Top

Published in:

Open Access 2022 | OriginalPaper | Chapter

Modeling IoT Design Patterns Proven Correct by Construction

Authors : Imen Tounsi, Najeh Khalfi, Abdessamad Saidi, Mohamed Hadj Kacem

Published in: Participative Urban Health and Healthy Aging in the Age of AI

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Patentsearch

Off

Abstract

Formal method techniques are used to model complex systems as mathematical entities. By building mathematical rigorous models of IoT design patterns, it is possible to verify their properties in a thorough fashion. In this paper, we propose a refinement-based approach for modeling IoT design patterns. It allows the modeling of correct by construction IoT design patterns. It takes advantage of formal methods by the specification of design pattern models with the Event-B method and checking the design correctness. Our goal is to design IoT patterns proven correct by construction to successfully apply them and promote their reuse. Our approach is experimented through pattern examples and we illustrate it with a case study in the health care domain.

1 Introduction

System architectures are becoming more complex in their understanding and analysis. Among these architectures, we find the architecture of Internet of Things (IoT). The IoT is a recent concept. It is a variety of smart objects interconnected via the internet. This variety of objects faces the problem of complexity of the system. This complexity opens the way to the use of a variety of IoT design patterns to address many issues [10]. They propose solutions for common and recurring problems to architects and designers in the IoT domain. Most of these patterns are presented visually and informally, there is no formal semantics associated with them. Hence, their meanings may be imprecise. They can lead to their misunderstanding and use.

Faced by this situation, and to remedy the problem, we propose an approach that allows to model and specify these patterns with a formal notation that allows to reuse them correctly. Our objective is to prove the relevance of these patterns. We propose an approach, allowing the formal modeling of these patterns in order to describe both their structural and behavioral features. Structural features are generally specified by the types of entities. The configuration of the entities is also described in terms of static relationships between them. Behavioral features describe successive interactions between the different entities of the IoT application. The proposed formal specification of IoT patterns is generic and it is based on the formal Event-B method. We apply our approach on different pattern examples and we illustrate it with a case study in the health care domain.

The rest of this paper is organized as follows. Section 2 discusses related works. Section 3 describes how to formally specify IoT design patterns with the Event-B method. In Sect. 4, we present an application to a case study of our approach. Section 5 concludes and gives future work directions.

2 Literature Review

Most of the proposed design patterns (Object-Oriented design patterns, Enterprise Application Integration (EAI) design patterns, Service-Oriented (SOA) design patterns, and Connected Object (IoT) design patterns) are described by a combination of a text description and a graphical representation sometimes using a proprietary notation in the aim of making them easy to understand like SOA design patterns [5] and Object Oriented design patterns [6]. However, these descriptions make patterns ambiguous and may lack details. Some work so have proposed the semi-formal representations of these patterns using modeling languages [4]. Some other works use or provide formal languages based on mathematical notation for a precise pattern specification [16]. However, these approaches require knowledge of mathematics and first order logic to use them. Some research has chosen to combine the semi-formal and formal representations of patterns. This representation ensures a better understanding and precision of patterns. Generally speaking, there is a consensus on the elements that make up and define a design pattern. However, there is no consensus on the specification of the patterns. Tounsi et al. [12, 13, 15] focused on both the modeling, the formal specification and the composition of SOA design patterns [14] and established the link between them with an automatic transformation. They used the SoaML language for the pattern modeling that ease the understanding of pattern models. For the pattern specification, they used the Event-B formal method in order to attribute formal notations to SOA design patterns for the purpose of checking their design correctness.

In this work, we are interested with the IoT design patterns. In this context we find several researchers who proposed a set of IoT design patterns in various categories. Eloranta et al. [3] proposed patterns for the construction of distributed control systems. Qanbari et al. [9] presented four patterns for the supply, deployment, orchestration and monitoring shipboard applications. Lukas et al. [10, 11] have published patterns for device power supply, operation and communication modes and a number of IoT design models. All these patterns are described with a visual and informal notation. There is no formal semantics associated. There are few numbers of research work that deals with the modeling of IoT patterns. Borelli et al. [2] proposed a language called BIoTA (Buildout IoT Application Language), to assist and streamline the building of software architectures for IoT. The specification and implementation of the BIoTA language involve a grammar and a compiler, responsible for syntax and semantic analysis, as well as code generation. This work facilitate the formalization of software architectures using automata, which would otherwise be created in an informal and ad-hoc manner but it addresses specific IoT scenarios. In this paper, we present the formal modeling of IoT patterns proposed by Reinfurt et al. [10].

