Conference PaperPDF Available

Easy approach to requirements syntax (EARS)

Authors:
Alistair Mavin at Independent Requirements Specialist
Alistair Mavin
  • Independent Requirements Specialist
Philip Wilkinson at Rolls-Royce
Philip Wilkinson
Adrian R. G. Harwood at The University of Manchester
Adrian R. G. Harwood
Mark Novak
Mark Novak
Mark Novak
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Download full-text PDF
Read full-text
Download citation

Abstract

The development of complex systems frequently in-valves extensive work to elicit, document and review stakeholder requirements. Stakeholder requirements are usually written in unconstrained natural language, which is inherently imprecise. During system development, problems in stakeholder requirements inevitably propagate to lower levels. This creates unnecessary volatility and risk, which impact programme schedule and cost. Some experts advocate the use of other notations to in-crease precision and minimise problems such as ambiguity. However, use of non-textual notations requires translation of the source requirements, which can introduce further errors. There is also a training overhead associated with the introduction of new notations. A small set of structural rules was developed to address eight common requirement problems including ambiguity, complexity and vagueness. The ruleset allows all natural language requirements to be expressed in one of five simple templates. The ruleset was applied whilst extracting aero engine control system requirements from an airworthiness regulation document. The results of this case study show qualitative and quantitative improvements compared with a conventional textual requirements specification.
Content uploaded by Alistair Mavin
Author content
All content in this area was uploaded by Alistair Mavin on Jan 06, 2016
Content may be subject to copyright.
Accepted for RE09, IEEE, August 2009
EARS (Easy Approach to Requirements Syntax)
Alistair Mavin
Philip Wilkinson
Adrian Harwood
Mark Novak
Rolls-Royce PLC
PO Box 31
Derby DE24 8BJ, UK
alistair.mavin@rolls-royce.com
Abstract
The development of complex systems frequently in-
volves extensive work to elicit, document and review
stakeholder requirements. Stakeholder requirements are
usually written in unconstrained natural language, which
is inherently imprecise. During system development,
problems in stakeholder requirements inevitably propa-
gate to lower levels. This creates unnecessary volatility
and risk, which impact programme schedule and cost.
Some experts advocate the use of other notations to in-
crease precision and minimise problems such as ambigui-
ty. However, use of non-textual notations requires trans-
lation of the source requirements, which can introduce
further errors. There is also a training overhead associat-
ed with the introduction of new notations. A small set of
structural rules was developed to address eight common
requirement problems including ambiguity, complexity
and vagueness. The ruleset allows all natural language
requirements to be expressed in one of five simple tem-
plates. The ruleset was applied whilst extracting aero
engine control system requirements from an airworthiness
regulation document. The results of this case study show
qualitative and quantitative improvements compared with
a conventional textual requirements specification.
1. Company background
Aircraft engine control systems present a significant
systems engineering challenge: the systems are complex,
safety-critical and developed in ever-compressed time-
scales. To satisfy aircraft manufacturers’ requirements
and maintain market position, control systems must pro-
vide increased functionality and maintain the highest lev-
els of dependability.
Rolls-Royce Control Systems develops Full Authority
Digital Engine Controllers (FADECs) for civil gas turbine
engines. The development and operation of FADECs pre-
sent numerous challenges [1] including: operation in ar-
duous environments, increased system complexity, ever-
greater reliability, improved fault tolerance and the need
to certify against European and US regulations. A typical
modern control system has a dual channel design, con-
tains thousands of components, over 100,000 lines of
code and is developed with up to twenty suppliers.
2. Background to the problem
Stakeholder requirements are often written by individ-
uals who are not experts in requirements definition. Most
commonly, stakeholder requirements are written in un-
structured natural language (NL). The flexibility of NL
makes it an ideal medium for creative expression, such as
drama, poetry and humour. However, unconstrained use
of NL is inherently unsuitable for requirements definition
for a number of reasons. Some of the problems that can
appear in NL requirement documents are:
Ambiguity
1
(a word or phrase has two or more dif-
ferent meanings).
Vagueness (lack of precision, structure and/or de-
tail).
Complexity (compound requirements containing
complex sub-clauses and/or several interrelated
statements).
Omission (missing requirements, particularly re-
quirements to handle unwanted behaviour).
Duplication (repetition of requirements that are
defining the same need).
Wordiness (use of an unnecessary number of
words).
Inappropriate implementation (statements of how
the system should be built, rather than what it
should do).
Untestability (requirements that cannot be proven
true or false when the system is implemented).
There are other problems that this study does not con-
sider, including conflicting requirements and missing
traceability links. There are two main reasons for their
exclusion: firstly these problems are not unique to NL
requirements documents, and secondly there are no occur-
rences of these problems in the case study.
1
There are three common forms of ambiguity: lexical, refer-
ential and syntactical [2]. Lexical ambiguity occurs where a
word or phrase, which has two or more meanings, is used in a
manner that permits a sentence or phrase to be interpreted in
more than one way. Referential ambiguity occurs when a word
or phrase is used that can be referring to two or more things.
Syntactical ambiguity arises when the order of words allows two
or more interpretations.
To overcome problems associated with NL, some ex-
perts advocate the use of other notations for the specifica-
tion of requirements. These include formal notations such
a Z [3] and Petri Nets [4] and graphical notations such as
Unified Modeling Language (UML) [5, 6] and Systems
Modeling Language (SysML) [7]. There are also numer-
ous scenario-based approaches [summarised in 8], tabular
approaches such as Table-Driven Requirements [9] and
ConCERT [10, 11] and pseudocode.
Advocates of some notations claim that they work for
requirements at all system levels, whilst others do not
claim universal applicability. UML and SysML are graph-
ical notations used to describe systems, within which dif-
ferent views can be generated depending on user needs.
