Integrating Graceful Degradation and Recovery through Requirement-driven Adaptation

Cyber-physical systems (CPS) are subject to environmental uncertainties such as adverse operating conditions, malicious attacks, and hardware degradation. These uncertainties may lead to failures that put the system in a sub-optimal or unsafe state. Systems that are resilient to such uncertainties rely on two types of operations: (1) graceful degradation, to ensure that the system maintains an acceptable level of safety during unexpected environmental conditions and (2) recovery, to facilitate the resumption of normal system functions. Typically, mechanisms for degradation and recovery are developed independently from each other, and later integrated into a system, requiring the designer to develop an additional, ad-hoc logic for activating and coordinating between the two operations. In this paper, we propose a self-adaptation approach for improving system resiliency through automated triggering and coordination of graceful degradation and recovery. The key idea behind our approach is to treat degradation and recovery as requirement-driven adaptation tasks: Degradation can be thought of as temporarily weakening original (i.e., ideal) system requirements to be achieved by the system, and recovery as strengthening the weakened requirements when the environment returns within an expected operating boundary. Furthermore, by treating weakening and strengthening as dual operations, we argue that a single requirement-based adaptation method is sufficient to enable coordination between degradation and recovery. Given system requirements specified in signal temporal logic (STL), we propose a run-time adaptation framework that performs degradation and recovery in response to environmental changes. We describe a prototype implementation of our framework and demonstrate the feasibility of the proposed approach using a case study in unmanned underwater vehicles.


INTRODUCTION
Cyber-physical systems (CPS) encompasses systems with both physical and software components, such as autonomous vehicles, unmanned aerial vehicles (UAVs), smart grids, and robots.These systems are subject to environmental uncertainties such as adverse operating conditions (e.g., severe weather for vehicles), malicious attacks, and hardware faults (e.g., damaged or flaky sensors).Due to these uncertainties, CPS may encounter failures during their operation lifecycle.For example, an autonomous vehicle may deviate from the lane boundaries due to a distracted driver or bad road conditions, drones may enter unsafe airspace due to unexpected turbulences, and a city may encounter blackouts due to unexpectedly high demands on the electricity grid.
Achieving resiliency against such failures typically involves two types of operation [15]: (1) graceful degradation, for ensuring that the system maintains its most critical safety functions during unexpected environmental scenarios and (2) recovery, to enable the resumption of normal functions as the environment returns to its expected state.Typically, mechanisms for degradation and recovery are developed independently and later integrated into a single system.For instance, a designer of an automotive safety architecture may combine a degradation mechanism that uses secondary sensors (e.g., cameras) when primary ones fail (e.g., Lidar under inclement weather) and another mechanism for re-activating an optimal system function (e.g., self-driving mode) when the environmental conditions improve (e.g., Lidar providing accurate data again).There are two challenges with this approach: (i) The designer is responsible for developing and validating an application-specific logic that decides when degradation or recovery should be activated and (ii) as system requirements evolve over time, this logic may also need to be changed.
In this paper, we propose a self-adaptation approach for improving system resiliency through automated coordination of graceful degradation and recovery.The key idea behind our approach is to treat degradation and recovery as requirement-driven adaptation tasks: Degradation can be thought of as temporarily weakening an original system requirement to be achieved by the system, and recovery as strengthening a previously weakened requirement when the environmental conditions improve.Furthermore, weakening and strengthening can be regarded as dual operations: The former relaxes the set of system behaviors that are deemed acceptable, and the latter restricts it.Based on this idea, we propose a single, unified requirement-driven adaptation framework that is capable of automatically switching between degradation and recovery, depending on the changes that arise in the environment.Our proposed approach overcomes the above two challenges, by (i) removing the need to develop an application-specific logic for coordinating degradation and recovery, and (ii) allowing the designer to plug in a different requirement without modifying the underlying logic.
To concretize this approach, we propose a self-adaptation framework that takes system requirements specified in signal temporal logic (STL) [19], a type of temporal logic that is particularly wellsuited for specifying time-varying behaviors of CPS (e.g., "The vehicle must never deviate outside the lane for more than 2 seconds").We show how the weakening and strengthening operations can be formulated formally as the problem of relaxing and strengthening a given STL specification, respectively.In addition, it would be desirable to reduce the impact of degradation (i.e., apply minimal weakening necessary) and maximize the rate of recovery (i.e., strengthen the requirement as much as possible).To support such optimal degradation and recovery, we also describe how the problem of generating minimal weakening and maximal strengthening can be encoded and solved as an instance of mixed-integer linear programming (MILP).
We have developed a prototype implementation of our proposed adaptation framework.To demonstrate its feasibility, we have applied the framework to a case study involving an unmanned underwater vehicle (UUV), where the system may encounter environmental uncertainties such as low water visibility and thruster failures while on a mission to inspect an underwater pipeline [29].We compare our approach against the state-of-the-art adaptation framework called TOMASys [5].Our experimental results are promising, showing that our approach can achieve a higher level of requirement satisfaction throughout the adaptation process while incurring a reasonable amount of overhead.
In summary, our main contributions are as follows: (1) A theoretical framework that combines graceful degradation and recovery using incremental weakening and strengthening of STL-based requirements.(2) A runtime architecture that performs weakening and strengthening to support system adaptation given changing environmental conditions.(3) An approach for enabling optimal system behavior by finding a minimal weakening or maximum strengthening through MILP.(4) An implementation of the proposed adaptation framework and a case study involving UUVs.

