Run-time requirements verification for reconfigurable systems
Introduction
Over the past few years we experienced a significant growth on the deployment of highly interconnected systems operating in a number of domains such as banking, commerce, and government to name a few. These systems encompass complex requirements yielding thus large and complex models [1]. In addition to the complex requirements these systems entail, advances in virtualization technology make also possible the continuous evolution, dynamic provision, and dynamic adaptation of system resources, in a quest for these systems to constantly meet their numerous, and possibly diverse, functional and non-functional requirements. The problem has been recognized in the related research literature as an important one [2], [3], both from the requirements verification perspective and, from the policy compliance perspective. Hence, it is important to develop techniques, and tools for assessing at run time whether changes in the system structure, and, operating environment violate requirements set forth by its stakeholders.
To date, the software engineering community has responded by investigating models, and frameworks allowing for the specification, analysis, and evaluation of system requirements. In this respect, research efforts have focused so far on the off-line static analysis and reasoning in such models for the purpose of evaluating the completeness, and validity of system requirements against stakeholder goals [4], [5]. However, as business processes become more complex requiring highly inter-connected and inter-dependent services (e.g. Systems-of-Systems), issues related to the run-time verification of global system properties have emerged as very timely, important and challenging [6], [7], [8]. Work in the area of adaptive systems is attempting to address some of these issues, and research efforts aiming to model and analyze the run-time behavior of such systems have started emerging in the related literature [9], [10]. However, there is still limited work on dealing with large requirements models, especially when the dependencies and impact of one design decision or system requirement cannot be fully and deterministically modeled due to the high complexity of structural and behavioral inter-dependencies present in such complex systems. It is therefore important to investigate analysis techniques that are tractable so that can be applied at run-time, and allow for reasoning on large requirements models, especially in the presence of incomplete knowledge related to the impact changes in one system or component may have on the behavior and requirements of other interconnected systems or components.
For this paper, we adopt a goal-driven view of this run-time verification problem aiming to assess whether a system that operates in a specific context is compliant to a set of requirements. This issue entails a number of challenges that have to be considered and addressed. First, an appropriate modeling notation for denoting goals that should hold in the running system under various contexts must be used. Such a modeling notation should be expressive enough to capture dependencies that exist between goals, allow for the definition of multiple variations of the model under different contexts, and allow for modeling the way design decisions and system properties affect these goals. Such a notation must also have well defined semantics so as to enable the use of tools and algorithms that can automate the processing of the models. Second, as dependencies in a complex system may not be fully known, or properly recorded, a fuzzy approach should be used for specifying such dependencies within an acceptable degree of ambiguity. Third, a reasoning framework is required to evaluate at run-time how and to what degree system changes affect the requirements taking into account events collected from the running system.
In a nutshell, the proposed framework allows for a) system goals and their variations under multiple contexts, hereinafter referred to as views, to be modeled as conditional goal trees [11], whose nodes hold with a degree of truth; b) dependencies between goals to be modeled as weighted contributions [12], [13], where weights are interpreted as the degree by which a stakeholder’s belief for the target node satisfaction/dissatisfaction is increased given the satisfaction status of the source node; c) transformations to be utilized in order to map conditional goal trees to weighted fuzzy rules [14] and; d) fuzzy reasoning to be applied in order to tractably verify whether, and to what degree, specific system goals hold at run-time.
The paper is organized as follows. Section 2 formally defines the requirements-based view of the verification problem. Section 3 summarizes key concepts in the areas of Goal Models and weighted fuzzy rules. Section 4 briefly describes the details of our approach, and Section 5 presents a running example used throughout the paper. Section 6 introduces the semantics of the notation utilized to model system goals and views, and Section 7 describes the transformation of goal models to rules that can be used by the proposed inference engine. Subsequently, a lab experiment is presented in Section 8, and the performance of the proposed framework is evaluated against randomly generated models of varying size and complexity in Section 9. Finally, Section 10 presents related work and Section 11 concludes the paper.
Section snippets
Formal definition of the problem
Run-time verification is the process of evaluating, while the system operates, whether it meets certain expected behavior and goals [15], [16]. In this paper we adopt a requirements-based view of the run-time verification problem that we refer to as the ReqRV problem. To formally define it, we use as a starting point the seminal study by Zave and Jackson on software requirements [17].
According to this study, given a set of requirements R, and a set of domain assumptions D, the requirements
AND/OR goal trees
AND/OR goal trees are a modeling formalism extensively utilized in requirements engineering, where its basic concept is the top-down AND/OR decomposition of goals into sub-goals. An AND-decomposed goal can be satisfied if all of its sub-goals are true, while an OR-decomposed goal is fulfilled if at least one of its sub-goals holds.
Additionally, two goals may be connected by a contribution link. More specifically, a goal may potentially contribute to other goals in four ways, namely, SP, SN, DP
Process outline
We address the ReqRV problem by introducing a framework which is based on the principles of fuzzy controllers. A fuzzy controller is composed of four elements [23]: FC-a) a rule-base, i.e. rules describing the experts’ knowledge of the domain; FC-b) a fuzzification process for the transformation of the input in a processable form; FC-c) an inference mechanism which combines the rule-base with the input to deduce membership degrees for a set of output variables; and FC-d) a defuzzification
Running example
To better illustrate the proposed process for the ReqRV problem, we employ a running example which is partially based on examples used in [26], [27], [28]. The example is illustrated in Fig. 5, and describes a fraction of system goals of a simplified, yet realistic, data records management software.
