A Framework for Reasoning about Requirements Evolution

10 downloads 27913 Views 215KB Size Report
so do the software boundaries and business rules governing the utilisation of that ... Dept. of Computer Science, University of Sydney, NSW 2006, Australia.
A Framework for Reasoning about Requirements Evolution D. Zowghi1 , A. K. Ghose2 , P. Peppas3

Abstract

We present a logical framework for modeling and reasoning about requirements evolution in the construction of information systems. We illustrate how a suciently rich meta-level logic can formally and accurately capture intuitive ways of handling incompleteness and inconsistency in requirements and how operators that map between theories of this meta-level logic can provide a formal basis for requirements evolution. Speci cally, our framework views a requirements model as a theory of some nonmonotonic logic, while requirements evolution involves mapping one such theory to another. We argue that the AGM theory of belief change [1] should provide the formal basis for the theory change component. We demonstrate our ideas by using the THEORIST system for nonmonotonic reasoning. As a demonstration of the utility of our framework, we analyze operators in the Telos system for requirements modeling to identify some obvious shortcomings. We then show how such problems can be addressed by de ning operations founded on the AGM belief change theory that map one nonmonotonic theory to another. We argue that our framework provides a powerful tool both for analyzing and comparing existing systems and for developing automated systems to support requirements evolution. Keywords: AI applications in software engineering, default reasoning, belief revision. Multiple Submissions: ECAI-96

1 Introduction If we regard a theory as the deductive closure of a given set of axioms, then in essence software engineering is nothing more than the building and managing of large theories. This theory construction typically commences with a collection of activities referred to as Requirements Engineering. The major objective of requirements engineering is de ning the purpose of a proposed system and capturing its external behaviour. Every phase of software development is characterised by continued evolution. Requirements evolve because requirements engineers and users cannot possibly envision all the ways in which the system can be utilised. The environment where the software is situated also changes and so do the software boundaries and business rules governing the utilisation of that software. Implementation has to be changed because designs evolve and defects have to be xed [17]. Clearly, support for evolutionary processes is needed at all stages of software construction but especially in requirements engineering since it is the requirements modi cations that usually initiates this cycle of change throughout software development. CSIRO-Macquarie University Joint Research Centre for Advanced Systems Engineering, Macquarie University, NSW 2109, Australia. [email protected] 2 Knowledge Systems Group, Basser Dept. of Computer Science, University of Sydney, NSW 2006, Australia. [email protected] 3 Dept. of Computing, School of Mathematics, Physics, Computing and Electronics, Macquarie University, NSW 2109, Australia. [email protected] 1

This paper focusses on the problem of managing requirements evolution. This involves handling constant changes in requirements and maintaining the consistency and completeness of the requirements model. We suggest that the management of requirements evolution is most e ective when it is based on a formal underlying framework. The major contributions of this paper are twofold. First, we present a formal framework that can serve as a basis for reasoning with and about requirements. Second, we provide a formal basis for requirements evolution via operations de ned in this formal framework. It is assumed that the requirements model is represented in some formal language with a well-de ned semantics (an example of such a language is Telos [12] [10]). At a meta-level, we view the requirements model as a nonmonotonic theory, speci cally a default theory as formalized in [15] [14]. This enables us to obtain complete requirements models by taking initial incomplete requirements speci cations and applying relevant defaults from the domain. As well, the formal machinery of generating default extensions is available to resolve contradictions and analyze and select from amongst multiple possible views of a requirements model (corresponding to multiple possible extensions of the corresponding default theory). We then analyze operators for requirements evolution in the Telos requirements modeling language using our our default-based framework and point out some obvious shortcomings of these operators. This serves to motivate the development of a new set of operators which may serve as the formal basis for requirements evolution. We apply belief revision techniques, as formalized in the so-called AGM theory [1] [4], to de ne operations through which new requirements may be added or existing requirements may be retracted from a default-based representation of a requirements model. We show how this new approach avoids the problems we identify with the operators in the Telos framework. This work thus presents a principled approach to reasoning about requirements evolution which can serve as the basis for analyzing existing requirements engineering techniques and, at the same time, provide a useful starting point for de ning semantically well-founded systems for managing requirements representation and evolution.

