An Ontological Model of an Information System
Yair Wand and Ron Weber
Abstract-Theoretical developments in the CS and IS disciplines have been inhibited by inadequate formalization of basic constructs. In this paper we propose an ontological model of an information system that provides precise definitions of fundamental concepts like system, subsystem, and coupling. We use this model to analyze some static and dynamic properties of an information system and to examine the question of what constitutes a "good" decomposition of an information system.

Index Terms-Cohesion, coupling, decomposition, hierarchy, level structure, subsystem, system.

Manuscript received June 1, 1989; revised June 6, 1990. Recommended by M. Deutsch. This work was supported in part by an NSERC operating grant and by a grant from GWA Ltd.
Y. Wand is with the Faculty of Commerce and Business Administration, University of British Columbia, Vancouver, B.C. V6T 1Y8, Canada.
R. Weber is with the Department of Commerce, University of Queensland, St. Lucia, Queensland 4067, Australia.
IEEE Log Number 9038333.

I. INTRODUCTION

The computer science (CS) and information systems (IS) fields are replete with fundamental concepts that are poorly defined. For example, concepts like system, subsystem, module, object, interface, coupling, cohesion, hierarchy, input, output, environment, and decomposition are central to many theories in both fields, but inevitably they have not been articulated rigorously. In the absence of carefully formulated foundations, fields are unlikely to progress quickly. We concur with Parnas [30, p. 19] who observes: "The use of . . . fuzzy terms (in computer science) is not merely sloppy wording; it prevents . . . the systematic analyses made possible by precise definitions." Moreover, we believe the current debate on the status of both the CS and IS fields reflects that progress has been undermined substantially by inadequate formalization of basic constructs [9], [25], [43].

In this paper we propose a formal model of an information system. We have three primary objectives. First, we seek to define a set of core concepts that can be used to describe the structure and behavior of an information system. Ultimately, we hope these concepts will allow the similarities and differences between many constructs used in the CS and IS fields to be elucidated. Second, we seek to better understand the static and dynamic properties of information systems. In this respect we are viewing information systems as objects (artifacts) to be studied in their own right, independently of the characteristics of their users, the organizations in which they are employed, or the technologies used to implement them [38], [43]. Third, we seek to make predictions about information systems based upon their static and dynamic properties. For example, we have sought to use our model to predict the behavior of information systems based upon the characteristics of alternative decompositions of the system [41] and to predict the consequences of changes to the information system for the reliability of controls that have been implemented in the information system [40]. In short, we have the usual goals for any model: understanding and prediction.

Our approach is to model information systems within the context of a theory of ontology that is a modification and extension of one developed by Bunge [5], [6]. Because ontology is concerned with the structure of the real world, its relevance to the CS and IS fields is twofold. First, since information systems themselves are models of the real world, ontology identifies the basic things in the real world that information systems ought to be able to model. Second, since information systems are things in the real world, ontology provides a basis for modeling information systems themselves [3], [4]. Elsewhere we have used ontology in the former way [42]. In this paper, we use ontology in the latter way.

Our approach differs from a number of other attempts to provide formal bases for modeling CS and IS constructs. For example, specification languages such as Z and VDM seek to provide a formal notation that describes the properties an information system must have without being constrained by implementation considerations [15], [18], [34]. Unlike our approach, however, they do not seek to define a set of core constructs that underlie the CS and IS fields. Users of formal specification languages are assumed (implicitly) to know these constructs at the outset. The languages can then be employed to express these constructs precisely. While rigorous specification of information systems is clearly an important goal, we see our objectives in modeling core constructs as being more fundamental.

The remainder of the paper proceeds as follows. Section II provides a brief review of some major types of information systems formalisms that bear on our goals and their respective strengths and weaknesses relative to our model. Section III articulates some of the fundamental notions that underlie our model. Section IV uses these basic notions to examine the nature of and some dynamics of system decompositions. Section V provides several insights into the model's predictive power via an analysis of some properties of good decompositions. In particular, we show how our model formalizes the intuitive notion that good decompositions have subsystems that behave relatively independently of one another. Finally, Section VI presents suggestions for further research and our conclusions.

II. PRIOR RESEARCH

The motivation to formalize system concepts is not just confined to the CS and IS domains. It is common to fields like engineering [11], cybernetics [44], biology [23], physiology [36], architecture [1], and general systems theory [21]. Bunge [6] provides a brief review of the major types of system models that have been proposed.

