Proceedings Template - WORD - Department of Distributed and
Department of Distributed and Dependable Systems
Technical Report no. D3S-TR-2015-01
April 27th, 2015
Meta-Adaptation Strategies for Adaptation in CyberPhysical Systems
Ilias Gerostathopoulos, Tomas Bures, Petr Hnetynka, Adam Hujecek, Frantisek Plasil, and
Dominik Skoda
Charles University in Prague
Faculty of Mathematics and Physics
Prague, Czech Republic
Abstract: The dynamic nature of complex Cyber-Physical Systems (CPS) puts extra requirements on their functionality: they not only need to be dependable, but also resilient to and able to adapt to changing situations in their environment. When developing such CPS, however, it is often impossible to anticipate all potential situations upfront and
provide corresponding tactics. Situations that lie out of this “envelope of adaptability” can lead to problems that
range from single component malfunctioning to complete system failure. The existing approaches to self-adaptation
cannot typically cope with such situations – while they are adaptive (and can apply learning) in choosing a tactic,
they still rely on a fixed set of tactics, which in case of complex systems does not guarantee achieving correct functionality. To alleviate this problem, we propose the concept of meta-adaptation strategies, which extends the limits of
adaptability of a system by constructing new tactics at runtime to reflect the changes in the environment. Though the
approach is generally applicable to most approaches to self-adaptation, we demonstrate our approach on IRM-SA –
an existing architecture-based self-adaptation method – and exemplify it by providing three concrete meta-adaptation
strategies. We show the feasibility of the meta-adaptation strategies concept on an emergency coordination case
study.
Version: April 27th, 2015
This work was partially supported by the EU project ASCENS 257414. The research leading to these results has
received funding from the European Union Seventh Framework Programme (FP7-PEOPLE-2010-ITN) under grant
agreement n°264840.
D3S Technical Report no. D3S-TR-2015-01
1
As a remedy, focusing specifically on architecture-based selfadaptation, we propose to generate new tactics at runtime to
reflect the changes in the environment and increase the overall
system utilities, in particular safety, performance, and availability. We do so by introducing the concept of meta-adaptation
strategies (MAS). MAS allow us to enrich the adaptation logic
of the system (thus the “meta” prefix) by systematically generating new tactics. This provides a dynamic space of actions and
effectively extends the limits of adaptability of the system.
Introduction
The advent of cost-effective embedded devices with increased
computing capabilities and the proliferation of wireless networks have brought about the potential for value-added services
provided by a web of distributed interacting elements organized
into Cyber-Physical Systems (CPS). Examples include intelligent navigation systems, smart electric grids, and emergency
coordination systems. Modern CPS need to be able to operate in
dynamic or even hostile environments and yet remain dependable and efficient.
In particular, we present the idea of MAS and define their structure similar to design and adaptation patterns. On top of this
basis, we show three examples of MAS and demonstrate their
applicability. The three MAS examples of course do not cover
the whole space of potential MAS, however, we believe that by
introducing the idea of MAS as means for dynamically extending the limits of systems adaptability, we provide helpful inspiration for future research on self-adaptive systems.
An important feature of efficient and dependable CPS is selfadaptivity, i.e., the ability to change their behavior or structure
in response to changes in their environment. Self-adaptation in
software systems is usually achieved in three fundamental ways:
(i) by relying on a detailed application model, e.g., Markov
Decision Processes (MDP), and employing simulations or other
means of state-space traversal to infer the best response of the
system, (ii) by identifying control parameters and employing
feedback-based control techniques from control theory, and (iii)
by reconfiguring architecture models, typically with the help of
Event-Condition-Action rules – architecture-based selfadaptation.
Although our approach is to a large extent agnostic to a particular adaptation method, we illustrate the application of MAS
within an existing architecture-based adaptation method – IRMSA – in the context of an emergency coordination case study.
The rest of the paper is structured as follows. Section II describes the emergency coordination case study and its IRM-SA
model. Sections III and IV describe the MAS and give examples
of three such strategies. Section V reports on our initial experiments with the three strategies. Section VI surveys the related
work and Section VII reflects on the implications and the possible extensions of our approach.
A common denominator for all these three fundamental ways is
that they monitor the state of the environment and select an
operation to perform from a pre-designed fixed set of actions. In
(i), a model of the environment is assumed to be available (either known or learned) and the self-adaptation selects an action
(e.g., “go straight”, “turn left”, “turn right”) to maximize future
reward. In (ii) a fixed set of control parameters is given and the
actions consist of setting (increasing/decreasing) a parameter
value (e.g., Java heap size). In (iii), self-adaptation rules are
expressed as actions involving particular architecture reconfigurations applicable under certain conditions in the presence of
certain events or situations [1]–[3]. In order to quantify the
impact of the actions on the running system and choose the best
one for each situation, each action is typically associated with
the satisfaction of one or more system goals [4], [5]. Invariably,
an action activates or deactivates an activity, typically termed
tactic [1], in the form of a component, component process, or
binding between components. The self-adaptation in (iii) can be
thus seen as selecting one or more tactics from a fixed set.
2
Running Example and Background
To demonstrate the concept of MAS, we briefly overview below
the running example used in the paper and the IRM-SA selfadaptation method along with the DEECo component model,
which serve as the model and technological basis we use to
exemplify MAS.
2.1
Running Example: Firefighter Coordination
System
The firefighter coordination case study is a real-life real-scale
case study that has been proposed for the evaluation of distributed self-adaptive systems [12]. Firefighters belonging to tactical
groups are deployed on the emergency field. They communicate
via low-power nodes integrated into their personal protective
equipment. Each of these nodes is configured at runtime depending on the task assigned to its bearer. For example, a hazardous
situation might need closer monitoring of a certain parameter
(e.g., temperature).
These three ways have also been used both combined and together with learning-based approaches. For example, control
theory has been employed in the runtime modification of the
probabilities of a MDP [6]. Learning-based approaches have
been proposed to deduce the impact of adaptation actions at
runtime [7], and to mine the application model from system
execution traces [8].
In the realm of CPS, where we deal with large complex distributed systems, the high level view of architecture-based selfadaptation (i.e., (iii)) is generally favored [1], [2], [9], [10]. At
the same time, due to external uncertainty [11] (e.g., hardware
failures, temporary network unavailability), anticipating all
potential situations upfront is not an option. As a result, adapting
by switching between available tactics applicable in different
situations is problematic, as the CPS might arrive in a situation
where no combination of tactics applies. A similar problem of
selecting only from a fixed set of actions and parameters applies
also to (i) and (ii).
