The SAFEPOST Screening System is a hardware-software infrastructure consisting of D-Tube, Raman and Radiak sensors, and an image recognition system4.

4The information related to some sensors is confidential so just a short overview of their specifications and functionalities can be published. 1) The D-Tube: The D-tube is used for detecting explosives or narcotics in real time; the prototype developed within the SAFEPOST project uses a multi-element detector for the generation of the chemical profiles and is suitable for integration into the sorting facility conveyor belt flow. It operates in near real time with high precision and specificity by examining vapor substances. The system also takes into account the varying background vapors ubiquitously present in the air. This D-Tube system consists of three different subsystems: • The Breathing Sub-system • The Air Supply Sub-system • The eNose Gas Sensor Sub-system The Breathing Sub-system is positioned over the conveyor belt. It uses a device to compress the packages in order to press out air from the inside of the packages. This procedure makes packages emit as much of the enclosed molecules as possible for further detection. This “active breathing” is key to make the system work consistently on a wide range of different packaging types. The Breathing System is designed to stay within the envelope of specifications for proper handling of the packages.

The Air Supply System is a “sniffer” system positioned after the breathing device to “sniff” any molecules being emitted from the packages. It consists of several silicon hoses and acts as a “vacuum cleaner” to vacuum the packages on its side and on the top. This is being done just after the breathing system has compressed the package. The hoses in the “sniffer” system are then connected and lead the air flow to the Gas Sensor Subsystem, also called the eNose. The eNose chamber consists of 18 separate electronic sensors (“noses”) capable of detecting different molecules such as explosives and narcotics.

based on a semiconductor detector of High Purity germanium (HPGe detector) which measures ionizing radiation by means of the number of charge carriers set free in the detector material, which is arranged between two electrodes, by the radiation. Ionizing radiation produces free electrons and holes. Under the influence of an electric field, electrons and holes travel to the electrodes, where they result in a pulse that can be measured in an outer circuit.

Recognition System in SAFEPOST (see a sketch in Figure 2) is to allow postal operators to screen the exterior of the parcels in order to detect damages and signs of tampering [ 58 ]. The Image Recognition System provides information to the CPSS as well as to the human postal operator. Information sent to the CPSS can be integrated with the results of other sensors or with previous scans of the same parcel in order to compare if and how the parcel changed over time and better evaluate its tampering risk. At the same time, as the system performs the parcel analysis on the fly, human operators can be immediately informed of suspicious parcel’s features and can intervene on the parcel, according to the risk management policies implemented by the postal operator.

The Targeting & Threat Handling Reasoning System is a high level decision support system which combines information from both the SAFEPOST sensors and other sources to conduct risk assessments. Risk assessment is driven by the work-flow of the package handling represented, in a simplified way, in Figure 3. Information gathered from sensors and from the stakeholders involved in the process is used to assess the risk that a parcel is a potential threat throughout the entire D2D postal delivery supply chain. The system discovers potential threats in real-time and assesses those not detectable by physical screening. When a threat is detected, the system helps users decide on which plan to follow based upon the threat, time and resources available. The Targeting and Treat Handling Reasoning System operates at the intermediate level and performs different fusion services onto data in the CPSS to address different phases of the risk management process as follows: • A risk assessment sub-system fuses all available information regarding letters and parcels to determine which parts of the sorting facility convey or belts should be subject to additional screening on top of the mandated ones. This step of the process uses available information from, e.g., alert levels set by security agencies, intelligence databases, information from cargo operators and customs, besides the information coming from SAFEPOST sensors. • The results of the detection are combined with other available data to determine what should be done with the suspicious parcels. In particular, using information about the uncertainties in the detection result and combining these with other available information enables the system to choose different handling strategies (with associated different delays in cycle time) for different risks.

The CPSS is shown in Figure 4 and is based on the PostEurop framework5 as operating model, which aligns EU Policy and Legislation with IT security management and industry wide best practice processes, through a shared network. The CPSS is integrated with the screening systems, target and threat handling reasoning and information sharing via the universally trusted Postal Security Stamp.

