Introduction — Why Requirements Matter
Here is a statistic that should alarm every software professional: according to the Standish Group's CHAOS Report, over 60% of software project failures trace back not to bad code, not to poor architecture, not to infrastructure problems — but to requirements issues. Incomplete requirements. Ambiguous requirements. Wrong requirements. Missing requirements.
The cost multiplier is devastating. A requirements error caught during the requirements phase itself costs roughly $1 to fix. Caught during design, it costs $5. During coding, $10. During testing, $20. In production? $100 to $1,000. This is the famous "1-10-100" rule, validated repeatedly by researchers from Barry Boehm (1981) to modern empirical studies.
The Requirements Gap
The requirements gap is the distance between what stakeholders actually need and what the development team actually builds. This gap exists because:
- Stakeholders can't articulate what they want — they know it when they see it, but they can't describe it precisely in advance
- Engineers assume context — they fill in gaps with their own assumptions, often incorrectly
- Language is inherently ambiguous — the word "fast" means something different to a UX designer, a database administrator, and an end user
- Requirements change — the business environment shifts, competitors launch new features, regulations evolve
- Translation loss — every time requirements pass from one person to another (stakeholder → analyst → architect → developer), information degrades
flowchart LR
A[What stakeholders
actually need] --> B[What stakeholders
say they want]
B --> C[What analysts
document]
C --> D[What architects
design]
D --> E[What developers
build]
E --> F[What users
actually get]
style A fill:#3B9797,color:#fff
style F fill:#BF092F,color:#fff
At every arrow in this diagram, information is lost, assumptions are injected, and the gap widens. Requirements engineering exists to minimise this gap systematically.
What Are Requirements?
Requirements answer the question: "What should the system do?" — not "How should the system do it?" This distinction is fundamental. Requirements live in the problem space; solutions live in the solution space.
Consider these examples:
- Requirement: "Customers must be able to track their order status in real time."
- NOT a requirement: "The system shall use WebSockets to push order status updates to a React frontend component."
The first describes a user need. The second describes an implementation decision. Both are valid and necessary — but they belong in different documents, are owned by different people, and change for different reasons.
The Bridge Metaphor
Think of requirements as a bridge between two worlds that speak different languages:
- The Business World — speaks in terms of revenue, customers, compliance, competitive advantage, user satisfaction
- The Engineering World — speaks in terms of APIs, databases, latency, throughput, error handling, scalability
Requirements are the translation layer. They take business intent and express it in terms precise enough for engineers to build against, while remaining understandable to business stakeholders. This dual-audience nature is what makes requirements hard.
Requirements vs Specifications
Many engineers use "requirements" and "specifications" interchangeably. This is a mistake that leads to confusion, scope creep, and miscommunication. They are different artefacts with different purposes.
A requirement says what the user needs. A specification says precisely how the system will satisfy that need at the boundary between the system and its environment.
Here is a concrete example:
Notice the leap in precision. The specification adds timing constraints, security properties, rate limiting, and specific trigger conditions — all of which are engineering decisions that refine the original user need.
Comparison Across Dimensions
| Dimension | Requirements | Specifications |
|---|---|---|
| Audience | Business stakeholders, product owners, users | Engineers, architects, QA teams |
| Language | Natural language, business terminology | Precise, often using SHALL/SHOULD/MAY (RFC 2119) |
| Detail Level | High-level intent and constraints | Detailed behaviour at system interfaces |
| Ownership | Product owner / business analyst | Systems engineer / architect |
| Stability | Changes with business needs (moderate churn) | Changes with design decisions (higher churn) |
| Testability | Often qualitative ("easy to use") | Always quantitatively verifiable |
| Perspective | Problem space (what the world needs) | Solution space (what the system does) |
| Example Format | User stories, use cases | SRS sections, interface contracts |
Functional vs Non-Functional Requirements
Requirements divide into two fundamental categories: functional (what the system does) and non-functional (how well the system does it). This distinction shapes architecture, testing strategies, and project priorities.
Functional Requirements
Functional requirements describe specific behaviours or functions of the system — the features users interact with directly. They answer: "What should the system do when X happens?"
