Available online at www.sciencedirect.com
Procedia Computer Science 00 (2018) 000–000 www.elsevier.com/locate/procedia
22nd International Conference on Knowledge-Based and Intelligent Information & Engineering Systems
A Decomposition-based Approach of Global Norms for Hierarchical Normative Systems
Ezzine Missaoui a,∗, Belhassen Mazigh b, Sami Bhiri c, Vincent Hilaire d
a ENSI, University of Manouba, 2010, Manouba, Tunisia
b Department of Computer Sciences, FSM, Monastir, Tunisia
c OASIS-ENIT, Tunis, Tunisia
d Univ Bourgogne Franche-Comté, UTBM IRTES-SET EA 7274/IMSI F-90010 Belfort cedex, France
Abstract

Holonic Multi-Agent Systems (HMAS) form a promising approach to software engineering for the modeling and development of hierarchical autonomous systems (intelligent transportation systems, smart city management systems, etc.). One of the main challenges currently faced in HMAS research is the specification and verification of non-functional requirements. In particular, how can non-functional requirements be expressed and enforced in hierarchical and critical autonomous systems? One solution is to use norms. The concept of norm is well adapted to the definition of HMAS, and norms can be considered as a powerful way to specify the non-functional requirements of these types of systems. Non-functional requirements can conflict with each other (for example, cost and quality, comfort and economy). The second challenge is the coherence checking of norms that specify non-functional requirements. However, verification approaches are limited by the state space of the system under study. Specifying and verifying a global normative model in a single level is therefore complex and difficult. Yet most normative models for multi-agent systems do not take into account the complexity of the algorithms that verify the coherence of norms. One solution is to use a coherent refinement process of global norms. This paper proposes a Global Norms Decomposition (GND) approach for hierarchical and critical autonomous systems. The GND approach allows (i) the specification of global norms in the abstract level of the studied system, (ii) the coherence checking of global norms in the abstract level, and (iii) the successive refinement of these norms using a set of refinement rules that preserve properties of the system already proven in the highest level, in order to arrive finally at a concrete normative context which constitutes the behaviour model of the system.
The GND approach simplifies the specification of norms, supports incremental specification through a refinement process, and reduces the complexity of checking the coherence of norms by building the verification on refinement rules. Our approach is also illustrated by a case study describing a smart city management system.

© 2018 The Authors. Published by Elsevier Ltd.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0/)
Selection and peer-review under responsibility of KES International.

Keywords: Holon; Holonic Multi-agents Systems; Hierarchical System; Non-Functional Requirements; Behavioral Requirements; Norms; Normative Models; Normative Conflict; Consistency Checking; Refinement.
∗ Corresponding author. Tel.: +216 20 927 340
1877-0509 © 2018 The Authors. Published by Elsevier Ltd.
1. Introduction

New developments and emerging applications, such as autonomous software for intelligent transportation systems and smart city management systems, pose new challenges for requirements specification and verification approaches. Modeling the critical aspects of hierarchical and critical autonomous systems requires a high level of assurance for critical mission, safety, or security requirements. To provide solutions for achieving assurance for such critical systems, new approaches must be developed to address the formalization and validation of requirements for these types of systems. These systems require both a hierarchical structure, which brings together different levels of abstraction within the same system, and the maintenance of regulation and social control of the various entities involved in these systems, using a set of norms [1, 2].

Holonic Multi-Agent Systems (HMAS) [3, 4, 5] are recognized as effective technologies for modelling and building hierarchical autonomous systems. HMASs are considered as societies composed of autonomous and independent entities, called holons [6] (groups of agents), which interact in order to solve a problem or collectively perform a task. Therefore, the notion of holon makes it possible to describe systems of hierarchical nature [7]. HMASs involve heterogeneous and autonomous holons whose interactions must conform to certain norms and shared conventions to ensure the social control [8] of the system.

Most normative models [9] for Multi-Agent Systems (MAS) [10] focus only on functional requirements and behavioral specifications, while non-functional requirements are crucial in the development of critical autonomous systems. Norms can be considered as a powerful way to specify the non-functional requirements of hierarchical critical systems. Non-functional requirements define the properties of the system, according to defined criteria. They act as constraints on the services rendered by this system.

Non-functional requirements can conflict with each other (for example, cost and quality, comfort and economy). The second challenge addressed in this paper is the coherence checking of norms that specify non-functional requirements. However, verification approaches are limited by the size of the state space. Specifying and verifying a global normative model in a single level is therefore complex and difficult. Yet most normative models for multi-agent systems do not take into account the complexity of the algorithms that verify the coherence of norms. One of the main solutions is to use a coherent refinement process of global norms.

In this paper, we propose a Global Norms Decomposition (GND) approach for specifying non-functional requirements of hierarchical critical systems. This approach provides: (i) a formalism for specifying non-functional requirements (system quality) using a set of global norms, and (ii) a coherent refinement process of these global norms. Our approach simplifies the specification of norms, supports incremental specification through a refinement process, and reduces the complexity of checking the coherence of norms by building the verification on refinement rules that preserve the coherence of norms.

The rest of this paper is organized as follows: Section 2 presents a motivating example; Section 3 gives an overview of work on normative models; Section 4 describes the basic concepts used in our approach; and Section 5 details our Global Norms Decomposition (GND) approach. The last section concludes the paper and outlines future work.
2. Motivating Example

In this section, we present the Smart City Management System as a motivating example. It is used throughout this paper to illustrate our GND approach. A Smart City is an innovative city that uses Information and Communication Technology (ICT). A smart city must include: intelligent energy, smart buildings, intelligent transportation, smart security and safety, intelligent health care and intelligent education. It integrates the best existing concepts (materials, systems and technologies) to meet the requirements of managers and users. A Smart City has many features: (i) improved comfort in buildings (heating, air conditioning, ventilation and electric lighting); (ii) enhanced surveillance and security in the building; (iii) reduced energy consumption.

Fig. 1. Normative Holonic Structure of Smart City Management System

A smart city is composed of multiple heterogeneous and complex entities interacting with each other. In order to meet the needs of all these entities, a smart city must anchor its development in respect of a set of social norms and shared agreements. The smart city management system is hierarchical and requires social control. The development of autonomous software for smart city management systems poses new challenges for the specification and verification of requirements.

Fig. 1 describes the holarchy of the smart city. From a holonic point of view, at the highest level (level n), we can decompose the smart city (H1) into several smart neighborhoods. In the same way, a smart neighborhood (H2) can be decomposed into three holons as substructure: road network (H3), green space management system (H4), and smart buildings (H5). At the lowest level (level n-4) there are intelligent sensors and meters, digital media and information devices, where n is the hierarchical level number of our system, the Smart City Management System; n = 5 levels here.

From a normative point of view, we define a set of norms that specify the requirements of a smart city management system. Since norms are associated with hierarchical entities, the normative context (set of global norms) is also specified in a hierarchical structure using successive refinements. The normative context of a holon is specified by the set of norms that directly affect the properties associated with this holon. Refinement makes it possible to develop the normative context of a system incrementally, starting from an abstract context which constitutes a specification of the system. During the refinement, global norms are decomposed.
An informal specification of some global norms in the smart city management system is reported below:

Norm 1: Smart City is obliged to improve surveillance and safety of the users.
Norm 2: Smart City is obliged to reduce energy consumption.
Norm 3: Smart City is obliged to improve comfort of the users.

3. Related Work

Several normative approaches for MAS have been proposed in order to design agent societies in environments governed by norms. The use of norms makes it possible to regulate and influence the agents' behaviour. According to the regulated entities, we can classify these approaches into three main groups: (1) norms applied to an agent [11, 12, 13], (2) norms applied to a role [14, 15, 16], and (3) norms applied to an organization [17, 18, 19].

Norms regulate the behaviour of agents by defining obligations and prohibitions, and by creating rewards and penalties to encourage the agents to meet these constraints. Indeed, [11] proposes an agent architecture, called the Beliefs-Obligations-Intention-Desires (BOID) architecture, that contains feedback loops to consider all effects of actions before committing to them. In [12], dos et al. propose an architecture model to build motivation-oriented agents that can reason about norms of a society in an autonomous way. This architecture extends the BDI model by including norm-related functions to support normative reasoning. In [13], Kagal and Finin introduce a policy-based framework that helps agent communication filter inappropriate messages.

Norms are descriptive information for a role. They determine the obligations and social constraints for an agent's actions. Indeed, the work described in [14] by Gunay and Yolum represents obligations and prohibitions of roles of an organization through commitments. Pacheco and Carmo [15] describe the modelling of complex organisations and organisational behaviour based on roles and normative concepts. The work described in [16] proposes a metamodel, called NCRIO (Norm, Capacity, Role, Interaction, and Organization), for the design of Normative Holonic Multi-Agent Systems (NHMAS). The NCRIO metamodel retains the properties of HMASs and adds normative concepts (Norms and Contracts) to maintain social control in these systems.

Organisation-oriented approaches to the formation of multi-agent systems use norms to describe an agent's social position within an artificial society or Virtual Organisation. For example, the work described in [17] provides a service-oriented methodology, called GORMAS, which defines a set of activities for the analysis and design of organizational systems, including the design of the norms that govern the behavior of the system entities. The work described in [18] proposes a methodology, called ROMAS, for the analysis and the design of normative open MAS. In ROMAS, organizations are defined by a social structure based on a service-oriented open MAS architecture. Garcia et al. [19] propose a CASE tool for developing complex systems in which heterogeneous and autonomous agents may need to coexist in a complex social and legal framework. Organizations impose limits on the actions that the agents can perform by means of Norms and Contracts.

According to the regulated behaviour, normative approaches can be classified into three categories. (1) Norms related to actions: an agent's actions [20] within an activity may have consequences in the form of normative positions (i.e. obligations, permissions, and prohibitions) that may constrain its future behaviour. Obligations, permissions and prohibitions are modeled as operators that characterize either actions. (2) Norms related to states: the work described in [21] considers norms as the states of affairs that an agent is obliged to bring about, permitted to do, or prohibited from doing. (3) Norms related to missions: MOISE+ [22] is based on the concepts of missions (a set of global goals) and global plans (the goals in a structure). A mission is a set of coherent goals that an agent can commit to.

Most normative models for MAS focus only on behavioral specifications governed by norms (behavioral norms), while non-functional requirements are crucial in the development of critical intelligent systems. The GND approach that we propose in this paper is able to deal with these limitations.
4. Preliminaries

In this section, we describe the basic concepts used in our approach. We present an overview of the concepts of holon, norm, requirement, and refinement.

Holon - A holon is usually defined as a self-similar structure that is stable, coherent and composed of holons as substructures. For this reason, it can be seen from different points of view, either as an autonomous atomic entity or as an organization of holons. Therefore, the notion of holon makes it possible to describe systems of hierarchical nature. A holon has the same properties as those assigned to agents, such as autonomy, social empowerment and proactivity.

Norms - Norms [1] can be used in MAS [10] to define behavioural models. The main interest of norms is to find a compromise between the need for autonomy and the need for control. The use of norms has a positive impact on coordination by reducing the uncertainty of the interactions that is due to the autonomy of holons (each holon decides whether or not its own process should run a required action). The representation of norms involves deontic expressions such as obligation, permission and prohibition. The formalization of these notions gave birth to deontic logic [23]. This logic introduces the following modal operators: (O) for OBLIGATION, (P) for PERMISSION and (I) for PROHIBITION.

Norms can be considered as a powerful way to specify the non-functional requirements of hierarchical critical systems. They define the system's properties (security, performance, quality of service, etc.). A norm is the expression of a deontic concept (obligation, permission, prohibition) for a property (the object of the norm). It assigns a deontic value to a property. The properties to which norms can assign a deontic value are modeled by parameterized predicates. Formally, a norm is defined as follows: DC(Pr(H, OP, V)), with DC = {O, I, P}: deontic concept, Pr: predicate.

For example, in our case study, the Smart City Management System, we can associate a deontic concept with the energy saving property through the following norm:

Norm 1: Smart neighborhood is obliged to reduce energy consumption (the energy consumption per day must be lower than a given value, for example 100 KW per day). It is formally written in the form O(energy_saving(H2, ≤, 100)).

Requirements - Requirements define the properties or capabilities of the required system in order to solve the problem for which it was designed. The requirements are generally classified into two categories: functional and non-functional. Functional Requirements define the functionalities or processes that the system must perform. Non-Functional Requirements define the properties of the system to be designed, according to defined criteria. They act as constraints on the services rendered by the system. For example, for the smart city management system, the quality criteria are security, comfort, energy saving, availability, response time, etc.

Refinement - Refinement is the process of transforming abstract specifications of a complex system into more concrete specifications. This refinement mechanism ensures that all properties proven on abstract models are preserved on concrete models. In the literature, we distinguish two types of refinement: decomposition and augmentation methods. Decomposition methods allow a progressive decomposition of global constraints and global goals of the system. The main idea is that each global constraint Ci is decomposed into a set of n local constraints c1, c2, ..., cn. This process is formalized by a set of generic decomposition rules. Augmentation methods make it possible to present additional information about a system event or functionality. Each abstract event can be refined by one or many concrete events. Each step of refinement is validated by proof mechanisms guaranteeing its correctness.
5. GND Approach

In this section, we propose a Global Norms Decomposition (GND) approach for specifying and verifying non-functional requirements of hierarchical critical systems from high-level norms. The GND approach provides both a formalism for specifying non-functional requirements using a set of global norms, and a refinement process of these global norms. First, we clarify how we specify the non-functional requirements of critical hierarchical systems using norms. Then, we consider the consistency check of norms. Finally, we consider the coherent refinement of these global norms using correction criteria and a set of refinement rules.

5.1. Formalism Description of Norms

The formalism which we use for the description of norms is based on deontic logic. The specification of norms related to non-functional requirements is given by the following grammar:

<norm> ::= <deontic concept> (<formula>)
<deontic concept> ::= OBLIGATION | PROHIBITION | PERMISSION
<formula> ::= <atom> | <formula> <connector> <formula> | <quantifier> <variable> <formula> | <formula> <operator> <formula>
<atom> ::= <predicate> (<term>, ...)
<term> ::= <constant> | <variable> | <function> (<term>, ...)
<operator> ::= ⊆ | > | ≥ | < | ≤ | =
<connector> ::= ¬ | ⇒ | ⇔ | ∧ | ∨ | ⊨
<quantifier> ::= ∃ | ∀

where deontic concept = {O, I, P} and formula is a predicate that specifies a property.

We show how to use this grammar through several examples. All these examples, along with the rest of the examples in this paper, are based on a Smart City Management System. This system has several non-functional requirements (system quality) that define the system's properties, according to defined criteria. Among the quality criteria, there are: security, comfort, economy of energy, performance, quality of service, availability, response time, etc.

We can associate a deontic concept with the system's properties through the following norms:

Norm 1: O(security(H2, ≤, 2)) /* Smart Neighborhood (H2) is obliged to improve the users security. */
Norm 2: O(energy_saving(H2, ≤, 500)) /* Smart Neighborhood (H2) is obliged not to exceed 500 KW per day. */
Norm 3: O(comfort(H2, ≥, 3)) /* Smart Neighborhood (H2) is obliged to improve the users comfort. */
Norm 4: O(response_time(H2, ≤, 10)) /* Smart Neighborhood (H2) is obliged to satisfy a service in a delay not exceeding 10 seconds. */

5.2. Coherence Checking of Norms

We clarify the meaning that we give to the coherence of a normative context in our approach. First we consider the local consistency of a norm.

Local Coherence of Norms - To be locally coherent, a norm must describe a quality model (non-functional requirements) that is feasible by a holon, i.e. the same property is not simultaneously permitted and prohibited (or optional and obligatory). For the normative context to be coherent, each of the norms must be locally coherent, and we must also consider the dependencies that exist between the norms.

Global Coherence of Norms - A norm is globally coherent iff: (i) it is locally coherent, and (ii) the union of its explicit and implicit constraints does not simultaneously attribute a permission and a prohibition to a property. A normative context is coherent iff all its norms are globally coherent.

Non-functional requirements can conflict with each other (for example, cost and quality, comfort and economy). Due to the massive number of norms used to specify non-functional requirements of a hierarchical and critical system, an important issue that has been considered by several normative approaches is the verification and the resolution of the coherence of norms. In our approach, we use the techniques of unification [24] and constraint satisfaction [25] to detect and resolve normative incoherence (conflict) in normative models for holonic multi-agent systems. Unification allows us to detect whether norms are in normative conflict and to detect all the properties that are under the influence of a norm.

5.3. Coherent Refinement of Norms

In a holonic multi-agent system, when a norm is applied to a super-holon, it is applied to all sub-holons that are members of the super-holon.
Our GND approach provides a refinement process for different types of norms. This process is formalized by a set of generic decomposition rules and correction criteria, which allow the decomposition process to be automated while guaranteeing its correctness.

5.3.1. Correction Criteria

Correction criteria make it possible to verify that the refinement effectively guarantees the satisfaction of lower-level norms by higher-level ones. A refinement is correct iff the satisfaction of the refined norm has the satisfaction of the refining norms as a semantic consequence.

$P \models Q$: a formula $Q$ is a semantic consequence of a formula $P$ iff any interpretation that satisfies $P$ also satisfies $Q$. A formula $P$ is satisfiable iff it takes the value True for at least one interpretation $i$; we say that $i$ satisfies $P$.

Definition (Correction of a refinement): let $N$ be a norm and $\{n_i\}_{i \in I}$ a set of norms, such that $\{n_i\}_{i \in I}$ refines $N$. Then the refinement is correct iff:

$$N \models \{n_i\}_{i \in I}$$

5.3.2. Refinement Rules

We propose a set of generic refinement rules that decompose the global norms while respecting the coherence of the normative system. There are four types of property aggregation functions: sum-type (e.g. Cost, energy saving), min-type (e.g. Reputation, Throughput, Comfort), max-type (e.g. Response Time, Security), and product-type (e.g. Availability, Reliability, Successful execution rate). A norm is the expression of a deontic concept (O: Obligation, P: Permission, and I: Prohibition) for a property (sum-type, min-type, max-type, and product-type). So, we will define 12 generic rules for decomposing global norms.

$$O(P_{d,s}(H, OP, V)) \models \forall h_i \in H,\ O(P(h_i, OP, v_i)) \wedge \sum_{i=0}^{m} v_i \le V \tag{1}$$

Rule (1) decomposes a global norm that defines an obligation (O) associated with a sum-type property. For example:

$$O(\mathit{energy\_saving}(H_2, \le, 500)) \models O(\mathit{energy\_saving}(H_3, \le, v_1)) \wedge O(\mathit{energy\_saving}(H_4, \le, v_2)) \wedge O(\mathit{energy\_saving}(H_5, \le, v_3)) \wedge \sum_{i=0}^{3} v_i \le 500$$

$$O(P(H, OP, V)) \models \forall h_i \in H,\ O(P(h_i, OP, v_i)) \wedge \max(\{v_i\}) \le V \tag{2}$$
Rule (2) decomposes a global norm that defines an obligation (O) associated with a max-type property. For example:

$$O(\mathit{response\_time}(H_2, \le, 10)) \models O(\mathit{response\_time}(H_3, \le, v_1)) \wedge O(\mathit{response\_time}(H_4, \le, v_2)) \wedge O(\mathit{response\_time}(H_5, \le, v_3)) \wedge \max(\{v_1, v_2, v_3\}) \le 10$$

The same holds for the security property:

$$O(\mathit{security}(H_2, \le, 2)) \models O(\mathit{security}(H_3, \le, v_1)) \wedge O(\mathit{security}(H_4, \le, v_2)) \wedge O(\mathit{security}(H_5, \le, v_3)) \wedge \max(\{v_1, v_2, v_3\}) \le 2$$

$$O(P(H, OP, V)) \models \forall h_i \in H,\ O(P(h_i, OP, v_i)) \wedge \min(\{v_i\}) \ge V \tag{3}$$
Rule (3) decomposes a global norm that defines an obligation (O) associated with a min-type property. For example:

$$O(\mathit{comfort}(H_2, \ge, 3)) \models O(\mathit{comfort}(H_3, \ge, v_1)) \wedge O(\mathit{comfort}(H_4, \ge, v_2)) \wedge O(\mathit{comfort}(H_5, \ge, v_3)) \wedge \min(\{v_1, v_2, v_3\}) \ge 3$$

$$O(P(H, OP, V)) \models \forall h_i \in H,\ O(P(h_i, OP, v_i)) \wedge \prod_{i=0}^{n} v_i \ge V \tag{4}$$

Rule (4) decomposes a global norm that defines an obligation (O) associated with a product-type property. These four rules decompose the norms that define an obligation (O) associated with all types of properties (sum-type, min-type, max-type, product-type).

$$I(P_{d,s}(H, OP, V)) \models \forall h_i \in H,\ I(P(h_i, OP, v_i)) \wedge \sum_{i=0}^{m} v_i \ge V \tag{5}$$
Rule (5) decomposes a global norm that defines a Prohibition (I) associated with a sum-type property.

$$I(P(H, OP, V)) \models \forall h_i \in H,\ I(P(h_i, OP, v_i)) \wedge \max(\{v_i\}) \ge V \tag{6}$$

Rule (6) decomposes a global norm that defines a Prohibition (I) associated with a max-type property.

$$I(P(H, OP, V)) \models \forall h_i \in H,\ I(P(h_i, OP, v_i)) \wedge \min(\{v_i\}) \ge V \tag{7}$$

Rule (7) decomposes a global norm that defines a Prohibition (I) associated with a min-type property.

$$I(P(H, OP, V)) \models \forall h_i \in H,\ I(P(h_i, OP, v_i)) \wedge \prod_{i=0}^{n} v_i \ge V \tag{8}$$
Rule (8) decomposes a global norm that defines a Prohibition (I) associated with a product-type property. These four rules ((5), (6), (7) and (8)) decompose the norms that define a Prohibition (I) associated with all types of properties (sum-type, min-type, max-type, product-type).

$$P(P_{d,s}(H, OP, V)) \models \forall h_i \in H,\ P(P(h_i, OP, v_i)) \wedge \sum_{i=0}^{m} v_i \le V \tag{9}$$

Rule (9) decomposes a global norm that defines a Permission (P) associated with a sum-type property.

$$P(P(H, OP, V)) \models \forall h_i \in H,\ P(P(h_i, OP, v_i)) \wedge \max(\{v_i\}) \le V \tag{10}$$

Rule (10) decomposes a global norm that defines a Permission (P) associated with a max-type property.

$$P(P(H, OP, V)) \models \forall h_i \in H,\ P(P(h_i, OP, v_i)) \wedge \min(\{v_i\}) \ge V \tag{11}$$

Rule (11) decomposes a global norm that defines a Permission (P) associated with a min-type property.

$$P(P(H, OP, V)) \models \forall h_i \in H,\ P(P(h_i, OP, v_i)) \wedge \prod_{i=0}^{n} v_i \ge V \tag{12}$$

Rule (12) decomposes a global norm that defines a Permission (P) associated with a product-type property. These four rules ((9), (10), (11) and (12)) decompose the norms that define a Permission (P) associated with all types of properties (sum-type, min-type, max-type, product-type).
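The side conditions of rules (1) to (12) can be checked mechanically once each property is tagged with its aggregation type. The following Python is an added example, not code from the paper: it validates a proposed decomposition of a global norm against the matching rule, and the names `Norm`, `decompose`, `check_refinement`, the table layout and all v_i values are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import prod
import operator

# Holarchy fragment from the case study: smart neighborhood H2 is composed of
# road network H3, green space management system H4 and smart buildings H5.
HOLARCHY = {"H2": ("H3", "H4", "H5")}

# Aggregation type per property, as classified in Section 5.3.2.
AGGREGATION = {"energy_saving": "sum", "response_time": "max",
               "security": "max", "comfort": "min", "availability": "product"}
AGG_FN = {"sum": sum, "max": max, "min": min, "product": prod}

# Side condition of rules (1)-(12), read as: aggregate({v_i}) <cmp> V.
LE, GE = operator.le, operator.ge
SIDE_CONDITION = {
    ("O", "sum"): LE, ("O", "max"): LE, ("O", "min"): GE, ("O", "product"): GE,
    ("I", "sum"): GE, ("I", "max"): GE, ("I", "min"): GE, ("I", "product"): GE,
    ("P", "sum"): LE, ("P", "max"): LE, ("P", "min"): GE, ("P", "product"): GE,
}


@dataclass(frozen=True)
class Norm:
    """DC(Pr(H, OP, V)) as defined in the Preliminaries."""
    dc: str       # deontic concept: "O", "I" or "P"
    prop: str     # property predicate name
    holon: str    # holon the norm applies to
    op: str       # comparison operator, e.g. "<=" or ">="
    value: float  # threshold V (v_i for a sub-holon)


def decompose(global_norm, values):
    """Build one sub-norm per sub-holon, pairing sub-holons with values in order."""
    subs = HOLARCHY[global_norm.holon]
    if len(values) != len(subs):
        raise ValueError(f"need {len(subs)} values, got {len(values)}")
    return [Norm(global_norm.dc, global_norm.prop, h, global_norm.op, v)
            for h, v in zip(subs, values)]


def check_refinement(global_norm, sub_norms):
    """Return the list of violations; an empty list means the refinement is accepted."""
    expected = sorted(HOLARCHY.get(global_norm.holon, ()))
    if not expected:
        return [f"{global_norm.holon} has no sub-holons to refine into"]
    errors = []
    if sorted(n.holon for n in sub_norms) != expected:
        errors.append(f"sub-norms must cover exactly {expected}")
    for n in sub_norms:
        if (n.dc, n.prop, n.op) != (global_norm.dc, global_norm.prop, global_norm.op):
            errors.append(f"{n.holon}: deontic concept, property or operator differs")
    agg = AGGREGATION.get(global_norm.prop)
    cmp = SIDE_CONDITION.get((global_norm.dc, agg))
    if cmp is None:
        errors.append(f"no rule for ({global_norm.dc}, {agg})")
    elif sub_norms:
        aggregate = AGG_FN[agg](n.value for n in sub_norms)
        if not cmp(aggregate, global_norm.value):
            errors.append(f"{agg} of v_i = {aggregate} violates bound {global_norm.value}")
    return errors


if __name__ == "__main__":
    energy = Norm("O", "energy_saving", "H2", "<=", 500)   # Norm 2 of Section 5.1
    comfort = Norm("O", "comfort", "H2", ">=", 3)          # Norm 3 of Section 5.1
    # The v_i values below are constructed for illustration.
    print(check_refinement(energy, decompose(energy, [200, 150, 100])))  # accepted
    print(check_refinement(energy, decompose(energy, [300, 150, 100])))  # sum too high
    print(check_refinement(comfort, decompose(comfort, [2, 4, 5])))      # min too low
```

The check covers the structural part of each rule (same deontic concept, property and operator on every sub-holon) and its arithmetic side condition; it does not prove the semantic consequence itself.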
5.4. GND Algorithm

We propose an algorithm for decomposing global norms. Our algorithm, Algorithm 1, first checks and resolves the incoherence of the norms in the abstract level, using existing verification techniques (Unification and Constraint Satisfaction). It then decomposes these norms while preserving coherence, using correction criteria (semantic consequence) and a set of 12 generic rules of coherent refinement that cover all types of properties (sum-type, min-type, max-type, product-type) and all the deontic concepts (O, I, P).

Algorithm 1: GND Algorithm

Input:
ANC = {Ni} : Abstract Normative Context (set of abstract level global norms)
N = DC(P(H, OP, V)) : Norm
N’ = DC(P’(H, OP, V)) : Norm
DC = {O, I, P}
P(H, OP, V), P’(H, OP, V) : Predicates
H = {hi} : H is a super-holon that is composed of several sub-holons hi
OP ∈ { =, ,, >, >,