Abstract

Commands are an important part of large-scale industrial software specifications, especially where the specification is separated from its implementation, as in open software standards. Commands can be complex because of large numbers of parameters, dependencies among parameters, subtle side effects, and lack of abstraction. We present a formal approach for command modeling and apply it to IBM's Distributed Data Management Architecture (DDM), a complex, large-scale specification of data access on remote and heterogeneous IBM systems. Our approach consists of three parts: a declarative, executable command specification language, an incremental specification technique, and automated reasoning tools. The command specification language provides a formal interpretation of the structural (input-output) and behavioral (state constraints and state changes) properties of commands. To manage the details of complex commands with numerous interdependent arguments, a novel incremental specification technique and several tools for incremental definition and browsing are presented. Two forms of automated reasoning are also demonstrated: type checking to ensure "well-typed" expressions, and target system tracing to simulate command execution. Lessons learned from our experience with the DDM are also discussed.
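The abstract names two kinds of command properties (structural: typed, interdependent parameters and a reply; behavioral: a state constraint and a state change) and two reasoning tools over them (type checking and execution tracing). The following Python model is an added illustration of those ideas and is not the paper's specification language or any DDM code; the commands `OPEN` and `GET_RECORD`, their parameters, and the state layout are constructed for this example. The point for a practitioner is that an invocation is rejected by the type checker or the precondition before any state change happens, so malformed or out-of-sequence commands never reach the effect.

```python
"""Toy declarative command model: structural spec (typed params with
dependencies, reply type), behavioral spec (precondition, effect), plus a
type checker and an execution tracer. Constructed example, not DDM code."""
import copy
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

State = Dict[str, Any]
Args = Dict[str, Any]


@dataclass
class Param:
    """One parameter of a command (structural property)."""
    name: str
    type_: type
    required: bool = True
    requires: Optional[str] = None  # inter-parameter dependency (hypothetical)


@dataclass
class Command:
    """Structural part (params, reply_type) and behavioral part (precondition,
    effect). The effect returns a new state and a reply; it never mutates input."""
    name: str
    params: List[Param]
    reply_type: type
    precondition: Callable[[State, Args], Optional[str]]  # error text or None
    effect: Callable[[State, Args], Tuple[State, Any]]


def type_check(cmd: Command, args: Args) -> List[str]:
    """Check an invocation against the structural spec; [] means well-typed."""
    problems: List[str] = []
    for extra in sorted(set(args) - {p.name for p in cmd.params}):
        problems.append(f"{cmd.name}: unknown parameter {extra!r}")
    for p in cmd.params:
        if p.name not in args:
            if p.required:
                problems.append(f"{cmd.name}: missing required parameter {p.name!r}")
            continue
        value = args[p.name]
        if type(value) is not p.type_:  # exact match, so bool is not accepted as int
            problems.append(f"{cmd.name}: parameter {p.name!r} expects "
                            f"{p.type_.__name__}, got {type(value).__name__}")
        if p.requires is not None and p.requires not in args:
            problems.append(f"{cmd.name}: parameter {p.name!r} requires {p.requires!r}")
    return problems


def trace(cmd: Command, args: Args, state: State) -> Tuple[State, Any, List[str]]:
    """Simulate one command on a target-system state. Returns (state, reply, log);
    on a type or precondition failure the state is returned unchanged."""
    log = type_check(cmd, args)
    if log:
        return state, None, log
    err = cmd.precondition(state, args)
    if err:
        return state, None, [f"{cmd.name}: precondition failed: {err}"]
    new_state, reply = cmd.effect(state, args)
    log = [f"{cmd.name}: ok, reply={reply!r}"]
    if type(reply) is not cmd.reply_type:
        log.append(f"{cmd.name}: reply type mismatch")
    return new_state, reply, log


# --- constructed commands and state --------------------------------------
def initial_state() -> State:
    """Constructed sample state: one file "A" with three records, nothing open."""
    return {"files": {"A": ["r1", "r2", "r3"]}, "open": {}, "next_handle": 1}


def open_pre(state: State, args: Args) -> Optional[str]:
    return None if args["name"] in state["files"] else f"no such file {args['name']!r}"


def open_effect(state: State, args: Args) -> Tuple[State, Any]:
    new = copy.deepcopy(state)
    handle = new["next_handle"]
    new["open"][handle] = {"name": args["name"], "pos": 0}
    new["next_handle"] = handle + 1
    return new, handle


def get_record_pre(state: State, args: Args) -> Optional[str]:
    if args["handle"] not in state["open"]:
        return f"handle {args['handle']} is not open"
    return None


def get_record_effect(state: State, args: Args) -> Tuple[State, Any]:
    new = copy.deepcopy(state)
    entry = new["open"][args["handle"]]
    n = args.get("page_size", 1) if args.get("page") else 1  # page_size only with page
    records = new["files"][entry["name"]][entry["pos"]:entry["pos"] + n]
    entry["pos"] += len(records)
    return new, records


OPEN = Command("OPEN", [Param("name", str), Param("shared", bool, required=False)],
               int, open_pre, open_effect)
GET_RECORD = Command("GET_RECORD",
                     [Param("handle", int), Param("page", bool, required=False),
                      Param("page_size", int, required=False, requires="page")],
                     list, get_record_pre, get_record_effect)
```

`type_check` is a purely static check on the invocation, while `trace` is the dynamic part: it threads a state through precondition and effect and reports each step, which is what lets a specification be executed against a simulated target before any implementation exists.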
