Tropos Methodology: A Goal-Oriented Framework

• Tropos Methodology is a goal-oriented, agent-based framework that explicitly models both functional and non-functional requirements in complex socio-technical systems.
• It employs the ISTAR framework to map actors, goals, dependencies, and resources, extending its utility through SIGs for transparency and auditability.
• Applications like the LawDisTrA case study showcase its scalability, achieving efficient distribution processes and comprehensive audit trails.

The Tropos methodology is a goal-oriented, agent-based software engineering framework designed to facilitate the explicit modeling, analysis, and operationalization of both functional and non-functional requirements (NFRs) within complex organizational and socio-technical systems. Tropos models system stakeholders as "actors" with interrelated goals, encompassing both hardgoals—fully specifiable objectives—and softgoals—objectives representing qualities or constraints such as auditability or transparency that admit multiple forms of operationalization. Recent research has extended Tropos to systematically specify and enforce auditability requirements using tailored NFR catalogs, notably through the introduction of the Transparency Softgoal Interdependency Graph (SIG) and empirical validation in high-stakes contexts such as judicial case distribution (Albuquerque et al., 2020).

1. Methodological Principles of Tropos

At its core, Tropos employs the ISTAR (i*) framework to model actors, goals, dependencies, resources, and their interrelationships. Actors can represent either autonomous system components or organizational roles. Goals are distinguished as either hardgoals, which can be fully operationalized and tested, or softgoals, reflecting high-level qualities that require further refinement and trade-offs. Dependencies in Tropos denote how actors rely on each other to achieve their goals or provide resources.

The methodological workflow encompasses the following phases:

• Early requirements: Elicitation of system stakeholders and their high-level goals.
• Late requirements: Refinement of domain-specific requirements and system boundaries.
• Architectural design: Decomposition of the system into interacting agents and subsystems.
• Detailed design: Specification of agent behaviors, plans, and interactions.

A recently proposed extension involves inserting a dedicated transparency and auditability analysis step at the onset of the late requirements phase, enabling systematic identification and prioritization of NFRs such as auditability.

2. Softgoal Interdependency Graphs (SIGs) and Transparency Decomposition

The Transparency SIG functions as a non-functional requirements catalog, decomposing the overarching concept of transparency into five constituent characteristics: accessibility, usability, informativeness, understandability, and auditability. Each characteristic is represented as a softgoal, further refined into sub-characteristics and ultimately operationalizations—concrete system-level mechanisms or activities.

For auditability, the SIG delineates five subgoals:

• Traceability: The capacity to register and track temporal and causal linkages in data and actions.
• Verifiability: The assurance that actions or data can be checked against corroborating evidence or sources.
• Controllability: Mechanisms enabling intervention, simulation, or replay of processes for oversight.
• Validity: Processes ensuring the correctness and integrity of registered information.
• Accountability: The capacity to register decisions, justifications, and responsible agents.

The SIG not only structures NFR elicitation but also forces systematic mapping from abstract qualities to concrete system tasks, plans, and interfaces.

3. Auditability Requirements Specification in Agent-Based Systems

Operationalizing auditability within Tropos involves translating the softgoals and operationalizations from the SIG into explicit agent behaviors, task assignments, and architectural components.

During requirements analysis, each auditability subgoal is mapped as follows:

Auditability Subfeature	Operationalization Example	Tropos Plan/Implementation
Traceability	Register date, actor, action, etc.	"Record perceptions and actions" for each agent
Verifiability	Check information sources, register actions	Register actions, enable cross-checking by DA
Controllability	Simulation, activity logging	Log start/end of actions, record outcomes
Accountability	Log decisions and justifications	"Apply distribution rules", log rule fired
Validity	Register/check validity of information	DA/MA information checks registered in DB

Actors are instantiated as Protocol Agents (PAs), Distribution Agents (DAs), and Magistrate Agents (MAs), each responsible for plans which realize specific operationalizations. For example, DAs and MAs log every perception and action, apply distribution rules, and register which rules were triggered for each case. Entity-relationship models define persistent database support for audit logs, while interface components such as the Distribution Auditor and Agent Tracker expose transparency artifacts for external audit.

Every inter-agent message and rule-based decision is registered, ensuring exhaustive traceability and verifiability. Drools is leveraged to capture and expose rule activation patterns and dependencies for each distribution event.

4. Application to Large-Scale Judicial Systems: LawDisTrA Case Study

The LawDisTrA system operationalizes the enhanced Tropos methodology in the context of lawsuit distribution at the Brazilian Superior Labor Court (TST), with 309,332 electronic lawsuits distributed by 55 agents among 27 magistrates. Each phase of the Tropos lifecycle is instantiated:

• Early requirements: Identification of actors (PA, DA, MA) and their roles.
• Late requirements: Mapping of Transparency SIG auditability softgoals to agent tasks.
• Architectural design: Modeling agent interactions aligned with the legal process.
• Detailed design: Specification of data and control flows supporting auditability.
• Implementation: Realized with Java/JADE agents, Drools for business rule execution, and web interfaces for auditability.

Empirically, LawDisTrA achieved a throughput of 3.15 lawsuits per second, completing the distribution task in under 29 hours. Approximately 27.5 million audit log entries were generated, enabling users to verify the provenance and rationale of each distribution. The Distribution Auditor and Agent Tracker interfaces permit external oversight of system actions in real time.

Over 94% of distributions followed the standard rule ("ordinary"), yet the system tracked all exceptions and special procedures, with logged justifications and traceable message histories.

5. Implications for NFR Specification and System Accountability

This instantiation validates that auditability requirements can be systematically specified, operationalized, and enforced using Tropos when driven by an explicit SIG-based NFR catalog. Softgoals and their operationalizations guide the mapping from domain-level transparency obligations to concrete agent tasks and system artifacts. The LawDisTrA paper demonstrates that agent-based approaches, combined with goal-oriented modeling and SIG-driven analysis, can furnish scalable audit trails and actionable transparency for both process and information domains.

The methodology is generalizable to other transparency characteristics (e.g., usability, understandability); only auditability and understandability have been empirically validated to date. A plausible implication is that similar approaches could extend to other non-functional domains, provided the NFR decomposition is carefully articulated.

6. Limitations and Future Research Directions

Formal evaluation has thus far been confined to two of the five transparency characteristics in the SIG, indicating the need for broader empirical validation. While LawDisTrA exhibits extensive audit logging and tractable audit interfaces, further user studies are needed to assess real-world audit and oversight efficacy.

A possible avenue for expansion includes formalizing SIGs for other cross-organizational NFRs, automating their mapping within agent-oriented methodologies, and integrating downstream audit processes more tightly with citizen or third-party oversight requirements.

7. Key Notational and Modeling Elements

Tropos and ISTAR notation are central for diagramming actor goals, dependencies, softgoals, and operationalizations:

Actor [Softgoal] [Hardgoal] | | / \ [Task/Plan] [Resource] {---} [Contribution] [Dependency]

For transparency:

Auditability / | | | \ Controllability Verifiability Traceability Validity Accountability (Each with linked operationalization nodes)

These form the backbone for mapping transparency-related softgoals to action plans and concrete implementation artifacts, as demonstrated empirically in the LawDisTrA project.