A service-oriented software architecture for complex distributed and evolving systems, based on the open Intelligent Robust Architecture for Time Critical Systems (INAETICS) [ 5 ], provides the context of this work. We continue by introducing a somewhat simplified terminology related to this architecture.

A system based on the INAETICS architecture provides functionality by executing one or more independent applications. Applications are a dynamically combined collection of independent components. A large application, such as a multi-face radar, may have thousands of such components. Components can only be accessed through their defined services, which can be provided either through remote procedure calls or message passing. In the former case, the service interface is formally specified by a number of method signatures. In the latter case, which is the focus of this work, it is formally specified using message interfaces that define sets of valid message types. The protocol behavior is not formally specified in the service interface in either case, but is represented in code and documentation.

Messages in the INAETICS architecture can be sent either synchronously or asynchronously. In the synchronous case, the component sending a message blocks until it has received a response. In contrast, asynchronous communication posts messages in a message queue, which allows the component to continue executing immediately after sending a message. In this case, the component checks its message queue for incoming messages at appropriate times during its execution.

This work considers a case study based on a service in a radar system. The service has been somewhat simplified for ease of presentation. For reasons of confidentiality, we refer to the service as PeriodicTask. The PeriodicTask service schedules an optional task to be performed by the radar system periodically. The client component using the service can specify a maximum budget that has to be considered by the radar system when performing the task to prevent it from spending too many resources on it. The budget actually used by the radar when executing the PeriodicTask service should be less than or equal to the specified maximum budget. PeriodicTask periodically reports the actual used budget back to the client.

The PeriodicTask service communicates asynchronously with client components. The provided service interface is defined in terms of message types and protocol behavior, as illustrated by the communicating finite state machine (FSM) in Figure 1. In the figure, a label -x represents a message of type x being sent and +x received, respectively. As seen in the figure, a client component sends the PTON command message, specifying the maximum budget as an argument. PeriodicTask responds to this command by sending the PTSTATE response message with a status argument ACK back to the client, acknowledging the reception of the command. Now that PeriodicTask is activated and scheduled by the radar system, it periodically reports its used budget to the client. The same PTSTATE response message is used to report this UPDATE status, along with the actually used budget. When PeriodicTask is no longer required, the client can turn it off by sending the PTOFF signal. PeriodicTask responds to this command by sending the ACK response to the client. While in the ON state. it can also receive a new PTON message with a different maximum budget.

As described above, the current version of the PeriodicTask service uses the PTSTATE response message for two different purposes: 1) reporting status information to the client, and 2) periodically reporting the used budget. This has the disadvantage that the ACK response message, which only acknowledges the reception of a command, also has to report a used budget value even though it does not have a valid value yet. In this case, a used budget value of -1 is reported to signal that the value should not be considered. A better solution would be to introduce a separate PTPERFORMANCE message for periodically reporting the used budget and to remove it from the PTSTATE message. However, changing the service interface in this way would cause incompatibility with all components using the service. We will use this service update as a running example through this paper and discuss how the compatibility issue can be efficiently resolved, promoting continuous evolution of the system.

Compatibility between services and their client components may be defined in many different ways, but two kinds of compatibility are widely recognized and distinguished in the literature [ 6 ]–[ 9 ]: 1) Structural compatibility means that messages specified in the service interface, and their constituent fields, match those used by the client component in terms of name, type, and semantics. A similar notion of structural compatibility exists for services implemented through remote procedure calls, i.e. assuming matching names, parameters, and types in method signatures. Structural incompatibility may cause a client component to fail because of a type error or cause incorrect functional behavior if a compatible data type with, e.g. different precision, is used. 2) Behavioral compatibility means that the service and the client components agree on the protocol, i.e. the ordering requirements between messages or method calls. Behavioral incompatibility may affect functional correctness, e.g. through deadlock, livelock, or message loss.