MOTIVATING EXAMPLE
Consider an UUV (illustrated in Figure 1) that is on a mission to inspect underwater pipelines, inspired by the SUAVE exemplar system [29].The mission involves the UUV simultaneously following and inspecting a pipeline.There are two mission objectives that the system aims to achieve.First, it must maintain a clear line of sight with the underwater pipeline; if the visual contact is lost, the UUV must regain the contact within the next few seconds.Second, the thruster in the UUV must continually provide enough thrust to allow the vehicle to complete the mission within given time  .
During the mission, the UUV is subject to two sources of uncertainties: ( 1 ) change in water visibility and ( 2 ) thruster failures.These uncertainties may result in the system failing to meet the mission objectives stated above.For example,  1 may result in the UUV losing visual contact with the pipeline and unable to regain the visual contact in time. 2 may result in the engine being unable to provide enough thrust to complete the mission in time.In either scenario, the violation of the mission objectives may result in hardware damage and loss of the mission entirely.
Existing Approach.To safely degrade the functionality of the UUV during an adverse environmental condition, the developer may first construct a monitor that raises a warning when water visibility falls below a certain threshold (e.g., 5 meters) and triggers a certain degradation action (e.g., reduce the speed of the system or remain stationary to prevent collision with surrounding obstacles).Separately, to support recovery, another monitor may be created to look for when the water visibility improves and perform appropriate recovery actions (e.g., dive deeper to regain its visual contact).
This approach, however, has some drawbacks.First, the developer is responsible for designing triggering conditions and response actions, and validating that these actions maintain a desirable level of system utility (e.g., safety); this requires considerable domain knowledge and manual effort on the developer's part.Second, when system requirements evolve, these conditions and response actions may also need to be changed.For example, suppose that the UUV is required to float back up to the surface instead of diving deeper when the visibility falls below a certain safe threshold.Supporting this new requirement would involve designing a new controller (specific to this requirement) that triggers degradation and recovery based on the changes in the environmental condition.
Proposed Approach.To overcome these drawbacks, we take a requirements-driven adaptation approach.Given a user-specified requirement, our approach automatically switches between degradation and recovery by weakening and strengthening the requirement, respectively, and adjusting the system behavior to adapt to the modified requirement.In addition, our approach can determine an optimal amount of weakening or strengthening that is needed to degrade the system safely or bring it back to a normal operational state.
For example, suppose that the user-specified requirements for the visibility and thruster features are as follows:    : Every time the visual contact with the submarine is lost, regain the contact within the next 5 seconds by diving deeper toward the pipeline. ℎ : The thruster should provide 100 N of thrust to allow it to complete the mission on time.
During an adverse environmental event, each of the requirements can be weakened to adapt to the changing environment.For example, the visibility requirement may be weakened by changing the time to regain contact from within the next 5 second to within the next 15 seconds in the case of severely low water visibility, as follows: ′   : Every time the visual contact with the submarine is lost, regain the contact within the next 15 seconds by diving deeper toward the pipeline.

