Abstract
An approach for modelling adaptive complex systems should be flexible and scalable to allow a system to grow easily, and should have a formal foundation to guarantee the correctness of the system behavior. In this paper, we present the architecture, and formal syntax and semantics of HPobSAM which is a model for specifying behavioral and structural adaptations to model largescale systems and address reusability concerns. Selfadaptive modules are used as the building blocks to structure a system, and policies are used as the mechanism to perform both behavioral and structural adaptations. While a selfadaptive module is autonomous to achieve its local goals by collaborating with other selfadaptive modules, it is controlled by a higherlevel entity to prevent undesirable behavior. HPobSAM is formalized using a combination of algebraic, graph transformationbased and actorbased formalisms.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
The growth and adaptation of a system is realized by behavioral adaptation and/or structural adaptation. While structural adaptation aims to adapt the system behavior by changing its architecture, behavioral adaptation focuses on modifying the functionalities of computational entities. Behavioral adaptation is usually suitable for the cases that minor changes are required to adapt the system. Structural adaptation is more scalable and suitable for largescale and distributed adaptations. Yet changing the system structure to achieve minor changes is rather expensive. Hence, both behavioral and structural adaptations are often required to design complex adaptive systems.
A system must be able to evolve and grow continually even in unforeseen situations. Since an adaptation requirement might be unknown at design time, adaptive behavior must be built in a way that is flexible and modifiable at runtime. Furthermore, to guarantee the functionality of a complex software system, we have to provide mechanisms to ensure that the system is operating correctly. Here formal methods can play a key role.
Several frameworks and models have been inspired by natural systems to design largescale adaptive systems [5, 22, 26, 27]. Although, they support selforganization, selfadaptability and longlasting evolvability, they are not provided with a formal foundation. Moreover, specification and analysis of dynamic adaptation have been given lots of attention in the last decade [1, 2, 8, 14, 19, 20, 25] where most of the approaches deal with either behavioral adaptation or structural adaptation [6, 7]. However, dynamic adaptation and self* properties are restricted to responding to shortterm changes, while systems must be additionally able to evolve and grow to cover the longterm evolution of systems [9]. Therefore, we need an approach to design complex software systems which supports behavioral and structural adaptations to tackle the longterm evolution, flexibility, complexity, scalability and assurance problems.
The use of policies has been given attention as a powerful mechanism to achieve flexibility in adaptive and autonomous systems which allows one to “dynamically” specify the requirements in terms of high level goals. A policy is a rule describing under which conditions a specified subject must (can or cannot) perform an action on a specific object [15]. PobSAM (Policybased SelfAdaptive Model) is a policybased model with formal foundation for developing and modeling selfadaptive systems that supports behavioral adaptation. A PobSAM model consists of a set of managers and actors. Managers control the behavior of actors by enforcing policies. This model provides a high degree of flexibility at the behavioral level by allowing one to change policies dynamically. However, it only supports behavioral adaptation.
In this paper, we consider an extension of PobSAM [14, 15], called HPobSAM (Herarchical PobSAM) to support modeling largescale adaptive systems. In HPobSAM, selfadaptive modules have been added to PobSAM as a structuring feature. A selfadaptive module consists of managers, actors and possibly other selfadaptive modules. The notion of a role is introduced to specify structureindependent adaptations. Roles are dynamically assigned to selfadaptive modules and actors. Structural adaptation occurs by changing the roles of entities which leads to creation, removal or changing the interactions of entities. The managers are responsible to perform structural adaptations using structural adaptation policies that are defined in terms of roles.
HPobSAM is used in [13] to model a case study in the area of smart airports. In [13], we refer to an unpublished technical report for a complete description of HPobSAM. Here we present the description, architecture, and formal syntax and semantics of HPobSAM. We use prioritized hierarchical hypergraph (hhgraph) transition systems to specify the operational semantics of HPobSAM. Prioritized hhgraph transition systems are essentially classical prioritized state transition systems augmented with a function mapping states into hhgraphs and transitions into partial morphisms, i.e. a state is provided with a hhgraph indicating the current system structure.
Formal methods have been proposed for the modeling and analysis of adaptive software systems, but they are not always suitable for designing largescale software systems. We propose a flexible policybased approach with formal foundation to design largescale software systems. Compared to existing work, our approach has the following novel features:

1.
We present a formal extension of PobSAM to model largescale systems that is flexible and supports both structural and behavioral adaptations. We use structural adaptation policies as a mechanism for performing structural adaptation that can be modified at runtime, without the need to change the lowlevel programs.

2.
We present an operational semantics for HPobSAM whose semantics rules allow us to transform a substructure that is specified only partially, i.e. we can add or remove a selfadaptive module whose internal structure is not known completely. This feature is an advantage in open systems where limited knowledge is available about the entities.
2 Case Study
Here, we introduce the running example of the paper shown in Fig. 1. Consider a servicebased system that dynamically adapts its behavior to provide an appropriate quality of service to clients. The system includes several clusters of application servers that require data provided by the data servers. The cache handler is used to determine the best cluster for handling a request considering the quality of service constraints, and the logger monitors the incoming requests. The request receiver analyzes the requests and transmits them to the request dispatcher of the proper cluster. The latter forwards the request to an application server in the cluster. When a request is processed, the result is sent back to the request receiver component. This component sends the result back to the requester and/or to the cache handler.