Applying this terminology to the PeriodicTask service in Section II-B reveals that the proposed update to the service interface causes both structural and behavioral incompatibility for the client components. The structural incompatibility is caused by separating parts of the PTSTATE message into a separate PTPERFORMANCE message. The new message type affects the protocol of the service, causing a related behavioral change.

To be able to (semi-)automatically detect and correct both types of incompatibilities, we need to be able to formally specify both structure and behavior in service interfaces. Existing approaches for this are surveyed in the next section.

An important part of detecting incompatibilities is to have good means to specify and validate conformance with the service interface. Interfaces have been modeled in many programming, specification, and modelling languages over the years. In fact, a recent survey of the state-of-the-practice of ModelBased Engineering (MBE) in the embedded systems domain suggests that modelling interfaces is one of the most common functional aspects covered by current industrial applications of MBE, with structural aspects being more commonly specified than behavioral ones [ 10 ]. This suggests that problems and benefits related to interface specification are widely recognized in industrial practice. Industrial interest going back a long time is also suggested by IBM publishing in this area in the 90’s [ 11 ] and Motorola mentioning interface specification as a part of their MBE-based development process more than a decade ago [ 12 ].

Most interface specifications focus purely on structure. This is the case for programming languages, such as Java and C++, which typically specify method signatures provided by classes implementing the interface. Similarly, many Interface Definition Languages (IDLs), focus on purely structural aspects, such as declaring types and method signatures, allowing them to describe structural aspects of service interfaces. An example of an IDL in this category is Apache Avro1, which is used in the INAETICS architecture [ 5 ].

In contrast, there are also modelling languages and formalisms that focus on behavior and can be used to model the behavior of a service, or the behavior on its interface. This includes different kinds of transition systems, such as FSMs or Petri Nets [ 13 ]. Both of these formalisms have been extended for the case of communicating systems. Communicating Finite State Machines [ 14 ] are a variation of regular FSMs, where transitions have been labeled with communication actions that indicate that a message of a particular type is being sent or received. The model of the PeriodicTask service in Figure 1 is an example of a communicating FSM. Open (Workflow) Nets [ 4 ] are a variation of Petri Nets that include input and output interface places to model asynchronous messages of different types being received and sent on the interface of the service. Open Nets can be composed by connecting and fusing corresponding input and output places with matching labels (message types). If all input and output places of Open Nets have been connected, it becomes a closed net, which is amenable to behavioral analysis.

A benefit of behavioral formalisms like communicating FSMs and Petri Nets is that they have clear and unambiguous semantics describing their execution. This allows correctness properties relevant to behavioral compatibility, such as deadlock-freedom, to be established for the models expressed in the formalism. An important distinction between behavioral formalisms is whether they assume synchronous or asynchronous communication semantics. Strict synchronous communication semantics require that state transitions in communicating processes happen atomically [ 6 ], [ 11 ] to ensure that the state of the system is always consistent. Synchronous communication does not assume any message queues, so it is essential for deadlock-freedom that communicating services are designed such that one process is always ready to receive at least one message sent by the other.

The main benefit of synchronous communication semantics is that they are easier to analyze and validate than the asynchronous case [ 6 ], [ 8 ]. A reason for this is that deadlockfreedom is undecidable in the asynchronous case, unless there are guarantees that all messages sent by the processes can be buffered in a message queue until they are received. This in turn requires the maximum number of messages present at any time in the message queue to be bounded, and the message queue to be dimensioned accordingly, creating a dependency on the underlying platform. However, synchronous communication semantics also have a dependency on the system as they require these semantics to be supported in the system under analysis. This requirement may or may not be satisfied for a given system, and may be an undesirable constraint for systems that are built from scratch.