In the CS and IS fields, however, there now seems to be widespread acceptance of formal models that view systems (programs) in terms of their specifications: specifically, as a pair of input and output assertions; or as a function mapping input states to output states; or as a relation between input and output states [12], [20], [22], [24], [35]. In turn, states are conceived as mappings between system (program) identifiers and values [13].
While these types of models have provided valuable insights into such problems as design decomposition and proofs of program correctness, they are essentially black-box models. Accordingly, they suffer the limitations of all black-box models in terms of our goals of understanding and predicting system behavior [6]. For example, since they do not model the internal structure of a system, the relationship between the overall behavior of the system and the behavior of its internal components is difficult, if not impossible, to analyze.

To illustrate the problems of using these black-box models, consider the objective of attaining a good design decomposition during system implementation. If, say, the system to be designed is conceived as a mapping between input and output states, various design decomposition rules can be derived based upon well-known mathematical results for decomposition of functions [14], [22]. The subfunctions that arise from the decomposition can be conceived as subsystems of the system. A control hierarchy can then be defined among the function (system) and subfunctions (subsystems) [14]. Under this conceptualization, the focus is on what the system is supposed to achieve rather than how it achieves it.

On the other hand, if the system is conceived as a hierarchy of modules, our focus shifts to internal structural matters. A programmer, for example, spatially arranges the various components of the system (e.g., program instructions and variables) and connects them via a control structure so they execute in particular sequences. Programmers are admonished to achieve objectives like loose coupling between modules and tight internal cohesion within a module [26], [46].

With current systems formalisms that we have available, however, the mapping between the external view (what is to be accomplished) and the internal view (how it is to be accomplished) is not clear-cut. How do we know, for example, that we have chosen and implemented subfunctions in such a way that the resulting modules are internally cohesive and loosely coupled? Indeed, as Bergland [2, p. 35] points out in his review of decomposition methodologies, "all of the methodologies rely on some magic."

We propose that the quality of the mapping between external and internal views of the system can only be examined and evaluated when we have an integrated formalism for both views. Currently, we have well-developed formalisms for only the external view. However, formalisms that address the internal view (e.g., concepts like coupling) are poorly developed [2].

In summary, we argue that current CS/IS systems formalisms for viewing systems are deficient in that they primarily use black-box rather than white-box models. Until rigorous white-box models of information systems have been developed, progress in developing mappings between requirements specifications and implementation structures will be impeded. In the model we develop below, we seek to provide the rudiments of a white-box model that can a) accommodate current formalisms which view systems as mappings between inputs and outputs, and b) rigorously describe the internal structure of systems.

III. BASIC NOTIONS

In this section we develop some basic ontological notions to analyze certain static and dynamic properties of information systems. To achieve generality, we formalize the [...] using standard mathematical notation. Our experience [...] concepts, once understood, can easily be translated [...] syntax of a formal specification language like Z.

A. Things, Properties of Things, and States of Things

The elementary notion in our formalism is a thing.¹ We define first the state space of a thing (definitions taken from or adapted from Bunge [5], [6] are starred "*").

¹ Note, we do not equate things with objects. Elsewhere we have argued that objects are special types of things [37]. All objects are things, but only some types of things are objects.

Definition 1*: Let X be a thing modeled by a functional schema $X_m = (M, F)$, and let each component of the function represent a property of X. Then $F_i$, $1 \le i \le n$, is called the ith state function (variable) of X, $F$ is called the total state function of X, and $S(X) = \{(x_1, \ldots, x_n) \in V_1 \otimes \cdots \otimes V_n \mid x_i = F_i(M)\}$ is called the possible state space of X.²

² The nature of the domain M is sometimes complex. In systems theory it is often considered to be a set of time instants, or the Cartesian product of a set of reference frames and the real line [5, p. 1?0].

To illustrate our formalism, Table I shows a state description for five things: an inventory item, a customer order, a customer account, a customer repayment, and an inventory replenishment. Note that Table I shows only one possible state description of the things. For example, we have not used state variables to describe the physical dimensions of the inventory item thing. In this respect, we have chosen a specific functional schema to reflect our particular purposes (simplicity) in modeling a subset of the real world. In short, our formalism recognizes that absolute state variables do not exist. Instead, state variables are chosen to reflect our knowledge, goals, views, etc., at some time. Moreover, different observers of the same thing may choose to model it differently.

