- Email: [email protected]
Towards modeling and runtime verification of self-organizing systems
Accepted Manuscript
Towards Modeling and Runtime Verification of Self-Organizing Systems Bahareh Abolhasanzadeh , Saeed Jalili PII: DOI: Reference:
S0957-4174(15)00621-1 10.1016/j.eswa.2015.09.008 ESWA 10278
To appear in:
Expert Systems With Applications
Received date: Revised date: Accepted date:
10 May 2014 8 September 2015 8 September 2015
Please cite this article as: Bahareh Abolhasanzadeh , Saeed Jalili , Towards Modeling and Runtime Verification of Self-Organizing Systems, Expert Systems With Applications (2015), doi: 10.1016/j.eswa.2015.09.008
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
ACCEPTED MANUSCRIPT
Highlights
AC
CE
PT
ED
M
AN US
A method for design and verification of self-organizing systems is proposed The proposed method is: modular , robust and scalable The proposed method does structural and safe adaptation A novel runtime verification method to verify self-organizing systems is employed A specific instance of self-organizing traffic management system is presented
CR IP T
ACCEPTED MANUSCRIPT
Towards Modeling and Runtime Verification of SelfOrganizing Systems
CR IP T
Bahareh Abolhasanzadeh*, Saeed Jalili Electrical and Computer Engineering Faculty, Tarbiat Modares University, Tehran, Iran
Self-organization,
Formal
modeling,
Runtime
verification,
ED
Keywords: HPobSAM
M
AN US
Abstract. According to the fact that the intrinsic dynamism of self-organizing systems challenges the existing methods of engineering for modeling reliable complex systems, in this paper, we propose a new formal-based method to model self-organizing systems. The capabilities of the proposed method which are used to address several challenges in design, development and analysis of self-organizing systems are: modularity and robustness, decentralized control and scalability, required adaptation types, flexible and adaptive control mechanism, separation of adaptation and business logic, and safe adaptation. To evaluate the proposed method, we use self-organizing traffic management system as a case study and exploit the proposed method for modeling this dynamic system. Moreover, we propose and employ a novel policy-based runtime verification mechanism to ensure that the safety properties are satisfied by the implementation at runtime. We provide our case study prototype using Java and the Ponder2 toolkit and apply our runtime verification method to show its proper reaction capabilities to the property violations. This benefit is the result of using dynamic policies in our method to control the behavior of systems.
Introduction
PT
1
AC
CE
The continuous advances in technology make computing environments dynamic, heterogeneous and more complex. To deal with such dynamics in the environmental conditions, systems should be given more degrees of autonomy, allowing them to continue operating without human intervention. To this aim, in recent years, there has been a significant growth of interest in new approaches based on bio-inspired metaphors to create powerful methodologies for designing systems and solving computational problems. In nature, biological systems are capable to enlarge in scale and behave autonomously without a centralized control; they are only influenced by local environment conditions and interactions with nearby entities (Seeley, 2002). This natural adaptation and loosely-coupled cooperation is the idea behind selforganizing mechanisms. Generally, self-organization is specified as the evolution of a *
Corresponding author. E-mail addresses: [email protected] (B. Abolhasanzadeh), [email protected] (S. Jalili).
2
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
system into an organized state, in the presence of ever changing environments and in the absence of external or of centralized control. Self-organizing systems are generally made of multiple autonomous components which are able to self-organize their activity patterns toward a specified common goal (Macías-Escrivá, Haber, del Toro, & Hernandez, 2013). Such systems are expected to withstand disturbance and do structural adaptation in response to unexpected situations, where structure can be spatial, temporal, or functional. Motivation: Two main challenges faced by designers of self-organizing systems are (i) designing the autonomous system elements to achieve the intended system-level dynamics and (ii) providing assurances about the correctness of the emergent global behavior. Based on the degree of autonomy, three approaches are used for designing complex systems. In centralized approach, a system is managed in a top-down way using one control element. This approach comprises initiatives like Soft Computing (Zadeh, 1997). Centralized control imposes a single point of failure and needs a complete description of the desired properties and environment. Hierarchical approaches consider several control elements distributed over different levels of hierarchy. These control elements interact with each other to realize the goals. Organic Computing (Muller-Schloer, 2004; Schmeck, Müller-Schloer, Çakar, Mnif, & Richter, 2010) is the most notable initiative of such approaches which provides controlled autonomy for a system. However, this approach limits the system’s scalability. Current aims in development of self-organizing systems are mainly concentrated on employing decentralized approaches. In a decentralized approach, the control of a system is distributed between its components where the system-wide behavior is emerged from local interactions of its components in a bottom-up way. Different frameworks and models have been investigated by diverse research groups from different communities for designing self-organizing software systems. Among them agent-based modeling is generally considered a good paradigm to tackle complexity problems of self-organizing systems (Bernon, Chevrier, Hilaire, & Marrow, 2006; Gardelli, Viroli, Casadei, & Omicini, 2008). Considering the agent metaphor (Gershenson, 2007) provides a framework for designing self-organizing systems. This framework is built on the idea of achieving maximum global satisfaction by reducing the local friction. In (Sloman & Lupu, 2010) a robust software architecture for designing autonomic systems is proposed and policy-based computing has been selected as the core self-management technology. Furthermore, biologically inspired principles and mechanisms have recently seen a rapid increase research interest in the context (Villalba & Zambonelli, 2011; Yeom, 2010). Despite the inherent flexibility and capability of these models for supporting properties of self-organization, lack of formal foundation is their great defect. Formal models are one of the most important aspects of designing complex systems, used to ensure reliability of such systems and to guarantee the functional correctness, safety, and security of them. The intrinsic dynamism of self-organizing systems requires us to use formal methods at early stages of design process to ensure that the system is operating correctly. These approaches provide a systematic way for designing complex systems, and support the validation and verification of system’s adaptation before implementation (Adler, Schaefer, Schuele, & Vecchié, 2007).
3
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
In spite of the fact that there is a considerable works on formal modeling of dynamic adaptation for complex systems, most of them do not support properties of self-organizing systems. For instance, (Bradbury, Cordy, Dingel, & Wermelinger, 2004; Hongzhen & Guosun, 2010; Wermelinger & Fiadeiro, 2002) only focus on system dynamic reconfiguration and description of dynamic changes at high levels of abstraction, whereas (Hadj-Kacem, Kacem, & Drira, 2009; Zhang & Cheng, 2006) concentrate on behavioral adaptation of dynamic systems. However, self-organizing systems are enabled to do structural adaptation. Therefore, it is essential for a model to support both behavioral adaptation and dynamic reconfiguration. So far, only few works pay attention to both aspects of adaptation which are necessary to develop selforganizing systems. Among them (Canal, Cámara, & Salaün, 2012) introduced a framework for dynamic reconfiguration of components with behavioral adaptation considerations; in this work behavioral adaptation is expressed through component reconfiguration. Also, (Costa-Soria, 2011) presents a framework which allows for the representation of hierarchical systems with adaptive component behaviors and dynamic reconfiguration. Another aspect of modeling self-organizing systems is the flexibility and scalability of the model. Most of the existing formal models have not focused on these features which are necessary to deal with complexity and evolution of such systems. For instance, graph transformation is used for modeling both dynamic reconfiguration and behavioral adaptation (Becker & Giese, 2008), but it is not flexible to address the requirements of modeling the long-term evolution of systems and complex environments. One of the most significant aspects of developing self-organizing systems is the challenge of providing assurance that the emergent behaviors adhere to key properties and the system operates correctly during and after reorganizations. Given a model of the system and a desired specification, formal verification aims to prove the correctness of design according to the defined specification. There has been a significant amount of work and different techniques devoted to formal verification of complex systems, such as model checking (Clarke, Grumberg, & Peled, 1999), theorem proving (Cook, 1971), etc. These techniques play an important role in validation and verification of complex systems, but the complexity of self-organizing systems, as well as their subsequent evolution makes verification of such systems a great deal with increasing difficulty. Contribution: To address the shortcomings of existing methods, we propose a new and flexible method for design and verification of self-organizing systems and discuss different capabilities of this model in supporting key properties of such systems. Our method is based on the Hierarchical PobSAM (HPobSAM) (Khakpour, Jalili, Sirjani, Goltz, & Abolhasanzadeh, 2012) which is a formal model for developing, modeling and verification of self-adaptive evolving systems. The main characteristics of the proposed method are (i) modularity and robustness, (ii) decentralized control and scalability, (iii) structural adaptation, (iv) flexible and adaptive control mechanism, (v) separation of the adaptation logic from the business logic and (vi) safe adaptation. We use the capabilities of HPobSAM and consider a system as a set of autonomous components which use policies to govern and adapt themselves. Behavioral adaptation and dynamic reconfiguration is supported through dynamically changing and modifying the policies.
4
ACCEPTED MANUSCRIPT
Related Work
PT
2
ED
M
AN US
CR IP T
To clarify our method in designing self-organizing systems, we have designed a specific instance of self-organizing traffic management system as a case study. Such systems have a dynamic nature and exhibit emergent properties. Moreover, they are composed of multiple autonomous components which have continuous interactions among themselves and try to accomplish a common goal in a self-organizing manner. Such properties as well as the increasing importance of Intelligent Transportation Systems make self-organizing traffic management system a suitable case study for our paper. Furthermore, we propose the employment of a novel runtime verification (Bauer, Leucker, & Schallhart, 2006; Montali, 2010) method to verify self-organizing systems at runtime and show its ability to handle violation of properties dynamically. Runtime verification is a solution to avoid formal verification difficulties (e.g. state explosion problem) and acts as a complement to static verification techniques. This kind of verification is an effective approach to ensure that the desired behavior of a system is met at runtime. In particular, since self-organizing systems often operate in unpredictable environments, it is infeasible to model the system behavior before deployment. Therefore, using runtime verification technique to assure the correctness of emergent behaviors, in self-organizing systems is inevitable. To illustrate the effectiveness of our runtime verification method and to show how it could react properly even in the time of violation, we have implemented our case study, using Java and the Ponder2 toolkit (Twidle, Dulay, Lupu, & Sloman, 2009), and have applied the runtime verification method on this system. The rest of this paper is organized as follows: In the following section we give an overview of related work. Section 3 describes HPobSAM, briefly. In section 4 we present our method for modeling self-organizing systems and discuss its capabilities in modeling such systems. We introduce and model our case study, self-organizing traffic management system, in section 5. Section 6 introduces our method for run-time verification and in Section 7 we conclude the paper.
CE
The presented work opens different perspectives which are related to the modeling, development and runtime verification of the next generation systems. Here, our objective is to present the diversity of approaches that are presented in literature and their appropriateness for modeling and runtime verification of self-organizing systems.
AC
2.1
Biologically Inspired Approaches
In this context different frameworks and models have been investigated by diverse research groups to design complex and large-scale software systems. Nature-inspired approaches and frameworks contrived through observation of natural systems and mechanisms have recently seen a rapid increase research interest (Balasubramaniam, Botvich, Donnelly, Foghlú, & Strassner, 2006; Schmickl, Hamann, Wörn, &
5
ACCEPTED MANUSCRIPT
2.2
ED
M
AN US
CR IP T
Crailsheim, 2009; Villalba & Zambonelli, 2011). Some of these mechanisms which have gained great interest in the context of self-organizing systems are: flocking, foraging, stigmergy, consensus local monitoring, and human immune system (Fernandez-Leon, et al., 2014; Krupitzer, Roth, VanSyckel, Schiele, & Becker, 2015). Typically, mechanisms based on social insects or human societies are considered as powerful problem-solving systems (e.g. digital pheromones or digital hormone models inspired by ant foraging or hormone diffusion are decentralized coordination mechanisms used to control systems (Camazine, 2003; Shen, Will, Galstyan, & Chuong, 2004)). Recently, (Zambonelli, et al., 2015) have proposed a naturedinspired coordination model using SAPERE to develop and design pervasive service systems. They use field data-structures to spread and aggregate information which can be used to produce distributed self-organized behavior and distributed property of the system. Moreover, (Zambonelli, 2015) has proposed a reference architecture which provides self-adaptivity and reconfiguration. This architecture supports a wide variety of nature-inspired self-organized coordination patterns. They consider autonomous components as agents that can provide resources and services to the environment and use the notion of pheromone in ant colonies for spreading information. (Yeom, 2010) proposed a framework to develop and manage self-organizing, distributed computing systems which is a combination of biologically inspired and agent-based approach. In this work, mobile agents exploit the adaptive behavior of biological systems. (Viroli, Casadei, Montagna, & Zambonelli, 2011) inspire from the notion of biochemical tuple spaces and define a coordination model. They use reaction and diffusion rules to achieve features like adaptivity and competition among services. These mechanisms appear interesting and flexible and able to mitigate the complexity of modeling complex systems. However, no formal foundation is considered for them. Similarly, our method is inspired by complex natural systems. According to the fact that providing evidence of correctness is vital for self-organizing systems, our method provides this necessity.
Agent-Based Approaches
AC
CE
PT
Agent-based computing is generally considered as an accurate approach for modeling complex systems which hides the complexity at system level by encouraging modular design (Bernon, Chevrier, Hilaire, & Marrow, 2006; Gardelli, Viroli, Casadei, & Omicini, 2008; Mamei & Zambonelli, 2004). For instance, (Ribeiro, Rocha, Veiga, & Barata, 2015) has proposed a multi-agent-based architecture which is inspired from the IDEAS reference architecture (Onori, Lohse, Barata, & Hanisch, 2012). They use a heterarchical agent-based model. (Merdan, Moser, Sunindyo, Biffl, & Vrba, 2013) has the same architecture as (Ribeiro, et al., 2015) but they use a contract net based negotiation in the time of failures. These approaches are suited to develop decentralized software systems, but they do not support adaptations and just focus on the interaction and coordination of system components. Moreover, they do not exploit formal foundation which makes them unreliable. But, our method is based on a formal method and supports structural adaptation of self-organizing systems. (de Abreu Netto, dos Santos Neto, & de Lucena, 2015) have proposed JASOF a pattern and a BDI-based framework which concerns self-organization through software engineering
6
ACCEPTED MANUSCRIPT
2.3
Architectures for Self-organizing Systems
CR IP T
techniques. JASOF, extends Jadex (Poukahr & Braubach, 2007) which considers agents as black boxes receiving and sending messages. The environment in Jadex is based on the agents-and-artifacts (A&A) approach (Gardelli, et al., 2008). JASOF, has provided patterns and necessary infrastructure for the agents to operate. (Verstaevel, Régis, Gleizes, & Robert, 2015) have proposed a multi-agents system which is based on ADELFE (Bonjean, Mefteh, Gleizes, Maurel, & Migeon, 2014). Again, these frameworks provide a mechanism for regulating interaction and coordination of self-organizing systems.
CE
PT
ED
M
AN US
Close to our work is the robust software architecture presented in (Sloman & Lupu, 2010) for designing autonomic systems. In this architecture the self-managed cells are the building blocks of the system and policy-based computing has been selected as the core self-management technology. Although they have used event calculus to analyze policies, their model is not based on a formal model which is considered in our model. PAGODA (Policy And GOal Based Distributed Autonomy) (Talcott, 2007) is a modular architecture based on the Russian Dolls model of policy-based coordination. This architecture is used to specify and prototype autonomous systems. In PAGODA intercepting and manipulating messages are the means of adaptation. PAGODA employs a two-layered architecture (the local nodes and the global system). However, this architecture does not support distributed coordinator and dynamic reconfiguration. Furthermore, (Bruni, Corradini, Gadducci, Lluch Lafuente, & Vandin, 2015) propose a conceptual framework for structuring adaptable systems. They have considered significant characteristics for their approach such as: a whitebox approach for adaptation, a hierarchical architecture, computational reflection, probabilistic rule-based specifications and quantitative verification techniques. They have specified and analyzed the adaptation logic in Maude and used different levels of adaptation which provide a flexible and modular way of realizing adaptive behaviors. Although (Bruni, et al., 2015) and our method share the idea of having rules as a highlevel object of adaptation, there are some differences in the architecture and in the use of reflection. Moreover, they do not consider dynamic reconfiguration and focus on the behavioral adaptation of agents.
2.4
Formal Modeling and Runtime Verification
AC
There already exist several approaches for formal modeling of dynamic systems, but most of them do not address both dynamic reconfiguration and behavioral adaptation which are necessary for self-organizing systems. For instance, formal models presented in (Bradbury, Cordy, Dingel, & Wermelinger, 2004; Hongzhen & Guosun, 2010; Oreizy, Medvidovic, & Taylor, 1998; Wermelinger & Fiadeiro, 2002) address dynamic reconfiguration as their main concern and have used graph-based or ADLbased approach for modeling dynamic reconfiguration. Instead, (Hadj-Kacem, Kacem, & Drira, 2009; Zhang & Cheng, 2006) proposed methods focus on behavioral adaptation. Among the recent researches, a formal model based on the CTL temporal
7
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
logic is provided in (Aldewereld, Dignum, Dignum, & Penserini, 2011). This work considers the adaptation process in agent systems. (Canal, Cámara, & Salaün, 2012) have introduced a framework for reconfiguration of components with behavioral adaptation considerations, where component configurations are represented by LTSs. In this paper the concept of behavioral adaptation refers to the substitution of component and its adaptor while preserving system properties. Using graph transformation in (Becker & Giese, 2008), the authors model both aspects of adaptation i.e. dynamic reconfiguration and behavioral adaptation. But their method is not suitable for large-scale systems. The work provided in (Costa-Soria, 2011) enables adaptive component behaviors and reconfiguration; however it does not support decentralized components and their structure. (Sultan, Bentahar, Wan, & AlSaqqar, 2014) have proposed PCTLkc a multi-model logic which is a combination of two probabilistic logics called PCTLK and PCTLC. Modeling stochastic multi-agent systems is their main concern and they focus on the modeling of interactions and notions such as probability and knowledge. This approach is suitable for the design time and faces state explosion problem. However, we show that our method can cover all aspects of self-organizing systems and is applicable for the runtime of a system. (Merelli, Paoletti, & Tesei, 2015) develop a formal hierarchical model for adaptable systems in which S (structural level) describes the adaptation dynamics, and B (behavioral level) describes the admissible dynamics of the system. This model is based on a simple and general model of computation (state machines) and defines adaptation from B to S level by operational semantics rules. However, this model does not support dynamic reconfiguration which is necessary for modeling selforganizing systems. The runtime verification of self-organizing systems is another perspective of our work. Although runtime verification is not a new topic, there is no specific work on runtime verification of self-organizing systems. (Tamura, et al., 2013) discussed the challenges of verifying adaptable and self-managed systems as well as the necessity of runtime verification for these systems. Similar to our method (Khaxar, Jalili, Khakpour, & Jokhio, 2009) have used process algebra to verify web service compositions at runtime. However, we implement a policy-based monitor for our runtime verification method. (Callow, Watson, & Kalawsky, 2010) present a runtime verification method suitable for autonomous systems. Their framework is based on principles of Model Driven Architecture (MDA). Also, in (Goldsby, Cheng, & Zhang, 2008) a runtime verification method is proposed for monitoring adaptive systems. In this work, properties to be checked are specified using LTL and A-LTL. In this paper, we have used a policy-based method for runtime verification of self-organizing systems which uses algebra to verify properties at runtime. Flexibility, scalability and fault tolerance are some of the non-functional properties which can be achieved as a result of using our method for designing and verifying complex systems. Separation of adaptation logic from business logics, capability of modeling both dynamic reconfiguration and behavioral adaptation, in addition to supporting decentralized cooperation mechanism make our method preferable than the other works in the context of modeling self-organizing systems. Moreover, one of the significant properties of our method is the increase of fault tolerance which is a result of being able to handle violation of properties during runtime verification, dynamically.