2 A formal basis for reasoning about requirements Consider the requirements engineering process involved in developing a wordprocessor.The initial problem statement only speci es that this wordprocessor is intended to be used by children. Two assumptions may be made immediately that are related to the domain knowledge and useability. Firstly, since all word processors by default have a spell check functionality, we may specify a requirement for existence of a spelling check function. Secondly, since it is intended for use by children, we may add a set of requirements for the ability to change the colour of screen and text etc. These assumptions are added to the initial statement to represent our current state of belief about the software we are to develop and are then presented to the problem owners for validation. They, in turn, con rm that spell check is indeed a requirement but since they will only have monochrome terminals available there is no need for colour change. So we need to

revise our set of beliefs to contract those requirements related to colour. Requirements engineering is typically initiated by the identi cation of a problem and the expression of a need for a possibly computerised solution. Requirements engineers normally examine this brief problem statement and based on past experience and possibly limited knowledge of the application domain make assumptions and use defaults to expand it into a more complete expression of the requirements. This expanded version of requirements is then presented to users for validation and correction. Requirements are normally elicited in natural language, during iterative interactions between the users and requirements engineers. Consequently, the expression of requirements are typically ambiguous, inconsistent, and incomplete. During requirements analysis and modeling, alternative models for the system are elaborated and a conceptual model of the enterprise as seen by the system's eventual users is produced. The speci cations are validated and analyzed against correctness properties (such as completeness and consistency), and feasibility properties (such as cost and resources needed). Although the nal product of requirements engineering is typically a document written almost entirely in natural language, called the Requirements Speci cation, we shall focus our attention on the requirements model, from which the requirements speci cation is generated. Our account of the requirements engineering process this far suggests that any formal framework for reasoning about requirements must satisfy the following three properties:  It must include an explicit notion of defaults so that tentative assumptions and default knowledge about the domain can be brought to bear on an incompletely speci ed initial set of assumptions to obtain a more complete requirements model.

 It must permit the identi cation of consistent alternative models which resolve any con-

tradictions arising in an initial set of potentially contradictory and incompletely speci ed requirements.

 It must provide an adequate account of how a requirements model evolves as a consequence

of new requirements being added or existing requirements being retracted. The model we present in Figure 1 achieves precisely these three objectives. Fundamentally, a requirements model is viewed as a theory in some nonmonotonic logic. Requirements evolution maps one such theory to another through a process of rational belief revision. The two operators j and  encode the two basic, orthogonal processes in our framework.  The operator j encodes the process of nonmonotonic inference. We start with an initial incomplete set of requirements and apply relevant defaults or tentative assumptions about the problem domain to complete the requirements model. By applying the j operator, we obtain the set of nonmonotonic consequences sanctioned by the requirements model represented as a nonmonotonic theory. There can be possibly multiple, mutually contradictory sets of nonmonotonic consequences (also called extensions). A choice is made from

Incomplete Requirements

*

-

Revised Requirements

?j Complete Requirements Figure 1: Modelling Requirements Evolution amongst these extensions through a process of iterative interaction between users and requirements engineers. For the purpose of exposition in this paper, we shall commit to a speci c nonmonotonic formalism, namely the THEORIST system [15] [14], which we shall describe in the next section.

 The operator  encodes the process of belief revision. The AGM theory of belief change

[1] [4], which we describe in the next section, provides a semantic basis for rational belief revision. We maintain that any account of requirements evolution should be based on this semantically well-founded theory.

