“what”?dberry/html.documentation/...2007 daniel m. berry requirements engineering what, not how?...

What, Not How?When Is “How” Really“What”?:

Daniel M. Berry, Computer ScienceUniversity of Waterloo, Canada

2007 Daniel M. Berry Requirements Engineering What, Not How? Pg. 1

Mantra

An oft heard mantra of those who preachrequirements engineering:

What, Not How!

That is, specify what the computer-basedsystem (CBS) you are building is supposed todo and not how the CBS is supposed to do it.


Difficulties

However, we all know how difficult it is tofollow the mantra when writing softwarespecifications, ...

especially since we have to ask so many Howquestions of the stakeholders in order tounderstand the requirements

As we are writing the What, a lot of the Howcreeps in.


Guilt

We develop a guilt complex over thistendency!

This talk attempts to dispel the guilt byshowing that sometimes

g it is necessary to specify the How alongwith the What, and

g the best or only specification of the What isthe How.


Examples of Specifications

We consider 4 requirements that we mightwant to specify:

1. good looking formatted text2. robust, safe, secure, or survivable CBSs3. non-conflicting features4. chewy bagels


Good Looking Formatted Text

Recall Freddy Brooks’s famous quotation:

“The hardest single part of building a softwaresystem is deciding precisely what to build. Noother part of the conceptual work is sodifficult as establishing the detailed technicalrequirements.... No other part of the work socripples the resulting system if done wrong.No other part is more difficult to rectify later.”


Question to Knuth

When Don Knuth visited U of Waterloo in Fall2000, he fielded questions on “The Art ofComputer Programming” at a town meeting.

I asked, “What was the hardest part ofdeveloping TEX?”

I expected to hear something about decidingwhat commands TEX shall provide or what TEXshall do for each of these commands.


Surprising Answer

Knuth surprised me by answering that thehardest part was figuring out the line-breakingalgorithm.

Recall that Knuth started to build TEX in 1979.

Prior to TEX, most formatters, including troff,used line-by-line greedy algorithm.


Greedy Algorithm*

In a start-to-end scan of document, fill each line with asmany words as possible (last “word” can be wordfragment with hyphen) and then spread the words onthe line as evenly as possible.

Interword spacing on one line can vary wildly fromthose on the others.

hhhhhhhhhhhhhhhhhhhhhhhh* The contents of this slide were formatted by troff’s line-by-line greedy algorithm.


Knuth Wants Better

Knuth, concerned with the declining quality oftypesetting in general and preserving thequality of the typesetting for his 7-volumeseries on the art of computer programming,wanted to duplicate the quality of hand-typeset documents.

Knuth knew that human typesetters do notalways follow the greedy algorithm.


What Humans Do*

Sometimes, a typesetter can determine that if he or shefills the current line as much as possible, then theinterword spacing on the next line will be observablybigger. He or she then moves the last word of thecurrent line to the next line. The line spacing on thecurrent line increases. After filling and spreading thenew next line, its spacing is about the same as that ofthe current line.



What Humans Really Do*

Sometimes, a typesetter can determine that if he orshe fills the current line as much as possible, then theinterword spacing on the next line will be observablybigger. He or she then moves the last word of thecurrent line to the next line. The line spacing on thecurrent line increases. After filling and spreading thenew next line, its spacing is about the same as thatof the current line.

hhhhhhhhhhhhhhhhhhhhhhhh* The contents of this slide were formatted manually by agood human typesetter.


Duplicating Human’s Art

The problem for Knuth was how to duplicatethis artistic, seemingly non-algorithmic, effectin TEX.


Knuth-Plass Algorithm*

The Knuth-Plass line-breaking algorithm uses dynamicprogramming to minimize the differences between theinterword spacing over each paragraph, assuming thatthe spacing on each line is uniform. Basically, thealgorithm finds the best line breaks among the set ofall possible line breaks in a paragraph.

hhhhhhhhhhhhhhhhhhhhhhhh* The contents of this slide were formatted by TEX’s Knuth-Plass algorithm and its spacing was manually entered intothe troff input for these slides.


K-P vs. Greediness*

The Knuth-Plass line-breaking algorithm uses dynamicprogramming to minimize the differences between theinterword spacing over each paragraph, assuming thatthe spacing on each line is uniform. Basically, thealgorithm finds the best line breaks among the set of allpossible line breaks in a paragraph.



Performance of K-P Algorithm

The process is NP-complete in general, but forany finite text, it is finite.

The paragraph is the right size unit over whichto apply the algorithm.

Over less than that, e.g., one sentence, theuniformity would not be observable.

Over more than that, e.g., the wholedocument, the space or time would beprohibitive.


Quality

How successful is this algorithm?

TEX is known for its quality word spacing.

