• Final Proceedings.
• Bob Hall slides.

The original CFP is given below.

Workshop on Requirements Engineering in Open Systems

Integration and interoperation have become the critical issues in engineering multi-stakeholder distributed systems (MSDS) like the Internet electronic mail system, networks of web services, modern telephone networks, and the Internet itself. MSDS require rethinking requirements engineering and validation, because they do not admit globally consistent high level requirements, requiring instead a personalized and time-dependent view of requirements, and because single stakeholders are largely ignorant of the detailed operation of nodes outside their sphere of control, making validation problematic.

Target audience. This workshop is intended to bring together researchers and practitioners in the fields of

• requirements engineering
• component-based design (including Enterprise Application Integration (EAI))
• verification and validation
• ontology engineering and knowledge representation
• web services
• XML-based standards for representation (DAML+OIL, DAML-S, RDF and OWL)

Goals and structure. Our goals for the workshop are both to improve awareness of how open systems create novel problems for requirements engineering and to begin to explore potential solutions. To help focus the discussion, we have selected some open system scenarios (see full call for participation) and encourage each presentation to discuss how its ideas address or relate to the problems illustrated in the scenarios. The format of the presentations will include extra time for audience discussion of each presentation, hopefully allowing the group both to better understand each set of ideas and to relate them to other presentations and to the workshop themes.

A minimum two-page abstract should be submitted via e-mail to either of the workshop co-chairs in pdf (preferred) or ascii text format. Please see The Call For Proposals (CFP) for more information.

Workshop papers due: June 27, 2003
Notification to authors: July 18, 2003
Camera-ready: August 4, 2003
Workshop date: September 8, 2003

The workshop will be part of the larger 2003 International Requirements Engineering Conference - see the conference web page at http://conferences.computer.org/RE/.

Detailed Description

Integration and interoperation have become the critical issues in engineering multi-stakeholder distributed systems (MSDS) like the Internet electronic mail system, networks of web services, modern telephone networks, and the Internet itself. Consistent, well defined protocols and other low level requirements enable these systems to function, but higher level requirements placed by diverse users are often ephemeral and typically inconsistent when viewed together. Thus, for the field of requirements engineering to deal with open MSDSs at all, we need to shift our thinking from systems having consistent, global requirements to those in which requirements can be user-relative and ephemeral.

Beyond that issue, however, lurks a second major challenge dubbed the "ignorance problem": since the nodes of an MSDS are controlled by stakeholders with different goals, priorities, and capabilities, just knowing what they all do is a challenge. For example, email features and functionality have grown so complex that merely knowing a host serves TCP port 25 (SMTP) does not give enough information to know whether one's email message will be handled correctly. Current web services provide the means to discover method signatures. However, formal service standards have yet to be defined.

This workshop is intended to bring together researchers and practitioners in requirements engineering, component-based design (including Enterprise Application Integration (EAI)), verification and validation, and related fields to discuss the challenges of designing and using open systems in which requirements are ephemeral and user-relative, and in which it is difficult or impossible to know the behaviors of all the parts of the system.

Topics of interest

1. In an open system, up front system analysis is at best of limited, heuristic usefulness. The system is amorphous and dynamic: it comprises whatever components are available at the moment. The best one might hope for is just-in-time analysis: can requirement R be met at this moment with system S?

2. Three new types of requirements are prevalent in open systems:
   1. How do we capture and reason about ephemeral requirements? Ephemeral requirements have a lifetime that can be measured in days, hours, minutes or even less. They may be recurring, but may also be one-off.
   2. How do we capture and reason about user-relative requirements, or what we might call "personal requirements"? Personal requirements are not global to the system, but are specific to a single user or stakeholder. They are highly contextual.
   3. When a system will be used by (or affect) multiple users with different personal requirements (personal utility functions), how do we reconcile their differing preferences in setting requirements for a system. For instance, in an email setting, spam can be explained as a clash between the sender's personal requirement (get a user to respond to the message) and the receiver's personal requirement (don't be bothered by material that's irrelevant, often offensive, and possibly fraudulent). How do we reason about utility-based requirements?

3. Requirements in open systems are often obstructed by the environment, i.e., by components not under the user's control. It is less interesting to know that a requirement R cannot be met than knowing how it might fail. Both runtime monitoring and failure-recovery mechanisms come to the fore.

4. Given that many components of the system will not be under a user's control, how can we reason about the system's behaviors that may be relevant to the user? Can components provide an external description that will allow us to reason about requirement achievement? Can components be made transparent (e.g., reflective) so we can directly reason about their behavior?

5. Can open modeling standards be established that would allow personal requirements validation tools to help a user discover and reason about personal requirements satisfaction? If so, how can communities of interest establish shared ontologies/theories that can support capabilities like semantically meaningful model composition, scenario simulation, animation, theorem proving, model checking, and other formal reasoning tools? What information (beyond the standard OO entity-relationship information) must be included in such shared theories? Are current web-based standards such as RDF, RDFS, or OWL, enough for these tasks in terms of expressiveness, tractability, ease-of-use, etc.?

6. Deceptive practice is turning out to be a problem with some web sites in todays competitive market. For instance, it is difficult to ascertain what the information-privacy policy is of some sites. Even when sites state their policy, it is difficult to verify it. How do privacy and security fit into the larger picture of MSDS? Should game theory be part of requirements analysis in an MSDS?