3 Formal Preliminaries

3.1 Belief change: Preliminaries Belief change is the area of research that studies the process by which a rational agent changes her beliefs about the world in the light of new information (possibly contradicting her current belief state). Much of the research in the area is based on the work of Alchourron, Gardenfors and Makinson [1] who have developed a framework (widely known as the AGM framework) for studying the process of belief revision. In the AGM framework, the new information is represented by a sentence of the logical language L, belief states are represented as theories of a L, and the process of belief revision is modelled as a function ? over theories, called a revision function, satisfying certain postulates (known as the AGM postulates) that intend to capture the essence of rational belief revision. The guiding idea used in formulating these postulates was that the new belief state ought to di er as little as possible from the old belief state in order to accommodate the new information. This is known as the Principle of Minimal Change. Let Cn(?), for any set of sentences ? of L, denote the logical closure of ? in L. A theory K of L is any set of sentences of L closed under logical implication, i.e. K = Cn(K ). We shall denote the set of all consistent theories of L by KL . Then, a revision function ? is any function from KL  L to KL, mapping hK; 'i to K ?' , which satis es a set of eight postulates. We shall not

present these postulates here for brevity. In essence, these postulates require that the outcome of a revision operation be a logically closed consistent theory, that the revision operation succeed (i.e., the new information should be consequence of the resulting theory), the the outcome be independent of the syntactic form of the input and the operation involve minimal change. The AGM framework de nes, in a similar way, the operations of contraction, in which some sentence  is retracted from K to obtain K?, and expansion, in which some sentence  is added to K to obtain K+ , given a guarantee that  is consistent with K . Postulates similar to the revision postulates exist for de ning rational contraction and expansion. The operations of revision, contraction and expansion may be related via the so-called Levi identity [11]: K = (K:? )+ . Given a theory K and a sentence ' (representing the current belief state and the new information respectively) the revision postulates con ne, but do not uniquely determine the result K ?' of revising K by '. This is mainly due to the fact that the exact outcome of the revision process depends on certain extra-logical factors that are domain-dependent. It turns out that these domain-dependent factors can be encoded with an ordering  on the sentences of K , called an epistemic entrenchment, that represents the relative epistemic importance of the agent's beliefs. The epistemic importance of a belief in K determines its fate when K is revised. Loosely speaking, for any two formulas ' and such that '  , whenever a choice exists between giving up ' and giving up the former will be surrendered in order to minimize the epistemic loss. With this revision policy, an epistemic entrenchment conveys all the necessary information to uniquely determine the outcome of revising K by any sentence ' [5]. While the AGM framework provides a useful abstraction for the belief change process, it does not lend itself to implementation in a straightforward way. Several studies (such as [13]) have therefore focussed on belief bases, which are nite sets of sentences, instead of logically closed theories, as representations of beiief states. Belief base approaches consider priority relations on the belief base, instead of entrenchment relations de ned on the entire language, in determining the outcome of a belief change step. In the rest of this paper, we shall only consider AGM-rational operators (i.e., operators which satisfy the relevant AGM postulates) for belief bases.

3.2 Nonmonotonic inference: Preliminaries The model we have presented in the previous section commits to a nonmonotonic as a metalevel representation language for requirements. Any default-based formalism (such as default logic [16]) becomes an obvious candidate for such a representation language. A default theory includes explicit language constructs for asserting tentative or default knowledge. The accompanying machinery for generating extensions resolves potential contradictions amongst defaults and provides consistent views of the world sanctioned by the default theory. Our choice of the THEORIST nonmonotonic reasoning system for the purposes of this work is not entirely arbitrary. The THEORIST framework provides the features necessary for this

reconstruction and is, at the same time, simple enough to facilitate ease of exposition. Additionally, it provides several advantages over Reiter's default logic, such as avoiding situations where Reiter's default logic is too strong or too weak, guaranteeing the existence of extensions, semi-monotonicity and a constructive de nition for extensions (see [?] for a detailed discussion of how a closely related default logic, called Prerequisite-free Constrained Default Logic, improves over Reiter's default logic). The THEORIST framework envisages a knowledge base comprising of a set of closed formulas that are necessarily true, called facts, and a set of possibly open formulas that are tentatively true, called hypotheses. Default reasoning in this framework involves identifying maximal scenarios (i.e., extensions), where a scenario consists of the set of facts together with some subset of the set of ground instances of the hypotheses which is consistent with the set of facts. The framework can be augmented with constraints, which are closed formulas such that every THEORIST scenario is required to be consistent with the set of constraints. Following [14], we can present the following de nition of a maximal scenario.