The system should be able to adapt its behavior to provide the requested service properly. The behavioral adaptation is done by dynamically balancing the load of clusters/servers and can be effective to some extent. However, if the load of system becomes high enough such that the current number of servers cannot handle the requests, structural adaptations come into play. We need to adapt the system structure by adding or replacing the clusters to improve the system throughput.
3 Overview of PobSAM
A PobSAM model is composed of three layers [14, 15]:

The functional behavior of the system is implemented by the actor layer and contains computational entities, i.e., the actors.

The view layer consists of view variables that provide an abstraction of the actors’ states for the managers. A view variable is an actual state variable, or a function applied to state variables of actors.

The main layer of PobSAM is the manager layer containing the autonomous managers. Managers control the behavior of actors according to predefined policies. A manager may have different configurations of which one is active at a time. Behavioral adaptation is performed by switching among those configurations. A configuration contains two classes of policies: governing policies and behavioral adaptation policies. A manager directs the actors’ behavior by sending messages to them according to the governing policies. A governing policy is of the form \(\langle o ,e ,\psi \rangle {\bullet }a\) where \(o \in \mathbb {N}\) is the policy priority, \(e \in \mathcal {E}\) is an event, \(\psi \) is the policy condition defined over views, and a is the policy action. Whenever a manager receives an event e it identifies all the governing policies that are triggered by that event. For each of the triggered policies, if the policy condition evaluates to true and there is no other triggered governing policy with priority higher than o, action a is requested to be executed by instructing the relevant actors to do so (by sending them asynchronous messages). The behavioral adaptation policies are used to perform behavioral adaptations by switching among different configurations.
Example 1
We model the request dispatcher of a cluster as a manager that is responsible to manage and control the behavior of the cluster. This manager has two configurations and to control the cluster behavior respectively, in lowloaded and highloaded conditions. The servers are modeled as the actors responsible for handling incoming requests. The view layer provides some information about the processing power of each server, their current loads, the whole throughput of the cluster, and the average number of handled requests by each server. The following governing policy of with priority n defined for the request dispatcher of the cluster A states that when a new request x is received and the load of \(\mathsf {server1}\) is less than l, ask \(\mathsf {server1}\) to handle the request: \({ g = \langle n ,\mathsf {newreq}(x) ,\mathsf {load1}<l\rangle {\bullet } {\mathsf {(server1.handle}(x)) }}\).
4 The Architecture of HPobSAM
The components of a HPobSAM model are (i) selfadaptive modules, (ii) actors, (iii) the multilevel view layer, (iv) managers, and (v) roles. A system at the highest level is defined as a selfadaptive module. Figure 2 gives a schematic view of the HPobSAM architecture.
The concept of selfadaptive modules is inspired by SMC (SelfManaged Cells) [24] for structuring complex adaptive systems. A SelfAdaptive Module (SAM) is a policybased building block which is able to automatically adapt its behavior in a complex dynamic environment. A selfadaptive module contains (i) possibly other lowerlevel selfadaptive modules, (ii) the actors, (iii) a view layer, and (iv) a manager. To cater for largescale systems, multiple selfadaptive modules are composed and aggregated hierarchically into a single larger selfadaptive module. A selfadaptive module may provide services to other selfadaptive modules. Note that the services are provided and used by the manager of a selfadaptive module.
A manager is aware of its substructure and is responsible for performing structural and behavioral adaptations of its module. The managers are provided with a new type of policies, socalled structural adaptation policies to perform structural adaptation. When the system requires adaptation, different managers are informed and they plan various adaptations to adapt the system behavior to the current context. Hence, adaptation is performed in a distributed manner in the system and not a single entity is responsible for performing an adaptation.
In PobSAM, the view layer provides information about the actor layer to the managers. In HPobSAM, a view layer exists at multiple levels. Each selfadaptive module has a view layer defined based on the view layers of its selfadaptive modules in addition to the actors’ state variables of that module. The view layer acts as a tuple space to coordinate interactions of selfadaptive modules and a selfadaptive module can have controlled access to the view layer of other selfadaptive modules.
The structure of a system can change due to adding or removing an actor or a selfadaptive module, and modifying the actors and/or the selfadaptive modules interconnections. If the policies of a manager are described in terms of individual actors or selfadaptive modules, any modification of the manager’s underlying substructure (i.e. by joining or deleting actors or selfadaptive modules) influences the specification of its policies and the view layer, and subsequently, policies and view variables have to be redefined to become consistent with the new structure. To tackle this problem of structuredependent policies, we use the notion of roles to refer to the agents with the same functionality. The roles are assigned by a manager to the actors and the selfadaptive modules that it controls, and managers’ policies as well as view variables are described in terms of roles. A structural reconfiguration is realized by changing the roles assigned to the entities, and hence, the managers’ policies become structureindependent and do not have to be modified after a structural reconfiguration.
Example 2
Figure 3(a) partially shows the HPobSAM architecture of our example. The whole system is a selfadaptive module that contains (i) several lowerlevel selfadaptive modules each corresponding to a cluster, (ii) a manager modeling the request receiver, and (iii) two actors for the cache handler and the logger. The roles , , and are assigned by the request receiver to the cluster A (as a lowpower cluster), the logger, and the cache handler, respectively.
5 The Syntax of HPobSAM
In this section, we first briefly introduce hierarchical hypergraphs that are used to model the system structure; then we specify the structural modeling of HPobSAM; and,finally, we give the syntax of HPobSAM.
5.1 Hierarchical Hypergraphs Overview
A hypergraph is a generalization of a graph, where an edge can connect any number of nodes.