This weakened requirement 𝑅 ′
allows the visibility monitor to either delay the action to regain visual contact or descend towards the pipeline at a slower rate to ensure the safety of the vehicle.The weakening of the requirement can, in turn, increase the range of control actions the system can select from, shown in Figure 1 (action space increases from   to  ′  after weakening).Then, once the visibility has improved significantly, the vehicle may want to resume normal operation by reducing the time it takes to regain contact, by strengthening  ′   back to    .Similarly, in the case of an engine failure, the thruster requirement can be weakened by changing the required thrust from 100 N to some value less than 100 N, under the premise that it still provides an acceptable level of utility.One such possible weakening is as follows: The thruster should provide 50 N of thrust to allow it to complete the mission on time.
This weakened requirement  ′ ℎ allows certain thrusters to be turned off.Once the engine recovers (through a repair), the framework again identifies the best possible requirement for the thruster feature, ensuring that the UUV completes the mission in the most timely manner-by strengthening  ′ ℎ and allowing the system to turn thrusters back on.
Challenges.Generally, given a requirement like    , there are numerous ways of weakening or strengthening this requirement (e.g., adjusting the time to regain visibility by different amounts).Weakening a requirement involves temporarily sacrificing a certain utility while strengthening leads to a regain of that utility.One challenge is how to systematically weaken the requirement no more than needed while strengthening the requirement to the maximum extent possible.Another challenge is given a weakened or strengthened requirement, how to reconfigure or adjust the behavior of the system to best fulfill the adjusted requirement.To tackle these challenges, we will describe (1) how requirement weakening and strengthening can be formalized using parametric signal temporal logic (PSTL) [3] and (2) how to perform optimal requirement adaptation by encoding it as a MILP problem.

PRELIMINARIES
Signals.In our approach, the behavior of CPS is modeled by real-valued continuous-time signals.Formally, a signal is a function s :  →  mapping from a time domain,  ⊆ R ≥0 , to a tuple of  real numbers,  ⊆ R  .The value of a signal s() = ( 1 , . . .,   ) represents different state variables of the system at time  (e.g.,  1 might represent the altitude of a drone).
Signal temporal logic (STL).STL extends linear temporal logic (LTL) [23] for specifying the time-varying behavior of a system in terms of signals.The basic unit of a formula in STL is a signal predicate in the form of  (s()) > 0, where  is a function from  to R; i.e., the predicate is true if and only if  (s()) is greater than zero.The syntax of an STL formula  is defined as: Robustness.Typically, the semantics of temporal logic such as LTL is based on a binary notion of satisfaction (i.e., formula  is either satisfied or violated by the system).Thanks to its signalbased nature, STL also supports a quantitative notion of satisfaction, which allows reasoning about how "close" or "far" the system is from satisfying or violating a property.This quantitative measure is called the robustness of satisfaction [13].
Informally, the robustness of signal s with respect to formula  at time , denoted by  (, s, ), represents the smallest difference between the actual signal value and the threshold at which the system violates .For example, if the property  says that "the drone should maintain an altitude of at least 5.0 meters," then  (, s, ) represents how close to 5.0 meters the drone maintains its altitude.Formally, robustness is defined over STL formulas as follows: where inf  ∈  () is the greatest lower bound of some function  :  → R (and sup the least upper bound).The robustness of satisfying predicate  (s()) > 0 captures how close signal s at time  is above zero.
Parametric signal temporal logic (PSTL).PSTL [3] is a logic obtained by replacing the constants in an STL formula with parameters.The syntax of PSTL is as follows: Note that the syntax is similar to that of STL except both  and the time interval  can either be a parameter or a constant.In addition, there are two types of parameters in PSTL formulas:  represents the value parameter for the atomic proposition  (s()) > , whereas  represents the time parameters [ 1 ,  2 ] (where  1 <  2 ).A PSTL formula is denoted as  (p), where p = ( 1 , ...,   ) ∈ P is the tuple of parameters appearing in the PSTL formula.
To instantiate a PSTL formula into an STL formula, a valuation function  is needed to map parameters to their corresponding concrete values.For example, it maps value parameters to the signal domain , and time parameters to the time domain  .A PSTL formula combined with a valuation function  for p defines an STL formula  ( (p)).We say that a PSTL formula  is satisfiable with respect to signal trace s if there exists an instantiated STL formula  ( (p)) such that it is satisfiable.It is formally denoted as follows: (s, ) For example, consider PSTL formula Validity Domain.The validity domain of a PSTL formula is the set of all the parameter values that yield satisfaction for an arbitrary signal s.We will be extending this concept in Section 5 for our adaptation framework.We present an overview of our proposed runtime adaptation architecture in Figure 2. The adaptation framework periodically observes the state of the environment, determines whether adaptation is needed, and generates actions based on requirements to affect the system and environmental states.