Meanwhile, claims have been made for the effective use
of scenarios in many different ways and at different sys-
tem levels [8] though not necessarily within an integrated
framework.
However, use of any of these non-textual notations of-
ten requires complex translation of the source require-
ments, which can introduce further errors. Such transla-
tion of requirements can serve to create a “language barri-
er” between developers and stakeholders due to uncon-
scious communication of assumed context. There is also a
training overhead associated with the introduction of
many notations. Requirements authors are unlikely to
seek excessive formality and complex training, and rarely
do they require a software tool to help them write.
There are many hundreds of general books on re-
quirements engineering. There are also numerous exam-
ples of published works specifically about how to write
better requirements. These include two well-known pa-
pers titled “Writing Good Requirements” [12, 13] that
focus on the characteristics of well-formed requirements
and the attributes that should be included. There are also
templates available, such as VOLERE [14] and SL-07
[15]. Despite this large body of published material, there
seems to be little simple, practical advice for the practi-
tioner.
It was hypothesised that introducing a small set of
simple requirement structures would be an efficient and
practical way to enhance the writing of high-level stake-
holder requirements. Previous work in the area of con-
strained natural language includes Simplified Technical
English [16], Attempto Controlled English (ACE) [17]
and Event-Condition-Action (ECA) [18]. In ECA, the
event specifies the signal that triggers the rule and the
condition is a logical test that (if satisfied) causes the
specified system action.
The work reported here is principally concerned with
requirements syntax. Although measures were taken to
improve the semantics of the requirements, they are not
described in this paper. There is no claim made that this
approach is universally applicable to all levels of system
decomposition. The technique is most suitable to the defi-
nition of high-level stakeholder requirements.
The remainder of this paper is divided into five sec-
tions. Section 3 describes the Case Study. Section 4 de-
fines the Method used and how it was developed. Section
5 summarises the Results. Section 6 is a Discussion of the
findings and section 7 describes Future Work.
3. Case study
Certification Specification for Engines (CS-E) [19] de-
fines what must be achieved in order for an aero engine to
achieve certification. For this study, the section of CS-E
most applicable to engine control systems (CS-E 50) was
analysed. CS-E 50 contains a relatively small number of
requirements, which was a manageable quantity for a case
study.
When analysing the structure and content of CS-E, it is
prudent to consider the history of the document. CS-E has
evolved from incremental updates to its predecessor Joint
Airworthiness Requirements for Engines (JAR-E) [20]
over many years. Repeated updates have resulted in the
addition of statements to form long paragraphs of prose.
Many of these paragraphs contain a rich mixture of both
complex and simple requirements, along with design and
verification statements and supporting information. Most
requirements are explicit, but there are also some implicit
requirements that can be difficult to discover.
Due to the evolutionary nature of the text, care must be
taken when interpreting the intent of statements within
CS-E. Much of the document is written at an abstract lev-
el, relying on lists and explanatory notes to add meaning.
Engineers use the requirements in CS-E during the design
of an engine, but most are unlikely to be trained and expe-
rienced in requirements definition. Engineers are likely to
be most comfortable when presented with a set of unam-
biguous, simple statements in order to validate their own
work. This will reduce the likelihood of lengthy negotia-
tions or expensive alterations later in an engine pro-
gramme. In addition, if requirements are written well,
they can be reused on future programmes, with obvious
cost savings.
4. Method
The process and ruleset used during this investigation
was developed as the work progressed. The participants
started with a set of loose rules derived from their own
experiences in systems, safety and requirements engineer-
ing and built on the concepts of ECA. These included
basic syntactic rules of thumb such as the use of “when”
for event-driven behaviour, “while” for state-driven be-
haviour and “if-then” statements to handle “failures”.
The collaborative nature of the work led to incremental
changes to the ruleset that were tested empirically during
the ongoing study. Additionally, occasional serendipity
helped the evolution of the syntactic rules.
A group of cross-discipline engineers, including the
company’s CS-E certification expert, analysed the source
text of CS-E 50 in two phases. In the first phase, each
clause of the document was broken into its constituent
parts. Some sentences were explicit requirements; others
needed interpretation, but did imply requirements on the
engine control system. Other statements were determined
to be design guidance or were clearly informative text. All
requirements were placed in a spreadsheet to aid manipu-
lation.
In the second phase, each requirement was rewritten in
a consistent manner using the syntactic ruleset described
below. Subsequent iterations were necessary as the ruleset
evolved. This led to further rewording of requirements
and to the reclassification of some statements.
4.1 Generic requirements syntax
The generic requirement syntax adopted during this
study is as follows:
<optional preconditions> <optional trigger> the
<system name> shall <system response>
This simple structure forces the requirement author to
separate the conditions in which the requirement can be
invoked (preconditions), the event that initiates the re-
quirement (trigger) and the necessary system behaviour
(system response). Both preconditions and trigger are
optional, depending on the requirement type, as described
later in this section.
The order of the clauses in this syntax is also signifi-
cant, since it follows temporal logic:
Any preconditions must be satisfied otherwise the
requirement cannot ever be activated.
The trigger must be true for the requirement to be
“fired”, but only if the preconditions were already
satisfied.
The system is required to achieve the stated sys-
tem response if and only if the preconditions and
trigger are true.
The generic requirement syntax is specialised into five
types of requirement (Ubiquitous, Event-driven, Unwant-
ed behaviours, State-driven and Optional features), which
are described in more detail below.
4.2 Ubiquitous requirements
A ubiquitous requirement has no preconditions or trig-
ger. It is not invoked by an event detected at the system
boundary or in response to a defined system state, but is
always active. The general form of a ubiquitous require-
ment is:
The <system name> shall <system response>
For example: The control system shall prevent engine
overspeed”. This is a system behaviour that must be ac-
tive at all times; hence this is a ubiquitous requirement.