Definition 1
(Hypergraph). A hypergraph is a tuple \(G=(N,E,\theta )\), where N is the set of nodes, E is the set of hyperedges, \(\theta : E \rightarrow N^*\) is the tentacle function mapping each hyperedge to a unique finite nonempty multiset of nodes.^{Footnote 1}
Given two hypergraphs \(G_1\) and \(G_2\) with \(G_i = (N_i,E_i,\theta _i)\) for \(i = 1, 2\), a hypergraph morphism \(m : G_1 \rightarrow G_2\) is a pair of mappings \(m=(m_N,m_E)\) with \(m_N: N_1 \rightarrow N_2\) and \(m_E: E_1 \rightarrow E_2\), such that for all \(e \in E_1\), the multiset defined by \(\theta _2(m_E(e))\) is the multiset defined by \(m_N(\theta _1(e))\).^{Footnote 2}
Such a morphism is injective (surjective, bijective) if both \(m_N\) and \(m_E\) are injective (respectively surjective, bijective, partial or total). If there is a bijective morphism \({m: G_2 \rightarrow G_1}\), then \(G_1\) and \(G_2\) are isomorphic.
Hierarchical hypergraphs [10] are hypergraphs in which some hyperedges, called frames, may refer to hypergraphs that can be hierarchical again, with an arbitrary but finite depth of nesting.
Definition 2
(Hierarchical Hypergraph). Let \(\mathcal {X}\) be a set of symbols called variables. Let \(\mathcal {H} = \mathcal {H}_0(\mathcal {X})\) be a set of triples \({H=\langle G, F, cts\rangle }\) where G is a hypergraph, \(F = \emptyset \), and cts the trivial function from F to \(\mathcal {X}\).
For \(i > 0\), \(\mathcal {H}_i(\mathcal {X})\) consists of all triples \({H=\langle G, F, cts\rangle }\) where \(G=(N,E,\theta )\) is a hypergraph, \(F \subseteq E\) is the set of frame hyperedges of G, and \(cts: F \rightarrow \mathcal {H}_{i1}(\mathcal {X})\cup \mathcal {X}\) assigns to each frame its content.
The class \({\mathcal {H({X})}=\bigcup _{i \ge 0} \mathcal {H}_i(\mathcal {X})}\) is the set of hierarchical hypergraphs (hhgraphs) derived from \(\mathcal {H}\) with variables in \(\mathcal {X}\).
Example 3
Figure 3(b) shows a hhgraph which has hyperedges \(\{e_1,e_2,e_3\}\), seven nodes depicted by circles, and two frames depicted using doublelined rectangles.
The concept of a graph morphism can be generalized to the hierarchical case [10]. Let \(\mathcal {X}\) be a set of variables. For \(i=\{1,2\}\), let \(H_i = \langle {G_i}, F_i, cts_i\rangle \) be two hypergraphs with variables in \(\mathcal {X}\), and let \(X_i\) denote the set \({\{f \in F_i \mid cts_i(f) \in \mathcal {X}\}}\) of variable (or primitive) frames of \(H_i\).
Definition 3
(Hierarchical Morphism). A hierarchical morphism m from \(H_1\) to \(H_2\) is a pair \({m=(\bar{m}, m^f)}\) where \({f \in F_1 \backslash X_1}\) and
(i) \({\bar{m} :{G_1} \rightarrow {G_2}}\) is a graph morphism;
(ii) for all frames \(f \in F_1\), \({\bar{m}_E(f)} \in F_2\), and if \(\bar{m}_E(f) \in X_2 \) then \({f \in X_1}\);
(iii) \({m^f: cts_1(f) \rightarrow cts_2( \bar{m}_E (f))}\) is a hierarchical morphism for all \({f \in F_1 \backslash X_1}\).
A hierarchical morphism is injective (surjective, bijective, partial or total) if both \(\bar{m}\) and \(m^f\) are injective (respectively surjective, bijective, partial or total).
With graph constraints, certain graph properties can be expressed. In particular, it can be formulated that a graph G must (or must not) contain a certain subgraph \(G'\). An atomic graph constraint (\(\textsf {gcons}(C,C')\)) informally states that if a graph G contains the subgraph C (premise), then it contains the subgraph \(C'\) (conclusion) too [11].
Definition 4
(Atomic Graph Constraint). Let C and \(C'\) be two graphs. An atomic graph constraint is specified as a graph morphism \(k: C \rightarrow C'\).
A graph G satisfies atomic graph constraint \(\textsf {gcons}(C,C')\) specified by the graph morphism \(k: C \rightarrow C'\). if, for every injective graph morphism \({p : C \rightarrow G}\), there exists an injective graph morphism \(q : C' \rightarrow G\) with \({q \circ k = p}\). A graph constraint is a boolean formula over atomic graph constraints: (i) True and every atomic graph constraint are graph constraints, and (ii) if c and \(c'\) are two graph constraints, then \(c \vee c'\), \(c \wedge c'\) and \(\lnot c\) are graph constraints.
5.2 HPobSAM Syntax
Structural Modeling. The system structure is modeled as a hhgraph. We model role assignments as nodes, selfadaptive modules as frames, and managers, actors and roles as hyperedges. The hhgraph \(H=(G,\mathcal {K},cts)\) describes how several elements of a selfadaptive module \(\kappa \) are connected together logically. The set of selfadaptive modules of \(\kappa \) is \(\mathcal {K}\), and cts gives their internal structure. The hypergraph G shows the firstlevel internal structure of \(\kappa \) defined as follows:
where m is the manager of \(\kappa \), A indicates the set of \(\kappa \)’s actors, and R indicates the set of roles assigned by m.