In fact, since the algorithm finds the optimalline-breaking choices, a human typesetter cando no better.


Requirement for TEX

So, Knuth has specified that TEX uses theKnuth-Plass line-breaking algorithm.

This does not force an implementation to usethe algorithm; it can use any algorithm thatachieves the same effect.


A How Specification for TEX

It appears that Knuth has gone far beyondwhat is considered acceptable in exposingimplementation details to the user.

TEX has a How specification of line breaking.

It’s in the TEXbook!

However, look at the alternative ways ofspecifying line breaking:


One Alternative

One alternative is specify the qualityrequirement only in words, as one of:

g The output looks good.

g The interword spacing looks good.

g The interword spacing looks better than inany other existing formatter.

g The interword spacing looks as good asproduced by the best human typesetters.


Too Fuzzy

It is not clear what these mean and all leavetoo much leeway to the implementor.

Different implementations of any can producedifferent results.


Another Alternative

Another alternative is a declarativespecification:

1. The interword spacing is as uniform aspossible.

2. The interword spacing is that achieved byminimizing the differences between theinterword spacing, assuming that thespacing on each line is completely uniform.


No Guarantees

The main problem, at least before it has beenimplemented, is that there is no guarantee thatit is feasible or even possible to implement thespecifications; there may be no algorithm orthe algorithm might be computationallyprohibitive.

Knuth and Plass found that the unit of thealgorithm could not be the whole document.


How is What

By specifying line-breaking with a thoroughlyanalyzed How specification, Knuth was able tomake sure that the specified requirementcould be achieved.

In the end, it was clear that Knuth’s answer tomy question was about requirements, and thatwhat he thought was the hardest part ofbuilding TEX was deciding requirements.


A Precisely Specified NFR

As a side-effect, Knuth ended up preciselydefining the normally unspecifiable qualityattribute of “looking good” in a way thatcaptured the essence of looking good in thedomain of line-breaking in typesetting.

In this case, the How specification ends upbeing a highly sought-after What specification.


User’s Manual as Specification

Perhaps you were surprised that I called TEX’suser’s manual, the TEXbook, TEX’sspecification.

It should not be suprising:*

I think that the TEX community does.

hhhhhhhhhhhhhhhhhhhhhhhh* D.M. Berry, K. Daudjee, J. Dong, I. Fainchtein, M.A.Nelson, & T. Nelson, “User’s Manual as a RequirementsSpecification: Case Studies”, Requirements Engineering J.,9: 1, 67–82, 2004.


UM as Spec, Cont’d

Moreover, ...

the TEXbook describes every feature as seenby the user.

To my understanding, it was the main testcase for the TEX program.


Robust, Safe, Secure, orSurvivable CBSs

The treatments of requirements forrobustness, safety, security, and survivabilityin CBSs are similar.

Security, a problem studied formally since1970s, is taken as the representative.


Must Require From Start

It is impossible to add security atimplementation time or after deployment to aCBS that is insecure or that has beendesigned totally oblivious to security.


Must Require From Start, Cont’d

Security must be required in from thebeginning so that consideration of the securityrequirements permeate the entire design,implementation, and testing.

Otherwise, it is too easy to build a CBS whosevery design precludes security, e.g., theInternet.


Easy to Specify

It is fairly easy to give an over-all requirementfor a secure CBS, ...

that it release no data to any user except oneauthorized by the current security policy toreceive them.


Hard to Verify

However, without knowing how specific partsof the CBS do their activities, it is impossibleto validate that the CBS, as specified, willindeed satisfy its security requirements afterdeployment.

Unfortunately, it is often impossible to see asecurity leak until enough detail is shownabout the implementation to see how the dataare moved and where potential leaks are,sometimes, through covert channels.


Dilemma

The security requirement specificationdilemma.

We want to have What specifications forsecure CBSs, and the only way to ensuresecurity of a CBS is to require it from thebeginning.

It is impossible to see where the security leaksare without a How specification that exposesthe leaks.


Dilemma, Cont’d

Indeed it might even be verifiable that a purelyWhat specification does satisfy securityrequirements when the specified CBS is not,simply because the details by which the CBSbecomes insecure have not been exposed inthe What specification.


Example

Suppose a requirement is that there be nomore than one copy of a classified file.

At the highest level,

mv source target

satisfies the requirement.


Example, Cont’d

However, in any implementation, there may beup to 3 copies of the moved file during theexecution of the move: source, temporary, andtarget, particularly if the source and target arein different file systems, ...

and the source is deleted only after it isverified identical to the target.


How Specifications Needed

A How specification is needed.

The same dilemma exists for robustness,safety, and survivability of CBSs.


Non-Conflicting Features

In telephony and other reactive CBSs to whichfeatures are constantly being added, it isnecessary to investigate any proposed newfeature to see

g if it interacts any existing feature andg to make sure that the new feature does not

conflict with any existing feature.