This component consists of a real-time logistics optimization system that automatically reads GPS tracking data and updates the logistics plan accordingly. This is more than simply updating the Estimated Time of Arrival (ETA) of a vehicle, as the system automatically fixes resulting logistics problems using intelligent optimization algorithms. For example, if a vehicle is delayed so that it will not arrive at its destination in time to undertake the next planned work, the optimization component automatically reassigns the work to the next best resource available. The real-time rescheduling means that the logistics plan is constantly updated (working within operational constraints and rules) so that at any point in time the system “knows” what should be happening next, even if this is now different from the original plan at the start of the day.

5http://www.posteurop.org/VisionandMission

After the Yemen bomb plot in 20106, the postal security management entered its biggest reform in modern times. In 2012 the Universal Postal Union (UPU), the United Nations (UN) organization coordinating global postal policies, issued two postal security standards binding all of its 192 members countries: • S58, Postal Security Standards - General Security Measures which defines the minimum physical and process security requirements available to critical facilities within the postal network; • S59, Postal Security Standards - Office of Exchange and International Airmail Security which defines minimum requirements for security operations relating to the air transport of international mail.

Besides regional legislation in the transportation sector, which have been rapidly evolving as well over the past few years with major implications on postal security7, also academic literature on security in the supply chain has become huge after September 11, 2001: as observed by Ma¨nnist o¨ in [ 50 ], “The terrorist attacks of September 11, 2001 raised major concerns about the vulnerability of global transportation systems to transnational crime and terrorism. Although the attacks occurred in the context of passenger transport, they spurred unprecedented academic research on supply chain security (SCS)”. Ma¨nnist o¨ defines a supply chain crime taxonomy, carries out a deep literature review showing that the SCS discipline is more empirically grounded and diverse than the previous literature reviews suggest, and discusses a case study in the international postal service from the Swiss perspective. To the best of our knowledge, that work is one of the more recent and complete academic documents dealing with safety and security in the supply chain in general, and in the postal sector in particular. Compared to SAFEPOST8 it complements its practical results with a strong theoretical underpinning by providing a taxonomy which can serve as a unifying framework in the supply chain crime area, and which can be generalized and adapted to other domains. Although Ma¨nnist o¨’s work also includes a practical component, leading to concrete suggestions to the Swiss Post and Swiss authorities based on the results of the case analysis, it cannot compete with the practical solutions to threat handling proposed within such a large project as SAFEPOST.

Given that the SAFEPOST approach is fully compliant with the most recent regional and UPU standards, and that the academic literature we are aware of in the postal safety and security areas is connected and complementary to the project, we can assess that SAFEPOST findings are the state of the art in postal security.

6https://en.wikipedia.org/wiki/Cargo planes bomb plot 7https://ec.europa.eu/transport/modes/air/security/legislation en;https: //www.faa.gov/regulations policies/faa regulations/

8Ma¨nnisto¨’s Ph. D. Thesis is not fully disjoint from SAFEPOST: he received funding from SAFEPOST, as stated in his thesis acknowledgments. III. BEYOND SAFEPOST: TOWARDS AN IOSIP+T As discussed in Section II, SAFEPOST is a layered, distributed architecture with sophisticated sensors at the lowest level, organizations that must protect their data and privacy on the one hand, and must collaborate to reach a safer management of postal items on the other, complex interactions among the parties involved, reasoning and optimization systems at the top of the architecture. The holonic MAS metaphor [ 64 ] is extremely suitable to describe SAFEPOST: some sensors like the image recognition system depicted in Figure 2 are so sophisticated, that may be seen as MASs themselves. The same holds for the different providers of postal services, which could be seen as individual agents if we analyze the high level interactions among them, taking place within the CPSS, but can also be seen as MASs due to the many components they consist of, and their complex dynamics.

More intelligence can be added to SAFEPOST’s architecture, both at the sensor level – by making sensors smarter –, and at the global architecture level – by making it more flexible and adaptable, and by improving the existing optimization component, which could be based on agents [ 8 ], [ 29 ], [ 61 ], [ 70 ]. The reasoning component could take advantage of agents as well, along the lines of some recent proposals for agentbased distributed reasoning including [ 9 ], [ 38 ], [ 54 ].

But the “SAFEPOST of the future”, besides intelligent, must also be resilient.