In the setting of the complete case study, firefighters have to
communicate with the officers (their group leaders), who are
equipped with tablets; the software running on these tablets
provides a model of the current situation (e.g., on a map) based
on data measured at and aggregated from the low-power nodes.
Parameters measured at each low-power node are position,
external temperature, battery level, and oxygen level. The data
aggregation on the side of the group leaders is done with the
intention that each leader can infer whether any of his/her group
members is in danger and take strategic decisions.
2
D3S Technical Report no. D3S-TR-2015-01
system-to-be at every time instant. For example, consider invari1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
Fig. 1. Excerpt from the IRM-SA model of the running example.
component Firefighter features GroupMember
knowledge:
ID = 59
position = { 49.040606, 15.093519}
temperature = 45.2
…
process determinePositionFromGPS
out positoin
function:
position ← GPSSensor.read()
scheduling: periodic( 500ms )
mode: “outdoors”
… /* other process definitions */
ensemble PositionExchange:
coordinator: GroupLeader
member: GroupMember
membership:
member.missionID == coordinator.missionID
knowledge exchange:
coordinator.positionMap ← ( member.id, member.position )
scheduling: periodic( 1000ms )
Fig. 2. Excerpt from DSL of DEECo component and ensembles of the
firefighter coordination system.
Such a coordination system has increased safety and performance requirements. It needs to operate on top of opportunistic
ad-hoc networks, where no guarantees for end-to-end response
time exist, with minimum energy consumption, and without
jeopardizing its end-users. It also needs to respond to a number
of challenging situations: What if the temperature sensor starts
malfunctioning or completely fails at runtime? What if firefighters are deployed inside a building where GPS readings are
not available? What if the communication between members and
their leader is lost?
ant (1) in Error! Reference source not found., which specifies
that the leader of each firefighter group should have an up-todate view (encapsulated in the position Map field) of his/her
group members. This “necessity” is AND-decomposed into
invariants (2) and (3), which specify the necessities of propagating the position from each member to the leader and determining
the position on the side of each member, respectively. The refinement is finished when each leaf invariant of the refinement
tree is either an assumption or is a computation activity corresponding to a process or knowledge exchange. Alternative designs are captured by the OR-decomposition pattern, where each
variant is guarded by an assumption capturing the state of the
environment. For example, invariant (3) can be satisfied either
by determining the position through an indoors tracking system
– invariant (5) – or a global positioning system – invariant (7).
At runtime, the system monitors the satisfaction of assumptions
(4) and (6) and activates the activity corresponding to the chosen
branch in the tree.
In all these situations, each node has to adapt its behavior according to the latest information available. For example, if a
firefighter node detects that it is in the situation “indoors”, it has
to switch from the tactic of determining the position via the GPS
to the tactic of using an indoors tracking system. Other tactics
include increasing the sensing rate in face of a danger or even
relying on the nearby nodes for strategic actions when communication with the group leader is lost.
Obtaining an exhaustive list of situations that trigger adaptations
in the firefighter coordination system is not a realistic option, as
the environment is highly dynamic and unpredictable. We rather
need to be able to build a system that would dynamically change
its behavior by (i) generating new tactics on demand, and (ii)
using them in the adaptation actions in order to deal with unanticipated situations.
2.2
role GroupMember:
missionID, position
role GroupLeader:
missionID, positionMap
Although IRM-SA is a method that can be used independently,
it is very well aligned with the abstractions and mechanisms
featured by DEECo [14], [15]. DEECo is a component model
and corresponding framework that is tailored to the needs of
CPS. It features the two basic abstractions of autonomous components forming dynamic goal-driven collaboration groups
called ensembles. Components contain knowledge (their data)
and processes, whose periodic execution results in periodic
updates in the knowledge. Components are not bound to each
other; they can only indirectly communicate within an ensemble.
The communication takes the form of mapping a component’s
knowledge field into another component’s knowledge field –
knowledge exchange (e.g., Error! Reference source not
found., lines 25-26). Membership of a component in an ensemble is not static, but periodically evaluated at runtime based on a
condition specified over ensemble-specific interfaces that provide partial views over the components’ knowledge (e.g., Error! Reference source not found., lines 21-24).
IRM-SA and DEECo
Invariant Refinement Method for Self-Adaptivity (IRM-SA)
[12], [13] is a requirements-oriented design method tailored for
the CPS domain. IRM-SA features contractual design based on
the iterative refinement of system-level requirements, and provides both dependability in form of traceability of software
artifacts to system-level goals, and adaptability, as it captures
the design alternatives pertaining to different operational contexts/situations and translates them into different system and
component modes. IRM-SA captures goals and requirements of
the systems as invariants that describe the desired state of the
3
D3S Technical Report no. D3S-TR-2015-01
Architecture
Layer
Strategy
Executor
pre-defined strategies which themselves employ pre-defined
tactics. Our work introduces another entity in this architecture –
namely the “Meta-Adaptation Manager”. The Meta-Adaptation
Manager observes the system and dynamically introduces new
tactics (and potentially strategies) if the adaptation manager
cannot cope with a given situation. Error! Reference source
not found. illustrates the proposed meta-adaptation extension on
the Rainbow framework [1], [9], which is representative of
architecture-based self-adaptation.
Meta-Adaptation
Manager
Meta-Adaptation
Strategies
Adaptation
Manager
Architecture
Evaluator
To systematize the creation of new tactics, we rely on the concept of meta-adaptation strategies (MAS). MAS serve as patterns for extending the limits of adaptability of the system, with
each strategy extending the limits in a certain way. The goal of
such a strategy is twofold:
Model Manager
Gauges
Synchronize
1.
To provide an algorithm to systematically generate a set
of tactics at runtime.
2. To provide a metric on the generated set according to
which the tactics can be ranked.
To facilitate the presentation, understanding, and application of
Target System
System Layer
Fig. 3. The Rainbow framework, as described in [1], extended with
Meta-Adaptation Manager (the extension is highlighted by the dark
rounded rectangle).
Strategy Name: A unique handle that describes the strategy in a
succinct way.
In the IRM-SA–to–DEECo mapping, IRM-SA components
correspond to DEECo components; process invariants to component processes; exchange invariants to ensembles; and
assumptions to DEECo runtime monitors. Error! Reference
source not found. depicts the DEECo process and ensemble
that correspond to invariants (7) and (2) of the IRM-SA graph,
respectively. Finally, the IRM-SA graph corresponds to the
adaptation logic that DEECo applications use in order to switch
on and off certain features (according to the branches selected at
runtime on the IRM-SA graph). In this frame, an adaptation
action is choosing an applicable configuration by choosing
among the branches in the IRM-SA graph, whereas a tactic
corresponds to an individual leaf invariant. An adaptation action
thus consists of selecting a set of tactics. Technically, this is
achieved by a dedicated adaptation manager that internally uses
a SAT solver to find a satisfiable configuration.