4.3 Event-driven requirements
An event-driven requirement is initiated only when a
triggering event is detected at the system boundary. The
keyword When is used for event-driven requirements. The
general form of an event-driven requirement is:
WHEN <optional preconditions> <trigger> the
<system name> shall <system response>
For example: “When continuous ignition is command-
ed by the aircraft, the control system shall switch on con-
tinuous ignition”. This system response is required when
and only when the stated event is detected at the boundary
of the system.
4.4 Unwanted behaviours
Requirements to handle unwanted behaviour
2
are de-
fined using a syntax derived from event-driven require-
ments. “Unwanted behaviour” is a general term used to
cover all situations that are undesirable. This includes
failures, disturbances, deviations from desired user behav-
iour and any unexpected behaviour of interacting systems.
The authors experiences suggest that unwanted behav-
iour is a major source of omissions in early requirements,
necessitating costly rework. Consequently, these require-
ments were given their own syntax, so that they could be
easily identified throughout the lifecycle.
Requirements for unwanted behaviour are designated
using the keywords If and Then. The general form of a
requirement for unwanted behaviour is:
IF <optional preconditions> <trigger>, THEN the
<system name> shall <system response>
For example “If the computed airspeed fault flag is
set, then the control system shall use modelled airspeed”.
In this example, the unwanted event (computed air speed
fault flag is set) triggers the system response, which al-
lows continued safe operation of the system.
Using the If-Then structure explicitly differentiates the
requirements that handle unwanted behaviour. In such
requirements the system response mitigates the impact of
the unwanted event, or prevents the system from entering
an unwanted state.
2
The distinction between wanted and unwanted behaviour is
not always clear. For example, due to the safety-critical nature
of aero engine control systems, many subsystems employ multi-
ple redundant components. This allows the system to accommo-
date unwanted events whilst continuing to satisfy operational
requirements. In such cases, the system is behaving “normally”,
but the requirements would be considered as describing “un-
wanted behaviours” using the classification described here.
Hence the distinction between wanted and unwanted behaviour
is a matter of viewpoint, or even a matter of “style”. Another
perspective on the distinction between wanted and unwanted
behaviours is provided by the concept of Misuse Cases [21].
Misuse Cases describe users with hostile intent who are likely to
have wants that are in direct opposition to the wants of other
system stakeholders.
4.5 State-driven requirements
A state-driven requirement is active while the system
is in a defined state. The keyword While is used to denote
state-driven requirements. The general form of a state-
driven requirement is:
WHILE <in a specific state> the <system name>
shall <system response>
For example: “While the aircraft is in-flight, the con-
trol system shall maintain engine fuel flow above
XXlbs/sec”. The system response is required at all times
whilst the system is in the defined state.
To make requirements easier to read, the keyword
During can be used instead of While for state-driven re-
quirements. For example: “During thrust reverser door
translation, the control system shall limit thrust to mini-
mum idle”. In this context, the meaning of During is iden-
tical to While, and this alternative keyword is used purely
to aid readability.
4.6 Optional features
An optional feature requirement is applicable only in
systems that include a particular feature. An optional fea-
ture requirement is designated with the keyword Where.
The general form of an optional feature requirement is:
WHERE <feature is included> the <system name>
shall <system response>
For example, “Where the control system includes an
overspeed protection function, the control system shall
test the availability of the overspeed protection function
prior to aircraft dispatch”. This functionality only makes
sense (and therefore is only required) for a system that
includes the specified feature.
4.7 Complex requirement syntax
For requirements with complex conditional clauses,
combinations of the keywords When, While and Where
may be required. The keywords can be built into more
complex expressions to specify richer system behaviours.
For instance, the same event may trigger different system
behaviour depending on the state of the system when the
event is detected.
For example: “While the aircraft is on-ground, when
reverse thrust is commanded, the control system shall
enable deployment of the thrust reverser”. The triggering
event (reverse thrust command) triggers the system re-
sponse only when the system is in a particular state (air-
craft on-ground).
The keywords When, While and Where can also be
used within If-Then statements to handle unwanted behav-
iour with more complex conditional clauses. For example
the requirement to handle thrust reverser commands dur-
ing the in-flight state (an unwanted and potentially cata-
strophic event) is handled as follows: “While the aircraft
is in-flight, if reverse thrust is commanded, then the con-
trol system shall inhibit thrust reverser deployment”. In
this situation the trigger (reverse thrust command) is un-
wanted whilst in-flight and the required system response
prevents the system from entering an unwanted state.
Similarly, in the requirement “When selecting idle set-
ting, if aircraft data is unavailable, then the control sys-
tem shall select Approach Idle”, the unwanted behaviour
(aircraft data is unavailable) should result in the stated
system response only when the triggering event (selecting
idle) is satisfied.
4.8 Testing the hypothesis
The hypothesis was tested against a number of criteria,
based on the eight problems associated with NL require-
ments identified in section 2. For each problem, instances
were counted in the both the raw requirements from the
CS-E document and the interpretations. The count for
each set of requirements was compared to assess the ef-
fectiveness of the EARS ruleset.
5. Results
The majority of the requirements could be written in
one of the EARS templates with little difficulty. Those
that could not were either manipulated to fit the ruleset or
the ruleset was evolved to incorporate the additional re-
quirement types.
Interpretation
Type
The Engine Control
System shall not cause
unacceptable thrust or
power oscillations.
Ubiqui-
tous
When the Engine
Control System
changes operational
mode, the Engine
Control System shall
maintain the engine
within approved op-
erational limits.
Event
Driven
If a single Failure
leads to deficient
Aircraft-Supplied
Data, then the Engine
Control System shall
not cause a Hazardous
Engine Effect.
