1 Introduction

Web/Internet of Things, Service Oriented Computing and Cloud Computing are considered the main future enablers of both personal and professional applications. In this context, the composition of services, in particular those offered by heterogeneous connected things, is the suitable approach for creating more complex and ubiquitous services, which run in an inter-organizational and heterogeneous environment called a multi-domain [3]. In general, every domain has its own security and privacy policy, and the configurations and interface descriptions of the elementary services are completely heterogeneous from both the data-formatting and the semantic point of view. Basically, composite services are specified by means of inputs, outputs, preconditions and post-conditions (i.e. effects) on elementary abstract services [5]. This heterogeneity makes the correctness and soundness of composite services, at both the operational and the semantic level, the most complex issues in a multi-domain environment with respect to robustness, safety and security [3]. Therefore, a knowledge-driven methodology and formal framework can help composite-service designers to ensure the soundness and correctness of service compositions with respect to the heterogeneity of the domains and the application requirements, which can be critical in scenarios where automation and robotic services are involved, such as Manufacturing, Ambient Assisted Living (AAL) or eHealth [1, 7]. The paper extends the approach proposed in [5] by implementing the complete framework with a sound formal system for the specification of multi-domain service composition. The proposed framework provides tools to verify, constructively, the ability to compose services by using Constructive Description Logics.
The framework also proposes an extensible semantic model for multi-domain composition, with a set of software components enabling the automatic generation of \(\mathcal {BCDL}_0\) statements and the automatic generation of the correctness-proof lemmas of the composite services, which are then proved interactively. The paper is organized as follows. Sect. 2 presents the architecture of the proposed framework. Section 3 presents the formal specification of the service composition operators in the Isabelle/HOL theorem prover and the proof of its soundness. Section 4 presents how the formal system is used to constructively assert the environment's conceptual model and its state; this formal system makes it possible to specify a semantic model represented by an ontology. The service composition model is presented in Sect. 5, which details the formal specification of the service composition description model in Isabelle/HOL and the correctness proof. Section 6 discusses related work, and Sect. 7 concludes the paper and presents ongoing work.

2 Semantic Framework for Multi-domain Ubiquitous Applications

Fig. 1 depicts the relationship between the various components of the proposed framework; it also describes the methodology used to build ambient intelligence service-based systems.

The proposed formal system \(F_s\) is based on \(\mathcal {BCDL}_0\) [2]. This logic has several benefits, such as providing computational capabilities and a proof interpretation, as well as mathematical properties such as soundness and completeness [4]. The methodology proceeds in four steps:

  • (1) Semantic Conceptual Model (SCM): the AmI ontology. It ensures, on the one hand, a common understanding of the concepts shared between the heterogeneous entities in the environment, such as sensors, actuators and agents, and, on the other hand, formally represents the semantics of the multi-domain services.

  • (2) \(\mathcal {BCDL}_0\)-based specification: building the semantic conceptual model is the first step of the proposed methodology. The conceptual model can be edited and maintained with an ontology development tool such as Protégé. The proposed framework includes an API that translates the designed ontology into a \(\mathcal {BCDL}_0\)-based specification. The resulting specification is then used to specify the composite service according to the Service Composition Model.

  • (3) Service Composition Model: this step enables the formal specification of the existing atomic and composite ubiquitous services in the AmI environment, and of the services' behaviours.

  • (4) Service Composition Proof: after constructing the composite service, the framework generates the lemmas stating the applicability conditions to be proved. The generated proof statements are then proved interactively in Isabelle/HOL.

Fig. 1. Framework components

3 Formal Constructive Description Logics Based System

The formal system is described by the tuple \(F_s = (L_{\mathcal {N}}, R)\), where \(L_{\mathcal {N}}\) is the SCM description language and R the set of inference rules enabling the computation of logical consequence within \(L_{\mathcal {N}}\). \(F_s\) is specified as a theory within the proof assistant Isabelle/HOL. Isabelle/HOL is a formal system based on higher-order logic with a general natural-deduction environment. It provides a sound meta-logic used for the specification of existing logics such as HOL or FOL and of new formal systems. The main theory (Main.thy) is the elementary theory that all other theories are required to import.

3.1 Syntax Specification

The grammar of the \(F_s\) description language (i.e. \(L_{\mathcal {N}}\)) is based on the basic description logic \(\mathcal {ALC}\). It describes a domain in terms of concepts (i.e. classes) NC, roles (i.e. properties, relationships) NR, individuals (i.e. instances) NI and a set VAR of individual variable names. \(L_{\mathcal {N}}\) is defined as follows:

$$\begin{aligned} C, D &{:=} A ~|~ \lnot C ~|~ C \sqcup D ~|~ C \sqcap D ~|~ \exists R.C ~|~ \forall R.C \\ K &{:=} \bot ~|~ t : C ~|~ A \sqsubseteq C ~|~ (s, t) : R \end{aligned}$$

where \(C,~D \in \) NC, \(R \in \) NR, and \(s, t \in \) NI \(\cup \) VAR. K ranges over the generated formulas. NR, NC, NI and the generated formulas are specified within Isabelle/HOL as datatype constructors (see Table 1).

Table 1. Syntax specification

3.2 Constructive Semantics Specification

Let us define \( \mathcal{N} \) as a finite subset of NI (\(\mathcal{N} \subseteq NI\)), and \( L_{\mathcal {N}} \) as the formulas generated over the finite subset \(\mathcal{N}\). An interpretation (model) \(\mathcal{M}\) for \(\mathcal{L}_N \) is a pair \( \left( \mathcal{D}^\mathcal{M},~.^\mathcal{M}\right) \), where \(\mathcal{D}^\mathcal{M}\) is the domain, a non-empty set, and \(.^\mathcal{M}\) is a valuation function which associates with every \(c \in \mathcal{N}\) an element \(c^\mathcal{M} \in \mathcal{D}^\mathcal{M} \), with every \(A \in \) NC a set \(A^\mathcal{M} \subseteq \mathcal{D}^\mathcal{M} \), and with every \(R \in \) NR a relation \(R^\mathcal{M} \subseteq \mathcal{D}^\mathcal{M} \times \mathcal{D}^\mathcal{M}\). The classical interpretation and the validity notions are also specified in this work; however, this section focuses on the specification of the constructive interpretation and on the proof of the soundness property of the proposed formal system. The constructive interpretation of \( \mathcal{BCDL}_0 \) is based on information-terms semantics. Let \(\mathcal{N} \subseteq NI\) and let K be a closed formula of \(\mathcal{L_N}\), i.e. a formula that contains no individual variable names. Intuitively, an information term is the piece of information (also called the type of a given formula) that provides a witness justifying the validity of that formula. The set of information terms \(IT_\mathcal{N} (K)\) is defined by induction on the structure of K. This algorithm is implemented by the function ITc (see Table 2).

Table 2. Information terms algorithm

Information terms are structured mathematical objects that give witnesses of the validity of formulas in a classical model. When an information term \(\eta \) proves the validity of a formula K, we say that \(\eta \) realises K, and we write \(\mathcal{M} \rhd \left\langle \eta \right\rangle K\). More information can be found in [2]. The \(\mathcal {BCDL}_0\) reasoning technique is compatible with the realisability of a formula K by a given information term. The realisability relation is defined as follows. Let \(\mathcal{M}\) be a model for \(\mathcal{L}_N \), K a closed formula and \(\eta \in IT_\mathcal{N}(K)\); the relation \(\mathcal{M} \rhd \left\langle \eta \right\rangle K\) is defined by induction on the structure of K. Part of the realisability relation specification is given in Table 3.

Table 3. Realisability relation specification

3.3 Inference Rules and Soundness Proof

The natural deduction calculus \(\mathcal {ND}\) is the proof calculus for \( \mathcal {BCDL}_0\), and gives the soundness theorem according to realisability relation and the natural deduction proofs of \(\mathcal {ALC}\) formulas [2, 4]. The formal system must be sound, i.e. it ensures that all computed inferences are valid. In the following, the soundness theorem is specified and proved in Isabelle/HOL using cases tactics on the different logical constructors of the constructive logics \(\mathcal{BCDL}_0\).

Theorem (Soundness). Let \(\mathcal {N}\) be a finite subset of NI and let \(\pi {{:}{:}} \varGamma \vdash K \) be a proof of \(\mathcal {ND}\) over \(\mathcal {L_N}\) such that the formulas in \(\varGamma \) are closed. Then:

  • \(\varGamma \vDash K\), i.e. K is a logical consequence of \(\varGamma \)

  • For every model \(\mathcal {M}\) and every \(\gamma ~\in ~IT(\varGamma )\), \(\mathcal{M} \rhd \left\langle \gamma \right\rangle \varGamma \) implies \(\mathcal{M} \rhd \left\langle \phi ^{\pi }_{N}(\gamma ) \right\rangle K\)

The Isabelle/HOL formalisation of the soundness theorem and its proof are given in Table 4. The soundness property shows that when a formula K is proved under a set of assumptions \(\varGamma \), an information term for K can be obtained from the information terms for \(\varGamma \). In this way the inference rules prove only formulas that are valid with respect to the information-terms semantics.

Table 4. Soundness theorem proof

4 Semantic Conceptual Model

The Semantic Conceptual Model (SCM) consists of a set of concepts and relationships representing the AmI ontology. The SCM is proposed to formalise the knowledge shared in a multi-domain environment according to the \(\mathcal {BCDL}_0\)-based specification.

Consider the knowledge base of an ambient intelligence environment in which a companion robot assists people at home. The robot interacts with several services at home and with services from other domains. The robot also performs different types of notifications, and can be located in one of the home's rooms. This knowledge is formalized in Table 5.

Table 5. AmI ontology concepts specification

Let us consider the formula which associates a robot with a location in the smart home: \(K = Robot \sqcap \exists isLocatedOn.Location\). Assume that NI is the set of all individuals in the knowledge base, and let N be the names of the individuals in the model defined in Table 5. The information-terms interpretation of K is computed as follows. An example of an element of \( IT_N (Ax1) \) is a function \( \phi \) which associates with each element c of N an element \(\gamma \). Formally:

Let us consider the definition, from the axioms, of a new concept that identifies the location of the robot when it issues a notification; in other words, the robot performs a notification action when it is in a specific location. Using the knowledge base of Table 5, the following proof is constructed:

\(\pi {{:}{:}} \mathcal {T} \vdash (NotificationAction \sqsubseteq \exists isPerformedBy. (Robot \sqcap \exists isLocatedOn.Location)) \)

In the literature, several conceptual models (i.e. ontologies) have been designed for describing AmI environments. For this reason, the proposed framework adds a transformation API to our formal system (Fig. 1). The specified ontology is then used by the composition description model, which is detailed in the next section.

5 Composition Description Model

The composite service is constructed from the atomic services using the composition rules (Table 7) and the applicability conditions (AC) associated with each rule. The correctness proof of the composite service requires proving the applicability conditions of the composite service.

5.1 Service Composition Specification

The service specification is an expression of the form \( p(x) \,{{:}{:}}\, P \Longrightarrow Q \) where p is a label that identifies the service; x is the input parameter of the service (to be instantiated with an individual name from \( \mathcal {N}\)); and P and Q are concepts over \(\mathcal{L}_N \). P is called the service pre-condition, denoted Pre(s), and Q the service post-condition, denoted Post(s). The service implementation is modelled as a function \(\varPhi _s: \bigcup _{t \in \mathcal {N}} IT_{\mathcal {N}} (t : P) \rightarrow \bigcup _{t \in \mathcal {N}} IT_{\mathcal {N}} (t : Q)\). We denote by the pair \((p(x)\,{{:}{:}}\,P \Longrightarrow Q, \varPhi _s)\) (or (p, \(\varPhi _p\))) a service definition over \(\mathcal {L_N}\). The service specification is formalised in Isabelle/HOL (Table 6).

Table 6. Service definition & implementation

5.2 Correctness Proof

The service specification provides the formal description of a service's behaviour in terms of pre- and post-conditions. The function \(\varPhi _s\) is a formal description of the service implementation (i.e. of its input/output function). Essentially, a service definition corresponds to an actual Web service. The behaviour of the service depends on the environment in which it is executed, and the correctness of the service's behaviour in that environment must be proved. This is the correctness property formalised by means of the function \(Unformaly\_solv\) (Table 8).

Table 7. Control flow rules and their applicability conditions
Table 8. Uniformaly solve
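As an added example (not part of the paper, and not its Isabelle/HOL theory), the following Python block renders the pieces discussed in Sects. 3.1 to 3.3 (the \(\mathcal {ALC}\) syntax, the ITc algorithm and the realisability relation), the information-terms computation for the robot/location formula of Sect. 4, and the correctness check of Sect. 5.2 as executable code over a small constructed model. The individual names r1, kitchen and bedroom, the concept and role names, and the "locate" service are assumptions made for illustration; the Isabelle proof quantifies over all models, whereas this code checks a single finite model, so it is a sanity check of a specification rather than a replacement for the proof.

```python
# Added example (not the paper's Isabelle/HOL theory): a Python rendering of the
# BCDL_0 syntax and information-terms semantics of Sect. 3 and of the service
# correctness check of Sect. 5.2, run over a constructed AmI model. The names
# r1/kitchen/bedroom and the "locate" service are assumptions for illustration.
from collections import namedtuple
from itertools import product

# Syntax of L_N (Sect. 3.1): concepts C, D over NC/NR and closed formulas K.
Atom = namedtuple("Atom", "c")          # A in NC
Not = namedtuple("Not", "c")            # not C
And = namedtuple("And", "c d")          # C and D
Or = namedtuple("Or", "c d")            # C or D
Ex = namedtuple("Ex", "r c")            # exists R.C
All = namedtuple("All", "r c")          # forall R.C
Bot = namedtuple("Bot", [])             # bottom
Mem = namedtuple("Mem", "t c")          # t : C
Sub = namedtuple("Sub", "a c")          # A subsumed by C
Rel = namedtuple("Rel", "s t r")        # (s, t) : R

# Finite model M = (D^M, .^M): D^M is the name set N itself (c^M = c); A^M and R^M are sets.
Model = namedtuple("Model", "names concepts roles")

def rel(m, r, s, t):
    return (s, t) in m.roles.get(r, set())

def classical(m, t, c):
    """Classical satisfaction t^M in C^M; the constructive semantics uses it for atoms and negation."""
    if isinstance(c, Atom): return t in m.concepts.get(c.c, set())
    if isinstance(c, Not):  return not classical(m, t, c.c)
    if isinstance(c, And):  return classical(m, t, c.c) and classical(m, t, c.d)
    if isinstance(c, Or):   return classical(m, t, c.c) or classical(m, t, c.d)
    if isinstance(c, Ex):   return any(rel(m, c.r, t, d) and classical(m, d, c.c) for d in m.names)
    return all(classical(m, d, c.c) for d in m.names if rel(m, c.r, t, d))          # All

TT = "tt"   # the trivial information term

def it_concept(names, t, c):
    """IT_N(t : C) by induction on C (the ITc function of Table 2)."""
    if isinstance(c, (Atom, Not)): return [TT]
    if isinstance(c, And): return [(a, b) for a in it_concept(names, t, c.c) for b in it_concept(names, t, c.d)]
    if isinstance(c, Or):  return [(1, a) for a in it_concept(names, t, c.c)] + [(2, b) for b in it_concept(names, t, c.d)]
    if isinstance(c, Ex):  return [(d, g) for d in names for g in it_concept(names, d, c.c)]
    return choice_functions(names, c.c)                                             # All

def choice_functions(names, c):
    """Every phi with phi(d) in IT_N(d : C) for each d in N, encoded as ((d, phi(d)), ...)."""
    return [tuple(zip(names, combo)) for combo in product(*[it_concept(names, d, c) for d in names])]

def it_formula(names, k):
    """IT_N(K) for a closed formula K."""
    if isinstance(k, Mem): return it_concept(names, k.t, k.c)
    if isinstance(k, Sub): return choice_functions(names, k.c)
    return [TT]                                                                     # bottom, (s, t) : R

def realises(m, eta, k):
    """The realisability relation M |> <eta> K (Table 3)."""
    if isinstance(k, Bot): return False
    if isinstance(k, Rel): return rel(m, k.r, k.s, k.t)
    if isinstance(k, Sub):          # phi(d) must realise d : C for every d in A^M
        return all(not classical(m, d, Atom(k.a)) or realises(m, g, Mem(d, k.c)) for d, g in eta)
    t, c = k.t, k.c
    if isinstance(c, (Atom, Not)): return classical(m, t, c)
    if isinstance(c, And): return realises(m, eta[0], Mem(t, c.c)) and realises(m, eta[1], Mem(t, c.d))
    if isinstance(c, Or):  return realises(m, eta[1], Mem(t, c.c if eta[0] == 1 else c.d))
    if isinstance(c, Ex):           # eta = (d, gamma): d is the explicit witness
        return rel(m, c.r, t, eta[0]) and realises(m, eta[1], Mem(eta[0], c.c))
    return all(not rel(m, c.r, t, d) or realises(m, g, Mem(d, c.c)) for d, g in eta)  # All

def witnesses(m, k):
    return [eta for eta in it_formula(m.names, k) if realises(m, eta, k)]

# Service p(x) :: P ==> Q with implementation Phi_s on information terms (Sect. 5.1).
Service = namedtuple("Service", "name pre post impl")   # impl: (t, eta in IT_N(t:P)) -> IT_N(t:Q)

def uniformly_solves(m, s):
    """Finite-model check of the Sect. 5.2 correctness property: every realiser of t : Pre(s)
    is mapped by Phi_s to a realiser of t : Post(s). Only the single constructed model m is examined."""
    return all(realises(m, s.impl(t, eta), Mem(t, s.post))
               for t in m.names for eta in it_concept(m.names, t, s.pre)
               if realises(m, eta, Mem(t, s.pre)))

# Constructed knowledge base in the spirit of Table 5 (an assumption, not the paper's data).
MODEL = Model(("r1", "kitchen", "bedroom"),
              {"Robot": {"r1"}, "Location": {"kitchen", "bedroom"}},
              {"isLocatedOn": {("r1", "kitchen")}})
LOCATED = Ex("isLocatedOn", Atom("Location"))
K = Mem("r1", And(Atom("Robot"), LOCATED))      # r1 : Robot and exists isLocatedOn.Location
AX = Sub("Robot", LOCATED)                      # every Robot is located on some Location
# Hypothetical "locate" service: returns the location witness carried by its input term;
# the broken variant ignores the input and always answers "bedroom".
LOCATE = Service("locate", And(Atom("Robot"), LOCATED), LOCATED, lambda t, eta: eta[1])
BROKEN = Service("locate_bad", And(Atom("Robot"), LOCATED), LOCATED, lambda t, eta: ("bedroom", TT))

if __name__ == "__main__":
    print(witnesses(MODEL, K))                  # [('tt', ('kitchen', 'tt'))]
    print(len(it_formula(MODEL.names, AX)), len(witnesses(MODEL, AX)))         # 27 9
    print(uniformly_solves(MODEL, LOCATE), uniformly_solves(MODEL, BROKEN))   # True False
```

Running the block enumerates the three candidate information terms for K (one per name in N), of which only the term whose witness is kitchen realises K; it then shows that the well-formed service passes the finite-model check while the variant that fixes a wrong witness fails it, which is the kind of defect the applicability-condition lemmas rule out in the full Isabelle proof.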

6 Related Work

More recently, approaches combining ontologies and formal methods have been proposed specifically to describe service composition flows. These approaches allow the description of the interaction of web services, which is an important condition for achieving dynamic composition of services. In this section, approaches based on theorem proving for service composition are reviewed. These techniques apply deduction rules to a goal specified as a mathematical theorem in order to prove it. In general, theorem proving consists of a sequence of inference steps that reduce an objective proof to a list of simpler sub-goals, which can then be proved automatically by the primitive tactics of a proof assistant such as Coq, HOL4 or Isabelle/HOL. These techniques have been little used in the field of service composition [8]. The majority of the proposed approaches are based on Semantic Web languages (e.g. DAML-S or OWL-S), which offer no way to verify correctness. Therefore, other approaches transform these service descriptions into a different formalism (e.g. \(\pi \)-calculus, Petri nets, Linear Logic) to enable automatic reasoning and thereby prove several service composition properties [6, 8]. Recently, research on alternative interpretations of the classical formal representation of description logics has been conducted; this area deserves exploration, since it can improve system modelling techniques and its computational capabilities can also be exploited [4]. Recall that the main problem with all these composition approaches, including those proposed in industry, is checking correctness [9]. Moreover, a constructive (intuitionistic) description logic called \( \mathcal {BCDL} \) has been proposed [4]. Bozzato applied this logic to the composition of semantic Web services [2].
That approach deals with the composition of semantic Web services based on a subsystem of the basic constructive description logic, called \(\mathcal {BCDL}_0\). Unlike the approaches above, the proposed framework is based on a sound and complete formal system. It benefits from the mathematical computation capabilities of the constructive description logic and from its correctness proof. In addition, the framework also proposes a reliable methodology for building a provably correct application in a multi-domain context.

7 Conclusion and Ongoing Work

The paper presents a semantic framework and a formal methodology for developing multi-domain ambient intelligence applications. The framework is based on a sound and complete formal system for sharing knowledge among multiple domains, the Semantic Conceptual Model. The framework also provides a formal service composition model for specification and correctness proof within Isabelle/HOL. In future work, we will study the dynamic aspects of changing composite services and their impact on the methodology. The framework's performance and the development of AAL use cases will also be considered.