8
ACCEPTED MANUSCRIPT
3
Hierarchical PobSAM
CR IP T
Hierarchical PobSAM is a formal model for modeling complex systems. Using the following elements this model can support behavioral adaptation and dynamic reconfiguration of self-organizing systems. Computational actors which are responsible for the functional behavior of the system.
Autonomous components called Self-Adaptive Modules (SAM) which are the policy-based building blocks of the model. This model supports hierarchical relationships between sets of SAMs; so a SAM may contain a number of SAMs collaborating to achieve a specific goal or it may contain a composition of self-adaptive modules or actors governed by a manager.
A set of view variables used to provide an abstraction of the state of actors and self-adaptive modules for the managers. A view variable is the actual state variable, or a function or a predicate applied to state variables of actors.
Autonomous managers which are in charge of managing actors and lowerlevel self-adaptive modules. They can operate in different configurations. Each configuration consists of three sets of policies: governing policies, behavioral adaptation policies and structural adaptation policies. A manager uses the governing policies for controlling the behavior of lower-level selfadaptive modules (SAMs) and actors by sending messages to them. The behavioral adaptation policies are used for switching among the configurations. The structural adaptation policies are used for changing the structure of SAMs by adding or removing agents i.e. a self-adaptive module or an actor. Note that the precedence of behavioral/structural adaptation policies is higher than the precedence of governing policies. The notion of roles is used in hierarchical PobSAM to keep the specification of the manager policies unchanged at the time of joining or deleting actors or SAMs. A role is dynamically assigned to a group of SAMs or actors with the same functionality. The managers’ policies are specified in terms of roles.
AC
CE
PT
ED
M
AN US
Governing Policies. A simple governing policy gpi=⟨o, e, ψ⟩•a, gpi ∈ gp, consists of priority o ∈ N, event e ∈ E where E is the set of possible events, condition ψ (a Boolean term) and an action a. Actions of governing policies are specified using an a algebra CA defined as follows. We let a, a’ denote action terms, while an α is a primitive action. a = a ; a′ | a || a’ | a + a’ | ϕ : → a | α | δg
9
ACCEPTED MANUSCRIPT
CR IP T
Therefore an action term can be a sequential composition (;), a parallel composition (||), a non-deterministic choice (+), or a conditional choice (ϕ : → a). In addition, the special constant δg acts as the deadlock action for governing policies. A primitive action of a simple governing policy is of the forms r.msg to send the message msg to the agents with role r. Structural Adaptation Policies. A simple structural adaptation policy spi=⟨o, e, ψ⟩•a, spi ∈ sp consists of priority o ∈ N, event e ∈ E, condition ψ and an action a a which is specified as a CA term. Each manager uses structural adaptation policies for structural adaptation of its corresponding module.
The new Method for Modeling Self-Organizing Systems
M
4
AN US
Behavioral Adaptation Policies. A simple behavioral adaptation policy bpi = ⟨o, e, ψ, λ, ϕ ⟩•c, bpi ∈ bp consists of priority o ∈ N, event e ∈ E, and a condition ψ (a Boolean term) for triggering the adaptation. Moreover, the conditions for applying the adaptation is shown using a Boolean term ϕ, λ is the adaptation type. There are two kinds of adaptations called loose adaptation and strict adaptation. Under loose adaptation, the manager enforces old policies while in the strict adaptation all the events are ignored until the system passes the adaptation mode and reaches a safe state, and c is the new configuration.
CE
PT
ED
Based on the preceding definitions, self-organizing systems are composed of interacting autonomous components operate under decentralized control and no central point of failure to achieve the desired goal (Macías-Escrivá, Haber, del Toro, & Hernandez, 2013; Schmeck, Müller-Schloer, Çakar, Mnif, & Richter, 2010). This decentralization leads to non-functional properties such as robustness, scalability and failure recovery. In addition, individual components of such systems as well as the whole system respond to external influences by performing structural adaptation. In this section, we propose a new method for designing and modeling self-organizing systems which can support different properties of such systems.
4.1
The Proposed Modeling Method
AC
Our modeling process starts with an abstract representation of what may generally be expected from self-organizing systems and continued with the study of modeling their generic common features. This modeling method consists of the following steps undertaken: Step 1. We assume the system as a two-level entity. In the high level, we consider the external schema of the system. In this level, the autonomous components of the system are recognized. Components are assumed as the entities which are the subjects of duties and provide the main functionality of the system. We model each of the
10
ACCEPTED MANUSCRIPT
autonomous components of the system using self-adaptive modules (SAMs) of HPobSAM. These modules encapsulate the information and do interaction with each other which make the robustness and the self-* behaviors possible.
CR IP T
Step 2. We use the concept of role in HPobSAM and specify the main roles in the system. Here, a role is considered as an abstraction of a component's functionality and is assigned to a group of agents (i.e. actors and low-level self-adaptive modules) with the same task. Each role can be related to different tasks in the context of either being responsible for the task or simply as a collaborator. Afterwards, we assign an initial role to each autonomous component. In order to be able to restructure the system, agents are assigned to the roles, dynamically.
AN US
Step 3. In this step, we divide the main goal of the system into subgoals. Then, according to the specification and the role of each autonomous component, a local goal will be assigned to it. Each component is in charge of achieving its local goals.
AC
CE
PT
ED
M
Step 4. The modeling method should provide a control mechanism for a system which ensures that the controlled system performs the expected actions. Since our aim is to model self-organizing systems, this control mechanism must be internal and distributed. Therefore, we divide the control mechanism of such systems into smaller control units and dispatch them between system's modules. Each module must have the ability of controlling itself. In this method of modeling, we control the behavior and structure of the modules by using different classes of policies. Using policy is a simple and dynamic technique to achieve flexibility in autonomous systems. In fact, policies specify the way of conducting a module in the time of encountering environmental changes. Therefore, policies are considered as a tool to infer and are consulted to determine whether or not changes need to be made in the system. Managers in HPobSAM are the means that help us in achieving this aim. A set of different configurations is considered for managers. Each configuration encompasses three groups of policies, one of them is governing policies. Using governing policies for controlling the behavior of the system can be done in two ways: (i) in the direct way, in which performing policies is done directly on the actors or low-level modules. In this kind of control, the manager controls the actors or the managers of the lowlevel modules by sending messages to them, (ii) in the indirect way a manager can control the behavior of its under-control managers and consequently the behavior of the relevant modules by changing their managers' configurations. In the proposed method, we use a combination of the centralized and decentralized approach for the controlling mechanism of a module (Fig. 1). We consider a selfadaptive module as an indication of an autonomous component. Each manager of a self-adaptive module controls its low-level agents (i.e. actors and low-level selfadaptive modules) and provides an autonomous domain. Note that from the high-level point of view, the system is a collection of the same level self-adaptive modules and the controlling mechanism of the whole system is distributed among them. Hence, the main approach for controlling the system is decentralized.
11
ACCEPTED MANUSCRIPT
Self-Adaptive Module
Manager
CR IP T
Actor
Fig. 1. The typical representation of the self-organizing component
AN US
It is worth mentioning that although each module is important, it is not in the center of operation and adaptation of the whole system. Another advantage of this decentralization is the division of duties among self-adaptive modules. This division makes the manager of each module gather less information and process them locally which increase the overall performance.
M
Step 5. In the low level of the system, the internal schema is considered. In this step to provide self-awareness of modules, we define necessary observations for them. Here, observations mean the information that a manager of a module has access to it. This information contains the internal state and the information which is achieved from the surrounding environment. A manager should be aware of the internal state of its under control module to recognize any deviation from the goal. This awareness helps the manager to direct or adapt the behavior of its low-level agents. For modeling this part, we use the view variables of HPobSAM. These variables provide a manager an abstraction of the state of the relevant actors.
AC
CE
PT
ED
Step 6. The intrinsic dynamism and several interactions inside the system, as well as the interaction of the system with the environment, require a dynamic and adaptive control mechanism. In this section, we explain how modules can be adapted to the changeable conditions. To adapt the module and eventually the system's behavior and structure according to the current and possible conditions, (ii) behavioral adaptation policies and (iii) structural adaptation policies of HPobSAM are considered for managers. In different conditions, these adaptation policies put the proper policies at the manager's disposal by providing the ability of transition between different configurations. Having the capability of changing policies and configurations of a manager dynamically which is supported by HPobSAM makes the control mechanism of a self-organizing system adaptable and dynamic during its future evolution. Consequently, modules can obtain policies during runtime and without interrupting their functionality which results in changing the system's behavior, dynamically. Step 7. According to the fact that the main goal of self-organizing systems is divided into smaller and local goals which are assigned to their components, to achieve the main goal of the systems, interaction, cooperation and coordination among components plays the key role. These necessities lead to the better understanding of a component from the current circumstances. For modeling this important principle, we use two mechanisms which are supported by HPobSAM: (i) sending messages among managers and (ii) shared memory. Sending messages among
12
ACCEPTED MANUSCRIPT
4.2
CR IP T
managers gives the permission of having hierarchy in the model. This mechanism allows the top-level managers to inform and to control the behavior of the lower-level agents. In the shared memory mechanism, view variables are used as a space for coordinating interactions. A module can have controlled access to the view variables of other modules. Therefore, sharing information via view variables is a way of informing other modules about the information of the surrounding environment. In the following subsection, we discuss the advantages of our method for designing self-organizing systems and illustrate its capabilities by modeling a case study named self-organizing traffic management system, in the next section.
Discussion
AN US
In the following we discuss the significant capabilities of our method that can cater requirements for designing self-organizing systems.
Modularity and Robustness. The modeling concepts of our method hide the complexity at system level by supporting modular design. Modularity in this model is provided by the use of self-adaptive modules. Notice that each module is important but does not act as the center of functionality and adaptation of the system. Due to the distributed and modular design, the components’ failure can be handled, which results in increasing the robustness of the system.
ED
M
Decentralized Control and Scalability. In our method each system at the high level can be modeled as a set of self-adaptive modules placed at the same level of hierarchy. In this model, the control mechanism is distributed over the components (i.e. self-adaptive modules) and they collaborate with each other in the form of selforganization to accomplish the high-level goals. Decentralized control is one of the leading causes of scalability of a model for designing self-organizing systems which is provided in our method.
AC
CE
PT
Adaptation. The managers of self-adaptive modules which are used to model the components in our modeling method perform behavior adaptation by modifying the policies used to control the module’s behavior as well as sending messages to relevant actors. Furthermore, each manager can control and adapt the behavior of the lowerlevel self-adaptive modules by changing their managers’ configurations. This ability provides controlled self-organization for the lower-level self-adaptive modules. Dynamic reconfiguration is supported through changing the roles of entities which leads to joining/leaving an actor or a self-adaptive module to/from a self-adaptive module, dynamically. Flexible and Adaptive Control Mechanism. A control mechanism for a selforganizing system should be adaptive which is considered in our method. In this model a manager’s policies and configurations can be changed dynamically through the subsequent evolution of a system. This capability helps to handle the new situations and requirements without interrupting the system.
13
ACCEPTED MANUSCRIPT
CR IP T
The separation of the adaptation logic from the business logic. Having the ability of changing configurations and policies of managers dynamically and according to the fact that the adaptation logic of HPobSAM is specified in the form of policies, we can come to the conclusion that in the proposed method the adaptation logic is decoupled from the business logic. Thus, adaptation in our approach includes no recoding the system and influences only the managers’ layer, which results to a flexible model.
Illustrating Case Study
PT
5
ED
M
AN US
Safe adaptation. Safe adaptation is one of the most important issues that must be considered in modeling self-organizing systems. The time of performing reorganization in the system, the time of changing managers' policies, the time of applying new policies after changing policies and the way of limiting the system behavior during reorganization are matters that should be considered in a formal model describing self-organizing systems. Considering HPobSAM in our method, we can say, when an event occurs, the relevant managers are informed, but the adaptation does not occur immediately. When the system reaches the safe mode, the managers transit to the new configuration. Therefore, a new operation mode called adaptation mode is defined, in which a manager operates before transiting to a new configuration. When a manager is in the adaptation mode, occurring events that should be responded by the manager is possible. For managing these cases, two kinds of adaptations are introduced in HPobSAM: (i) loose adaptation and (ii) strict adaptation. In the loose adaptation, a manager performs old policies in the adaptation mode, whereas in the strict adaptation all the events are postponed to the time that the manager exits from the adaptation mode and the system reaches to the safe state. Above all, it can be concluded that the safe adaptation for self-organizing systems is achieved in this method. In the next section, we will apply the proposed method on the self-organizing traffic management system and show how different aspects of dynamic and complex systems can be modeled.
AC
CE
Since traffic congestion is one of the most pressing issues and causes of decreased standard of living throughout the world, several strategies have been proposed to cope with this problem. Recently, “self-organizing” traffic management has been receiving attention in the new transportation technologies known as Intelligent Transportation Systems (ITSs). These systems address the drawbacks of traditional approaches in the context of traffic management. Traditional traffic management approaches try to optimize the solution for static and basic configurations of traffic density. These mechanisms are computationally expensive and are not able to automatically consider dynamic environment conditions. ITSs include various subsystems that can be divided into intelligent traffic infrastructure and intelligent vehicles. In self-organizing traffic management, traffic control infrastructure would not only direct the traffic flow, but stay in constant interaction with street vehicles. Therefore, communication and coordination play a
14
ACCEPTED MANUSCRIPT
5.1
AN US
CR IP T
key role in this system. The global goal of the system is to optimize traffic throughput, in the way that vehicles reach their destination as fast as possible. Different components of the system interact locally according to simple rules and in a self-organizing manner. On the control infrastructure side, self-organizing traffic lights play a major role in keeping vehicles flowing along. At junctions, traffic lights use different technologies for communication and interaction with other components of the system (e.g. traffic lights and vehicles) to control competing flows of traffic. They help vehicles to find the current best path to their destination. Vehicles help traffic controllers to obtain more information about the traffic environment and become aware of the occurred events. Furthermore, traffic lights exploit information received by roadside sensors, cameras and other top-level entities. They provide a map of traffic density and negotiate with other traffic lights to determine the best sequence of actions according to the current traffic conditions. The global behavior of the system is the result of these local interactions (Gershenson, 2012).
Modeling the Self-Organizing Traffic Management System
Self-organizing Traffic Management Systems attempt to self-organize and adapt to constantly changing traffic conditions. In these systems, the aims are (i) to adapt drivers’ behavior according to current traffic condition, and (ii) to manage the controlling infrastructures such as traffic lights. Modeling the High Level Part of the System
M
5.1.1
AC
CE
PT
ED
This phase of modeling consists of the first four steps of our method. As a matter of efficiency in traffic management and in order to take advantage of self-organization, we divide traffic environment into smaller areas called regions. Each region contains some autonomous traffic lights positioned at road intersections. A number of relay units, roadside sensors and cameras collect information for the controlling infrastructure (actors). Vehicles are mobile components of the system when a vehicle leaves a region; it is removed from the list of components of that region. We consider regions, traffic lights and the device located in vehicles as self-adaptive modules (Fig. 2). In the following, we discuss how we can model them using the proposed method.
15
ACCEPTED MANUSCRIPT
Regional-SAM Manager TL-SAM Vehicle-SAM Router
AN US
Region
Actor
CR IP T
Actor
Fig. 2. The typical representation of the model of the self-organizing traffic management system
ED
M
Vehicles. Vehicles are moving part of the system. Each interactive component of vehicles is modeled as a self-adaptive module (vehicle-SAM). A vehicle-SAM includes a manager in charge of controlling a number of actors such as communication devices, sensors, etc. Also, we consider a lower-level self-adaptive module called router for the vehicle-SAM. The router’s manager is responsible for finding the best path to the destination and does this duty according to its governing policies. The vehicle-SAM’s manager is aware of the vehicle specification and temporal traffic density of its surrounding region. This data and the received information from the router and traffic lights help the vehicle-SAM’s manager direct the driver to reach the destination in a reasonable amount of time. Moreover, vehicleSAMs help traffic lights to achieve specific goals such as identification of a specific vehicle (e.g. emergency car).
AC
CE
PT
Traffic lights. Traffic lights are the main parts of this system. Each traffic light is modeled as a self-adaptive module (TL-SAM). We consider one manager for a TLSAM called TLcontroller. This manager controls actors and collaborates with other TLcontrollers to maintain or improve the overall performance of the whole system. A TL-SAM contains actors such as traffic light heads, camera, vehicle movement detectors and communication devices. Self-organizing traffic lights are set to minimize waiting times of road users and to help drivers find out how to drive through a city in order to minimize their waiting times. To achieve this goal, we consider vehicles approaching a traffic light within a distance d or waiting at a traffic light as lower-level self-adaptive modules of the relevant TL-SAM. TLcontroller has two configurations: normal configuration and congestion configuration. Each configuration encompasses three sets of policies (governing, structural adaptation and behavioral adaptation) which can be changed dynamically according to the new requirements. Fig. 3 shows the HPobSAM model of a traffic light partially. As a selforganizing solution for Urban Traffic Control, we consider normal configurations'
16
ACCEPTED MANUSCRIPT
governing policies of TLcontrollers based on the work described in (Gershenson, 2012). For instance, on the arrival of an emergency car at a red light,
AN US
CR IP T
MANAGER TLController{ statevars {byte TLId;} managedElements{ VehicleModule VMA; Camera CAM; TLheadControl TLhead; Relay relay1; TLController neighA; TLController neighB; // definition of other managed elements } roles { camera = {CAM}; adjacentTLs = { neighA, neighB }; //definition of the rest roles and role assignments } configurations{ normalConfL= [napAL][ngpAL,ngpBL,ngpCL,…][nspAL,nspBL]; congestionConfL= [capAL][cgpAL,cgpBL,…][cspAL,cspBL]; } policies{ napAL : on congestion if true switch to congestionConfL when true priority 1; if
(TLcolor==Red)
M
ngpAL : on Veharrival(VehStatus, TLcolor) && (VehStatus==Emergancy) do forall TL in adjacentTLs relay1.sendEmergancyMesg(TL); TLhead.changeTgreen() priority 1; nspAL : on onLeave(VM) if true do remove(VM) priority 1;
PT
}
ED
//definition of other policies } views { string VehAStatus = VMA.status; //definition of other views }
CE
Fig. 3. The HPobSAM specification of a traffic light
according to the governing policy ngpAL, the green light of the junction is sent a message for emergency color change to let the emergency car pass.