Desired Analysis

We want to be able to do the analysis basedon specifications that are as high level aspossible, preferably purely Whatspecifications that state only what eachfeature is.


Nature of Interaction

However, interaction and conflict occurbecause at least two features f1 and f2 use thesame hardware or the same data D to achievetheir function.

The use of D by f1 in some way affects or isaffected by the use of D by f2.


Details Are Needed

In the end, all such interactions and conflictscan be detected if the detailed code of allfeatures is examined to see to which devicesor data the features share access.

However, no one wants to have to dig sodeeply into the code.


How to Detect Conflicts

To be able to detect interaction and conflictfrom high level specifications, it must beapparent from the specifications that f1 and f2share access to some D.


Problem with Detection

If the specification is too high level, it may bethat the specifications of f1 and f2 share nowords in common. Therefore, it might appearthat they do not interact when they do.


Example

The featuresg unlisted phone number, which allows a

subscriber not to list his or her phonenumber, and

g caller identification, which allows a calleeto see the name and number of a caller,

conflict because caller identification shows aname with the phone number, contrary to whatthe subscriber with an unlisted phone numberwants.


The Conflict

With a high level what specification such asgiven in the phrases beginning with “which”in the bulleted list, the conflict might not beapparent.

The given specification of unlisted phonenumber neglects to mention explicitly that thegoal is to avoid listing the phone number withthe subscriber’s name.


Another Problem with Detection

Alternatively, it may be that the specificationsof f1 and f2 share words in common, but thosewords do not represent any real shared D.


Examples

Consider a feature’s name to be the highestlevel What specification possible.

For example, consider telephony features withthe word “call” in their names:

g Call Forwarding On Busyg Call Forwarding No Answerg Call Waitingg Originating Call Screeningg Three-Way Calling


Analysis

In the four requirements that use “call” as anoun, the requirement is a verb phrase thatsays that something is happening to the call.In the other case, “call” is the root of a gerunddescribing how the call is made.

So, in a sense, all five share data, the databeing the call itself.

Call is a high level datum containing allinformation involved in making a call.


Overly Safe Analysis

So in this sense, they all interact and possiblyconflict.

However, declaring all features to conflict isoverkill.

We need to go to more detailed levels toanswer the question more precisely.


Nonconflicting, In Fact

In fact, the elements of each of the pairs:

Call Waiting and Call Forwarding No Answer

Originating Call Screening and Call Waiting

do not conflict.


Conflicting, In Fact

The elements of each of the pairs:

Call Waiting and Call Forwarding on Busy

Call Waiting and Three-Way Calling

do conflict.


How to Tell

It is impossible to detect the conflicts withoutgoing into greater detail about thefunctionality, sometimes, as far as having towork with a How specification.

The key is to describe only enough of the Howto detect the conflicts, in order to be able todescribe What is and What is not.


How Specifications Critical

Here again, What specifications areinadequate for answering requirements-related questions.

How specifications are needed in order toanswer these questions.


Architecture & Requirements

Bashar Nuseibeh* and Michael Jackson* haverecognized that often architecture andrequirements have to be built together.

hhhhhhhhhhhhhhhhhhhhhhhh*B.A. Nuseibeh, “Weaving Together Requirements andArchitecture”, IEEE Computer 34:3, 115–117, 2001.

*M.A. Jackson, “The Impossibility of Requirements: AnInvitation to Join Discussion”, talk given at IFIP WG2.9Meeting, Lugano, CH, 2007.


Twin Towers

You cannot know one without knowing theother.

So, we have a high level how, the architecture,and a what, the requirements, being builttogether in what Nuseibeh calls “twin towers”.


Three Ways to Specify

There are actually three ways to specifysomething:

g Whatg Howg Test


Chewy Bagels

Let us use the New York (NY) bagel as anexample.

How many of you have ever had one?


Where to Get Them

In Waterloo, unless you have gone to Rise andShine Bagels on Bridgeport Road, you havenot.

Blue Dog Bagels, Great Canadian Bagels,Manhattan Bagels, McDonald’s, NorthernBagels, Royal Bagels, Sobey’s, Tim Horton’s,and Zehr’s do not make them.


A What Specification

On the next slide is a blueprint* for a NY bagelfrom a U.S. company, Bruegger’s Bagels, thatmakes genuine NY bagels.

Notice Detail 1-A. It is shown, blown up, on theslide after that

hhhhhhhhhhhhhhhhhhhhhhhh* Copyright by and a registered trademark of Bruegger’sBagels Corporation; reprinted with permission.


Detail 1-A and Chewiness

It specifies the inner mantle to withstand up to45 psi and the core to maintain 20 to 25moisture content.

