent is said to be undecided if its satisficing status is still not determined.

A. Status Transformation Function

The status transformation function, denoted by $f_{st}$, aims to transform all children’s satisficing statuses into effects which will be used as evidence for identifying the satisficing status of the parent. The term “effect” has been discussed in the NFR Framework, where effect is just interpreted based on contribution links[6], [1], [9]. Effect can be viewed as a contribution-based transformation rule of a specific node. That is, satisficing statuses of nodes are not considered from the definition of effect. Besides, according to a specific effect, the status of a node can be declared in current tense and future tense. That is, a node can be of “satisfiable (not satisficed)” status because no actual satisficing status is involved, but actually of “denied” status. In this paper, focusing on the current satisficing status of a node, here we use “effect” to denote a combinational result of contribution and satisficing status.

Before the satisficing status of a node (except leaves) can be identified, the satisficing statuses of its children must be given. Note that for goal decomposition, it is true that if AND(OR)-decomposed children are jointly satisficed (denied), their parent is fully satisficed (denied), and if one arbitrary AND(OR)-decomposed child is denied (satisficed), their parent is fully denied (satisficed). So we can assume that each child in a goal decomposition (only AND/OR decomposition exists, not contribution) has a potential full positive contribution (++) to its parent (the partial contribution + cannot guarantee the two assertions above). Based on this assumption, we can define different $f_{st}$ under different world assumptions, as below:

Definition 1: Let S={✓, ×, w+, w−, ⚡, ?} be the set of satisficing statuses, and CNT1={++, −−, +, −} be the set of contribution relationships. $f_{st}^{closed}$ is said to be a status transformation function under the closed world assumption, if $f_{st}^{closed}$ is a mapping from S × CNT1 to S, and its operation rules are as shown in Table 1:

TABLE I. Operation Rules of $f_{st}^{closed}$

$f_{st}^{closed}$ | ✓ | × | w+ | w− | ⚡ | ?
++ | ✓ | × | w+ | w− | ⚡ | ?
−− | × | w+ | w− | w+ | ⚡ | ?
+ | w+ | w− | w+ | w− | ⚡ | ?
− | w− | w+ | w− | w+ | ⚡ | ?

Thus $f_{st}^{closed}$ presents the strict reasoning process from satisficing status to effect under the closed world assumption. Note that the conflicting status ⚡ can be totally passed to its parent as its effect. This can facilitate the path identification during conflict management if requirements information has been regarded as fully acquired. Similarly, we can give the definition for the open world assumption.

Definition 2: Let S={✓, ×, w+, w−, ⚡, ?} be the set of satisficing statuses, and CNT1={++, −−, +, −} be the set of contribution relationships. $f_{st}^{open}$ is said to be a status transformation function under the open world assumption, if $f_{st}^{open}$ is a mapping from S × CNT1 to S, and its operation rules are as shown in Table 2:

TABLE II. Operation Rules of $f_{st}^{open}$

$f_{st}^{open}$ | ✓ | × | w+ | w− | ⚡ | ?
++ | ✓ | ? | w+ | ? | ⚡ | ?
−− | × | ? | w− | ? | ⚡ | ?
+ | w+ | ? | w+ | ? | ⚡ | ?
− | w− | ? | w− | ? | ⚡ | ?

Thus $f_{st}^{open}$ presents the strict reasoning process from satisficing status to effect under the open world assumption. From Def. 2, it is obvious that a negative fact (× and w−) shows no impact on its environment (? as the effect). This property can help us efficiently identify the status of the parent if its children’s statuses are unknown, because as discussed in Def. 3, unknown status has no impact on status identification of the parent.

The two definitions above show that the effects of satisficing statuses are expressed in the form of satisficing statuses themselves. That is, E, denoting the types of all effects, equals S. Hence, effects represent how the parent views the satisficing statuses of its children: satisficed or denied, fully or partially.

B. Effect Inference Function

After effects have been passed to parents, we should assess whether the parent is satisficed or not. So a well defined mechanism for manipulating multiple effects is needed.

Here we introduce the effect inference function, denoted by $f_{ei}$. It is assumed that each node has its own $f_{ei}$ to calculate the final result for its satisficing status according to all children’s effects. Note that if treated bottom-up, both goal decomposition and operationalization decomposition can be unified into AND/OR decomposition. That is, we can claim whether the parent can be satisficed jointly or respectively by its children. Based on this understanding, $f_{ei}$ should have two distinct manipulation mechanisms. One is under AND-decomposition, and the other is under OR-decomposition.

For $f_{ei}$ under OR-decomposition, we need to give the operation rules about effects from children. From Tables 1 and 2, it is obvious that negative effects can be generated by both negative statuses (×, w− with ++ or +) and positive statuses (✓, w+ with −− or −). From the semantics of OR-decomposition, negative statuses can be ignored during the implementation of the parent, but positive statuses cannot. Simply speaking, under OR-decomposition, a child’s denial does not impact the final status of the parent, while its implementation does. Unfortunately, when effect × or w− is obtained, there is no way to determine which type of status is responsible for it. So $f_{ei}$ should distinguish these two situations. The negative effects worth considering are those of ✓ and w+ with contribution −− and −.

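Definition 3: Let S={✓, ×, w+, w−, ⚡, ?} be the set of satisficing statuses, E={✓, ×, w+, w−, ⚡, ?} be the set of effects, the numbers of the six types of effects ✓, ×, w+, w−, ⚡, ? be $n_1$, $n_2$, $n_3$, $n_4$, $n_5$, $n_6$ respectively, where the numbers of × and w− from negative contributions (−− and −) are $n_2^-$ and $n_4^-$ respectively. $f_{ei}^{\vee}$ is said to be an effect inference function under OR-decomposition, if $f_{ei}^{\vee}$ is a mapping from $E^{n_1+\dots+n_6}$ to S, and its operation rules are as shown in Table 3:

TABLE III. Operation Rules of $f_{ei}^{\vee}$

Condition | Result
$n_5 \ge 1$ | ⚡
$n_5 = 0$, $n_2^- \ge 1$, $n_1 \ge 1$ | ⚡
$n_5 = 0$, $n_2^- \ge 1$, $n_1 = 0$, $n_3 = 0$, $n_4^- \ge 1$ | w−
$n_5 = 0$, $n_2^- \ge 1$, $n_1 = 0$, $n_3 = 0$, $n_4^- = 0$ | ×
$n_5 = 0$, $n_2^- \ge 1$, $n_1 = 0$, $n_3 \ge 1$ | ?
$n_5 = 0$, $n_2^- = 0$, $n_2 \ge 1$, $n_1 \ge 1$, $n_4^- = 0$ | ✓
$n_5 = 0$, $n_2^- = 0$, $n_2 \ge 1$, $n_1 \ge 1$, $n_4^- \ge 1$ | ?
$n_5 = 0$, $n_2^- = 0$, $n_2 \ge 1$, $n_1 = 0$, $n_3 \ge 1$, $n_4^- \ge 1$ | ?
$n_5 = 0$, $n_2^- = 0$, $n_2 \ge 1$, $n_1 = 0$, $n_3 \ge 1$, $n_4^- = 0$ | w+
$n_5 = 0$, $n_2^- = 0$, $n_2 \ge 1$, $n_1 = 0$, $n_3 = 0$, $n_4^- = 0$, $n_4 = 0$ | ×
$n_5 = 0$, $n_2^- = 0$, $n_2 \ge 1$, $n_1 = 0$, $n_3 = 0$, $n_4^- = 0$, $n_4 \ge 1$ | w−
$n_5 = 0$, $n_2^- = 0$, $n_2 \ge 1$, $n_1 = 0$, $n_3 = 0$, $n_4^- \ge 1$ | w−
$n_5 = 0$, $n_2^- = 0$, $n_2 = 0$, $n_1 \ge 1$, $n_4^- = 0$ | ✓
$n_5 = 0$, $n_2^- = 0$, $n_2 = 0$, $n_1 \ge 1$, $n_4^- \ge 1$ | ?
$n_5 = 0$, $n_2^- = 0$, $n_2 = 0$, $n_1 = 0$, $n_3 \ge 1$, $n_4^- \ge 1$ | ?
$n_5 = 0$, $n_2^- = 0$, $n_2 = 0$, $n_1 = 0$, $n_3 \ge 1$, $n_4^- = 0$ | w+
$n_5 = 0$, $n_2^- = 0$, $n_2 = 0$, $n_1 = 0$, $n_3 = 0$, $n_4^- = 0$, $n_4 = 0$ | ?
$n_5 = 0$, $n_2^- = 0$, $n_2 = 0$, $n_1 = 0$, $n_3 = 0$, $n_4^- = 0$, $n_4 \ge 1$ | w−
$n_5 = 0$, $n_2^- = 0$, $n_2 = 0$, $n_1 = 0$, $n_3 = 0$, $n_4^- \ge 1$ | w−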

Thus $f_{ei}^{\vee}$ presents the strict reasoning rules from effect to status under OR-decomposition, which exists both in goal decomposition and operationalization decomposition. First, if there is a conflict effect (⚡) among all effects, the parent is said to be in conflict. This can guarantee that conflict information will not be omitted during the reasoning process. Second, when both ✓ status and × status exist as effects, the parent is said to be in conflict because its children propagate contradictory information simultaneously. Third, w+ and w− are partial effects, and their degrees of partiality are undecided. Hence the inferences between ✓/w−, ×/w+, and w+/w− are unknown (?). Last, an unknown effect (?) has no impact on status identification of the parent. That is, only known effects (✓, ×, w+, w− and ⚡) can impact the parent. This makes more sense because unknown status means extra information is needed from stakeholders, and therefore it is temporarily not involved in the reasoning process.

For $f_{ei}$ under AND-decomposition, because it has been assumed that the potential contribution of each link is ++, each positive/negative effect can only be generated by one specific type of status.

Definition 4: Let S={✓, ×, w+, w−, ⚡, ?} be the set of satisficing statuses, E={✓, ×, w+, w−, ⚡, ?} be the set of effects, the numbers of the six types of effects from children be $n_1$, $n_2$, $n_3$, $n_4$, $n_5$, $n_6$ respectively. $f_{ei}^{\wedge}$ is said to be an effect inference function under AND-decomposition, if $f_{ei}^{\wedge}$ is a mapping from $E^{n_1+\dots+n_6}$ to S, and its operation rules are as shown in Table 4:

TABLE IV. Operation Rules of $f_{ei}^{\wedge}$

Condition | Result
$n_5 \ge 1$ | ⚡
$n_5 = 0$, $n_2 \ge 1$ | ×
$n_5 = 0$, $n_2 = 0$, $n_6 \ge 1$ | ?
$n_5 = 0$, $n_2 = 0$, $n_6 = 0$, $n_4 \ge 1$ | w−
$n_5 = 0$, $n_2 = 0$, $n_6 = 0$, $n_4 = 0$, $n_3 = 0$ | ✓
$n_5 = 0$, $n_2 = 0$, $n_6 = 0$, $n_4 = 0$, $n_3 \ge 1$ | w+

Thus $f_{ei}^{\wedge}$ presents the strict reasoning rules from effect to status under AND-decomposition, which only exists in goal decomposition. First, as in $f_{ei}^{\vee}$, conflicting information will always be preserved during the reasoning process. So, if there is a conflict effect (⚡) among all effects, the parent is said to be in conflict. Second, the parent is said to be fully denied as long as a fully denied effect (×) exists. This completely matches the semantics of AND-decomposition. Third, when no fully denied effect exists, an unknown effect will dominate the final status of the parent. That is, the final status of the parent depends on the exact effect of the unknown status, i.e. it can be ×, w− or others. Last, if and only if all effects are fully satisficed (✓), the parent is said to be fully satisficed. These are clearly suitable for the semantics of AND-decomposition.

C. Evaluation of Goal Tree

With the status transformation function and the effect inference function, a two-level goal tree can be evaluated directly. In real practice, however, a goal model could possibly be multi-leveled. The question is whether we can apply these functions sequentially, and the answer is that we certainly can.

For example, let’s consider the goal tree in Fig. 1². It is obvious that, for nodes g3 and g4, using the status transformation function we can generate the effects on their parent g2. For g2, using the effect inference function we can identify the satisficing status from the effects. Hence the high-level node g2’s satisficing status can be used as the input of the status transformation function of the next two higher levels, g2 and g1. Simply, if the satisficing statuses of the leaves have been declared, we can incrementally identify the satisficing status of the root by alternately applying the status transformation function and the effect inference function.

² This goal tree is created by RE-Tools, which is the work of Lawrence Chung and Sam Supakkul at the University of Texas at Dallas. Fig. 2, 3, 4 are also created by that. URL: http://www.utdallas.edu/ supakkul/tools/RE-Tools/index.htm

Focusing on the main idea of multiple-level implementation, Fig. 1 does not specify which type of world assumption is adopted and what the type of decomposition is at each level. In real practice, the closed world assumption and the open world assumption are used in different situations. Which assumption should be used depends on our confidence about whether all information has already been obtained. As a simple guideline, the closed world assumption can be used, for example, when dealing with security requirements, where the emphasis is often on mitigating known threats. However, this assumption may not be intuitive for organizational level modeling, especially for stakeholder goal modeling, where the open world assumption could better reflect knowledge about the world.

Fig. 1. Identification of Satisficing Status in A Goal Tree

IV. An Illustrative Example

This section will present a practical example about security requirements to illustrate how differentiation between the closed world assumption and the open world assumption benefits the formal process of status identification. We will introduce two scenarios for stepwise status identification and highlighting the conflict path by reasoning.

Assume an analyst is in charge of eliciting and analyzing the security requirements of the system-to-be. After communication with all stakeholders, he obtains a goal model under the NFR Framework as shown in Fig. 2. Now, he assumes that all leaves can be fully satisficed (✓) to see whether the root can be fully satisficed as well. The closed world assumption is adopted.

• For WebpageVerificationCode[Interface], $f_{st}^{closed}$(✓, ++) = ✓.

• For MobileVerificationCode[Interface], $f_{st}^{closed}$(✓, ++) = ✓.

• For FingerprintVerificationOnly[Interface], $f_{st}^{closed}$(✓, −−) = ×.

• For Cookies[System], $f_{st}^{closed}$(✓, −) = w−.

Fig. 2. Security Goal Model under the NFR framework

Now we have all the leaves’ effects on their corresponding parents, and effect inference follows.

• For VerificationCode[Interface], $f_{ei}^{\vee}$(✓, ✓, ×) = ⚡.

• For ProtectvalidAccount[Account], $f_{ei}^{\vee}$(w−) = w−.

To go further, we repeat previous work on the higher levels.

• For VerificationCode[Interface], f closedst (�, +) = �.

• For AvoidRobot[Signup], f ∨ei (�) = �.• For ProtectvalidAccount[Account], f closed

st (w−, ++) =

w−.

• For AvoidRobot[Signup], f closedst (�, ++) = �.

• For Security[System], f ∧ei (�, w−) = �.

Fig. 3. Conflict of Security Goal under Closed World Assumption

That is, the softgoal Security[System] is in conflict status based on the assumption that all leaves are fully satisficed. Also, all nodes on the left branch except leaves are labeled with ⚡, as shown in Fig. 3. That is, the reason why the root is in conflict lies here: under the closed world assumption, FingerprintVerificationOnly[Interface]’s implementation can propagate the full negative effect × to its parent, which contradicts the full positive effects ✓. Thus, the conflict path can be easily highlighted for later analysis.

Again, the analyst changes the initial condition for the leaves’ statuses. He denies all leaves which have negative contributions.

• For WebpageVerificationCode[Interface], $f^{closed}_{st}(✓, ++) = ✓$.

• For MobileVerificationCode[Interface], $f^{closed}_{st}(×, ++) = ×$.

• For FingerprintVerificationOnly[Interface], $f^{closed}_{st}(×, −−) = w^{+}$.

• For Cookies[System], $f^{closed}_{st}(×, −) = w^{+}$.

Now we get all leaves’ effects on their corresponding parents, followed by effect inference.

• For VerificationCode[Interface], $f^{∨}_{ei}(✓, ✓, w^{+}) = ✓$.

• For ProtectvalidAccount[Account], $f^{∨}_{ei}(w^{+}) = w^{+}$.

To go further, we repeat the previous work on the higher levels.

• For VerificationCode[Interface], $f^{closed}_{st}(✓, +) = w^{+}$.

• For AvoidRobot[Signup], $f^{∨}_{ei}(w^{+}) = w^{+}$.

• For ProtectvalidAccount[Account], $f^{closed}_{st}(w^{+}, ++) = w^{+}$.

• For AvoidRobot[Signup], $f^{closed}_{st}(w^{+}, ++) = w^{+}$.

• For Security[System], $f^{∧}_{ei}(w^{+}, w^{+}) = w^{+}$.

Fig. 4. Satisficing Status of Security Goal under Closed World Assumption

We find that the softgoal Security is partially satisficed. That is, by denying the nodes with negative contributions, the root can be guaranteed to be fully or partially satisficed, as Fig. 4 shows.

If we adopt label propagation, the reasoning cannot be finalized because nodes like ProtectvalidAccount[Account] show partial statuses. We need extra information to clarify them. But our world is closed, and no extra information can be provided.
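The two closed-world traces above can be replayed mechanically; the following Python sketch is an added example, not code from the paper. The tree shape and decomposition types are assumptions read off the bullet lists (Fig. 2 is not reproduced here), the rule tables hold only the status transformation and effect inference entries this section traces plus the conflict rule stated in Section V, and the second run keeps both positively contributing leaves fully satisficed while denying the two negatively contributing ones.

```python
# Added example: closed-world status identification over the Fig. 2 goal tree.
SAT, DEN, WP, WN, CON = "satisficed", "denied", "w+", "w-", "conflict"
ROOT = "Security[System]"
# parent -> (decomposition, [(child, contribution)]). Shape is an assumption
# read off the bullet lists in this section; Fig. 2 itself is not shown.
TREE = {
    ROOT: ("and", [("AvoidRobot[Signup]", "++"),
                   ("ProtectvalidAccount[Account]", "++")]),
    "AvoidRobot[Signup]": ("or", [("VerificationCode[Interface]", "+")]),
    "VerificationCode[Interface]": ("or", [
        ("WebpageVerificationCode[Interface]", "++"),
        ("MobileVerificationCode[Interface]", "++"),
        ("FingerprintVerificationOnly[Interface]", "--")]),
    "ProtectvalidAccount[Account]": ("or", [("Cookies[System]", "-")]),
}
LEAF_CONTRIB = {c: sign for _, kids in TREE.values()
                for c, sign in kids if c not in TREE}
# f_st under the closed world assumption: only entries traced in the text.
F_ST_CLOSED = {(SAT, "++"): SAT, (SAT, "+"): WP, (SAT, "-"): WN, (SAT, "--"): DEN,
               (DEN, "++"): DEN, (DEN, "-"): WP, (DEN, "--"): WP,
               (WP, "++"): WP, (WN, "++"): WN}
# f_ei: only the conflict-free input rows traced in the text, keyed order-free.
_EI_ROWS = [("or", [SAT, SAT, DEN], CON), ("or", [SAT, SAT, WP], SAT),
            ("or", [WN], WN), ("or", [WP], WP), ("and", [WP, WP], WP)]
F_EI = {(kind, tuple(sorted(eff))): out for kind, eff, out in _EI_ROWS}

def f_st(status, contribution):
    """Step 1: turn a child's status into its effect on the parent."""
    if status == CON:              # conflict is always passed on (Section V)
        return CON
    return F_ST_CLOSED[(status, contribution)]  # KeyError: rule not on the page

def f_ei(kind, effects):
    """Step 2: infer the parent's status from its children's effects."""
    if CON in effects:             # one conflicting effect makes the parent conflict
        return CON
    return F_EI[(kind, tuple(sorted(effects)))]

def identify(leaf_status, node=ROOT, labels=None):
    """Alternate f_st and f_ei bottom-up; return {node: status} for the tree."""
    labels = {} if labels is None else labels
    if node not in TREE:
        labels[node] = leaf_status[node]
    else:
        kind, children = TREE[node]
        effects = [f_st(identify(leaf_status, c, labels)[c], sign)
                   for c, sign in children]
        labels[node] = f_ei(kind, effects)
    return labels

def conflict_path(labels, node=ROOT):
    """Follow conflict labels down from the root to the node where they start."""
    path = []
    while node is not None and labels[node] == CON:
        path.append(node)
        kids = [c for c, _ in TREE.get(node, ("", []))[1]]
        node = next((k for k in kids if labels[k] == CON), None)
    return path

all_satisficed = identify({leaf: SAT for leaf in LEAF_CONTRIB})
negatives_denied = identify({leaf: DEN if sign[0] == "-" else SAT
                             for leaf, sign in LEAF_CONTRIB.items()})
```

A status/contribution pair that this section never traces raises `KeyError` rather than guessing a rule, so extending the tables requires the full definitions given earlier in the paper.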

V. Discussion

Our method distinguishes two assumptions and provides a formal treatment of identifying the satisficing status of non-functional requirements. Applying the status transformation function $f_{st}$ and the effect inference function $f_{ei}$ to the given satisficing statuses of nodes can guarantee explicit identification of the status in each step.

Our method makes a clear distinction between the closed world assumption and the open world assumption, and facilitates a more effective reasoning process. As defined above, unlike the traditional reasoning process in the NFR framework, the two functions have different operation rules for different assumptions, which provides two sets of reasoning mechanisms. In principle, this differentiation matches the prerequisite of reasoning in an information system (either CWA or OWA applies). In practice, it can also fit the specific problem background (whether information can be guaranteed complete). That is, applying a certain reasoning mechanism should rely on the specific chosen assumption, without mixing both assumptions.

Also, our method does not ignore the partial effect of satisficing status. That is, w+ and w− are treated equally with ✓. Under the open world assumption, we may collect extra information for further clarification of the partial effects w+ and w−, aiming to obtain the full effects ✓ and ×. This cannot happen under the closed world assumption. So our method just takes w+ and w− for granted, and gives some reasoning rules for them under the specific assumption, not relying on extra information from stakeholders.

Besides, it is clear that the ⚡ status can be propagated up to the root as long as one of its offspring is in conflict. According to the operation rules of the status transformation function $f_{st}$ and the effect inference function $f_{ei}$, whatever assumption applies, ⚡ can be transformed to ⚡ as the effect, which will make the parent in conflict status as well. Hence, each node along the path related to the conflict will be labeled with the sign ⚡. This can greatly facilitate identification of conflict in inconsistency management for non-functional requirements.

Last but not least, under whatever assumption, unknown status (?) can be propagated as unknown effect (?) to high-level nodes, and then has no impact on the status identification of the parent if OR-decomposition is adopted in each level. This can reduce the complexity of status identification work, since the unknown nodes can be left alone.

VI. Related Work

Literature offers very little on differentiation between these two assumptions and formal reasoning of non-functional requirements. One reason is that verification of non-functional requirements is not straightforward. The other is that formal reasoning for non-functional requirements relies heavily on a proper modeling method. The goal-oriented method, the most systematic and widely accepted in the current literature, treats each non-functional requirement as a goal of software[5]. To build a successful software product, all related goals should be satisfied completely or partially. Hence, from goal modeling’s point of view, non-functional requirements can also be noted as softgoals, contrary to the functional requirements as (hard)goals. (In fact, “non-functional requirements”/“functional requirements” and “softgoal”/“hardgoal” belong to two different taxonomies. Non-functional requirements are not completely equivalent to softgoals, and neither are functional goals. The key point here is the verification. Here, to bridge the gap, we assume that verification of non-functional requirements cannot be achieved in a straightforward manner. For a discussion please see [15].)

Goal-based reasoning is pivotal for model construction and requirements elaboration, exploration and evaluation of alternatives, conflict management, anticipation of incidental or malicious behaviors, and optimization of behavior model synthesis[16]. Among all goal-oriented methods, the NFR framework is the first to propose the concept of softgoal in the RE context and offer a process for dealing with non-functional requirements. Since then, i∗/Tropos[17], GRL[18], [7], and REF[19] have all employed the concept of softgoal in their dependent advancements.

Within goal-oriented paradigms, the NFR Framework and i∗/Tropos are two widely adopted solutions for non-functional requirements. As mentioned before, the NFR Framework puts more emphasis on goal contribution and correlation[5], [6], [1]. Using label propagation, we can make design decisions based on the consideration of goal satisfaction[20]. i∗/Tropos, which has its own unique notation, captures the interaction between the software entity and environmental entities. In i∗/Tropos, goals are correlated with other entities by tasks and resources, which should be implemented by real agents[21], [22], [23]. With the Strategic Dependency Model and the Strategic Rationale Model, i∗/Tropos supports goal modeling and reasoning[24]. Note that the reasoning process in i∗/Tropos is an organizational and social evolution process. In our previous work, we have presented a formal language Σ to represent the goal model under the NFR framework[25]. Σ is a link-based language upon which the reasoning process is executed following the decomposition structure of goal models.

GRL[11] integrates the core concepts of i∗ and the NFR Framework and supports links to a companion scenario notation called Use Case Maps (abbr. UCM). It provides three algorithms to support qualitative, quantitative and hybrid evaluations for different modeling elements. However, some key principles differ between GRL and Σ regarding the reasoning mechanism. First, GRL puts much emphasis on qualitative analysis which takes precise satisficing (strategy) degrees (integers between -100 and 100) of any modeling elements into consideration. In our approach, we use six types of qualitative satisficing degrees to initiate the reasoning process. Second, GRL explicitly differentiates between decomposition links and contribution links, but hides the inherent reasoning mechanisms of evaluation in both. For example, in GRL there is no explanation provided as to why the value of an OR-decomposed node is equal to the maximum value of all its children’s values. We, however, explicitly differentiate the two steps of the inherent reasoning mechanisms in evaluation, and differentiate decomposition links and contribution links only when applying the reasoning rules. Last, GRL attempts to present a more general treatment of goal-oriented analysis. We restrict our work to the NFR Framework background.

As an efficient way of manipulating (hard)goals, KAOS provides a mechanism for representing and reasoning with functional goals, using temporal logic. But unfortunately, the work on KAOS is function-centered. Letier et al. pointed out that though fuzzy logic is proposed for characterizing softgoals, the key limitation of this approach is that measurement of the degree of requirements satisfaction cannot be guaranteed to be objective. They proposed an approach enriching goal refinement models with a probabilistic layer for reasoning about partial satisfaction[26]. Within such models, non-functional goals are specified in a precise, probabilistic way. Jureta et al. proposed a formalism for characterizing softgoals, but it just gives a new formal representation, aiming to obtain a more profound understanding of a single softgoal instance[15].

VII. Conclusion

Reasoning mechanisms in the existing approaches for goal modeling have some distinctive weaknesses which mean that an automatic reasoning process cannot be guaranteed during the analysis of non-functional requirements. To solve this problem, we distinguish the closed world assumption and the open world assumption. First, under different assumptions, by applying the status transformation function $f_{st}$, the satisficing statuses of low-level nodes can be transformed to the effects on parents. Then the satisficing statuses of parents can be identified by the effect inference function $f_{ei}$, involving effects from children. Layer by layer, the root’s satisficing status can finally be identified by alternately adopting the two functions.

Our contribution is thus threefold. First, compared with current research, our work provides a formalism for declaring whether the specific non-functional requirements can be achieved by the existing low-level requirements alternatives. According to the formal reasoning process, we can obtain the root’s satisficing status, i.e. fully or partially satisficed or denied, unknown, or conflict. Second, this formalism differentiates between the closed world assumption and the open world assumption, which makes more sense in reasoning in real practice. Last, we use a two-step process to identify the satisficing status. This strategy gives a very clear view of reasoning: obtaining effects and manipulating effects. They are strictly executable processes. Also, it makes the satisficing status identification more readable and understandable. Label propagation hides its mechanism altogether, and only supports manual reasoning.

Some issues still need our exploration. We admit that the most significant challenge is to decide which assumption should be applied in any given situation. It is theoretically and practically a complex issue. In some cases, the goal that we are concerned with does not make it obvious at first glance which assumption applies. We are working on developing guidelines, drawn from either the theory or the practice of requirements engineering, to support this decision-making process. Detecting nodes related to conflict and developing strategies to mitigate or eliminate conflict is also a promising future direction. The work in this paper can be used for conflict identification in one goal model. That is, nodes along the conflict-related path can be labeled with conflict status as long as one of the offspring is in conflict. For conflict hidden among several goal models, we will apply the extension operator/function presented in [25] to integrate these models, and then we propose to employ the method presented in this paper to find which node is in conflict.

As another combination with our previous work, the formal representation language Σ, we will explore some reasoning rules for formally identifying the satisficing status of nodes when the softgoal is represented by a formula in Σ. That is, after a softgoal is represented as a formula in Σ, we can deduce the satisficing status of each atom (a node of the goal tree) in the formula, applying some reasoning rules which involve the status transformation function and the effect inference function. This part of the work is inspired by the traditional work in goal-oriented RE, with many interesting results based on the KAOS language. This can bring us closer to the aim of automating the satisficing status identification.

Acknowledgment

This work is supported by the National Grand Fundamental Research Program of China under Grant No. 2009CB320701, the Key Projects of National Natural Science Foundation of China under Grant No. 90818026, and the International Science Linkage Research Grant under the Australia-China Special fund for Science and Technology.

References

[1] Mylopoulos, J., Chung, L., Nixon, B.: Representing and using nonfunctional requirements: A process-oriented approach. IEEE Trans. Software Engineering 18(6) (1992) 483–497

[2] Simon, H.A.: Rational choice and the structure of the environment. Psychological Review, 63 (1956) 129–138

[3] Ryan, A.: An approach to quantitative non-functional requirements in software development. In: the 34th Annual Government Electronics and Information Association Conference. (2000)

[4] Cysneiros, L., Leite, J.: Nonfunctional requirements: From elicitation to conceptual models. IEEE Transactions on Software Engineering 30(5) (2004) 328–350

[5] Chung, L., do Prado Leite, J.: On non-functional requirements in software engineering. Conceptual Modeling: Foundations and Applications, LNCS 5600 (2009) 363–379

[6] Chung, L., Nixon, B.: Dealing with non-functional requirements: Three experimental studies of a process-oriented approach. In: the 17th International Conference on Software Engineering. (1995) 24–28

[7] Yu, E.: Towards modelling and reasoning support for early-phase requirements engineering. In: the 3rd IEEE International Symposium on Requirements Engineering (RE’97). (1997) 226–235

[8] Giorgini, P., Mylopoulos, J., Sebastiani, R.: Goal-oriented requirements analysis and reasoning in the tropos methodology. Appl. Artif. Intell. 18 (2005) 159–171

[9] Chung, L., Nixon, B., Yu, E., Mylopoulos, J.: Non-Functional Requirements in Software Engineering. Springer (2000)

[10] Weiss, M., Amyot, D.: Business process modeling with urn. Int. J. E-Business Res. 1(3) (2006) 63–90

[11] Amyot, D., Ghanavati, S., Horkoff, J., Mussbacher, G., Peyton, L., Yu, E.: Evaluating goal models within the goal-oriented requirement language. Int. J. Intel. Syst. 25(8) (2010) 841–877

[12] Reiter, R.: On closed world data bases. Logic and Data Bases, Gallaire H. and Minker J. (ed) (1978) 55–76

[13] Hustadt, U.: Do we need the closed-world assumption in knowledge representation. In: Working Notes of the KI94 Workshop: Reasoning about Structured Objects: Knowledge Representation Meets Databases (KRDB94). Volume D-94-11 of Document. (1994) 24–26

[14] van Lamsweerde, A.: Reasoning about alternative requirements options. Conceptual Modeling: Foundations and Applications 5600 (2009) 380–397

[15] Jureta, I., Faulkner, S., Schobbens, P.: A more expressive softgoal conceptualization for quality requirements analysis. In: the 25th International Conference on Conceptual Modeling (ER06). (2006)

[16] van Lamsweerde, A.: Engineering requirements for system reliability and security. Software System Reliability and Security 9 (2004) 196–238

[17] Castro, J., Kolp, M., Mylopoulos, J.: Towards requirements-driven information systems engineering: the tropos project. Information System 6 (2002) 365–389

[18] Liu, L., Yu, E.: Designing information systems in social context: a goal and scenario modeling approach. Information System 29 (2003) 187–203

[19] Donzelli, P.: A goal-driven and agent-based requirements engineering framework. Requirements Engineering 9 (2004) 16–39

[20] Giorgini, P., Mylopoulos, J., Nicchiarelli, E., Sebastiani, R.: Reasoning with goal models. Spaccapietra, S., March, S.T., Kambayashi, Y. (eds.) ER 2002. LNCS 2503 (2002) 167–181

[21] Fuxman, A., Liu, L., Mylopoulos, J., Pistore, M., Roveri, M., Traverso, P.: Specifying and analyzing early requirements in tropos. Requirements Engineering 9(2) (2004) 132–150

[22] Yu, E., Mylopoulos, J.: Enterprise modelling for business redesign: the i* framework. SIGGROUP Bull 18(1) (1997) 59–63

[23] de Padua Albuquerque Oliveira, A., Cysneiros, L., do Prado Leite, J., Figueiredo, E., Lucena, C.: Integrating scenarios, i*, and aspects in the context of multi-agent systems. In: the Conference of the Center For Advanced Studies on Collaborative Research, CASCON 2006, ACM, New York (2006) 16

[24] van Lamsweerde, A.: Managing conflicts in goal-driven requirements engineering. IEEE Transactions on Software Engineering 44(11) (1998)

[25] Wei, B., Jin, Z., Liu, L.: A formalism for extending the NFR Framework to support the composition of the goal trees. In: 17th Asia Pacific Software Engineering Conference. (2010) 23–32

[26] Letier, E., van Lamsweerde, A.: Reasoning about partial goal satisfaction for requirements and design engineering. In: ACM SIGSOFT Symp. Foundation of Software Engineering. (2004) 53–62