- Users can create an account with email and password
- The system processes credit card payments via Stripe
- Administrators can export reports as CSV files
- The search function returns results ranked by relevance
- Users receive email notifications when their order ships
Non-Functional Requirements (Quality Attributes)
Non-functional requirements (NFRs) describe qualities or constraints on how the system performs its functions. They are often called "quality attributes" or "-ilities" (reliability, scalability, maintainability, etc.).
| NFR Category | Description | Example | How to Measure |
|---|---|---|---|
| Performance | Speed and throughput | Page loads in <2 seconds at P95 | Load testing, APM metrics |
| Scalability | Handling growth in load | Support 10,000 concurrent users | Stress testing, auto-scaling metrics |
| Reliability | Consistency of correct operation | 99.9% uptime (8.76 hours downtime/year) | Uptime monitoring, MTBF |
| Security | Protection against threats | All data encrypted at rest (AES-256) | Penetration testing, audits |
| Usability | Ease of use | New users complete onboarding in <5 minutes | User testing, SUS score |
| Maintainability | Ease of modification | New payment provider integrates in <2 sprints | Code complexity metrics, change lead time |
| Portability | Adaptability to environments | Runs on AWS, Azure, and GCP | Deployment testing across platforms |
| Accessibility | Usability for all users | WCAG 2.1 AA compliance | Automated a11y scanning, manual audit |
The FURPS+ Model
Hewlett-Packard developed FURPS+ as a comprehensive classification system for requirements. It remains widely used in enterprise software:
- F — Functionality (features, capabilities, security)
- U — Usability (aesthetics, consistency, documentation, responsiveness)
- R — Reliability (availability, failure rate, recoverability, predictability)
- P — Performance (speed, throughput, capacity, resource consumption)
- S — Supportability (testability, extensibility, adaptability, maintainability, configurability)
- + — Design constraints, implementation constraints, interface requirements, physical requirements
The "+" covers constraints that don't fit neatly into the five categories — things like "must use Java 17", "must integrate with SAP", or "must run on hardware with ≤ 512MB RAM".
Requirements Elicitation Techniques
Elicitation is the process of drawing out requirements from stakeholders, domain experts, and existing systems. It's harder than it sounds — stakeholders often don't know what they need, can't articulate what they know, or disagree with each other.
| Technique | Description | Best For | Limitations |
|---|---|---|---|
| Interviews | One-on-one structured or semi-structured conversations | Deep understanding of individual perspectives | Time-intensive, subject to interviewer bias |
| Surveys | Questionnaires distributed to large groups | Gathering data from many stakeholders quickly | Shallow responses, low response rates |
| Observation | Watching users perform their current tasks | Uncovering implicit/tacit knowledge | Hawthorne effect, time-consuming |
| Prototyping | Building quick mockups for feedback | Validating UI/UX assumptions early | Can anchor stakeholders to prototype limitations |
| Workshops | Facilitated group sessions (JAD sessions) | Resolving conflicts, building consensus | Dominant personalities can skew outcomes |
| Use Cases | Structured descriptions of actor-system interactions | Complex workflows with multiple actors | Can become overly detailed, hard to maintain |
| User Stories | "As a [role], I want [goal] so that [benefit]" | Agile teams, incremental delivery | Too brief for complex or safety-critical systems |
| Domain Analysis | Studying existing systems, regulations, standards | Compliance-heavy domains (healthcare, finance) | May inherit legacy assumptions |
Choosing the Right Technique
In practice, you combine multiple techniques. A typical elicitation strategy might look like:
- Domain analysis first — understand the landscape before talking to people
- Interviews with key stakeholders — build rapport, uncover high-level needs
- Workshops to resolve conflicts between stakeholder groups
- Prototyping to validate understanding — "Is this what you meant?"
- User stories or use cases to document agreed requirements
- Observation to catch what people forgot to mention
The WRSPM Reference Model
The WRSPM model (pronounced "wrist-pm") is a formal reference framework from requirements engineering that clarifies where requirements fit in the relationship between the real world and software. It was developed by Gunter, Gunter, Jackson, and Zave (2000) and remains one of the most rigorous ways to think about what requirements really mean.