For this example, we consider the goals stemming from two stakeholders, namely “Data Consumer” and “System Admin”. The former may correspond to an assistant trying to retrieve patients’ records and
Modeling stakeholder goals and views
To model the expected behavior of a system (i.e. system goals) under various contexts we utilize conditional goal models (an example is depicted in Fig. 5). What follows is a formal definition of these models in order to ease the formulation of their transformation to wf-rules. More specifically:
Definition 1 A Goal Model Rule (gm-rule) is a tuple of the form 〈Rt, gt, Gs, w〉, where Rt ∈ {AND, OR, SP, DP, SN, DN} is the type of the rule, gt is the target goal of the rule, Gs is a non-empty set of source
Reasoning on system goals
SEB models presented above provide the theoretical foundation for the ReqRV problem, and enable system goals to be expressed under various contexts. However, for reasoning to take place, the following actions must be performed (also see Section 4) :
- 1.
conditional wf-rules generation,
- 2.
rule-base determination and fuzzification of system observable characteristics’ values extracted via monitoring techniques,
- 3.
inference, i.e reasoning for all system goals using an appropriate inference mechanism,
- 4.
Lab experiment
As a proof of concept we developed a prototype of the ReqRV inference engine, and a simulator for a data management application1 which uses the SEB model of Fig. 5. We designed the SEB model using Eclipse ecore tools, and we applied model to model and model to text transformation techniques to generate the conditional wf-rules. The parameters of the membership functions were set to aL=5, bL
Experiments and discussion
The performance of the proposed framework is evaluated by a series of experiments with randomly generated SEB models of varying size and complexity.
More specifically, we evaluate the proposed framework with respect to execution time and amount of memory required for models of different sizes in order to prove that time and memory requirements remain low even for large models, enabling thus its application to large models at run-time. Subsequently, we investigate the effect of membership
Related work
Approaches that utilize goal models for run-time analysis and adaptive software include [37] where the distinction between Design-time and Run-time Goal Models is made, [38] which proposes a set of extensions for the Tropos methodology related to failures and environment modeling, [39], [40] where the notions of awareness (AwReqs) and evolution (EvoReqs) requirements are introduced as meta-requirements allowing to model requirements adaptation at run-time, and [21] that provides a general
Conclusion and future work
In this paper, we presented an approach that utilizes conditional weighted goal models to denote system goals related to requirements that should hold in the running system. The choice of goal models as the modeling notation for the proposed framework is based on the fact that it is a notation extensively used in requirements engineering to represent functional and non-functional requirements. Additionally, its well defined semantics enable the development of an automated algorithmic
Acknowledgments
This research has been co-financed by the European Union (European Social Fund ESF) and Greek national funds through the Operational Program “Education and Lifelong Learning” of the National Strategic Reference Framework (NSRF) – Research Funding Program: Heracleitus II. Investing in knowledge society through the European Social Fund. We would also like to thank A. Chortaras for providing as with the implementation of his reasoner for weighted logic programs.
References (54)
- et al.
Runtime verification of safety-progress properties
- et al.
A goal driven framework for software project data analytics
- et al.
Assessing requirements-related risks through probabilistic goals and obstacles
Requir. Eng.
(2013) Goal-oriented requirements enginering: a roundtrip from research to practice
Proceedings of the 12th IEEE International Conference on Requirements Engineering (RE 2004), 6–10 September 2004, Kyoto, Japan
(2004)- et al.
LOVER: light-weight formal verification of adaptive systems at run time
- et al.
Runtime verification of component-based systems
- et al.
Reasoning with goal models
- et al.
Evaluating goal models within the goal-oriented requirement language
Int. J. Intell. Syst.
(2010) - et al.
Interaction-based runtime verification for systems of systems integration
J. Log. Comput.
(2010) When the requirements for adaptation and high integrity meet
Proceedings of the 8th Workshop on Assurances for Self-adaptive Systems, ASAS ’11
(2011)
Requirements-aware systems: a research agenda for RE for self-adaptive systems
Proceedings of the 18th IEEE International Requirements Engineering Conference, RE 2010, Sydney, New South Wales, Australia, September 27–October 1, 2010
Engineering evolving and self-adaptive systems: an overview
A goal-based framework for contextual requirements modeling and analysis
Requir. Eng.
Evaluating goal models within the goal-oriented requirement language
Int. J. Intell. Syst.
On eliciting contribution measures in goal models
Definition and adaptation of weighted fuzzy logic programs
Int. J. Uncertain. Fuzziness Knowl.-Based Syst.
A brief account of runtime verification
J. Log. Algebric Program.
Four dark corners of requirements engineering
ACM Trans. Softw. Eng. Methodol.
Self-adaptive software needs quantitative verification at runtime
Commun. ACM
Reasoning about agents and protocols via goals and commitments
From object-oriented to goal-oriented requirements analysis
Commun. ACM
Fuzzy goals for requirements-driven adaptation
Proceedings of the Requirements Engineering Conference, RE
Fuzzy Control
Domain independent event analysis for log data reduction
Features selection for intrusion detection systems based on support vector machines
Proceedings of the 6th IEEE Consumer Communications and Networking Conference, CCNC 2009
Cited by (8)
Stability in Software Engineering: Survey of the State-of-the-Art and Research Directions
2021, IEEE Transactions on Software EngineeringGoal and Feature Model Optimization for the Design and Self-Adaptation of Socio-Cyber-Physical Systems
2021, Journal of Integrated Design and Process ScienceAn Optimization Modeling Method for Adaptive Systems Based on Goal and Feature Models
2020, Proceedings - 10th International Model-Driven Requirements Engineering Workshop, MoDRE 2020Arithmetic semantics of feature and goal models for adaptive cyber-physical systems
2019, Proceedings of the IEEE International Conference on Requirements EngineeringEfficient parallel reasoning on fuzzy goal models for run time requirements verification
2018, Software and Systems Modeling