There are also MBE approaches that specify both structure and behavior of components. An industrial MBE approach to ensure correct behavior of software in light of changing components and interfaces is to apply the formal technique Dezyne, previously known as Analytical Software Design (ASD), supported by tools from the company Verum2. In Dezyne, interfaces and software designs are modelled as state machines. The Verum toolset supports model checking to ensure freedom of deadlock, livelock, race conditions, and that all components are compliant with their interfaces. Code can be generated from the models, creating a link from specification to implementation of correct code. The benefits and limitations of this approach have been evaluated in case studies at Philips [ 15 ], [ 16 ]. The main results suggest that the Verum approach improved defect density and software productivity compared to industrial standards. It was also concluded that the developed components were stable and reliable against frequent changes in requirements. The main limitation of the approach is that it only applies to event-based control components, as it does not support data-dependent behavior. It furthermore requires careful component design to avoid state-space explosion that prevents the model checking from completing in reasonable time.

Component Modelling and Analysis (ComMA)3 is another MBE approach developed in an industrial context that models both structure and behavior of components [ 17 ], [ 18 ]. The ComMA approach addresses the issue of system errors being caused by components that are not compliant with their interfaces. This is done through a modular and reusable set of Domain-Specific Languages (DSLs) for specifying interface signatures, behavior, timing, and data constraints. These DSLs, which are implemented in Xtext4, are used in several phases of the design process. In early phases, transformations to UML diagrams enable visualization of behavior, providing early feedback. Later phases benefit from generation of middleware code and synthesized monitors that verify compliance with the interface. The latter is done by providing execution traces to the monitor, which checks whether the events and their associated data values and timings are valid according to the interface specification for the current state of the component.

ComMA interfaces can be specified manually or supported by tooling that reverse-engineers the interface model from a set of valid execution traces [ 19 ]. Although the former method is suitable in environments where components are modeled from scratch, the latter is helpful when introducing the approach in environments with a large number of legacy components. It is also possible to automatically generate both ComMA and Dezyne models from Rhapsody models [ 20 ], providing a migration path for users of that tool. A key differentiator between ComMA and Dezyne is that ComMA only specifies and verifies compliance with interfaces and does not generate or validate correct implementations. As a result, ComMA imposes fewer restrictions on the implementation, allowing it to be applied to a wider class of systems.

Having discussed different approaches for specifying the structure and behavior of services and their interfaces, we continue by looking at approaches to detect and correct incompatibilities when a service is replaced by a newer version, or by an alternative service. To reason about compatibility across such replacements, a notion of substitutability is defined for communicating FSMs in [ 8 ]. Substitutability is a relation between two services that represents whether some notion of compatibility with partner services is preserved as the replacement service substitutes the original. Two types of substitutability are distinguished: 1) context-dependent, which focuses on compatibility between a particular pair of services, and 2) context-independent, where compatibility has to be preserved for all possible services that were compatible with the original. Intuitively, two services are substitutable if their interfaces are structurally compatible and if they are observationally indistinguishable [ 8 ] from each other. This means that there may be internal differences in behavior, but that these are completely transparent to an outside observer. The concept of context-free substitutability is similar to the notion of accordance, defined for Open Nets in [ 21 ], although this notion limits compatibility to consider deadlock-free execution. 3http://comma.esi.nl/ 4https://www.eclipse.org/Xtext/

If incompatibility between two services has been detected, there are three ways to correct the problem [ 21 ]: 1) replace one of the services with a compatible alternative, 2) change implementation of one of the services, and 3) introduce an adapter that mediates between them. This section focuses on the latter option.

eration has been done that considers the problem of interoperability between services that were not explicitly developed to interact. The problem of resolving structural incompatibilities is strongly related to the problem of schema matching. The schema matching problem has been widely studied and several approaches and supporting tools, some of which are commercial, have been developed.

A commonality among many adapter generation approaches is that they require some kind of mapping rules that specify how messages sent and received by one service relate to those of another [ 7 ], [ 11 ], [ 22 ]–[ 24 ]. These mapping rules bridge the structural differences between the services. For example, a message sent by one service may need to be transformed into another type, split up into multiple messages, merged with other messages, or hidden, to ensure a structural fit and provide correct functional behavior. This specification is typically done manually [ 7 ], [ 11 ], [ 22 ], [ 23 ], although semiautomatic approaches based on schema matching have been proposed and implemented in tools [ 24 ].

