Getting the right software requirements under the right environment assumptions is a critical precondition for developing the right software. This task is intrinsically difficult. We need to produce a complete, adequate, consistent, and well-structured set of measurable requirements and assumptions from incomplete, imprecise, and sparse material originating from multiple, often conflicting sources. The system we need to consider comprises software and environment components including people and

more »

... devices. A rich system model may significantly help us in this task. Such model must integrate the intentional, structural, functional, and behavioral facets of the system being conceived. Rigorous techniques are needed for model construction, analysis, exploitation, and evolution. Such techniques should support early and incremental reasoning about partial models for a variety of purposes including satisfaction arguments, property checks, animations, the evaluation of alternative options, the analysis of risks, threats, and conflicts, and traceability management. The tension between technical precision and practical applicability calls for a suitable mix of heuristic, deductive, and inductive forms of reasoning on a suitable mix of declarative and operational specifications. Formal techniques should be deployed only when and where needed, and kept hidden wherever possible. The paper provides a retrospective account of our research efforts and practical experience along this route. Problem-oriented abstractions, analyzable models, and constructive techniques were permanent concerns.