RUNTIME ADAPTATION ARCHITECTURE
There are three major components in the proposed adaptation architecture.First, the event detector looks for degradation or restoration events in the environment.Second, the requirement evaluator determines the achievable requirement based on the current environmental conditions.Third, the degradation and recovery planner plan future system actions based on the changing requirements.For example, if visibility decreases below a certain threshold and the weakened requirement states that "regain contact within the next 5 seconds", the degradation planner may institute a wait action instead of diving directly or diving with a lower speed.
When activated by the event detector, the requirement evaluator takes various inputs: (1) an environmental event, (2) the current system requirement, (3) the current state of the system, and (4) the environmental model, which captures how the state of the environment changes based on system actions.Using a model-predictive control (MPC) approach [24], the evaluator finds an optimal requirement either via strengthening or weakening of the current requirement and produces the corresponding control actions through the planner.
In the following, we describe (A) the environmental model in more detail, (B) how degradation or adaptation is triggered, and (C) building on these, a precise formulation of the requirements-driven adaptation problem.

Environment Model
Given the current requirement  0 , the goal of the evaluator is to search for an alternative requirement  1 that is satisfiable.Evaluating the satisfiability of an STL formula requires knowledge of certain future steps s, and the environmental model enables the generation of the predictive signals for these particular evaluations.
Formally, the environment model is represented as transition system  = (Q, A, , Q  ), where: For example, the environment model for the pipeline inspection case study captures the current location and the velocity of the vehicle, the relative location for the pipeline, the thrust of the engine, and how the engine configuration affects the thrust.The location of the vehicle changes during each transition depending on the current velocity, which, in turn, may be modified by a system action that accelerates or decelerates the vehicle (represented by a velocity vector).Suppose the state  is represented as a tuple (  ,   ,   ).The next state can be computed using the previous state , action , and transition function , such that  ′ =  (, ) The example below captures the environmental model for setting the velocity of the vehicle based on the acceleration provided by the engine thrust: Then, given a sequence of actions  1 ,  2 , ...,   and current state , the environment model can be executed over these actions to generate a corresponding state sequence,  0 ,  1 , ...  , which is then formed into predictive signal s.
We do not impose restrictions on one particular notation for specifying an environment model, as long as it can be used to generate signals in the format illustrated above.With a more powerful backend like Gurobi [26], one can encode more complex environmental models like non-linear dynamics.For our implementation, we use the MiniZinc modeling language [21], which provides declarative constraints for specifying relationships between different variables of a system.

Adaptation Trigger
A key decision in our adaptation process is determining when degradation or recovery should be triggered.Degradation takes place when the system is no longer capable of satisfying the given requirement  in the current environment.We state this condition more formally as follows: where S is the set of all signals,  0 is the current state of the system, ⊕ is an interleaving of two sequences of actions.In other words, the above statement says that the environment can behave in a certain way (through some sequence of actions, a  ) such that no matter how the system responds, it is unable to satisfy the property .The idea is then to carry out degradation to find and satisfy a weaker version of .
Similarly, the triggering condition for recovery is stated as follows: In other words, in the current environment, the system can guarantee the satisfaction of , no matter how the environment behaves.Since the environment is in such an agreeable condition, the system may then attempt to improve its utility by satisfying a stronger version of .
Evaluating the above conditions involves generating a predictive signal (s) that describes how the environment evolves given a sequence of system actions.However, carrying this out frequently may incur significant runtime overhead and possibly interfere with the system operations.Thus, instead of evaluating these conditions, our event detector looks for designated degradation and restoration events (  and   ) and uses these as proxy triggers for degradation and recovery, respectively.Degradation events are abnormal events that occur due to an unexpected change in the environment, such as a thruster failure or unusually low water visibility.On the other hand, a restoration event indicates the environment returning to its previous state, such as an improvement in visibility or recovery of an engine thruster.

