How to document system, software requirements

There are various formats you can use to document system and software requirements. However, no single one is sufficient to represent all requirements. You need to follow an integrated approach.

In the discipline of business analysis, the "hard skill" is writing (or modeling) and documenting the system or software requirements so that they are recorded, communicated and approved. Often, however, this important skill is also the one that is understood the least.

Various formats or deliverables are used to document system and software requirements. If you can understand them and how to combine them, you can produce a comprehensive set of requirements.

What is a system requirement?

A commonly agreed definition of a system requirement does not yet exist. This is my current favorite:

A requirement is a property that is essential for an IT system to perform its functions. Requirements vary (italics added) in intent and in the kinds of properties they represent. They can be functions, constraints, or other properties that must be provided, met, or satisfied so the needs are filled for the system's intended users.
-- Roger Abbott (1986)

This definition reminds us that systems are asked to do many things: perform calculations, store data, produce reports, run business processes, etc. How do you capture business requirements of such potential variety?

Documenting requirements

To support their communication and understanding, requirements must be documented. This has usually meant that they are written down. Because that prose was always too ambiguous for easy understanding, many different structured formats and diagrams have been used over the decades in attempt to capture the elusive system requirement. Much energy has been spent over those years by gurus and vendors trying to prove that their approach was the best way to document requirements. In fact, "religious" arguments have often erupted between competing camps as to why "my way" is better than "your way."

This history, combined with the above definition of system requirements, supports my thinking that no one format or diagram is sufficient to represent all requirements. Since systems are asked to do a variety of things, how requirements are documented needs to vary as well.

Using multiple formats (or deliverables) to support different types of requirements can lead to overlap and potential redundancy, so it is vital that the multiple deliverables be integrated in such a way that as a whole they present one overall view of the requirements.

So, what deliverables should you use? In fact, many well-known types that have previously been used independently are good candidates. Here's the set I currently use the most:

  • Declarative requirement statements
  • Use cases
  • Data models
  • Process models
  • Business rules

Declarative requirement statements

An occurrence of this deliverable is a direct assertion of a "...property that is essential for an IT system to perform its functions." They are "declarative" in that they do not imply any order or flow upon the system.

The common structure is "… the System must ."

Variations on this structure include the following:

  • Referring to the 'Solution' instead of 'System' as information or other type of 'System' is not always what is needed to meet the requirements of the business. Business analysis can identify the need for procedure or process change, for instance.
  • Variations on the verb "must," such as "shall" or "will." A "must" statement is often interpreted as a mandatory requirement, while statements using other verbs mean the requirement is optional or nice to have. If multiple verbs are used in a set of requirement statements, the specific meaning of the use of each verb should be clearly defined.


"The System must provide security that a Dealership can view purchase data only for their own Customers."

"The System must calculate the amortization schedule for a Mortgage, given the Interest Rate, the Amount Borrowed, and the Number of Payments & Payment Frequency."

Such statements are usually part of a group of requirement statements and can be documented at various levels -- from high-level requirements that are documented first in a project to assist in scope definition and planning to detailed statements used as input to design and as the source of test cases.

Gathering these statements can begin with a simple question to the business asking what it wants the expected system to do. Their declarative nature focuses the business on "what," steering clear of early assumptions about "how" the system should meet those requirements. If a business analyst can document 10 to 25 statements at the start of a project, the overall requirements for the system will begin to take shape.

However, one should also expect that the number of statements will grow as analysis continues, large enough to require some means of organizing them. The most common classification used today is functional vs. non-functional, with the latter further subdivided by types such as performance, security and legal. These tend towards how a system will operate or perform, which is fine, but that will still leave a business analyst with many functional requirements that need to be organized. Can another deliverable help?

Use Cases

Let us consider use cases, probably the best-known and widest-used deliverable in system development today -- both for analysis/requirements and design.

I am a relative newcomer to use cases, after working in analysis and requirements through structured analysis and design in the 1980s and information engineering in the 1990s. I found one author's description of use cases almost aesthetically appealing: Each one is a case (or example) of the use of a system.

After that, I have seen many variations and permutations and various "uses" of use cases. That is either a testament to their flexibility or a condemnation of their vagueness. If you are new to use cases, be aware that different flavors of use cases are out there. When I am feeling the need for some rigor or consistency, I always refer to Alistair Cockburn's writings.