A survey of work towards partial automation of schema matching is provided in [ 25 ]. The authors claim that full automation is generally not possible, because most schemas have semantics that are not expressed, or even documented. Matchers should hence propose candidate matches between schemas for manual review and selection. The survey presents a taxonomy that classifies existing approaches according to five criteria: 1) whether matching is based on the schema itself or data values from schema instances, 2) whether matching considers individual elements or more complex structures, 3) whether the matchers use a linguistic approach based on similarity of names and textual descriptions or a constraint-based approach based on keys and relationships, 4) the cardinality of the matching (1:1, 1:n or n:m), and 5) whether they use auxiliary information, such as information about previous matches. The survey concludes by discussing seven implementations and positions them with respect to the proposed taxonomy.

2) Behavioral Incompatibilities: Two methods for determining whether two services represented as Open Nets are in accordance are presented in [ 21 ]. The first method is based on projectional inheritance, which intuitively means to check if the services are observationally indistinguishable unless the differences between them, e.g. any newly added features, are explicitly used. Another way too look at this is as determining whether the updated service is a sub-protocol of the original, in the sense familiar from object-oriented programming. This notion of sub-protocol is also used to determine compatibility for communicating FSMs in [ 11 ]. Projectional inheritance between two Open Nets can be established by checking if they are branching bi-similar. This approach is a sufficient, but restrictive, method to verify accordance. The second approach is a precise condition based on operating guidelines, which is a characterization of the set of all compatible services. A benefit of both approaches is that they do not require any knowledge about the clients using the services, i.e. they are context-independent.

There has been a lot of work in the area of semi-automatic correction of behavioral incompatibilities, in particular protocol mismatches. A survey of different approaches to generate protocol adapters is provided in [ 6 ]. A distinguishing feature among different approaches to adapter generation is the formalism they use to model behavior. The most commonly used formalisms for this purpose are workflow languages [ 9 ], process algebras [ 7 ], communicating FSMs [ 11 ], [ 23 ], [ 24 ], Open Nets [ 22 ], and pseudo code [ 26 ]. The mentioned works based on workflow languages, pseudo code, process algebras, and Open Nets handle both synchronous and asynchronous communication semantics, while the approaches based on communicating FSMs only apply to the synchronous case.

Most approaches to generate protocol adapters execute at design time [ 9 ], [ 11 ], [ 22 ], [ 24 ], [ 26 ] and produce a model of an adapter in form of e.g. a communicating FSM or an Open Net, that can be connected to models of the services to make them interoperable. Although not frequently mentioned, these models can be used as input for code generation to generate an implementation of an adapter that connect the two services. In contrast, [ 23 ] proposes a service adaptation machine that executes at run time. In essence, this machine looks at messages that are expected to be sent and received by the communicating services in their current state. If there is no obvious match, it consults the set of specified mapping rules and see if there is any rule, or even sequence of rules, that can produce an expected message so that the interaction can progress. A benefit of this approach is that it does not generate a fixed adapter for a given pair of incompatible services, but dynamically adapt between any services, given the appropriate mapping rules. However, a drawback of the approach is that the adaptation is best effort, as it is not possible to a priori state whether or not the adaptation will be successful.

The essence of our methodology is based on specifying both structure and behavior in service interfaces to enable detection and correction of service incompatibilities using formal methods. An overview of the proposed five-step methodology is shown in Figure 2. We continue by briefly introducing the five steps:

havior of services is specified in the service interface.