The Five Layers
W — World (Domain/Environment): The real-world environment in which the system operates. This includes physical laws, business rules, human behaviour, organisational policies, and domain knowledge that exists independently of the software. World assumptions are things we take for granted — gravity exists, users have email addresses, banks close on weekends.
R — Requirements: What stakeholders need the system to achieve in the world. Requirements describe desired changes to the world state. "Customers can track their packages" is a requirement — it describes something that should be true in the world.
S — Specifications: The precise description of system behaviour at the interface boundary between the software and the environment. Specifications describe what the system does in response to inputs and what outputs it produces — expressed solely in terms of phenomena observable at that interface.
P — Program (Software): The actual implementation — source code, algorithms, data structures, frameworks. The program is the engineer's creation that (hopefully) satisfies the specification.
M — Machine (Hardware/Platform): The computing platform on which the program executes — servers, operating systems, networks, devices. Machine properties include processing speed, memory limits, network latency, and failure modes.
flowchart LR
W["W
World
(Environment)"] <--> R["R
Requirements
(Stakeholder Needs)"]
R <--> S["S
Specifications
(System Interface)"]
S <--> P["P
Program
(Software)"]
P <--> M["M
Machine
(Hardware)"]
style W fill:#3B9797,color:#fff
style R fill:#16476A,color:#fff
style S fill:#132440,color:#fff
style P fill:#BF092F,color:#fff
style M fill:#666666,color:#fff
The Key Insight: Separation of Concerns
The power of WRSPM is that it forces you to ask: Which layer am I working in right now? Problems arise when layers are conflated:
- Confusing R with S: Writing specifications when you should be understanding requirements (premature solution design)
- Confusing W with R: Treating domain assumptions as requirements (they're not — they're givens)
- Confusing S with P: Putting implementation details in specifications (over-constraining the solution)
- Ignoring W: Building a system that works perfectly in theory but fails in the real world because world assumptions were wrong
Variables and Interfaces
WRSPM introduces four types of variables that describe how information flows between the world and the machine:
| Variable Type | Direction | Description | Example (Thermostat) |
|---|---|---|---|
| Monitored Variables | World → System | Real-world phenomena the system observes | Room temperature |
| Controlled Variables | System → World | Real-world phenomena the system changes | Heater on/off state |
| Input Variables | Environment → Machine | Data received by the program (sensor readings) | Digital temperature reading (22.5°C) |
| Output Variables | Machine → Environment | Data sent from the program (commands) | Relay control signal (HIGH/LOW) |
The distinction between monitored/controlled and input/output variables is crucial. Monitored and controlled variables exist in the world — they're real physical phenomena. Input and output variables exist at the machine interface — they're digital representations. The gap between them is where sensors, actuators, and physical constraints live.
Concrete Example: Smart Thermostat
Smart Home Thermostat
Let's apply all five WRSPM layers to a smart thermostat system:
- W (World): Rooms have thermal mass. Heat dissipates. Outside temperature varies. Humans have comfort preferences (typically 20-22°C). Heaters have lag time. Electricity costs vary by time of day.
- R (Requirements): The home should maintain a comfortable temperature. Energy costs should be minimised. Users should be able to set schedules. The system should learn user preferences over time.
- S (Specifications): The system SHALL maintain room temperature within ±1°C of the setpoint. The system SHALL activate the heater when temperature drops 0.5°C below setpoint. The system SHALL provide a REST API for schedule configuration. Response time for temperature queries SHALL be <200ms.
- P (Program): PID control algorithm, machine learning model for schedule prediction, REST API server, mobile app, database for historical data.