Intent: The rationale of the strategy and the goal(s) we want to
achieve by applying it.
Context: The non-application-specific conditions in which the
strategy can be applied.
Behavior: Description of the algorithm and/or related UML activity diagram (s) for generating new tactics and the metrics used for
the comparison of the generated tactics.
Contraindications: List of the trade-offs and possible drawbacks
of applying the strategy.
Example: One or more scenarios that illustrate the problem(s) to
be addressed and how the strategy helps to solve the problem(s).
Fig. 4. Meta-adaptation strategy template.
If the SAT solver cannot find any satisfiable configuration the
adaptation fails and thus the system cannot run as intended.
Effectively this means that a situation unanticipated by the designer has occurred.
3
the MAS, we use a template similar in style to the one used by
Ramirez et al. to document adaptation design patterns [19]
(which was in turn based on the template of Gamma et al. [20]).
Error! Reference source not found. depicts the MAS template
and explains each field’s intent.
Meta-Adaptation Strategies
4
As already discussed in the previous sections, a system, even a
self-adaptive one, can be designed to handle a limited number of
runtime situations. Interestingly, the number of new distinct
tactics that can be devised in response to an unanticipated situation is in principle infinite. Hence, apart from being able to
devise new tactics, it is important to be able to rank them according to their effect on the system, in order to be able to select
the most promising one, or, at least, to select the ones that are
worth trying. (Here, we assume the general adaptation loop in
which the adaptation mechanism activates a tactic, observes its
effect on the system and, depending on its impact, either keeps it
or tries another tactic.)
Examples of Meta-Adaptation
Strategies
In this section, we bring our meta-strategies template into action
by presenting three MAS. Note that the three strategies can be
applied sequentially or in parallel in the running system, since
they are by design orthogonal to each other.
4.1
Tactics Generated by Data Classification
In CPS, exploiting the interdependencies between sensed data is
an opportunity for introducing specific meta-adaptation strategies. A particular case is the location-dependency of data, i.e.,
the fact that the value of certain measurable system attributes
depends on the physical location of the sensors that provide the
The meta-adaptation thus complements the work typically assumed by an “Adaptation Manager” (such as in Stitch [1] and
further elaborated in [16][17][18]), which selects and executes
4
D3S Technical Report no. D3S-TR-2015-01
1. begin
2.
foreach Invariant from Processes.Invariants do
3.
Compute fitness for Invariant
4.
OldFit = *CombineFitness(Processes.Invariants.Fitnesses)
5.
Adaptees = *SelectProcessesToAdaptTheirPeriods(Processes)
6.
foreach Process from Adaptees do
7.
begin
8.
*Select the direction for period adjustment (up or down) for Process
9.
*Calculate period delta (difference between old and new period) for Process
10.
Change the period of Process
11. end
12. ObserveTime = CalculateObserveTime(Processes)
13. Run for ObserveTime with no further adaptations for changes to take effect
14. foreach Invariant from Processes.Invariants do
15.
Compute fitness for Invariant
16. NewFit = *CombineFitness(Processes.Invariants.Fitnesses)
17. if NewFit > OldFit then
18.
Keep changes
19. else
20.
Roll-back changes
21. end
22. end
data. Below we describe a strategy providing a way to automatically create knowledge exchange specifications (ensemble specifications in DEECo) that introduce “collaborative sensing”
(when direct sensing is not possible anymore) and feed them
into the running system. Hence, such new ensembles represent
new tactics.
Strategy Name: Knowledge Exchange by Data Classification
Intent: To increase the robustness of the system and prolong its
acceptable functioning (or, equivalently, achieve its graceful
degradation) in face of data unavailability and outdatedness.
Context: The strategy targets the case when values of a
knowledge field of a component become outdated to the extent
that they cannot be relied upon in terms of correct behavior of
the component. For instance, there is a sensor malfunction that
prevents value updates.
Behavior: To make up for losing the ability to obtain the actual
value of an outdated knowledge field, create a new ensemble
specification through which the field is assigned an approximated value based on the up-to-date related knowledge values of
other components. This specification consists of (i) a membership condition, which prescribes the condition under the components should interact, and (ii) a knowledge exchange function,
which specifies the knowledge exchange that takes place between the collaborating components. (For simplicity, we consider the knowledge exchange that just copies the data without
manipulating them in any other way.)
Fig. 5. Pseudocode capturing a single run of the Process Period Adjusting
strategy. “*” marks steps considered as variation points in the algorithm.
Example: In the firefighter coordination case study, each firefighter component features the knowledge fields of position and
temperature. Suppose that the temperature values are used to
control the suit cooling system. Obviously, when the temperature sensor breaks, a real-life threat arises. Since firefighters are
usually moving in groups so that those close to each other obtain
similar temperature readings, the temperature value of one component can be approximated based on the temperature values of
the others, when their positions are close. Technically, the
threshold of temperature proximity can be set (e.g., 20°C).
To be able to construct the membership condition when the
situation targeted by the strategy happens, observe first the system when it is healthy and log components’ knowledge (as a
time series of the knowledge evolution). Analyze (typically
offline) the logged knowledge and find conditional correlations
indicating that when values of some knowledge fields
𝐴1 , 𝐵1 , … , 𝐴𝑛 , 𝐵𝑛 are pairwise “close” then other values of other
knowledge fields 𝐶, 𝐷 are “close” as well. Formulate an ensemble (to be instantiated when the situation targeted by the strategy
happened), which uses the pairwise “closeness” of
𝐴1 , 𝐵1 , … , 𝐴𝑛 , 𝐵𝑛 as the membership condition and has the assignment 𝐷 ≔ 𝐶 as the knowledge exchange.
4.2
Tactics Generated by Period Adjusting
A CPS typically brings real-time requirements that are reflected
in schedulability parameters of component processes. The
schedulability parameters can be typically inferred by real-time
design via schedulability analysis. However, when schedulability parameters influence the systems in a complex manner (e.g.,
when there is a tradeoff between CPU utilization, battery, network utilization), it is not possible to infer them by systematic
analysis. Rather, the schedulability parameters are set manually,
based on the experience of the system’s architect. The strategy
below addresses the case when the manually set schedulability
parameters cannot cope with an unanticipated situation.