Example 4
Figure 4 partially depicts the hhgraph of our example.
Views. A selfadaptive module \(\kappa \) has its own view layer V consisting of view variables defined over the state variables of its (immediate) actors (A) and the view variables of its (immediate) selfadaptive modules (\(\mathcal {K}\)), i.e., a view variable \(v \in V\) is a function over V, \(\mathcal {K}\), and the state variables of the actors in A.
Managers. A manager m is defined as a tuple \({m=\langle C,c_0,\kappa ,V, H\rangle }\), with C the (finite) set of configurations of m, \({{c_0}\in C}\) its initial configuration, \(\kappa \) the selfadaptive module of which m is the manager, V the (finite) set of view variables of \(\kappa \), and the hierarchical hypergraph \(H=(G,\mathcal {K},cts)\) describes how m is logically connected to other agents.
A configuration \(c \in C\) is defined as \(c=\langle {P_G}, {P_B},{{P_S}} \rangle \), where \({P_G}\), \({P_B}\) and \({P_S}\) indicate the governing policy set, the behavioral adaptation policies set, and the structural adaptation policy set of c, respectively. A primitive action of a governing policy is of the form \(\mathsf {r.msg}\) and is intended to send the message \(\mathsf {msg}\) to some actors/selfadaptive modules with role r. The behavioral adaptation policies are not influenced by this extension (See Sect. 3).
A structural adaptation policy \(sp \in {P_S}\) is defined as \({ sp\mathrm{\normalsize =} \langle o ,e ,\psi _H\rangle {\bullet }a_H}\) consists of priority \({o \in \mathbb {N}}\), event e, condition \(\psi _H\) and an action \(a_H\). The condition \(\psi _H\) can be defined as a combination of ordinary boolean expressions defined over the view layer and graph constraints defined over H, the internal structure of \(\kappa \). Let as be an actor or a selfadaptive module. The action \(a_H\) is a strategy to apply a dynamic reconfiguration with the primitive actions of the forms

\(\mathsf {r.msg}\) to send the message msg to the agents with role \(r \in R\),

\(\mathsf {join(r,as)}\) for assigning role r to as,

\(\mathsf {quit(r,as)}\) for releasing as from role r,

\(\mathsf {add(as)}\) for adding as to the substructure of m, and

\(\mathsf {remove(as)}\) for removing as from the substructure of m.
The condition \(\psi _H\) of a structural adaptation policy is defined as follows where \(\textsf {gcons}(Y,Y')\) is an atomic graph constraint:
Example 5
The policy \(\mathsf {PolicyA}\) states that when the request load is high, the cache handler is activated, i.e. the role \(\mathsf {cacheHandlerRole}\) is assigned to the cache handler by executing the action \(\mathsf {join(cacheHandlerRole,cachehandler)}\). Then, the logger is deactivated (\(\mathsf {quit(loggerRole,logger)}\)) and a new cluster with powerful servers (\(\mathsf {clusterD}\)) is added to the system. The operators ; and  are resp. the sequential and parallel composition of the algebra CA\(^a\) that is used to specify policy actions (See [15]):
Selfadaptive Modules. A selfadaptive module \(\kappa \) is formally defined as \(\kappa =\langle V, H_\kappa \rangle \) where V and \(H_\kappa \) respectively represent the view layer and the hhgraph of \(\kappa \). Observe that \(H_\kappa \) is a hyperedge with the content H as defined above.
6 Structural Operational Semantics
We present prioritized hhgraph transition systems to define the operational semantics of HPobSAM models. Prioritized hhgraph transition systems are essentially prioritized state transition systems [15] augmented with a function mapping states into hierarchical hypergraphs and transitions into partial hierarchical morphisms. Thus every state is provided with a graph indicating the current system structure.
Definition 5
(Prioritized State Transition System). A prioritized state transition system is a tuple \(T =\langle S, \delta , L, s_0 \rangle \) where \(S\) is a set of states, \(s_0\in S\) is the initial state, L is a set of labels, and \(\delta \subseteq S\times L\times S\) is a set of transitions.
Labels \(l \in L\) are of the form \((\phi ,\alpha ,n)\) and a transition \({s{{\xrightarrow {( \phi ,\alpha ,n)}}}s'}\) means that it is possible to perform action \(\alpha \) under condition \(\phi \) in state \(s\) when there is no enabled transition with higher priority than n in state \(s\), and then make a transition to \(s'\).
Definition 6
(Prioritized hhGraph Transition System). A prioritized hhgraph transition system is given by a pair \(\langle T, g\rangle \), where T is a prioritized state transition system and g is a pair \(g = \langle g_1, g_2 \rangle \) of mappings such that \(g_1(s)\) is a hhgraph for each state \(s\in S\), and \(g_2 (t) : g_1(s) \rightarrow g_1(s')\) is an injective partial hierarchical morphism for each transition \(t:{s\xrightarrow {l}s'} \in \delta \).
The conditions of a transition \(t:{s\xrightarrow {l}s'} \in \delta \) can contain graph constraints that are to be evaluated over \(g_1(s)\). The semantics of the actor layer remains unchanged by this extension. The semantics of the view layer is similarly defined as that of PobSAM [14, 15]. In this paper, we restrict ourselves to introduce the semantics of managers as the core part of HPobSAM.
