Model-Driven Engineering (MDE) has become popular for developing softwarebased systems and is widely adopted to various extents in the industry [ 10 ]. It is primary used in the design phase and possibly in connection with other development and testing phases using model transformation, code generation, model-based testing. The Uni ed Modelling Language (UML) has become the common general purpose modelling language in software engineering [ 18 ] and has been further extended into Systems Modeling Language (SysML) for system engineering applications [ 17 ].

UML and SysML are not perfect, of course. Their latest evolutions have improved by providing better de ned notations and related semantics using the UML superstructure. More formal semantics have also been de ned for a number of diagrams. In addition, the Object Constraint Language (OCL) improved expressiveness to state richer properties that cannot be captured using the graphical syntax [ 16 ].

Nevertheless, a weak point of UML is its limited support for requirements engineering: { about notations, UML has the concept of requirement. The Use Case diagram enables a partial capture of main functionalities with limited structuring and only coarse grained interactions between the system and its environment. The class Diagram enables to capture the domain model and a number of related properties, possibly with OCL. The dynamic behaviour of a system can be speci ed using more speci c diagrams such the sequence, activity or state machine diagrams, but those are already directed towards solution design. SysML improves slightly over UML by providing a Requirements diagram with limited structuring capabilities. { about the modelling process, a number of methods have been de ned and can be driven by use cases, business processes or a domain analysis. However, such methods usually fail to precisely record the rationale that triggered the identi cation of a concept which should be related to the expression of some properties, either descriptive (i.e. domain properties) or prescriptive (i.e. requirements).

In the scope of this paper, we will show how to achieve systematic identi cation and speci cation of requirements using standard UML class diagrams. Such diagrams can be used to build a domain model (i.e. at problem level) and/or a conceptual design of the information system (i.e. at solution level). In both cases, a key point is to model the relevant concepts without unnecessary noise. Our focus is on building high quality UML class diagrams (or equivalent) integrating a rich set of descriptive and prescriptive properties in a consistent way with pre and post-conditions. For this purpose, we will rely on goal-oriented requirements engineering (GORE) de ned in languages like KAOS [ 4 ], i* [ 25 ], or URN/GRN [ 11 ]. The key point of using such frameworks is that only the reference to goals make it possible to claim a speci cation is complete [ 26 ]. We will rely here on the KAOS variant which already includes a conceptual modelling close to UML class diagram and has a well documented process [ 13 ]. Our main contribution is to derive a more complete UML model using OCL to capture properties and pre/post conditions using the textual speci cation de ned by the UML Speci cation Environment (USE) has target language [ 7 ].

The structure of our paper follows a model construction process. We assume the reader is familiar with UML/OCL. Section 2 rst introduces the GORE modelling notations and presents the requirements of a small underground transportation system used as running example. Section 3 explains our mapping and implementation through USE. Section 4 and 5 respectively detail how to deal with operations and alternatives. Section 6 discusses the bene ts and limitation of our approach in the light of related work. Finally Section 7 concludes and present our future work. The whole paper will rely on di erent excerpts of a railway system in order to illustrate the proposed approach.

Goals capture, at di erent levels of abstraction, the various objectives the system under consideration should achieve. GORE is concerned with the use of goals for eliciting, elaborating, structuring, specifying, analysing, negotiating, documenting, and modifying requirements [ 12 ]. { The agent model identi es the agents of both the system and the environment as well as their interface and responsibilities. They can be shown as part of goal graphs or in more speci c diagrams. Agents are represented using an hexagonal shape. { The operations model describes how agents functionally cooperate to ensure the ful lment of the requirements assigned to them and hence the system goals. Operations are graphically represented using ovals. Functional ow diagrams can be used between them.

The di erent abstraction levels to express goals can range from high-level strategic goals like \Maintain[Underground Safety] " down to more operational goals such as \Avoid[travellers falling on tracks] " or \Avoid[train collisions] " as depicted in Figure 2. High-level goals can be progressively re ned into more concrete and operational ones through relationships linking a parent goal to several sub-goals, with di erent ful lment conditions using either \AND-re nement" (all sub-goals need to be satis ed) or \OR-re nement" (a single sub-goal is enough, i.e. possible alternatives). For example, to avoid train collision di erent design can be used like xed block systems or moving block systems. Later in the paper, we will also see how to address the problem of a train that is longer than the platform (modelled as an obstacle in Figure 2).

The \WHY" and \HOW" questions can be used to conveniently navigate to parent and sub-goals, respectively. The goal decomposition stops when reaching a goal controllable by an agent, i.e. answering the \WHO" questions about responsibility assignment. These goals are either requirements on software or hardware components to design, or expectations on the behaviour of agents in the environment (e.g. the train driver). Domain properties can also be involved in a re nement. Such properties are intrinsically valid, like \A train can only be at one location at a time" or be assumed like the fact that the train length is shorter than the length of all platforms. In this case they need to be challenged about their validity.