3 Pattern Specification

Ensuring the reliability and the correctness of IoT design patterns is a goal that we have fixed. For this, we propose an approach to formally specify IoT design patterns by using the formal method Event-B that is well suited to our needs and goals. This approach allows the validation of the modeling part and ensures the verification of the relevant properties of design patterns.

Event-B is a formal method for system-level modelling and analysis [1]. It is well-suited for specifying IoT design patterns because: The primary concept in doing formal developments in Event-B is that of a model. It is made of several components of two kinds: machines and contexts. Machines contain the dynamic parts of a model, whereas contexts contain the static parts of a model. Thanks to this classification, Event-B allows the specification of structural and behavioral features of design patterns. Refinement techniques proposed by this method allow us to build patterns gradually and at different abstraction levels. Mathematical proofs allow verifying model consistency and consistency between refinement levels. The most important reason to use Event-B method is the availability of a supporting tool called the Rodin platform for modeling and automated proof [1]. The platform is open source and is further extendable with plug-ins. A range of plug-ins have already been developed including ones that support animation and model checking like the Prob plug-in [8] that we used.

There are two general pattern models as instances of the proposed metatamodel depending on the location of the device. If the device is placed locally, we use the “Medium Based Bootstrap Pattern” as a solution to configure the new device. If it is placed at a distance, we use the “Remote Bootstrap Pattern” as a solution.

In the specification, we concentrate on two categories of design patterns; “Bootstrapping Design Patterns” and “Registration Design Patterns”. “Bootstrapping Design Patterns” allow configuring new devices. They are composed of “Medium Based Bootstrap Pattern” and “Remote Bootstrap Pattern”. “Medium Based Bootstrap Pattern” allows to configure a new device on-site through a removable storage medium inserted in the device. This support contains the necessary information for configuration. “Remote Bootstrap Pattern” is a configuration pattern used in case that a device is placed far away and is difficult to reach. The configuration in this case is done by downloading configuration information from a bootstrap server.

“Registration Design Patterns” allow to register the attributes and the features of a new device on the Back-end server. The registration is used to facilitate the communication and the interrogation with other connected objects. There are many registration patterns. In this work, we present two patterns. So “Registration Design Patterns” are composed of “Automatic Client Driven Registration Pattern” and “Server Driven Model Pattern”. The “Automatic Client Driven Registration Pattern” allows the device to register on the Back-end server via an API call. The “Server Driven Model Pattern” is used to create a device model that includes its description and functionality.

We model structural features of design patterns with contexts in the Event-B method. They describe by a set of concepts, the structure of an IoT architecture. We use it to describe the architecture of IoT design patterns. More specifically, it is to define the entities that can be involved in the pattern, their types and their dependencies (connections). We model behavioral features of design patterns with machines in the Event-B method. We describe through this Event-B component successive interactions between the different entities of the IoT application in order to represent the two categories of the design patterns.

3.1 Contexts and Machines Relationships

We present a specification of two categories of patterns. So, the specification will be too complicated and error prone if it is done in one shot. To reduce this complexity, we define specification levels. At the first level, we create a very abstract model (a context C0 and a machine M0). At the next levels, we use refinement techniques to gradually introduce detail and complexity into our model until obtaining the final pattern’s specifications. Our refinement strategy is explained in Fig. 1. First, we create a generic context C0. This generic context, presented in follows, plays the role of a metamodel to define types of IoT design pattern elements.

At level 1, we present contexts of the pattern category in general with their properties. These contexts extend the generic context. We specify in the context “BootstrappingPatterns”, which extends the “C0” context, the set of configuration patterns contained in the “MeduimBasedBootstrap” pattern and the “Remote Bootstrap” pattern. We also declare the location to specify the position of a device (Device) if it is locally located or remotely. In the context “RegistrationPatterns” which extends the context “C0”, we specify that in the “RegistrationDesignPatterns” category, we find the “AutomaticClientDrivenRegistration” and “ServerDrivenModel” patterns. At level 2, we present contexts of the different patterns belonging to these categories as an extension of their pattern category. These contexts are used by the corresponding machines in order to specify their appropriate behaviors.