TABLE I
STATE DESCRIPTION OF FIVE THINGS

Thing                     Property               State Variable
Inventory Item            Item Number            Item-No
                          Quantity-on-Hand       QOH
                          Unit Price             Unit-Price
                          Item Discount (%)      Discount
Customer Order            Order Number           Order-No
                          Customer Number        Cust-No
                          Item Number            Item-No
                          Quantity Ordered       Qty-Ord
                          Quantity Supplied      Qty-Supl
                          Sales Price            Sale-Pr
                          Sales Amount           Sale-Amt
                          Date                   Date
                          Processed Flag         Proc
Customer Account          Customer Number        Cust-No
                          Customer Address       Cust-Add
                          Balance Due            Bal-Due
                          Credit Limit           Cr-Limit
Customer Repayment        Customer Number        Cust-No
                          Repayment Amount       Amount
                          Date                   Date
                          Processed Flag         Proc
Inventory Replenishment   Shipment Number        Ship-No
                          Item Number            Item-No
                          Date                   Date
                          Replenishment Amount   Replen
                          Processed Flag         Proc
IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 16, NO. 11
The possible state space of the inventory item thing would be represented by the set of all combinations of values that the state variables might assume - the Cartesian product (represented by $\otimes$) of the ranges of the state variables. Furthermore, the state space of a thing must be modeled so it includes all possible states that the thing might assume from the beginning to the end of its life. For the inventory item thing, for example, we must choose a total state function $F$ so that some subsets of the state space reflect that the values of state variables describing the inventory item have been updated and others reflect new state variables have been chosen to describe the inventory item. This view of the state space of a thing reflects what Bunge [5, p. 221] calls the principle of nominal invariance: "a thing, if named, shall keep its name throughout its history as long as the latter does not include changes in natural kind--changes which call for changes of name."

B. Laws and Lawful States

We proceed, now, to recognize that not all states of a thing are lawful. The values of the attributes of a thing may be restricted by various rules, and these rules define the lawful state space of a thing. We begin with the notion of a law statement.

Definition 2*: Let $X_m = (M, F)$ be a functional schema for a thing X. Any restrictions on the possible values of the components of $F$ and any relation among two or more such components is called a law statement, $l(X) \in L(X)$. Thus, $l(X): V_1 \otimes \cdots \otimes V_n \to \{\text{unlawful}, \text{lawful}\}$.

Laws reflect either natural or artificial constraints imposed upon things.³ For example: 1) the QOH state variable of the inventory item thing might be restricted to values that are zero or positive (a natural law); 2) the Discount state variable may be related to the Unit-Price state variable (an artificial law). Thus, laws provide information about things. As such, they are also properties of things. Accordingly, if we choose, laws can be modeled via the total state function used to describe a thing.

³ Laws correspond to the notion of invariants in Z.

Since we postulate the existence of laws, we recognize that only a subset of the possible state space of a thing may be deemed lawful.

Definition 3*: Let $X_m = (M, F)$ be a functional schema for a thing X, where $F = (F_1, \ldots, F_n): M \to V_1 \otimes \cdots \otimes V_n$ is the total state function, and let $L(X)$ be the set of all law statements on X. Then the subset of the codomain V restricted under $L(X)$ is called the lawful state space of X in the representation $X_m$. That is, $S_L(X) = \{(x_1, \ldots, x_n) \in V_1 \otimes \cdots \otimes V_n \mid F \text{ satisfies every } l(X) \in L(X)\}$.

Thus, the lawful state space of the inventory item thing would include all combinations of state variable values that we deem allowed.

C. Events, History, and Coupling

When a thing undergoes change, the value of at least one of its properties must alter. A change of state constitutes an event.

Definition 4*: An ordered pair $(s, s')$, where $s, s' \in S(X)$, will be called an event.

However, not all changes of state are lawful, and so not all events are lawful. We define, first, the notion of a lawful transformation.

Definition 5*: Let $S_L(X)$ be the lawful state space of a thing X. We denote by $G_L(X)$ the set of transformations from the lawful state space into itself that are given as lawful in the system. That is, $G_L(X) \subseteq S_L(X) \otimes S_L(X)$.

Hence we have the following.