Based on properties expressed in the goal model, one can start identifying concepts and structuring them into the relevant concepts of the object model (i.e. UML class diagram). Analysing the requirement Maintain[Door Closed While Moving] will result in the identi cation of a Train entity. Moreover the Train entity will be bound to a Door entity through a composition relationship with obviously at least one door. The modelling approach is minimalist: only what is strictly needed is modelled. For instance, at this point there are no other concept identi ed and only two attributes are necessary the Door state (e.g. a Boolean to represent a Door is closed) and the Train movement state (e.g. a Real representing its speed). The resulting object model is depicted in Figure 2. Note that a trace link between the Train entity and requirements involving it is added using the \Concerns" link. This also allows to formalise that requirement in the context of that Entity using the following OCL statement (also depicted has pop-up property in Figure 2):

UML Speci cation Design Environment (USE) was mainly designed to validate and verify speci cations consisting of class diagrams together with OCL invariants and pre- and postconditions [ 7 ]. It provides support for instance of class diagrams (i.e. UML object diagrams), including the ability to generate model instances. It also has a nice textual syntax both for model and instance levels. Once loaded into the tool, those models can be inspected visually using di erent standard diagrams and with some automated layout support. The tool also provide a control over the instance level and a command line interface allowing one to load models and perform checks. The USE tool is implemented in Java and available in Open Source license [ 5 ].

Table 1 de nes how to map a GORE object model into a UML class diagram. This mapping covers the various constructs like entities, associations, inheritance, di erent kind of goal concepts (Requirement, DomProp,...) and operations. It was implemented using a Java plug-in for the Objectiver tool that supports the KAOS method [ 21 ]. GORE (KAOS) UML (USE) Entity/Agent class Obj1 isA Obj2 ; Obj1 isA Obj3 class Obj1 <Obj2, Obj3 Binary Association without attributes but association with association type, ie. association, com- composition position, aggregation aggregation Binary Association with attributes associationclass N-ary Association rel without attributes association N-ary Association rel with attributes associationclass Operation Operation of the class associated to the (and related pre/post-condition) agent performing the operation FormalDomInvar of Entity/Agent Clause inv: in the class of the entity/Agent FormalDomInvar of N-AryAssociation Clause inv: in the association class FormalDef of Requirement/DomProp Clause inv: in the constraints section

Applying the above mapping to the KAOS object model of Figure 2 yields the following UML model. At this point, traceability is ensured by the same naming convention, although more speci c identi er could also be added later to guarantee a better and round-trip model synchronisation.

A KAOS operation is a state transition inside the system that can be controlled by some agent. The unconstrained operation is speci ed using domain preconditions (i.e. necessary condition) and post-conditions (resulting state). Note that we will not consider trigger conditions (i.e. su cient conditions) because it is not supported by UML. For the OpenDoors operation, the domain pre and postconditions are: tr.doors->forAll(closed) and tr.doors->forAll(not closed)

We need to be sure that the operation ful ls all the invariant properties dened (through the requirements). Hence, each time we introduce an operation with its domain pre- and postconditions into a formal system, we need to be sure that the operation execution will preserve the system invariant in any circumstances. This can induce to specify complementary conditions that must be ful lled before the operation execution (additional preconditions) and/or specify complementary conditions that must be ful lled by the result of the operation to be compliant with the requirements. In those cases, the conditions are named required pre- and postconditions.

Such required conditions can actually be computed using speci c reasoning techniques called goal regression detailed in [ 15 ]. Speci c patterns are also available. To illustrate, let us start by the comparison of Requirement 1: tr.doors->exists (not closed) implies (tr.speed = 0) (1) As speci ed above, the OpenDoors operation opens all doors:

post: tr.doors->forAll(not closed) (2) As there is at least one door in the train, we can assert:

tr.doors->forall(not closed) implies tr.doors->exist(not closed) (3) Hence, when TCS performs an OpenDoors operation for a train tr, we get a state in which the following assertion is veri ed:

tr.doors->forAll (not closed) (4) Due to (3), this implies that:

tr.doors->exist (not closed) (5) And in order to preserve Requirement 1, we need to have: pre DoorsClosedWhileMoving: tr.speed = 0 (6)

The resulting UML operation corresponding to the KAOS operation (as dened in the mapping of Table 1) is described below. It is bound to the T CS UML class which is mapped on the T CS agent in KAOS. Note that the rationale for this additional precondition is explicitly traced in the OCL speci cation. Model 2 Strengthened OpenDoors Operation openDoors (tr: Train) pre: tr.doors->forAll (closed) -- DoorsClosedWhileMoving: The train must be stopped. pre DoorsClosedWhileMoving: tr.speed = 0 post: tr.doors->forAll (not closed) 5

Now let us focus on a more speci c safety goal that our system should enforce in the case the train is stopped at a station.