Overview of a Manager’s Semantics. We use the notation \([{M} ]^c\langle b, p, a, q,H \rangle \) to describe a manager M where \(c =\langle P_G , P_B,P_S\rangle \) is its current configuration, \(b \in P_B\) is its triggered behavioral adaptation policy, \({p \subseteq P_G \cup P_S}\) is its set of triggered governing/structural adaptation policies, a is its current executing action (that can belong to a governing policy or a structural adaptation), q is its input message queue, and H is a hhgraph denoting the substructure of M. The semantics of triggering structural policies is identical to that of governing policies presented in [15]. Hence, we focus on their enforcement and use the notation \({M}\langle p, a, q,H \rangle \) for the sake of simplicity. The notation \(\surd \) is used to show an empty action. The operational semantics of managers in HPobSAM is described by the transition rules for PobSAM proposed in [15] and the transition rules given in Figs. 5 and 7 which we explain later. The conditions of transitions specifying managers’ semantics (e.g. \(\phi \) in Fig. 5) are evaluated on M’s view and its substructure.
The Semantics of a Manager’s Interactions is presented in Fig. 5 that contains graph constraints presented in Fig. 6. The rules description and the definition of symbols are described in the following. A primitive action of a PobSAM manager is sending an asynchronous message msg to an actor a that results in putting the message msg in a’s queue. In HPobSAM, there are three types of interactions that a manager may initiate: (i) sending a message to an actor with the role r, (ii) sending a message to a lowerlevel selfadaptive module with the role r, and (iii) sending a message to the sibling selfadaptive modules with the role r. The operational semantics of case (i) is expressed using the rule \({ \textsc {MSR1}}\) where \(G_1\) is a graph depicted in Fig. 6(a), \(\textsf {gcons}(\emptyset ,G_1)\) is a graph constraint that holds if the actor a has the role r, and \(s_a\) and \(s'_a\) indicate the local states of a before and after receiving the message msg. The rule \({ \textsc {MSR2}}\) expresses the semantics of case (ii). In this rule, a message is sent to a lowerlevel selfadaptive module \(\kappa '\) with the role r that contains a manager \(M_2\). The graph \(G_2\) is defined in Fig. 6(b). The manager \(M_1\) in the selfadaptive module \(\kappa \) has assigned the role r to its sibling selfadaptive module \(\kappa '\) that contains the manager \(M_2\). The manager \(M_1\) uses the rule \({ \textsc {MSR3}}\) to send a message to \(M_2\) (case (iii)) where \(\textsf {gcons}(\emptyset ,G_3)\) is a graph constraint with graph \(G_3\) as defined in Fig. 6(c) and \(H_{\kappa '} \cup H_\kappa \) is the union of \(H_{\kappa '}\) and \(H_\kappa \).
The Semantics of Structural Adaptation is presented in Fig. 7. In this figure, a function \(f' = f  \{(e_1,v_1),\ldots ,(e_2,v_n)\}\) is defined as \(f'(x)=\left\{ \begin{array}{lc} v_k&{}x=e_k\\ f(x) &{}  \end{array} \right. \). The predicate \(\mathsf {conn}(e,n,e')= n \in \theta (e) \cap \theta (e')\) informally states that the hyperedges e and \(e'\) are connected through the node n in a hypergraph G. The underlying substructure of M before and after a reconfiguration is respectively H and \(H'\) where \(H=\langle G,F,cts \rangle \), \(G=(N,E,\theta )\), and \(H'=\langle G',F',cts' \rangle \), \(G'=(N',E',\theta ')\). Note that for the sake of readability, only updated components of H are given in the rules.
When the action \(\mathsf {add}(as)\) is executed by the manager M, the actor or the selfadaptive module as is added to its underlying structure (Rule AAR). The hyperedge as is added to the hyperedge set (\( E'=E \cup \{as\} \)), and it becomes connected to the predefined role \(\iota \) through the node \(n_2\). If as is associated to a hhgraph with the content \(G_{as}\) (\(\mathsf {hhyper}(as,G_{as})\)), it is added to the frame set (\(F'=F \cup \{as\}\)) and cts is updated to reflect the content of as. The rule RAR is used to remove an actor or a selfadaptive module as (\( E'=E \backslash \{as\} \)). If as is a selfadaptive module, it is removed from the frame set (\(F'=F \backslash \{as\}\)) and cts is updated correspondingly.
The rule JAR is used to assign the role r to as. This rule adds the node \(n_2\) to the set of nodes connecting by the hyperedge as (\(\theta ' = \theta  \{(as,\theta (as) \cup \{n_2\})\}\)). Similarly, execution of the primitive action \(\mathsf {quit}(r,as)\) results in quitting as from the role r using the rule \({ \textsc {QAR}}\). In this rule, as is connected to r through the node \(n_2\) and this connection is removed by eliminating \(n_2\) from the nodes connected by as, i.e., (\(\theta '(as)=\theta (as) \backslash \{n_2\}\)). If an actor or a selfadaptive module quits from all of its roles, since it has the predefined role \(\iota \), will remain as an underlying actor of the manager m.