Overall, I have seen and used two basic types of use cases:

  1. A multiple-step interaction between actor and system, which relates to user interface design and captures the required functionality the system must provide to support the interaction. I saw this a lot when working with co-workers who were object-oriented designers and programmers.
  2. A single step or occurrence format where an actor initiates the use case (which is provided some input and/or preconditions), and it executes a set of actions (calculate something, retrieve or store something else) that produces a result of interest to the actor. (There may be multiple actors.) The set of actions that are first defined are those that will normally execute if no exceptions or other variations occur. I call this the happy path, as some author or instructor in my past called it.

However, if one or more exceptions/variations from the "happy path" could occur (due to certain input values or combinations of preconditions), these are documented as alternative paths. Creators of these types of use cases don't like to see path selection in their use cases. No "IF-THEN-ELSE" statements; use your alternatives instead.

Finally, both of the above types differentiate between the use case itself as the definition or template of the "use of the system" and scenarios, which are specific instances of the use case given one set of possible input values or preconditions. Changing the input values produces another scenario, so a large number of scenarios could be defined for one use case, all of which will help the testers of the system developed.

I mainly use the second type of use case as part of documenting information system requirements. That type is extremely valuable as a widely accepted deliverable for documenting the results of analysis. Anything that effectively assists in communicating business requirements to one or more audiences is something that should be used.

Now, that type is not perfect, and it is not the ultimate deliverable for documenting requirements. It is only one deliverable out of many (five at my last count). One issue I had with use cases early on was identifying them in the first place. What was the scope of each use case? How many use cases do you need? There will definitely be more than one. What I can say now is that one way use cases can be identified is by their relationship with process models, which I address later in this article.

Once you have a set of use cases defined that cover the scope of the business you are analyzing, you can also use them to organize the declarative requirements statements. As I described earlier, I often start an analysis effort by creating a list of high-level requirement statements based on initial discussions with the business subject matter experts.

Once I have moved ahead to capture the necessarily detailed description of the business in use cases, I allocate those declarative requirement statements to the use cases that will actually support the requirements. (If you end up with requirements that don't match up to any of your use cases, you might be missing some use cases.) Detailed analysis will also support the definition of more requirement statements, again associated with particular use cases.

It might be argued that the detail provided in a use case supersedes the need for requirement statements, but I believe they still play an important role in communicating the essence of the use case. Requirement statements are often preferred by testers as documentation of what they must test, and the statements provide traceability from analysis through design/development to testing.

Using data models for requirements

Data models are used to define the data needed for a system to use and/or control, and they often form the basis for the definition and creation of databases. The most common format used to capture data requirements is the entity-relationship diagram, which was popularized by James Martin's and Clive Finkelstein's Information Engineering Methodology.

In my use of data models for requirements, the main component is the data entity, a subject of interest to the business that is associated by the business relationships between them. Each entity contains data items/attributes that relate to or describe the Entity. Each attribute belongs to only one entity, so requirements duplication is reduced.

Entity-relationship data models are also commonly classified as "conceptual" or "logical" in that they are intended to communicate the data requirements of the business. Such models can then be transformed into a "physical" data model that is used to design a database.

If a data model is used in conjunction with use cases, the latter's data items can be defined by a cross-reference to the data model. As a result, a data item used in multiple use cases will be defined only once, eliminating duplication and inconsistency.

Process models: Are they a systems requirement deliverable?

As a format for documenting system requirements, process models can have a negative impact on the resulting system. The process as it exists at the time of requirements documentation has often been "hard-coded" into delivered systems. When the process needs to change, the system cannot support a different process, and the business starts to adapt or create workarounds to get the work done despite the constraints of the system.

This situation occurs frequently because it is not recognized that some aspects of the business are less stable than others. It has been shown that the process of a business, especially the order of separate steps, is the least stable aspect of a business. At the other end of the scale, the data items and their definitions as used by a business are the most stable aspect of that business. In between the two are things like specific procedures (units of work) and business rules.