Realize this technically by looking for relations
⋀𝑖=1…𝑛 𝜇𝐴𝑖,𝐵𝑖 (𝑣𝐴𝑖 , 𝑣𝐵𝑖 ) < Δ𝐴𝑖 ,𝐵𝑖 → 𝜇𝐶,𝐷 (𝑣𝐶 , 𝑣𝐷 ) < 𝑇𝐶,𝐷 , which
can be established (based on the knowledge observed from the
system) on a given confidence level 𝛼. For this, assume userdefined domain-specific metrics 𝜇𝑋,𝑌 , which provide “distance”
between values of knowledge fields 𝑋, 𝑌 (typically a Euclidean
distance), and user-defined domain-specific tolerable distance
𝑇𝐶,𝐷 . Further, 𝑣𝑋 denotes a value of knowledge field 𝑋 and Δ𝐴,𝐵
is a parameter (output of the method), which denotes the maximal distance of knowledge field values that implies correspondence of values of 𝐶 and 𝐷.
Strategy Name: Process Period Adjusting
Intent: To optimize the scheduling of processes with respect to
overall system (application-specific) performance in a system
where processes are scheduled periodically.
Context: The strategy targets situations when the system starts
failing due to violated timing requirements and the schedulability parameters cannot be inferred a priori because they influence
the system in a complex manner.
Generate a number of possible membership conditions corresponding to different tactics. Then, select a tactic by applying
the metric of selecting the tactic which provides the most general condition given the target confidence level.
Behavior: Let R be the set of all active real-time processes in
the system. To be able to identify the situation when a requirement for a process ri in R with period pi is not satisfied anymore,
equip each ri with a runtime monitor returning a fitness value fi
(real number in [0-1]). Generate tactics that correspond to a new
real-time processes ri’ created from ri by adjusting (reducing or
enlarging within pre-defined permissible bounds) pi to pi’, when
fi drops below an acceptable threshold. To explore the search
space of possible period adjustments, employ the genetic algo-
Contraindications: The analysis of the collected time series can
be very resource demanding and therefore a dedicated hardware
infrastructure should be used. Similarly, the data collection may
be a rather resource-intensive process, especially when components’ knowledge is big or changes frequently. Also, introducing
superfluous new ensembles can overload the system with unnecessary replicated data.
5
D3S Technical Report no. D3S-TR-2015-01
rithm (1+1)-ONLINE EA [21] as shown in Fig. 5. Changing pi
(line 10) can be interpreted as generating a new tactic ri’ and
using it to substitute the tactic ri in the system. Terminate the
period adjusting procedure when the adjustment of each pi has
been exercised in both directions and no further benefit can be
achieved.
In this strategy, tactics (new processes) are compared to each
other by substituting them to the running system and calculating
the overall system fitness as a function of fi’s.
Contraindications: Reducing periods (a usual action) may have
a negative impact on other resources (CPU, battery, network). In
such a case, the impact would have to be modelled and taken
into consideration in the state-space search.
Fig. 6. Map of the example: blue lines delineate permissible paths for
firefighters, background colors depict the temperature at each tile (bright
colors correspond to high temperatures).
Example: Consider extending the design of our running example by a root invariant that specifies that “battery consumption
should be kept minimized”. In order to satisfy this invariant, the
system will try at runtime to tweak the processes’ periods to
invoke them as scarcely as possible. At the same time, when
there is high inaccuracy in the GPS readings (e.g., less than 3
satellites in sight), the GPS process may need to be invoked
more often to make sure the cumulative inaccuracy of the estimated position of a moving firefighter is within certain bounds.
(The cumulative inaccuracy is essentially the sum of the initial
inaccuracy of the GPS reading and the distance a firefighter has
moved since the last GPS reading.) It is thus a dynamic trade-off
between availability and dependability that has to be resolved at
runtime.
4.3
assumption ai’ created from ai by adjusting (reducing or enlarging each parameter value within pre-defined permissible
bounds) Vi to Vi’, when fi drops below an acceptable threshold.
To explore the search space of possible parameter adjustments,
employ the genetic algorithm (1+1)-ONLINE EA [21] (similar
to the application of the algorithm in the Process Period Adjusting Strategy).
In this strategy, tactics (new assumptions) are compared to each
other by substituting them to the running system and calculating
the overall system fitness as a function of fi’s.
Contraindications: Relaxing assumptions is not panacea; on
the contrary, it can be dangerous in safety critical applications
whose operation must not deviate from strict specifications. For
this, assumptions that can be relaxed (parametrized) have to be
carefully identified at design time, and parameter bounds have to
be chosen so that they do not jeopardize the system under any
circumstances.
Tactics Generated by Assumption Parameters
Adjusting
In order for a self-adaptive CPS to employ adaptation actions
that enable/disable tactics (execute phase of the MAPE-K loop
[22]), it first needs to identify the current situation it resides in
(monitor and analyze phases). For this, special-purpose tactics
continuously evaluate the assumptions that each situation corresponds to, regarding the CPS internal state and its environment.
However, these assumptions typically rely on domain
knowledge captured by pre-defined behavioral models (e.g.,
timed automata or state-space models), which may be invalidated at runtime when a CPS reaches an unanticipated situation.
The strategy below addresses the case when the manually set
parameters of an assumption fail to effectively identify the situation at hand.
Example: Consider extending the design of our running example by an assumption – sibling to invariant (7): “GM::position is
determined by GPS every 1 sec” in Fig. 1 – that specifies that
“position inaccuracy is within [0,t]”, where t is a parameter with
values in [5,20] and initial value set to 5. When the inaccuracy
of the GPS readings increases (e.g., because of less satellites
visible) the assumption will be violated and the activity corresponding to invariant (7) will be deactivated. If the firefighter is
outdoors, this will lead to a situation where no configuration is
applicable. In response, the system will try to tweak t in order to
obtain a new satisfied assumption and consequently an applicable configuration. Though this will yield lower system quality
than having the right number of satellites, it will be able to prevent the situation in which the position could not be determined
due to too strict system design.
Strategy Name: Assumption Parameters Adjusting
Intent: To enhance the monitoring and analysis phases (and
therefore prevent premature or delayed actions) by ensuring at
runtime that assumptions parameters are relevant to the current
situation.
5
Context: The strategy targets situations when domain
knowledge hardcoded in assumption-monitoring tactics fails to
frame the current situation leading, e.g., to very quick or late
adaptation actions. This may happen due to an unanticipated
situation which does not correspond to any of the assumptions
monitored by the system.
Experimental Evaluation
To evaluate the effects and performance of the above-described
MAS, we have implemented the meta-adaptation strategies in
the jDEECo framework [23], a Java implementation of the
DEECo component model. Each strategy was implemented as
an extension of the jDEECo’s IRM-SA plugin1.