Examples

We list some examples to help with the focus of the workshop. Ideally, a submission would explicitly explain how their approach, tool, idea, etc, would handle similar examples.

EXAMPLE 1: an email request and reply.

This example is drawn from a real project (contact fickas@cs.uoregon.edu for more details). User A wishes to get a ride to the doctor from user B. User A decides to send an email request to B asking for the ride. In slightly more formal terms, A's requirement is a yes or no answer from B to the ride request, in time to do A some good. The requirement is ephemeral: it endures for this ride request only, and may never come up again. The requirement is personal: it is A's requirement and contextualized to the components in place, at the request moment, to get a question to and reply from B.

It is an open system problem in that neither the Internet connectivity of A and B, the communication channel (the SMTP servers and post-office server) between A and B, nor the email client of A and B are under the control of all parties. In particular, A and/or B can be disconnected, email servers on either A's or B's side may filter email under administrative policy, the actual email clients themselves can filter email. Further, from A's point of view, B (the human) is part of the environment: B can ignore the request. In summary, the ride-request requirement can fail in many ways and it is impractical to attempt to guarantee success.

The questions this example raise in terms of the workshop are as follows:

1. Can we reason at all about the potential success or failure of the ride request? Do we know or can we discover what system components must be involved in the request? If we know the components, can we also know their behavior? If we know their individual behavior, can we reason about success and failure from a system-wide level?
2. Once we know how the request can fail, can we do more than hope for the best? Can we monitor its progress? Can we be warned of impending failure and potentially circumvent it? If failure does occur, can we recover in a way that keeps the request alive?
3. Is it feasible, in a limited domain like email, to develop a shared ontology, one that all email server and client vendors might adopt?
4. Privacy issues arise in this problem. It may be the case that B's email client is willing to make explicit the general rules it follows, (e.g., email from certain domains on a watch-list are deleted) without providing details (e.g., whether A's domain is on the watch list).

EXAMPLE 2: A Web Services Example

This example comprises four stakeholders:

1. User C has a web browser. C knows what Internet web services he or she wishes to access. One of these is UpToTheMinuteNews.com (U2M).
2. Corporate IT (IT) requires that all web requests traverse a web proxy on the corporate firewall.
3. A company called Acme Web Speedup Services (AWS) provides a caching proxy web service that is billed as "speeding up the average web access by N%!!!"
4. UpToTheMinuteNews.com provides (for a fee) the very latest news stories on their web site.

IT decides to improve everyone's life (on average) by connecting the corporate web proxy to AWS. Soon after that decision, C notices he or she is no longer receiving the latest news from U2M. This example has several relevant characteristics for the workshop:

• No single stakeholder has the information necessary to anticipate or even diagnose the problem. Can we come up with ways of decreasing the ignorance in this MSDS?
• The problem arises dynamically. One day U is happily receiving the service for which he or she is paying, and the next day an invisible (to C) change causes it to stop working. Thus, any analytic tool must be sensitive to change. How can any proposed solution deal with the constant change that is prevalent in MSDSs?
• IT is making design decisions based upon imperfect understanding of the requirements or other stakeholders and/or the implementations of other nodes.
• AWS and U2M may not be implemented optimally or even correctly. Thus, can one stakeholder's tools compensate for ignorance and imperfect design?

Note that it is difficult to know without detailed debugging knowledge what causes the problem. Here are some alternative hypotheses. (1) AWS's contract has fine print explaining that it does not guarantee freshness of its pages, (2) AWS's contract is purposely inaccurate or unclear on this point. This would be an example of deception in MSDSs (see Example 3 below). (3) AWS's implementation is buggy, old, or incorrectly configured so that it does not honor "no-cache" header information. Note that AWS's service would still be acceptable for all users who don't access time critical sites. (4) U2M's implementation is buggy or incorrectly configured, so that it does not produce "no-cache" headers with its pages. Note that in this case, U2M would still work perfectly well for all clients who do not use caching. (5) IT failed to read or correctly interpret the AWS contract. (6) IT failed to realize that some of its users required freshness. (7) C failed to communicate to IT that it needed access to a time critical web site, even though IT surveyed its users on this point at some time previously. (Or maybe C's needs changed since the survey.)

Requirements and validation tools must deal with all these issues, since it is not reasonable to assume every node is implemented well or even in compliance with published standards; it is not reasonable to assume all requirements are accurately known, or that all stakeholders are honest; and it is not reasonable to assume that contracts (e.g. published interfaces) are correct, complete, and unambiguous. Clearly, a stakeholder needs ways to discover actual behavioral details, and to monitor plans as they execute for failures. How can we support these needs?

EXAMPLE 3: Deception

The previous two examples have shown the problems when well-intentioned components/stakeholders must be brought together to meet a personal requirement. But components in either example could have hidden goals. For instance, an SMTP server could be monitoring the email that it processes for marketing opportunities, harvesting email addresses for further bulk mailing. The AWS component could be monitoring visited pages and making the information available, for a price, to those interested in the surfing habits of the IT corporation. Ideally, we would like to be able to have a clear-box view into the behavior of the components, thus making hidden goals transparent. Barring that, are there other means of reasoning about deception in open systems? Are there ways to discourage it? Can we borrow reasoning methods from other fields that deal with potentially dishonest agents, e.g., game theory?

Submissions

Workshop papers due: June 27, 2003
Notification to authors: July 18, 2003
Camera-ready: 8/4/03
Workshop date: September 8, 2003

Workshop committee

Workshop co-chairs: