Requirements Engineering

Building any complex system, from a hospital's IT network to a self-driving car's software, begins not with code, but with conversation. The process of translating abstract human needs into a concrete, unambiguous, and testable blueprint is the essence of Requirements Engineering. It is the crucial and often unsung discipline that bridges the gap between intention and execution, ensuring that what we build is not only technically sound but also useful, usable, and safe. A failure in this early stage is the single greatest cause of project failure, leading to systems that are buggy, ineffective, or even dangerous.

This article demystifies this critical field. In the following chapters, we will journey from the core principles of the discipline to its real-world impact. First, under "Principles and Mechanisms," we will explore the foundational concepts of verification and validation, the power of logical precision in defining requirements, and the structured processes that govern safety-critical development. Subsequently, in "Applications and Interdisciplinary Connections," we will see these principles in action, examining their vital role in the high-stakes worlds of medical devices, automotive safety, and the complex human-AI interface.

Imagine you want to build something complex—not just a shed in your backyard, but say, a hospital. You wouldn't just show up with a pile of lumber and start hammering. You would begin with a conversation, a deep exploration of purpose. What is this hospital for? Who will use it? How do we ensure it is a place of healing and not of harm? This conversation, this act of translating abstract needs into a concrete, buildable plan, is the very soul of Requirements Engineering. It is the discipline of deciding, defining, and documenting what a system should do.

While it may sound like mere paperwork, this process is a fascinating intellectual journey, blending logic, psychology, and ethics. It's about asking the right questions, achieving profound clarity, and ultimately, building a bridge from human intention to technological reality.

At the heart of the entire endeavor lie two fundamental, and often confused, questions: "Did we build the right thing?" and "Did we build the thing right?" These are not philosophical riddles; they are the bedrock of quality, known formally as ​​validation​​ and ​​verification​​.

​​Validation​​ is the process of checking if you built the right thing. It asks whether the final product actually meets the true needs of the users. For our hospital, this would be asking doctors, nurses, and patients if the layout works, if the rooms are functional, if it truly supports the process of care. It is an outward-facing question, concerned with real-world effectiveness.

​​Verification​​, on the other hand, is the process of checking if you built the thing right. It asks whether the product conforms to its design and specifications—its blueprint. Did we use the specified grade of steel? Are the electrical systems wired according to the diagram? It is an inward-facing question, concerned with conformance to the plan.

A common scenario in procuring a complex software system, like a new ordering system for a hospital, makes this distinction crystal clear. The hospital might specify hundreds of ​​requirements​​—verifiable statements of needed capability. For instance, a critical requirement might be "The system must prevent a doctor from ordering a medication to which the patient has a known allergy." Verification would involve running specific, scripted tests to confirm that this feature was built exactly as specified. But validation would involve having actual doctors and pharmacists use the system in a simulated environment to see if it's intuitive, fast, and safe in the context of their chaotic, real-world workflow. You can perfectly verify a system that is completely unusable—one that technically meets every requirement but fails the ultimate test of validation. The goal is to succeed at both.

To build the thing right, our blueprint must be unambiguous. In everyday language, we get away with being vague. If you ask a friend to "turn down the music," they can use context to figure out what you mean. A computer cannot. It takes everything literally. Ambiguity in requirements is the single greatest cause of project failure, leading to systems that are buggy, unsafe, or simply don't work.

This is why requirements engineering has a deep connection to formal logic. Consider a seemingly simple rule for a software application: "The application is considered to be in a stable state if and only if all of its automated unit tests have passed.". What does it mean, precisely, for this rule to be violated?

Let's represent "The application is in a stable state" as the proposition $S$, and "All automated unit tests have passed" as $T$. The rule is the logical biconditional, $S \leftrightarrow T$. A violation is the negation of this statement, $\lnot(S \leftrightarrow T)$. The laws of logic tell us this is equivalent to $(S \land \lnot T) \lor (T \land \lnot S)$. This dry formula reveals something crucial: there are two distinct ways for the system to fail, not one.

1. The application is in a stable state, but not all tests have passed ($S \land \lnot T$). This indicates a flawed test that is failing on a stable system (a "false alarm").
2. All tests have passed, but the application is not in a stable state ($T \land \lnot S$). This is perhaps more dangerous—a "false negative," where the tests give a clean bill of health to a broken system.

Without this logical precision, an engineering team might only check for one of these conditions, leaving a critical failure path undiscovered. This isn't pedantry; it's the rigorous thinking that prevents disasters. To help achieve this clarity in practice, engineers often use frameworks like ​​SMART​​ requirements, ensuring each one is ​​S​​pecific, ​​M​​easurable, ​​A​​chievable, ​​R​​elevant, and ​​T​​ime-bound.

When the stakes are high—as in medicine, aviation, or finance—this need for precision is enshrined in a formal, regulated process. This process isn't about stifling creativity; it's a carefully choreographed dance designed to ensure that what is built is safe and effective. This dance often follows a "V-model," where we descend from high-level needs into detailed specifications, and then ascend back up through testing and integration.

The key steps in this dance, particularly for something like a Software as a Medical Device (SaMD), are meticulously defined:

1. ​​Design Inputs​​: The process begins by capturing all the user needs, the intended use of the device, and all the precise, measurable requirements derived from them. This forms the foundation of the entire project.

2. ​​Design Outputs​​: This is the creation of the blueprint. For software, this includes the software architecture, detailed algorithms, coding standards, and everything needed to actually write the code.

3. ​​Design Verification​​: As the design outputs are created, we are constantly checking them against the inputs. This is our first loop of "building the thing right." It includes activities like code reviews, static analysis, and unit testing, where individual components are tested in isolation.

4. ​​Design Validation​​: Once the system is fully built and integrated, the ultimate test begins. We hand the finished device to intended users in a realistic setting to confirm it meets their original needs. For a medical device, this involves rigorous usability testing and often a full ​​clinical evaluation​​ to generate objective evidence of its safety and clinical benefit.

The golden thread that holds this entire dance together is the ​​traceability matrix​​. Imagine a massive spreadsheet that links every single user need to one or more design inputs, which in turn are linked to specific design outputs, which are then linked to the verification tests that check them and the validation scenarios that confirm them. This matrix provides the "unambiguous evidence" that the job was done correctly. If a stakeholder asks, "How do we know the device is safe for calculating drug doses?", the traceability matrix allows you to point directly from the safety requirement to the risk analysis, the specific algorithm, the verification test that passed, and the clinical validation that confirmed it.

If requirements engineering were only about logic and process, it would be a dry affair. Its true richness comes from recognizing that we are building systems for and within a complex human world.

Who Decides? The Socio-Technical System

A hospital's electronic health record (EHR) is not just a piece of software; it's a socio-technical system that intertwines technology with clinical workflows, professional responsibilities, and patient lives. Deciding on its requirements is a political and organizational act. Who gets the final say?.

In a well-run organization, decision rights are carefully partitioned. The ​​Chief Medical Information Officer (CMIO)​​, representing the clinical side, must have final authority on anything touching clinical workflow and patient safety. The ​​Chief Information Officer (CIO)​​, representing the technology side, must have final authority on infrastructure, security, and budget. The ​​Clinical Informaticist​​ often acts as the crucial translator between these two worlds. A system where the CIO dictates clinical workflows is dangerous. A system where the CMIO dictates server architecture is unworkable. The requirements process must be a structured collaboration, a dialogue between these authorities, to balance the needs of medicine with the constraints of technology.

What is "Good"? The Plurality of Values

What happens when stakeholders fundamentally disagree on what the system should do? A project to build a global AI for clinical decision support will face different ethical landscapes. Some cultures may prioritize individual patient autonomy above all else, while others may prioritize communal benefit or beneficence. There may be no single, universally "correct" set of values to encode.

This is the challenge of ​​value pluralism​​. The most advanced approach to requirements in this context is not to "gather" requirements as if they were stones to be picked up, but to engage in ​​participatory design​​. This method treats stakeholders—patients, clinicians, community leaders—as co-researchers in a process of mutual discovery. The goal is not to force a consensus on a single set of value-weights ($\theta$), but to map the landscape of contested values ($P(\theta \mid c)$), understanding how trade-offs are made in different contexts. It is a humble, inclusive approach that acknowledges that "the right thing" is often a negotiated, contextual, and plural concept.

What's Important? The Logic of Risk

With limited time and resources, we cannot test and verify everything with the same intensity. We must focus our efforts where they matter most. The guiding principle here is ​​risk​​.

In regulated industries, software is often assigned a safety class based on the most severe outcome a failure could cause. For example, under the IEC 62304 standard, software whose failure could lead to death or serious injury is deemed ​​Class C​​. This classification has profound consequences. A Class C component demands the highest level of rigor—more documentation, more testing, and critically, independent verification.

This prioritization based on severity must often override simpler calculations of risk. A module with a high probability of failure but low severity of harm (e.g., a user interface glitch causing annoyance) may have a higher numerical "risk score" ($R \propto \text{Severity} \times \text{Probability}$) than a module with a very low probability of failure but catastrophic severity (e.g., a drug dose calculation error). The principles of medical ethics, especially non-maleficence ("first, do no harm"), demand that we focus our deepest scrutiny on the components that can do the most damage, regardless of their likelihood of failure. This risk-based approach ensures that our finite engineering effort is spent protecting against the worst possible outcomes.

The formal, dance-like process described above can feel rigid in a world that values speed and adaptability. How do these principles survive in modern ​​Agile​​ development? The beautiful answer is that the principles remain, but the practices evolve. Instead of creating massive, separate specification documents, an Agile team might capture a requirement in the acceptance criteria of a user story in their backlog. The verification test might be a fully automated script that runs with every single code change. The traceability matrix isn't a separate document; it's a living web of links within the team's software tools. The goal is a "single source of truth," where compliance and quality are not a phase you enter, but a continuous state you maintain.

And for systems where failure is simply not an option—like an airplane's flight control system or a self-driving car's braking logic—we can take precision to its ultimate conclusion. Using ​​formal methods​​ like Linear Temporal Logic (LTL), we can describe required behaviors with mathematical certainty. We can formally distinguish between ​​safety properties​​ (e.g., $G(\text{"the two trains are never on the same track segment"})$, a bad thing that must never happen) and ​​liveness properties​​ (e.g., G(\text{button_pressed} \rightarrow F(\text{elevator_arrives})), a good thing that must eventually happen). These mathematical statements can then be used to prove that a system's design is correct, offering the highest possible level of assurance.

From a simple conversation about needs to a mathematical proof of correctness, the field of requirements engineering is a quest for clarity in a complex world. It is the essential, and often unsung, art and science of ensuring that the things we build are not just clever, but are also useful, usable, and safe.

Having journeyed through the principles and mechanisms of requirements engineering, we might be left with the impression of a somewhat formal, perhaps even bureaucratic, process. A set of rules to be followed, boxes to be ticked. But to see it this way is to see the architectural blueprints for a grand cathedral as merely a collection of lines on paper. The true beauty and power of this discipline emerge when we see it in action, when we witness how these structured principles become the invisible guardians of our health, our safety, and our trust in the complex technological world we inhabit.

Requirements engineering is the art of foresight. It is the practice of imagining all the ways a system might fail, especially when interacting with the messy, unpredictable real world, and then methodically building a fortress of logic and evidence to prevent that failure. Let us now explore some of the arenas where this art is practiced at its highest level.

Nowhere are the stakes higher than in medicine. When software is not merely running on a server but is actively involved in diagnosis and treatment, it ceases to be just code—it becomes a medical device. This "Software as a Medical Device" (SaMD) is a frontier where requirements engineering is not just good practice; it is a profound ethical and regulatory obligation.

Imagine a sophisticated AI designed to analyze CT scans and flag pulmonary nodules that might be malignant. How do we ensure it is safe and effective? The process begins not with code, but with questions. What is the clinical problem we are trying to solve? Who will use this tool—a radiologist, a technician? In what environment—a quiet reading room or a bustling emergency department? These questions define the ​​user needs​​.

From these needs, we distill a set of precise, testable ​​design inputs​​. This is where the abstract becomes concrete. A user need for an "accurate" device is translated into a measurable engineering requirement: for instance, the algorithm must achieve an Area Under the Receiver Operating Characteristic Curve (AUC) of at least $0.85$ on a specific, pre-defined dataset. A need for a "fast" tool becomes a requirement that the risk score must be presented within $5$ seconds of receiving the data. Crucially, this is also where we build in requirements for safety and fairness, such as specifying that the performance should not have a significant gap across different demographic groups.

The resulting software architecture, the source code, the trained AI model, and the user manual—these are the ​​design outputs​​. Now comes the moment of truth, which is elegantly split into two distinct checks. First is ​​verification​​: we test our outputs against our inputs. Does the code run in under $5$ seconds? Does it meet the $0.85$ AUC target on our test bench? The question we answer is, "Did we build the device right?"

But this is not enough. The second, and arguably more important, check is ​​validation​​. Here, we take the finished device and test it against the original user needs. We conduct studies with real radiologists in simulated environments to see if the device actually helps them and doesn't mislead them. We answer the question, "Did we build the right device?". This subtle distinction between verification and validation is the bedrock of building medical technology you can trust.

The complexity of modern software, especially AI, presents unique challenges. For a piece of MRI reconstruction software, a subtle bug could create an image artifact that either mimics a tumor or hides one. The potential for harm is severe. To manage this, standards like IEC 62304 force us to classify software based on the worst credible harm a failure could cause. Class A is for software that can cause no injury, Class B for non-serious injury, and Class C for death or serious injury. An MRI analysis tool could initially be considered Class C. However, if there are robust external risk controls—like the fact that a trained radiologist will always interpret the image in the context of multiple other scans—one might be able to justify a Class B classification. The key insight is that the level of required rigor, documentation, and testing is directly proportional to the potential harm.

