-
Analyzing and Debugging Normative Requirements via Satisfiability Checking
Authors:
Nick Feng,
Lina Marsso,
Sinem Getir Yaman,
Yesugen Baatartogtokh,
Reem Ayad,
Victória Oldemburgo de Mello,
Beverley Townsend,
Isobel Standen,
Ioannis Stefanakos,
Calum Imrie,
Genaína Nunes Rodrigues,
Ana Cavalcanti,
Radu Calinescu,
Marsha Chechik
Abstract:
As software systems increasingly interact with humans in application domains such as transportation and healthcare, they raise concerns related to the social, legal, ethical, empathetic, and cultural (SLEEC) norms and values of their stakeholders. Normative non-functional requirements (N-NFRs) are used to capture these concerns by setting SLEEC-relevant boundaries for system behavior. Since N-NFRs…
▽ More
As software systems increasingly interact with humans in application domains such as transportation and healthcare, they raise concerns related to the social, legal, ethical, empathetic, and cultural (SLEEC) norms and values of their stakeholders. Normative non-functional requirements (N-NFRs) are used to capture these concerns by setting SLEEC-relevant boundaries for system behavior. Since N-NFRs need to be specified by multiple stakeholders with widely different, non-technical expertise (ethicists, lawyers, regulators, end users, etc.), N-NFR elicitation is very challenging. To address this challenge, we introduce N-Check, a novel tool-supported formal approach to N-NFR analysis and debugging. N-Check employs satisfiability checking to identify a broad spectrum of N-NFR well-formedness issues (WFI), such as conflicts, redundancy, restrictiveness, insufficiency, yielding diagnostics which pinpoint their causes in a user-friendly way that enables non-technical stakeholders to understand and fix them. We show the effectiveness and usability of our approach through nine case studies in which teams of ethicists, lawyers, philosophers, psychologists, safety analysts, and engineers used N-Check to analyse and debug 233 N-NFRs comprising 62 issues for the software underpinning the operation of systems ranging from assistive-care robots and tree-disease detection drones to manufacturing collaborative robots.
△ Less
Submitted 11 January, 2024;
originally announced January 2024.
-
Runtime Verification of Self-Adaptive Systems with Changing Requirements
Authors:
Marc Carwehl,
Thomas Vogel,
Genaína Nunes Rodrigues,
Lars Grunske
Abstract:
To accurately make adaptation decisions, a self-adaptive system needs precise means to analyze itself at runtime. To this end, runtime verification can be used in the feedback loop to check that the managed system satisfies its requirements formalized as temporal-logic properties. These requirements, however, may change due to system evolution or uncertainty in the environment, managed system, and…
▽ More
To accurately make adaptation decisions, a self-adaptive system needs precise means to analyze itself at runtime. To this end, runtime verification can be used in the feedback loop to check that the managed system satisfies its requirements formalized as temporal-logic properties. These requirements, however, may change due to system evolution or uncertainty in the environment, managed system, and requirements themselves. Thus, the properties under investigation by the runtime verification have to be dynamically adapted to represent the changing requirements while preserving the knowledge about requirements satisfaction gathered thus far, all with minimal latency. To address this need, we present a runtime verification approach for self-adaptive systems with changing requirements. Our approach uses property specification patterns to automatically obtain automata with precise semantics that are the basis for runtime verification. The automata can be safely adapted during runtime verification while preserving intermediate verification results to seamlessly reflect requirement changes and enable continuous verification. We evaluate our approach on an Arduino prototype of the Body Sensor Network and the Timescales benchmark. Results show that our approach is over five times faster than the typical approach of redeploying and restarting runtime monitors to reflect requirements changes, while improving the system's trustworthiness by avoiding interruptions of verification.
△ Less
Submitted 29 March, 2023;
originally announced March 2023.
