Professional Documents
Culture Documents
Manfred Broy
Technische Universität München, Institut für Informatik
80290 München
e-mail: broy@informatik.tu-muenchen.de
FAX: +49 89 / 289 28183
Abstract
1. Introduction
The general purpose of an embedded hardware/software system is to regulate a physical device
by sending control signals to actuators in reaction to input signals provided by its users and by
sensors capturing the relevant state parameters of the system. We therefore call an embedded
system also a reactive system. The control is achieved by processing information coming from
sensors and user interfaces and controlling some actuators that regulate the physical devices.
The reliability of a system with an embedded software system depends on well-actuated
reactions according to the users’ expectations, even in exceptional situations. This reaction of
the overall system is to a critical extend determined by the embedded software system that is a
part of the overall system. The task of the embedded system is to guarantee, as far as the
physical parts function properly, the adequate behaviour of the overall system. Therefore the
requirements for the embedded system have to be captured and formulated in terms of the
behaviour of the overall system.
In the development of embedded reactive systems the specification of the required
functionality is a most critical issue. Statistics show that in typical application areas more than
1) This work was partially sponsored by the Sonderforschungsbereich 342 "Werkzeuge und Methoden für die
Nutzung paralleler Rechnerarchitekturen", by the BMBF project KorSys, and the industrial research project
SysLab.
-2-
50 % of the problems (malfunctions) that occur within delivered systems and that are reported
by the customers are not problems with the correctness of the implementation but with
misconceptions in capturing the requirements (called conceptual requirements errors).
Embedded systems - especially when running in risk critical applications - demand a high
degree of reliability. Basis of the reliability of a system is the careful capturing of the adequate
user requirements.
In the pre-phase (1) the overall goals and marketing issues of the planned product are
determined. On this basis a first informal rough requirements document is written. It may
contain a number of alternatives and list given constraints.
Based on these results, in the main phase (2) the more technical requirements engineering is
carried out. Its goal is to produce an agreement and understanding in and between the groups
involved with respect to the requirements. Finally, these should be completely and precisely
documented in the technical requirements specification. We mainly concentrate on the main
phase (2) in the following.
The requirements engineering phase is followed by the system design phase. Often it is not
so easy to get a clear cut between these two phases. In an incremental development process the
requirements may be revised after the design and a first experimental implementation phase.
Therefore changeability and adaptability are important issues for requirements specifications.
Moreover, breaking down the system into subcomponents in the design asks for a specification
of the component requirements and often a mini requirements engineering process.
-3-
A very helpful technique in capturing function requirements are scenarios or use cases. There
typical cases of interactions between the user, the system, and the environment are described.
We recommend to work with a number of scenarios (use cases) and views of the system usage
that describe typical functions and services of a system. There we should define as far as
relevant for the system:
• the user processes at the interface of the system,
• its modes of operation,
• critical situations and conditions,
• forms of operations and the user model.
Use cases are an excellent means to let the use participate in the requirements capture process.
The goal of the requirements engineering process is not only to produce a couple of documents
that describe the requirements, its goal is also to achieve a common system understanding of the
development team at an abstract, logical, implementation independent level.
Often it is useful to distinguish between exceptional and non-exceptional cases in
requirements: In general, it is advisable to work in requirements engineering only with non-
exceptional cases to begin with and then add the treatment of exceptional cases in a systematic
way.
Informal Requirements
Domain Analysis
A special case are hybrid systems where parts of the system are modelled by discrete event
systems and other parts are time or message continuous. Then mixed "hybrid" description
formalisms have to be used.
EV
Each arrow stands for an input or an output channel. These arrows represent channels on which
streams of discrete messages or continuous signals are exchanged. Note that the control device
is not connected to the environment but only to the user interface and the physical device. Note,
moreover, that we have seen the user and the environment of the physical device as a more
vague entity where the connection between the user and the environment is left unspecified. We
also have indicated that the interaction between the physical device and its environment can be
rather sophisticated such that it cannot easily be described by the concept of a discrete message
exchange over channels.