Adaptation Problems
We provide a precise statement of our requirements-driven adaptation problems: Problem 4.1.Graceful Degradation Problem.Given degradation event  0 ∈ A  and current requirement   , find  ′  and action sequence a such that where  0 is the current state of the system (encoded in s  ) and ⌢ is the concatenation operator that is used to link two sequences together (i.e., ⟨ 1 ,  2 ⟩ ⌢ ⟨ 3 ,  4 ⟩ results in ⟨ 1 ,  2 ,  3 ,  4 ⟩).Degradation actions A  is a subset of all environmental actions A  (i.e., A  ⊆ A  ) defined in Section 4. s  represents the future signal generated by the sequence of actions a, and s  represents the signal that encompasses the current state, which is monitored by the sensor.Note also that the new requirement needs to be weaker than the current requirement to achieve degradation, using the definition in Eq. ( 2), which will be formally defined in Section 5.
Informally, this problem involves given a degradation event, how to find control actions that can satisfy an alternative requirement such that it still provides an acceptable level of system utility.Problem 4.2.Recovery Problem.Given restoration event  0 ∈ A  and current requirement   , find  ′′  and a such that Note that in the case of recovery, the new requirement needs to be stronger than the current requirement to achieve recovery, as defined in Eq. ( 5).The formalism for strengthening will be formally defined in Section 5. Informally, the recovery problem is framed as given a restoration event, how to find control actions that can satisfy an alternative requirement such that it can provide an improved level of system utility.

REQUIREMENT WEAKENING AND STRENGTHENING
In this section, we present an extension to PSTL to (1) incorporate the concept of requirement weakening and strengthening, and (2) restrict the search space of alternative requirements by providing upper and lower bounds for the validity domain of PSTL formulas.We also propose metrics to compare multiple PSTL instantiations.These metrics are then used by the MILP solver to find an optimal requirement; i.e., a minimally weakened or maximally strengthened version of the current requirement.

Minimal, Optimal and Current requirements
To enable requirement adaptation, we introduce three new concepts that guide and restrict the range of the requirement space.The minimal requirement,   , represents the lower bound of the PSTL requirement, allowing for the loosening of constraints when necessary for system adaptability.Conversely, the optimal requirement,   , signifies the upper bound of the PSTL requirement, enabling the strengthening of the reference requirement.We assume that any requirements that are stronger than the optimal requirement do not provide additional utility for the system, and on the contrary, any requirement weaker than the minimal requirement will result in behavior that is deemed unacceptable to stakeholders.The current requirement, denoted as  0 , represents the requirement that the system is trying to achieve.Note that the current requirement should always be weaker than (or equal to) the optimal requirement, while always being stronger than (or equal to) the minimal requirement.
Recall the visibility requirement for the UUV example in Section 2. The optimal requirement, in this case, is   : Every time the visual contact with the submarine is lost, regain the visual contact within the next 5 seconds, formally denoted as visibility < 20 ⇒ [0,5] (distance_to_pipe < 10), assuming that visibility of 20 meters is the threshold that determines whether visual contact is maintained.
Suppose that the UUV designer is willing to accept a weakening of the time interval to regain visual contact to 15 seconds; any time above that threshold would be considered unacceptable.Thus, the requirement visibility < 20 ⇒ [0,15] (distance_to_pipe < 10) is designated as a minimal requirement, and any time in between can be set as the current requirement (for example, regaining visual contact within 7 seconds).