The example used in our evaluation consists of three firefighters
(FF1, FF2, and FF3) moving in a building (Fig. 6). Each firefight-
Behavior: Let A be the set of all assumptions in the system. To
be able to identify the situation when an assumption ai in A is
not satisfied anymore, equip each ai with a runtime monitor
accepting parameters Pi with values Vi returning a fitness value fi
(real number in [0-1]). Generate tactics that correspond to a new
1
6
https://github.com/d3scomp/IRM-SA/tree/SASO2015
D3S Technical Report no. D3S-TR-2015-01
Fig. 7. IRM model of the evaluation example.
er is represented by a DEECo component, which senses its position, the surrounding temperature, and the battery level. FF1 and
FF2 are moving together in a group, whereas FF3 is moving
independently. The objectives of the system are represented by
the IRM-SA model of Fig. 7.
APA cannot find an improvement since the sensor is not
working at all. PA tries to change the periods, but it produces no effect. Nevertheless, DC (via CM) discovers that
there is a correlation between the distance of the firefighters and their surrounding temperatures (the closer the firefighters are, the more similar the temperature is). DC thus
deploys a new ensemble that injects the temperature
sensed in other firefighters to FF1. The new ensemble is
updated as CM finds new correlations: Primarily, the
temperature of FF2 is injected to FF1 as FF1 and FF2 move
in a group; when, however, FF3 gets closer to FF1 than
FF2, the ensemble is updated to inject the temperature
sensed by FF3.
Adaptations of the system are handled by IRM-SA. In the case
when IRM-SA cannot find any suitable configuration of the
system given the current situation, it triggers the metaadaptation. Specifically, the meta-adaptation manager determines the applicability of its meta-adaptation strategies in the
current context and uses the applicable ones to create new tactics
which are then applied by the adaptation manager.
In the evaluation example, two malfunctions were intentionally
introduced:
After 50 seconds, the position tracking system of FF1
starts to be inaccurate and inaccuracy of FF1’s position exceeds the given boundary (1.5 m). IRM-SA cannot find a
suitable configuration and thus meta-adaptation is triggered. Data Classification strategy (DC, Sect. A) is not
applicable since the sensor is inaccurate but still functional. However, both the Period Adjusting strategy (PA, Sect.
4.2) and the Assumption Parameters Adjusting strategy
(APA, Sect. 4.3) can improve the situation. PA identifies
invariant (8): “FF:position is determined every 1.25 secs”
as a candidate for improvement and decreases the period
of the corresponding process of FF1. The reduced period
lowers the uncertainty of the position between subsequent
position measurements. This partially mitigates the effect
of the increased inaccuracy of the position tracking system.
However, the period cannot be reduced below a given
lower limit (250 ms in our case), which means that the PA
strategy itself is not able to bring the inaccuracy back below the required boundary (1.5 m). This situation is addressed by the APA strategy, which identifies assumption
(7) as a candidate for requirement relaxation and increases
the threshold of the allowed inaccuracy (while still keeping it within designated bounds). These two changes result
into a system state which is again valid with respect to the
IRM-SA specification.
ii. After 150 seconds, the temperature sensor of FF1 breaks
completely and the meta-adaptation is again triggered.
i.
Error! Reference source not found. shows the influence of the
PA and APA on the system after the first malfunction (inaccuracy of the position measurements has significantly increased)
occurs at 50th second after beginning. The box plots contain the
difference between the actual position of the firefighter and
his/hers belief about the position. The first box depicts the difference in the interval from 0 to 50s of the simulation time.
Because the malfunction occurred at the time of 50s the values
there do not differ between the simulation with and the simulation without the meta-adaptation. The second and the third box
depict the difference in the interval from 50 to 300s of the simulation time. The second box corresponds to the simulation with
the meta-adaptation, while the third corresponds to the case
without it. Clearly, the increased inaccuracy of the position
measurements increases the difference between the actual position and the belief about the position (3rd box). The horizontal
dashed and dotted-dashed lines denote the assumed limit on the
inaccuracy of the position – the dashed line corresponds to the
original limit, the dotted-dashed line corresponds to the limit
relaxed by the APA strategy as described above.
The second malfunction (broken temperature sensor) occurs at
the time of 150s. The effect is shown in Error! Reference
source not found.. The red line represents the actual temperature of the firefighter’s surrounding. The blue line represents the
belief about the temperature in the simulation with the metaadaptation enabled. And the green line represents the belief
about the temperature when the meta-adaptation is disabled.
Before the temperature sensor malfunctions, the belief about the
7
D3S Technical Report no. D3S-TR-2015-01
Fig. 9. The distance between actual position and belief position. It is split into the case with and without meta-adaptation, and into the interval before and after the position sensor faults.
Fig. 8. The evolution of actual and belief temperature.
temperature is rather accurate – disturbed only by random noise
and movement of the firefighter between temperature sampling.
After the temperature sensor stops working the non-adapted
firefighter obtains no more updates of his/hers belief temperature and the belief becomes obsolete and unreliable. In case of
the meta-adaptation, (blue line), the belief about temperature is
being updated by the temperature sensed by a firefighter nearby.
This introduces a delay and inaccuracy, but still provides usable
belief.
6
Discussion
Problem space coverage: Generally, if a system is subject to
environment uncertainty, the extent of the problem space that
should be covered by systems adaptability is unknown. This
makes it impossible to devise all adaptation tactics at design
time. It of course makes it also impossible to presume all necessary meta-adaptation strategies, as each strategy covers only a
certain sub-space of the problem space. However, compared to
pre-designed tactics, the meta-adaptation strategy involves observation of system’s and environment’s evolution at runtime
and utilizes this to formulate new tactics. As such, it has the
potential to carry through higher expressive power than pre8
D3S Technical Report no. D3S-TR-2015-01
designed tactics and consequently achieve significantly higher
coverage of the problem space. Further, it is possible to combine
meta-adaptation strategies with orthogonal intent as we illustrated in the evaluation example; thus further increase the problem
space coverage.
proaches from (i)-(iii) that extend the limits of adaptability of a
system. For example, if a model-driven approach is able to generate new behavior models and select among them at runtime,
there is a good chance that it can be articulated as a MAS strategy. AVIDA-MDE stands as an inspiring approach towards this
direction [28]. Therein, a behavioral model of the system (a
UML state diagram) corresponds to a MAS tactic, whereas a
MAS strategy takes the form of generating behavioral models
via a digital evolution-based approach, backed by an evolutionary computation platform [34]. In AVIDA-MDE, a MAS metric
is expressed in terms of both the non-functional characteristics
and the latent functional properties that the generated models
exhibited. Although AVIDA-MDE is an offline approach, its
importance lies in the automatic generation of tactics, which our
proposal relies upon. Methods of synthetizing computationally
diverse program variants [35] have been similar sources of our
inspiration.