Unwant-
ed Be-
haviour
While in a Full-Up
Configuration, the
Engine Control Sys-
tem shall be Essential-
ly Single Fault Toler-
ant with respect to
LOTC/LOPC event.
State
Driven
Raw extract of CS-E
Interpretation
Type
When over-speed protection
is provided through hydro-
mechanical means, it must be
demonstrated by test or other
acceptable means that the
over-speed function remains
available between inspection
and maintenance periods.
Where over-speed
protection is provided
through hydro-
mechanical means, the
frequency of Engine
Control System in-
spection and mainte-
nance periods shall be
consistent with the
required availability of
the feature.
Optional
Feature
Table 1. Examples of raw extracts from CS-E with
interpreted control system requirements
Several patterns emerged as the rules were applied to
the raw extracts from CS-E. Common examples of these
patterns were:
Logical restructuring to increase clarity and un-
derstanding.
Reduced wordiness to create simpler statements.
The separation of complex triggers resulting in
two or more atomic requirements.
Reusable statements and reusable formats.
Ambiguity
Vagueness
Complexity
Omission
Duplication
Wordiness
Implementation
Untestability
EARS Applied (Scaled) Raw Text (Scaled)
Graph 1. Quantitative results for case study
Consultation with a team of specialists, including Safe-
ty Engineers and Airworthiness Engineers, uncovered the
contextual intent of CS-E, allowing an accurate set of
requirements to be defined. Table 1 shows some examples
of raw extracts from CS-E and the resulting interpreta-
tions. As part of the interpretation process, it was occa-
sionally necessary to examine associated advisory materi-
al [22]. This material contains information, verification
and design statements in addition to requirements.
Following translation of the requirements, the raw re-
quirements and interpretations were compared against the
criteria described in section 2. Graph 1 shows the differ-
ences for the eight criteria on a log scale
3
. Overall, the
interpretations scored significantly better than the raw
requirements. Against five of the criteria, the interpreta-
tions contain none of the problems present in the raw re-
quirements. For the other three criteria ambiguity,
vagueness and wordiness a substantial reduction in
problems was observed. The number of requirements and
the average words per requirement for the raw require-
ments and the interpretations is shown in Table 2. The
total number of requirements has increased, while the
average number of words per requirements has reduced.
Raw extract
Interpretation
No. individual requirements
36.0
47.0
Av. words per requirement
36.9
25.6
Table 2. Word count of raw requirement extracts and
interpretations
6. Discussion
The results show that the modified notation has a
number of advantages over the use of unconstrained NL.
All of the text from the regulation, once formatted as re-
quirements, was successfully translated into one of the
EARS templates. Where problems of translation were
initially experienced, these were addressed by further evo-
lutionary development of the ruleset.
The review against the criteria of section 2 demon-
strated a significant reduction in all eight problem types.
For the case study, the notation appears to have eliminat-
ed the problems of complexity, omission, duplication,
implementation and untestability. However, the claim that
omissions have been eliminated needs to be treated with
caution. Whilst the trial may have effectively identified
some unwanted behaviour, there is no evidence that other
missing requirements have been captured.
The problems of ambiguity, vagueness and wordiness
were reduced, but not eliminated. The remaining prob-
lems are thought to be due to:
Lexical ambiguity, where a precondition was un-
derstood by inference, but not explicitly recorded.
3
The data contained a combination of large and small data
values. It was therefore necessary to scale the numbers using a
log function (on values greater than 1) for clarity on the chart.
General vagueness, which is an innate feature of
high-level requirements and difficult to remove
until accompanying design decisions are made.
Wordiness occurred where a particularly long re-
quirement, containing numerous conditional
clauses, employed clumsy word constructions.
The increase in the number of requirements was ex-
pected. This was because some clauses of CS-E contain
numerous compound requirements, which were separated
out during the interpretation process. A reduction in the
average word-count of the interpretations was also antici-
pated, and is mainly due to reduced complexity, duplica-
tion and wordiness.
Although the results of this case study are very posi-
tive, a number of limitations could have influenced the
outcomes of the study:
The sample size was small, consisting of only 36
original requirements.
The study was restricted to high-level safety-
related requirements. It is possible that other types
of high-level requirements and lower-level re-
quirements may exist that cannot be adequately
represented in the notation.
Although efforts were made to reduce subjective
influences, the classification of vagueness is inevi-
tably a matter of personal opinion and therefore
open to inconsistency.
Despite these limitations, the study seems to provide
ample evidence to support the hypothesis: that a small set
of simple requirement structures would be an efficient and
practical way to enhance the writing of high-level stake-
holder requirements.
7. Future work
The authors intend to continue with their assessment
of the remainder of CS-E. This would involve the transla-
tion of all requirements pertaining to the engine control
system. Further studies are also planned to assess the no-
tation against an entire suite of high-level engine control
system requirements and lower-level elements of the con-
trol system design. It is hoped that these studies will es-
tablish the effectiveness of the notation by addressing the
limitations identified in section 6.
As stated in section 2, a number of known require-
ments problems were consciously excluded from this
study. One of the reasons for this was that the document
used in the case study did not include such problems.
However, it is expected that use of the EARS templates
will address at least some of these issues when applied to
other stakeholder requirement documents. For example,
applying the syntactic rules will clarify the precise pre-
conditions and triggers, which should highlight conflict-
ing requirements. The intention is to apply the EARS sys-
tem to a wider range of system documents which contain
such problems.
Further thought is necessary to investigate how the If
and When preconditions can be applied to unwanted
states. Although the case study identified no such scenari-
os, unwanted states may require an additional template to
define how the system should behave while in an unwant-
ed state.
