5.1.2 Stage 1: Local capability analysis
During this DECIDE stage, each component uses runtime quantitative verification to assemble a summary of its capabilities, as formally defined below.
Definition 5.1. Given a DECIDE distributed system with the characteristics specified earlier, a finite set $CS_i \subset V_1 \times V_2 \times \cdots \times V_{m+1}$ is an $\alpha$-confidence capability summary for the $i$-th system component iff for any $(a_{i1}, a_{i2}, \ldots, a_{i,m+1}) \in CS_i$ the local control loop of the component can ensure that:
(i) $attr_{ij} \bowtie_j a_{ij}$, for $1 \le j \le m$
(ii) $attr_{i,m+1} \le a_{i,m+1}$
(iii) $attr_{ij} = \mathit{true}$, for $m + 1 < j \le m_i$
The DECIDE method for calculating the $\alpha$-confidence capability summary of the $i$-th system component, $1 \le i \le n$, involves the local execution of the steps below.
1. Configuration analysis — Select $N_i > 0$ disjoint configuration subsets $Cfg^1_i, Cfg^2_i, \ldots, Cfg^{N_i}_i \subset Cfg_i$ that correspond to different modes of operation for component $i$. What constitutes a mode of operation for a component is application dependent. Possible examples include running different numbers of component instances, or operating with different degrees of accuracy. As illustrated later in this section, for the UUV system from our running example, using different sets of sensors corresponds to different modes of operation for a UUV.
2. Environment analysis — Identify subsets of environment states $Env^1_i, Env^2_i, \ldots, Env^{N_i}_i \subseteq Env_i$ associated with the $N_i$ configuration subsets, such that the probability that the actual environment state of the component is in $Env^k_i$ is at least $\alpha$, for any $1 \le k \le N_i$. These subsets can be identical. However, in the most general case, each configuration subset $Cfg^k_i$ may render different areas of the environment state irrelevant, and DECIDE exploits this as illustrated in Example 5.2.
3. Attribute analysis 1 — Check that for any $1 \le k \le N_i$ and for any $1 \le j \le m$ with $\bowtie_j \in \{=, \ne\}$, the QoS attribute $attr_{ij}(c, e)$ has a single value, $a^k_{ij}$, for all $(c, e) \in (Cfg^k_i, Env^k_i)$. When this is not the case, further partition the configuration set $Cfg^k_i$ into disjoint subsets that satisfy this constraint. As shown in Table 5.3, one of the scenarios in which $\bowtie_j \in \{=, \ne\}$ is when $V_j = \mathbb{B}$. In this case, $Cfg^k_i$ needs to be partitioned into two subsets. For other scenarios (e.g., when $V_j = \mathbb{R}^+$), DECIDE can be applied only if this operation partitions $Cfg^k_i$ into a finite (and usually small) number of subsets. The rationale for this operation is that we want to associate each configuration set $Cfg^k_i$ with a “bound” $a^k_{ij}$ for each $attr_{ij}$, $1 \le j \le m$, and the bounds $a^k_{ij}$ are common values for QoS attributes $attr_{ij}$ with $\bowtie_j \in \{=, \ne\}$.
4. Attribute analysis 2 — For all attributes $attr_{ij}$, $1 \le j \le m$, with $\bowtie_j \in \{<, \le, \ge, >\}$, and for each configuration set $Cfg^k_i$, find simultaneous bounds $a^k_{ij} \in V_j$ such that
$$\forall e \in Env^k_i \bullet \exists c \in Cfg^k_i \bullet \mathit{global}(c, e) \wedge \mathit{local}(c, e), \qquad (5.5)$$
where $\mathit{global}(c, e) = \bigwedge_{1 \le j \le m,\ \bowtie_j \notin \{=, \ne\}} attr_{ij}(c, e) \bowtie_j a^k_{ij}$ and $\mathit{local}(c, e) = \bigwedge_{m + 2 \le j \le m_i - 1} attr_{ij}(c, e)$.
When there is a single system-level QoS attribute $attr_{ij}$ with $\bowtie_j \in \{<, \le, \ge, >\}$, its associated $a^k_{ij}$ bound can be calculated as
$$a^k_{ij} = \begin{cases} \max_{e \in Env^k_i}\ \min_{c \in Cfg^k_i,\ \mathit{local}(c, e)} attr_{ij}(c, e), & \text{if } \bowtie_j \in \{<, \le\} \\[4pt] \min_{e \in Env^k_i}\ \max_{c \in Cfg^k_i,\ \mathit{local}(c, e)} attr_{ij}(c, e), & \text{otherwise} \end{cases} \qquad (5.6)$$
Otherwise, a multi-objective optimisation technique such as [69, 81] needs to be used to calculate the $a^k_{ij}$ values.
5. Cost analysis — Calculate the cost upper bound
$$a^k_{i,m+1} = \max_{e \in Env^k_i}\ \min_{c \in Cfg^k_i,\ \mathit{global}(c, e) \wedge \mathit{local}(c, e)} attr_{i,m+1}(c, e).$$
6. Capability summary assembly — Use the $a^k_{ij}$ bounds from steps 3–5 to assemble
$$CS_i = \{cs^1_i, cs^2_i, \ldots, cs^{N_i}_i\}, \qquad (5.7)$$
where $cs^k_i = (a^k_{i1}, a^k_{i2}, \ldots, a^k_{i,m+1})$, $1 \le k \le N_i$.
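As an added illustration (not the paper's own code, and not the PRISM-based UUV analysis described later), the following Python script carries out steps 3–6 above by exhaustive search over finite configuration and environment sets. The component model it uses (one sensor, integer rates, constructed attribute formulas, a single local requirement) is an assumption made for this example; what the script shows is how the single-value check of step 3, the max/min of (5.6), the feasibility condition (5.5) and the cost bound of step 5 combine into the summary (5.7).

```python
"""Added worked example (not from the paper): DECIDE local capability analysis,
steps 3-6, by exhaustive search over finite configuration/environment sets.
The component model below is constructed for illustration only."""

# --- Constructed component model (assumption) --------------------------------
# Configuration c = (speed, on): speed in 1..5, on in {0, 1} (one sensor).
# Environment e = sensor rate in measurements per 10 s (integers, so that the
# bounds are exact and free of floating-point noise).
SPEEDS = range(1, 6)
RATES = [16, 20, 24]                     # constructed Env^k_i sample points

CFG = {1: [(sp, 0) for sp in SPEEDS],    # Cfg^1_i: sensor off
       2: [(sp, 1) for sp in SPEEDS]}    # Cfg^2_i: sensor on
ENV = {1: RATES, 2: RATES}               # Env^k_i (identical for both subsets here)


def attr_meas(c, e):
    """attr_i1: accurate measurements (system-level, relational operator '>=')."""
    sp, on = c
    return on * (e // sp)


def attr_on(c, e):
    """attr_i2: 'sensor switched on' (system-level, relational operator '=')."""
    return c[1] == 1


def attr_cost(c, e):
    """attr_i3: energy cost, the cost attribute bounded in step 5."""
    sp, on = c
    return 5 * sp + on * 10 * e


def local(c, e):
    """Conjunction of the local requirements (constructed: slow enough to be accurate)."""
    return c[0] <= 3


# --- DECIDE steps -------------------------------------------------------------
def single_value(cfg, env, attr):
    """Attribute analysis 1: an '='/'!=' attribute must take one value on Cfg^k x Env^k;
    otherwise the configuration subset would have to be partitioned further."""
    values = {attr(c, e) for c in cfg for e in env}
    if len(values) != 1:
        raise ValueError("subset needs further partitioning, values %r" % values)
    return values.pop()


def attribute_bound(cfg, env, attr, op):
    """Attribute analysis 2, eq. (5.6) for a single ordered attribute: worst case over
    the environment, best configuration among those satisfying the local requirements."""
    def feasible(e):
        return [attr(c, e) for c in cfg if local(c, e)]
    if op in ("<", "<="):
        return max(min(feasible(e)) for e in env)
    return min(max(feasible(e)) for e in env)


def satisfies_5_5(cfg, env, global_pred):
    """Condition (5.5): every environment state admits a configuration meeting
    both the global bounds and the local requirements."""
    return all(any(global_pred(c, e) and local(c, e) for c in cfg) for e in env)


def cost_bound(cfg, env, global_pred):
    """Cost analysis (step 5): max over e of the cheapest configuration that
    satisfies global(c, e) and local(c, e)."""
    return max(min(attr_cost(c, e) for c in cfg if global_pred(c, e) and local(c, e))
               for e in env)


def capability_summary():
    """Step 6: assemble CS_i = {cs^1_i, cs^2_i}, cs^k_i = (a^k_i1, a^k_i2, a^k_i3)."""
    cs = []
    for k in sorted(CFG):
        cfg, env = CFG[k], ENV[k]
        a2 = single_value(cfg, env, attr_on)                 # step 3
        a1 = attribute_bound(cfg, env, attr_meas, ">=")      # step 4, eq. (5.6)

        def global_pred(c, e, a1=a1):                        # global(c, e) of (5.5)
            return attr_meas(c, e) >= a1
        if not satisfies_5_5(cfg, env, global_pred):
            raise ValueError("condition (5.5) violated for subset %d" % k)
        a3 = cost_bound(cfg, env, global_pred)               # step 5
        cs.append((a1, a2, a3))
    return cs


if __name__ == "__main__":
    print(capability_summary())   # [(0, False, 5), (16, True, 245)]
```

In the constructed model the "sensor on" subset promises at least 16 measurements because the lowest sampled rate combined with the slowest speed is the worst case of (5.6), and its cost bound 245 is the price of the only configuration that still meets that bound at the highest rate; the "sensor off" subset promises nothing and costs only the idle energy.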
Theorem 1. The set $CS_i$ in (5.7) is an $\alpha$-confidence capability summary for component $i$ of a DECIDE system.
Proof. We show that for any $cs^k_i = (a^k_{i1}, a^k_{i2}, \ldots, a^k_{i,m+1}) \in CS_i$, the local control loop of component $i$ can adjust the configuration of the component such that properties (i)–(iii) from Definition 5.1 are satisfied with probability at least $\alpha$. For $1 \le j \le m$, the selection of $a^k_{ij}$ in Attribute analysis 1–2 ensures that, for any environment state $e \in Env^k_i$:
• $attr_{ij} \bowtie_j a^k_{ij}$ for all configurations in $Cfg^k_i$ if $\bowtie_j \in \{=, \ne\}$;
• there is an environment-dependent configuration $c \in Cfg^k_i$ (given by (5.5)), such
By always selecting this configuration $c$, the local control loop can ensure that property (i) is satisfied whenever $e \in Env^k_i$, which happens with probability at least $\alpha$ (cf. the Environment analysis step). The Cost analysis step ensures that $a^k_{i,m+1} \ge attr_{i,m+1}(c, e)$ for all $e \in Env^k_i$, so the selection of configuration $c$ also makes property (ii) satisfied with probability at least $\alpha$. Finally, $c$ satisfies $\mathit{local}(c, e)$, so using the configuration $c$ ensures that property (iii) is satisfied with probability at least $\alpha$ too.
At the end of the local capability analysis stage of DECIDE, the local capability summary (5.7) is shared with the other components within the distributed system. On distributed systems with reliable and high-bandwidth communication mechanisms, capability summary sharing is achieved using these mechanisms directly. For distributed systems with limited and/or unreliable inter-component communication capabilities, DECIDE uses recently emerged platforms for the engineering of distributed systems such as Kevoree [84] and DEECo [28]. This is the case for the UUV system from our running example.
Example 5.2. Suppose that the $i$-th UUV from our running example has $n_i = 2$ on-board sensors whose operating rates $r_{i1}$ and $r_{i2}$ are normally distributed with mean $2\,\mathrm{s}^{-1}$ and standard deviation $0.2\,\mathrm{s}^{-1}$, and with mean $4\,\mathrm{s}^{-1}$ and standard deviation $0.3\,\mathrm{s}^{-1}$, respectively. The UUV$_i$ environment state has the form $(r_{i1}, r_{i2})$, and the set of all environment states is $Env_i = [0, \infty]^2$. Also, assume that the UUV speed $sp_i$ can be adjusted in the range $[1\,\mathrm{m/s}, 5\,\mathrm{m/s}]$. Hence, the UUV configuration set is $Cfg_i = [1, 5] \times \{0, 1\}^2$, where for any configuration $(sp_i, x_{i1}, x_{i2}) \in Cfg_i$, $x_{ij} = 1$ if sensor $j$ is switched on and $x_{ij} = 0$ otherwise, for $j \in \{1, 2\}$. Finally, suppose that the bounds for local QoS requirements R4 and R5 are $e^{max}_i = 1000\,\mathrm{J}$ and $p^{min}_i = 0.9$, and that the energy used by the sensor operations is: $e_{i1} = 3\,\mathrm{J}$, $e^{on}_{i1} = 15\,\mathrm{J}$, $e^{off}_{i1} = 3\,\mathrm{J}$, $e_{i2} = 2\,\mathrm{J}$, $e^{on}_{i2} = 10\,\mathrm{J}$, $e^{off}_{i2} = 2\,\mathrm{J}$. The DECIDE instance running on UUV$_i$ assembles an ($\alpha = 0.95$)-confidence capability summary as follows:
1. Configuration analysis — A UUV mode of operation corresponds to using different subsets of sensors, so there are four configuration subsets: $Cfg^1_i = \{(sp_i, 0, 0) \mid sp_i \in [1, 5]\}$, $Cfg^2_i = \{(sp_i, 1, 0) \mid sp_i \in [1, 5]\}$, $Cfg^3_i = \{(sp_i, 0, 1) \mid sp_i \in [1, 5]\}$ and $Cfg^4_i =$
Figure 5.3: Environment analysis $Env^2_i = [1.61, 2.39] \times [0, \infty]$ and $Env^4_i = [1.55, 2.45] \times [3.33, 4.67]$ for configuration subsets $Cfg^2_i$ and $Cfg^4_i$ for a two-sensor UUV.
2. Environment analysis — Assuming that the sensor rates $r_{i1}$ and $r_{i2}$ are independent of each other, the environment state subsets $Env^k_i$, $1 \le k \le 4$, are obtained as the Cartesian product of $\alpha_1$ and $\alpha_2$ confidence intervals for $r_{i1}$ and $r_{i2}$, respectively, where $\alpha_1 \alpha_2 = \alpha = 0.95$. If a sensor is switched off for a configuration subset $Cfg^k_i$, the confidence level associated with this sensor ($\alpha_1$ or $\alpha_2$) is set to 1.0 when calculating $Env^k_i$. This allows the use of a smaller confidence level for the other sensor, which is potentially active. The result is a narrower confidence interval for the rate of active sensors, and therefore a capability summary that reflects better the actual ability of the UUV. Informally, the UUV can “promise” a stronger contribution to achieving the system requirements for a configuration subset $Cfg^k_i$ if it disregards the state of the sensors switched off for the configurations in $Cfg^k_i$. Figure 5.3 summarises the calculation of $Env^2_i = [1.61, 2.39] \times [0, \infty]$ and $Env^4_i = [1.55, 2.45] \times [3.33, 4.67]$ for configuration subsets $Cfg^2_i$ and $Cfg^4_i$, respectively.
3. Attribute analysis 1 — The relational operators for the $m = 2$ system-level QoS requirements (5.4) are $\bowtie_1 = {}$‘$\ge$’ and $\bowtie_2 = {}$‘$=$’, so DECIDE checks that the second attribute from Table 5.4 takes a single value within each configuration subset $Cfg^k_i$, $1 \le k \le 4$. This check is successful because $attr_{i2} = \mathit{false} = a^1_{i2}$ for all configurations in $Cfg^1_i$ (since both sensors are switched off) and $attr_{i2} = \mathit{true} = a^k_{i2}$ for all configurations in $Cfg^k_i$, $2 \le k \le 4$. Hence, no further partition of any configuration subset $Cfg^k_i$ is required.
Figure 5.4: Verification of $\Phi_{i1}$ and $\Phi_{i3}$ from Table 5.4 (panels (a) and (b)); shaded areas correspond to configurations that violate local requirement R5.
4. Attribute analysis 2 — Requirement R1 in (5.4) is the only system-level requirement whose associated relational operator $\bowtie_1$ belongs to the set $\{<, \le, \ge, >\}$. Accordingly, DECIDE uses runtime quantitative verification to derive the bounds $a^k_{i1}$ in (5.6) for $1 \le k \le 4$. Figure 5.4(a) illustrates the analysis carried out to establish $a^2_{i1}$ using the probabilistic model checker PRISM [149]. The minimum number of (accurate) measurements $attr_{i1}$ is obtained for the lowest measurement rate in $Env^2_i$, i.e., $r_{i1} = 1.61\,\mathrm{s}^{-1}$; the bound $a^2_{i1}$ corresponds to this rate, and to the most advantageous configuration, i.e., $sp_i = 1\,\mathrm{m/s}$.
5. Cost analysis — As shown by the runtime quantitative verification results in Figure 5.4(b), the cost $attr_{i3}$ is constant for each environment state in $Env^k_i$. Hence, the maximum cost associated with the $k$-th configuration subset, $a^k_{i3}$, corresponds to the highest sensor rate in $Env^k_i$, i.e., $r_{i1} = 2.39\,\mathrm{s}^{-1}$.
6. Capability summary assembly — The bounds $a^k_{ij}$, $1 \le j \le 3$, $1 \le k \le 4$, obtained in steps 3–5 are organised into the four-element capability summary $CS_i = \{(0, \mathit{false}, 5), (93, \mathit{true}, 433), (192, \mathit{true}, 532), (278, \mathit{true}, 984)\}$. Each summary element corresponds to a set of values for the system-level QoS requirements from Table 5.1. For instance, the element $cs^2_i = (93, \mathit{true}, 433)$ specifies that the $i$-th UUV using configuration $Cfg^2_i$ can do 93 accurate measurements (R1), at least one of its sensors is switched on (R2) and for this operation it consumes $433\,\mathrm{J}$ (R3). These values have been extracted after executing steps 3–5 (see Figure 5.4). The derivation of the other capability summary elements follows similar reasoning.
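The Environment analysis of step 2 in Example 5.2, as an added example (this is not code from the paper): using the standard-library `NormalDist`, the script derives the confidence intervals for the two sensor rates from the distributions given in the example and assembles $Env^1_i$ to $Env^4_i$ for the four configuration subsets of step 1. The text only fixes the product $\alpha_1 \alpha_2 = 0.95$ and sets the level of a switched-off sensor to 1.0; sharing the budget equally among the active sensors (each gets $\alpha^{1/n}$ for $n$ active sensors) is an assumption made here, and with it the script reproduces the intervals of Figure 5.3 to two decimals.

```python
"""Added example (not from the paper): Environment analysis (step 2 of Example 5.2)
for a two-sensor UUV, computing Env^k_i as a product of confidence intervals."""
from math import inf
from statistics import NormalDist

ALPHA = 0.95
# Sensor-rate distributions from Example 5.2 (s^-1): r_i1 ~ N(2, 0.2), r_i2 ~ N(4, 0.3).
SENSORS = [NormalDist(mu=2.0, sigma=0.2), NormalDist(mu=4.0, sigma=0.3)]
# The four configuration subsets of step 1, identified by their (x_i1, x_i2) flags.
ACTIVE_SENSORS = {1: (0, 0), 2: (1, 0), 3: (0, 1), 4: (1, 1)}


def confidence_interval(dist, level):
    """Central interval carrying probability `level` under `dist`, clipped to the
    rate domain [0, inf]. Level 1.0 (sensor switched off) yields the whole domain,
    i.e. the state of that sensor is disregarded."""
    if level >= 1.0:
        return (0.0, inf)
    tail = (1.0 - level) / 2.0
    return (max(0.0, dist.inv_cdf(tail)), dist.inv_cdf(1.0 - tail))


def env_subset(active, alpha=ALPHA):
    """Env^k_i for the configuration subset whose sensor flags are `active`.
    Assumption (not fixed by the text): the budget alpha is split equally among the
    active sensors, so that the product of the per-sensor levels is alpha."""
    n_active = sum(active)
    level = alpha ** (1.0 / n_active) if n_active else 1.0
    return [confidence_interval(d, level if on else 1.0) for d, on in zip(SENSORS, active)]


def rounded(env, digits=2):
    """Round the finite bounds, for comparison with the values quoted in Figure 5.3."""
    return [(round(lo, digits), hi if hi == inf else round(hi, digits)) for lo, hi in env]


def all_env_subsets():
    """Env^1_i .. Env^4_i, one per configuration subset, rounded to two decimals."""
    return {k: rounded(env_subset(flags)) for k, flags in ACTIVE_SENSORS.items()}


if __name__ == "__main__":
    for k, env in all_env_subsets().items():
        print("Env^%d_i = %s" % (k, " x ".join("[%s, %s]" % iv for iv in env)))
```

For $Cfg^2_i$ only sensor 1 is active, so it receives the full 0.95 level ($z \approx 1.96$) and the interval $[1.61, 2.39] \times [0, \infty]$ results; for $Cfg^4_i$ both sensors share the budget ($\sqrt{0.95} \approx 0.975$ each, $z \approx 2.24$), which widens both intervals to $[1.55, 2.45] \times [3.33, 4.67]$, exactly the trade-off the text describes.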