- M (Machine): Raspberry Pi 4, DHT22 temperature sensor (±0.5°C accuracy), relay module, Wi-Fi connectivity, 5V power supply.
flowchart TD
subgraph World
A[Room Temperature
Monitored Variable]
B[Heater State
Controlled Variable]
C[User Comfort
Preference]
end
subgraph Interface
D[Sensor Reading
Input Variable]
E[Relay Signal
Output Variable]
F[API Request
Input Variable]
end
subgraph Machine
G[PID Algorithm]
H[Schedule Engine]
I[REST API Server]
end
A -->|DHT22 Sensor| D
D --> G
G --> E
E -->|Relay Module| B
C -->|Mobile App| F
F --> H
H --> G
Notice how the world assumptions (thermal mass, lag time) affect the specification (±1°C tolerance, 0.5°C hysteresis). If we ignored the world — for instance, assuming instant heating — our specification and program would fail in reality.
WRSPM Applied: Real-World Systems
Example 1: ATM System
Automated Teller Machine (ATM)
The ATM is a classic requirements engineering example because it has clear physical-digital boundaries.
- W (World): Banks have accounts with balances. Customers have PINs and cards. Physical cash exists in denominations. Banks have daily withdrawal limits. Network connections can fail. Criminals attempt fraud.
- R (Requirements): Customers must be able to withdraw cash from their account. The system must prevent unauthorised access. Transactions must be atomic (no partial withdrawals). The system must be available 24/7.
- S (Specifications): The system SHALL authenticate users via 4-digit PIN with max 3 attempts before card capture. Withdrawals SHALL be dispensed in multiples of £10. The system SHALL communicate with the bank's core system via ISO 8583 messages. If network connectivity is lost, the system SHALL queue transactions for ≤ 5 minutes before declining.
- P (Program): Transaction processing engine, PIN verification module, cash dispensing controller, receipt printer driver, network communication stack, transaction log.
- M (Machine): Industrial PC, card reader (EMV chip + magnetic stripe), PIN pad (encrypted, PCI-DSS compliant), cash dispenser (note counter, reject bin), receipt printer, network interface (primary + fallback).
Where WRSPM catches gaps: Consider the world assumption "physical cash exists in denominations." If the ATM only stocks £20 notes, a customer requesting £30 cannot be served — even though the requirement ("withdraw cash") is met and the software is correct. The gap is between W (available denominations) and R (any amount withdrawal). Without explicitly modelling the world, this gap hides until deployment.
Example 2: Ride-Sharing Application
Ride-Sharing App (Uber-like)
A modern ride-sharing app demonstrates WRSPM in a complex distributed system context.
- W (World): Roads have traffic. GPS has ±5m accuracy in cities (worse in urban canyons). Drivers are independent contractors (not employees). Passengers may cancel. Surge pricing depends on supply/demand. Local regulations vary by city. Payment processors have latency.
- R (Requirements): Passengers can request rides and be matched with nearby drivers. Passengers can see estimated arrival time and fare. Drivers can accept or decline ride requests. Payments are processed automatically after ride completion. Both parties can rate each other.
- S (Specifications): The system SHALL match passengers with the nearest available driver within a 5km radius within 30 seconds. ETA estimates SHALL be accurate within ±3 minutes for trips under 30 minutes. The system SHALL process payment within 60 seconds of ride completion. Driver location SHALL be updated every 4 seconds via GPS. The system SHALL handle 100,000 concurrent ride requests globally.
- P (Program): Microservices architecture — matching service (graph algorithms), pricing service (dynamic pricing ML model), payment service (Stripe/payment gateway integration), location service (geospatial indexing), notification service (push notifications), rating service.
- M (Machine): Cloud infrastructure (AWS/GCP), CDN for static assets, Redis for real-time location cache, PostgreSQL for transactional data, Kafka for event streaming, mobile devices (iOS/Android) with GPS and cellular connectivity.
Where WRSPM catches gaps: The world assumption "GPS has ±5m accuracy" directly impacts the specification. If the matching algorithm assumes exact driver positions, it will make poor matches in areas with GPS inaccuracy (tunnels, downtown high-rises). By explicitly modelling the world, the specification accounts for location uncertainty — perhaps requiring drivers to confirm they've arrived rather than relying purely on GPS proximity.
Requirements Documentation
Once requirements are elicited and analysed, they must be documented in a form that's accessible, unambiguous, and maintainable.