References
1. Holt J.E., “The Challenges of Civil Aircraft Engine Control Sys-
tem Development at Rolls-Royce”, Proceedings of IEEE United
Kingdom Automatic Control Council (UKACC) International Con-
trol Conference, Glasgow, August, 2006.
2. Warburton, N., “Thinking from A to Z”, 2
nd
edition, Routledge,
2000.
3. Woodcock, J. and Davies, J., “Using Z-Specification, Refinement
and Proof”, Prentice Hall, 1996.
4. Peterson, J. “Petri Nets”, ACM Computing Surveys 9 (1977), 223-
252.
5. Object Management Group, UML Resource Page,
http://www.uml.org/
6. Holt, J., “UML for Systems Engineering: Watching The Wheels”
(2
nd
edition), IEE, 2004.
7. Object Management Group, Official OMG SysML Site,
http://www.omgsysml.org/
8. Alexander, I.F. & Maiden, N.A.M. (eds), “Scenarios, Stories, Use
Cases: Through the Systems Development Life-Cycle” Wiley,
2004.
9. Alexander, I.F. & Beus-Dukic, L., “Discovering Requirements”,
John Wiley, 2009.
10. Vickers, A., Tongue, P.J. and Smith, J.E., “Complexity and its
Management in Requirements Engineering”, INCOSE UK Annual
Symposium Getting to Grips with Complexity, Coventry, UK,
1996.
11. Vickers, A., Smith, J.E., Tongue, P.J. and Lam, W., “The Con-
CERT Approach to Requirements Specification (version 2.0)”,
YUTC/TR/96/01, University of York, November 1996 (enquiries
about this report should be addressed to: High-Integrity Systems
Engineering Research Group, Department Computer Science, Uni-
versity of York, Heslington, YORK, YO10 5DD, UK).
12. Hooks, I., “Writing Good Requirements”, Proceedings of Third
International Symposium of INCOSE Volume 2, INCOSE, 1993.
13. Wiegers, K., Writing Good Requirements”, Software Develop-
ment Magazine, May 1999.
14. “VOLERE Requirements Specification Template”, Atlantic Sys-
tems Guild, http://www.volere.co.uk/template.htm
15. Lauesen, S., Guide to Requirements SL-07. Template with Exam-
ples”, Lauesen Publishing, 2007.
16. “ASD Simplified Technical English: Specification ASD-STE100.
International specification for the preparation of maintenance doc-
umentation in a controlled language”, Simplified Technical Eng-
lish Maintenance Group (STEMG), 2005.
17. Fuchs, N. E., Kaljurand, K. and Schneider, G., "Attempto Con-
trolled English Meets the Challenges of Knowledge Representa-
tion, Reasoning, Interoperability and User Interfaces", FLAIRS,
2006.
18. Dittrich, K. R., Gatziu, S. and Geppert, A., “The Active Database
Management System Manifesto: A Rulebase of ADBMS Fea-
tures.”, Lecture Notes in Computer Science 985, Springer, 1995,
pages 3-20.
19. “Certification Specification for Engines” (CS-E) Amendment 1,
18-20, European Aviation Safety Agency (EASA), 10
th
December
2007, http://easa.europa.eu/ws_prod/g/rg_certspecs.php
20. “Joint Airworthiness Requirements for Engines” (JAR-E), JAA,
http://easa.europa.eu
21. Sindre, G. and Opdahl, A., “Capturing Security Requirements
through Misuse Cases”, TOOLS 37 (2000), pp. 120-131.
22. AMC20 Effective 26/12/2007”, European Aviation Safety Agen-
cy (EASA), http://easa.europa.eu/ws_prod/g/rg_certspecs.php
... Given that there is little evidence on the extent to which humans can effectively model requirements using semi-formal notations, and how the modeling impacts the development and testing of reliable systems, in this paper, we investigate the implications of applying structured requirements specification and test generation based on the impact of modeling on development and testing of PLC systems. In this context, we study how practitioners write requirements using the Easy Approach to Requirements Syntax (EARS) [8], a simple notation for specifying textual requirements in a structured and unambiguous manner. Page 2 of 21 ...
... Writing the stakeholder requirements in unconstrained Natural Language (NL) is not accurate and can raise critical problems in lower levels of system development [8]. Aiming at mitigating the ambiguity problems and increasing the accuracy in the process of requirements engineering, some practitioners argue for using other textual and non-textual notations [8]. ...
... Writing the stakeholder requirements in unconstrained Natural Language (NL) is not accurate and can raise critical problems in lower levels of system development [8]. Aiming at mitigating the ambiguity problems and increasing the accuracy in the process of requirements engineering, some practitioners argue for using other textual and non-textual notations [8]. Using non-textual notations demands translation of the original requirement, which can be faulty sometimes. ...
An Empirical Investigation of Requirements Engineering and Testing Utilizing EARS Notation in PLC Programs
Article
Full-text available
  • Mar 2025
Regulatory standards for engineering safety-critical systems often demand both traceable requirements and specification-based testing, during development. Requirements are often written in natural language, yet for specification purposes, this may be supplemented by formal or semi-formal descriptions, to increase clarity. However, the choice of notation of the latter is often constrained by the designers’ training, skills, and preferences. The Easy Approach to Requirements Syntax (EARS) addresses the inherent imprecision of natural language requirements concerning potential ambiguity and lack of accuracy. This paper investigates requirements specification using EARS, and specification-based testing of embedded software written in the IEC 61131-3 language, a programming standard for developing programmable logic controllers (PLC). Further, we study, utilizing an experiment, how human participants translate natural language requirements into EARS and how they use the latter to test PLC software. We report our observations during the experiments, including the type of EARS patterns that participants use to structure natural language requirements and challenges during the specification phase, and present the results of testing based on EARS-formalized requirements in real-world industrial settings.
