Proactive Self-Adaptation under Uncertainty: a Probabilistic Model Checking Approach

Gabriel A. Moreno
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213, USA
gmoreno@sei.cmu.edu

Javier Cámara
School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213, USA
jcmoreno@cs.cmu.edu

David Garlan
School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213, USA
garlan@cs.cmu.edu

Bradley Schmerl
School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213, USA
schmerl@cs.cmu.edu

ABSTRACT

Self-adaptive systems tend to be reactive and myopic, adapting in response to changes without anticipating what the subsequent adaptation needs will be. Adapting reactively can result in inefficiencies due to the system performing a suboptimal sequence of adaptations. Furthermore, when adaptations have latency, and take some time to produce their effect, they have to be started with sufficient lead time so that they complete by the time their effect is needed. Proactive latency-aware adaptation addresses these issues by making adaptation decisions with a look-ahead horizon and taking adaptation latency into account. In this paper we present an approach for proactive latency-aware adaptation under uncertainty that uses probabilistic model checking for adaptation decisions. The key idea is to use a formal model of the adaptive system in which the adaptation decision is left underspecified through nondeterminism, and have the model checker resolve the nondeterministic choices so that the accumulated utility over the horizon is maximized. The adaptation decision is optimal over the horizon, and takes into account the inherent uncertainty of the environment predictions needed for looking ahead. Our results show that the decision based on a look-ahead horizon, and the factoring of both tactic latency and environment uncertainty, considerably improve the effectiveness of adaptation decisions.
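As an added illustration (not code from the paper), the sketch below resolves the tactic choice by exhaustive expected-utility search over the horizon, a plain stand-in for the probabilistic model checker rather than the authors' formal model. The capacity, cost, latency and forecast values, the utility function and the `decide` helper are all constructed assumptions.

```python
from functools import lru_cache

# Constructed parameters (assumptions, not values from the paper).
CAPACITY = 10      # requests one server handles per period
COST = 2.0         # cost per server per period, booting or active
LATENCY = 2        # periods between starting "add" and the server being usable
MAX_SERVERS = 3
# Predicted request rate per period as (probability, rate) pairs.
# Simplification: periods are independent, so the state carries no environment.
FORECAST = [[(1.0, 8)], [(1.0, 8)], [(0.7, 18), (0.3, 10)], [(0.7, 20), (0.3, 10)]]

def actions(servers, pending):
    """Tactics allowed in this state (the nondeterministic choice)."""
    acts = ["none"]
    if pending == 0 and servers < MAX_SERVERS:
        acts.append("add")
    if servers > 1:
        acts.append("remove")
    return acts

def expected_utility(t, servers, pending):
    """Expected utility of period t: served requests minus server cost."""
    paid = servers + (1 if pending else 0)
    served = sum(p * min(rate, CAPACITY * servers) for p, rate in FORECAST[t])
    return served - COST * paid

def best(start, end, servers, pending):
    """Return (max expected accumulated utility from start to end, first action)."""
    @lru_cache(maxsize=None)
    def value(t, servers, pending):
        if t == end:
            return 0.0, None
        results = []
        for act in actions(servers, pending):
            s = servers - 1 if act == "remove" else servers
            p = LATENCY if act == "add" else pending
            u = expected_utility(t, s, p)
            if p > 0:                 # one period elapses; the boot may complete
                p -= 1
                s += 1 if p == 0 else 0
            results.append((u + value(t + 1, s, p)[0], act))
        return max(results, key=lambda r: r[0])
    return value(start, servers, pending)

def decide(horizon, servers=1):
    """Decision taken now when looking `horizon` periods ahead."""
    return best(0, min(horizon, len(FORECAST)), servers, 0)
```

With a horizon of one period the search picks "none", because a booting server only costs money in the current period; with the full four-period horizon it picks "add" at once so that the server is usable when the predicted load rises.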
Categories and Subject Descriptors

D.2.m [Software Engineering]: Miscellaneous—self-adaptive systems

General Terms

Design, Management, Performance

Keywords

Latency-aware, proactive, probabilistic model checking, self-adaptation

1. INTRODUCTION

Software-intensive systems are increasingly expected to operate under changing conditions, including not only varying user needs and workloads, but also fluctuating resource capacity and degraded or failed parts. Furthermore, considering the scale of systems today, the high availability demanded of them, and the fast pace at which conditions change, it is not viable to rely mainly on humans to reconfigure and change systems as needed. Self-adaptive systems aim to address this problem by incorporating mechanisms that allow them to change their behavior and structure to adapt to changes in themselves and in their operating environment [11, 43].

Current self-adaptive systems tend to be reactive and myopic. Typically, they adapt in response to changes without anticipating what the subsequent adaptation needs will be. Furthermore, when deciding how to adapt, they focus on the immediate outcome of the adaptation. In general, this would not be a problem if adaptation tactics were instantaneous, because the system could adapt swiftly to changes, and consequently, there would not be a need for preparing for upcoming environment changes.
However, many adaptation tactics are not instantaneous; that is, there is a lag between when a tactic is initiated and when the effect is produced. We call this time tactic latency. For example, adapting a system to shed load by producing results without including optional elements may be achieved quickly if it can be done by changing a simple setting in a component, whereas spinning up an additional server to share the load may take on the order of minutes.

Such delays are not only prevalent in modern IT systems, but are also intrinsic in other domains requiring self-adaptation. For example, some tactics used in self-adaptive wireless sensor networks may require updating the firmware of the nodes [39], an operation that can take more than a minute for updating a single node [35]. Also, in a cyber-physical system, a GPS may be turned off as a power-saving tactic; however, turning it back on is not an instantaneous adapta-