Interplay of meta-adaptation strategies: We assume that metaadaptation strategies may overlap in their context of applicability. This brings up the question of the combined effect of the
meta-adaptation strategies. Specifically, the interesting case is
when two or more meta-adaptation strategies generate tactics
that themselves are not mutually exclusive; thus the adaptation
manager can potentially exploit them both at the same time. In
the running example, this is illustrated by the interplay of PA
and APA strategies to address the problem of low inaccuracy of
the position estimation. The PA meta-adaptation strategy creates
a tactic of sensing position more frequently, while the APA
meta-adaptation strategy creates a tactic of relaxing the requirements on inaccuracy. Obviously, each tactic has an impact on
the cost and risk in the system – e.g. more frequent sensing of
position increases power consumption, while relaxing the requirements may increase the risk of the system not promptly
reacting to changing conditions. It is the responsibility of the
meta-adaptation mechanism to strike a balance between the
overlapping strategies. For instance, in the context of our running example, this is achieved by associating the APA strategy
with a priority lower than PA strategy, which effectively applies
APA strategy only when PA strategy hits its limits (in terms of
boundary below which a period cannot be lowered). Also, the
meta-adaptation mechanism periodically checks the system’s
performance and cost and proposes tactics that can optimize the
system – e.g. the APA strategy may strengthen a previously
relaxed requirement.
To deal with uncertainty at runtime, a method that uses evolutionary computation to adapt test cases has been recently proposed [36], and was the inspiration for our Assumption Parameters Adjusting strategy. The main idea of Veritas is to apply
(1+1)-ONLINE algorithm to generate new test cases that better
reflect the changes in the behavior of a self-adaptive system, i.e.,
produce less false negatives when exercised in the running system. In comparison, a test case corresponds to a MAS tactic,
whereas a MAS strategy takes the form of generating new test
cases by iterative application of the evolutionary algorithm. The
overall system fitness is measured by fitness functions (similarly
to our Assumption Parameters Adjusting strategy) and can be
interpreted as the MAS metric of this strategy. Veritas has been
integrated in a framework that addresses assurance at run time in
face of uncertainty called Proteus [37]. Apart from online adaptive testing as overviewed above, component-based integration
testing has also been advocated to support runtime compliance
checking of self-adaptive systems [38].
Generality of the approach: Though the combination of IRMSA and DEECo was used in this paper to demonstrate the concept of MAS, this is only a single approach of many possible
ones to self-adaptation to which MAS can be embedded. Another possibility would be to demonstrate the MAS concept on the
basis of Rainbow [9] and Stitch [1] (by extending Rainbow as
depicted in Fig. 3). Stitch is a language for specifying adaptation
strategies, tailored for the domain of system administration. A
strategy in Stitch consists of tactics, which in turn consist of
operators, i.e., system-provided configuration commands (e.g.,
“start new VM”). A tactic is a specification of an activity with a
pre- and post-condition and an associated action, while a strategy is a specification of a process, each step of which involves
the conditional execution of a tactic. In this respect, a Stich
strategy loosely corresponds to an IRM-SA model (but not to a
MAS strategy, as it does not generate new tactics), while a
Stitch tactic to an IRM-SA invariant (and therefore to a MAS
tactic). With this in mind, embedding the MAS concept into
Stitch is a viable and interesting option.
7
Extending the envelope of adaptability of a system in order to
deal with uncertainty (that effectively “drives” self-adaptation)
has been pursued at different levels. Important ideas have been
spurred at the requirements engineering community in approaches such as FLAGS [39], [40] and Evolution Requirements
[41], [42].
FLAGS focuses on modeling “adaptation requirements”, i.e.
requirements that concern countermeasures to be taken when
application requirements fail. FLAGS relies on the goal, operation, and object models of KAOS [43] and extends them. The
main concept is an adaptation goal, a special type of goal that
corresponds to a countermeasure to be applied when a “conventional” goal fails to meet its satisfaction criteria. To model such
criteria, FLAGS introduces the notion of fuzzy goal, whose
satisfaction, as opposed to a crisp goal, is the result of a fuzzy
membership function. For the formal specification of fuzzy
goals, RELAX language [44] has been employed [45]. According to the degree of satisfaction of goals at runtime, adaptation
goals can be triggered, resulting into counteractions that include
adding/removing goals, operations, or objects, modifying the
membership function of goals, and adjusting the pre- and postconditions of operations [40].
Related Work
Self-adaptation has been a flourishing research topic within the
software engineering community [24]–[26] and has been primarily tackled by (i) modeling and model-driven engineering [4],
[27], [28], (ii) control theory [6], [29]–[31], and (iii) software
architecture [1], [9], [32], [33].
Evolution Requirements (EvoReqs) focuses on modeling the
requirements that cause the evolution of other requirements. It is
model-based, as (traditional) requirements are modeled as goals;
evolution requirements are then modeled as event-conditionaction rules that refer to the events acting as guard conditions for
Although tailored to architecture-based self-adaptation, the
proposed MAS concept can be used to model different ap9
D3S Technical Report no. D3S-TR-2015-01
the goals. The main idea is that when a requirement cannot be
satisfied anymore, it is changed. Examples of changes include
retrying after some time, relaxing the requirement, delegating it
to a human actor, and replacing a domain assumption with a
system task [42].
[8]
[9]
The main differences of FLAGS and EvoReqs (and similar
approaches, e.g. [46]) to our approach is that (i) they focus primarily on requirements specification, while our approach focuses on runtime behavior, and (ii) they cannot handle unanticipated situations, as each situation and corresponding tactic (plan or
task) has to be anticipated and modeled upfront – in other words,
they allow for design and runtime flexibility, but do not themselves specify, how this flexibility is to be achieved.
8
[10]
[11]
Conclusion
[12]
In this paper, we have suggested a way to address the problem
of limited adaptability caused by a fixed set of tactics. To this
end, we have introduced the concept of meta-adaptation strategies (MAS) as a means for creating new tactics by observing the
behavior of a system at runtime. In addition to laying out the
general concept of MAS, we have exemplified the concept by
three rather diverse instances of MAS. We have implemented
the proposed approach on top of IRM-SA and DEECo as plugins
to the IRM-SA and provided an indicative evaluation, which
shows that a combination of such meta-adaptation strategies
have a potential to extend the system’s adaptability and robustness.