AC
Regions. As mentioned before, traffic environment is divided into several regions to control traffic more efficient. We model each region as a self-adaptive module, and assume a manager called regional traffic controller (RTcontroller) for it. The actor layer of regional-SAM contains several self-adaptive modules such as traffic lights and vehicles in addition to actors such as sensors and different devices for communication. We define two configurations (normal and congestion) to indicate different operational modes for regional traffic controller. In the normal configuration
17
ACCEPTED MANUSCRIPT
CR IP T
an RTcontroller is in charge of providing traffic information for traffic lights in its authority as well as its adjacent RTcontrollers. Fig. 4 depicts the HPobSAM model of a traffic region partially. There exist some policies that a typical RTcontroller uses to control the system. For instance, the following policies are some of the defined governing policies that the RTcontroller uses to handle the congestion in the congestion configuration. The policy cgpA is the specification of the first following policies. Inform the neighboring regions about the congestion situations Find an adjacent region with the lowest traffic density Tell the regional traffic lights about the specified region
5.1.2
AN US
The third policy makes traffic lights of the region collaborate and find the best sequence of actions to encourage traffic to flow toward the specified adjacent region. Modeling the Low Level Part of the System
AC
CE
PT
ED
M
Individual components of self-organizing systems perceive and have partial knowledge of their environment to fulfill their local goals. In order to enhance the capabilities of self-organizing traffic management systems to deal with the dynamic environment and exploit self-organization mechanisms, their modules should have the ability to become aware of their status, adapt themselves and collaborate with each other. Steps five to seven of our method provides these necessities for them. Self-awareness in the self-adaptive modules of this case study (e.g. TL-SAMs) is achieved via view layer of each manger. For example, the view layer of a TL-SAM includes view variables that reveal the number of vehicles approaching or waiting at the light, the color of the light, map of the traffic environment, specification of the vehicles beyond the light, etc. Using these variables a TLcontroller can detect any deviation from the local goal or find any defection in the TL-SAM. As mentioned before, managers in our method interact in two ways: message passing and shared memory. We know that TLcontrollers require to see the information provided by other traffic lights in their locality. For instance, consider a situation in which a traffic light wants to switch to green to let an emergency car pass, it should take into account status of other lights located at that junction. Since, the view layer of a TL-SAM reveals its status, the view layer acts as a shared space among TLcontrollers and the mentioned traffic light can gain its necessary information. Note that managers can have controlled access to the view layer of each other. As another example, consider an RTcontroller which gains its information via collaboration with traffic lights, other regional traffic controllers and vehicles, through their view layers. Each RTcontroller is aware of traffic density and status of its own and neighboring regions (e.g. high traffic jam condition). By using message passing for spreading this information, the RTcontroller helps its lower-level agents (i.e. traffic lights, vehicles, sensors, cameras and different devices for communication) to control traffic and fulfill the global goal.
18
ACCEPTED MANUSCRIPT
CR IP T
In our method structural and behavioral adaptation policies are used to address adaptation purposes, e.g. the structural adaptation policy nspAL (Fig. 3) considers removal of a vehicle-SAM from the actor layer of a TL-SAM. Also, a behavioral adaptation policy napAL (Fig. 3) is used in the case of congestion which switches the manager to the congestion configuration. Also, in the congestion configuration a behavioral adaptation policy is defined for switching the manager to normal configuration after solving congestion problem.
M
AN US
MANAGERS{ MANAGER RTcontroller{ statevars {byte RegionId;} managedElements{ TrafficLightModuleA TLA; VehicleModule VMA; Camera CAM; Relay relay1; RTcontroller neighA; RTcontroller neighB; // definition of other managed elements} roles { camera = {CAM}; allVhs = { VMA , …} adjacentRTs = { neighA, neighB }; //definition of the rest roles and role assignments } configurations{ normalConf= [napA][ngpA,ngpB,ngpC,…][nspA]; congestionConf= [capA][cgpA,cgpB][cspA];} policies{ cgpA : on congestion(RegionId , status) if true do forall RT in adjacentRTs relay1.inform (status, RT) priority 1 ;
PT
ED
nspA : on onJoin(VM) if true do add(VM); join(allVhs,VM) priority 1; //definition of policies } views { byte TLAstatus = TLA.status; byte TLAcolor = TLA.color; //definition of other views}
AC
CE
} MANAGER TLControllerA{ // definition of the manager } //definition of the rest of managers} ACTORS { reactiveclass TLhead() { knownrebecs {} statevars{public byte color; } msgsrv changetogreen() { ... } //definition of the rest of message servers} //definition of the rest of actors} SAMS{ SAM VehicleModule { Router Rot(); Sensor SenA; VController(Rot, SenA,..); }
19
ACCEPTED MANUSCRIPT
SAM TrafficLightModule { Camera CAM; // TLController TLC(VMA,CAM,..); } //definition of the rest of SAMs}
6
Runtime Verification Method
CR IP T
Fig. 4. The HPobSAM specification of a traffic region
Runtime Verification for Self-Organizing Systems
M
6.1
AN US
As mentioned before, dynamic nature, long-term evolution and lack of central control in self-organizing systems, impose great challenges in analyzing such systems statically. For example, dynamism and adaptiveness of self-organizing systems cause a huge state space which is the reason of state space explosion problem. Also, lack of a central control makes it impossible to provide a complete model for static verification of our system. Hence, runtime verification plays a major role in assuring certain correctness properties of self-organizing systems. In this verification technique a monitor is used to check the adherence of the system to the correctness property. Being performed during the execution time of a system and considering a single run are significant features of runtime verification that can be used to solve the problems of static verification.
AC
CE
PT
ED
We use an online monitoring approach developed in (Khakpour, Jalili, Sirjani, Goltz, & Abolhasanzadeh, 2012) to verify a self-organizing system at runtime. In the proposed method, a run of a system is verified against an algebraic specification. A monitor is a manager of our method whose policies are used to check the execution traces. Each execution trace is defined as a sequence of events in this model. We a specify properties to be checked using CA subalgebra (described in Section 3, presented in (Khakpour, Jalili, Talcott, Sirjani, & Mousavi, 2012; Khakpour, et al., 2010)). The monitor performs its task in two steps: first it listens to a set of events defined as its alphabet. Second it checks if the received event is expected to happen or not. According to the user-provided specification and the alphabet set, two classes of governing policies: negative policies and positive policies, are generated for the monitor. Negative policies are activated by unexpected events and are used to detect undesired traces. Positive policies are used to monitor the desired behavior of the system and they are activated by expected events. When an expecting event of the observing trace occurs and the positive policy condition holds then the policy action which represents the following trace to be observed is done. Notice that after triggering a positive policy all non-triggered positive policies will be removed from the list of monitor’s governing policies. a Each of the properties to be monitored is provided in the subalgebra CA and formulated as the monitor’s governing policies. Using the mentioned runtime verification method, a property to be observed is written as follows,
20
ACCEPTED MANUSCRIPT
A ≡ (a1 ; A1) + ... + (an ; An)
(1)
AN US
CR IP T
where ai is considered as a conditional term, i.e. ai = ϕi :→ ei and ei ∈ L. L ⊆ E denotes its alphabet, E is the set of events which may occur in the system. A sub-term (ai; Ai), 1 ≤ i ≤ n, models a bunch of events starting with ei when condition ϕi is true, and followed by Ai. The methods check and violated are considered for a monitor. These two methods are invoked respectively, in the time of triggering a positive and a negative policy. To monitor the sub-term (ai; Ai), a (positive) governing policy gi = 〈2 ,ei , ϕi 〉 • check(Ai, L, A, gi) in addition to a negative governing policy gj = 〈1 ,ej , ⊤〉 • violated(A) for each event ej ∈ L, will be defined. According to a positive governing policy, after occurring event ei under condition ϕi, the policy gi is triggered. Triggering a positive governing policy causes execution of action check(Ai, L, A, gi) which leads to replacing policy gi with a collection of new governing policies to monitor Ai. As an example and in order to illustrate our method for runtime verification, we choose a property from traffic light properties of our case study. Using two sequences of events, this property checks the adherence of traffic lights to the predefined light sequence: A ≡ ((TLhead.Color == Red) /\ (CAM.counter > n) /\ (TL.turn == lightId): → (CAM.resetCounter(); TLhead.Green()) + ((TLhead.Color == Green) /\ (TL.GreenTime> T) /\ ~(CAM.swarm): → (TLhead.Yellow(); TLhead.wait(m); TLhead.Red()));A
M
L = { resetCounter();wait(); Green();Yellow(); Red() }
PT
ED
In the first sequence, the color of the traffic light head (TLhead) is red, the number of vehicles observed by camera (CAM.counter) is more than n and there is no other traffic light in the turn of becoming green. Then, the counter of the camera resets and the traffic light turns green. In the second trace, the traffic light has been green for T time units and the camera observes no swarm of vehicles (q or fewer, but more than zero). Then, the traffic light turns yellow and remains at this color for m time units; afterwards, it turns red. Having given the above property, the execution of the first step of the runtime verification algorithm results in the following lines:
CE
A ≡ (TLhead.Color == Red) /\ (CAM.counter > n) /\ (TL.turn == lightId): → CAM.resetCounter () + (TLhead.Color == Green) /\ (TL.GreenTime > T) /\ ~(CAM.swarm): → TLhead.Yellow()
AC
therefore, the initial policy set is g = {g1, g2, g3, g4, g5, g6, g7} where g1 and g2 are positive policies and the others are negative policies: g1 = ⟨2; CAM.resetCounter(); ((TLhead.Color == Red) /\ (CAM.counter > n) /\ (TL.turn == lightId))⟩ • check (A1, L, A, g1) g2 = ⟨2; Yellow() ; ((TLhead.Color == Green) /\ (TL.GreenTime > T) /\ ~(CAM.swarm))⟩ • check(A2, L, A, g2) g3 = ⟨1; CAM.resetCounter(); ~((TLhead.Color == Red) /\ (CAM.counter > n) /\ (TL.turn == lightId))⟩ • violated(A) g4 = ⟨1; TLhead.wait(); ⊤⟩ • violated(A)
21
(2) (3) (4) (5)
ACCEPTED MANUSCRIPT
g5 = ⟨1; TLhead.Green(); ⊤⟩ • violated(A) g6 = ⟨1; TLhead.Yellow(); ~((TLhead.Color == Green) /\ (TL.GreenTime > T) /\ ~(CAM.swarm))⟩ • violated(A) g7 = ⟨1; Tlhead.Red(); ⊤⟩ • violated(A)
(6) (7) (8)
g11 = ⟨2; TLhead.wait(); ⊤⟩ • check(A11, L, A, g11)
CR IP T
Consider a situation in which a traffic light receives a resetCounter event for its counter and the condition part of the g1 policy is evaluated to true. As a result, policy g1 is triggered and the new policy set is created by removing g2 and adding the following positive policy: (9)
6.2
AN US
If the resetCounter event happens while the situation does not satisfy the condition of the policy g1, a negative policy g3 is triggered and a violation is reported.
Implementation
AC
CE
PT
ED
M
We use the Ponder2 policy execution environment to develop our case study. Ponder2 comprises a self-contained, stand-alone, general-purpose object management system (Twidle, Dulay, Lupu, & Sloman, 2009) which makes it suitable for the vast domains of applications. This policy framework uses message passing between objects exploiting a publish/subscribe event bus. Events trigger polices which are used to specify management rules and behavior of a system. The policy service provides two types of policies: obligation policies and authorization policies. The former one is in the form of event-condition-action rule which defines the management actions and the latter defines which activities are permitted on which resources and services. All entities of Ponder2 are defined as managed objects to facilitate management purposes. A high-level language called PonderTalk is used for configuring and controlling Ponder2 systems. User-extensible managed objects are programmed in Java. In order to implement a system which is designed via our method, in Ponder2 we consider actors as user defined managed objects. Actors can be sent messages to do the functional behavior of the system. Managers are implemented using the policy interpreter which is a built-in managed object of Ponder2 system. Different policy sets of a manager are defined using obligation policies which can be modified to change the behavior of a system without interrupting its functioning. To show the feasibility of runtime verification method, we have developed an instantiation of the self-organizing traffic management system (which is modeled in the previous section) with two regions and two RTcontrollers. In this prototype, three junctions are assigned to a region and four traffic lights are placed at each junction (Fig. 5).
22
ACCEPTED MANUSCRIPT
CR IP T
RTcontroller
AN US
RTcontroller
Fig. 5. The implemented traffic environment
CE
PT
ED
M
Fig. 6 depicts the architecture of the implemented system. It is worth mentioning that we consider a monitor to verify each property.
Fig. 6. The architecture of the implemented traffic management system
AC
The policies considered for traffic lights are based on the work presented in (Gershenson, 2012). Fig. 7 shows some of the policies used in our implementation, they are defined using PonderTalk and are located in the text files (.p2 files) for the ease of changing policies at runtime. As an example of a policy consider Fig. 8 which shows the HPobSAM and PonderTalk specifications of the sixth policy of Fig. 7. In this example, ComingVeh and Vspeed denote the event of observing a vehicle and the speed of the observed vehicle, respectively. The PonderTalk specification of other policies are given in (Abolhasanzadeh & Jalili, 2014).
23
ACCEPTED MANUSCRIPT
1. On every tick, add to the counter the number of vehicles approaching or waiting at a red light within distance d.
CR IP T
2. If a red light’s counter exceeds the threshold n, and there is no green light at that junction, switch the light. Otherwise, take a turn for becoming green and stay red. (Whenever the light switches, reset the counter to zero.)
3. If no vehicle is approaching a green light within a distance d after t time units, and at least one vehicle is approaching the red light within a distance d, then switch the light (optimization policy). 4. If there is a vehicle stopped on the road a short distance e beyond a green traffic light, then switch the light and announce the congestion situation.
AN US
5. If there is an emergency vehicle stopped on the road beyond a red traffic light that light must switch to green and others to red.
6. If a vehicle goes through a light at high speed (more than s), a notification should be sent to it by the corresponding traffic light controller. Fig. 7. Examples of the policies used in the implementation of the traffic management system HPobSAM:
M
ngpBL : on ComingVeh(Vspeed) if Vspeed > S do vehicle.inform(notification) priority 1;
PonderTalk:
PT
ED
policy := root/factory/ecapolicy create. root/policy at:"TLManager1" put: policy. root/policy/TLManager1 event:root/event/ComingVeh. root/policy/TLManager1 condition:[:Vspeed | Vspeed>S]. root/policy/TLManager1 action: [:Vid| root/Traffic/lightMid informVeh:Vid notification:"High Speed"].
CE
root/policy/TLManager1 active:true.
Fig. 8. The HPobSAM and PonderTalk specifications of a policy
AC
This runtime verification method provides our important requirements such as the ability to modify and define policies at runtime. To achieve this goal in addition to debug, test and interact with a Ponder2 system, its internal and interactive shell can be used. The Ponder2 shell accepts and executes internal commands and also PonderTalk statements. As an example and according to our case study, we can use the shell to handle changing policies in the urban traffic management. For instance, consider an undefined policy which states that moving special types of vehicles is forbidden for
24
ACCEPTED MANUSCRIPT
several days. In order to consider the new management policy, we use the following command to define a new event triggered by observing a violating vehicle: template :=root/factory/event create:#("Vehid""day"). root/event at:"InvalidCar " put:template.
AN US
CR IP T
where, Vehid denotes the type of the vehicle and day denotes the number of days. By defining the policy presented in Fig. 9 against a violating vehicle, a stop message will be sent to such a vehicle, in the time of observing it, afterwards its specifications will be sent to the RTcontroller. Another important feature supported as a result of using this method is the increase of modularity and efficiency in distributed systems. To this aim, the event bus of the ponder2 environment allows local policies to deal with the local events while maintaining the ability to react to the events from remote places (Twidle, et al., 2009). policy := root/factory/ecapolicy create. root/policy at:"TLManager2" put: policy. root/policy/TLManager2 event:root/event/InvalidCar. root/policy/TLManager2 condition:[true]. root/policy/TLManager2 action: [:Vehid|root/Traffic/lightMid stopMeg:Vehid. root/Traffic/lightMid informRT:Vehid].
M
root/policy/TLManager2 active:true.
ED
Fig. 9. An example of a policy defined in the shell of the ponder2 environment
AC
CE
PT
Due to the fact that we have implemented a prototype of a self-organizing traffic management system which is an instance of self-organizing systems with all their properties and requirements. We can get some statistics about the number of the performed structural adaptation policies. This statistics provides a clear view of selforganization in a self-organizing system. Fig. 10 shows the number of evoked structural adaptation policies according to the different number of performed policies in the system, when we ran the system for 300,600, 900,1200, 1500, 1800 and 2100s.
25
licies l Adaptation Po rmed Structura
ACCEPTED MANUSCRIPT
0 20 40 60 80 100 120 220
CR IP T
200 180 160 140 120
80 60
(m s)
2000 1800 1600 1400 1200 1000 800 600 400
40
Ti
me
20
1200
1000
Num ber o
f Per
800
forme d
600
400
Polic ie
To ta
1400
lR un
0
AN US
Number of Perfo
100
200
s
6.3
Runtime Analysis
M
Fig. 10. Number of performed structural adaptation polices
AC
CE
PT
ED
Policy analysis is one of the most important challenges arising during runtime verification of distributed and policy-based systems. Policy conflict detection and resolution is one aspect of policy analysis that can be done at runtime. To this aim we consider two governing policies (e.g. g 𝑖 = 〈𝑜, 𝑒, 𝜙𝑖 〉𝑎𝑖 and g 𝑗 = 〈𝑜, 𝑒, 𝜙𝑗 〉𝑎𝑗 ) and use the properties described in (Khakpour, Jalili, Sirjani, Goltz, & Abolhasanzadeh, 2012) for detection of conflicting policies. In the case of finding policy conflicts, different methods such as (Dunlop, Indulska, & Raymond, 2003; Hua & Jing, 2007) can be used to resolve the problem. In order to evaluate the performance of our runtime verification method based on the implemented prototype of the traffic management system, we consider various types of properties for the system and verify them at runtime. These properties can be selected from different categories: (i) traffic light properties related to adherence of each traffic light to the defined policies for these elements such as light sequence, conditions of changing the light and collaboration of traffic lights with different system components. (ii) Vehicle properties concerned with the correctness of vehicles’ operations such as finding the best path for the driver and collaboration with traffic lights. (iii) Regional properties used to check if the regional policies are respected by RTcontrollers, e.g., providing necessary information for traffic lights such as finding the best neighboring region for directing the traffic flow in congestion situations.
26
ACCEPTED MANUSCRIPT
Several properties, such as the followings, are provided to verify the correctness of the system and to evaluate the performance of the runtime verification method.
Light sequence must be green, yellow and red. If a red light’s vehicle counter exceeds the threshold and there is no other light in the turn of becoming green, the light should switch to green (This property tries to check the avoidance of having multiple green lights at a junction). An emergency car should not wait at a red light. The lights should not be green (red) for the vehicles and pedestrians simultaneously. Optimization policy should happen to help the emergence of the global goal.
CR IP T
ED
M
AN US
Fig. 11 shows the results of our experiments for measuring the performance of the runtime verification method. It is worth mentioning that the performance depends on the properties to be monitored, for some properties the overhead is lower than the others. So, we performed our experiments with different number of properties needed to be monitored and included various events. The last experiment is done using seven typical properties containing all the events used for traffic management. At the end we observe that the system adheres to all the properties and this adherence is written to the log file. In all the experiments we run the system for 9000000 milliseconds. According to Fig.11 the CPU time overhead varies between 0.1% and 0.4%. The experiments are performed on an Intel workstation running Windows 7 with Core 2 Duo 2.2GHz CPU and 4 Gbyte memory.