The Software Requirements Specification (SRS)
The IEEE 830-1998 standard (now superseded by ISO/IEC/IEEE 29148:2018) defined the classic SRS document structure:
- Introduction — Purpose, scope, definitions, references, overview
- Overall Description — Product perspective, functions, user characteristics, constraints, assumptions
- Specific Requirements — Functional requirements, non-functional requirements, interface requirements
- Appendices — Supporting information, analysis models
While formal SRS documents are still used in regulated industries (aerospace, medical devices, defence), most modern software teams use lighter-weight alternatives.
Modern Alternatives
User Stories with Acceptance Criteria:
Story: As a customer, I want to reset my password so that I can
regain access to my account.
Acceptance Criteria:
- Given I am on the login page
When I click "Forgot Password"
Then I see a form asking for my email address
- Given I enter a registered email address
When I submit the form
Then I receive a password reset email within 2 minutes
- Given I click the reset link in the email
When the link is less than 30 minutes old
Then I can set a new password
- Given I click the reset link in the email
When the link is more than 30 minutes old
Then I see an "expired link" message with option to request againBDD (Behaviour-Driven Development) Format:
# Feature: Password Reset
# Scenario: Successful password reset request
Given the user "john@example.com" has a registered account
And the user is on the login page
When the user clicks "Forgot Password"
And enters "john@example.com" in the email field
And clicks "Send Reset Link"
Then the system sends a password reset email to "john@example.com"
And the email contains a unique token valid for 30 minutes
And the system displays "Check your email for reset instructions"Decision Records (ADRs) for NFRs:
{
"title": "ADR-007: Response Time Requirements",
"status": "accepted",
"context": "Users report frustration with page load times. Analytics show 40% bounce rate when pages take >3s.",
"decision": "All API endpoints must respond within 200ms at P95. Page loads must complete within 2s on 4G connections.",
"consequences": "Requires caching layer, CDN for static assets, database query optimisation. May limit feature complexity per page."
}Requirements Validation
Validation ensures that documented requirements actually represent what stakeholders need and that they're of sufficient quality to build against. The "VCCUUT" qualities of good requirements are:
| Quality | Question | Red Flag |
|---|---|---|
| Valid | Does this represent a genuine stakeholder need? | "Gold plating" — features nobody asked for |
| Consistent | Does this contradict any other requirement? | "The system must be open-source" + "The system must use proprietary DRM" |
| Complete | Are all scenarios covered? Are edge cases addressed? | No mention of error handling, timeouts, or failure modes |
| Unambiguous | Can this be interpreted in only one way? | "The system should be fast" — fast means what? |
| Verifiable | Can we write a test that proves this is met? | "The system should be user-friendly" — how do you test this? |
| Traceable | Can we trace this to a business need and forward to tests? | Orphan requirements with no known origin or purpose |
Validation Techniques
- Requirements Reviews: Formal inspections where stakeholders, analysts, and engineers walk through requirements together, checking for completeness and consistency
- Prototyping: Building throwaway or evolutionary prototypes to validate understanding — "Is this what you meant?"
- Model Validation: Using formal models (state machines, sequence diagrams, Petri nets) to check for impossible states or deadlocks
- Test-First Validation: Writing acceptance tests before implementation — if you can't write a test, the requirement isn't clear enough
- Traceability Matrices: Mapping every requirement to its source (business need) and its verification method (test case)
Common Requirements Pitfalls
After decades of requirements engineering practice, the same failure patterns repeat across organisations and industries:
1. Scope Creep
Requirements grow continuously without corresponding adjustments to timeline, budget, or team size. Each individual addition seems small, but cumulatively they transform the project. The antidote: a formal change control process and a definition of "done" for the requirements phase.
2. Gold Plating
Engineers adding features that weren't requested because they seem "obvious" or "cool." This wastes effort and complicates testing. The antidote: strict adherence to documented requirements — if it's not written down, it doesn't get built.
3. Ambiguous Language
- "The system should be fast" — fast means what? 100ms? 1 second? 10 seconds?
- "The system should handle many users" — many means 100? 10,000? 10 million?
- "The system should be easy to use" — for whom? A developer? A grandmother?