De nition 3.1 For a THEORIST speci cation (F; H; C ) where F is the set of facts, H is the set of hypotheses and C is the set of constraints, such that F [ C is satis able, a maximal scenario is a set F [ h such that h  H and F [ h [ C is satis able. In viewing requirements models as default theories, speci cally THEORIST knowledge bases, requirements that are known to be true of the domain, together with domain knowledge are treated as facts (i.e., elements of F ) while defaults or tentative requirements are treated as elements of H . We shall not discuss the role of the set C now, but shall point out that it plays a crucial role when requirements are retracted.

4 A logical reconstruction of belief change in Telos The Telos system [12] [10] is a powerful requirements modeling language with a formally speci ed syntax and semantics. In this section, we shall demonstrate the utility of our framework by showing how a reformulation of Telos in this framework brings out some obvious shortcomings in the Telos knowledge base update operators. To do this, we shall consider an abstract Teloslike language. We shall assume that a Telos knowledge base consists of a set of assertions in a rst-order language augmented with a temporal argument. The underlying notion of time is that of Allen's interval-based framework [2]. Every atom in this language is thus of the form p(~x; t), where ~x is a vector of terms and t denotes a time interval. The assertion p(~s; t) thus states that the property p is true for the vector of ground terms ~s over the interval given by t. The Telos framework provides a set of three operations for updating a knowledge base:

 TELL: The TELL command is used to introduce a new object in the knowledge base or to attach attributes to an already de ned one.

 UNTELL: The UNTELL command is used to assert that a speci c relationship of an object that has been explicitly de ned does not hold for a certain period of time.

 RETELL: The RETELL command is used to assert that a speci c relationship that has been explicitly created for a certain object does not hold for certain time period and some other relationship holds.

Super cially, TELL, UNTELL and RETELL appear to be implementations of the three basic belief change operators, expansion, contraction and revision, respectively. Like expansion, TELL adds new beliefs to a belief state with no provision for inconsistency handling. Like contraction, UNTELL retracts beliefs. RETELL, like revision, involves the addition of new beliefs with a concommittant removal of prior beliefs which are inconsistent with the new one. As well, RETELL is de ned in a manner analogous to the Levi identity [11], as a contraction (UNTELL) followed by an expansion (TELL). Despite these super cial similarities, there are crucial di erences between these operators and the basic belief change operators.

 RETELL and UNTELL operations do not consider possible violations of integrity con-

straints. Thus only explicit contradictions need to be considered. This makes the problem of revising the knowledge base almost trivial, but ignores the possibility of integrity constraint violations in real-life situations.

 Unlike expansion, the TELL operation results in the addition of a default. Thus TELL p(~x; t) results in the addition of a default rule in Reiter's default logic [16] of the form: p(~x;t):M (t meets+1) (t meets+1)

This states that the time interval associated with the TELL assertion is right in nite as long as it is consistent to assume so. It may be inconsistent to assume so in case there is an explicit UNTELL operation of the form UNTELL p(~x; t0 ) such that the intervals t and t0 intersect (in which case the default is blocked for an interval corresponding to the intersection of t and t0 ) or if there is a RETELL operation of the form RETELL p(~y; t0 ); q(~z; t00 ) (where p is the relation being retracted and q is the new relation being asserted in its place) such that ~x 6= ~z and t and t00 intersect (in which case the default is blocked for an interval corresponding to the intersection of t and t00 ). Clearly, a Telos knowledge base is a default theory, and any account of the dynamics of such a knowledge base must be formulated in terms of the dynamics of a default theory. Since the literature on Telos provides no such account, we shall attempt to provide one in this section, to set the stage for de ning a model of requirements evolution through belief change. In our logical reconstruction of the dynamics of a Telos knowledge base, we shall view a Telos knowledge base as a THEORIST speci cation (F; H; C ). The TELL, UNTELL and RETELL