0.0 0.1 0.2 0.3 0.4
0.4
0.3
0.1
Pr op e
5
400 4
of
6
Numb er o
r ty
800 600
7
Ev alu
1000 0.0
at io
ns
0.2
3
f Prop
2
erties
Nu mb er
AC
CE
he CPU Time over
PT
ad (percent)
0.5
200 1
Fig. 11. The experimental result on the traffic management system
27
ACCEPTED MANUSCRIPT
3. 4.
PT
5.
M
2.
In the time of passing a vehicle, the TLcontroller captures information about the violating vehicle. If there is a police vehicle in the vehicle list of the TLcontroller, this manager sends the information about the violating vehicle to the police. If a police vehicle is not available to the TLcontroller, it asks the RTcontroller to send the information to the nearest police vehicle. If there is a police vehicle in the relevant region, the RTcontroller sends the violating vehicle’s information to the police vehicle. If there is no police vehicle in the region, the RTcontroller sends the information to its neighboring RTcontrollers to be sent to the police.
ED
1.
AN US
CR IP T
Using the proposed method and exploiting its flexibility in modeling the monitor make it straightforward to response to the incorrect behavior of a system at runtime with apparent ease. To this aim, we can define and/or modify policies to handle the property violation without need to halt the system. This feature enhances our method with the capabilities such as fault recovery which results in the increase of fault tolerance. In the case of fault detection, applying the proper policy manages the occurred deviation between the observed behavior and the correct behavior and decreases the system failure rate. Moreover, the ability to modify policies at runtime allows us to react to the property violation according to the current context. The mentioned properties make this policy-based runtime verification method suitable for evolving systems whose subsequent evolution depends on the unpredictable environment. However, we can just verify safety properties i.e. check bad situations will not happen. Our runtime verification method does not support the liveness properties, so we are not able to check desired situations will happen at the end. For instance, we can not specify unenforceable policies. We consider two scenarios of unsafe real-life situations to demonstrate both selforganizing characteristics of our traffic management system and capabilities of the runtime verification method in handling property violations. In the first scenario, we assume a situation in which a driver has passed a red light for some reason such as losing control of the vehicle. The following policies are enforced under this scenario.
AC
CE
The first step is the result of a structural adaptation policy and the others are done by performing governing policies. As the second scenario, we assume that one of the traffic lights has not adhered to the specified light sequence. For example, it has not taken a turn for becoming green and has remained red even after the time that the red light’s vehicles counter exceeds the threshold n. Consequently, the number of vehicles increases and causes the congestion. The following policies are enforced to solve the problem of this scenario. 1. 2. 3.
The TLcontroller’s configuration is changed to the congestion configuration. The TLcontroller informs the RTcontroller about the occurred situation. The RTcontroller’s configuration is changed to the congestion configuration.
The first and the third steps are the results of behavioral adaptation policies and the second step is one of the governing policies specified for TLcontrollers. After
28
ACCEPTED MANUSCRIPT
Conclusions
AN US
7
CR IP T
changing the configuration of the relevant managers, they will have access to the proper policies to handle the congestion. After applying the runtime verification for both scenarios all the excepted violations were detected. In the time of violating a property, a negative policy is evoked to report the incorrect behavior. In order to manage the violation in the first scenario, we may define a policy for the manager of the vehicle-SAM to decrease the velocity of the vehicle, dramatically. As a result, the driver will be forced to stop the vehicle. Afterwards, the corresponding RTcontroller announces the location of the vehicle to the police. For the second scenario, we may define a policy that puts the id of the violating traffic light in the turn of becoming green, to manage the violation. PonderTalk specifications of the policies related to the above scenarios can be seen in (Abolhasanzadeh & Jalili, 2014).
AC
CE
PT
ED
M
Throughout this paper, we proposed a new method based on HPobSAM for designing and modeling self-organizing systems. The method can support different properties of self-organizing systems and the intrinsic dynamism of such systems. The distinguishing features of our method are: Modularity and robustness which is achieved using self-adaptive modules. Thanks to the modularity and decentralized control provided by our method, there is no central point of failure in the system which decreases the system failure rate. Scalability is the result of the decentralized control in our method. Since self-organizing systems can be in large scale, scalability is considered as an important feature that a model to design such systems should have. As mentioned in the paper, self-organizing systems operate in the ever changing environments, therefore structural adaptation is essential for them. Structural adaptation in these systems consists of behavioral adaptation and dynamic reconfiguration which are provided in our method with two different sets of policies (behavioral adaptation policies and structural adaptation policies). Due to the intrinsic dynamism of complex systems, flexible and adaptive control mechanism is vital for their modeling. This property is the significant feature of our method that is achieved through the ability of changing the managers' configuration and policies dynamically. Close to our work is the work presented in (Bruni, et al., 2015), however it does not support dynamic reconfiguration. Moreover, (Ribeiro, et al., 2015; Verstaevel, et al., 2015) have proposed methods which are suitable for development of decentralized software systems, but they do not support adaptations and just focus on the interaction and coordination of system components. In our proposed method the adaptation logic and the business logic are separated. This is due to the fact that we can change the configuration of mangers dynamically. Moreover, safe adaptation is supported in our method. Having the formal foundation is another aspect of our method which helps to verify the system during design time. While most of the interesting and flexible methods like (Viroli, Casadei, Montagna, & Zambonelli, 2011) are not based on formal models. Moreover, formal methods like (Costa-Soria, 2011) do not support decentralized components or dynamic reconfigurations like (Merelli, et al., 2015).
29
ACCEPTED MANUSCRIPT
PT
References
ED
M
AN US
CR IP T
In addition, we proposed the usage of an online monitoring algebraic policy-based runtime verification method to verify the adherence of the system to correctness properties at runtime. This method reacts properly in the case of property violation. If a deviation occurs, a proper policy will be triggered and manage the situation which will increase the fault tolerance of the system. Moreover, the capability of policy modification makes this runtime verification method suitable for evolving systems. Most of the runtime verification methods consider self-adaptive systems (Goldsby, Cheng, & Zhang, 2008) and there is no specific work on the runtime verification of self-organizing systems. To clarify our method and to show its ability to support behavioral adaptation and dynamic reconfiguration of self-organizing systems, we applied our method to the self-organizing traffic management system as a case study. We developed a prototype of our case study using Java based Ponder2 policy toolkit and applied the runtime verification method on it. Finally, we showed the ability of our method to increase fault tolerance of a system. Despite the significant advantages of our method we should note that the probabilistic aspects of self-organizing systems is not supported by our method. Moreover, the ordinary model checking of a model which is obtained from our method suffers from the state-space explosion problem, hence it must be limited to small scenarios. According to the fact that the runtime verification method does not consider all possible execution paths, therefore it is incomplete compared to (unbounded) model checking. Consequently, we are not able to check liveness properties and verify that something good finally will happen. The extension of our method which makes it intrinsically stochastic is an ongoing work. Moreover, the use of control theory concepts will help to improve the proposed method and suggest some guidelines to help the creation of new self-organizing patterns. Furthermore, as a future work, we intend to validate our ideas in more complex case studies.
AC
CE
Abolhasanzadeh, B., & Jalili, S. (2014). https://github.com/Abolhasanzadeh/Selforganizing-Traffic-Management-System-s-policies.git. Adler, R., Schaefer, I., Schuele, T., & Vecchié, E. (2007). From model-based design to formal verification of adaptive embedded systems. In Formal Methods and Software Engineering (pp. 76-95): Springer. Aldewereld, H., Dignum, F., Dignum, V., & Penserini, L. (2011). A formal specification for organizational adaptation. In Agent-Oriented Software Engineering X (pp. 18-31): Springer. Balasubramaniam, S., Botvich, D., Donnelly, W., Foghlú, M. Ó., & Strassner, J. (2006). Biologically inspired self-governance and self-organisation for autonomic networks. In Proceedings of the 1st international conference on Bio inspired models of network, information and computing systems (pp. 30): ACM.
30
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
Bauer, A., Leucker, M., & Schallhart, C. (2006). Monitoring of real-time properties. In FSTTCS 2006: Foundations of Software Technology and Theoretical Computer Science (pp. 260-272): Springer. Becker, B., & Giese, H. (2008). Modeling of correct self-adaptive systems: a graph transformation system based approach. In Proceedings of the 5th international conference on Soft computing as transdisciplinary science and technology (pp. 508-516): ACM. Bernon, C., Chevrier, V., Hilaire, V., & Marrow, P. (2006). Applications of SelfOrganising Multi-Agent Systems: An Initial Framework for Comparison. Informatica (03505596), 30. Bonjean, N., Mefteh, W., Gleizes, M. P., Maurel, C., & Migeon, F. (2014). ADELFE 2.0. In M. Cossentino, V. Hilaire, A. Molesini & V. Seidita (Eds.), Handbook on Agent-Oriented Design Processes (pp. 19-63): Springer Berlin Heidelberg. Bradbury, J. S., Cordy, J. R., Dingel, J., & Wermelinger, M. (2004). A survey of selfmanagement in dynamic software architecture specifications. In Proceedings of the 1st ACM SIGSOFT workshop on Self-managed systems (pp. 28-33): ACM. Bruni, R., Corradini, A., Gadducci, F., Lluch Lafuente, A., & Vandin, A. (2015). Modelling and analyzing adaptive self-assembly strategies with Maude. Science of Computer Programming, 99, 75-94. Callow, G., Watson, G., & Kalawsky, R. (2010). System modelling for run-time verification and validation of autonomous systems. In System of Systems Engineering (SoSE), 2010 5th International Conference on (pp. 1-7): IEEE. Camazine, S. (2003). Self-organization in biological systems: Princeton University Press. Canal, C., Cámara, J., & Salaün, G. (2012). Structural reconfiguration of systems under behavioral adaptation. Science of Computer Programming, 78, 46-64. Clarke, E. M., Grumberg, O., & Peled, D. (1999). Model checking: MIT press. Cook, S. A. (1971). The complexity of theorem-proving procedures. In Proceedings of the third annual ACM symposium on Theory of computing (pp. 151-158): ACM. Costa-Soria, C. (2011). Dynamic evolution and reconfiguration of software architectures through aspects. Doctoral thesis. Department of Information System and Computation, University of Politecnica De Valencia. de Abreu Netto, M. T., dos Santos Neto, B. F., & de Lucena, C. J. P. (2015). Chapter 2 - A Pattern-Based Framework for Building Self-Organizing Multi-Agent Systems. In R. J. F. R. Liu (Ed.), Advances in Artificial Transportation Systems and Simulation (pp. 21-35). Boston: Academic Press. Dunlop, N., Indulska, J., & Raymond, K. (2003). Methods for conflict resolution in policy-based management systems. In Enterprise Distributed Object Computing Conference, 2003. Proceedings. Seventh IEEE International (pp. 98-109). Fernandez-Leon, J. A., Acosta, G. G., & Rozenfeld, A. (2014). How simple autonomous decisions evolve into robust behaviours?: A review from neurorobotics, cognitive, self-organized and artificial immune systems fields. Biosystems, 124, 7-20.
31
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
Gardelli, L., Viroli, M., Casadei, M., & Omicini, A. (2008). Designing self-organising environments with agents and artefacts: a simulation-driven approach. International Journal of Agent-Oriented Software Engineering, 2, 171-195. Gershenson, C. (2007). Design and control of self-organizing systems: CopIt ArXives. Gershenson, C. (2012). Self-organizing urban transportation systems. In Complexity Theories of Cities Have Come of Age (pp. 269-279): Springer. Goldsby, H. J., Cheng, B. H., & Zhang, J. (2008). Amoeba-rt: Run-time verification of adaptive software. In Models in Software Engineering (pp. 212-224): Springer. Hadj-Kacem, N., Kacem, A. H., & Drira, K. (2009). A formal model of a multi-step coordination protocol for self-adaptive software using coloured petri nets. IJCIS, 7. Hongzhen, X., & Guosun, Z. (2010). RETRACTED: Specification and verification of dynamic evolution of software architectures. J. Syst. Archit., 56, 523-533. Hua, W., & Jing, Y. (2007). An Approach for Harmonizing Conflicting Policies in Multiple Self-Adaptive Modules. In Machine Learning and Cybernetics, 2007 International Conference on (Vol. 4, pp. 2379-2384). Khakpour, N., Jalili, S., Sirjani, M., Goltz, U., & Abolhasanzadeh, B. (2012). HPobSAM for modeling and analyzing IT Ecosystems–Through a case study. Journal of Systems and Software, 85, 2770-2784. Khakpour, N., Jalili, S., Talcott, C., Sirjani, M., & Mousavi, M. (2012). Formal modeling of evolving self-adaptive systems. Science of Computer Programming, 78, 3-26. Khakpour, N., Jalili, S., Talcott, C., Sirjani, M., & Mousavi, M. R. (2010). PobSAM: policy-based managing of actors in self-adaptive systems. Electronic Notes in Theoretical Computer Science, 263, 129-143. Khaxar, M., Jalili, S., Khakpour, N., & Jokhio, M. S. (2009). Monitoring safety properties of composite web services at runtime using csp. In Enterprise Distributed Object Computing Conference Workshops, 2009. EDOCW 2009. 13th (pp. 107-113): IEEE. Krupitzer, C., Roth, F. M., VanSyckel, S., Schiele, G., & Becker, C. (2015). A survey on engineering approaches for self-adaptive systems. Pervasive and Mobile Computing, 17, Part B, 184-206. Macías-Escrivá, F. D., Haber, R., del Toro, R., & Hernandez, V. (2013). Self-adaptive systems: A survey of current approaches, research challenges and applications. Expert Systems with Applications, 40, 7267-7279. Mamei, M., & Zambonelli, F. (2004). Self-organization in multi agent systems: A middleware approach. In Engineering Self-Organising Systems (pp. 233248): Springer. Merdan, M., Moser, T., Sunindyo, W., Biffl, S., & Vrba, P. (2013). Workflow scheduling using multi-agent systems in a dynamically changing environment. J of Sim, 7, 144-158. Merelli, E., Paoletti, N., & Tesei, L. (2015). Adaptability checking in complex systems. Science of Computer Programming. Montali, M. (2010). Run-Time Verification. In Specification and Verification of Declarative Open Interaction Models (pp. 289-304): Springer.
32
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
Muller-Schloer, C. (2004). Organic computing-on the feasibility of controlled emergence. In Hardware/Software Codesign and System Synthesis, 2004. CODES+ ISSS 2004. International Conference on (pp. 2-5): IEEE. Onori, M., Lohse, N., Barata, J., & Hanisch, C. (2012). The IDEAS project: plug & produce at shop‐floor level. Assembly Automation, 32, 124-134. Oreizy, P., Medvidovic, N., & Taylor, R. N. (1998). Architecture-based runtime software evolution. In Proceedings of the 20th international conference on Software engineering (pp. 177-186): IEEE Computer Society. Poukahr, A., & Braubach, L. (2007). Jadex User Guide. Germany. Ribeiro, L., Rocha, A., Veiga, A., & Barata, J. (2015). Collaborative routing of products using a self-organizing mechatronic agent framework—A simulation study. Computers in Industry, 68, 27-39. Schmeck, H., Müller-Schloer, C., Çakar, E., Mnif, M., & Richter, U. (2010). Adaptivity and self-organization in organic computing systems. ACM Transactions on Autonomous and Adaptive Systems (TAAS), 5, 10. Schmickl, T., Hamann, H., Wörn, H., & Crailsheim, K. (2009). Two different approaches to a macroscopic model of a bio-inspired robotic swarm. Robotics and Autonomous Systems, 57, 913-921. Seeley, T. D. (2002). When is self-organization used in biological systems? The Biological Bulletin, 202, 314-318. Shen, W.-M., Will, P., Galstyan, A., & Chuong, C.-M. (2004). Hormone-inspired self-organization and distributed control of robotic swarms. Autonomous Robots, 17, 93-105. Sloman, M., & Lupu, E. (2010). Engineering policy-based ubiquitous systems. The Computer Journal, 53, 1113-1127. Sultan, K., Bentahar, J., Wan, W., & Al-Saqqar, F. (2014). Modeling and verifying probabilistic Multi-Agent Systems using knowledge and social commitments. Expert Systems with Applications, 41, 6291-6304. Talcott, C. L. (2007). Policy-based Coordination in PAGODA: A Case Study. Electron. Notes Theor. Comput. Sci., 181, 97-112. Tamura, G., Villegas, N. M., Müller, H. A., Sousa, J. P., Becker, B., Karsai, G., Mankovskii, S., Pezzè, M., Schäfer, W., & Tahvildari, L. (2013). Towards practical runtime verification and validation of self-adaptive software systems. In Software Engineering for Self-Adaptive Systems II (pp. 108132): Springer. Twidle, K., Dulay, N., Lupu, E., & Sloman, M. (2009). Ponder2: A policy system for autonomous pervasive environments. In Autonomic and Autonomous Systems, 2009. ICAS'09. Fifth International Conference on (pp. 330-335): IEEE. Verstaevel, N., Régis, C., Gleizes, M.-P., & Robert, F. (2015). Principles and Experimentations of Self-organizing Embedded Agents Allowing Learning from Demonstration in Ambient Robotic. Procedia Computer Science, 52, 194-201. Villalba, C., & Zambonelli, F. (2011). Towards nature-inspired pervasive service ecosystems: concepts and simulation experiences. Journal of Network and Computer Applications, 34, 589-602.
33
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
Viroli, M., Casadei, M., Montagna, S., & Zambonelli, F. (2011). Spatial Coordination of Pervasive Services through Chemical-Inspired Tuple Spaces. ACM Trans. Auton. Adapt. Syst., 6, 1-24. Wermelinger, M., & Fiadeiro, J. L. (2002). A graph transformation approach to software architecture reconfiguration. Science of Computer Programming, 44, 133-155. Yeom, K. (2010). Bio-inspired self-organization for supporting dynamic reconfiguration of modular agents. Mathematical and Computer Modelling, 52, 2097-2117. Zadeh, J. (1997). What is Soft Computing? Soft Computing, 1. Zambonelli, F. (2015). Engineering self-organizing urban superorganisms. Engineering Applications of Artificial Intelligence, 41, 325-332. Zambonelli, F., Omicini, A., Anzengruber, B., Castelli, G., De Angelis, F. L., Serugendo, G. D. M., Dobson, S., Fernandez-Marquez, J. L., Ferscha, A., Mamei, M., Mariani, S., Molesini, A., Montagna, S., Nieminen, J., Pianini, D., Risoldi, M., Rosi, A., Stevenson, G., Viroli, M., & Ye, J. (2015). Developing pervasive multi-agent systems with nature-inspired coordination. Pervasive and Mobile Computing, 17, Part B, 236-252. Zhang, J., & Cheng, B. H. (2006). Model-based development of dynamically adaptive software. In Proceedings of the 28th international conference on Software engineering (pp. 371-380): ACM.