Definition 6*: Let $S_L(X)$ be the lawful state space of a thing X, and let $G_L(X)$ be the set of lawful transformations on the state space into itself. Then a lawful event in X is represented by the ordered pair $(s, s')$, where $s, s' \in S_L(X)$ and $s' = g(s)$, $g \in G_L(X)$.

Corollary 6*: The lawful event space of a thing X is the set of ordered pairs: $E_L = G_L(X) \cap [S_L(X)]^2$.

To illustrate these concepts, consider again our inventory item thing. Assume at some time the state functions for the inventory item thing map it into the following values: Item-No = P1; QOH = 10; Unit-Price = 15.00; Discount = 5. Thus, $s = (P1, 10, 15.00, 5)$.

Assume, also, that one lawful transformation on this state updates the value of QOH in light of an inventory replenishment. For example, if 5 more units of inventory are received, the following lawful event occurs: $(s, s') = ((P1, 10, 15.00, 5), (P1, 15, 15.00, 5))$. Thus, a subset of the lawful event space for the inventory item thing includes all events that arise as a result of an inventory replenishment and the "firing" of the lawful inventory replenishment transformation.

Changes of state manifest a history of a thing. Thus we have the following.

Definition 7*: Let X be a thing modeled by a functional schema $X_m = (M, F)$, let $t \in M$, $t > 0$ be a time instant. Then a history of X is the set of ordered pairs, $h(X) = \{(t, F(t))\}$.

In turn, the notion of a history allows us to determine when two things are bonded or coupled to each other. Intuitively, if two things are independent of each other, they will have independent histories. If they are coupled in some way, however, at least one of the things' history will depend upon the other thing's history. Thus we have Definitions 8 and 9.

Definition 8*: A thing X acts on a thing Y, denoted $X \triangleright Y$, if $h(Y \mid X) \neq h(Y)$.

Definition 9*: Two things X and Y are coupled, denoted $B(X, Y)$, iff $(X \triangleright Y) \vee (Y \triangleright X)$.

To illustrate these notions, consider the inventory item and the customer order shown in Table I. If the customer order represents a sale of inventory to a customer, the states of the inventory item will depend upon the states of the customer order. Thus, the two things are coupled.

D. Systems and Subsystems

The notions of things and couplings enable us to define precisely the concept of a system. Intuitively, a system comprises a set of things where each thing in the set is coupled to at least one other thing in the set and where, in addition, it is impossible to partition the set of things such that the histories of the two partitions are independent of each other. Thus we have the following.

Definition 10: Let $C$ be a set of things, and let $B_C = \{(X, Y) \mid X, Y \in C \wedge B(X, Y)\}$. Let $\sigma(C, B_C)$ be a graph, where $C$ is the set of vertices (things) and $B_C$ is the set of edges (couplings). Then $\sigma(C, B_C)$ is a system iff it is a connected graph. Henceforth, $\sigma(C, B_C)$ will be denoted by $\sigma$.

Fig. 1 is a graph of a system. Consider the various couplings that exist. First, the order thing is coupled to the inventory item thing and the customer account thing. When the order occurs, the value of Qty-Supl depends upon the value of QOH. The quantity ordered can only be supplied if there is sufficient inventory on hand. Furthermore, the maximum discount that the salesperson
where
$B(\sigma, t) = \{ B(x, y) \mid x, y \in C(\sigma, t) \}$
[...] $= \{ x \mid x \notin C(\sigma, t) \wedge \exists y\,(y \in C(\sigma, t) \wedge B(x, y)) \}$

⁴ This section may be skipped by those readers who are primarily interested in our decomposition results in Section V.
d: (.si) = ci; (a;,) = qsg = d; (sfr) = $200
s; = {s ;,,s&s;}; d&,) = dgs,:) = f&s;;) =$ 0
$2, = {si. .s;l, 3:); cq.s(q = dgsi) = fqs:,) = $100
Si = {si~,s~,.$}; di(ai) = di(.si) = di(si) = $200
S,” = {s~,s~,af}; do = di(si) = di(ai) = $300.

In light of the concept of the set of subsystem equivalence states, we now define the decomposition condition.