operations can then be viewed as operations on a THEORIST speci cation (F; H; C ). We shall focus on logical contradictions that arise between assertions over the same time interval and shall ignore the temporal argument for the rest of the discussion. We shall assume that the set of Telos integrity constraints IC is included in F . Following well-established conventions in the literature on belief change, let (F; H; C )TELL denote the outcome of performing a TELL   operation on a Telos knowledge base (F; H; C ) and (F; H; C )UNTELL denote the outcome of  denotes the an UNTELL  operation on a TElos knowledge base (F; H; C ). (FH; C )RETELL 1 ;2 outcome of a RETELL operation in which 1 is retracted and 2 is asserted in its place.

 Let (F; H; C )TELL = (F 0 ; H 0 ; C 0 ). Then: 

{ F0 = F { H0 = H [  { C0 = C  Let (F; H; C )UNTELL = (F 0 ; H 0 ; C 0 ). Then: 

{ F0 = F { H0 = H { C 0 = C [ :  Let (F; H; C )RETELL = (F 0 ; H 0 ; C 0 ). Then: 1 ;2

{ F0 = F [  { H0 = H ?  { C0 = C

2 1

For the THEORIST speci cation (F; H; C ) to be a Telos knowledge base, it must have a single maximal scenario. Furthermore, Telos appears to include an implicit assumption that the set of TELLed propositions is consistent, i.e., the set H is satis able. Clearly, such an assumption is unrealistic, since in real-life there are no guarantees that inputs to the knowledge base will not contradict each other. The following results provide a formal speci cation of the correctness of the UNTELL and RETELL operations as formulated above.

Theorem 1 If (F; H; C ) is a Telos knowledge base, and C [:[F is satis able, then (F; H; C )UNTELL 

is a Telos knowledge base with a unique maximal scenario which does not contain .

Theorem 2 If (F; H; C ) is a Telos knowledge base, and F [[C is satis able, then (F; H; C )RETELL 

is a Telos knowledge base with a unique maximal scenario which contains .

As we have noted earlier, the UNTELL operation ignores the possibility of violating the integrity constraints and is thus guaranteed to be correct only in the case that C [ : [ F is satis able, where  is the relation being UNTELLed. The same holds for the RETELL operation, which is guaranteed to be correct only in the case that F [  [ C is satis able, where  is the relation being RETELLed. Example 4.1 Consider an example which continues on the theme of building a requirements model for a wordprocessor. Let screencolour denote the requirement that the monitor screen be colour, and screenmono denote the requirement that the monitor screen be monochrome. Let targetadults denote that the target market for the wordprocessor is adults while targetchildren denote that the target market for the wordprocessor is school-going children. Let the initial set of integrity constraints be given by: IC = fscreencolour $ :screenmono; targetchildren ! screencolourg Consider the following sequence of Telos knowledge base updates:  TELL wordproc

 TELL screencolour  TELL targetadults At this point the Telos knowledge base is given (F0 ; H0 ; C0 ) where:  F0 = IC

 H = fwordproc; screencolour; targetadultsg  C = fg 0

0

Let the next update be: RETELL screencolour; screenmono. The new Telos knowledge base is given by (F1 ; H1 ; C1 ) where:  F1 = IC [fscreenmonog

 H = fwordproc; targetadultsg  C = fg 1

1

Let the nal operation be: RETELL targetadults; targetchildren. At this point, Telos fails since the outcome, (F2 ; H2 ; C2 ) where:  F2 = F1 [ ftargetchildreng