-
A Property Specification Pattern Catalog for Real-Time System Verification with UPPAAL
Authors:
Thomas Vogel,
Marc Carwehl,
Genaína Nunes Rodrigues,
Lars Grunske
Abstract:
Context: The goal of specification pattern catalogs for real-time requirements is to mask the complexity of specifying such requirements in a timed temporal logic for verification. For this purpose, they provide frontends to express and translate pattern-based natural language requirements to formulae in a suitable logic. However, the widely used real-time model checking tool UPPAAL only supports…
▽ More
Context: The goal of specification pattern catalogs for real-time requirements is to mask the complexity of specifying such requirements in a timed temporal logic for verification. For this purpose, they provide frontends to express and translate pattern-based natural language requirements to formulae in a suitable logic. However, the widely used real-time model checking tool UPPAAL only supports a restricted subset of those formulae that focus only on basic and non-nested reachability, safety, and liveness properties. This restriction renders many specification patterns inapplicable. As a workaround, timed observer automata need to be constructed manually to express sophisticated requirements envisioned by these patterns. Objective: In this work, we fill these gaps by providing a comprehensive specification pattern catalog for UPPAAL. The catalog supports qualitative and real-time requirements and covers all corresponding patterns of existing catalogs. Method: The catalog we propose is integrated with UPPAAL. It supports the specification of qualitative and real-time requirements using patterns and provides an automated generator that translates these requirements to observer automata and TCTL formulae. The resulting artifacts are used for verifying systems in UPPAAL. Thus, our catalog enables an automated end-to-end verification process for UPPAAL based on property specification patterns and observer automata. Results: We evaluate our catalog on three UPPAAL system models reported in the literature and mostly applied in an industrial setting. As a result, not only the reproducibility of the related UPPAAL models was possible, but also the validation of an automated, seamless, and accurate pattern- and observer-based verification process. Conclusion: The proposed property specification pattern catalog for UPPAAL enables practitioners to specify qualitative and real-time requirements...
△ Less
Submitted 7 November, 2022;
originally announced November 2022.
-
Discrete-Event Controller Synthesis for Autonomous Systems with Deep-Learning Perception Components
Authors:
Radu Calinescu,
Calum Imrie,
Ravi Mangal,
Genaína Nunes Rodrigues,
Corina Păsăreanu,
Misael Alpizar Santana,
Gricel Vázquez
Abstract:
We present DeepDECS, a new method for the synthesis of correct-by-construction discrete-event controllers for autonomous systems that use deep neural network (DNN) classifiers for the perception step of their decision-making processes. Despite major advances in deep learning in recent years, providing safety guarantees for these systems remains very challenging. Our controller synthesis method add…
▽ More
We present DeepDECS, a new method for the synthesis of correct-by-construction discrete-event controllers for autonomous systems that use deep neural network (DNN) classifiers for the perception step of their decision-making processes. Despite major advances in deep learning in recent years, providing safety guarantees for these systems remains very challenging. Our controller synthesis method addresses this challenge by integrating DNN verification with the synthesis of verified Markov models. The synthesised models correspond to discrete-event controllers guaranteed to satisfy the safety, dependability and performance requirements of the autonomous system, and to be Pareto optimal with respect to a set of optimisation objectives. We use the method in simulation to synthesise controllers for mobile-robot collision mitigation and for maintaining driver attentiveness in shared-control autonomous driving.
△ Less
Submitted 27 March, 2023; v1 submitted 7 February, 2022;
originally announced February 2022.