34
Towards Modeling and Runtime Verification of Self-Organizing Systems Bahareh Abolhasanzadeh , Saeed Jalili PII: DOI: Reference:
S0957-4174(15)00621-1 10.1016/j.eswa.2015.09.008 ESWA 10278
To appear in:
Expert Systems With Applications
Received date: Revised date: Accepted date:
10 May 2014 8 September 2015 8 September 2015
Please cite this article as: Bahareh Abolhasanzadeh , Saeed Jalili , Towards Modeling and Runtime Verification of Self-Organizing Systems, Expert Systems With Applications (2015), doi: 10.1016/j.eswa.2015.09.008
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
ACCEPTED MANUSCRIPT
Highlights
AC
CE
PT
ED
M
AN US
A method for design and verification of self-organizing systems is proposed The proposed method is: modular , robust and scalable The proposed method does structural and safe adaptation A novel runtime verification method to verify self-organizing systems is employed A specific instance of self-organizing traffic management system is presented
CR IP T
ACCEPTED MANUSCRIPT
Towards Modeling and Runtime Verification of SelfOrganizing Systems
CR IP T
Bahareh Abolhasanzadeh*, Saeed Jalili Electrical and Computer Engineering Faculty, Tarbiat Modares University, Tehran, Iran
Self-organization,
Formal
modeling,
Runtime
verification,
ED
Keywords: HPobSAM
M
AN US
Abstract. According to the fact that the intrinsic dynamism of self-organizing systems challenges the existing methods of engineering for modeling reliable complex systems, in this paper, we propose a new formal-based method to model self-organizing systems. The capabilities of the proposed method which are used to address several challenges in design, development and analysis of self-organizing systems are: modularity and robustness, decentralized control and scalability, required adaptation types, flexible and adaptive control mechanism, separation of adaptation and business logic, and safe adaptation. To evaluate the proposed method, we use self-organizing traffic management system as a case study and exploit the proposed method for modeling this dynamic system. Moreover, we propose and employ a novel policy-based runtime verification mechanism to ensure that the safety properties are satisfied by the implementation at runtime. We provide our case study prototype using Java and the Ponder2 toolkit and apply our runtime verification method to show its proper reaction capabilities to the property violations. This benefit is the result of using dynamic policies in our method to control the behavior of systems.
Introduction
PT
1
AC
CE
The continuous advances in technology make computing environments dynamic, heterogeneous and more complex. To deal with such dynamics in the environmental conditions, systems should be given more degrees of autonomy, allowing them to continue operating without human intervention. To this aim, in recent years, there has been a significant growth of interest in new approaches based on bio-inspired metaphors to create powerful methodologies for designing systems and solving computational problems. In nature, biological systems are capable to enlarge in scale and behave autonomously without a centralized control; they are only influenced by local environment conditions and interactions with nearby entities (Seeley, 2002). This natural adaptation and loosely-coupled cooperation is the idea behind selforganizing mechanisms. Generally, self-organization is specified as the evolution of a *
Corresponding author. E-mail addresses: [email protected] (B. Abolhasanzadeh), [email protected] (S. Jalili).
2
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
system into an organized state, in the presence of ever changing environments and in the absence of external or of centralized control. Self-organizing systems are generally made of multiple autonomous components which are able to self-organize their activity patterns toward a specified common goal (Macías-Escrivá, Haber, del Toro, & Hernandez, 2013). Such systems are expected to withstand disturbance and do structural adaptation in response to unexpected situations, where structure can be spatial, temporal, or functional. Motivation: Two main challenges faced by designers of self-organizing systems are (i) designing the autonomous system elements to achieve the intended system-level dynamics and (ii) providing assurances about the correctness of the emergent global behavior. Based on the degree of autonomy, three approaches are used for designing complex systems. In centralized approach, a system is managed in a top-down way using one control element. This approach comprises initiatives like Soft Computing (Zadeh, 1997). Centralized control imposes a single point of failure and needs a complete description of the desired properties and environment. Hierarchical approaches consider several control elements distributed over different levels of hierarchy. These control elements interact with each other to realize the goals. Organic Computing (Muller-Schloer, 2004; Schmeck, Müller-Schloer, Çakar, Mnif, & Richter, 2010) is the most notable initiative of such approaches which provides controlled autonomy for a system. However, this approach limits the system’s scalability. Current aims in development of self-organizing systems are mainly concentrated on employing decentralized approaches. In a decentralized approach, the control of a system is distributed between its components where the system-wide behavior is emerged from local interactions of its components in a bottom-up way. Different frameworks and models have been investigated by diverse research groups from different communities for designing self-organizing software systems. Among them agent-based modeling is generally considered a good paradigm to tackle complexity problems of self-organizing systems (Bernon, Chevrier, Hilaire, & Marrow, 2006; Gardelli, Viroli, Casadei, & Omicini, 2008). Considering the agent metaphor (Gershenson, 2007) provides a framework for designing self-organizing systems. This framework is built on the idea of achieving maximum global satisfaction by reducing the local friction. In (Sloman & Lupu, 2010) a robust software architecture for designing autonomic systems is proposed and policy-based computing has been selected as the core self-management technology. Furthermore, biologically inspired principles and mechanisms have recently seen a rapid increase research interest in the context (Villalba & Zambonelli, 2011; Yeom, 2010). Despite the inherent flexibility and capability of these models for supporting properties of self-organization, lack of formal foundation is their great defect. Formal models are one of the most important aspects of designing complex systems, used to ensure reliability of such systems and to guarantee the functional correctness, safety, and security of them. The intrinsic dynamism of self-organizing systems requires us to use formal methods at early stages of design process to ensure that the system is operating correctly. These approaches provide a systematic way for designing complex systems, and support the validation and verification of system’s adaptation before implementation (Adler, Schaefer, Schuele, & Vecchié, 2007).
3
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
In spite of the fact that there is a considerable works on formal modeling of dynamic adaptation for complex systems, most of them do not support properties of self-organizing systems. For instance, (Bradbury, Cordy, Dingel, & Wermelinger, 2004; Hongzhen & Guosun, 2010; Wermelinger & Fiadeiro, 2002) only focus on system dynamic reconfiguration and description of dynamic changes at high levels of abstraction, whereas (Hadj-Kacem, Kacem, & Drira, 2009; Zhang & Cheng, 2006) concentrate on behavioral adaptation of dynamic systems. However, self-organizing systems are enabled to do structural adaptation. Therefore, it is essential for a model to support both behavioral adaptation and dynamic reconfiguration. So far, only few works pay attention to both aspects of adaptation which are necessary to develop selforganizing systems. Among them (Canal, Cámara, & Salaün, 2012) introduced a framework for dynamic reconfiguration of components with behavioral adaptation considerations; in this work behavioral adaptation is expressed through component reconfiguration. Also, (Costa-Soria, 2011) presents a framework which allows for the representation of hierarchical systems with adaptive component behaviors and dynamic reconfiguration. Another aspect of modeling self-organizing systems is the flexibility and scalability of the model. Most of the existing formal models have not focused on these features which are necessary to deal with complexity and evolution of such systems. For instance, graph transformation is used for modeling both dynamic reconfiguration and behavioral adaptation (Becker & Giese, 2008), but it is not flexible to address the requirements of modeling the long-term evolution of systems and complex environments. One of the most significant aspects of developing self-organizing systems is the challenge of providing assurance that the emergent behaviors adhere to key properties and the system operates correctly during and after reorganizations. Given a model of the system and a desired specification, formal verification aims to prove the correctness of design according to the defined specification. There has been a significant amount of work and different techniques devoted to formal verification of complex systems, such as model checking (Clarke, Grumberg, & Peled, 1999), theorem proving (Cook, 1971), etc. These techniques play an important role in validation and verification of complex systems, but the complexity of self-organizing systems, as well as their subsequent evolution makes verification of such systems a great deal with increasing difficulty. Contribution: To address the shortcomings of existing methods, we propose a new and flexible method for design and verification of self-organizing systems and discuss different capabilities of this model in supporting key properties of such systems. Our method is based on the Hierarchical PobSAM (HPobSAM) (Khakpour, Jalili, Sirjani, Goltz, & Abolhasanzadeh, 2012) which is a formal model for developing, modeling and verification of self-adaptive evolving systems. The main characteristics of the proposed method are (i) modularity and robustness, (ii) decentralized control and scalability, (iii) structural adaptation, (iv) flexible and adaptive control mechanism, (v) separation of the adaptation logic from the business logic and (vi) safe adaptation. We use the capabilities of HPobSAM and consider a system as a set of autonomous components which use policies to govern and adapt themselves. Behavioral adaptation and dynamic reconfiguration is supported through dynamically changing and modifying the policies.
4
ACCEPTED MANUSCRIPT
Related Work
PT
2
ED
M
AN US
CR IP T
To clarify our method in designing self-organizing systems, we have designed a specific instance of self-organizing traffic management system as a case study. Such systems have a dynamic nature and exhibit emergent properties. Moreover, they are composed of multiple autonomous components which have continuous interactions among themselves and try to accomplish a common goal in a self-organizing manner. Such properties as well as the increasing importance of Intelligent Transportation Systems make self-organizing traffic management system a suitable case study for our paper. Furthermore, we propose the employment of a novel runtime verification (Bauer, Leucker, & Schallhart, 2006; Montali, 2010) method to verify self-organizing systems at runtime and show its ability to handle violation of properties dynamically. Runtime verification is a solution to avoid formal verification difficulties (e.g. state explosion problem) and acts as a complement to static verification techniques. This kind of verification is an effective approach to ensure that the desired behavior of a system is met at runtime. In particular, since self-organizing systems often operate in unpredictable environments, it is infeasible to model the system behavior before deployment. Therefore, using runtime verification technique to assure the correctness of emergent behaviors, in self-organizing systems is inevitable. To illustrate the effectiveness of our runtime verification method and to show how it could react properly even in the time of violation, we have implemented our case study, using Java and the Ponder2 toolkit (Twidle, Dulay, Lupu, & Sloman, 2009), and have applied the runtime verification method on this system. The rest of this paper is organized as follows: In the following section we give an overview of related work. Section 3 describes HPobSAM, briefly. In section 4 we present our method for modeling self-organizing systems and discuss its capabilities in modeling such systems. We introduce and model our case study, self-organizing traffic management system, in section 5. Section 6 introduces our method for run-time verification and in Section 7 we conclude the paper.
CE
The presented work opens different perspectives which are related to the modeling, development and runtime verification of the next generation systems. Here, our objective is to present the diversity of approaches that are presented in literature and their appropriateness for modeling and runtime verification of self-organizing systems.
AC
2.1
Biologically Inspired Approaches
In this context different frameworks and models have been investigated by diverse research groups to design complex and large-scale software systems. Nature-inspired approaches and frameworks contrived through observation of natural systems and mechanisms have recently seen a rapid increase research interest (Balasubramaniam, Botvich, Donnelly, Foghlú, & Strassner, 2006; Schmickl, Hamann, Wörn, &
5
ACCEPTED MANUSCRIPT
2.2
ED
M
AN US
CR IP T
Crailsheim, 2009; Villalba & Zambonelli, 2011). Some of these mechanisms which have gained great interest in the context of self-organizing systems are: flocking, foraging, stigmergy, consensus local monitoring, and human immune system (Fernandez-Leon, et al., 2014; Krupitzer, Roth, VanSyckel, Schiele, & Becker, 2015). Typically, mechanisms based on social insects or human societies are considered as powerful problem-solving systems (e.g. digital pheromones or digital hormone models inspired by ant foraging or hormone diffusion are decentralized coordination mechanisms used to control systems (Camazine, 2003; Shen, Will, Galstyan, & Chuong, 2004)). Recently, (Zambonelli, et al., 2015) have proposed a naturedinspired coordination model using SAPERE to develop and design pervasive service systems. They use field data-structures to spread and aggregate information which can be used to produce distributed self-organized behavior and distributed property of the system. Moreover, (Zambonelli, 2015) has proposed a reference architecture which provides self-adaptivity and reconfiguration. This architecture supports a wide variety of nature-inspired self-organized coordination patterns. They consider autonomous components as agents that can provide resources and services to the environment and use the notion of pheromone in ant colonies for spreading information. (Yeom, 2010) proposed a framework to develop and manage self-organizing, distributed computing systems which is a combination of biologically inspired and agent-based approach. In this work, mobile agents exploit the adaptive behavior of biological systems. (Viroli, Casadei, Montagna, & Zambonelli, 2011) inspire from the notion of biochemical tuple spaces and define a coordination model. They use reaction and diffusion rules to achieve features like adaptivity and competition among services. These mechanisms appear interesting and flexible and able to mitigate the complexity of modeling complex systems. However, no formal foundation is considered for them. Similarly, our method is inspired by complex natural systems. According to the fact that providing evidence of correctness is vital for self-organizing systems, our method provides this necessity.
Agent-Based Approaches
AC
CE
PT
Agent-based computing is generally considered as an accurate approach for modeling complex systems which hides the complexity at system level by encouraging modular design (Bernon, Chevrier, Hilaire, & Marrow, 2006; Gardelli, Viroli, Casadei, & Omicini, 2008; Mamei & Zambonelli, 2004). For instance, (Ribeiro, Rocha, Veiga, & Barata, 2015) has proposed a multi-agent-based architecture which is inspired from the IDEAS reference architecture (Onori, Lohse, Barata, & Hanisch, 2012). They use a heterarchical agent-based model. (Merdan, Moser, Sunindyo, Biffl, & Vrba, 2013) has the same architecture as (Ribeiro, et al., 2015) but they use a contract net based negotiation in the time of failures. These approaches are suited to develop decentralized software systems, but they do not support adaptations and just focus on the interaction and coordination of system components. Moreover, they do not exploit formal foundation which makes them unreliable. But, our method is based on a formal method and supports structural adaptation of self-organizing systems. (de Abreu Netto, dos Santos Neto, & de Lucena, 2015) have proposed JASOF a pattern and a BDI-based framework which concerns self-organization through software engineering
6
ACCEPTED MANUSCRIPT
2.3
Architectures for Self-organizing Systems
CR IP T
techniques. JASOF, extends Jadex (Poukahr & Braubach, 2007) which considers agents as black boxes receiving and sending messages. The environment in Jadex is based on the agents-and-artifacts (A&A) approach (Gardelli, et al., 2008). JASOF, has provided patterns and necessary infrastructure for the agents to operate. (Verstaevel, Régis, Gleizes, & Robert, 2015) have proposed a multi-agents system which is based on ADELFE (Bonjean, Mefteh, Gleizes, Maurel, & Migeon, 2014). Again, these frameworks provide a mechanism for regulating interaction and coordination of self-organizing systems.
CE
PT
ED
M
AN US
Close to our work is the robust software architecture presented in (Sloman & Lupu, 2010) for designing autonomic systems. In this architecture the self-managed cells are the building blocks of the system and policy-based computing has been selected as the core self-management technology. Although they have used event calculus to analyze policies, their model is not based on a formal model which is considered in our model. PAGODA (Policy And GOal Based Distributed Autonomy) (Talcott, 2007) is a modular architecture based on the Russian Dolls model of policy-based coordination. This architecture is used to specify and prototype autonomous systems. In PAGODA intercepting and manipulating messages are the means of adaptation. PAGODA employs a two-layered architecture (the local nodes and the global system). However, this architecture does not support distributed coordinator and dynamic reconfiguration. Furthermore, (Bruni, Corradini, Gadducci, Lluch Lafuente, & Vandin, 2015) propose a conceptual framework for structuring adaptable systems. They have considered significant characteristics for their approach such as: a whitebox approach for adaptation, a hierarchical architecture, computational reflection, probabilistic rule-based specifications and quantitative verification techniques. They have specified and analyzed the adaptation logic in Maude and used different levels of adaptation which provide a flexible and modular way of realizing adaptive behaviors. Although (Bruni, et al., 2015) and our method share the idea of having rules as a highlevel object of adaptation, there are some differences in the architecture and in the use of reflection. Moreover, they do not consider dynamic reconfiguration and focus on the behavioral adaptation of agents.
2.4
Formal Modeling and Runtime Verification
AC
There already exist several approaches for formal modeling of dynamic systems, but most of them do not address both dynamic reconfiguration and behavioral adaptation which are necessary for self-organizing systems. For instance, formal models presented in (Bradbury, Cordy, Dingel, & Wermelinger, 2004; Hongzhen & Guosun, 2010; Oreizy, Medvidovic, & Taylor, 1998; Wermelinger & Fiadeiro, 2002) address dynamic reconfiguration as their main concern and have used graph-based or ADLbased approach for modeling dynamic reconfiguration. Instead, (Hadj-Kacem, Kacem, & Drira, 2009; Zhang & Cheng, 2006) proposed methods focus on behavioral adaptation. Among the recent researches, a formal model based on the CTL temporal
7
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
logic is provided in (Aldewereld, Dignum, Dignum, & Penserini, 2011). This work considers the adaptation process in agent systems. (Canal, Cámara, & Salaün, 2012) have introduced a framework for reconfiguration of components with behavioral adaptation considerations, where component configurations are represented by LTSs. In this paper the concept of behavioral adaptation refers to the substitution of component and its adaptor while preserving system properties. Using graph transformation in (Becker & Giese, 2008), the authors model both aspects of adaptation i.e. dynamic reconfiguration and behavioral adaptation. But their method is not suitable for large-scale systems. The work provided in (Costa-Soria, 2011) enables adaptive component behaviors and reconfiguration; however it does not support decentralized components and their structure. (Sultan, Bentahar, Wan, & AlSaqqar, 2014) have proposed PCTLkc a multi-model logic which is a combination of two probabilistic logics called PCTLK and PCTLC. Modeling stochastic multi-agent systems is their main concern and they focus on the modeling of interactions and notions such as probability and knowledge. This approach is suitable for the design time and faces state explosion problem. However, we show that our method can cover all aspects of self-organizing systems and is applicable for the runtime of a system. (Merelli, Paoletti, & Tesei, 2015) develop a formal hierarchical model for adaptable systems in which S (structural level) describes the adaptation dynamics, and B (behavioral level) describes the admissible dynamics of the system. This model is based on a simple and general model of computation (state machines) and defines adaptation from B to S level by operational semantics rules. However, this model does not support dynamic reconfiguration which is necessary for modeling selforganizing systems. The runtime verification of self-organizing systems is another perspective of our work. Although runtime verification is not a new topic, there is no specific work on runtime verification of self-organizing systems. (Tamura, et al., 2013) discussed the challenges of verifying adaptable and self-managed systems as well as the necessity of runtime verification for these systems. Similar to our method (Khaxar, Jalili, Khakpour, & Jokhio, 2009) have used process algebra to verify web service compositions at runtime. However, we implement a policy-based monitor for our runtime verification method. (Callow, Watson, & Kalawsky, 2010) present a runtime verification method suitable for autonomous systems. Their framework is based on principles of Model Driven Architecture (MDA). Also, in (Goldsby, Cheng, & Zhang, 2008) a runtime verification method is proposed for monitoring adaptive systems. In this work, properties to be checked are specified using LTL and A-LTL. In this paper, we have used a policy-based method for runtime verification of self-organizing systems which uses algebra to verify properties at runtime. Flexibility, scalability and fault tolerance are some of the non-functional properties which can be achieved as a result of using our method for designing and verifying complex systems. Separation of adaptation logic from business logics, capability of modeling both dynamic reconfiguration and behavioral adaptation, in addition to supporting decentralized cooperation mechanism make our method preferable than the other works in the context of modeling self-organizing systems. Moreover, one of the significant properties of our method is the increase of fault tolerance which is a result of being able to handle violation of properties during runtime verification, dynamically.