 H = fwordprocg  C = fg 2

2

is an inconsistent THEORIST speci cation (F2 is unsatis able). 2

5 A default-based requirements evolution model We have seen in Section 2 how a default-based formalism is useful as a requirements modeling language. The previous section demonstrates how the well-known requirements modeling language Telos also uses a default-based formalism, although in a restricted sense. In this section, we shall provide a model for requirements evolution based on a revision scheme for default theories. This model can be viewed as a speci c instance of the general framework presented in Section 2 and we shall use it to demonstrate that it is possible to de ne operators for mapping between requirements models which are well-founded in the semantics of rational belief change. Following the approach in the previous section, we shall view a requirements model abstractly as a a THEORIST speci cation (F; H; C ). Thus, the basis for our model will be a set of operators for mapping between default theories. In general, a default theory may have several extensions (or maximal scenarios). Thus, in general, a mapping between default theories translates to a mapping between sets of theories (each theory corresponding to a potential default extension). The operators we present in this section are loosely based on similar operators de ned for a belief revision scheme for default theories in [7] [8] and [6], which in turn are closely related to operators de ned in [3]. We shall consider only operations which revise a requirements model with a new requirement, or retract an existing requirement from a requirements model. In other words, we shall not consider expansion (TELL) operations, given that there are rarely any guarantees that the new requirement being added will not con ict with some existing requirement. We shall establish some notational conventions rst. Following the literature on belief change, we shall denote the revision operation with the symbol  and the contraction operation with the symbol ?. Thus (F; H; C ) and (F; H; C )? denote the outcome of a revision with  and a contraction of , respectively, starting with a THEORIST speci cation (F; H; C ). As well, let E () denote the set of maximal scenarios of a THEORIST speci cation . Following the spirit of the AGM postulates for belief change, we shall motivate our de nition of revision/contraction operators by noting the following requirements for these operations.

 The outcome should be a consistent default theory. In the context of a THEORIST speci cation (F; H; C ), this implies that F [ C should be satis able.  The operation should be successful. Thus, every maximal scenario of (F; H; C )? must not include , while every maximal scenario of (F; H; C ) must include .

 The outcome should be independent of the syntax of the input. If   0, then E ((F; H; C )? ) = E ((F; H; C )? ) and E ((F; H; C ) ) = E ((F; H; C ) ). 0

0

 The operation should involve minimal change to the default theory. For classical theories, minimal change is ensured by establishing conformance with the AGM postulates. For default theories, this is not very straightforward, as we shall see later.

We de ne the revision operator as follows: (F; H; C ) = (F 0 ; H 0 ; C 0 ) where:

 F 0 = F  H 0 = H [ (F ? F 0 )  C 0 = C:?F 0

0

0

where 0 and ?0 are AGM-rational revision and contraction operators respectively for classical theories.

Theorem 3 Let (F; H; C ) = (F 0 ; H 0; C 0). Then: 1. F 0 [ C 0 is satis able. 2. 8e : e 2 E ((F 0 ; H 0 ; C 0 )) ! e j= . 3. If 0  , then E ((F 0 ; H 0 ; C 0 )) = E ((F; H; C ) ). 0

In the result above, the rst condition guarantees that the outcome is a consistent default theory. The second condition guarantees that the revision operation succeeds, i.e., every extension of the resulting default theory contains the new input. The third condition ensures that the operation is independent of the syntax of the input. We de ne the contraction operator as follows: (F; H; C )? = (F 0 ; H 0 ; C 0 ) where:

 F 0 = F:?C  H 0 = H [ (F ? F 0 )  C 0 = C:  0

0

0

where 0 and ?0 are AGM-rational revision and contraction operators, respectively, for classical theories. We can establish a set of properties for the contraction operation similar to those for the revision operation.