Resilience is the capacity to quickly recover from difficulties; in a supply chain context, it can be seen as the ability to react in a timely fashion to unexpected external events including delayed delivery, reduced exchange of information with other companies in the chain, hardware/software failures, but also more disruptive ones such as floods, earthquakes, acts of terrorism. Dependability of a system reflects the user’s degree of trust in that system: it measures the numerical extent of the user’s confidence that the system will operate as expected. Implementing dependable and resilient supply chains is a strategic choice for mitigating the risks [ 35 ]. The notion of dependability9, together with responsiveness, agility, cost, and assets, is one of the five Standard Strategic Metrics of the Supply Chain Operations Reference model, SCOR10. Delivery dependability, also known as delivery reliability [ 63 ] is the ability, for supply chains,“to exactly meet quoted or anticipated delivery dates and quantities” [ 72 ]. Specific sensors and relative fusion algorithms can help extracting several kinds of contextual data, raising the system context awareness which represents a key ingredient of the IoT. Quoting [ 53 ], “...smart connectivity with existing networks and context-aware computation using network resources is an indispensable part of IoT. With the growing presence of WiFi and 4G-LTE wireless Internet access, the evolution towards ubiquitous information and communication networks is already evident”. Today’s companies are already adopting resilience and dependability 9Named “reliability” and meaning “Perfect Order Fulfillment”. 10http://www.apics.org/apics-for-business/products-and-services/ apics-scc-frameworks/scor for obtaining an immediate reaction to unpredictable events through smart organizations: both resiliency and dependability imply safety and security requiring advanced forms of contextawareness. The meaning of context depends on the application domain and may involve many aspects, including location, time of day, emotional state of the user, orientation, and even the preferences or identities of people within an environment. In an IoSIP+T, the context is also represented by data coming from advanced physical sensors. In order to be useful, sensory data need to be located, described, measured, and analysed on the fly in real-time, which requires sophisticated approaches to sensor fusion. SAFEPOST already provides a first answer to the need of dependability, resilience and context awareness; in its current setting, context- and self-awareness are supported by the specific safety sensors discussed in Section II-A whose outputs are fused within the targeting and threat handling reasoning system discussed in Section II-B.

In a more general IoSIP+T perspective, SAFEPOST could be extended to integrate other sensors into a single MAS made secure by design [ 31 ] and supporting different levels of awareness operated in an IoT, within a Cloud environment. In the following we discuss approaches, methods and techniques that could be integrated within the existing SAFEPOST framework, to transform it into an IoSIP+T.

SAFEPOST safety sensors operate in real-time and are designed with the dependable and resilient architecture of fullyprotected Cyber Physical System (CPS). Safety and security are design dimensions of a CPS: safety is aimed at protecting the systems from accidental events while security is limited to hostile actions, and both share the goal of protecting a CPS from failures. As pointed out in [ 62 ] when safety and security are aligned, namely when actions performed for enforcing safety do not contrast with actions performed for enforcing security, they make the enclosing CPS almost inviolable. A theoretical concept which has recently emerged as an evolution of CPS and sensors in the direction of real time and contextaware tracking, is that of the spime11 a uniquely identifiable object whose real-time attributes can be continuously tracked. Smart objects [ 39 ], namely computers equipped with sensors and/or actuators, and a communication device, are examples of spimes. They are described as the building blocks for the IoT [ 43 ] and can be embedded in cars, light switches, thermometers, billboards, or machinery. The gap between a smart object and an intelligent software agent is very small: the smarter the object, the closer to an agent [ 60 ]. The integration of smart objects in SAFEPOST would definitely increase not only its context awareness, but also its ability to self-adapt and self-repair thanks to the smart objects actuators which can play an active role, differently from traditional, passive sensors. The ability to manage itself is a “must” for the SAFEPOST of the future, given that SAFEPOST should be able to survive 11Spime is a neologism introduced by B. Sterling (2005) as the contraction of space and time. to disasters, to continue keeping the infrastructure as safe as possible. The opportunities to increase SAFEPOST reliability thanks to self* approaches are huge: self-adaptive and selforganizing MASs [ 1 ], [ 28 ], [ 55 ], [ 65 ] are very close to autonomic computing systems, namely systems that “manage themselves according to an administrators goals. New components integrate as effortlessly as a new cell establishes itself in the human body” [ 41 ]. An “autonomic SAFEPOST” would give many advantages, but would also raise many challenges. In particular, autonomy in self-adapting, self-organizing and self-repairing should balance compliance to existing technical, legal, and even ethical constraints. To reach this goal, designers should be able to verify in advance (at design time, when the system is still under test) as many properties of the “autonomic SAFEPOST” as possible via traditional techniques based on model-checking. At runtime, when the system has been deployed, it should undergo a continuous monitoring to early detect those anomalies that static verification techniques could not capture, and report them to a human controller. While these problems are far to be solved, in particular for large and complex systems as an “autonomic SAFEPOST” would be, some results achieved within the MAS community seem to go in the right direction. Model checking MASs has a long tradition which dates back to the beginning of the millenium [ 11 ], [ 12 ], [ 47 ], [ 74 ] and, although not scaling well to large systems, could be used for the design-time static verfication. Recently, runtime verification mechanisms suitable for MASs in particular, and for distributed system in general, have been proposed [ 2 ], [ 4 ], [ 23 ]. Attempts to integrate static and runtime verification techniques in the MAS domain are discussed in [ 3 ] and in [ 24 ], [ 25 ]: while the first work deals with the relationships between Linear Temporal Logic and the trace expression formalism used for MAS runtime verification, the last ones address the problem of validating an abstract environment designed for model checking purposes, at runtime.