Often the communication links between the different components of a system need particular
care. They may work with special communication links and special protocols. These aspects,
however, are rather a part of the design than of the requirements specification, in general.
-8-
views in requirements specifications1). Even if there is a direct connection between the user
interface and the physical device this can be modelled as a special case of the CD as long as all
specifications provide appropriate black box views for the component of the distributed system.
1) Of course, the distribution of the controller, for instance for safety reasons, can be part of the
requirements; this is a typical example where requirements constrain the design.
- 11
10 -
keyboards,
The individual
joysticks,
component
etc.) andbehaviour
for displaying
can either
outputbe(like
described
signal by
lights,
input/output
screens, relations
etc.). Often
or by
state machines.
there are parts of Input/output relationsthat
the physical system describe the causality
can either be seen asbetween
part ofthe
themessages in theor of
user interface
streams of input
the controlled and thedevice.
physical messages in the
Again thestreams of output
structuring has toactions without
be decided providing
on by the systema concrete
model forThe
engineer. the state
user ofinterface
a component. State
can again bemachines
decomposed describe
into athe behaviour
number of a component
of distributed user in
terms of its state and state changes in relation to time and input/output actions.
stations.
6. Conclusion
8. The Semantic Views
Embedded
According systems
to the structure
are an important
we have described
area of application
in the previous
of reactive
section
systems.
we have
Their
to proper
specify formal
the
and
following
methodological
views on antreatment
embedded is of
system
majortoimportance.
deal with proper
For abehaviours:
systematic development standards
are•needed such as process models and reference architectures.
the behaviours (observations) showing the causality between It isuser
the purpose of the
actions and this paper to
give an overview and
interactions to physical
of the outline the general
device withissues of to
respect requirements engineering for embedded
its environment,
systems. The process
• the behaviour of physical
of the requirements engineering
device showing isthedecisive forbetween
causality the quality
theof service
control of the
signals
system. For embedded systems it is typically a part of the systems engineering. It
send by the controller and the sensor signals and the observable actions of the physical has to pay
attention to all aspects of the system behaviour and therefore needs models that go beyond the
device,
classical
• the behaviourfor
models ofhardware or software
the controller systems.
consisting of the causal relationship between the input from
the user interface and the sensors and the output to the user interface and to the actuators,
• the user interface consisting of the causal relationship between the input from users and
Acknowledgement
the controller and the output to the user and the controller.
All
Thisthese
workviews of an embedded
was strongly influencedsystem have to be
by discussions formally
within specified
a joint in a proper
project with the ESGdevelopment
and my
process. They
colleagues Evacomprise all and
Geisberger the requirements
Jan Philipps. for the overall system and its parts.
7. Description Techniques
References
As we described above the requirements capture introduces several views. These views mainly
[IEEE 94]
describe parts of the system as components. The modelling of the components of an embedded
IEEE Std 830 -1993: IEEE Recommended Practice for Software Requirements Specification.
system, in general, should consist of the following descriptions:
IEEE 1994
• the syntactic
[Parnas 92] interface,
D. •L.the typicalAprocesses
Parnas: Techniqueofforinteraction
Software(event
Moduletraces),
Specification with Examples. CommACM
•
1992 the individual component behaviour.
[Pohl 96]
The syntactic interface is described by the actions that connect a component with its
K.
environment. Such actions Requirements
Pohl: Process-Centered may be discreteEngineering,
such as Research Studies Press Ltd.: Tannton,
John Wileg & or
• receiving Sons Inc.: New
sending York,and
messages 1996
signals,
• reading or writing attributes (variables).
We may also work with continuous signals and continuous state variables, of course.
Important, in general, is the timing of the actions.
The process of interaction may be described by message sequence charts or process
diagrams. By such techniques we represent use cases which are typical runs of the system
showing the causal relationship of the individual actions of the components and the
environment. It strongly depends on the type of system whether we try to give a complete set of
use cases or only selected class of instances.