Theorem 4 Let (F; H; C )? = (F 0; H 0 ; C 0). Then: 1. F 0 [ C 0 is satis able. 2. 8e : e 2 E ((F 0 ; H 0 ; C 0 )) ! e 6j= . 3. If 0  , then E ((F 0 ; H 0 ; C 0 )) = E ((F; H; C )? ). 0

Example 5.1 We shall reformulate Example 4.1 using the new operators  and ? we have

de ned above. Unlike Example 4.1, both TELL and RETELL operations will be uniformly treated as revision () operations (thus, in the RETELL operation, the argument denoting the relation being retracted is dropped). We start with the same set of initial integrity constraints IC . After the rst three revisions with wordproc, screencolour and targetadults respectively, the requirements model (F0 ; H0 ; C0 ) is given by:

 F = IC [ fwordproc; screencolour; targetadultsg 0

 H = fg 0

 C = fg 0

Revision with screenmono generates a requirements model (F1 ; H1 ; C1 ) where:

 F = F [ fscreenmonog 1

0

 H = fg 1

 C = fg 1

Finally, revision with targetchildren will generate a requirements model (F2 ; H2 ; C2 ) where:

 F = (F )targetchildren 0

2

1

 H = F ? (F )targetchildren 2

1

1

 C = fg 2

The precise outcome will be determined by the priority relation used by the 0 operator. One possible outcome is given by:

 F = IC [ fwordproc; screencolour; targetadults; targetchildreng 2

 H = fscreenmonog 2

 C = fg 2

The point to be noted is that our framework provides support for handling contradictions, unlike Telos. 2 A crucial question is the extent to which these operators satisfy the requirement that belief revision involve minimal change. For classical theories, conformance with the AGM postulates ensures that the minimal change requirement is satis ed. However, the AGM postulates cease to be useful in the case of default theories since they do not apply to situations where the belief change operators map between sets of classical theories (default extensions). One obvious feature

of the operators we de ne is that the belief change operations on the F and C components of a THEORIST speci cation are guaranteed to be rational with respect to the AGM postulates. It has been shown in [6] that a closely related set of operators satisfy a reformulated version of the AGM postulates, under a set of reasonable conditions. Brie y, the reformulation involves replacing every statement of the form "belief set K is a subset of belief set K'" to a sentence of the form "for every extension e of a default theory  there exists an extension e' of the default theory 0 such that e is a subset of e'". This speci c instance of the general framework presented in Section 2 is thus well-founded with respect to the semantics of rational belief change (as formulated in the AGM framework). In addition to guaranteeing a consistent and rational mapping between requirements models, the revision and contraction operators de ned above o er several additional bene ts which assume special importance in the context of requirements engineering.

 The explicit representation of contractions in the set of THEORIST constraints C ensures that revisions and contractions are treated in a symmetric manner. In the AGM framework, as well in approaches inspired by it (including Nebel's operators for belief bases [13]), contractions are never represented explicitly, while revisions are. Consequently, the e ects of a contraction operation are not guaranteed to persist beyond a single step. Requirements evolution operations such as the Telos UNTELL operation must persist over iterated evolution steps, which is only possible given an explicit representation for contractions, such as in our approach.

 Our model ensures that requirements are never discarded. A requirement, once added via

a revision operation, is contained in either F or H at all future times. Thus, if a new requirement r2 contradicts an existing requirement r1 contained in F , then r1 is demoted to the status of a default (i.e., it becomes an element of H ). As well, no maximal scenario of the THEORIST speci cation will contain r!. If, however, r2 is later retracted, r1 can reappear in a maximal scenario of the resulting THEORIST speci cation.

 One may view every element of F and C as representing a prior requirements evolution step.

Every element of F represents a prior revision, while every element of C represents a prior contraction. Thus, priority relations on F and C , which are the only two prerequisites necessary for generating a consistent outcome of a requirements evolution step, can be obtained by merely requiring an ordering on the belief change steps. Results from [8], [7] and [6] show that such an approach provides an elegant and easily implementable solution to a well-known problem with the AGM framework and related systems, namely, the absence of a de nition of belief change operations beyond a single step (often referred to as the problem of iterated belief change).

 Using results from [9], we can show that for requirements models represented as ground

theories in THEORIST, the outcome of a requirements evolution step can be computed in linear time (in the cardinality of F [ C ) if every step involves a single literal and in polynomial time if every step involves a Horn clause. Our approach thus lends itself to ecient implementation.