This principle of proportionate rigor is even more pronounced when AI models are used to make recommendations in clinical trials, for instance, in selecting a drug dose. Here, the regulatory environment demands an almost perfect chain of evidence. To ensure reproducibility and integrity, we must treat the creation of the AI model itself like a high-tech manufacturing line. Every ingredient must be documented and version-controlled: the exact version of the source code, the specific snapshot of the training data (with a cryptographic checksum to prove it hasn't changed), the configuration files, and even the random seeds used in training. This entire process must be governed by a secure, time-stamped audit trail that records who did what, when, and why, often requiring electronic signatures for critical changes. This is the essence of Good Machine Learning Practice (GMLP), ensuring that a recommendation from an AI in a GxP (Good Practice) regulated setting is as traceable and reliable as a pill from a bottle.

Perhaps the most fascinating frontier of requirements engineering lies at the interface between human and machine. A "perfect" algorithm can be rendered useless or even dangerous if its user interface is poorly designed. Consider an AI that recommends antibiotics. If clinicians begin to blindly trust its outputs—a phenomenon known as "automation bias"—they may fail to apply their own clinical judgment, leading to errors.

Usability engineering, guided by standards like IEC 62366, is not about making software pretty; it's about systematically identifying and mitigating these use-related risks. The guiding principle is a "hierarchy of controls." The best way to control a risk is to design it out completely. Failing that, add a protective measure (like an alert). Only as a last resort should you rely on "information for safety," such as a warning in the user manual or training, as these are the least effective controls.

This leads to fascinating design questions. For a system that recommends initiating life-sustaining vasopressors in an ICU, how much control should the human have? In a ​​human-in-the-loop (HITL)​​ model, the clinician must explicitly approve the recommendation before the system acts. In a ​​human-on-the-loop (HOTL)​​ model, the system might act automatically, but the clinician has a window to intervene and override.

Which is safer? We don't guess; we test. We create detailed validation studies with representative users (physicians, residents, nurses) in high-fidelity simulations of a chaotic ICU. We define strict, risk-based acceptance criteria: for the HITL task, the probability of a user mistakenly approving a bad recommendation must be less than $0.01$. For the HOTL task, the mean time to override a bad auto-order must be less than $10$ seconds, even under high workload. By measuring these outcomes, we gather objective evidence to determine which interface design is acceptably safe.

The principles forged in the crucible of medical device design are universal. Consider the anti-lock braking system in your car. This is a cyber-physical system where software commands physical actuators, and failure is not an option. The automotive industry uses a standard called ISO 26262, which defines Automotive Safety Integrity Levels (ASIL), ranging from ASIL A (low risk) to ASIL D (highest risk, e.g., for braking or steering).

For a system rated ASIL C or D, developers cannot simply state that their software works. They must construct a ​​safety case​​—a structured, formal argument, supported by a mountain of evidence, that the system is acceptably safe. This evidence includes a rigorous software development plan, architectural designs that prove freedom from interference between critical and non-critical components, exhaustive verification test reports (often using digital twins for simulation), and proof that all the software tools used in development are themselves qualified for the task. It is a profound demonstration that for technology we bet our lives on, "it works" is not a sufficient answer. We must be able to prove, with auditable evidence, how we know it works and why it is safe.

What happens when this careful process of foresight breaks down? Imagine an infusion pump whose software interface defaults to milligrams when a dose should be in micrograms. A busy nurse, under pressure, accepts the default and administers a 1000-fold overdose. The manufacturer might argue the nurse made an error. But the law, echoing the principles of human factors engineering, sees it differently.

In negligence and product liability law, a key concept is the risk-utility test, often expressed by the famous Learned Hand formula: a precaution is required if its burden ($B$) is less than the probability of harm ($P$) multiplied by the severity of that harm ($L$). In our scenario, if a proper usability study to catch this design flaw would have cost B = \100,000$, while the anticipated annual expected loss from such errors was$PL = $200,000$, then the failure to conduct the study was a breach of duty. The "human error" was not an unforeseeable event that broke the chain of causation; it was a predictable, foreseeable consequence of a poor design. Compliance with standards like IEC 62366 is not an automatic shield from liability, but a failure to follow them, especially when the stakes are high and the cost of prevention is reasonable, is damning evidence.

As we can see, modern requirements engineering is a deeply interdisciplinary symphony. It brings together systems engineering, risk management, human factors psychology, cybersecurity, and even law. The ever-expanding checklist of required documentation—the risk management file, the usability engineering file, the software bill of materials, the cybersecurity threat model—is not an exercise in bureaucracy. It is the score for this symphony. It is the objective evidence, the auditable trail that demonstrates that a device was not merely thrown together, but was composed with care, foresight, and a profound respect for the safety of those who will depend on it. In a world racing toward ever more powerful and autonomous technologies, this deliberate, rigorous, and deeply human process of asking "What if?" is more beautiful and more vital than ever.