-
Body Sensor Network: A Self-Adaptive System Exemplar in the Healthcare Domain
Authors:
Eric Bernd Gil,
Ricardo Caldas,
Arthur Rodrigues,
Gabriel Levi Gomes da Silva,
Genaína Nunes Rodrigues,
Patrizio Pelliccione
Abstract:
Recent worldwide events shed light on the need of human-centered systems engineering in the healthcare domain. These systems must be prepared to evolve quickly but safely, according to unpredicted environments and ever-changing pathogens that spread ruthlessly. Such scenarios suffocate hospitals' infrastructure and disable healthcare systems that are not prepared to deal with unpredicted environme…
▽ More
Recent worldwide events shed light on the need of human-centered systems engineering in the healthcare domain. These systems must be prepared to evolve quickly but safely, according to unpredicted environments and ever-changing pathogens that spread ruthlessly. Such scenarios suffocate hospitals' infrastructure and disable healthcare systems that are not prepared to deal with unpredicted environments without costly re-engineering. In the face of these challenges, we offer the SA-BSN -- Self-Adaptive Body Sensor Network -- prototype to explore the rather dynamic patient's health status monitoring. The exemplar is focused on self-adaptation and comes with scenarios that hinder an interplay between system reliability and battery consumption that is available after each execution. Also, we provide: (i) a noise injection mechanism, (ii) file-based patient profiles' configuration, (iii) six healthcare sensor simulations, and (iv) an extensible/reusable controller implementation for self-adaptation. The artifact is implemented in ROS (Robot Operating System), which embraces principles such as ease of use and relies on an active open source community support.
△ Less
Submitted 27 March, 2021;
originally announced March 2021.
-
A Hybrid Approach Combining Control Theory and AI for Engineering Self-Adaptive Systems
Authors:
Ricardo Diniz Caldas,
Arthur Rodrigues,
Eric Bernd Gil,
Genaína Nunes Rodrigues,
Thomas Vogel,
Patrizio Pelliccione
Abstract:
Control theoretical techniques have been successfully adopted as methods for self-adaptive systems design to provide formal guarantees about the effectiveness and robustness of adaptation mechanisms. However, the computational effort to obtain guarantees poses severe constraints when it comes to dynamic adaptation. In order to solve these limitations, in this paper, we propose a hybrid approach co…
▽ More
Control theoretical techniques have been successfully adopted as methods for self-adaptive systems design to provide formal guarantees about the effectiveness and robustness of adaptation mechanisms. However, the computational effort to obtain guarantees poses severe constraints when it comes to dynamic adaptation. In order to solve these limitations, in this paper, we propose a hybrid approach combining software engineering, control theory, and AI to design for software self-adaptation. Our solution proposes a hierarchical and dynamic system manager with performance tuning. Due to the gap between high-level requirements specification and the internal knob behavior of the managed system, a hierarchically composed components architecture seek the separation of concerns towards a dynamic solution. Therefore, a two-layered adaptive manager was designed to satisfy the software requirements with parameters optimization through regression analysis and evolutionary meta-heuristic. The optimization relies on the collection and processing of performance, effectiveness, and robustness metrics w.r.t control theoretical metrics at the offline and online stages. We evaluate our work with a prototype of the Body Sensor Network (BSN) in the healthcare domain, which is largely used as a demonstrator by the community. The BSN was implemented under the Robot Operating System (ROS) architecture, and concerns about the system dependability are taken as adaptation goals. Our results reinforce the necessity of performing well on such a safety-critical domain and contribute with substantial evidence on how hybrid approaches that combine control and AI-based techniques for engineering self-adaptive systems can provide effective adaptation.
△ Less
Submitted 24 April, 2020;
originally announced April 2020.
-
Taming Uncertainty in the Assurance Process of Self-Adaptive Systems: a Goal-Oriented Approach
Authors:
Gabriela Félix Solano,
Ricardo Diniz Caldas,
Genaína Nunes Rodrigues,
Thomas Vogel,
Patrizio Pelliccione
Abstract:
Goals are first-class entities in a self-adaptive system (SAS) as they guide the self-adaptation. A SAS often operates in dynamic and partially unknown environments, which cause uncertainty that the SAS has to address to achieve its goals. Moreover, besides the environment, other classes of uncertainty have been identified. However, these various classes and their sources are not systematically ad…
▽ More
Goals are first-class entities in a self-adaptive system (SAS) as they guide the self-adaptation. A SAS often operates in dynamic and partially unknown environments, which cause uncertainty that the SAS has to address to achieve its goals. Moreover, besides the environment, other classes of uncertainty have been identified. However, these various classes and their sources are not systematically addressed by current approaches throughout the life cycle of the SAS. In general, uncertainty typically makes the assurance provision of SAS goals exclusively at design time not viable. This calls for an assurance process that spans the whole life cycle of the SAS. In this work, we propose a goal-oriented assurance process that supports taming different sources (within different classes) of uncertainty from defining the goals at design time to performing self-adaptation at runtime. Based on a goal model augmented with uncertainty annotations, we automatically generate parametric symbolic formulae with parameterized uncertainties at design time using symbolic model checking. These formulae and the goal model guide the synthesis of adaptation policies by engineers. At runtime, the generated formulae are evaluated to resolve the uncertainty and to steer the self-adaptation using the policies. In this paper, we focus on reliability and cost properties, for which we evaluate our approach on the Body Sensor Network (BSN) implemented in OpenDaVINCI. The results of the validation are promising and show that our approach is able to systematically tame multiple classes of uncertainty, and that it is effective and efficient in providing assurances for the goals of self-adaptive systems.