So, automation of the current business process should not be a system requirement. In fact, more generic process and workflow software have been developed over the years to specifically support rapid change in process, adding or changing or reordering process steps as needed. These tools are enjoying a new high-profile a Business Process Management (BPM) products, as companies look for ways to integrate disparate systems and vendors look for a front-end to service-oriented architecture (SOA) approaches.

Where process models can play a role in documenting system requirements is to provide a context for use cases. Most steps in a process map will state that some work is done in that step, before the process flow continues. Often this work involves use of a system, which can be documented as a use case. The use case then provides context for declarative requirement statements, as well as a cross-reference to data items and their definitions in a data model. In the end, knowing the overall process of the business or its subsets solves the issue common with use cases: How many do you need and how do you know when you have enough? Process context provides the answer.

Just a few years ago, this would have been the last deliverable that I would have discussed. However, a new emphasis on methods and formats for documenting business rules has recently emerged.

Business rules

As a concept, business rules are not new to the business or IT. What is new is the focus on separating them from other forms of documentation so they can better defined and managed.

Business rules are similar to process models/maps in that they are subject to more frequent change than other aspects of the business, frequent enough that if rules are hard-coded into a system, the effort and elapsed time to change the system can be too large to be tolerated by the business over time. So, just as generic process "systems" are emerging to support rapid process change, so are business rule systems and vendors that support business rule management and change independent of the systems that use them.

What is a business rule? 

"A business rule is a statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business. The business rules that concern (a systems) project are atomic –- that is, they cannot be broken down further."
-- "Defining Business Rules -- What Are They Really?" Copyright ©2001, the Business Rules Group.

I would add the word "declarative" to the definition, as in "a business rule is a declarative statement that defines…" emphasizing that business rules do not imply and process, procedure, flow or other "system" structure. If business rules are separately defined and managed, they can then be used as needed by any process/procedure/flow that needs a rule's guidance or constraint.


  • The insurance coverage for a 10-year Term Life Insurance Policy must be $50,000- or higher.
  • Premiums paid by PreAthorized Payment must have a monthly payment frequency.
  • A person may be the life insured on multiple policies, but only if the total coverage of all the policies does not exceed $1,000,000.

To ensure that business rules are meaningful and clear, they are always based on a defined set of "terms and facts," which are used as the language of the rules. Terms from the above examples include insurance coverage, premium, policy and person. An example of a fact would be, "a person may be the life insured on multiple policies." It's when you add the constraint "but only if the total coverage of all the policies does not exceed $1,000,000" that you have a rule, using that fact and the relevant terms.

Defining terms and facts can also be seen as a role of an Entity-Relationship Data Model, such that the entities/attributes and relationships of such a data model can readily be used as the terms and facts for defining business rules. The two types of models are different in many ways, but they are similar enough that if you have one, you can easily use it to drive the creation of the other.


  • Process maps identify all steps of a process, and a process step can indicate when a use case is used in the business. One use case may be used by multiple steps.
  • Use cases can include one or more declarative requirements for the system/solution. Each requirement statement is allocated to one and only one use case.
  • A data model will document all data items used within the scope of a set of use cases, and it is cross-referenced in the use case for the data items used by the latter. So, a data item is defined once but can be used in multiple use cases.
  • Business rules can also be documented across the scope of the business being analyzed, including both the set of use cases and the overall process map; a business rule may be invoked at different points and times within business operations. Use to date has shown they can then best cross-referenced in the following:
    • In the use cases whose execution is impacted by one or more Business Rules
    • In process maps at decision points, as business rules may play a role in deciding which path within a map should be followed in any one execution of the process

Combining requirements deliverables

The integration described above can be illustrated in the following diagram:

Used together as an integrated set, I find these requirements deliverables present a comprehensive set of system requirements. But requirement deliverable formats and deliverables come and go, so in the long run it is not as important to use the "best" deliverables as it is that you use multiple types of deliverables that can be integrated to reduce duplication, and present multiple views of the same business domain.

About the author: David Wright has more than 20 years' experience as a business analyst, working with various methods over the years, from structured analysis to use cases and business rules. David's experience has primarily been in the insurance/financial sectors, and he is currently an IT business analyst at the finance arm of an international agriculture and construction equipment manufacturer.

Dig Deeper on Software development lifecycle

Cloud Computing
App Architecture