Definition 29: Let $g$ be a transformation on a system, and let $S_i^k$ be a set of subsystem equivalence states. The decomposition condition holds for transformation $g$ and subsystem $x_i$ if, for every $s_i^k$ of $x_i$ a state $s_i^h$ of $x_i$ exists such that: $s \in S_i^k \Rightarrow g(s) \in S_i^h$; $k$ and $h$ are not necessarily distinct (i.e., $h$ is a function of $k$ and $g$ and $i$ but not of $s$).

Corollary 29: If the decomposition condition holds, then $d_i(s) = d_i(s') \Rightarrow d_i(g(s)) \cap d_i(g(s')) \neq \emptyset$.

In other words, for the set of all system states that map into the same ith subsystem state, the decomposition condition requires that the set of new system states which arise from an event will also map into the same ith subsystem state. In short, for the decomposition condition to hold, subsystems must "behave" independently in the following sense. If we know that the ith subsystem is in state $y = d_i(s)$ when the system is in state $s$, we have sufficient knowledge to predict what the new state $t = d_i(g(s))$ will be.

We formalize these notions in terms of the concepts of a well-defined, induced transformation and a good decomposition.

Definition 30: Let $g$ be a transformation on a system $\sigma$. Then the transformation $g_i$ induced on the subsystem $x_i < \sigma$ is well-defined iff $g_i$ is a function, i.e., $g_i(s) = s' \wedge g_i(s) = s'' \Rightarrow s' = s''$ for every $s, s', s'' \in S(x_i)$.

Definition 31: A decomposition $D(\sigma)$ of a system is a good decomposition with respect to a transformation $g$ on the system iff the transformation $g$ induces a well-defined internal transformation $g_i$ in every subsystem $x_i$ of the decomposition.

Recall from Definitions 18 and 19 that we have identified two types of events that can occur in a system: an external (input) event and an internal event. Since external events in a system arise from the actions of the environment, they may not be described by a well-defined transformation. For example, given a certain level of inventory, it may be impossible to predict the new level of inventory that arises after an order has been satisfied because the amount ordered cannot be predicted. Once the external event has occurred, however, we require that the subsequent internal events that occur in each subsystem be well defined if the decomposition is to be good. In summary, although external events in a system may not be well defined, all internal events in a well-decomposed system must be well-defined.

B. An Example

To illustrate the notion of a good decomposition, consider once more our accounting system example. Assume again that we represent the state of the inventory management subsystem via the state variable Inv and the state of the revenue and receivables system via the state variable Rec. However, assume now that we represent the state of the system via the state vector (Inv, Rec). Clearly, a mapping $H$ from the state of the system to the state of the decomposition is trivial:

$H(s^1) = H((s_1^1, s_2^1)) = \{(s_1^1, s_2^1)\} = \{(0, 0)\}$
$H(s^2) = H((s_1^1, s_2^2)) = \{(s_1^1, s_2^2)\} = \{(0, 100)\}$
$H(s^3) = H((s_1^1, s_2^3)) = \{(s_1^1, s_2^3)\} = \{(0, 200)\}$
$H(s^4) = H((s_1^1, s_2^4)) = \{(s_1^1, s_2^4)\} = \{(0, 300)\}$
$H(s^5) = H((s_1^2, s_2^1)) = \{(s_1^2, s_2^1)\} = \{(100, 0)\}$
$H(s^6) = H((s_1^2, s_2^2)) = \{(s_1^2, s_2^2)\} = \{(100, 100)\}$
$H(s^7) = H((s_1^2, s_2^3)) = \{(s_1^2, s_2^3)\} = \{(100, 200)\}$
$H(s^8) = H((s_1^2, s_2^4)) = \{(s_1^2, s_2^4)\} = \{(100, 300)\}$
$H(s^9) = H((s_1^3, s_2^1)) = \{(s_1^3, s_2^1)\} = \{(200, 0)\}$
$H(s^{10}) = H((s_1^3, s_2^2)) = \{(s_1^3, s_2^2)\} = \{(200, 100)\}$
$H(s^{11}) = H((s_1^3, s_2^3)) = \{(s_1^3, s_2^3)\} = \{(200, 200)\}$
$H(s^{12}) = H((s_1^3, s_2^4)) = \{(s_1^3, s_2^4)\} = \{(200, 300)\}$.