3.2 Structural Features

There are two major types of entities in the Internet of Things. The first is an «Object» or a “thing” which you intend to make smart by providing connectivity. The other is the «Component» or embedded system which provides this connectivity. Sensors, Actuators, SmartThings, and Devices are examples of Objects. Using Event-B, we specify in the context C0 the two entities as constants. The set Entity is composed of the set of all Components and the set of all Objects (Entity = \(Component\)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-031-09593-1_3/529824_1_En_3_IEq2_HTML.gif

\(Object\) \(\wedge \) \(Component\)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-031-09593-1_3/529824_1_En_3_IEq6_HTML.gif

\(Object\) = \(\emptyset \)). This is specified by using a partition in the AXIOMS clause (\(Entity\_partition\)).

Components name C\(_{i}\) are specified as constants in the CONSTANTS clause. Formally, we specify {C\(_{1}\),...,C\(_{n}\)} \(\in \) Component \(\wedge \) C\(_{1}\) \(\ne \) C\(_{2}\) \(\wedge \)...\(\wedge \) C\(_{n-1}\) \(\ne \) C\(_{n}\).

Objects name O\(_{i}\) are also specified as constants. Formally, we specify {O\(_{1}\),...,O\(_{n}\)} \(\in \) Object \(\wedge \) O\(_{1}\) \(\ne \) O\(_{2}\) \(\wedge \)...\(\wedge \) O\(_{n-1}\) \(\ne \) O\(_{n}\).

The communication path between Entities within an architecture is called a «Connector». It ensures the link between a «Provided» port and a «Required» port to form a complete and coherent system. «Ports» constitute the interaction points with entities environment. A required interface on a port specifies one or more operations required by behaviors of the object. A provided interface on a port specifies one or more operations that an object must provide.

A «Connector» PushE\(_{i}\)E\(_{j}\) is a link between two entities. It can be between two components (PushC\(_{i}\)C\(_{j}\)), two objects (PushO\(_{i}\)O\(_{j}\)) or between a component and an object. When the direction of the connection is from a component to an object, it is named PushC\(_{i}\)O\(_{j}\) and if it is from an object to a component, it is named PushO\(_{i}\)C\(_{j}\). Formally, Connectors are specified with an Event-B relation between two entities. Connector’s name PushE\(_{i}\)E\(_{j}\) are specified with constants in the CONSTANTS clause. The set of Connectors is composed of all Connectors name. This is specified formally with a partition (\(Connector\_partition\)).

To define the source and the target of a connector, two axioms must be added, namely the domain and the range.

Internet of Things (IoT) architecture requires a message-based communication. Formally, «MessageType» is the type of messages exchanged between different entities, it is declared in the SETS clause. Messages name M\(_i\) are specified in the CONSTANTS clause. They are attributed with their type with a partition in the AXIOMS clause (\(Message\_partition\)).

3.3 Behavioral Features

A machine of a pattern specification Mi has a state defined by means of a number of variables and invariants. Some variables can be general as the variable Send, which denotes the sent message. The state can be modified by means of events. Events are instantaneous and their effect can cause the occurrence of other events. This copes well with the behavior of IoT design patterns. The sending of a message is instantaneous and thus can lead to the sending of other messages.

The structure of a machine PMi is presented in follows. Machine PMi sees context PCi. Variables V1 are defined to know the availability of entities, sent messages, processed messages, etc. Invariants INV1(V1, S, X, Y) are defined to specify the various predicates which the variables must obey. Events (Evt1.1, Evt1.2, ...) are the various events of the machine.

Entity activation is specified with a variable Dispo in the VARIABLES clause. It is used in order to know the availability of each entity (available or not). Thus, it is declared with a partial function between the Entity type and a the Boolean type. This is expressed with the invariant Dispo_Function.

Internet of Things (IoT) architecture requires a different kind of message queue based communication than other types of software systems or big data solutions. With IoT, the messaging needs are more complex since IoT requires two way message communication between the server-side or cloud components and the IoT hardware devices. Formally, the variable Send is defined with the invariant Send_Relation which specify that Send is a relation between a Connectors and a MessageType. In this way, we know how is the sender, the receiver and the sent message.

Each pattern has its own behavior but some events can be general like the event of sending a message \(Sending\_M_{i}\).

If the transition is reflexive, the event includes an action of the form: For example, the transition of message processing is a reflexive transition. Then the event \(Processing\_M_{i}\) includes the following action: Process \(:=\) Process

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-031-09593-1_3/529824_1_En_3_IEq65_HTML.gif

\(\{O_{i}\) \(\mapsto \) \(M_{i}\) \(\}\). That is, object \(O_{i}\) processes message \(M_{i}\).