[13]
[14]
Obviously, the MAS instances presented in the paper serve only
as an illustration of the concept. A comprehensive identification
of MAS instances is beyond the scope of this paper. Nevertheless, it constitutes an interesting and highly relevant research
challenge.
[15]
[16]
References
[1]
[2]
[3]
[4]
[5]
[6]
[7]
S.-W. Cheng, D. Garlan, and B. Schmerl, “Stitch: A
language for architecture-based self-adaptation,” J. Syst.
Softw., vol. 85, no. 12, pp. 1–38, 2012.
P.-C. David, T. Ledoux, M. Léger, and T. Coupaye,
“FPath and FScript: Language support for navigation and
reliable reconfiguration of Fractal architectures,” Ann.
Telecommun., vol. 64, no. 1–2, pp. 45–63, Feb. 2009.
T. Batista, A. Joolia, and G. Coulson, “Managing Dynamic Reconfiguration in Component-Based Systems,”
in Software Architecture, R. Morrison and F. Oquendo,
Eds. Springer Berlin Heidelberg, 2005, pp. 1–17.
M. Morandini and A. Perini, “Towards Goal-Oriented
Development of Self-Adaptive Systems,” in Proc. of
SEAMS ’08, 2008, pp. 9–16.
M. Salehie and L. Tahvildari, “Towards a Goal-driven
Approach to Action Selection in Self-adaptive Software,”
Softw Pr. Exper, vol. 42, no. 2, pp. 211–233, Feb. 2012.
A. Filieri, C. Ghezzi, A. Leva, M. Maggio, and P. Milano, “Self-Adaptive Software Meets Control Theory: A
Preliminary Approach Supporting Reliability Requirements,” in Proc. of ASE ’11, 2011, pp. 283–292.
A. Elkhodary, N. Esfahani, and S. Malek, “FUSION: A
Framework for Engineering Self-tuning Self-adaptive
Software Systems,” in Proc. of FSE ’10, 2010, pp. 7–16.
[17]
[18]
[19]
[20]
[21]
10
E. Yuan, N. Esfahani, and S. Malek, “Automated Mining
of Software Component Interactions for SelfAdaptation,” in Proc. of SEAMS ’14, 2014, pp. 27–36.
D. Garlan, S.-W. Cheng, A.-C. Huang, B. Schmerl, and
P. Steenkiste, “Rainbow: Architecture-Based SelfAdaptation with Reusable Infrastructure,” Computer, vol.
37, no. 10, pp. 46–54, 2004.
D. Hirsch, J. Kramer, J. Magee, and S. Uchitel, “Modes
for Software Architectures,” in Software Architecture, V.
Gruhn and F. Oquendo, Eds. Springer Berlin Heidelberg,
2006, pp. 113–126.
N. Esfahani, E. Kouroshfar, and S. Malek, “Taming
Uncertainty
in
Self-Adaptive
Software,”
in
SIGSOFT/FSE ’11: Proceedings of the 19th ACM
SIGSOFT symposium and the 13th European conference
on Foundations of software engineering, 2011, pp. 234–
244.
Tomas Bures, Ilias Gerostathopoulos, Petr Hnetynka,
Jaroslav Keznikl, Michal Kit, Frantisek Plasil, and Noël
Plouzeau, “Adaptation in Cyber-Physical Systems: from
System Goals to Architecture Configurations,” Department of Distributed and Dependable Systems, Tech. Rep.
D3S-TR-2014-01, March 2014, D3S-TR-2014-01, March
2014.
J. Keznikl, T. Bures, F. Plasil, I. Gerostathopoulos, P.
Hnetynka, and N. Hoch, “Design of Ensemble-Based
Component Systems by Invariant Refinement,” in Proc.
of CBSE’13, 2013, pp. 91–100.
T. Bures, I. Gerostathopoulos, P. Hnetynka, J. Keznikl,
M. Kit, and F. Plasil, “DEECo – an Ensemble-Based
Component System,” in Proc. of CBSE’13, 2013, pp. 81–
90.
R. Al Ali, T. Bures, I. Gerostathopoulos, P. Hnetynka, J.
Keznikl, M. Kit, and F. Plasil, “DEECo: An Ecosystem
for Cyber-Physical Systems,” in Companion Proc. of
ICSE ’14, 2014, pp. 610–611.
S.-W. Cheng, D. Garlan, B. R. Schmerl, J. P. Sousa, B.
Spitnagel, and P. Steenkiste, “Using Architectural Style
As a Basis for System Self-repair,” in Proceedings of the
IFIP 17th World Computer Congress - TC2 Stream / 3rd
IEEE/IFIP Conference on Software Architecture: System
Design, Development and Maintenance, Deventer, The
Netherlands, The Netherlands, 2002, pp. 45–59.
D. Garlan, S.-W. Cheng, and B. Schmerl, “Increasing
system dependability through architecture-based selfrepair,” in Architecting Dependable Systems, R. De
Lemos, C. Gacek, and A. Romanovsky, Eds. Berlin, Heidelberg: Springer-Verlag, 2003, pp. 61–89.
S.-W. Cheng, D. Garlan, and B. Schmerl, “Making selfadaptation an engineering reality,” in Self-star Properties
in Complex Information Systems, O. Babaoglu, M.
Jelasity, A. Montresor, C. Fetzer, and S. Leonardi, Eds.
Berlin, Heidelberg: Springer-Verlag, 2005, pp. 158–173.
A. J. Ramirez and B. H. C. Cheng, “Design Patterns for
Developing Dynamically Adaptive Systems,” in Proc. of
SEAMS ’10, New York, NY, USA, 2010, pp. 49–58.
Erich Gamma, Richard Helm, Ralph Johnson, and John
Vlissides, Design Patterns: Elements of Reusable ObjectOriented Software. Addison Wesley Professional, 1994.
N. Bredeche, E. Haasdijk, and A. E. Eiben, “On-Line,
On-Board Evolution of Robot Controllers,” in Artifical
Evolution, P. Collet, N. Monmarché, P. Legrand, M.
Schoenauer, and E. Lutton, Eds. Springer Berlin Heidelberg, 2010, pp. 110–121.
D3S Technical Report no. D3S-TR-2015-01
[22]
[23]
[24]
[25]
[26]
[27]
[28]
[29]
[30]
[31]
[32]
[33]
[34]
[35]
IBM, “An architectural blueprint for autonomic computing,” IBM White Pap., no. June, 2006.
“jDEECo Website,” 2015. [Online]. Available:
https://github.com/d3scomp/JDEECo. [Accessed: 23Apr-2015].