Example 6
Let Fig. 4 show the current structure of our example. Figure 8(a) illustrates the structure after the execution of \(\mathsf {add}(\mathsf {clusterD})\) in Example 5 that assigns the default role r to the selfadaptive module \(\mathsf {clusterD}\). Then, execution of the action \(\mathsf {join(powerfuleClusterRole,clusterD)}\) leads to the system structure shown in Fig. 8(b). To remove or add a cluster, the request receiver does not need to know the internal structure of the cluster which is an advantage of our model.
The set of nodes connected by a set X is defined as \(\theta (X)= \underset{e \in X}{\bigcup }\theta (e)\). Let a selfadaptive module \(\kappa \) contain a manager M, the set of actors A, the set of selfadaptive modules \(\mathcal {K}\) and the set of roles R assigned by M. We define the wellformedness of \(\kappa \)’s structure as follows:
Definition 7
Wellformed structure. The hhgraph \(H=(G,\mathcal {K},cts)\) describing \(\kappa \)’s internal architecture, is wellstructured if (1) H has at least a managed element, i.e. \(A \cup \mathcal {K}\ne \emptyset \), (2) the manager M is only connected to the roles, i.e. \(\theta (M) \subseteq \theta (R)\), (3) every role \(r \in R\) is connected to M (i.e. \(\exists n. \theta (M) \cap \theta (r) =\{n\}\)) in addition to the actors and the selfadaptive modules (i.e. \(\theta (r) \subseteq \theta (\mathcal {K}) \cup \theta (A)\)), (4) every actor \(a \in A\) is only connected to other actors or roles, i.e. \(\theta (a) \subseteq \theta (R) \cup \theta (A \backslash \{a\})\), (5) every selfadaptive module \(\kappa \in \mathcal {K}\) is connected to the role hyperedges, i.e. \(\theta (\kappa ) \subseteq \theta (R)\), and (6) every selfadaptive module \(\kappa \in \mathcal {K}\) is wellformed.
The following lemma states that the transformation rules used to specify the reconfiguration semantics are sound:
Lemma 1
If H is a wellformed hhgraph showing the underlying structure of M, then \(H'\) obtained after some structural adaptations by M is also a wellformed hhgraph.
Proof
We prove this by induction on the number of performed structural adaptations. We show the structure after n structural adaptations by \(H_n\).
Base Case. If there is no structural adaptation, \({H'=H=H_0}\) and the conclusion is obvious.
Inductive Step. Assume it holds for n adaptations, i.e. \(H_n\) is wellformed. We should prove that \(H_{n+1}\) is wellformed. To prove this, we should prove that all six conditions are preserved by each of the rules in Fig. 7.
None of the rules changes the manager M, the roles and the nodes connected by M, i.e. \(\theta '(M)=\theta (M)\) and \(\theta '(R)=\theta (R)\), therefore, (1), (2) and the first part of (3) are preserved by all the rules. In the first rule, two cases can happen:

if as isn’t aframe, this rule adds a new edge as that connects only the node \(n_2\) where \(n_2\) belongs to \(\theta (\iota )\), i.e. \(n_2 \in \theta (\iota )\). The updates performed by this rule include adding the new hyperedge as and setting \(\theta '(as)\) to \(\{n_2\}\), i.e. \(\theta '(as)=\{n_2\}\). From, \(n_2 \in \theta (\iota )\) and \(\iota \in R\), we can conclude \(\theta '(as) \subseteq \theta '(R)\) and subsequently the item (4) holds. The selfadaptive modules do not change, i.e. \(\theta '(\mathcal {K})=\theta (\mathcal {K})\), hence (5) and (6) are followed from the inductive step hypothesis and the fact that \(\theta '(\kappa )=\theta (\kappa )\) for all \(\kappa \in \mathcal {K}\).

if as is a frame, the proof of (5) will be similar to that of (4) in the previous case. This rule also adds as to the frames and (6) is trivially followed from the sideconditions of this rule (i.e. \(\mathsf {wellFormed(G_{as})}\)) and the inductive step hypothesis.
The proof for the rule RAR is similar to that of AAR. The rule JAR only updates the graph by adding \(n_2\) to the nodes connected by as, i.e. \(\theta '(as) = \theta (as) \cup \{n_2\}\). If as is a selfadaptive module, from \(n_2 \in \theta '(r)\) and the assumption that \(\theta (as) \subseteq \theta (R)\), it follows \(\theta '(as) \subseteq \theta '(R)\) (i.e. (5) holds). The conditions (4) and (6) are respectively followed from the facts that this rule does not change nodes connected by the actors (i.e. \(\theta '(A)=\theta (A)\)) and no frame is added or modified by this rule (i.e. \(\theta '(R)=\theta (R)\)). Similarly, we can prove QAR.
7 Discussion and Related Work
In [13], the suitability of HPobSAM for modeling largescale selfadaptive systems has been discussed, particularly, it was discussed how the hierarchical structure of this model to support centralized and decentralized adaptations, improves scalability. In [17], the authors refer to [13] and mention that how the hierarchical structure offers a form of controlled autonomy and balances agent autonomy and system controllability, for example to prevent unsafe situations caused by a selfish acting ATV. Since we use hierarchical hypergraphs and a type of graph transformation rules which allows us to add or remove components with no need to be aware of their internal structure, this feature enables us to model open evolving systems where components enter or leave at any time, while their internal structure is unknown. Moreover, we use roles to specify structureindependent adaptation logic which allows us to adapt the system without changing the adaptation logic.