The set of subsystem equivalence states are

$S_1^1 = \{s^1, s^2, s^3, s^4\}$; $d_1(s^1) = d_1(s^2) = d_1(s^3) = d_1(s^4) = \$0$
$S_1^2 = \{s^5, s^6, s^7, s^8\}$; $d_1(s^5) = d_1(s^6) = d_1(s^7) = d_1(s^8) = \$100$
$S_1^3 = \{s^9, s^{10}, s^{11}, s^{12}\}$; $d_1(s^9) = d_1(s^{10}) = d_1(s^{11}) = d_1(s^{12}) = \$200$
$S_2^1 = \{s^1, s^5, s^9\}$; $d_2(s^1) = d_2(s^5) = d_2(s^9) = \$0$
$S_2^2 = \{s^2, s^6, s^{10}\}$; $d_2(s^2) = d_2(s^6) = d_2(s^{10}) = \$100$
$S_2^3 = \{s^3, s^7, s^{11}\}$; $d_2(s^3) = d_2(s^7) = d_2(s^{11}) = \$200$
$S_2^4 = \{s^4, s^8, s^{12}\}$; $d_2(s^4) = d_2(s^8) = d_2(s^{12}) = \$300$.

Note, the set of decomposition states into which each system state maps comprises only one element, i.e., $|d(s)| = 1$. Thus, there is a one-one mapping (injection) between a system state and a state of the decomposition.

Assume, now, that the organization which operates the accounting system has only one customer and that the customer always orders inventory in $100 lots as either a cash order or a credit order. Replenishment of inventory occurs on a regular time schedule as the organization produces inventory at its manufacturing facility. From time to time, stockout situations may occur if the customer orders more inventory than normal during a time period.

Assume, first, that the organization has a policy of generating a rush production order if a stockout situation occurs because it is concerned about losing goodwill if it cannot meet a future order from the customer. Rush production orders occur in $200 lots. A transformation $g^1$ which effects an inventory replenishment in light of a rush production order when the inventory level reaches zero can be represented as follows:

$g^1((0, \cdot)) = (200, \cdot)$; $g^1((100, \cdot)) = (100, \cdot)$; $g^1((200, \cdot)) = (200, \cdot)$.
The transformation $g^1$ induces the following internal transformations on $x_1$, the inventory management subsystem, and $x_2$, the revenue and receivables subsystem:

$g_1^1(0) = 200$      $g_2^1(0) = 0$
$g_1^1(100) = 100$    $g_2^1(100) = 100$
$g_1^1(200) = 200$    $g_2^1(200) = 200$
                      $g_2^1(300) = 300$.

Note that a well-defined internal transformation has been induced in each subsystem. Thus, the decomposition is a good decomposition under the inventory replenishment transformation.

Assume now that the organization changes its policy with respect to stockout situations. It will generate a production order for stock replenishment purposes only if the credit limit of $200 has not been reached. It is not willing to bear the extra costs associated with a rush production order if its customer is in debt at or beyond the credit limit amount. Consider a transformation $g^2$ which effects the inventory replenishment under this policy:

$g^2((0, 0)) = (200, 0)$, i.e., $g^2(s^1) = s^9$
$g^2((0, 100)) = (200, 100)$, i.e., $g^2(s^2) = s^{10}$
$g^2((0, 200)) = (200, 200)$, i.e., $g^2(s^3) = s^{11}$
$g^2((0, 300)) = (0, 300)$, i.e., $g^2(s^4) = s^4$
$g^2((100, 0)) = (100, 0)$, i.e., $g^2(s^5) = s^5$
$g^2((100, 100)) = (100, 100)$, i.e., $g^2(s^6) = s^6$
$g^2((100, 200)) = (100, 200)$, i.e., $g^2(s^7) = s^7$
$g^2((100, 300)) = (100, 300)$, i.e., $g^2(s^8) = s^8$
$g^2((200, 0)) = (200, 0)$, i.e., $g^2(s^9) = s^9$
$g^2((200, 100)) = (200, 100)$, i.e., $g^2(s^{10}) = s^{10}$
$g^2((200, 200)) = (200, 200)$, i.e., $g^2(s^{11}) = s^{11}$
$g^2((200, 300)) = (200, 300)$, i.e., $g^2(s^{12}) = s^{12}$.

The transformation $g^2$ induces the following internal transformations on the two subsystems:

$g_1^2(0) = \{0, 200\}$    $g_2^2(0) = 0$

each transformation in the set. We have not shown how this task can be undertaken in this paper, but the answer lies in identifying which couplings are important under each transformation that is of interest. This issue has been addressed elsewhere [31], [41].