Interface specifications are created for each new service and are updated whenever changes to the specification are required. The ComMA approach [ 17 ], [ 18 ] has been chosen as the service interface specification framework for our application of the methodology. 2) Generate Formal Service Model: A formal model is generated from the service interface specification in a formalism supported by existing methods for analysis and synthesis. In our instance of the methodology, we have selected Open Nets [ 4 ] for this purpose. 3) Check Accordance: When a service is updated or replaced, the generated Open Net models of both the original and the updated service is provided as input to a method that checks whether or not they are in accordance. For this purpose, we have selected the contextindependent method based on operating guidelines [ 27 ]. This approach does not require the two services to be completely equivalent, only that all possible previous clients are still supported. The updated service may hence allow a richer set of possible clients than the original. If the original and updated services are determined to be in accordance by this approach, the updated service can replace the original in all interactions with any possible clients without any further steps. If the two services are not in accordance, the following steps are taken. 4) Generate Adapter: For each partner service the updated service is interacting with, generate an adapter that ensures deadlock-free execution of the composition with the new adapter. For this step, we have selected the adapter generation approach based on controller synthesis [ 22 ] for our instance of the methodology. If no adapter can be found to correct the incompatibilities for any of the interacting services, the methodology has failed and no further steps are taken. Otherwise, if a model of an adapter is found for each partner service, the final step is taken. 5) Generate Adapter Code: This final step takes the models of the adapters and generates implementations for the target platform. In our instance, C++ code for the INAETICS architecture is generated.

The first step of the methodology is done at design time, as a service is first created or updated. The remaining four steps are done on the target platform as it is being updated. If the methodology fails to update a particular service, the update is rejected and the system continues executing with the existing version of the service.

Formal service interface specifications in the INAETICS architecture describe structure, such as message types and method signatures, but not behavior. It is hence not possible to determine whether or not an updated service interface is compatible with the original, or if interacting with a previously compatible client components could result in deadlock. To resolve this issue, the proposed methodology uses the ComMA language [ 17 ] to specify both structure and behavior of service interfaces.

The ComMA approach was selected for the following reasons: 1) it supports specification of both structure and behavior, which is required to validate both aspects of compatibility, 2) it can model both synchronous and asynchronous communication and does hence not restrict the communication options offered by INAETICS, 3) it only specifies the service interface and does not unnecessarily constrain the implementation of the service, 4) it has been successfully applied in industry before, i.e. at Philips [ 17 ]–[ 20 ], 5) the support for automatic generation of interface specification from traces simplifies industrial adoption on a wider scale, and 6) the tooling is based on Eclipse, which is one of the most commonly used modeling tools in the embedded domain [ 10 ]. This makes it easier to gain industrial acceptance.

Parts of a simplified ComMA interface specifying the structure and behavior of the PeriodicTask service from Section II-B are shown in Figures 3 and 4, respectively. Figure 3a specifies relevant types that are needed to specify the signature of the interface in Figure 3b. The signature contains two signals, PTON and PTOFF, that are sent from the client to the PeriodicTask service, and a notification, PTSTATE, that is sent from PeriodicTask back to the client component. Both signals and notifications are sent asynchronously. ComMA signatures also support synchronous commands, but these are not needed in the case study.

The behavior of the service interface is described in Figure 4. Behavior in ComMA is specified as an FSM, where events, such as commands and signals, trigger transitions between the states.

Unlike the model in Figure 1, we do not need the intermediate states for going on and going off, since ComMA can specify the received trigger signal and the response notification in a single transition. For brevity, Figure 4 does not include that the PTON signal can be received in the ON state. This transition is analogous to the shown transitions triggered by the PTON and PTOFF signals. As indicated in the figure,

PeriodicTasks starts in the OFF state and transitions to the ON state after receiving a PTON signal with an associated maximum budget. The specification also shows that the service implementing the interface must reply by sending a notification with an acknowledgement and a used budget of -1, which is the undesired coupling of concerns previously discussed in Section II-B that is the reason for updating the service interface. Conformance with this specified behavior can be validated using a monitor that is automatically generated from the ComMA specification. The ON state specifies a similar transition back to the OFF state after receiving a PTOFF signal from the client, as well as the periodic update. The periodic update is hence not triggered by an external event and does not have a transition trigger. It is possible to specify the period and maximum jitter constraints for the periodic update, but this has been omitted for simplicity. For the same reason, the current specification also does not constrain the used budget values to be non-negative. For more information about timing and data constraints, refer to [ 18 ].