Three different features  separation of concerns, computational reflection and componentbased design  guarantee th flexibility of the apporach to develop selfadaptive systems. Policies are used to adapt the system behavior and the system structure which can be changed and loaded dynamically. This feature provides a highdegree of flexibility and makes HPobSAM a suitable model to model evolving software systems. We believe this work is original in using both structural and behavioral adaptations which are directed by an identical flexible mechanism. The applicability of this model has been shown by applying it on two case studies in the areas of server clusters and an autonomous transportation system in a smart airport [13].
In [14, 15], we have compared PobSAM with existing approaches for modeling behavioral adaptation in terms of flexibility, separation of concerns and formal foundation. The main aim of the research presented here is to extend our formal approach for architectural modeling and structural adaptation of software intensive systems. Hence we focus here on related work concerned with the design of softwareintensive systems and formal modeling of structural adaptation.
Another related area of research is structural adaptation which has been given strong attention. Formal techniques have been extensively used to model and analyze dynamic structural adaptation (see [7]). Structural adaptation (or dynamic reconfiguration) is usually modeled using graphbased approaches (e.g. [8, 25]) or ADLbased approaches (e.g. [18, 21]). Compared to the proposed approaches based on graph transformation, we use hierarchical hypergraphs and a type of graph transformation rule which allows us to add or remove components without need to be aware of their internal structure. Moreover, most existing work concentrates on modeling structural changes [6, 7], while we have integrated both behavior and architecture in our model. The authors in [6] model the system as graphs and use graph transformation to model the system behavior. In this work, both behavior and structure are modeled with the same formalism, however handling large and complex graphs would be difficult for largescale systems. We take the benefit of both an ordinary statebased formalism for specifying behavioral information in addition to graphs as a natural model to express the system structure.
In [3, 4], a coordinated actor model for selfadaptive trackbased traffic control systems is introduced which is inspired from PobSAM and Rebeca language [23]. In coordinated actor model, unlike HPobSAM we have a centralised coordinator. Creol is a formal objectoriented language to develop open distributed systems that supports dynamic upgrading of classes [28]. While this language supports some limited levels of dynamism that can be used for behavioural adaptations (e.g. by upgrading a method) or structural adaptations (e.g. by defining new interfaces), however, (i) it is not flexible as HPobSAM is, and (ii) its supported adaptations are limited and finegrained, e.g. one cannot remove a whole subsystem. DRBIP [12] is a component framework for programming reconfigurable systems that supports structural adaptations. In contrast to HPobSAM, this framework does not support behavioural adaptation and is not flexible.
8 Conclusion
We provided a formal semantics for HPobSAM which is a formal model to specify structural and behavioral adaptations in largescale systems. In this model, selfadaptive modules are used as autonomous building blocks to structure a system. We used hierarchical hypergraphs to model the system structure. The proposed semantics rules enable us to add or remove a component of which the internal structure is not given. To support reasoning about systems designed using HPobSAM, we plan to extend a tool developed in [13] to generate Maude specifications from HPobSAM models which will allow us to use the reasoning techniques provided by Maude (e.g. model checking). Furthermore, the behavioural equivalence theory proposed for PobSAM [15, 16] can be slightly extended to support graph morphisms and reason about behavioural/structural equivalence.
Notes
 1.
Note that we choose to represent multisets as elements of \(N^*\), i.e. strings of occurrences of elements from N. Thus, e.g., the string bab represents the multiset \(\{a,b,b\}\) as do abb and bba. Moreover, for every hyperedge e the string \(\theta (e)\) is not empty; and for every hyperedge \(e' \ne e\), the multisets represented by \(\theta (e)\) and \(\theta (e')\) are not the same.
 2.
Note that the application of \(m_N\) to the string \(\theta _1(e)\) yields a string in \(N_2^*\).
References
Arcaini, P., Riccobene, E., Scandurra, P.: Modeling and analyzing MAPEK feedback loops for selfadaptation. In: 10th IEEE/ACM International Symposium on Software Engineering for Adaptive and SelfManaging Systems, SEAMS 2015, Florence, Italy, May 18–19, 2015, pp. 13–23 (2015)
Arcaini, P., Riccobene, E., Scandurra, P.: Formal design and verification of selfadaptive systems with decentralized control. TAAS 11(4), 25:1–25:35 (2017)
Bagheri, M., et al.: Coordinated actors for reliable selfadaptive systems. In: Kouchnarenko, O., Khosravi, R. (eds.) FACS 2016. LNCS, vol. 10231, pp. 241–259. Springer, Cham (2017). https://doi.org/10.1007/9783319576664_15
Bagheri, M., et al.: Coordinated actor model of selfadaptive trackbased traffic control systems. J. Syst. Softw. 143, 116–139 (2018)
