[ieee 2011 ieee 5th international symposium on theoretical aspects of software engineering (tase) -...
An Automatic Reasoning Mechanism for NFR Goal Models
Bo Wei∗, Zhi Jin†, and Didar Zowghi‡
∗Academy of Math. and Systems Science, Chinese Academy of Sciences, Beijing, China. [email protected]
†Key Lab. of High Confidence Software Techno., Ministry of Edu., Peking University, Beijing, China. [email protected]
‡Faculty of Engineering and IT., University of Technology, Sydney, Australia. [email protected]
Abstract—Software requirements, especially non-functional requirements, are considered vital prerequisites for producing software of high quality. As widely accepted, non-functional goal modeling such as the NFR Framework usually employs a tree modeling style, and presents an interactive process for the analysis of non-functional requirements. However, some problems remain in the identification of satisficing status. Based on the popular reasoning approaches for NFR goal models, this paper clearly distinguishes the closed world assumption from the open world assumption, and proposes an automatic reasoning mechanism for NFR goal models in order to identify the satisficing statuses of the goal tree roots according to the leaves’ contributions. Under a specific assumption, goals’ satisficing statuses are transformed to affect the satisficing statuses of their parents. The parents’ satisficing statuses are then inferred according to the reasoning rules derived from the different decomposition relationships. By alternately applying these two steps, the goal tree root’s satisficing status can be identified layer by layer. An illustrative example is used to show how our proposed formal approach works.
Keywords: NFR framework; label propagation; satisficing status; contribution; inference; effect.
I. Introduction
Non-functional requirements are quality concerns, usually
described as “ilities” of the envisioned software. They are
crosscutting properties that are not about what the software
will do, but how well the software will carry out its functions.
Because non-functional requirements are often hard to quantify
and evaluate, researchers have proposed ways to specify them,
amongst which, the concept of softgoal is widely used to
model such non-functional properties[1]. The fundamental
difference between a softgoal and a “hard” goal is that
softgoals are never fully satisfied. Rather, they can only be
“satisficed” as defined by Herbert Simon in [2], which means
that they are sufficiently addressed, and a good enough solution
is sought. Non-functional requirements such as reliability,
security, accuracy, performance, to name but a few, are the
determining factors for making decisions among alternative
designs. Handling these non-functional properties of soft-
ware systems is as important as implementing the desired
functionalities[3], [4], [5], [6].
Existing approaches for modeling non-functional require-
ments, such as i∗/TROPOS [7], [8], NFR Framework[6], [9]
and GRL[10], [11], provide various manners of representation
focusing on how to build a proper NFR goal model and reason
on these goals. The aim of reasoning with goal nodes is
to identify stepwise their satisficing statuses and to further
present a rationale for the current implementation strategy.
Note that none of the reasoning mechanisms of these popular
modeling approaches is automatic, which in some cases involves
excessive interactions with stakeholders. This dilemma
would inevitably suspend the reasoning process if interactions
with stakeholders become impossible, or at least decrease the
efficiency of the whole process if the goal model has a large
number of nodes. Also, due to its interactivity, it cannot support
the automated evaluation of the satisficing status of a goal node.
For example, in the NFR Framework, weakly satisficed and weakly
denied statuses are not accepted as the satisficing statuses of
nodes except roots and leaves for further analysis[1], [6], [9].
That is, whatever assignment is made, any node except the root
and leaves can only be claimed fully satisficed or fully denied.
If a partial satisficing status occurs after reasoning, it should
be actively clarified through interaction with stakeholders.
This may contradict the common understanding that
non-functional requirements are never satisfied, but
satisficed. Besides, existing reasoning work does not tell us
how far the effects from subgoals can reach. If we can declare
the conflict status of a parent directly according to its children’s
conflict statuses, identification of satisficing status should
become easier.
Communication with some stakeholders can help explicitly
identify the weakly satisficing status, but can it be guaranteed
that the previously denied node is still denied? Stakeholders
may provide another fully satisficed OR-decomposed child to
make this node become satisficed. Or they can also explore
a new fully denied AND-decomposed child to make
its parent fully denied. We argue that this phenomenon is
caused by the mixed application of the closed world assumption
and the open world assumption in the reasoning process.
From the theoretical perspective, these two situations are
totally different. The closed world assumption implies that
the implicit representation of negative facts presumes total
knowledge about the domain being represented[12]. The open
world assumption implies that knowledge representation is an
incremental process, where failure of deriving a fact does
not imply its negation[13]. In requirements engineering, the
closed world assumption and the open world assumption serve
as the general principles in different stages of requirements
development. Obviously, in the elicitation stage, the open world
assumption should be adopted because we are expecting new
information. In the evaluation and verification stage, however,
the closed world assumption might be more suitable. In
the NFR Framework, when exploring the effects of different
contributions of nodes, the negative facts do have a specific
impact on their parent node (environment) because it is under
the closed world assumption. But at the stage of identifying the
final statuses of nodes, extra information is needed to identify
the final results of partial statuses[9]. So the identifying work is
still under the open world assumption. The two assumptions are
mixed up and hence confusing.
2011 Fifth IEEE International Conference on Theoretical Aspects of Software Engineering
978-0-7695-4506-6/11 $26.00 © 2011 IEEE
DOI 10.1109/TASE.2011.13
As van Lamsweerde states: “the important role played by
goal models, soft goals as evaluation criteria, and propaga-
tion of positive/negative goal contributions are now much
better understood. Others have built upon the results and will
continue to explore the directions”[14]. This paper proposes
explicit reasoning rules in order to distinguish the closed world
assumption and the open world assumption. The decidable
reasoning mechanism is implemented by two steps. The first
is transforming the children’s satisficing statuses into effects
on the parent. The second is obtaining the inference results
from multiple effects as the parent’s satisficing status. Major
challenges here are (i) how to define the contribution-based
transformation rules from children’s satisficing statuses to
parent’s effects under the two assumptions, and (ii) how
to provide an inference mechanism of different effects from
lower-level nodes. With our novel two-step process, we can
identify the root’s satisficing status node by node, or layer by
layer.
The structure of this paper is as follows. Section 2 introduces
the reasoning work in existing approaches such as i∗/TROPOS,
GRL and the NFR Framework. Section 3 details the automatic
reasoning mechanism for node’s satisficing status, including
how to generate effects and manipulate multiple effects. To
be more applicable, the multi-level implementation will be
presented in this section. Section 4 illustrates the whole pro-
cess using a practical example which includes two scenarios.
Section 5 discusses some key properties of our formalism.
Section 6 presents a comparison of our research with the
related work. Section 7 concludes the whole paper.
II. Reasoning Work in Existing Approaches
Non-functional goal modeling is a critical issue for repre-
senting and analyzing the non-functional requirements under
concern, such as i∗/TROPOS [7], [8], NFR Framework[6],
[9] and GRL[10], [11]. These graphical modeling methods
have their own reasoning mechanisms, i.e. strategic dependence/rationale
model in i∗/TROPOS, label propagation in the
NFR Framework and qualitative/quantitative/hybrid analysis in
GRL. Basically, all of this reasoning work follows the main idea
that children’s statuses can impact their parents’ statuses. The
parents’ statuses are the interplaying results of all children’s
statuses. If all goal nodes can be modeled in a hierarchical
structure, like tree style, the root’s satisficing status can be
declared ultimately.
As mentioned above, the NFR Framework employs the goal tree
to construct a top-down decomposition structure of different
abstraction levels for modeling a type of softgoal considered.
There are two kinds of decompositions [9]. One is
operationalization decomposition where contribution can be
attached to each node. The other is goal decomposition where
no contribution is attached, and just goal AND/OR decomposition
exists. Besides, the NFR framework uses side-effect
and correlation relationships to relate one softgoal to another
by low-level nodes’ linkage. Finally, a Softgoal Independence
Graph (abbr. SIG) can be obtained to represent a more global
view of the softgoals concerned. The softgoal independence graph is
the prerequisite of the reasoning mechanism.
For identifying whether the root softgoal can be implemented
by current leaf (operationalization) softgoals, the NFR Frame-
work employs Label Propagation to judge the satisficing sta-
tuses of nodes according to the contributions and correlations
of operationalization softgoals. When leaves are assigned with
specific satisficing statuses, their parent will be labeled with a
specific satisficing status. If the satisficing status of the parent is
explicit (fully satisfied or fully denied), the reasoning process
can be carried on to the next level. Otherwise, analysts will
communicate with stakeholders to collect extra information.
That is, it is an interactive reasoning process which integrates
the model decomposition structure and nodes’ contributions to
generate effects as evidence for judging the status of the parent,
and declares stepwise the satisficing statuses of higher-level
nodes.
For notational convenience, the NFR Framework uses ✓, ×,
w+, w−, ↯, ? and n to denote the major satisficing statuses of nodes:
satisficed, denied, weakly satisficed, weakly denied, conflict,
unknown and undecided respectively. It uses ++, −−, +, and
− to denote the contribution relationships between a goal and its
subgoals: “MAKE”, “BREAK”, “HELP”, and “HURT”. In our
work, we also adopt this representation scheme.
III. The Automatic Reasoning Mechanism
This section defines a two-step process for identifying the
satisficing status of a goal node. All reasoning is based on
the parent node’s perspective, starting from the nodes of the
two lowest levels. Two functions are given for these two
steps. The first is the status transformation function for obtaining
all candidate effects from the satisficing statuses of children
under the closed/open world assumption. To differentiate
situations under different world assumptions, two types of
status transformation functions are given. The second is the effect
inference function for manipulating multiple effects further
to identify the satisficing status of the parent according to the
semantics of AND/OR decomposition. Then, we can initiate
a new reasoning process for the next level, just repeating our
previous steps. Finally, the satisficing status of the root can be
identified stepwise.
As introduced above, “unknown” and “undecided” are two
different types of satisficing statuses in the NFR Framework¹.
To facilitate and simplify our discussion, here we make
a unification between “unknown” and “undecided”. Provided
more knowledge is required to make a further status identification,
the node is declared to be “unknown”, represented
by “?”.
¹ The difference between them is whether the parent node receives effects from its children. If not, the parent is said to be unknown about their satisficing statuses. Otherwise, the parent is said to be undecided if its satisficing status is still not determined.
A. Status Transformation Function
The status transformation function, denoted by f_st, aims to
transform all children’s satisficing statuses into effects which
will be used as evidence for identifying the satisficing status
of the parent. The term “effect” has been discussed in the NFR
framework, where an effect is just interpreted based on contribution
links[6], [1], [9]. Effect can be viewed as a contribution-based
transformation rule of a specific node. That is, satisficing
statuses of nodes are not considered in the definition of
effect. Besides, according to a specific effect, the status of
a node can be declared in the current tense and the future tense.
That is, a node can be of “satisfiable (not satisficed)” status
because no actual satisficing status is involved, but actually
of “denied” status. In this paper, focusing on the current
satisficing status of a node, we use “effect” to denote
a combinational result of contribution and satisficing status.
Before the satisficing status of a node (other than a leaf) is
identified, the satisficing statuses of its children must be given.
Note that for goal decomposition, it is true that if AND(OR)-
decomposed children are jointly satisficed (denied), their parent
is fully satisficed (denied), and if one arbitrary AND(OR)-
decomposed child is denied (satisficed), their parent is fully
denied (satisficed). So we can assume that each child in
goal decomposition (only AND/OR decomposition exists, not
contribution) has a potential full positive contribution (++) to its
parent (a partial contribution + cannot guarantee the two assertions
above). Based on this assumption, we can define different f_st
under different world assumptions, as below:
Definition 1: Let S={✓, ×, w+, w−, ↯, ?} be the set of
satisficing statuses, and CNT1={++, −−, +, −} be the set
of contribution relationships. f_st^closed is said to be a status
transformation function under the closed world assumption,
if f_st^closed is a mapping from S × CNT1 to S, and its operation
rules are as shown in Table I:

TABLE I
Operation Rules of f_st^closed

f_st^closed   ✓     ×     w+    w−    ↯     ?
++            ✓     ×     w+    w−    ↯     ?
−−            ×     w+    w−    w+    ↯     ?
+             w+    w−    w+    w−    ↯     ?
−             w−    w+    w−    w+    ↯     ?

Thus f_st^closed presents the strict reasoning process from satisficing
status to effect under the closed world assumption. Note
that the conflicting status ↯ can be totally passed to its parent
as its effect. This can facilitate the path identification during
the conflict management if requirements information has been
regarded as fully acquired. Similarly, we can give the definition
for the open world assumption.
Definition 2: Let S={✓, ×, w+, w−, ↯, ?} be the set of
satisficing statuses, and CNT1={++, −−, +, −} be the set
of contribution relationships. f_st^open is said to be a status
transformation function under the open world assumption, if
f_st^open is a mapping from S × CNT1 to S, and its operation
rules are as shown in Table II:

TABLE II
Operation Rules of f_st^open

f_st^open     ✓     ×     w+    w−    ↯     ?
++            ✓     ?     w+    ?     ↯     ?
−−            ×     ?     w−    ?     ↯     ?
+             w+    ?     w+    ?     ↯     ?
−             w−    ?     w−    ?     ↯     ?

Thus f_st^open presents the strict reasoning process from satisficing
status to effect under the open world assumption. From
Def. 2, it is obvious that the negative fact (× and w−)
shows no impact on its environment (? as the effect). This
property can help us efficiently identify the status of the parent if
its children’s statuses are unknown, because as discussed in
Def. 3, unknown status has no impact on status identification
of the parent.
The two definitions above show that effects of satisficing statuses
are expressed in the form of satisficing statuses themselves. That
is, E, denoting the types of all effects, is equal to S. Hence,
effects represent how the parent views the satisficing statuses
of children, satisficed or denied, fully or partially.
B. Effect Inference Function
After effects have been passed to parents, we should assess
whether the parent is satisficed or not. So a well defined
mechanism for manipulating multiple effects is needed.
Here we introduce the effect inference function, denoted by
f_ei. It is assumed that each node has its own f_ei to calculate
the final result for its satisficing status according to all
children’s effects. Note that if treated bottom-up, both goal
decomposition and operationalization decomposition can be
unified into AND/OR decomposition. That is, we can claim
whether the parent can be satisficed jointly or respectively
by its children. Based on this understanding, f_ei should have
two distinct manipulation mechanisms. One is under AND-
decomposition, and the other is under OR-decomposition.
For f_ei under OR-decomposition, we need to give the operation
rules about effects from children. From Tables I and II,
it is obvious that negative effects can be generated by both
negative statuses (×, w− with ++ or +) and positive statuses
(✓, w+ with −− or −). From the semantics of OR-decomposition,
however, negative statuses can be ignored during the
implementation of the parent, but positive statuses cannot. Simply
speaking, under OR-decomposition, a child’s denial does not
impact the final status of the parent, while its implementation
does. Unfortunately, when effect × or w− is obtained, there
is no way to determine which type of status is responsible
for it. So f_ei should distinguish these two situations. The
negative effects worth considering are those of ✓ and w+ with
contribution −− and −.
Definition 3: Let S={✓, ×, w+, w−, ↯, ?} be the set of
satisficing statuses, E={✓, ×, w+, w−, ↯, ?} be the set of
effects, the numbers of the six types of effects ✓, ×, w+, w−,
↯, ? be n1, n2, n3, n4, n5, n6 respectively, where the numbers
of × and w− from negative contributions (−− and −) are n2⁻ and
n4⁻ respectively. f_ei^∨ is said to be an effect inference function
under OR-decomposition, if f_ei^∨ is a mapping from E^(n1+...+n6)
to S, and its operation rules are as shown in Table III:

TABLE III
Operation Rules of f_ei^∨

Condition                                                             Result
n5 ≥ 1                                                                ↯
n5 = 0    n2⁻ ≥ 1   n1 ≥ 1                                            ↯
                    n1 = 0    n3 = 0    n4⁻ ≥ 1                       w−
                                        n4⁻ = 0                       ×
                              n3 ≥ 1                                  ?
          n2⁻ = 0   n2 ≥ 1    n1 ≥ 1    n4⁻ = 0                       ✓
                                        n4⁻ ≥ 1                       ?
                              n1 = 0    n3 ≥ 1    n4⁻ ≥ 1             ?
                                                  n4⁻ = 0             w+
                                        n3 = 0    n4⁻ = 0   n4 = 0    ×
                                                            n4 ≥ 1    w−
                                                  n4⁻ ≥ 1             w−
                    n2 = 0    n1 ≥ 1    n4⁻ = 0                       ✓
                                        n4⁻ ≥ 1                       ?
                              n1 = 0    n3 ≥ 1    n4⁻ ≥ 1             ?
                                                  n4⁻ = 0             w+
                                        n3 = 0    n4⁻ = 0   n4 = 0    ?
                                                            n4 ≥ 1    w−
                                                  n4⁻ ≥ 1             w−

Thus f_ei^∨ presents the strict reasoning rules from effect to
status under OR-decomposition, which exists both in goal
decomposition and operationalization decomposition. First, if
there is a conflict effect (↯) among all effects, the parent is
said to be in conflict. This guarantees that conflict information
will not be omitted during the reasoning process. Second, when
both ✓ status and × status exist as effects, the parent is said
to be in conflict because its children propagate contradictory
information simultaneously. Third, w+ and w− are partial
effects, and their degrees of partiality are undecided. Hence the
inferences between ✓/w−, ×/w+, and w+/w− are unknown (?).
Last, unknown effect (?) has no impact on status identification
of the parent. That is, only known effects (✓, ×, w+, w− and
↯) can impact the parent. This makes sense
because unknown status means extra information is needed
from stakeholders, and therefore it is temporarily not involved
in the reasoning process.
For f_ei under AND-decomposition, because it has been assumed
that the potential contribution of each link is ++, each
positive/negative effect can only be generated by one specific
type of status.
Definition 4: Let S={✓, ×, w+, w−, ↯, ?} be the set of
satisficing statuses, E={✓, ×, w+, w−, ↯, ?} be the set of effects,
the numbers of the six types of effects from children be n1, n2,
n3, n4, n5, n6 respectively. f_ei^∧ is said to be an effect inference
function under AND-decomposition, if f_ei^∧ is a mapping from
E^(n1+...+n6) to S, and its operation rules are as shown in Table IV:

TABLE IV
Operation Rules of f_ei^∧

Condition                                         Result
n5 ≥ 1                                            ↯
n5 = 0    n2 ≥ 1                                  ×
          n2 = 0    n6 ≥ 1                        ?
                    n6 = 0    n4 ≥ 1              w−
                              n4 = 0    n3 = 0    ✓
                                        n3 ≥ 1    w+

Thus f_ei^∧ presents the strict reasoning rules from effect to
status under AND-decomposition, which only exists in goal
decomposition. First, as in f_ei^∨, conflicting information will
always be preserved during the reasoning process. So, if there is a
conflict effect (↯) among all effects, the parent is said to be in
conflict. Second, the parent is said to be fully denied as long
as a fully denied effect (×) exists. This completely matches the
semantics of AND-decomposition. Third, when no fully denied
effect exists, unknown effect will dominate the final status of
the parent. That is, the final status of the parent depends on the exact
effect of the unknown status, i.e. it can be ×, w− or others. Last,
if and only if all effects are fully satisficed (✓), the parent
is said to be fully satisficed. These are clearly suitable for the
semantics of AND-decomposition.
C. Evaluation of Goal Tree
With the status transformation function and the effect inference
function, a two-level goal tree can obviously be evaluated. In
real practice, however, a goal model could possibly be multi-
leveled. The question is whether we can apply these functions
sequentially, and the answer is that we certainly can.
For example, let us consider the goal tree in Fig. 1². It is obvious
that, for nodes g3 and g4, using the status transformation function
we can generate the effects on their parent g2. For g2, using the
effect inference function we can identify the satisficing status from
the effects. Hence the higher-level node g2’s satisficing status can
be used as the input of the status transformation function of the next
two higher levels g2 and g1. Simply, if the satisficing statuses
of leaves have been declared, we can incrementally identify
the satisficing status of the root, by alternately applying the status
transformation function and the effect inference function.
² This goal tree is created by RE-Tools, which is the work of Lawrence Chung and Sam Supakkul at the University of Texas at Dallas. Fig. 2, 3, 4 are also created by that. URL: http://www.utdallas.edu/ supakkul/tools/RE-Tools/index.htm
Focusing on the main idea of multiple-level implementation,
Fig. 1 does not specify which type of world assumption is
adopted and what the type of decomposition is in each level. In
real practice, the closed world assumption and the open world
assumption are used in different situations. Which assumption
should be used depends on our confidence about whether all
information has already been obtained. As a simple guideline,
the closed world assumption can be used, for example, when
dealing with security requirements where emphasis is often
on mitigating known threats. This assumption, however, may not
be intuitive for organizational level modeling, especially for
stakeholder goal modeling where the open world assumption
could better reflect knowledge about the world.
Fig. 1. Identification of Satisficing Status in A Goal Tree
IV. An Illustrative Example
This section will present a practical example about se-
curity requirements to illustrate how differentiation between
the closed world assumption and the open world assumption
benefits the formal process on status identification. We will
introduce two scenarios for stepwise status identification and
highlighting conflict path by reasoning.
Assume an analyst is in charge of eliciting and analyzing
the security requirements of the system-to-be. After communication
with all stakeholders, he obtains a goal model under the NFR
framework as shown in Fig. 2. Now, he assumes that all leaves
can be fully satisficed (✓) to see whether the root can be fully
satisficed as well. The closed world assumption is adopted.
• For WebpageVerificationCode[Interface], f_st^closed(✓, ++) = ✓.
• For MobileVerificationCode[Interface], f_st^closed(✓, ++) = ✓.
• For FingerprintVerificationOnly[Interface], f_st^closed(✓, −−) = ×.
• For Cookies[System], f_st^closed(✓, −) = w−.
Fig. 2. Security Goal Model under the NFR framework
Now we get all leaves’ effects onto corresponding parents,
followed by effect inference.
• For VerificationCode[Interface], f_ei^∨(✓, ✓, ×) = ↯.
• For ProtectvalidAccount[Account], f_ei^∨(w−) = w−.
To go further, we repeat previous work on the higher levels.
• For VerificationCode[Interface], f_st^closed(↯, +) = ↯.
• For AvoidRobot[Signup], f_ei^∨(↯) = ↯.
• For ProtectvalidAccount[Account], f_st^closed(w−, ++) = w−.
• For AvoidRobot[Signup], f_st^closed(↯, ++) = ↯.
• For Security[System], f_ei^∧(↯, w−) = ↯.
Fig. 3. Conflict of Security Goal under Closed World Assumption
That is, the softgoal Security[System] is in conflict status based
on the assumption of all leaves fully satisficed. Also, all nodes
on the left branch except leaves are labeled with ↯, as shown in
Fig. 3. That is, the reason why the root is in conflict lies here,
i.e. because under the closed world assumption,
FingerprintVerificationOnly[Interface]’s implementation can propagate
the full negative effect × to its parent, which contradicts
the full positive effects ✓. Thus, the conflict path can be easily
highlighted for later analysis.
Again, the analyst changes the initial condition for the leaves’
statuses. He denies all leaves which have negative contributions.
• For WebpageVerificationCode[Interface], f_st^closed(✓, ++) = ✓.
• For MobileVerificationCode[Interface], f_st^closed(×, ++) = ×.
• For FingerprintVerificationOnly[Interface], f_st^closed(×, −−) = w+.
• For Cookies[System], f_st^closed(×, −) = w+.
Now we get all leaves’ effects onto corresponding parents,
followed by effect inference.
• For VerificationCode[Interface], f_ei^∨(✓, ✓, w+) = ✓.
• For ProtectvalidAccount[Account], f_ei^∨(w+) = w+.
To go further, we repeat previous work on the higher levels.
• For VerificationCode[Interface], f_st^closed(✓, +) = w+.
• For AvoidRobot[Signup], f_ei^∨(w+) = w+.
• For ProtectvalidAccount[Account], f_st^closed(w+, ++) = w+.
• For AvoidRobot[Signup], f_st^closed(w+, ++) = w+.
• For Security[System], f_ei^∧(w+, w+) = w+.
Fig. 4. Satisficing Status of Security Goal under Closed World Assumption
We find that the softgoal Security is partially satisficed. That
is, by denying the nodes of negative contributions, the root can
be guaranteed fully or partially satisficed, as Fig. 4 shows.
If we adopt label propagation, the reasoning cannot be finalized
because nodes like ProtectvalidAccount[Account]
show partial statuses. We need extra information to clarify
them. But our world is closed, and no extra information can
be provided.
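The two scenarios above can be replayed mechanically. The following Python code is an added example, not code from the paper: the function names, the ASCII contribution strings and the tree structure (read off the evaluation steps, since Fig. 2 is not reproduced here) are assumptions, and so is reading the Table III branch whose × effects all come from non-negative contributions as ignoring those effects. It also goes beyond the text by re-running the second scenario under the open world assumption.

```python
from collections import Counter

# Labels (S = E in the text); ASCII contribution strings are an assumption.
SAT, DEN, WP, WM, CON, UNK = "✓", "×", "w+", "w-", "↯", "?"
ORDER = [SAT, DEN, WP, WM, CON, UNK]   # column order of Tables I and II
NEGATIVE = ("--", "-")

# Tables I and II: one row per contribution, one column per child status.
CLOSED = {"++": [SAT, DEN, WP, WM, CON, UNK],
          "--": [DEN, WP, WM, WP, CON, UNK],
          "+":  [WP, WM, WP, WM, CON, UNK],
          "-":  [WM, WP, WM, WP, CON, UNK]}
OPEN = {"++": [SAT, UNK, WP, UNK, CON, UNK],
        "--": [DEN, UNK, WM, UNK, CON, UNK],
        "+":  [WP, UNK, WP, UNK, CON, UNK],
        "-":  [WM, UNK, WM, UNK, CON, UNK]}

def f_st(status, contribution, world="closed"):
    """Status transformation: child status and contribution -> effect on parent."""
    table = CLOSED if world == "closed" else OPEN
    return table[contribution][ORDER.index(status)]

def f_ei_or(effects):
    """Effect inference under OR (Table III); effects = [(effect, contribution)]."""
    n = Counter(e for e, _ in effects)
    neg = Counter(e for e, c in effects if c in NEGATIVE)   # n2-, n4-
    if n[CON]:
        return CON
    if neg[DEN]:                 # × produced through a negative contribution
        if n[SAT]:
            return CON
        if n[WP]:
            return UNK
        return WM if neg[WM] else DEN
    # Assumption: a remaining × comes from a denied child and is ignored.
    if n[SAT]:
        return UNK if neg[WM] else SAT
    if n[WP]:
        return UNK if neg[WM] else WP
    if n[WM]:
        return WM
    return DEN if n[DEN] else UNK

def f_ei_and(effects):
    """Effect inference under AND (Table IV); effects = [(effect, contribution)]."""
    n = Counter(e for e, _ in effects)
    for label in (CON, DEN, UNK, WM, WP):    # first label present decides
        if n[label]:
            return label
    return SAT

# Tree structure assumed from the evaluation steps in Section IV.
TREE = {
    "Security[System]": ("AND", [("AvoidRobot[Signup]", "++"),
                                 ("ProtectvalidAccount[Account]", "++")]),
    "AvoidRobot[Signup]": ("OR", [("VerificationCode[Interface]", "+")]),
    "VerificationCode[Interface]": ("OR", [
        ("WebpageVerificationCode[Interface]", "++"),
        ("MobileVerificationCode[Interface]", "++"),
        ("FingerprintVerificationOnly[Interface]", "--")]),
    "ProtectvalidAccount[Account]": ("OR", [("Cookies[System]", "-")]),
}

def evaluate(node, leaves, world="closed", labels=None):
    """Label node and everything below it; returns {node name: status}."""
    labels = {} if labels is None else labels
    if node in leaves:
        labels[node] = leaves[node]
        return labels
    kind, children = TREE[node]
    effects = []
    for child, contribution in children:
        evaluate(child, leaves, world, labels)
        effects.append((f_st(labels[child], contribution, world), contribution))
    labels[node] = f_ei_and(effects) if kind == "AND" else f_ei_or(effects)
    return labels

def conflict_path(labels):
    """Nodes labelled as conflicting, in bottom-up order."""
    return [name for name, status in labels.items() if status == CON]

LEAVES = [c for _, kids in TREE.values() for c, _ in kids if c not in TREE]
ALL_SATISFICED = {leaf: SAT for leaf in LEAVES}
# Second scenario: deny the leaves that carry negative contributions.
DENY_NEGATIVE = {**ALL_SATISFICED,
                 "FingerprintVerificationOnly[Interface]": DEN,
                 "Cookies[System]": DEN}

if __name__ == "__main__":
    for world, leaves in [("closed", ALL_SATISFICED), ("closed", DENY_NEGATIVE),
                          ("open", DENY_NEGATIVE)]:
        labels = evaluate("Security[System]", leaves, world)
        print(world, labels["Security[System]"], conflict_path(labels))
```

Under the open world assumption the denied Cookies[System] leaf yields only an unknown effect, so ProtectvalidAccount[Account] and, through the AND-decomposition, Security[System] both stay unknown rather than weakly satisficed.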
V. Discussion
Our method distinguishes two assumptions and provides
a formal treatment of identifying the satisficing status of
non-functional requirements. Applying the status transformation
function f_st and the effect inference function f_ei to the given satisficing
statuses of nodes can guarantee explicit identification of status
in each step.
Our method makes a clear distinction between the closed
world assumption and the open world assumption, and facilitates
a more effective reasoning process. As defined
above, unlike the traditional reasoning process in the NFR
framework, the two functions have different operation rules
for different assumptions, which provide two sets of reasoning
mechanisms. In principle, this differentiation matches the
prerequisite of reasoning in an information system (either CWA
or OWA applies). In practice, it can also fit the specific
problem background (whether information can be guaranteed
complete). That is, applying a certain reasoning mechanism
should rely on the specific chosen assumption, not on mixing both
assumptions.
Also, our method does not ignore the partial effect of satisficing
status. That is, w+ and w− are treated in the same way as
✓. Under the open world assumption, we may collect extra
information for further clarification of the partial effects w+ and w−,
aiming to obtain the full effects ✓ and ×. This cannot happen under
the closed world assumption. So our method just takes w+ and
w− for granted, and gives some reasoning rules for them under
the specific assumption, not relying on extra information from
stakeholders.
Besides, it is clear that the ↯ status can be propagated up to the
root as long as one of its descendants is in conflict. According
to the operation rules of the status transformation function f_st and
the effect inference function f_ei, whatever assumption applies, ↯
is transformed to ↯ as the effect, which will put the
parent in conflict status as well. Hence, each node along the
path related to the conflict will be labeled with the sign ↯. This
can greatly facilitate the identification of conflicts in inconsistency
management for non-functional requirements.
Last but not least, under whatever assumption, unknown status
(?) can be propagated as unknown effect (?) to higher-level
nodes, and then shows no impact on the status identification of the
parent if OR-decomposition is adopted at each level. This can reduce
the complexity of status identification work, since the unknown
nodes can be left alone.
VI. Related Work
Literature offers very little on differentiation between these
two assumptions and formal reasoning of non-functional
requirements. One reason is that verification of non-functional
requirements is not straightforward. The other is that formal
reasoning for non-functional requirements relies heavily on
a proper modeling method. Goal-oriented method, the most
systematic and widely accepted in the current literature, treats
each non-functional requirement as a goal of software[5]. To
build a successful software product, all related goals should
be satisfied completely or partially. Hence, from goal model-
ing’s point of view, non-functional requirements can also be
noted as softgoals, contrary to the functional requirements as
(hard)goals (In fact, “non-functional requirements”/“functional
requirements” and “softgoal”/“hardgoal” belong to two dif-
ferent taxonomies. Non-functional requirements are not com-
pletely equivalent to softgoals, and neither are functional goals.
The key point here is the verification. Here to bridge the gap,
we assume that verifications of non-functional requirements
cannot be achieved in a straightforward manner. For a
discussion please see [15]).
Goal-based reasoning is pivotal for model construction and
requirements elaboration, exploration and evaluation of al-
ternatives, conflict management, anticipation of incidental or
malicious behaviors, and optimization of behavior model
synthesis[16]. Among all goal-oriented methods, the NFR
framework is the first to propose the concept of softgoal in
the RE context and offer a process for dealing with non-
functional requirements. And then, i∗/Tropos[17], GRL[18],
[7], REF[19] all employ the concept of softgoal in their
dependent advancements.
Within goal-oriented paradigms, the NFR Framework and
i∗/Tropos are two widely adopted non-functional require-
ments solutions. As mentioned before, the NFR Framework
puts more emphasis on goal contribution and correlation[5],
[6], [1]. Using label propagation, we can make design decisions
based on the consideration of goal satisfaction[20].
The i∗/Tropos, which has a set of unique notations, captures
the interaction between the software entity and environmental
entities. In i∗/Tropos, goals are correlated with other entities
by tasks and resources, which should be implemented by real
agents[21], [22], [23]. With Strategic Dependency Model and
Strategic Rationale Model, i∗/Tropos supports goal modeling
and reasoning[24]. Note that reasoning process in i∗/Tropos is
an organizational and social evolution process. In our previous
work, we have presented a formal language Σ to represent
the goal model under the NFR framework[25]. Σ is a link-
based language upon which reasoning process is executed by
decomposition structure of goal models.
GRL [11] integrates the core concepts of i∗ and the NFR
Framework and supports links to a companion scenario
notation called Use Case Maps (abbr. UCM). It provides three
algorithms to support qualitative, quantitative and hybrid
evaluations for different modeling elements. However, some key
principles differ between GRL and Σ regarding the
reasoning mechanism. First, GRL puts much emphasis on
qualitative analysis which takes precise satisficing (strategy)
degrees (integers between -100 and 100) of any modeling
elements into consideration. In our approach, we use six types of
qualitative satisficing degrees to initiate the reasoning process.
Second, GRL explicitly differentiates between decomposition
links and contribution links, but hides the inherent reasoning
mechanisms of evaluation in both. For example, in GRL there
is no explanation provided as to why the value of an
OR-decomposed node is equal to the maximum value of all its
children’s values. We, however, explicitly differentiate two
steps of the inherent reasoning mechanisms in evaluation, and
differentiate decomposition links and contribution links only
when applying the reasoning rules. Last, GRL attempts to
present a more general treatment of goal-oriented analysis.
We restrict our work to the NFR Framework background.
As an efficient way of manipulating (hard)goals, KAOS
provides a mechanism for representing and reasoning with
functional goals, using temporal logic. Unfortunately, the work
on KAOS is function-centered. Letier et al. pointed out that
though fuzzy logic is proposed for characterizing softgoals,
the key limitation of this approach is that measurement of
the degree of requirements satisfaction cannot be guaranteed
to be objective. They proposed an approach enriching goal
refinement models with a probabilistic layer for reasoning about
partial satisfaction [26]. Within such models, non-functional
goals are specified in a precise, probabilistic way. Jureta et al.
proposed a formalism for characterizing softgoals, but it just
gives a new formal representation, aiming to obtain a more
profound understanding of a single softgoal instance [15].
VII. Conclusion
Reasoning mechanisms in the existing approaches for goal
modeling have some distinctive weaknesses, and so cannot
guarantee an automatic reasoning process during the analysis
of non-functional requirements. To solve this problem, we
distinguish the closed world assumption and the open world
assumption. First, under different assumptions, by applying
the status transformation function fst, the satisficing statuses of
low level nodes can be transformed to the effects on parents.
Then the satisficing statuses of parents can be identified by
the effect inference function fei, involving effects from children.
Layer by layer, the root’s satisficing status can be finally
identified by alternately adopting the two functions.
Our contribution is thus threefold. First, compared with current
research, our work provides a formalism for declaring whether
the specific non-functional requirements can be achieved by the
existing low level requirements alternatives. According to the
formal reasoning process, we can obtain the root’s satisficing
status, i.e. fully, partially, satisficed, denied, unknown or
conflict. Second, this formalism differentiates between the
closed world assumption and the open world assumption,
which makes more sense for reasoning in real practice. Last,
we use a two-step process to identify the satisficing status. This
strategy gives a very clear view of reasoning: obtaining
effects and manipulating effects. They are strictly executable
processes. Also, it makes the satisficing status identification
more readable and understandable. The label propagation hides
its mechanism altogether, and only supports manual reasoning.
Some issues still need our exploration. We admit that the most
significant challenge is to decide which assumption should be
applied in any given situation. It is theoretically and practically a
complex issue. In some cases, the goal that we are concerned
with does not make it obvious which assumption applies
at first glance. We are working on developing guidelines,
either from theory or practice of requirements engineering,
to support this decision-making process. Detecting
nodes related to conflict and developing strategies to mitigate
or eliminate conflict is also a promising future direction. Work
in this paper can be used for conflict identification within one goal
model. That is, nodes along the conflict-related path can be
labeled with conflict status as long as one of the offspring is
in conflict. For conflict hidden among several goal models, we
will apply the extension operator/function presented in [25] to
integrate these models, and then we propose to employ the
method presented in this paper to find which node is in conflict.
As another combination with our previous work, the formal
representation language Σ, we will explore some reasoning
rules for formally identifying the satisficing status of nodes
when the softgoal is represented by a formula in Σ. That is, after
a softgoal is represented as a formula in Σ, we can deduce
the satisficing status of each atom (a node of the goal tree) in
the formula by applying reasoning rules which involve
the status transformation function and the effect inference
function. This part of the work is inspired by the traditional work
in goal-oriented RE, with many interesting results based on
the KAOS language. This can bring us closer to the aim of
automating the satisficing status identification.
Acknowledgment
This work is supported by the National Grand Fundamental
Research Program of China under Grant No. 2009CB320701,
the Key Projects of National Natural Science Foundation
of China under Grant No. 90818026, and the International
Science Linkage Research Grant under the Australia-China
Special fund for Science and Technology.
References
[1] Mylopoulos, J., Chung, L., Nixon, B.: Representing and using nonfunctional requirements: A process-oriented approach. IEEE Trans. Software Engineering 18(6) (1992) 483–497
[2] Simon, H.A.: Rational choice and the structure of the environment. Psychological Review, 63 (1956) 129–138
[3] Ryan, A.: An approach to quantitative non-functional requirements in software development. In: the 34th Annual Government Electronics and Information Association Conference. (2000)
[4] Cysneiros, L., Leite, J.: Nonfunctional requirements: From elicitation to conceptual models. IEEE Transactions on Software Engineering 30(5) (2004) 328–350
[5] Chung, L., do Prado Leite, J.: On non-functional requirements in software engineering. Conceptual Modeling: Foundations and Applications, LNCS 5600 (2009) 363–379
[6] Chung, L., Nixon, B.: Dealing with non-functional requirements: Three experimental studies of a process-oriented approach. In: the 17th International Conference on Software Engineering. (1995) 24–28
[7] Yu, E.: Towards modelling and reasoning support for early-phase requirements engineering. In: the 3rd IEEE International Symposium on Requirements Engineering (RE’97). (1997) 226–235
[8] Giorgini, P., Mylopoulos, J., Sebastiani, R.: Goal-oriented requirements analysis and reasoning in the tropos methodology. Appl. Artif. Intell. 18 (2005) 159–171
[9] Chung, L., Nixon, B., Yu, E., Mylopoulos, J.: Non-Functional Requirements in Software Engineering. Springer (2000)
[10] Weiss, M., Amyot, D.: Business process modeling with urn. Int. J. E-Business Res. 1(3) (2006) 63–90
[11] Amyot, D., Ghanavati, S., Horkoff, J., Mussbacher, G., Peyton, L., Yu, E.: Evaluating goal models within the goal-oriented requirement language. Int. J. Intel. Syst. 25(8) (2010) 841–877
[12] Reiter, R.: On closed world data bases. Logic and Data Bases, Gallaire H and Minker J. (ed) (1978) 55–76
[13] Hustadt, U.: Do we need the closed-world assumption in knowledge representation. In: Working Notes of the KI94 Workshop: Reasoning about Structured Objects: Knowledge Representation Meets Databases (KRDB94). Volume D-94-11 of Document. (1994) 24–26
[14] van Lamsweerde, A.: Reasoning about alternative requirements options. Conceptual Modeling: Foundations and Applications 5600 (2009) 380–397
[15] Jureta, I., Faulkner, S., Schobbens, P.: A more expressive softgoal conceptualization for quality requirements analysis. In: the 25th International Conference on Conceptual Modeling (ER06). (2006)
[16] van Lamsweerde, A.: Engineering requirements for system reliability and security. Software System Reliability and Security 9 (2004) 196–238
[17] Castro, J., Kolp, M., Mylopoulos, J.: Towards requirements-driven information systems engineering: the tropos project. Information System 6 (2002) 365–389
[18] Liu, L., Yu, E.: Designing information systems in social context: a goal and scenario modeling approach. Information System 29 (2003) 187–203
[19] Donzelli, P.: A goal-driven and agent-based requirements engineering framework. Requirements Engineering 9 (2004) 16–39
[20] Giorgini, P., Mylopoulos, J., Nicchiarelli, E., Sebastiani, R.: Reasoning with goal models. Spaccapietra, S., March, S.T., Kambayashi, Y. (eds.) ER 2002. LNCS 2503 (2002) 167–181
[21] Fuxman, A., Liu, L., Mylopoulos, J., Pistore, M., Roveri, M., Traverso, P.: Specifying and analyzing early requirements in tropos. Requirements Engineering 9(2) (2004) 132–150
[22] Yu, E., Mylopoulos, J.: Enterprise modelling for business redesign: the i* framework. SIGGROUP Bull 18(1) (1997) 59–63
[23] de Padua Albuquerque Oliveira, A., Cysneiros, L., do Prado Leite, J., Figueiredo, E., Lucena, C.: Integrating scenarios, i*, and aspects in the context of multi-agent systems. In: the Conference of the Center For Advanced Studies on Collaborative Research, CASCON 2006, ACM, New York (2006) 16
[24] van Lamsweerde, A.: Managing conflicts in goal-driven requirements engineering. IEEE Transactions on Software Engineering 44(11) (1998)
[25] Wei, B., Jin, Z., Liu, L.: A formalism for extending the NFR Framework to support the composition of the goal trees. In: 17th Asia Pacific Software Engineering Conference. (2010) 23–32
[26] Letier, E., van Lamsweerde, A.: Reasoning about partial goal satisfaction for requirements and design engineering. In: ACM SIGSOFT Symp. Foundation of Software Engineering. (2004) 53–62