8
ACCEPTED MANUSCRIPT
3
Hierarchical PobSAM
CR IP T
Hierarchical PobSAM is a formal model for modeling complex systems. Using the following elements this model can support behavioral adaptation and dynamic reconfiguration of self-organizing systems. Computational actors which are responsible for the functional behavior of the system.
Autonomous components called Self-Adaptive Modules (SAM) which are the policy-based building blocks of the model. This model supports hierarchical relationships between sets of SAMs; so a SAM may contain a number of SAMs collaborating to achieve a specific goal or it may contain a composition of self-adaptive modules or actors governed by a manager.
A set of view variables used to provide an abstraction of the state of actors and self-adaptive modules for the managers. A view variable is the actual state variable, or a function or a predicate applied to state variables of actors.
Autonomous managers which are in charge of managing actors and lowerlevel self-adaptive modules. They can operate in different configurations. Each configuration consists of three sets of policies: governing policies, behavioral adaptation policies and structural adaptation policies. A manager uses the governing policies for controlling the behavior of lower-level selfadaptive modules (SAMs) and actors by sending messages to them. The behavioral adaptation policies are used for switching among the configurations. The structural adaptation policies are used for changing the structure of SAMs by adding or removing agents i.e. a self-adaptive module or an actor. Note that the precedence of behavioral/structural adaptation policies is higher than the precedence of governing policies. The notion of roles is used in hierarchical PobSAM to keep the specification of the manager policies unchanged at the time of joining or deleting actors or SAMs. A role is dynamically assigned to a group of SAMs or actors with the same functionality. The managers’ policies are specified in terms of roles.
AC
CE
PT
ED
M
AN US
Governing Policies. A simple governing policy gpi=⟨o, e, ψ⟩•a, gpi ∈ gp, consists of priority o ∈ N, event e ∈ E where E is the set of possible events, condition ψ (a Boolean term) and an action a. Actions of governing policies are specified using an a algebra CA defined as follows. We let a, a’ denote action terms, while an α is a primitive action. a = a ; a′ | a || a’ | a + a’ | ϕ : → a | α | δg
9
ACCEPTED MANUSCRIPT
CR IP T
Therefore an action term can be a sequential composition (;), a parallel composition (||), a non-deterministic choice (+), or a conditional choice (ϕ : → a). In addition, the special constant δg acts as the deadlock action for governing policies. A primitive action of a simple governing policy is of the forms r.msg to send the message msg to the agents with role r. Structural Adaptation Policies. A simple structural adaptation policy spi=⟨o, e, ψ⟩•a, spi ∈ sp consists of priority o ∈ N, event e ∈ E, condition ψ and an action a a which is specified as a CA term. Each manager uses structural adaptation policies for structural adaptation of its corresponding module.
The new Method for Modeling Self-Organizing Systems
M
4
AN US
Behavioral Adaptation Policies. A simple behavioral adaptation policy bpi = ⟨o, e, ψ, λ, ϕ ⟩•c, bpi ∈ bp consists of priority o ∈ N, event e ∈ E, and a condition ψ (a Boolean term) for triggering the adaptation. Moreover, the conditions for applying the adaptation is shown using a Boolean term ϕ, λ is the adaptation type. There are two kinds of adaptations called loose adaptation and strict adaptation. Under loose adaptation, the manager enforces old policies while in the strict adaptation all the events are ignored until the system passes the adaptation mode and reaches a safe state, and c is the new configuration.
CE
PT
ED
Based on the preceding definitions, self-organizing systems are composed of interacting autonomous components operate under decentralized control and no central point of failure to achieve the desired goal (Macías-Escrivá, Haber, del Toro, & Hernandez, 2013; Schmeck, Müller-Schloer, Çakar, Mnif, & Richter, 2010). This decentralization leads to non-functional properties such as robustness, scalability and failure recovery. In addition, individual components of such systems as well as the whole system respond to external influences by performing structural adaptation. In this section, we propose a new method for designing and modeling self-organizing systems which can support different properties of such systems.
4.1
The Proposed Modeling Method
AC
Our modeling process starts with an abstract representation of what may generally be expected from self-organizing systems and continued with the study of modeling their generic common features. This modeling method consists of the following steps undertaken: Step 1. We assume the system as a two-level entity. In the high level, we consider the external schema of the system. In this level, the autonomous components of the system are recognized. Components are assumed as the entities which are the subjects of duties and provide the main functionality of the system. We model each of the
10
ACCEPTED MANUSCRIPT
autonomous components of the system using self-adaptive modules (SAMs) of HPobSAM. These modules encapsulate the information and do interaction with each other which make the robustness and the self-* behaviors possible.
CR IP T
Step 2. We use the concept of role in HPobSAM and specify the main roles in the system. Here, a role is considered as an abstraction of a component's functionality and is assigned to a group of agents (i.e. actors and low-level self-adaptive modules) with the same task. Each role can be related to different tasks in the context of either being responsible for the task or simply as a collaborator. Afterwards, we assign an initial role to each autonomous component. In order to be able to restructure the system, agents are assigned to the roles, dynamically.
AN US
Step 3. In this step, we divide the main goal of the system into subgoals. Then, according to the specification and the role of each autonomous component, a local goal will be assigned to it. Each component is in charge of achieving its local goals.
AC
CE
PT
ED
M
Step 4. The modeling method should provide a control mechanism for a system which ensures that the controlled system performs the expected actions. Since our aim is to model self-organizing systems, this control mechanism must be internal and distributed. Therefore, we divide the control mechanism of such systems into smaller control units and dispatch them between system's modules. Each module must have the ability of controlling itself. In this method of modeling, we control the behavior and structure of the modules by using different classes of policies. Using policy is a simple and dynamic technique to achieve flexibility in autonomous systems. In fact, policies specify the way of conducting a module in the time of encountering environmental changes. Therefore, policies are considered as a tool to infer and are consulted to determine whether or not changes need to be made in the system. Managers in HPobSAM are the means that help us in achieving this aim. A set of different configurations is considered for managers. Each configuration encompasses three groups of policies, one of them is governing policies. Using governing policies for controlling the behavior of the system can be done in two ways: (i) in the direct way, in which performing policies is done directly on the actors or low-level modules. In this kind of control, the manager controls the actors or the managers of the lowlevel modules by sending messages to them, (ii) in the indirect way a manager can control the behavior of its under-control managers and consequently the behavior of the relevant modules by changing their managers' configurations. In the proposed method, we use a combination of the centralized and decentralized approach for the controlling mechanism of a module (Fig. 1). We consider a selfadaptive module as an indication of an autonomous component. Each manager of a self-adaptive module controls its low-level agents (i.e. actors and low-level selfadaptive modules) and provides an autonomous domain. Note that from the high-level point of view, the system is a collection of the same level self-adaptive modules and the controlling mechanism of the whole system is distributed among them. Hence, the main approach for controlling the system is decentralized.
11
ACCEPTED MANUSCRIPT
Self-Adaptive Module
Manager
CR IP T
Actor
Fig. 1. The typical representation of the self-organizing component
AN US
It is worth mentioning that although each module is important, it is not in the center of operation and adaptation of the whole system. Another advantage of this decentralization is the division of duties among self-adaptive modules. This division makes the manager of each module gather less information and process them locally which increase the overall performance.
M
Step 5. In the low level of the system, the internal schema is considered. In this step to provide self-awareness of modules, we define necessary observations for them. Here, observations mean the information that a manager of a module has access to it. This information contains the internal state and the information which is achieved from the surrounding environment. A manager should be aware of the internal state of its under control module to recognize any deviation from the goal. This awareness helps the manager to direct or adapt the behavior of its low-level agents. For modeling this part, we use the view variables of HPobSAM. These variables provide a manager an abstraction of the state of the relevant actors.
AC
CE
PT
ED
Step 6. The intrinsic dynamism and several interactions inside the system, as well as the interaction of the system with the environment, require a dynamic and adaptive control mechanism. In this section, we explain how modules can be adapted to the changeable conditions. To adapt the module and eventually the system's behavior and structure according to the current and possible conditions, (ii) behavioral adaptation policies and (iii) structural adaptation policies of HPobSAM are considered for managers. In different conditions, these adaptation policies put the proper policies at the manager's disposal by providing the ability of transition between different configurations. Having the capability of changing policies and configurations of a manager dynamically which is supported by HPobSAM makes the control mechanism of a self-organizing system adaptable and dynamic during its future evolution. Consequently, modules can obtain policies during runtime and without interrupting their functionality which results in changing the system's behavior, dynamically. Step 7. According to the fact that the main goal of self-organizing systems is divided into smaller and local goals which are assigned to their components, to achieve the main goal of the systems, interaction, cooperation and coordination among components plays the key role. These necessities lead to the better understanding of a component from the current circumstances. For modeling this important principle, we use two mechanisms which are supported by HPobSAM: (i) sending messages among managers and (ii) shared memory. Sending messages among
12
ACCEPTED MANUSCRIPT
4.2
CR IP T
managers gives the permission of having hierarchy in the model. This mechanism allows the top-level managers to inform and to control the behavior of the lower-level agents. In the shared memory mechanism, view variables are used as a space for coordinating interactions. A module can have controlled access to the view variables of other modules. Therefore, sharing information via view variables is a way of informing other modules about the information of the surrounding environment. In the following subsection, we discuss the advantages of our method for designing self-organizing systems and illustrate its capabilities by modeling a case study named self-organizing traffic management system, in the next section.
Discussion
AN US
In the following we discuss the significant capabilities of our method that can cater requirements for designing self-organizing systems.
Modularity and Robustness. The modeling concepts of our method hide the complexity at system level by supporting modular design. Modularity in this model is provided by the use of self-adaptive modules. Notice that each module is important but does not act as the center of functionality and adaptation of the system. Due to the distributed and modular design, the components’ failure can be handled, which results in increasing the robustness of the system.
ED
M
Decentralized Control and Scalability. In our method each system at the high level can be modeled as a set of self-adaptive modules placed at the same level of hierarchy. In this model, the control mechanism is distributed over the components (i.e. self-adaptive modules) and they collaborate with each other in the form of selforganization to accomplish the high-level goals. Decentralized control is one of the leading causes of scalability of a model for designing self-organizing systems which is provided in our method.
AC
CE
PT
Adaptation. The managers of self-adaptive modules which are used to model the components in our modeling method perform behavior adaptation by modifying the policies used to control the module’s behavior as well as sending messages to relevant actors. Furthermore, each manager can control and adapt the behavior of the lowerlevel self-adaptive modules by changing their managers’ configurations. This ability provides controlled self-organization for the lower-level self-adaptive modules. Dynamic reconfiguration is supported through changing the roles of entities which leads to joining/leaving an actor or a self-adaptive module to/from a self-adaptive module, dynamically. Flexible and Adaptive Control Mechanism. A control mechanism for a selforganizing system should be adaptive which is considered in our method. In this model a manager’s policies and configurations can be changed dynamically through the subsequent evolution of a system. This capability helps to handle the new situations and requirements without interrupting the system.
13
ACCEPTED MANUSCRIPT
CR IP T
The separation of the adaptation logic from the business logic. Having the ability of changing configurations and policies of managers dynamically and according to the fact that the adaptation logic of HPobSAM is specified in the form of policies, we can come to the conclusion that in the proposed method the adaptation logic is decoupled from the business logic. Thus, adaptation in our approach includes no recoding the system and influences only the managers’ layer, which results to a flexible model.
Illustrating Case Study
PT
5
ED
M
AN US
Safe adaptation. Safe adaptation is one of the most important issues that must be considered in modeling self-organizing systems. The time of performing reorganization in the system, the time of changing managers' policies, the time of applying new policies after changing policies and the way of limiting the system behavior during reorganization are matters that should be considered in a formal model describing self-organizing systems. Considering HPobSAM in our method, we can say, when an event occurs, the relevant managers are informed, but the adaptation does not occur immediately. When the system reaches the safe mode, the managers transit to the new configuration. Therefore, a new operation mode called adaptation mode is defined, in which a manager operates before transiting to a new configuration. When a manager is in the adaptation mode, occurring events that should be responded by the manager is possible. For managing these cases, two kinds of adaptations are introduced in HPobSAM: (i) loose adaptation and (ii) strict adaptation. In the loose adaptation, a manager performs old policies in the adaptation mode, whereas in the strict adaptation all the events are postponed to the time that the manager exits from the adaptation mode and the system reaches to the safe state. Above all, it can be concluded that the safe adaptation for self-organizing systems is achieved in this method. In the next section, we will apply the proposed method on the self-organizing traffic management system and show how different aspects of dynamic and complex systems can be modeled.
AC
CE
Since traffic congestion is one of the most pressing issues and causes of decreased standard of living throughout the world, several strategies have been proposed to cope with this problem. Recently, “self-organizing” traffic management has been receiving attention in the new transportation technologies known as Intelligent Transportation Systems (ITSs). These systems address the drawbacks of traditional approaches in the context of traffic management. Traditional traffic management approaches try to optimize the solution for static and basic configurations of traffic density. These mechanisms are computationally expensive and are not able to automatically consider dynamic environment conditions. ITSs include various subsystems that can be divided into intelligent traffic infrastructure and intelligent vehicles. In self-organizing traffic management, traffic control infrastructure would not only direct the traffic flow, but stay in constant interaction with street vehicles. Therefore, communication and coordination play a
14
ACCEPTED MANUSCRIPT
5.1
AN US
CR IP T
key role in this system. The global goal of the system is to optimize traffic throughput, in the way that vehicles reach their destination as fast as possible. Different components of the system interact locally according to simple rules and in a self-organizing manner. On the control infrastructure side, self-organizing traffic lights play a major role in keeping vehicles flowing along. At junctions, traffic lights use different technologies for communication and interaction with other components of the system (e.g. traffic lights and vehicles) to control competing flows of traffic. They help vehicles to find the current best path to their destination. Vehicles help traffic controllers to obtain more information about the traffic environment and become aware of the occurred events. Furthermore, traffic lights exploit information received by roadside sensors, cameras and other top-level entities. They provide a map of traffic density and negotiate with other traffic lights to determine the best sequence of actions according to the current traffic conditions. The global behavior of the system is the result of these local interactions (Gershenson, 2012).
Modeling the Self-Organizing Traffic Management System
Self-organizing Traffic Management Systems attempt to self-organize and adapt to constantly changing traffic conditions. In these systems, the aims are (i) to adapt drivers’ behavior according to current traffic condition, and (ii) to manage the controlling infrastructures such as traffic lights. Modeling the High Level Part of the System
M
5.1.1
AC
CE
PT
ED
This phase of modeling consists of the first four steps of our method. As a matter of efficiency in traffic management and in order to take advantage of self-organization, we divide traffic environment into smaller areas called regions. Each region contains some autonomous traffic lights positioned at road intersections. A number of relay units, roadside sensors and cameras collect information for the controlling infrastructure (actors). Vehicles are mobile components of the system when a vehicle leaves a region; it is removed from the list of components of that region. We consider regions, traffic lights and the device located in vehicles as self-adaptive modules (Fig. 2). In the following, we discuss how we can model them using the proposed method.
15
ACCEPTED MANUSCRIPT
Regional-SAM Manager TL-SAM Vehicle-SAM Router
AN US
Region
Actor
CR IP T
Actor
Fig. 2. The typical representation of the model of the self-organizing traffic management system
ED
M
Vehicles. Vehicles are moving part of the system. Each interactive component of vehicles is modeled as a self-adaptive module (vehicle-SAM). A vehicle-SAM includes a manager in charge of controlling a number of actors such as communication devices, sensors, etc. Also, we consider a lower-level self-adaptive module called router for the vehicle-SAM. The router’s manager is responsible for finding the best path to the destination and does this duty according to its governing policies. The vehicle-SAM’s manager is aware of the vehicle specification and temporal traffic density of its surrounding region. This data and the received information from the router and traffic lights help the vehicle-SAM’s manager direct the driver to reach the destination in a reasonable amount of time. Moreover, vehicleSAMs help traffic lights to achieve specific goals such as identification of a specific vehicle (e.g. emergency car).
AC
CE
PT
Traffic lights. Traffic lights are the main parts of this system. Each traffic light is modeled as a self-adaptive module (TL-SAM). We consider one manager for a TLSAM called TLcontroller. This manager controls actors and collaborates with other TLcontrollers to maintain or improve the overall performance of the whole system. A TL-SAM contains actors such as traffic light heads, camera, vehicle movement detectors and communication devices. Self-organizing traffic lights are set to minimize waiting times of road users and to help drivers find out how to drive through a city in order to minimize their waiting times. To achieve this goal, we consider vehicles approaching a traffic light within a distance d or waiting at a traffic light as lower-level self-adaptive modules of the relevant TL-SAM. TLcontroller has two configurations: normal configuration and congestion configuration. Each configuration encompasses three sets of policies (governing, structural adaptation and behavioral adaptation) which can be changed dynamically according to the new requirements. Fig. 3 shows the HPobSAM model of a traffic light partially. As a selforganizing solution for Urban Traffic Control, we consider normal configurations'
16
ACCEPTED MANUSCRIPT
governing policies of TLcontrollers based on the work described in (Gershenson, 2012). For instance, on the arrival of an emergency car at a red light,
AN US
CR IP T
MANAGER TLController{ statevars {byte TLId;} managedElements{ VehicleModule VMA; Camera CAM; TLheadControl TLhead; Relay relay1; TLController neighA; TLController neighB; // definition of other managed elements } roles { camera = {CAM}; adjacentTLs = { neighA, neighB }; //definition of the rest roles and role assignments } configurations{ normalConfL= [napAL][ngpAL,ngpBL,ngpCL,…][nspAL,nspBL]; congestionConfL= [capAL][cgpAL,cgpBL,…][cspAL,cspBL]; } policies{ napAL : on congestion if true switch to congestionConfL when true priority 1; if
(TLcolor==Red)
M
ngpAL : on Veharrival(VehStatus, TLcolor) && (VehStatus==Emergancy) do forall TL in adjacentTLs relay1.sendEmergancyMesg(TL); TLhead.changeTgreen() priority 1; nspAL : on onLeave(VM) if true do remove(VM) priority 1;
PT
}
ED
//definition of other policies } views { string VehAStatus = VMA.status; //definition of other views }
CE
Fig. 3. The HPobSAM specification of a traffic light
according to the governing policy ngpAL, the green light of the junction is sent a message for emergency color change to let the emergency car pass.