Beal, J., Bachrach, J.: Infrastructure for engineered emergence on sensor/actuator networks. IEEE Intell. Syst. 21(2), 10–19 (2006)
Becker, B., Giese, H.: Modeling of correct selfadaptive systems: a graph transformation system based approach. In: Proceedings of the 5th International Conference on Soft Computing as Trans Disciplinary Science and Technology, pp. 508–516 (2008)
Bradbury, J.S., Cordy, J.R., Dingel, J., Wermelinger, M.: A survey of selfmanagement in dynamic software architecture specifications. In: Proceedings of 1st ACM SIGSOFT Workshop on Selfmanaged Systems, pp. 28–33. ACM (2004)
Cansado, A., Canal, C., Salaün, G., Cubo, J.: A formal framework for structural reconfiguration of components under behavioural adaptation. Electr. Notes Theor. Comput. Sci. 263, 95–110 (2010)
Deiters, C., et al.: Demsy  a scenario for an integrated demonstrator in a smart city. Technical report, NTH  Niedersachsische Technische Hochschule (2010)
Drewes, F., Hoffmann, B., Plump, D.: Hierarchical graph transformation. J. Comput. Syst. Sci. 64(2), 249–283 (2002)
Ehrig, H., Ehrig, K., Prange, U., Taentzer, G.: Fundamentals of Algebraic Graph Transformation. MTCSAES. Springer, Heidelberg (2006). https://doi.org/10.1007/3540311882
El Ballouli, R., Bensalem, S., Bozga, M., Sifakis, J.: Programming dynamic reconfigurable systems. In: Bae, K., Ölveczky, P.C. (eds.) FACS 2018. LNCS, vol. 11222, pp. 118–136. Springer, Cham (2018). https://doi.org/10.1007/9783030021467_6
Khakpour, N., Jalili, S., Sirjani, M., Goltz, U., Abolhasanzadeh, B.: Hpobsam for modeling and analyzing it ecosystems  through a case study. J. Syst. Softw. 85(12), 2770–2784 (2012)
Khakpour, N., Jalili, S., Talcott, C., Sirjani, M., Mousavi, M.R.: Pobsam: policybased managing of actors in selfadaptive systems. Electr. Notes Theor. Comput. Sci. 263, 129–143 (2010)
Khakpour, N., Jalili, S., Talcott, C.L., Sirjani, M., Mousavi, M.R.: Formal modeling of evolving adaptive systems. Sci. Comput. Program. 78, 3–26 (2012)
Khakpour, N., Sirjani, M., Goltz, U.: Contextbased behavioral equivalence of components in selfadaptive systems. In: Qin, S., Qiu, Z. (eds.) ICFEM 2011. LNCS, vol. 6991, pp. 16–32. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642245596_4
Lee, E.A., Sirjani, M.: What good are models? In: Bae, K., Ölveczky, P.C. (eds.) FACS 2018. LNCS, vol. 11222, pp. 3–31. Springer, Cham (2018). https://doi.org/10.1007/9783030021467_1
J. Magee, J. Kramer: Dynamic structure in software architectures. In: Proceedings of the Fourth ACM SIGSOFT Symposium on the Foundations of Software Engineering (1996)
Merelli, E., Paoletti, N., Tesei, L.: Adaptability checking in complex systems. Sci. Comput. Program. 115–116, 23–46 (2016)
Moreno, G.A., Cámara, J., Garlan, D., Schmerl, B.R.: Proactive selfadaptation under uncertainty: a probabilistic model checking approach. In: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2015, Bergamo, Italy, August 30  September 4, 2015, pp. 1–12 (2015)
Oreizy, P., Medvidovic, N., Taylor, R.N.: Architecturebased runtime software evolution. In Proceedings of the 20th International Conference on Software Engineering, ICSE 1998, pp. 177–186. IEEE Computer Society, Washington, DC (1998)
Shen, W.M., Will, P.M., Galstyan, A., Chuong, C.M.: Hormoneinspired selforganization and distributed control of robotic swarms. Auton. Robots 17(1), 93–105 (2004)
Sirjani, M., Movaghar, A., Shali, A., de Boer, F.S.: Modeling and verification of reactive systems using rebeca. Fundam. Inform. 63(4), 385–410 (2004)
Sloman, M., Lupu, E.C.: Engineering policybased ubiquitous systems. Comput. J. 53(7), 1113–1127 (2010)
Taentzer, G., Goedicke, M., Meyer, T.: Dynamic change management by distributed graph transformation: towards configurable distributed systems. In: Ehrig, H., Engels, G., Kreowski, H.J., Rozenberg, G. (eds.) TAGT 1998. LNCS, vol. 1764, pp. 179–193. Springer, Heidelberg (2000). https://doi.org/10.1007/9783540464648_13
Villalbaa, C., Zambonelli, F.: Towards natureinspired pervasive service ecosystems: concepts and simulation experiences. J. Network Comput. Appl. 34(2), 589–602 (2011)
Viroli, M., Casadei, M., Nardini, E., Omicini, A.: Towards a pervasive infrastructure for chemicalinspired selforganising services. In: Weyns, D., Malek, S., de Lemos, R., Andersson, J. (eds.) SOAR 2009. LNCS, vol. 6090, pp. 152–176. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642144127_8
Yu, I.C., Johnsen, E.B., Owe, O.: Typesafe runtime class upgrades in creol. In: Gorrieri, R., Wehrheim, H. (eds.) FMOODS 2006. LNCS, vol. 4037, pp. 202–217. Springer, Heidelberg (2006). https://doi.org/10.1007/11768869_16
Acknowledgment
We thank the anonymous reviewers for their helpful comments that improved the paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 IFIP International Federation for Information Processing
About this paper
Cite this paper
Khakpour, N., Kleijn, J., Sirjani, M. (2019). A Formal Model to Integrate Behavioral and Structural Adaptations in Selfadaptive Systems. In: Hojjat, H., Massink, M. (eds) Fundamentals of Software Engineering. FSEN 2019. Lecture Notes in Computer Science(), vol 11761. Springer, Cham. https://doi.org/10.1007/9783030315177_1
Download citation
DOI: https://doi.org/10.1007/9783030315177_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030315160
Online ISBN: 9783030315177
eBook Packages: Computer ScienceComputer Science (R0)