- "The system should be secure" — against what threats? At what cost?
- "The system may support..." — is this required or optional?
- "The system should usually respond..." — what about when it doesn't?
4. Missing Non-Functional Requirements
Teams document what the system does but not how well it should do it. Performance, security, scalability, and maintainability requirements are left implicit — which means they're left to individual developers' judgement (which varies wildly).
5. Assumption Bias
Both stakeholders and engineers bring assumptions from their previous experience. A stakeholder who previously used System A assumes the new system will work similarly. An engineer who previously built microservices assumes the new system needs them. These assumptions go unexamined until they clash with reality.
6. Stakeholder Conflicts
Different stakeholders want different things. Sales wants features fast. Security wants everything locked down. Operations wants simplicity. Finance wants cost minimisation. Without explicit conflict resolution, requirements become contradictory.
7. Requirements Churn
Requirements changing faster than the team can implement them. This indicates either premature implementation (building before requirements are stable) or a genuinely volatile domain (where iterative/agile approaches are essential).
AI-Enhanced Requirements Engineering
Large Language Models and AI tools are beginning to augment (not replace) requirements engineering practices. Here's how practitioners are using them today:
- Generating acceptance criteria from user stories: Given a user story, AI can generate comprehensive Given/When/Then scenarios including edge cases that humans often miss
- Ambiguity detection: AI can flag vague language ("should be fast", "many users") and suggest quantitative alternatives
- Completeness checking: AI can identify categories of requirements that are missing — "You have performance requirements but no security or accessibility requirements"
- Consistency analysis: AI can detect contradictions between requirements documents written by different teams
- Test case generation: AI can generate test cases directly from specifications, improving requirements-to-test traceability
- Requirements rewriting: Converting informal stakeholder language into structured, testable specifications
Exercises
Write 5 functional requirements and 5 non-functional requirements for a university library management system. For each non-functional requirement, specify the category (performance, security, usability, etc.) and provide a measurable acceptance criterion.
Hint: Consider scenarios like book checkout, overdue returns, inter-library loans, search, and accessibility compliance.
Apply the WRSPM model to a smart home thermostat that supports: multi-zone control, energy-saving schedules, voice commands, and weather-based pre-heating. For each layer (W, R, S, P, M), write at least 3 specific items. Identify at least 2 monitored variables and 2 controlled variables.
Hint: Think about what world assumptions (W) could invalidate your specifications — e.g., what if the weather API is unavailable?
The following requirements contain ambiguities. Identify each ambiguity and rewrite the requirement to be testable and unambiguous:
- "The system should respond quickly to user requests."
- "The application must support a large number of concurrent users."
- "Data should be backed up regularly."
- "The interface should be intuitive for all users."
- "The system should handle errors gracefully."
Convert these vague requirements into precise, testable specifications using the SHALL keyword and quantitative measures:
- "The website should load fast."
- "The system should be secure."
- "The app should work on mobile."
- "Reports should be generated quickly."
Hint: For each, ask: Who? What? When? How much? How do we verify?
Conclusion & Next Steps
Requirements engineering is where software projects are won or lost. The WRSPM model gives you a rigorous framework for understanding where requirements sit in the chain from real-world needs to running software. By separating world assumptions from requirements, requirements from specifications, and specifications from implementation, you prevent the most common and costly class of software failures.
Key takeaways from this article:
- Requirements ≠ specifications — requirements describe what stakeholders need; specifications describe precise system behaviour
- Non-functional requirements often matter more than functional ones for system success
- The WRSPM model separates World, Requirements, Specifications, Program, and Machine into distinct layers with clear interfaces
- Monitored and controlled variables bridge the gap between the physical world and the digital system
- Validation ensures requirements are complete, consistent, unambiguous, verifiable, and traceable
- Ambiguous language is the enemy — always quantify, always ask "how would we test this?"
Next in the Series
In Part 6: Software Architecture & Design Patterns, we'll explore architectural patterns like Client-Server, Pipe-and-Filter, Layered, and Master-Slave — and learn how to make design decisions that shape entire systems.