Extension to PSTL
Strengthening and weakening.Suppose  1 and  2 are two distinct instantiations of the PSTL formula , such that  1 =  ( 1 (p)),  2 =  ( 2 (p)), and  1 ≠  2 .We say that  1 is weaker than  2 if and only if Eq. 9 is true, denoted as  1 ≪  2 ; conversely,  1 is stronger than  2 if and only if Eq. 8 holds, denoted as Suppose we are given a PSTL formula , its reference requirement  0 , minimal requirement   and optimal requirement   .We define strong valuation as a set of valuation functions   such that  0 ≪  (  (p)) ≪   ; and weak valuation as a set of valuation functions   , such that   ≪  (  (p)) ≪  0 .The set of all instantiated STL formulas as a result of a strong valuation  (  (p)) are referred to as strengthened formulas; and all instantiated STL formulas as a result of a weak valuation  (  (p)) are referred to as weakened formulas.
Bounded Validity Domain.The validity domain of a PSTL formula [3], evaluated with respect to signal trace s, is the set of all the parameter values that yield satisfaction for the trace s.We extend the validity domain concept so that it is bounded by minimal and optimal requirements that we defined above in Section 5.1.
We first define the ⪯ operator: ).Additionally, v  and v  correspond to the valuations that instantiate the minimal and optimal requirements   and   , respectively.Then, the validity domain of PSTL formula  with respect to a signal s, bounded by v  and v  , is denoted as  (s, ) and defined in the following way: Note that  v and  v here either represent constants or the concrete value assignment of the parameter  and  using valuation tuple v.The resulting set,  (s, ), is a set of all 2-element tuples of form (,  (p)), where (s, ) |=  ( (p)).
Degree of Weakening and Strengthening.To quantitatively measure and compare the relative restrictiveness between two instantiated formulas (i.e.,  ( 1 (p)) and  ( 2 (p)), which will be abbreviated to  1 and  2 below), we introduce two metrics: degree of weakening (Eq.10), and its inverse metric, degree of strengthening (Eq.11).These metrics are defined based on the robustness of satisfaction, as follows: Note that for degree of weakening to be a positive number,  2 must be weaker than  1 , and vice versa for degree of strengthening.We will present an example below to illustrate how these metrics are used.

Runtime Adaptation as a MILP Formulation
The requirement adaptation process can be performed by reducing it to an instance of MILP, where the problem consists of solving for a set of decision variables that optimize certain objectives while fulfilling a set of hard constraints.We next show how minimizing the degree of weakening and maximizing the degree of strengthening can be formulated as MLIP objectives.
There are two decision variables to be solved in this MILP problem: parameters  ′ (p) and control action sequence a.Note that in Eq. ( 13), the past signal is defined up until the current time.Eq. ( 14) involves the prediction of a future signal from the next time step to time  +  using the transition system  that encodes an environment model. ∈ N is a finite predictive horizon inferred from the STL requirement .Eq. ( 15) guarantees that the new requirement is within the defined range of requirements by restricting the parameters of the PSTL formula to the validity domain.
Finally, by minimizing the degree of weakening from  ( (p)) to  ( ′ (p)) in Eq. ( 12), we guarantee that the system utility associated with the requirement is degraded by a minimal necessary amount.
The formulation of recovery as MILP mirrors that for degradation: Problem 5.2.Recovery MILP Formulation.Given the current requirement  ( (p)) and it strengthened version to be found,  ( ′ (p)), transition system = (Q, A, , Q  ), and state sequence   =  0 , . . .,   representing the signal observed from the environment so far, compute: . .
In comparison to the MILP formulation for the degradation problem, the objective here is to maximize the degree of strengthening between  ( (p)) and  ( ′ (p)), as shown in Eq. ( 16).This allows searching for the best possible requirement that allows the system to regain utility that was temporarily sacrificed during an earlier degradation step.

IMPLEMENTATION 6.1 Simulator
To illustrate our proposed requirement adaptation approach, we have developed a prototype implementation1 based on SUAVE [29], an unmanned underwater vehicle that supports the customization of self-adaptation logic.It uses a ROS2-based platform and implements a pre-defined mission that detects, follows, and inspects a pipeline on the seabed.The backend of the simulator uses Ar-duSub [34], which provides various controller APIs to control the trajectory of the underwater vehicle.The vehicle trajectory and environmental setup can be visualized through the Gazebo simulator [20] with the UI shown in Fig. 3 where the seabed pipe is indicated with the yellow cylinder, while the UUV is illustrated by the rectangular box to the left side of the pipe.Various environmental entities (i.e., lighting, terrain) are listed on the panel to the right, and can be adjusted as needed.Features.For evaluation, we implemented two mission-related features in the UUV.When these features are activated, they generate propulsion actions (in the form of velocity vectors) or system reconfiguration actions that override those from the path planner.The implemented features are as follows: • Visibility Monitor ensures that the UUV maintains sufficient visibility to the pipelines.To achieve this, it generates actions to enforce the UUV to close in on the pipelines when the visibility is below a safety threshold.• Thrust Monitor ensures that the UUV maintains enough thrust to support the timely completion of the mission.The thrust monitor may change the system configuration dynamically (i.e., turning on additional thrusters when the actual thrust falls below the expected thrust.)Environmental Anomalies.Next, we randomly injected abnormal environmental events throughout the operation of the UUV.We list two failures that we investigated: • Loss of visual contact with the underwater pipeline: The low water visibility makes it difficult for the UUV to detect and follow the underwater pipeline.When it occurs during the pipeline inspection, it may result in the UUV losing sight of the pipeline and requiring it to dive deeper in the short term, regain the visual line of sight, and continue the inspection progress.The change in the water visibility is introduced randomly during the simulation.• Thruster failure: A thruster failure causes the engine of the UUV to provide partial propulsion, move erratically, or shut down completely.Similarly, thruster failures are modeled and injected in a stochastic manner.