△ Less
Submitted 6 May, 2019;
originally announced May 2019.
-
A Learning Approach to Enhance Assurances for Real-Time Self-Adaptive Systems
Authors:
Arthur Rodrigues,
Ricardo Diniz Caldas,
Genaína Nunes Rodrigues,
Thomas Vogel,
Patrizio Pelliccione
Abstract:
The assurance of real-time properties is prone to context variability. Providing such assurance at design time would require to check all the possible context and system variations or to predict which one will be actually used. Both cases are not viable in practice since there are too many possibilities to foresee. Moreover, the knowledge required to fully provide the assurance for self-adaptive s…
▽ More
The assurance of real-time properties is prone to context variability. Providing such assurance at design time would require to check all the possible context and system variations or to predict which one will be actually used. Both cases are not viable in practice since there are too many possibilities to foresee. Moreover, the knowledge required to fully provide the assurance for self-adaptive systems is only available at runtime and therefore difficult to predict at early development stages. Despite all the efforts on assurances for self-adaptive systems at design or runtime, there is still a gap on verifying and validating real-time constraints accounting for context variability. To fill this gap, we propose a method to provide assurance of self-adaptive systems, at design- and runtime, with special focus on real-time constraints. We combine off-line requirements elicitation and model checking with on-line data collection and data mining to guarantee the system's goals, both functional and non-functional, with fine tuning of the adaptation policies towards the optimization of quality attributes. We experimentally evaluate our method on a simulated prototype of a Body Sensor Network system (BSN) implemented in OpenDaVINCI. The results of the validation are promising and show that our method is effective in providing evidence that support the provision of assurance.
△ Less
Submitted 3 April, 2018;
originally announced April 2018.
-
Pragmatic Requirements for Adaptive Systems: a Goal-Driven Modelling and Analysis Approach
Authors:
Felipe Pontes Guimarães,
Genaina Nunes Rodrigues,
Raian Ali,
Daniel Macêdo Batista
Abstract:
Goal-models (GM) have been used in adaptive systems engineering for their ability to capture the different ways to fulfill the requirements. Contextual GM (CGM) extend these models with the notion of context and context-dependent applicability of goals. In this paper, we observe that the interpretation of a goal achievement is itself context-dependent. Thus, we introduce the notion of Pragmatic Go…
▽ More
Goal-models (GM) have been used in adaptive systems engineering for their ability to capture the different ways to fulfill the requirements. Contextual GM (CGM) extend these models with the notion of context and context-dependent applicability of goals. In this paper, we observe that the interpretation of a goal achievement is itself context-dependent. Thus, we introduce the notion of Pragmatic Goals which have a dynamic satisfaction criteria. We also developed and evaluated an algorithm to decide the Pragmatic CGM's achievability. Finally, we performed several experiments to evaluate and to compare our algorithm against human judgment and concluded that the specification of context-dependent goals' applicability and interpretations make it hard for domain stakeholders to decide whether the model covers all possibilities, both in terms of time and accuracy, thus showing the importance and contribution of our algorithm.
△ Less
Submitted 24 March, 2015;
originally announced March 2015.