3.4 Formal Verification

During our development, we use refinement techniques, they consist on developing a series of more and more accurate models of the pattern we build [1]. By using refinement techniques, we enrich the pattern model, and we make sure that refined models are not contradictory. As a result, when the last model is finished, we will be able to say that this model is correct by construction [1].

Four formal verification steps have been developed for checking design patterns; type checking, model checking, animation and theorem proving. Type checking is a technique controlling low level properties of variables in a specification. It is achieved within the compiler. Model checking and animation are two techniques used to show the dynamic behavior of a model, and they allow one to systematically exploring all its reachable states. We use them to check the correctness of the behavior of the pattern. Some temporal/behavioral properties are verified like liveness (no deadlocks present in the model) and reachability (prove that an event whose guard is not necessarily true now will nevertheless certainly occur within a certain finite time) properties. This is achieved by the model checker ProB [8]. Theorem proving technique allows checking properties which can be experimented either as predicates (INVARIANTS, AXIOMS, THEOREMS) or with guards in the events. It is also ensured by proof obligations generated by the Rodin platform. They define what is to be proved to ensure the consistency of an Event-B pattern model. As example of consistency constraints, we check that no entity can send a message if it is not authorised. This is controlled by an invariant called Can_Send_INV. For sequence diagrams, we require that every message must start activation. Our approach ensures that the specified IoT design patterns are correct by construction. It offers architects the ability to reuse correct pattern models, which saves their efforts to prove the correctness of the patterns.

4 Case Study: Smart Hospital

Smart hospitals are hospitals which build new infrastructure. In this infrastructure, all are enabled by underlying digitized networking infrastructure of interconnected assets and remote-controlled automated components which can be medical sensors, medical devices, etc. It can include several other components that can be monitored and controlled remotely to offer providers a continuous stream of real-time health data such as heart rate, blood pressure, oxygen concentration level, and glucose monitoring. Most of these components can be controlled by a mobile device or a computer. In our case study, we add a new device (a camera) to a smart hospital patient room. This device makes it possible to control the various rooms of the hospital for safety issues. For example, the camera can recognize when a patient sits up or even has a restless night’s sleep. Then it informs the nurse immediately through a notification sent to their smart phone. It can also send alerts when it detects big problems. First, the camera is added without any information to initiate its first connection. We then apply the Medium Based Bootstrap design pattern to have its configuration information. This information is inserted into the device through a memory card. Second, we go through the registration procedure on the main server (BackEndServer). This procedure is done through the use of the two patterns of the Registration Design Patterns category which are the automatic client driven registration pattern and the server driven model pattern which allow registering the device on the main server. Finally, the camera became able to communicate and create connection links with its communication partners. The camera communicates with the nurse’s smartphone to notify him of what is happening in real-time.

We model this application through the use of the model shown in Fig. 2. The camera is associated with an object of type “Device”, the memory card is defined as an object of type “Storage Medium” and the Smart phone is associated as an object of type “SmartThing”. The propagation of events between objects is done through a DeviceGateway.

In Fig. 3, we specify the static part of the design patterns of the model applied in the Smart-Hospital case study using contexts. We first specify the generic context C0. We change the generic concepts previously defined by the concepts of our case. A Camera is a Device of type object. A Smart phone is a Smart Thing of type object and a Memory card is a Storage Medium of type object. Then we specify the other contexts belonging to the Bootstrapping and the Registration patterns. In Fig. 4, we specify the dynamic aspect in the machine part of the Event-B method. We specify a part of the behavior of objects constituting the smart hospital model of our case. We describe this behavior of the configuration in the machine named BootstrappingPatterns. At the end of the specification Event-B models are proved. This case study shows that our approach is able to be applied while also taking the quality of results and performance into account.

5 Conclusions

In this paper, we presented an approach that allows to formally specify connected object architecture design patterns. In particular, specifying the “Bootstrapping Design Patterns” category and the “Registration Design Patterns” category. We formally specified these design patterns using the formal Event-B method and we described their structural and behavioral features. In our stage, we are working at a high level of abstraction, so there is no connection between the theoretical model and physical devices for machine learning. In our current work, we are working in it. The generalization of our approach is an objective that we have fixed. In previous work [7] our approach was validated with a Smart Home case study. In this paper, we applied our approach in a health care case study. As future work, we are working on applying our approach on other categories of IoT design patterns.