Previous work has already considered how to bridge the gap between requirements and UML. As stated in the introduction, use cases are quite popular and usually combine the Use Case diagram with more speci c templates with approaches like Cockburn's explicitly capturing relevant goals [ 3 ]. However this approach is lightweight, mainly functional and does not cope with any formalisation of the domain.

Another approach is to try to develop a GORE approach directly inside UML through the stereotype-based extension mechanisms provided by UML. Such an approach was proposed by Heaven and Finkelstein [ 8 ]. It eases the translation with UML. However, the GORE notations can only partially be captured using such mechanisms. For example, AND-OR relationships for alternatives are difcult to represent, especially to capture the strengthened pre/post-conditions. It also comes at the price of developing the extension, unless it is already available, for example the RE tool provides GORE support for i* and KAOS inside StarUML [ 23 ]. Even in this case this still requires to develop more complex features such as the alternative selection mechanism.

Problem Frames, another famous requirements based approach, has also considered an UML mapping [ 14 ]. Problem Frames have less commonalities with UML than methods such as KAOS whose object model is a superset of the UML class diagram. As a result, they are rarely adopted in UML-based software development processes employing UML. A UML bridge has thus potentially a larger impact here but the adoption can be also more di cult so we believe an approach based on a closer language like KAOS, i* or GRL is probably better. Nevertheless the mapping implemented is interesting because it considers components diagrams which can lay good architectural grounds rather than going into conceptual modelling which usually result jumping too fast in an objectoriented development.

Interestingly, the problem frame mapping does not consider OCL for formalising properties but OTL Object Temporal Logic. This removes our limitation of only addressing invariants (i.e. safety requirements in our running example). However this extension is not standard; actually, other temporal extensions for OCL have been proposed, e.g. TOCL [ 27 ], OCL/RT [ 2 ], as part of ReqMon for goal monitoring [ 22 ]. They lack tool support which limits their usefulness. This limitation can be alleviated to some extend by translating such extension in standard OCL over an enhanced UML model using the so-called lmstripping technique, i.e. explicitly modelling state snapshots. It was applied to the USE framework [ 9 ]. However we did not try to consider it at this point because enforcing liveness properties would also require to introduce trigger-conditions which is not part of the standard UML speci cation of operations. As invariants are the most critical properties to consider, hence to model formally, we believe this limitation is acceptable. Actually other formal languages like Event-B [ 1 ] su er from the same limitation. For this language, UML and GORE mappings are also available [ 19 ][ 24 ].

For fully dealing with formalised requirements, it is still possible to carry out the reasoning at the GORE level. A number of frameworks have developed speci c tool support for temporal logic for example Formal Tropos [ 6 ] or the FAUST toolset for verifying mission critical systems [ 20 ]. Such early formalisation tools do not however seem to receive industrial adoption. Our approach to address most critical requirements with decent guidelines and support using standard UML seem to make sense. For system requiring high assurance, formal methods and tools will be applied by experts in that area starting from good requirements model consistently coupled with a UML design model as we are advocating for here. 7

Building high quality UML class diagrams is a di cult task because modelling needs to be carried out with a speci c purpose in mind. Without analysing the requirements while building the model, it is easy to miss important concepts or introduce irrelevant ones. In this paper, we have shown how to conduct such a process guided by a speci c goal-oriented requirements engineering method and relying on the USE framework for easing the mapping. However, we believe the methods and guidelines detailed here can be applied more widely with the limitation they only consider safety properties. A key point is that the explicit capture of properties helps to expose their degree of robustness and to decide how to improve the design. Using obstacle analysis, a systematic questioning can be applied, e.g. what is the doors would not close (due to mechanical failure), how should the system react in this case, what information is required, etc. This will result in an update of the UML model in terms of its structure and operations.

Our mapping has been implemented as a plugin for the Objectiver tool. However, it is currently limited to the export from a requirements to UML while it would be interesting to retro-engineer existing UML models or more tightly integrate both approaches for a full roundtrip engineering. This would also enable the use of veri cation and validation tools available at both levels. Dealing the larger set of progress properties would also be interesting but would require nonstandard temporal extensions to OCL and add more complexity, reducing the interest of the approach. This work was also limited to functional requirements and dealing with non-functional requirements (NFR) can also be investigated, for example in the way they drive the identi cation of alternatives. Although less easy to manage in a model, OCL can be helpful to query model characteristics than can drive the evaluation of some categories of NFR. Last but not least, we plan to conduct a comparative validation experiment to assess the quality of the resulting model with and without the use of the proposed technique and plugin. This will take place in the scope of the training and coaching the authors are organising both at academic and industrial levels in Belgium and France.