Relevant parts of the service interface after the update are shown in Figures 5 and 6, respectively. Figure 5 shows that there has been a structural modification. The state message has been simplified to only include the response, as the used budget has been moved to the newly introduced PTPERFORMANCE notification. The updated behavior is specified in Figure 6. As seen in the figure, it is no longer necessary to monitor that the invalid budget is correctly sent in state messages when transitioning to the ON and OFF states. Similarly, the periodic update now sends a dedicated performance notification and does not have to include other state information. This decouples the concerns of responding to a signal from sending periodic updates, as desired in Section II-B, at cost of behavioral and structural incompatibility.

To address incompatibilities, we choose to base our approach on Open Nets [ 4 ]. The three main reasons for this choice are: 1) it is conceptually possible to translate a ComMA specification into a corresponding Open Net, 2) Open Nets can model both synchronous and asynchronous communication semantics, supported by both INAETICS and ComMA, and 3) there are existing analysis methods, supported by prototype academic tools5, available for both detection and correction of 5http://service-technology.org/tools/index.html, https://github.com/nlohmann/service-technology.org incompatibilities.

A disadvantage of choosing Open Nets is that this formalism is much less common than FSMs among industrial practitioners in the embedded domain [ 10 ]. This is a concern since best practices for MDE state that it is essential for acceptance that notation and terminology are familiar to the users [ 28 ], [ 29 ]. However, users of the proposed methodology specify behavior as FSMs in the ComMA language, and the transformation to Open Nets and the behavioral analysis happen automatically under the hood, which mitigates the concern. The generation of Open Nets will be implemented as a model-to-model transformation in the ComMA framework. The generated Open Net model will then pass through modelto-text transformations to create the required input models for the tools performing detection and correction.

Having chosen Open Nets as the formalism for our application of the proposed methodology, it makes sense to select the precise method for determining accordance based on operating guidelines. This method is implemented in the prototype tool Fiona [ 30 ].

For correction of incompatibilities, we select the adapter generation method based on controller synthesis [ 22 ]. We continue by giving a brief overview of this approach. The basic idea is to create an adapter between two services represented as Open Nets by synthesizing an adapter with two key components, an engine and a controller. This adapter architecture is shown in Figure 7. The engine is responsible for the flow and transformation of data and has the input and output places required to connect to the two services according to the set of specified mapping rules. It also has connections to the controller, which is responsible for ordering of events such that behavioral properties, like deadlock-freedom, are satisfied. The engine notifies the controller when messages have arrived and allows it to determine when to trigger transformations of the data, e.g. splitting up an incoming PTSTATE message into separate PTSTATE and PTPERFORMANCE messages in our case study, and in what order to send messages.

Adapter generation following this approach starts by composing the models of the two services with the model of the engine, which follows directly from the provided mapping rules. This composition results in a larger Open Net, where the only unconnected interface places are those between the engine and the controller. Using techniques for controller synthesis, a controller is then synthesized such that the desired behavioral property is satisfied. There are two possible adapter architectures that differ in whether the connections between the engine and controller are asynchronous or synchronous [ 31 ]. The latter typically results in smaller adapters with shorter synthesis times without any particular drawbacks.

In addition to being based on Open Nets, giving it the benefits listed above, this adapter generation approach has also been evaluated in a number of case studies [ 22 ], [ 31 ], [ 32 ] and shown to be able to efficiently generate adapters within seconds. This is particularly true for the architecture with synchronous controllers, which has been selected for our methodology. The adapter generation approach supporting asynchronous controller synthesis is available in the existing tool Marlene6 [ 22 ].