VI. RESEARCH DIRECTIONS AND CONCLUSIONS

As we indicated in the introduction to this paper, two major tests of the quality of a model are its ability to facilitate understanding and to aid prediction. In terms of understanding, we believe our model clarifies some previously fuzzy but fundamental constructs in the CS and IS fields. It also shows rigorously how these constructs are related to one another. In addition, elsewhere we believe we have used the model successfully to analyze the meaning of concepts like batch systems, real-time systems, system controls, data, programs, abstract data types, and objects [37]-[40]. An important attribute of these analyses is that they have been independent of implementation or technology considerations. Thus, we believe they will prove to be robust in the long run.

In terms of prediction, we have used the model to forecast the locus of control and audit procedure change when an information system is modified [40] and to identify some necessary attributes of a good requirements specification [39], [42]. In light of the analysis of the characteristics of a good decomposition that we have undertaken in this paper, we believe the model can now be used to make predictions about the efficacy of the various decomposition rules and heuristics that have been proposed in the literature. For example, we can address the question of how well functional decomposition, data flow decomposition, and data structure decomposition meet the requirements of a good decomposition that have been articulated in this paper. Our current research is directed toward these issues.

ACKNOWLEDGMENT

We are indebted to P. Bailes and A. Street for helpful comments on this paper. We are especially grateful to G. Dromey and three reviewers for their detailed comments and to K. Raymond for helpful discussions on the Z language.