View
... Several template-based approaches, with different levels of adoption, were proposed throughout literature (e.g., [3][4][5][6][7][8][9]). However, the majority of these approaches do not describe or propose a process for creating templates, and they do not support the extension nor the creation of new templates. ...
... The modeling of the templates and their mapping to domain models is part of the step "Defining and modeling templates" of the first phase which is detailed in Sect. 3. Figure 2 illustrates the fundamental idea, showing the building blocks of RESPECT and the dependencies between them. ...
... For this case study, we applied RESPECT on a set of general purpose requirements that we gathered from an online community platform called Kaggle. 3 The dataset included a set of 977 requirements of different types, all related to nonsafety-critical systems. To apply RESPECT, we focused on functional requirements, from which we randomly sampled a set of 100 requirements. ...
Requirements specification using templates: a model-driven approach
Article
Full-text available
  • Jan 2025
  • SOFTW SYST MODEL
Requirements specification and verification are crucial processes of software development. These processes are particularly costly for safety critical systems due to the high number of requirements and their complexity. For such systems, it is important to use natural language for the specification, as requirements need to be readable by non-technical stakeholders and certification agents. To mitigate the inherent ambiguity caused by the use of natural language, controlled natural languages (CNL) are introduced as a means to constrain the specification while maintaining readability. In this paper, we leverage model-driven engineering (MDE) to propose RESPECT, REquirements SPECification using Templates, a CNL-based approach for requirements specification and verification. The fundamental idea of RESPECT is to use MDE techniques to: 1) model requirements’ templates and thus ease their creation, implementation and evolution and 2) link the template models to existing domain models to support, to some extent, requirements verification and auto-filling. We provide a systematic process for the creation of customizable and reusable templates, which, to the best of our knowledge, represents a novel contribution. The application of this systematic process to a subset of the ARINC-653 standard from the avionics domain, resulted in seven templates that cover various types of requirements. We developed a tool, called MD-RSuT, that supports the specification of requirements using the seven templates created for ARINC-653, and the automated verification and auto-filling of requirements using an ARINC domain model. We evaluated the applicability of the approach across domains, and its effectiveness in improving requirements quality in terms of necessity, unambiguity, completeness, singularity, and verifiability. To do so, we applied the approach on three case studies coming from different domains, namely avionics, automotive, and general purpose software. This evaluation encompasses over a thousand requirements. We also performed a quantitative and qualitative analysis of the results. The results show that RESPECT is applicable across domains, and it yields requirements with higher quality.
View
... All subsequent development, testing, and refinement are based on the defined requirements. Although the most common way to communicate and document the system requirements is the usage of natural language [27], this practice is susceptible to several problems [28]. To address the possible ambiguity, vagueness, complexity, and untestability that can arise in using natural language requirements, multiple studies have proposed the adoption of requirement templates. ...
Generative Artificial Intelligence for Model-Based Graphical Programming in Automotive Function Development
Preprint
  • Mar 2025
The recent development in large language models (LLMs) enhanced their ability to write code in different programming languages based on natural language text input. However, to the best of the authors’ knowledge, there has been no LLM-based study that focuses on the generation of functions in a graphic programming language. Developing a specialised LLM for generating functions in MATLAB Simulink, a widely utilised graphical programming environment in the automotive industry, holds promise for significantly boosting efficiency and reducing development time in function development. The primary objective of this study is to automate: (1) the generation of MATLAB Simulink functions from software requirements, and (2) the creation of documentation for existing functions. To achieve this, two open-source foundational LLMs with 7 billion parameter (7B) have been fine-tuned. To overcome the scarcity of training data, using the chat generative pre-trained transformer (ChatGPT) GPT-3.5-turbo language model, a modified self generated instructions (self-instruct) approach is employed to generate synthetic training data. Subsequently, as a post-processing step, a repair algorithm is utilised to improve the quality of the generated data. This study reports on the quality of the generated data and the improvements made to it. Furthermore, a testing benchmark is developed to test LLMs performance for graphical programming in MATLAB Simulink. We show that the fine-tuned LLMs, despite having 7B parameters, outperformed ChatGPT GPT-3.5-turbo by 53% and ChatGPT more advanced GPT-4 language model by 20% on the benchmark.
View
... Este estudo foi desenvolvido em virtude da percepção dos autores da utilização de linguagem natural não estruturada na escrita de requisitos de stakeholders não ser adequada para a definição de requisitos tendo em vista a ocorrência de problemas como ambiguidade, falta de precisão, complexidade, omissão, duplicidades, falta de concisão. Foram propostos padrões para a escrita de requisitos: uma estrutura genérica, outras cinco especializações de acordo com o tipo de requisito a partir da estrutura genérica e uma estrutura combinada [9], conforme apresentada na Tab 1. ...
Uma Proposta de Padrões de Sintaxe de Requisitos no Idioma Português
Conference Paper
  • Jan 2023
Requisitos permeiam todo o ciclo de vida de um sistema, desde a etapa de identificação das necessidades das partes interessadas, incluindo as atividades de verificação e validação, bem como operação, suporte, até o descarte. Para tal, deve-se observar o processo pelo qual estes requisitos são estabelecidos, isto é, as disciplinas que compõem a Engenharia de Requisitos, a fim de garantir que os requisitos sejam completos, coerentes e corretos, seja a declaração de requisito per se ou o documento contendo o conjunto de requisitos. Entretanto, observando práticas realizadas durante o desenvolvimento de um sistema, tem-se que programas problemáticos tendem a apresentar requisitos incertos, irrealistas ou instáveis. A organização de requisitos em uma estrutura adequada pode auxiliar nestes aspectos, além da redução da quantidade de requisitos, detecção de duplicidades e omissões, dentre outros. Este trabalho, portanto, pro-põe a utilização de padrões de sintaxe de requisitos em português, dentro do contexto da ferramenta de MBSE Capella, a fim de auxiliar no desenvolvimento de requisitos em diferentes níveis hierárquicos, tais como requisitos de usuário, e requisitos de sistema. Desta forma, serão identificados em literaturas consagradas de requisitos, atributos e características considerados necessários para atingir requisitos de qualidade, além de entender os requisitos-modelos em inglês propostos e assim viabilizar uma proposição de padrão de sintaxe em português contemplando tais considerações. Como resultado deste trabalho, identifica-se como oportuno a ampla divulgação do conhecimento na área de engenharia de requisitos na comunidade brasileira e a mitigação de problemas envolvendo requisitos de baixa qualidade, principalmente no que tange a questões de idioma.