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

previous chapter Digital Twin Driven Smart Home: A Feasibility Study

next chapter IoT Architecture with Plug and Play for Fast Deployment and System Reliability: AMI Platform

Abrial, J.R.: Modeling in Event-B: System and Software Engineering, 1st edn. Cambridge University Press, New York (2010)CrossRef

Borelli, F., Biondi, G., Kamienski, C.: Biota: a buildout IoT application language. IEEE Access 8, 126443–126459 (2020). https://doi.org/10.1109/ACCESS.2020.3003694CrossRef

Chandra, G.S.: Pattern language for IoT applications. In: PLoP Conference, USA (2016)

Dong, J., Alencar, P., Cowan, D.D., Sheng, Y.: Composing pattern-based components and verifying correctness. J. Syst. Softw. 80, 1755–1769 (2007)CrossRef

Erl, T.: SOA Design Patterns (The Prentice Hall Service-Oriented Computing Series from Thomas Erl), 1st edn. Prentice Hall (2009)

Gamma, E., Helm, R., Johnson, R.E., Vlissides, J.: Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, Reading (1994)MATH

Hadj Kacem, M., Tounsi, I., Khalfi, N.: Modeling and specification of bootstrapping and registration design patterns for IoT applications. In: Jmaiel, M., Mokhtari, M., Abdulrazak, B., Aloulou, H., Kallel, S. (eds.) ICOST 2020. LNCS, vol. 12157, pp. 55–66. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51517-1_5CrossRef

Leuschel, M., Butler, M.: ProB: a model checker for B. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 855–874. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45236-2_46CrossRef

Qanbari, S., et al.: IoT design patterns: computational constructs to design, build and engineer edge applications. In: 2016 IEEE First International Conference on Internet-of-Things Design and Implementation (IoTDI), pp. 277–282 (2016)

10.

Reinfurt, L., Breitenbücher, U., Falkenthal, M., Leymann, F., Riegg, A.: Internet of things patterns for device bootstrapping and registration. In: Proceedings of the 22nd European Conference on Pattern Languages of Programs, EuroPLoP 2017, pp. 15:1–15:27. ACM, New York (2017)

11.

Reinfurt, L., Falkenthal, M., Breitenbücher, U., Leymann, F.: Applying IoT patterns to smart factory systems. Advanced Summer School on Service Oriented Computing, Summer SOC (2017)

12.

Tounsi, I., Hadj Kacem, M., Hadj Kacem, A.: An approach for modeling and formalizing SOA design patterns. In: Proceedings of the 22nd IEEE International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises, WETICE 2013, Hammamet, Tunisia, pp. 330–335. IEEE Computer Society (2013)

13.

Tounsi, I., Hadj Kacem, M., Hadj Kacem, A., Drira, K.: A refinement-based approach for building valid SOA design patterns. IJCC, Int. J. Cloud Comput. 4(1), 78–104 (2015)CrossRef

14.

Tounsi, I., Hadj Kacem, M., Hadj Kacem, A., Drira, K.: Transformation of compound SOA design patterns. In: The 8th International Conference on Ambient Systems, Networks and Technologies (ANT 2017), Madeira, Portugal, 16–19 May 2017, pp. 408–415 (2017)

15.

Tounsi, I., Hadj Kacem, M., Hadj Kacem, A., Drira, K., Mezghani, E.: Towards an approach for modeling and formalizing SOA design patterns with Event-B. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing, SAC 2013, Coimbra, Portugal, pp. 1937–1938. ACM, March 2013

16.

Zhu, H., Bayley, I.: Laws of pattern composition. In: Dong, J.S., Zhu, H. (eds.) ICFEM 2010. LNCS, vol. 6447, pp. 630–645. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16901-4_41CrossRef

Title: Modeling IoT Design Patterns Proven Correct by Construction
Authors: Imen Tounsi
Najeh Khalfi
Abdessamad Saidi
Mohamed Hadj Kacem
Publisher: Springer International Publishing
Book: Participative Urban Health and Healthy Aging in the Age of AI
Print ISBN: 978-3-031-09592-4

Electronic ISBN: 978-3-031-09593-1

Copyright Year: 2022
DOI: https://doi.org/10.1007/978-3-031-09593-1_3

Springer Professional