AC
Regions. As mentioned before, traffic environment is divided into several regions to control traffic more efficient. We model each region as a self-adaptive module, and assume a manager called regional traffic controller (RTcontroller) for it. The actor layer of regional-SAM contains several self-adaptive modules such as traffic lights and vehicles in addition to actors such as sensors and different devices for communication. We define two configurations (normal and congestion) to indicate different operational modes for regional traffic controller. In the normal configuration
17
ACCEPTED MANUSCRIPT
CR IP T
an RTcontroller is in charge of providing traffic information for traffic lights in its authority as well as its adjacent RTcontrollers. Fig. 4 depicts the HPobSAM model of a traffic region partially. There exist some policies that a typical RTcontroller uses to control the system. For instance, the following policies are some of the defined governing policies that the RTcontroller uses to handle the congestion in the congestion configuration. The policy cgpA is the specification of the first following policies. Inform the neighboring regions about the congestion situations Find an adjacent region with the lowest traffic density Tell the regional traffic lights about the specified region
5.1.2
AN US
The third policy makes traffic lights of the region collaborate and find the best sequence of actions to encourage traffic to flow toward the specified adjacent region. Modeling the Low Level Part of the System
AC
CE
PT
ED
M
Individual components of self-organizing systems perceive and have partial knowledge of their environment to fulfill their local goals. In order to enhance the capabilities of self-organizing traffic management systems to deal with the dynamic environment and exploit self-organization mechanisms, their modules should have the ability to become aware of their status, adapt themselves and collaborate with each other. Steps five to seven of our method provides these necessities for them. Self-awareness in the self-adaptive modules of this case study (e.g. TL-SAMs) is achieved via view layer of each manger. For example, the view layer of a TL-SAM includes view variables that reveal the number of vehicles approaching or waiting at the light, the color of the light, map of the traffic environment, specification of the vehicles beyond the light, etc. Using these variables a TLcontroller can detect any deviation from the local goal or find any defection in the TL-SAM. As mentioned before, managers in our method interact in two ways: message passing and shared memory. We know that TLcontrollers require to see the information provided by other traffic lights in their locality. For instance, consider a situation in which a traffic light wants to switch to green to let an emergency car pass, it should take into account status of other lights located at that junction. Since, the view layer of a TL-SAM reveals its status, the view layer acts as a shared space among TLcontrollers and the mentioned traffic light can gain its necessary information. Note that managers can have controlled access to the view layer of each other. As another example, consider an RTcontroller which gains its information via collaboration with traffic lights, other regional traffic controllers and vehicles, through their view layers. Each RTcontroller is aware of traffic density and status of its own and neighboring regions (e.g. high traffic jam condition). By using message passing for spreading this information, the RTcontroller helps its lower-level agents (i.e. traffic lights, vehicles, sensors, cameras and different devices for communication) to control traffic and fulfill the global goal.
18
ACCEPTED MANUSCRIPT
CR IP T
In our method structural and behavioral adaptation policies are used to address adaptation purposes, e.g. the structural adaptation policy nspAL (Fig. 3) considers removal of a vehicle-SAM from the actor layer of a TL-SAM. Also, a behavioral adaptation policy napAL (Fig. 3) is used in the case of congestion which switches the manager to the congestion configuration. Also, in the congestion configuration a behavioral adaptation policy is defined for switching the manager to normal configuration after solving congestion problem.
M
AN US
MANAGERS{ MANAGER RTcontroller{ statevars {byte RegionId;} managedElements{ TrafficLightModuleA TLA; VehicleModule VMA; Camera CAM; Relay relay1; RTcontroller neighA; RTcontroller neighB; // definition of other managed elements} roles { camera = {CAM}; allVhs = { VMA , …} adjacentRTs = { neighA, neighB }; //definition of the rest roles and role assignments } configurations{ normalConf= [napA][ngpA,ngpB,ngpC,…][nspA]; congestionConf= [capA][cgpA,cgpB][cspA];} policies{ cgpA : on congestion(RegionId , status) if true do forall RT in adjacentRTs relay1.inform (status, RT) priority 1 ;
PT
ED
nspA : on onJoin(VM) if true do add(VM); join(allVhs,VM) priority 1; //definition of policies } views { byte TLAstatus = TLA.status; byte TLAcolor = TLA.color; //definition of other views}
AC
CE
} MANAGER TLControllerA{ // definition of the manager } //definition of the rest of managers} ACTORS { reactiveclass TLhead() { knownrebecs {} statevars{public byte color; } msgsrv changetogreen() { ... } //definition of the rest of message servers} //definition of the rest of actors} SAMS{ SAM VehicleModule { Router Rot(); Sensor SenA; VController(Rot, SenA,..); }
19
ACCEPTED MANUSCRIPT
SAM TrafficLightModule { Camera CAM; // TLController TLC(VMA,CAM,..); } //definition of the rest of SAMs}
6
Runtime Verification Method
CR IP T
Fig. 4. The HPobSAM specification of a traffic region
Runtime Verification for Self-Organizing Systems
M
6.1
AN US
As mentioned before, dynamic nature, long-term evolution and lack of central control in self-organizing systems, impose great challenges in analyzing such systems statically. For example, dynamism and adaptiveness of self-organizing systems cause a huge state space which is the reason of state space explosion problem. Also, lack of a central control makes it impossible to provide a complete model for static verification of our system. Hence, runtime verification plays a major role in assuring certain correctness properties of self-organizing systems. In this verification technique a monitor is used to check the adherence of the system to the correctness property. Being performed during the execution time of a system and considering a single run are significant features of runtime verification that can be used to solve the problems of static verification.
AC
CE
PT
ED
We use an online monitoring approach developed in (Khakpour, Jalili, Sirjani, Goltz, & Abolhasanzadeh, 2012) to verify a self-organizing system at runtime. In the proposed method, a run of a system is verified against an algebraic specification. A monitor is a manager of our method whose policies are used to check the execution traces. Each execution trace is defined as a sequence of events in this model. We a specify properties to be checked using CA subalgebra (described in Section 3, presented in (Khakpour, Jalili, Talcott, Sirjani, & Mousavi, 2012; Khakpour, et al., 2010)). The monitor performs its task in two steps: first it listens to a set of events defined as its alphabet. Second it checks if the received event is expected to happen or not. According to the user-provided specification and the alphabet set, two classes of governing policies: negative policies and positive policies, are generated for the monitor. Negative policies are activated by unexpected events and are used to detect undesired traces. Positive policies are used to monitor the desired behavior of the system and they are activated by expected events. When an expecting event of the observing trace occurs and the positive policy condition holds then the policy action which represents the following trace to be observed is done. Notice that after triggering a positive policy all non-triggered positive policies will be removed from the list of monitor’s governing policies. a Each of the properties to be monitored is provided in the subalgebra CA and formulated as the monitor’s governing policies. Using the mentioned runtime verification method, a property to be observed is written as follows,
20
ACCEPTED MANUSCRIPT
A ≡ (a1 ; A1) + ... + (an ; An)
(1)
AN US
CR IP T
where ai is considered as a conditional term, i.e. ai = ϕi :→ ei and ei ∈ L. L ⊆ E denotes its alphabet, E is the set of events which may occur in the system. A sub-term (ai; Ai), 1 ≤ i ≤ n, models a bunch of events starting with ei when condition ϕi is true, and followed by Ai. The methods check and violated are considered for a monitor. These two methods are invoked respectively, in the time of triggering a positive and a negative policy. To monitor the sub-term (ai; Ai), a (positive) governing policy gi = 〈2 ,ei , ϕi 〉 • check(Ai, L, A, gi) in addition to a negative governing policy gj = 〈1 ,ej , ⊤〉 • violated(A) for each event ej ∈ L, will be defined. According to a positive governing policy, after occurring event ei under condition ϕi, the policy gi is triggered. Triggering a positive governing policy causes execution of action check(Ai, L, A, gi) which leads to replacing policy gi with a collection of new governing policies to monitor Ai. As an example and in order to illustrate our method for runtime verification, we choose a property from traffic light properties of our case study. Using two sequences of events, this property checks the adherence of traffic lights to the predefined light sequence: A ≡ ((TLhead.Color == Red) /\ (CAM.counter > n) /\ (TL.turn == lightId): → (CAM.resetCounter(); TLhead.Green()) + ((TLhead.Color == Green) /\ (TL.GreenTime> T) /\ ~(CAM.swarm): → (TLhead.Yellow(); TLhead.wait(m); TLhead.Red()));A
M
L = { resetCounter();wait(); Green();Yellow(); Red() }
PT
ED
In the first sequence, the color of the traffic light head (TLhead) is red, the number of vehicles observed by camera (CAM.counter) is more than n and there is no other traffic light in the turn of becoming green. Then, the counter of the camera resets and the traffic light turns green. In the second trace, the traffic light has been green for T time units and the camera observes no swarm of vehicles (q or fewer, but more than zero). Then, the traffic light turns yellow and remains at this color for m time units; afterwards, it turns red. Having given the above property, the execution of the first step of the runtime verification algorithm results in the following lines:
CE
A ≡ (TLhead.Color == Red) /\ (CAM.counter > n) /\ (TL.turn == lightId): → CAM.resetCounter () + (TLhead.Color == Green) /\ (TL.GreenTime > T) /\ ~(CAM.swarm): → TLhead.Yellow()
AC
therefore, the initial policy set is g = {g1, g2, g3, g4, g5, g6, g7} where g1 and g2 are positive policies and the others are negative policies: g1 = ⟨2; CAM.resetCounter(); ((TLhead.Color == Red) /\ (CAM.counter > n) /\ (TL.turn == lightId))⟩ • check (A1, L, A, g1) g2 = ⟨2; Yellow() ; ((TLhead.Color == Green) /\ (TL.GreenTime > T) /\ ~(CAM.swarm))⟩ • check(A2, L, A, g2) g3 = ⟨1; CAM.resetCounter(); ~((TLhead.Color == Red) /\ (CAM.counter > n) /\ (TL.turn == lightId))⟩ • violated(A) g4 = ⟨1; TLhead.wait(); ⊤⟩ • violated(A)
21
(2) (3) (4) (5)
ACCEPTED MANUSCRIPT
g5 = ⟨1; TLhead.Green(); ⊤⟩ • violated(A) g6 = ⟨1; TLhead.Yellow(); ~((TLhead.Color == Green) /\ (TL.GreenTime > T) /\ ~(CAM.swarm))⟩ • violated(A) g7 = ⟨1; Tlhead.Red(); ⊤⟩ • violated(A)
(6) (7) (8)
g11 = ⟨2; TLhead.wait(); ⊤⟩ • check(A11, L, A, g11)
CR IP T
Consider a situation in which a traffic light receives a resetCounter event for its counter and the condition part of the g1 policy is evaluated to true. As a result, policy g1 is triggered and the new policy set is created by removing g2 and adding the following positive policy: (9)
6.2
AN US
If the resetCounter event happens while the situation does not satisfy the condition of the policy g1, a negative policy g3 is triggered and a violation is reported.
Implementation
AC
CE
PT
ED
M
We use the Ponder2 policy execution environment to develop our case study. Ponder2 comprises a self-contained, stand-alone, general-purpose object management system (Twidle, Dulay, Lupu, & Sloman, 2009) which makes it suitable for the vast domains of applications. This policy framework uses message passing between objects exploiting a publish/subscribe event bus. Events trigger polices which are used to specify management rules and behavior of a system. The policy service provides two types of policies: obligation policies and authorization policies. The former one is in the form of event-condition-action rule which defines the management actions and the latter defines which activities are permitted on which resources and services. All entities of Ponder2 are defined as managed objects to facilitate management purposes. A high-level language called PonderTalk is used for configuring and controlling Ponder2 systems. User-extensible managed objects are programmed in Java. In order to implement a system which is designed via our method, in Ponder2 we consider actors as user defined managed objects. Actors can be sent messages to do the functional behavior of the system. Managers are implemented using the policy interpreter which is a built-in managed object of Ponder2 system. Different policy sets of a manager are defined using obligation policies which can be modified to change the behavior of a system without interrupting its functioning. To show the feasibility of runtime verification method, we have developed an instantiation of the self-organizing traffic management system (which is modeled in the previous section) with two regions and two RTcontrollers. In this prototype, three junctions are assigned to a region and four traffic lights are placed at each junction (Fig. 5).
22
ACCEPTED MANUSCRIPT
CR IP T
RTcontroller
AN US
RTcontroller
Fig. 5. The implemented traffic environment
CE
PT
ED
M
Fig. 6 depicts the architecture of the implemented system. It is worth mentioning that we consider a monitor to verify each property.
Fig. 6. The architecture of the implemented traffic management system
AC
The policies considered for traffic lights are based on the work presented in (Gershenson, 2012). Fig. 7 shows some of the policies used in our implementation, they are defined using PonderTalk and are located in the text files (.p2 files) for the ease of changing policies at runtime. As an example of a policy consider Fig. 8 which shows the HPobSAM and PonderTalk specifications of the sixth policy of Fig. 7. In this example, ComingVeh and Vspeed denote the event of observing a vehicle and the speed of the observed vehicle, respectively. The PonderTalk specification of other policies are given in (Abolhasanzadeh & Jalili, 2014).
23
ACCEPTED MANUSCRIPT
1. On every tick, add to the counter the number of vehicles approaching or waiting at a red light within distance d.
CR IP T
2. If a red light’s counter exceeds the threshold n, and there is no green light at that junction, switch the light. Otherwise, take a turn for becoming green and stay red. (Whenever the light switches, reset the counter to zero.)
3. If no vehicle is approaching a green light within a distance d after t time units, and at least one vehicle is approaching the red light within a distance d, then switch the light (optimization policy). 4. If there is a vehicle stopped on the road a short distance e beyond a green traffic light, then switch the light and announce the congestion situation.
AN US
5. If there is an emergency vehicle stopped on the road beyond a red traffic light that light must switch to green and others to red.
6. If a vehicle goes through a light at high speed (more than s), a notification should be sent to it by the corresponding traffic light controller. Fig. 7. Examples of the policies used in the implementation of the traffic management system HPobSAM:
M
ngpBL : on ComingVeh(Vspeed) if Vspeed > S do vehicle.inform(notification) priority 1;
PonderTalk:
PT
ED
policy := root/factory/ecapolicy create. root/policy at:"TLManager1" put: policy. root/policy/TLManager1 event:root/event/ComingVeh. root/policy/TLManager1 condition:[:Vspeed | Vspeed>S]. root/policy/TLManager1 action: [:Vid| root/Traffic/lightMid informVeh:Vid notification:"High Speed"].
CE
root/policy/TLManager1 active:true.
Fig. 8. The HPobSAM and PonderTalk specifications of a policy
AC
This runtime verification method provides our important requirements such as the ability to modify and define policies at runtime. To achieve this goal in addition to debug, test and interact with a Ponder2 system, its internal and interactive shell can be used. The Ponder2 shell accepts and executes internal commands and also PonderTalk statements. As an example and according to our case study, we can use the shell to handle changing policies in the urban traffic management. For instance, consider an undefined policy which states that moving special types of vehicles is forbidden for
24
ACCEPTED MANUSCRIPT
several days. In order to consider the new management policy, we use the following command to define a new event triggered by observing a violating vehicle: template :=root/factory/event create:#("Vehid""day"). root/event at:"InvalidCar " put:template.
AN US
CR IP T
where, Vehid denotes the type of the vehicle and day denotes the number of days. By defining the policy presented in Fig. 9 against a violating vehicle, a stop message will be sent to such a vehicle, in the time of observing it, afterwards its specifications will be sent to the RTcontroller. Another important feature supported as a result of using this method is the increase of modularity and efficiency in distributed systems. To this aim, the event bus of the ponder2 environment allows local policies to deal with the local events while maintaining the ability to react to the events from remote places (Twidle, et al., 2009). policy := root/factory/ecapolicy create. root/policy at:"TLManager2" put: policy. root/policy/TLManager2 event:root/event/InvalidCar. root/policy/TLManager2 condition:[true]. root/policy/TLManager2 action: [:Vehid|root/Traffic/lightMid stopMeg:Vehid. root/Traffic/lightMid informRT:Vehid].
M
root/policy/TLManager2 active:true.
ED
Fig. 9. An example of a policy defined in the shell of the ponder2 environment
AC
CE
PT
Due to the fact that we have implemented a prototype of a self-organizing traffic management system which is an instance of self-organizing systems with all their properties and requirements. We can get some statistics about the number of the performed structural adaptation policies. This statistics provides a clear view of selforganization in a self-organizing system. Fig. 10 shows the number of evoked structural adaptation policies according to the different number of performed policies in the system, when we ran the system for 300,600, 900,1200, 1500, 1800 and 2100s.
25
licies l Adaptation Po rmed Structura
ACCEPTED MANUSCRIPT
0 20 40 60 80 100 120 220
CR IP T
200 180 160 140 120
80 60
(m s)
2000 1800 1600 1400 1200 1000 800 600 400
40
Ti
me
20
1200
1000
Num ber o
f Per
800
forme d
600
400
Polic ie
To ta
1400
lR un
0
AN US
Number of Perfo
100
200
s
6.3
Runtime Analysis
M
Fig. 10. Number of performed structural adaptation polices
AC
CE
PT
ED
Policy analysis is one of the most important challenges arising during runtime verification of distributed and policy-based systems. Policy conflict detection and resolution is one aspect of policy analysis that can be done at runtime. To this aim we consider two governing policies (e.g. g 𝑖 = 〈𝑜, 𝑒, 𝜙𝑖 〉𝑎𝑖 and g 𝑗 = 〈𝑜, 𝑒, 𝜙𝑗 〉𝑎𝑗 ) and use the properties described in (Khakpour, Jalili, Sirjani, Goltz, & Abolhasanzadeh, 2012) for detection of conflicting policies. In the case of finding policy conflicts, different methods such as (Dunlop, Indulska, & Raymond, 2003; Hua & Jing, 2007) can be used to resolve the problem. In order to evaluate the performance of our runtime verification method based on the implemented prototype of the traffic management system, we consider various types of properties for the system and verify them at runtime. These properties can be selected from different categories: (i) traffic light properties related to adherence of each traffic light to the defined policies for these elements such as light sequence, conditions of changing the light and collaboration of traffic lights with different system components. (ii) Vehicle properties concerned with the correctness of vehicles’ operations such as finding the best path for the driver and collaboration with traffic lights. (iii) Regional properties used to check if the regional policies are respected by RTcontrollers, e.g., providing necessary information for traffic lights such as finding the best neighboring region for directing the traffic flow in congestion situations.
26
ACCEPTED MANUSCRIPT
Several properties, such as the followings, are provided to verify the correctness of the system and to evaluate the performance of the runtime verification method.
Light sequence must be green, yellow and red. If a red light’s vehicle counter exceeds the threshold and there is no other light in the turn of becoming green, the light should switch to green (This property tries to check the avoidance of having multiple green lights at a junction). An emergency car should not wait at a red light. The lights should not be green (red) for the vehicles and pedestrians simultaneously. Optimization policy should happen to help the emergence of the global goal.
CR IP T
ED
M
AN US
Fig. 11 shows the results of our experiments for measuring the performance of the runtime verification method. It is worth mentioning that the performance depends on the properties to be monitored, for some properties the overhead is lower than the others. So, we performed our experiments with different number of properties needed to be monitored and included various events. The last experiment is done using seven typical properties containing all the events used for traffic management. At the end we observe that the system adheres to all the properties and this adherence is written to the log file. In all the experiments we run the system for 9000000 milliseconds. According to Fig.11 the CPU time overhead varies between 0.1% and 0.4%. The experiments are performed on an Intel workstation running Windows 7 with Core 2 Duo 2.2GHz CPU and 4 Gbyte memory.
