A Language for Self-Adaptive System Requirements

Jon Whittle, Pete Sawyer, Nelly Bencomo
Computing Department,
InfoLab21,
Lancaster University,
Lancaster LA1 4AW, UK
Betty H.C. Cheng
Department of Computer Science and
Engineering,
Michigan State University,
East Lansing, MI 48824, USA

ABSTRACT
Self-adaptive systems have the capability to autonomously
modify their behaviour at run-time in response to changes in
their environment. Such systems are now commonly built in
domains as diverse as enterprise computing, automotive control
systems, and environmental monitoring systems. To date,
however, there has been limited attention paid to how to
engineer requirements for such systems. As a result, self-
adaptivity is often constructed in an ad-hoc manner. In this
paper, we argue that a more rigorous treatment of requirements
relating to self-adaptivity is needed and that, in particular,
requirements languages for self-adaptive systems should include
explicit constructs for specifying and dealing with the
uncertainty inherent in self-adaptive systems. We present some
initial thoughts on a new requirements language for self-
adaptive systems and illustrate it using examples from the
services domain.
1. Introduction
A system has goals that must be satisfied and, whether these
goals are explicitly identified or not, system requirements should
be formulated to guarantee goal satisfaction. This fundamental
principle has served systems development well for several
decades but is founded on an assumption that goals are fixed. In
general, goals can remain fixed if the environment in which the
system operates is stable. Hence, for example, using
conventional development techniques and systems
infrastructures, banking systems can be developed on the
assumption that the fundamental characteristics of the financial
services industry remain stable. However, in the 1980s,
deregulation caused fundamental changes to the UK financial
services industry. So significant were these environment
changes that UK banking systems had new goals. Many existing
systems had to undergo costly changes and completely new
systems had to be developed to adapt to the new environment.
Deregulation of the UK financial services industry caused
fundamental changes to banks’ operating environments but this
change took place over a period of time that was sufficiently
long to allow developers to make the necessary system
adaptations. Increasingly, there is a demand for systems whose
environment changes at a rate that necessitates the system to
adapt in real time and with minimal intervention of developers.
As an example, a mobile device may need the ability to adapt in
order to take advantage of new services as they come in range
and become available. The goals of such a system may remain
constant (e.g., to provide users with access to communication
and information services) but subtle trade-offs in how they are
satisfied may be necessary. For example, the choice of service to
use may be constrained by a preference for certain service
providers that may not always be available. The need for such
trade-offs poses significant challenges for system developers but
it is also possible to envisage systems where the environment is
so volatile that the goals themselves change, and change so fast
that systems need to adapt at run-time. (We acknowledge,
however, that at the highest level of abstraction, invariant goals
exist that indicate the fundamental services that must be
provided by an adaptive system.)
Consider, for example, an autonomous vehicle designed for use
in hazardous environments. One of its goals is to extinguish
fires. It is a valuable vehicle so it also has a goal to preserve its
capability to fight future fires, perhaps specified as (amongst
others) a requirement that the temperature of the vehicle’s
casing must be maintained below some threshold value. If
operating at the scene of a chemical fire (say) where the fire is in
danger of reaching a tank of explosive chemicals, however, the
second goal may have to be relaxed or disappear. Hence, in such
circumstances, it may be better to allow the vehicle to remain in
position spreading fire-suppressant chemicals for longer than
guarantees the vehicle’s survival, if this offers the best chance of
avoiding an explosion. Note that there is an implicit trade-off
between the two goals and it is easy to hypothesise
circumstances where, even in non-emergency situations, the
state of the environment might mean that achieving both goals
was infeasible.
Quite aside from the obvious challenges of implementing such a
self-adaptive system (although great strides in developing
adaptive infrastructures have been made in recent years [9]), it is
difficult to specify requirements to satisfy goals that:
ξ may change in the sense that their priority in relation to
other goals may evolve;
ξ may disappear, as in the case of the self-preservation goal
above;
ξ may have been unanticipated by the analyst.