B. Cheng, R. de Lemos, H. Giese, P. Inverardi, J. Magee,
J. Andersson, B. Becker, N. Bencomo, Y. Brun, B.
Cukic, G. D. M. Serugendo, S. Dustdar, A. Finkelstein,
C. Cacek, K. Geihs, V. Grassi, G. Karsai, H. M. Kienle,
J. Kramer, M. Litoiu, S. Malek, R. Mirandola, H. A. Muller, S. Park, M. Shaw, M. Tichy, M. Tivoli, D. Weyns,
and J. Whittle, “Software Engineering for Self-Adaptive
Systems: A Research Roadmap,” in Software Engineering for Self-Adaptive Systems, Springer Berlin Heidelberg., 2009, pp. 1–26.
R. de Lemos, H. Giese, H. A. Muller, M. Shaw, J. Andersson, M. Litoiu, B. Schmerl, G. Tamura, N. M. Villegas, T. Vogel, D. Weyns, L. Baresi, B. Becker, N. Bencomo, Y. Brun, B. Cukic, R. Desmarais, S. Dustdar, G.
Engels, K. Geihs, K. Goschka, A. Gorla, V. Grassi, P. Inverardi, G. Karsai, J. Kramer, R. Mirandola, J. Mylopoulos, O. Nierstrasz, M. Pezze, C. Prehofer, W. Schafer, R.
Schlichting, D. B. Smith, J. Pedro Sousa, L. Tahvildari,
K. Wong, and J. Wuttke, “Software Engineering for SelfAdaptive Systems: A Second Research Roadmap,” in
Software Engineering for Self-Adaptive Systems II, 2013,
pp. 1–32.
M. Salehie and L. Tahvildari, “Self-Adaptive Software:
Landscape and Research Challenges,” ACM Trans. Auton. Adapt. Syst., vol. 4, no. 2, May, pp. 1–40, 2009.
J. Zhang and B. H. C. Cheng, “Model-based Development of Dynamically Adaptive Software,” in Proc. of
ICSE ’06, New York, NY, USA, 2006, pp. 371–380.
H. Goldsby and B. Cheng, “Automatically generating
behavioral models of adaptive systems to address uncertainty,” in Proc. of MODELS’08, 2008, pp. 568–583.
T. Patikirikorala, A. Colman, J. Han, and L. Wang, “A
systematic survey on the design of self-adaptive software
systems using control engineering approaches,” in Proc.
of SEAMS’12, 2012, pp. 33–42.
A. Filieri, H. Hoffmann, and M. Maggio, “Automated
design of self-adaptive software with control-theoretical
formal guarantees,” in Proc. of ICSE ’14, 2014, pp. 299–
310.
A. Filieri, M. Maggio, K. Angelopoulos, N. D’Ippolito, I.
Gerostathopoulos, A. B. Hempel, H. Hoffmann, P. Jamshidi, E. Kalyvianaki, C. Klein, F. Krikava, S. Misailovic,
A. V. Papadopoulos, S. Ray, A. M. Sharifloo, S. Shevtsov, M. Ujma, and T. Vogel, “Software Engineering
Meets Control Theory,” in Proc. of SEAMS ’15, 2015.
D. Sykes, W. Heaven, J. Magee, and J. Kramer, “From
goals to components: a combined approach to selfmanagement,” in Proc. of SEAMS ’08, 2008, pp. 1–8.
J. Kramer and J. Magee, “A Rigorous Architectural Approach to Adaptive Software Engineering,” J. Comput.
Sci. Technol., vol. 24, no. 2, pp. 183–188, Apr. 2009.
C. Ofria and C. O. Wilke, “Avida: a software platform
for research in computational evolutionary biology,” Artif. Life, vol. 10, no. 2, pp. 191–229, 2004.
B. Baudry, M. Monperrus, C. Mony, F. Chauvel, F.
Fleurey, and S. Clarke, “DIVERSIFY: Ecology-inspired
software evolution for diversity emergence,” in Proc. of
CSMR-WCRE ’14, 2014, pp. 395–398.
[36]
[37]
[38]
[39]
[40]
[41]
[42]
[43]
[44]
[45]
[46]
11
E. M. Fredericks, B. DeVries, and B. H. C. Cheng, “Towards Run-Time Adaptation of Test Cases for SelfAdaptive Systems in the Face of Uncertainty,” in Proc. of
SEAMS ’14, 2014, pp. 17–26.
Erik M. Fredericks and Betty H. C. Cheng, “Automated
Generation of Adaptive Test Plans for Self-Adaptive Systems,” in Proc. of SEAMS ’15.
C. E. da Silva and R. de Lemos, “Dynamic Plans for
Integration Testing of Self-adaptive Software Systems,”
in Proc. of SEAMS ’11, New York, NY, USA, 2011, pp.
148–157.
L. Baresi and L. Pasquale, “Live Goals for Adaptive
Service Compositions,” in Proc. of SEAMS ’10, New
York, NY, USA, 2010, pp. 114–123.
L. Baresi, L. Pasquale, and P. Spoletini, “Fuzzy Goals for
Requirements-driven Adaptation,” in Proc. of RE ’10,
2010, pp. 125–134.
V. E. S. Souza, A. Lapouchnian, and J. Mylopoulos,
“(Requirement) evolution requirements for adaptive systems,” in Proc. of SEAMS ’12, 2012, pp. 155–164.
V. E. S. Souza, A. Lapouchnian, K. Angelopoulos, and J.
Mylopoulos, “Requirements-driven software evolution,”
Comput. Sci. - Res. Dev., vol. 28, no. 4, pp. 311–329,
Oct. 2012.
A. V. Lamsweerde, “Requirements Engineering: from
Craft to Discipline,” in Proc. of FSE ’08, 2008, pp. 238–
249.
J. Whittle, P. Sawyer, N. Bencomo, B. H. C. Cheng, and
J.-M. Bruel, “RELAX: a language to address uncertainty
in self-adaptive systems requirement,” Requir. Eng., vol.
15, no. 2, pp. 177–196, Mar. 2010.
L. Baresi and L. Pasquale, “Adaptation Goals for Adaptive Service-Oriented Architectures,” in Relating Software Requirements and Architectures, P. Avgeriou, J.
Grundy, J. G. Hall, P. Lago, and I. Mistrík, Eds. Springer
Berlin Heidelberg, 2011, pp. 161–181.
B. H. C. Cheng, P. Sawyer, N. Bencomo, and J. Whittle,
“A Goal-Based Modeling Approach to Develop Requirements of an Adaptive System with Environmental
Uncertainty,” in Proc. of MODELS ’09, 2009, pp. 468–
483.
© Copyright 2024