6 Conclusion This paper has presented a logical framework for modeling and reasoning about requirements evolution. The focus of this presentation has been on the problem of e ective management of changes to requirements models, while maintaining consistency and completeness. We have demonstrated the strength of this framework by analyzing operators in the TELOS requirements modeling language and pointed out some of their shortcomings. We have then presented a new set of default based operators which serve as the formal basis for the evolution of requirements models. This work has o ered a principled approach to reasoning about requirements evolution which acts as the basis for analyzing current techniques in requirements modeling. Furthermore, it provided a starting point for de ning semantically well-founded systems for managing requirements models and their subsequent evolution. This framework thus provides a formal account for the requirements engineering process.

References [1] Carlos E. Alchourron, Peter Gardenfors, and David Makinson. On the logic of theory change: partial meet contraction and revision functions. Journal of Symbolic Logic, 50:510{530, 1985. [2] James Allen. Towards a general model of action and time. Arti cial Intelligence, 23(2), 1984. [3] Gerhard Brewka. Belief revision in a framework for default reasoning. In Proc. of the Konstanz Workshop on Belief Revision, pages 206{222, 1989. [4] Peter Gardenfors. Knowledge in Flux: Modeling the Dynamics of Epistemic States. MIT Press, Cambridge, MA, 1988. [5] Peter Gardenfors and David Makinson. Revisions of knowledge systems using epistemic entrenchment. In Proc. of the Second Conference on Theoretical Aspects of Reasoning about Knowledge, pages 83{95, 1988. [6] Aditya K. Ghose. Practical belief change. PhD thesis, Department of Computing Science, University of Alberta, 1995.

[7] Aditya K. Ghose, Pablo O. Hadjinian, Abdul Sattar, Jia-H. You, and Randy Goebel. Iterated belief change. Technical Report TR93-05, University of Alberta, Dept. of Computing Science, 1993. Also published as Grith University, School of Computing and Information Technology Research Report No. 62. [8] Aditya K. Ghose, Pablo O. Hadjinian, Abdul Sattar, Jia-H. You, and Randy Goebel. Iterated belief change: A preliminary report. In Proc. of the Sixth Australian Joint Conference on AI, 1993. [9] Aditya K. Ghose, Abdul Sattar, and Randy Goebel. Pragmatic belief change: Computational eciency and approximability. In Proc. of the Workshop on 'Belief Revision: Bridging the Gap between Theory and Practice', 1993. Held in conjunction with the SIxth Australian Joint Conference on AI. [10] Manolis Koubarakis, John Mylopoulos, Martin Stanley, and Alex Borgida. Telos: Features and formalization. Technical Report KRR-TR-89-4, Dept. of Computer Science, Univeristy of Toronto, Toronto, Canada, February 1989. [11] Isaac Levi. Subjunctives, dispositions and chances. Synthese, 34:423{455, 1977. [12] John Mylopoulos, Alex Borgida, Matthias Jarke, and Manolis Koubarakis. Telos: Representing knowledge about information systems. ACM Transactions on Information Systems, 8(4):325{362, 1990. [13] Bernhard Nebel. Belief revision and default reasoning: Syntax-based approaches. In Proc. of the Second International Conference on Principles of Knowledge Representation and Reasoning, pages 417{428, 1991. [14] David Poole. A logical framework for default reasoning. Arti cial Intelligence, 36:27{47, 1988. [15] David Poole, Randy Goebel, and Romas Aleliunas. Theorist: a logical reasoning system for defaults and diagnosis. In N.J. Cercone and G. McCalla, editors, The Knowledge Frontier: Essays in the Representation of Knowledge, pages 331{352. Springer Verlag, 1987. [16] Raymond Reiter. A logic for default reasoning. Arti cial Intelligence, 13(1 and 2):81{132, 1980. [17] Charles Rich and Yishai A. Feldman. Seven layers of knowledge representation and reasoning in support of software development. In IEEE Trans. on Software Engg., volume 18, pages 451{469, 1992.