0.0 0.1 0.2 0.3 0.4
0.4
0.3
0.1
Pr op e
5
400 4
of
6
Numb er o
r ty
800 600
7
Ev alu
1000 0.0
at io
ns
0.2
3
f Prop
2
erties
Nu mb er
AC
CE
he CPU Time over
PT
ad (percent)
0.5
200 1
Fig. 11. The experimental result on the traffic management system
27
ACCEPTED MANUSCRIPT
3. 4.
PT
5.
M
2.
In the time of passing a vehicle, the TLcontroller captures information about the violating vehicle. If there is a police vehicle in the vehicle list of the TLcontroller, this manager sends the information about the violating vehicle to the police. If a police vehicle is not available to the TLcontroller, it asks the RTcontroller to send the information to the nearest police vehicle. If there is a police vehicle in the relevant region, the RTcontroller sends the violating vehicle’s information to the police vehicle. If there is no police vehicle in the region, the RTcontroller sends the information to its neighboring RTcontrollers to be sent to the police.
ED
1.
AN US
CR IP T
Using the proposed method and exploiting its flexibility in modeling the monitor make it straightforward to response to the incorrect behavior of a system at runtime with apparent ease. To this aim, we can define and/or modify policies to handle the property violation without need to halt the system. This feature enhances our method with the capabilities such as fault recovery which results in the increase of fault tolerance. In the case of fault detection, applying the proper policy manages the occurred deviation between the observed behavior and the correct behavior and decreases the system failure rate. Moreover, the ability to modify policies at runtime allows us to react to the property violation according to the current context. The mentioned properties make this policy-based runtime verification method suitable for evolving systems whose subsequent evolution depends on the unpredictable environment. However, we can just verify safety properties i.e. check bad situations will not happen. Our runtime verification method does not support the liveness properties, so we are not able to check desired situations will happen at the end. For instance, we can not specify unenforceable policies. We consider two scenarios of unsafe real-life situations to demonstrate both selforganizing characteristics of our traffic management system and capabilities of the runtime verification method in handling property violations. In the first scenario, we assume a situation in which a driver has passed a red light for some reason such as losing control of the vehicle. The following policies are enforced under this scenario.
AC
CE
The first step is the result of a structural adaptation policy and the others are done by performing governing policies. As the second scenario, we assume that one of the traffic lights has not adhered to the specified light sequence. For example, it has not taken a turn for becoming green and has remained red even after the time that the red light’s vehicles counter exceeds the threshold n. Consequently, the number of vehicles increases and causes the congestion. The following policies are enforced to solve the problem of this scenario. 1. 2. 3.
The TLcontroller’s configuration is changed to the congestion configuration. The TLcontroller informs the RTcontroller about the occurred situation. The RTcontroller’s configuration is changed to the congestion configuration.
The first and the third steps are the results of behavioral adaptation policies and the second step is one of the governing policies specified for TLcontrollers. After
28
ACCEPTED MANUSCRIPT
Conclusions
AN US
7
CR IP T
changing the configuration of the relevant managers, they will have access to the proper policies to handle the congestion. After applying the runtime verification for both scenarios all the excepted violations were detected. In the time of violating a property, a negative policy is evoked to report the incorrect behavior. In order to manage the violation in the first scenario, we may define a policy for the manager of the vehicle-SAM to decrease the velocity of the vehicle, dramatically. As a result, the driver will be forced to stop the vehicle. Afterwards, the corresponding RTcontroller announces the location of the vehicle to the police. For the second scenario, we may define a policy that puts the id of the violating traffic light in the turn of becoming green, to manage the violation. PonderTalk specifications of the policies related to the above scenarios can be seen in (Abolhasanzadeh & Jalili, 2014).
AC
CE
PT
ED
M
Throughout this paper, we proposed a new method based on HPobSAM for designing and modeling self-organizing systems. The method can support different properties of self-organizing systems and the intrinsic dynamism of such systems. The distinguishing features of our method are: Modularity and robustness which is achieved using self-adaptive modules. Thanks to the modularity and decentralized control provided by our method, there is no central point of failure in the system which decreases the system failure rate. Scalability is the result of the decentralized control in our method. Since self-organizing systems can be in large scale, scalability is considered as an important feature that a model to design such systems should have. As mentioned in the paper, self-organizing systems operate in the ever changing environments, therefore structural adaptation is essential for them. Structural adaptation in these systems consists of behavioral adaptation and dynamic reconfiguration which are provided in our method with two different sets of policies (behavioral adaptation policies and structural adaptation policies). Due to the intrinsic dynamism of complex systems, flexible and adaptive control mechanism is vital for their modeling. This property is the significant feature of our method that is achieved through the ability of changing the managers' configuration and policies dynamically. Close to our work is the work presented in (Bruni, et al., 2015), however it does not support dynamic reconfiguration. Moreover, (Ribeiro, et al., 2015; Verstaevel, et al., 2015) have proposed methods which are suitable for development of decentralized software systems, but they do not support adaptations and just focus on the interaction and coordination of system components. In our proposed method the adaptation logic and the business logic are separated. This is due to the fact that we can change the configuration of mangers dynamically. Moreover, safe adaptation is supported in our method. Having the formal foundation is another aspect of our method which helps to verify the system during design time. While most of the interesting and flexible methods like (Viroli, Casadei, Montagna, & Zambonelli, 2011) are not based on formal models. Moreover, formal methods like (Costa-Soria, 2011) do not support decentralized components or dynamic reconfigurations like (Merelli, et al., 2015).
29
ACCEPTED MANUSCRIPT
PT
References
ED
M
AN US
CR IP T
In addition, we proposed the usage of an online monitoring algebraic policy-based runtime verification method to verify the adherence of the system to correctness properties at runtime. This method reacts properly in the case of property violation. If a deviation occurs, a proper policy will be triggered and manage the situation which will increase the fault tolerance of the system. Moreover, the capability of policy modification makes this runtime verification method suitable for evolving systems. Most of the runtime verification methods consider self-adaptive systems (Goldsby, Cheng, & Zhang, 2008) and there is no specific work on the runtime verification of self-organizing systems. To clarify our method and to show its ability to support behavioral adaptation and dynamic reconfiguration of self-organizing systems, we applied our method to the self-organizing traffic management system as a case study. We developed a prototype of our case study using Java based Ponder2 policy toolkit and applied the runtime verification method on it. Finally, we showed the ability of our method to increase fault tolerance of a system. Despite the significant advantages of our method we should note that the probabilistic aspects of self-organizing systems is not supported by our method. Moreover, the ordinary model checking of a model which is obtained from our method suffers from the state-space explosion problem, hence it must be limited to small scenarios. According to the fact that the runtime verification method does not consider all possible execution paths, therefore it is incomplete compared to (unbounded) model checking. Consequently, we are not able to check liveness properties and verify that something good finally will happen. The extension of our method which makes it intrinsically stochastic is an ongoing work. Moreover, the use of control theory concepts will help to improve the proposed method and suggest some guidelines to help the creation of new self-organizing patterns. Furthermore, as a future work, we intend to validate our ideas in more complex case studies.
AC
CE
Abolhasanzadeh, B., & Jalili, S. (2014). https://github.com/Abolhasanzadeh/Selforganizing-Traffic-Management-System-s-policies.git. Adler, R., Schaefer, I., Schuele, T., & Vecchié, E. (2007). From model-based design to formal verification of adaptive embedded systems. In Formal Methods and Software Engineering (pp. 76-95): Springer. Aldewereld, H., Dignum, F., Dignum, V., & Penserini, L. (2011). A formal specification for organizational adaptation. In Agent-Oriented Software Engineering X (pp. 18-31): Springer. Balasubramaniam, S., Botvich, D., Donnelly, W., Foghlú, M. Ó., & Strassner, J. (2006). Biologically inspired self-governance and self-organisation for autonomic networks. In Proceedings of the 1st international conference on Bio inspired models of network, information and computing systems (pp. 30): ACM.
30
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
Bauer, A., Leucker, M., & Schallhart, C. (2006). Monitoring of real-time properties. In FSTTCS 2006: Foundations of Software Technology and Theoretical Computer Science (pp. 260-272): Springer. Becker, B., & Giese, H. (2008). Modeling of correct self-adaptive systems: a graph transformation system based approach. In Proceedings of the 5th international conference on Soft computing as transdisciplinary science and technology (pp. 508-516): ACM. Bernon, C., Chevrier, V., Hilaire, V., & Marrow, P. (2006). Applications of SelfOrganising Multi-Agent Systems: An Initial Framework for Comparison. Informatica (03505596), 30. Bonjean, N., Mefteh, W., Gleizes, M. P., Maurel, C., & Migeon, F. (2014). ADELFE 2.0. In M. Cossentino, V. Hilaire, A. Molesini & V. Seidita (Eds.), Handbook on Agent-Oriented Design Processes (pp. 19-63): Springer Berlin Heidelberg. Bradbury, J. S., Cordy, J. R., Dingel, J., & Wermelinger, M. (2004). A survey of selfmanagement in dynamic software architecture specifications. In Proceedings of the 1st ACM SIGSOFT workshop on Self-managed systems (pp. 28-33): ACM. Bruni, R., Corradini, A., Gadducci, F., Lluch Lafuente, A., & Vandin, A. (2015). Modelling and analyzing adaptive self-assembly strategies with Maude. Science of Computer Programming, 99, 75-94. Callow, G., Watson, G., & Kalawsky, R. (2010). System modelling for run-time verification and validation of autonomous systems. In System of Systems Engineering (SoSE), 2010 5th International Conference on (pp. 1-7): IEEE. Camazine, S. (2003). Self-organization in biological systems: Princeton University Press. Canal, C., Cámara, J., & Salaün, G. (2012). Structural reconfiguration of systems under behavioral adaptation. Science of Computer Programming, 78, 46-64. Clarke, E. M., Grumberg, O., & Peled, D. (1999). Model checking: MIT press. Cook, S. A. (1971). The complexity of theorem-proving procedures. In Proceedings of the third annual ACM symposium on Theory of computing (pp. 151-158): ACM. Costa-Soria, C. (2011). Dynamic evolution and reconfiguration of software architectures through aspects. Doctoral thesis. Department of Information System and Computation, University of Politecnica De Valencia. de Abreu Netto, M. T., dos Santos Neto, B. F., & de Lucena, C. J. P. (2015). Chapter 2 - A Pattern-Based Framework for Building Self-Organizing Multi-Agent Systems. In R. J. F. R. Liu (Ed.), Advances in Artificial Transportation Systems and Simulation (pp. 21-35). Boston: Academic Press. Dunlop, N., Indulska, J., & Raymond, K. (2003). Methods for conflict resolution in policy-based management systems. In Enterprise Distributed Object Computing Conference, 2003. Proceedings. Seventh IEEE International (pp. 98-109). Fernandez-Leon, J. A., Acosta, G. G., & Rozenfeld, A. (2014). How simple autonomous decisions evolve into robust behaviours?: A review from neurorobotics, cognitive, self-organized and artificial immune systems fields. Biosystems, 124, 7-20.
31
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
Gardelli, L., Viroli, M., Casadei, M., & Omicini, A. (2008). Designing self-organising environments with agents and artefacts: a simulation-driven approach. International Journal of Agent-Oriented Software Engineering, 2, 171-195. Gershenson, C. (2007). Design and control of self-organizing systems: CopIt ArXives. Gershenson, C. (2012). Self-organizing urban transportation systems. In Complexity Theories of Cities Have Come of Age (pp. 269-279): Springer. Goldsby, H. J., Cheng, B. H., & Zhang, J. (2008). Amoeba-rt: Run-time verification of adaptive software. In Models in Software Engineering (pp. 212-224): Springer. Hadj-Kacem, N., Kacem, A. H., & Drira, K. (2009). A formal model of a multi-step coordination protocol for self-adaptive software using coloured petri nets. IJCIS, 7. Hongzhen, X., & Guosun, Z. (2010). RETRACTED: Specification and verification of dynamic evolution of software architectures. J. Syst. Archit., 56, 523-533. Hua, W., & Jing, Y. (2007). An Approach for Harmonizing Conflicting Policies in Multiple Self-Adaptive Modules. In Machine Learning and Cybernetics, 2007 International Conference on (Vol. 4, pp. 2379-2384). Khakpour, N., Jalili, S., Sirjani, M., Goltz, U., & Abolhasanzadeh, B. (2012). HPobSAM for modeling and analyzing IT Ecosystems–Through a case study. Journal of Systems and Software, 85, 2770-2784. Khakpour, N., Jalili, S., Talcott, C., Sirjani, M., & Mousavi, M. (2012). Formal modeling of evolving self-adaptive systems. Science of Computer Programming, 78, 3-26. Khakpour, N., Jalili, S., Talcott, C., Sirjani, M., & Mousavi, M. R. (2010). PobSAM: policy-based managing of actors in self-adaptive systems. Electronic Notes in Theoretical Computer Science, 263, 129-143. Khaxar, M., Jalili, S., Khakpour, N., & Jokhio, M. S. (2009). Monitoring safety properties of composite web services at runtime using csp. In Enterprise Distributed Object Computing Conference Workshops, 2009. EDOCW 2009. 13th (pp. 107-113): IEEE. Krupitzer, C., Roth, F. M., VanSyckel, S., Schiele, G., & Becker, C. (2015). A survey on engineering approaches for self-adaptive systems. Pervasive and Mobile Computing, 17, Part B, 184-206. Macías-Escrivá, F. D., Haber, R., del Toro, R., & Hernandez, V. (2013). Self-adaptive systems: A survey of current approaches, research challenges and applications. Expert Systems with Applications, 40, 7267-7279. Mamei, M., & Zambonelli, F. (2004). Self-organization in multi agent systems: A middleware approach. In Engineering Self-Organising Systems (pp. 233248): Springer. Merdan, M., Moser, T., Sunindyo, W., Biffl, S., & Vrba, P. (2013). Workflow scheduling using multi-agent systems in a dynamically changing environment. J of Sim, 7, 144-158. Merelli, E., Paoletti, N., & Tesei, L. (2015). Adaptability checking in complex systems. Science of Computer Programming. Montali, M. (2010). Run-Time Verification. In Specification and Verification of Declarative Open Interaction Models (pp. 289-304): Springer.
32
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
Muller-Schloer, C. (2004). Organic computing-on the feasibility of controlled emergence. In Hardware/Software Codesign and System Synthesis, 2004. CODES+ ISSS 2004. International Conference on (pp. 2-5): IEEE. Onori, M., Lohse, N., Barata, J., & Hanisch, C. (2012). The IDEAS project: plug & produce at shop‐floor level. Assembly Automation, 32, 124-134. Oreizy, P., Medvidovic, N., & Taylor, R. N. (1998). Architecture-based runtime software evolution. In Proceedings of the 20th international conference on Software engineering (pp. 177-186): IEEE Computer Society. Poukahr, A., & Braubach, L. (2007). Jadex User Guide. Germany. Ribeiro, L., Rocha, A., Veiga, A., & Barata, J. (2015). Collaborative routing of products using a self-organizing mechatronic agent framework—A simulation study. Computers in Industry, 68, 27-39. Schmeck, H., Müller-Schloer, C., Çakar, E., Mnif, M., & Richter, U. (2010). Adaptivity and self-organization in organic computing systems. ACM Transactions on Autonomous and Adaptive Systems (TAAS), 5, 10. Schmickl, T., Hamann, H., Wörn, H., & Crailsheim, K. (2009). Two different approaches to a macroscopic model of a bio-inspired robotic swarm. Robotics and Autonomous Systems, 57, 913-921. Seeley, T. D. (2002). When is self-organization used in biological systems? The Biological Bulletin, 202, 314-318. Shen, W.-M., Will, P., Galstyan, A., & Chuong, C.-M. (2004). Hormone-inspired self-organization and distributed control of robotic swarms. Autonomous Robots, 17, 93-105. Sloman, M., & Lupu, E. (2010). Engineering policy-based ubiquitous systems. The Computer Journal, 53, 1113-1127. Sultan, K., Bentahar, J., Wan, W., & Al-Saqqar, F. (2014). Modeling and verifying probabilistic Multi-Agent Systems using knowledge and social commitments. Expert Systems with Applications, 41, 6291-6304. Talcott, C. L. (2007). Policy-based Coordination in PAGODA: A Case Study. Electron. Notes Theor. Comput. Sci., 181, 97-112. Tamura, G., Villegas, N. M., Müller, H. A., Sousa, J. P., Becker, B., Karsai, G., Mankovskii, S., Pezzè, M., Schäfer, W., & Tahvildari, L. (2013). Towards practical runtime verification and validation of self-adaptive software systems. In Software Engineering for Self-Adaptive Systems II (pp. 108132): Springer. Twidle, K., Dulay, N., Lupu, E., & Sloman, M. (2009). Ponder2: A policy system for autonomous pervasive environments. In Autonomic and Autonomous Systems, 2009. ICAS'09. Fifth International Conference on (pp. 330-335): IEEE. Verstaevel, N., Régis, C., Gleizes, M.-P., & Robert, F. (2015). Principles and Experimentations of Self-organizing Embedded Agents Allowing Learning from Demonstration in Ambient Robotic. Procedia Computer Science, 52, 194-201. Villalba, C., & Zambonelli, F. (2011). Towards nature-inspired pervasive service ecosystems: concepts and simulation experiences. Journal of Network and Computer Applications, 34, 589-602.
33
ACCEPTED MANUSCRIPT
AC
CE
PT
ED
M
AN US
CR IP T
Viroli, M., Casadei, M., Montagna, S., & Zambonelli, F. (2011). Spatial Coordination of Pervasive Services through Chemical-Inspired Tuple Spaces. ACM Trans. Auton. Adapt. Syst., 6, 1-24. Wermelinger, M., & Fiadeiro, J. L. (2002). A graph transformation approach to software architecture reconfiguration. Science of Computer Programming, 44, 133-155. Yeom, K. (2010). Bio-inspired self-organization for supporting dynamic reconfiguration of modular agents. Mathematical and Computer Modelling, 52, 2097-2117. Zadeh, J. (1997). What is Soft Computing? Soft Computing, 1. Zambonelli, F. (2015). Engineering self-organizing urban superorganisms. Engineering Applications of Artificial Intelligence, 41, 325-332. Zambonelli, F., Omicini, A., Anzengruber, B., Castelli, G., De Angelis, F. L., Serugendo, G. D. M., Dobson, S., Fernandez-Marquez, J. L., Ferscha, A., Mamei, M., Mariani, S., Molesini, A., Montagna, S., Nieminen, J., Pianini, D., Risoldi, M., Rosi, A., Stevenson, G., Viroli, M., & Ye, J. (2015). Developing pervasive multi-agent systems with nature-inspired coordination. Pervasive and Mobile Computing, 17, Part B, 236-252. Zhang, J., & Cheng, B. H. (2006). Model-based development of dynamically adaptive software. In Proceedings of the 28th international conference on Software engineering (pp. 371-380): ACM.
34