View
... NL-based requirements (Wiegers & Beatty 2013;Mavin et al. 2009;Whittle et al. 2010) are requirements formulated in the form of unrestricted NL text, or NL text, restricted in a certain way. NL-based requirements are easy to learn and are supported by a wide variety of tools and education materials. ...
UOOR: Seamless and Traceable Requirements
Preprint
Full-text available
  • Feb 2025
In industrial practice, requirements are an indispensable element of any serious software project. In the academic study of software engineering, requirements are one of the heavily researched subjects. And yet requirements engineering, as practiced in industry, makes shockingly sparse use of the concepts propounded in the requirements literature. The present paper starts from an assumption about the causes for this situation and proposes a remedy to redress it. The posited explanation is that change is the major factor affecting the practical application of even the best-intentioned requirements techniques. No sooner has the ink dried on the specifications than the system environment and stakeholders' views of the system begin to evolve. The proposed solution is a requirements engineering method, called UOOR, which unifies many known requirements concepts and a few new ones in a framework entirely devised to accommodate and support seamless change throughout the project lifecycle. The method encompasses the commonly used requirements techniques, namely, scenarios, and integrates them into the seamless software development process. The work presented here introduces the notion of seamless requirements traceability, which relies on the propagation of traceability links, themselves based on formal properties of relations between project artifacts. As a proof of concept, the paper presents a traceability tool to be integrated into a general-purpose IDE that provides the ability to link requirements to other software project artifacts, display notifications of changes in requirements, and trace those changes to the related project elements. The UOOR approach is not just a theoretical proposal but has been designed for practical use and has been applied to a significant real-world case study: Roborace, a competition of autonomous racing cars.
View
... To increase the practical usefulness of the guidelines, we formulated them as implementable system requirements. To structure the requirements, we adopted the Easy Approach to Requirements Syntax (EARS) method [8] which provides constraints for how the requirements should be formulated. We discuss the pillars and their system requirements in more detail in Table 1. ...
Leveraging Large Language Models for Realizing Truly Intelligent User Interfaces
Preprint
  • Jan 2025
The number of published scholarly articles is growing at a significant rate, making scholarly knowledge organization increasingly important. Various approaches have been proposed to organize scholarly information, including describing scholarly knowledge semantically leveraging knowledge graphs. Transforming unstructured knowledge, presented within articles, to structured and semantically represented knowledge generally requires human intelligence and labor since natural language processing methods alone typically do not render sufficient precision and recall for many applications. With the recent developments of Large Language Models (LLMs), it becomes increasingly possible to provide truly intelligent user interfaces guiding humans in the transformation process. We present an approach to integrate non-intrusive LLMs guidance into existing user interfaces. More specifically, we integrate LLM-supported user interface components into an existing scholarly knowledge infrastructure. Additionally, we provide our experiences with LLM integration, detailing best practices and obstacles. Finally, we evaluate the approach using a small-scale user evaluation with domain experts.
View
... Another specific area is the application of controlled language and the QA of controlled language. RETA [4] specifically analyzes requirements that are written via certain requirements patterns (such as with the EARS template [54]). Their goal is to detect both conformance to the template but also some of the ambiguities as defined by Berry et al [7]. ...
Rapid quality assurance with Requirements Smells
Preprint
  • Nov 2016
Bad requirements quality can cause expensive consequences during the software development lifecycle, especially if iterations are long and feedback comes late. %-- the faster a problem is found, the cheaper it is to fix. This makes explicit the need of a lightweight detection mechanism of requirements quality violations. We aim at a light-weight static requirements analysis approach that allows for rapid checks immediately when requirements are written down. We transfer the concept of code smells to Requirements Engineering as Requirements Smells. To evaluate the benefits and limitations, we define Requirements Smells, realize our concepts for a smell detection in a prototype called Smella and apply Smella in a series of cases provided by three industrial and a university context. The automatic detection yields an average precision of 59% at an average recall of 82% with high variation. The evaluation in practical environments indicates benefits such as an increase of the awareness of quality defects. Yet, some smells were not clearly distinguishable. Lightweight smell detection can uncover many practically relevant requirements defects in a reasonably precise way. Although some smells need to be defined more clearly, smell detection provides a helpful means to support quality assurance in Requirements Engineering, for instance, as a supplement to reviews.
View
... In some scenarios, these requirements also contain additional elements, such as "to do" or "to make". Moreover, requirements in UAV dataset adhere to EARS (Easy Approach to Requirements Syntax) format [75]. This dataset consists of 6,670 requirements pairs labeled as either conflict or neutral. ...