REFERENCES
[12] R. G. Dromey, "Systematic program development," IEEE Trans. Software Eng., vol. SE-14, no. 1, pp. 12-29, Jan. 1988.
[13] J. D. Gannon, R. G. Hamlet, and H. D. Mills, "Theory of modules," IEEE Trans. Software Eng., vol. SE-13, no. 7, pp. 820-829, July 1987.
[14] M. Hamilton and S. Zeldin, "Higher order software-A methodology for defining software," IEEE Trans. Software Eng., vol. SE-2, no. 1, pp. 9-32, Mar. 1978.
[15] I. J. Hayes, Ed., Specification Case Studies. Englewood Cliffs, NJ: Prentice-Hall, 1987.
[16] C. A. R. Hoare, "An overview of some formal methods for program design," Computer, vol. 20, no. 9, pp. 85-91, Sept. 1987.
[17] M. A. Jackson, Principles of Program Design. New York: Academic, 1975.
[18] C. B. Jones, Systematic Software Development Using VDM. Englewood Cliffs, NJ: Prentice-Hall, 1986.
[19] J. Karimi and B. R. Konsynski, "An automated software design assistant," IEEE Trans. Software Eng., vol. 14, no. 2, pp. 194-210, Feb. 1988.
[20] R. C. Linger, H. D. Mills, and B. I. Witt, Structured Programming: Theory and Practice. Reading, MA: Addison-Wesley, 1979.
[21] M. D. Mesarovic and Y. Takahara, General Systems Theory. New York: Academic, 1975.
[22] A. Mili, J. Desharnais, and J. R. Gagne, "Formal models of stepwise refinement of programs," ACM Comput. Surveys, vol. 18, no. 3, pp. 231-276, Sept. 1986.
[23] J. G. Miller, Living Systems. New York: McGraw-Hill, 1978.
[24] H. D. Mills, V. R. Basili, J. D. Gannon, and R. G. Hamlet, Principles of Computer Programming: A Mathematical Approach. Boston, MA: Allyn and Bacon, 1987.
[25] J. Moses, "Computer science as the science of discrete man-made systems," in The Study of Information: Interdisciplinary Messages, F. Machlup and U. Mansfield, Eds. New York: Wiley, 1983.
[26] G. J. Myers, Reliable Software Through Composite Design. New York: Petrocelli/Charter, 1975.
[27] T. W. Olle, J. Hagelstein, I. G. Macdonald, C. Rolland, H. G. Sol, F. J. M. Van Assche, and A. A. Verrijn-Stuart, Information System Methodologies: A Framework for Understanding. Reading, MA: Addison-Wesley, 1988.
[28] D. L. Parnas, "On the criteria to be used in decomposing systems into modules," Commun. ACM, vol. 15, no. 12, pp. 1053-1058, Dec. 1972.
[29] -, "On a 'buzzword': Hierarchical structure," in Inform. Processing 74. Amsterdam, The Netherlands: North-Holland, 1974, pp. 336-339.
[30] -, "Education for computing professionals," Computer, vol. 23, no. 1, pp. 17-22, Jan. 1990.
[31] J. D. Paulson, "Reasoning tools to support system analysis and design," Ph.D. dissertation, Univ. British Columbia, 1988.
[32] S. B. Rogers, "A simple architecture for consistent application design," IBM Syst. J., vol. 22, no. 3, pp. 199-213, 1983.
[33] H. A. Simon, The Sciences of the Artificial, 2nd ed. Cambridge, MA: MIT Press, 1981.
[34] J. M. Spivey, The Z Notation: A Reference Manual. Englewood Cliffs, NJ: Prentice-Hall, 1989.
[35] T. H. Tse, "The identification of program unstructuredness: A formal approach," Comput. J., vol. 30, no. 6, pp. 507-511, 1987.
[36] P. A. M. Van Dongen and J. H. L. Van Den Bercken, "Structure and function in neurobiology: A conceptual framework and the localization of functions," Int. J. Neurosci., vol. 16, pp. 49-68, 1981.
[37] Y. Wand, "A proposal for a formal model of objects," in Object-Oriented Concepts, Applications, and Databases, W. Kim and F. Lochovsky, Eds. Reading, MA: Addison-Wesley, 1989, pp. 537-559.
[38] Y. Wand and R. Weber, "An ontological analysis of some fundamental information system concepts," in Proc. Ninth Int. Conf. Information Systems, Dec. 1988, pp. 213-226.
[39] -, "A deep structure theory of information systems," Univ. British Columbia, unpublished working paper, Mar. 1988.
[40] -, "A model of control and audit procedure change in evolving data processing systems," Accounting Rev., vol. LXIV, no. 1, pp. 87-107, Jan. 1989.
[41] -, "A model of systems decomposition," in Proc. Tenth Int. Conf. Information Systems, Dec. 1989, pp. 41-51.
[42] -, "An ontological evaluation of systems analysis and design methods," in Information Systems Concepts: An In-Depth Analysis, E. Falkenberg and P. Lindgreen, Eds. Amsterdam, The Netherlands: North-Holland, 1989, pp. 79-107.
[43] R. Weber, "Toward a theory of artifacts: A paradigmatic base for information systems research," J. Inform. Syst., vol. 1, no. 2, pp. 3-19, Spring 1987.
[44] N. Wiener, Cybernetics: Or Control and Communication in the Animal and the Machine, 2nd ed. Cambridge, MA: MIT Press, 1961.
[45] J. L. Whitten, L. D. Bentley, and T. I. M. Ho, Systems Analysis and Design Methods. St. Louis, MO: Times Mirror/Mosby, 1986.
[46] E. Yourdon and L. L. Constantine, Structured Design: Fundamentals of a Discipline of Computer Program and System Design. Englewood Cliffs, NJ: Prentice-Hall, 1979.
[47] P. Zave, "The operational versus the conventional approach to software development," Commun. ACM, vol. 30, no. 2, pp. 104-118, Feb. 1984.

Yair Wand received the B.Sc. degree in mathematics and physics from the Hebrew University, Jerusalem, Israel, in 1966, the M.Sc. degree in physics from the Weizmann Institute of Science, Rehovot, Israel, in 1970, and the D.Sc. degree in operations research from the Technion, Haifa, Israel, in 1977.
Since 1977 he held positions at the Faculty of Management, the University of Calgary; the Faculty of Commerce, the University of British Columbia; and the Faculty of Industrial Engineering and Management, the Technion. His industry experience includes working with IBM (Israel) Ltd. and as an independent consultant. Presently he is on faculty at the MIS Division, Faculty of Commerce and Business Administration, the University of British Columbia. His research interests are modeling of information systems and formal foundations of systems analysis and design.
Dr. Wand is a member of the Association for Computing Machinery and the IEEE Computer Society.

Ron Weber received the B.Com.(Hons.) degree and University Medal from the University of Queensland, Queensland, Australia, in 1972 and the M.B.A. degree and Ph.D. degree in management information systems from the University of Minnesota in 1976 and 1977, respectively.
He is currently GWA Professor of Commerce at the University of Queensland. His current research interests are in the areas of formal modeling of information systems, computer control and audit, and systems analysis and design.