A real-time management of threats, like in SAFEPOST’s Targeting and Threat Handling Reasoning System, requires a real-time analysis of the acquired data and new forms of dependable data mining algorithms. As observed in [ 68 ], “data mining has typically been applied to non-real-time analytical applications. Many applications, especially for counterterrorism and national security, need to handle real-time threats. [...] This means that the data mining algorithms have to have the ability to recover from faults as well as maintain security, and meet real-time constraints all in the same program.” Real time data mining is a hot research topic, as witnessed by many existing tools [ 10 ], [ 56 ], papers [ 22 ], [ 37 ], [ 44 ], [ 71 ], and even patents [ 20 ]. In the same way as massive data generated by the IoT can be analysed and managed with data mining techniques adapted to cope with big data and data streams [ 17 ], existing data mining algorithms operating in real-time could be adopted to manage data generated by an IoSIP+T system, in order to cope with its complexity and to increase its dependability, in particular when boosted by agents [ 46 ]. A challenging research direction is “real-time weak signal detection mining”, and its integration with the results obtained by a more traditional mining of IoT data. In fact, a really safe logistic system, should also take weak signals of threats coming from news, social networks, the web, into account. As observed in [ 14 ], “Lone wolf terrorists pose a large threat to modern society. The current ability to identify and stop these kinds of terrorists before they commit a terror act is limited since they are hard to detect using traditional methods. However, these individuals often make use of Internet to spread their beliefs and opinions, and to obtain information and knowledge to plan an attack. Therefore there is a good possibility that they leave digital traces in the form of weak signals that can be gathered, fused, and analyzed”. An agent-based approach might turn useful to tackle the last tasks, as discussed for example in [ 57 ], [ 76 ].

Although IoT and cloud computing are different paradigms, they play complementary roles in tackling emerging needs of the current world, and both are recognized as being extremely suitable to supply chain management. While the IoT mainly consists of device connections via the Internet, the role of the cloud is to deliver data, applications, streams, images, and other digital objects in a distributed context. The huge implications of IoT for logistics have been explored by Cisco and DHL [ 48 ] among the others and are raising more and more attention [ 40 ], [ 52 ], [ 66 ], mainly when combined with big data management [ 42 ]. A similar or maybe even greater interest can be observed for the adoption of cloud computing for logistics and supply chain management, which - besides many scientific and popular articles (see for instance the recent works [ 16 ], [ 67 ]) - also lead to patents [ 36 ]. The integration of IoT with cloud computing [ 13 ] offers an additional potential benefit to significantly reduce costs on a pay-per-use base and with an improved customer service based on rationalization of operations, through optimization and increased operating and economic efficiencies and supporting the development of new services and business models. Several postal and logistic companies are already offering their service from the cloud and the combination of IoT with intelligent CPSs makes them accessible anytime and anywhere. This combination will be a key enabler of the IoSIP+T, and agents will play a relevant role to add intelligence, security, and flexibility to it, as discussed for example in [ 45 ], [ 75 ], [ 77 ].