These define the chewiness of the bagel.


Chewiness Is an NFR?

Is this chewiness functional or nonfunctional?

I think it is functional, because it ain’t a NYbagel without the chewiness.


Bagels and Donuts

Without the chewiness, it’s bread with a holein it or a donut*.

Indeed, in my mind, a bagel and a donut haveliterally nothing in common!

hhhhhhhhhhhhhhhhhhhhhhhh*When the Israeli Dunkin’ Donuts began to sell donuts, Isaid that Dunkin’ Donuts was diversifying into other holeyproducts in the Holy Land!


How Specification

Here is a recipe for NY bagels:

1. Use high gluten flour dough that has risen.2. Make a ring with outer diameter 4 inches

and inner diameter 1 inch and with a crosssection of 1.5 inches in diameter.

3. Put the ring into boiling water for 30seconds.

4. Bake the ring at 400°F (200°C) for 10minutes or until golden brown.

This How specification is clearly an algorithm.


Mile High Modification

In Denver, Colorado, which is a mile (1.6 kms)high, the ring must be boiled for 90 seconds!


Why What is Better than How

The What specification is preferred to the Howbecause the What says only what is desiredand allows the implementor freedom toachieve it any way he or she can. It spurscompetition to find more efficient ways toachieve the What than originally conceived.


Other Kinds of Bagels

Some of the companies that fail to makegenuine New York bagels do so because theyhave decided to make different kind of bagels;these include Royal Bagels that makesMontreal bagels, a different kind of bagel withits own fans.


Breads with Holes

Others that fail to make genuine New Yorkbagels do so because they simply decidedthat the boiling is unnecessary; they do notget the proper surface yield or interiormoisture content.

These are non-bagels, breads-with-a-hole.


Steamed!

Others, e.g., Einstein’s, The Great CanadianBagel, McDonald’s and Tim Horton’s (if thewords of clerks working there can be believed)have tried steaming in place of boiling. Italmost works, but the surface yield is not highenough and the interior moisture content istoo high. These are buns-with-a-hole.

Note the headline that appeared afterMcDonald’s introduced its steamed bagels:


Steamed, Cont’d

“McDonald’s bagels are steamed; so arepurists” (San Jose Mercury News, Sunday,April 25, 1999).

Among the steamed purists was none otherthan Eli Zabar of New York’s famous Zabar’sDelicatessen, one of the prime sources ofgenuine New York bagels along with H&H!


Bagel House Slogan

The slogan of the Bagel House in Sydney,NSW, Australia, says it all:

“If it’s not boiled it’s not a bagel”


Trying to Optimize

These attempts to steam are clearly examplesof trying to find a cheaper way to achieve theWhat than the standard How.

However, to date, no algorithm other than thestandard How has succeeded to achieve thedesired What.


How is Better than What

Here is an example in which a Howspecification may be better than a Whatspecification. It is certainly simpler in thesense that it is easier to tell what needs to bedone.


Discouraging Innovation

However, in opting for this How specification,one is discouraging innovation.

However, in the case of the NY bagel, perhapsinnovation should be discouraged!


Test Specification

The third method of specifying, called the Testmethod, is to use an acceptance test. Forbagels the standard test for bagelhood is:

“A genuine New York bagel can be used by ababy for teething for at least 10 minuteswithout its disintegrating into a ball of mush.”


Validity of Test

All the bagels that fail the surface yield andinterior moisture content specification fail thistest.

All the bagels, including the steamed ones,made without boiling fail this test.


More Test Specifations

Another test is that chewing a genuine NewYork bagel expends as many calories as areingested by eating the bagel.

Still another test is that only a genuine NewYork bagel stands up to and does not getsquished by the Bagel Biter bagel cuttingguillotine.


Still More Test Specs

Still another test is that if you bite down on asandwich made with a genuine New Yorkbagel, the filling squishes out.

With a steamed bagel, the sandwich fillingdoes not squish out; thus, a steamed bagelmakes a GREAT bun!


Similarity of What and Test Specs

A Test specification is closer to a Whatspecification in the sense that it allows anyimplementation that achieves the test.


Conclusions

Sometimes, a How specification issignificantly clearer or briefer than a Whatspecification.

Sometimes, a How specification is needed forinformation that is not in a What specification.

It is really difficult to figure out that bagelshave to be boiled from the blueprint.


Use How if Appropriate

So, when it is appropriate to use a Howspecification, do so without guilt and in goodhealth!


Acknowledgments

Thanks to Jo Atlee, Nancy Day, MartinFeather, Mike Godfrey, Leah Goldin, MichaelJackson, and Don Knuth for ideas,discussions, and comments.


“what”?dberry/html.documentation/...2007 daniel m. berry requirements engineering what, not how?...

Documents