PassionNet: An Innovative Framework for Duplicate and Conflicting Requirements Identification
Preprint
  • Dec 2024
Early detection and resolution of duplicate and conflicting requirements can significantly enhance project efficiency and overall software quality. Researchers have developed various computational predictors by leveraging Artificial Intelligence (AI) potential to detect duplicate and conflicting requirements. However, these predictors lack in performance and requires more effective approaches to empower software development processes. Following the need of a unique predictor that can accurately identify duplicate and conflicting requirements, this research offers a comprehensive framework that facilitate development of 3 different types of predictive pipelines: language models based, multi-model similarity knowledge-driven and large language models (LLMs) context + multi-model similarity knowledge-driven. Within first type predictive pipelines landscape, framework facilitates conflicting/duplicate requirements identification by leveraging 8 distinct types of LLMs. In second type, framework supports development of predictive pipelines that leverage multi-scale and multi-model similarity knowledge, ranging from traditional similarity computation methods to advanced similarity vectors generated by LLMs. In the third type, the framework synthesizes predictive pipelines by integrating contextual insights from LLMs with multi-model similarity knowledge. Across 6 public benchmark datasets, extensive testing of 760 distinct predictive pipelines demonstrates that hybrid predictive pipelines consistently outperforms other two types predictive pipelines in accurately identifying duplicate and conflicting requirements. This predictive pipeline outperformed existing state-of-the-art predictors performance with an overall performance margin of 13% in terms of F1-score
View
Expressing the Needs in Smart Home: What is the End Users’ Favorite Way
Article
  • Jan 2025
  • ACM T COMPUT-HUM INT
The Internet of Things (IoT) has witnessed remarkable advancements, enabling smart homes with user-centric features. To effectively articulate their personalized needs, it becomes crucial to equip end users with programming capabilities. Currently, the executable Trigger-Action Programming (TAP) rules have become the mainstream paradigm for IoT end-user programming. To simplify the creation of TAP rules, many studies have proposed various levels of requirements abstraction, yet the connections between them remain unclear. In this paper, we employ a mixed-methods study to identify the preferred way of expressing end users’ requirements in practical scenarios. Subsequently, from the perspective of requirements engineering, we categorize the needs of smart home into three hierarchical levels of abstraction. Accordingly, we propose an innovative multi-level requirements description language called SH-RDL . We also address potential challenges and conduct an evaluation to validate SH-RDL ’s usability, understandability and error-prevention. This will aid in the broader adoption of IoT end-user programming.
View
Integrating axiomatic design and design structure matrix into model‐based systems engineering: A case study for emergency response space mission design
Article
  • Dec 2024
  • SYSTEMS ENG
With the increasing complexity of space missions due to technological advancements, model‐based systems engineering (MBSE) has become a new paradigm for systems engineering (SE), providing a more formal and accurate system engineering process while reducing costs. However, MBSE does not offer a comprehensive approach for effective system function design. This study introduces a conceptual design approach that integrates axiomatic design (AD) and design structure matrix (DSM) into the MBSE paradigm and applies it to functional and logical design. The research focuses on utilizing the design knowledge encapsulated by system models to facilitate the development of new systems. System models have the potential to bridge different design domains in AD, reveal implicit associations, and offer functional and structural analysis capabilities. To validate our approach, we conducted a case study on an Emergency Response Remote Sensing mission system. This case study demonstrates that our proposed methodology lends formality to traditional AD by deriving AD matrices and DSMs from a system model, thereby enhancing the system's structure while curtailing elemental alterations during iterative design processes. The novelty of this research lies in realizing the integration of traditional design theory with the model paradigm of SE, leading to an effective design solution during the functional and logical design stages.
View
Capturing security requirements through misuse cases
Article
Full-text available
Use cases have become popular for eliciting, communicating and documenting requirements. They support functional requirements well, but provide less support for working with extra-functional requirements, such as security requirements. With the advent of e -and m -commerce applications, such requirements are growing in importance. This paper discusses a conceptual extension of use cases, namely 'misuse cases', describing actions that should not be possible in a system. In particular, we discuss templates for their textual description.
View
Attempto Controlled English Meets the Challenges of Knowledge Representation, Reasoning, Interoperability and User Interfaces.
Conference Paper
Full-text available
  • May 2006
We present Attempto Controlled English — a user- friendly first-order logic language with a rich English syntax — and its associated tools, and demonstrate how they meet the challenges of knowledge representation, reasoning, interoperability and user interfaces created by large software projects like the semantic web.
View
Guide to Requirements SL-07 - Template with examples v4
Book
  • Jan 2016
This booklet contains a software requirements specification for a complex system - and a guide to why it is written in this way. The specification itself can be used as inspiration and template for other systems. Until now it has been used successfully in 100+ projects ranging from public acquisitions to product development and agile in-house projects.
View
View
Writing Good Requirements
Article
  • Aug 1994
The primary reason that people write poor requirements is that they have had no training or experience in writing good requirements. This paper will address what makes a good requirement. It will cover some of the most common problems that are encountered in writing requirements and then describe how to avoid them. It also includes examples of problem requirements and how to correct them.
View
View
View
The Active Database Management System Manifesto: A Rulebase of ADBMS Features
Conference Paper
  • Sep 1995
  • Lect Notes Comput Sci
Active database systems have been a hot research topic for quite some years now. However, while "active functionality" has been claimed for many systems, and notions such as "active objects" or "events" are used in many research areas (even be- yond database technology), it is not yet clear which functionality a database manage- ment system must support in order to be legitimately considered as an active system. In this paper, we attempt to clarify the notion of "active database management system" as well as the functionality it has to support. We thereby distinguish mandatory features that are needed to qualify as an active database system, and desired features which are nice to have. Finally, we perform a classification of applications of active database sys- tems and identify the requirements for an active database management system in order to be applicable in these application areas.
View
Petri Nets
Article
  • Sep 1977
The basic concepts and uses of Petri nets are surveyed. The structure of Petri nets, their markings and execution, several examples of Petri net models of computer hardware and software, and research into the analysis of Petri nets are presented, as are the use of the reachability tree and the decidability and complexity of some Petri net problems. Petri net languages, models of computation related to Petri nets, and some extensions and subclasses of the Petri net model are also briefly discussed.
View
View