Environment Model
Our framework leverages a model of the environment during the adaptation process.For the UUV system, the environmental model captures the (1) physical dynamics of the system (2) thruster estimation from the engine, and (3) the estimated coordinates of the seabed pipeline.The dynamics model is used to estimate the velocity of the UUV based on the accelerating or decelerating actions.The thruster estimation is based on the configuration of the thrusters (i.e., which ones are turned on or off).Lastly, the estimated coordinates of the seabed pipeline are based on information received via onboard sensors.The coordinate information is also used to keep track of the inspection progress and guide the diving operation toward the pipeline.All aspects of the environmental model are specified in the MiniZinc modeling language, translated to linear constraints and solved using MILP during the adaptation process.

EVALUATION
This section describes the evaluation of our proposed approach.We present the following: • RQ1: Does our approach achieve a higher overall system utility than existing state-of-the-art approaches?• RQ2: What is the runtime overhead of the proposed approach?Does it interfere with system operations?

Experimental Design
We conducted a set of experiments to evaluate the proposed adaptation approach through comparison against with state-of-the-art self-adaptation method in TOMASys [5].To ensure that our adaptation approach generalizes across various scenarios, we randomly generated 100 different system setups and failure scenarios, including the duration of the simulation, times when failures are injected, changes in the water visibility, number of usable thrusters, the initial position of the UUV, and the location of the underwater pipeline.
To compare our proposed method and the baseline approach, we use the cumulative utility as the metric, which is measured by calculating the robustness of the minimal requirement for the signal collected during the degradation and recovery process.The reason why we chose to measure the satisfaction of the minimal requirement is that it is the lower bound of the instantiated STL formula under which the system feature ceases to function and provides useful utility.We assume that the robustness metric is a suitable medium to reflect the desirability of the system behavior.The robustness is measured upon the start of the degradation events and ends upon the satisfaction of the optimal requirement (  ) which indicates the end of the recovery.If the optimal requirement is never reached due to persistent environmental disruptions, the cumulative robustness measurement will continue until the end of the simulation life cycle.
Before we conducted the experiments for the case studies, we created the following hypotheses to be tested: • H1: Our approach results in a higher cumulative utility throughout degradation and recovery processes than the existing method.• H2: Our approach results in a higher run-time overhead but it does not disrupt normal system operations.
All our experiments were run on a Ubuntu desktop machine with 16 GB RAM, 6-core Intel Core i5, and a NVIDIA GeForce RTX 3060 graphics card.

Seabed Pipe Inspection Case Study
Recall the example mentioned in Section 2, where a UUV is conducting a mission to inspect underwater pipes on the seabed.The optimal STL formula   and the minimal requirement   for the water visibility and thrust requirement are specified as follows: ℎ _ : □ [0,1] (thrust > 100) ( 22) The visibility requirement    ensures that the UUV can closely observe the pipelines upon the visibility falling below the safety threshold 20.The thrust requirements allow the system to continuously provide adequate propulsion to ensure a timely mission completion.for both the visibility and thruster monitor feature while the system is encountering thruster failures or low water visibility events.The results show that our adaptation approach achieves a higher cumulative robustness value than the baseline self-adaptive approach.Specifically, in the case of the water visibility monitor, it achieves an approximately 2-fold increase in cumulative robustness (with a 26.9 increase in robustness).In the case of the thruster monitor feature, our approach has a 24.3 lead in cumulative robustness.
The SUAVE artifact [29] also comes with a set of mission-related metrics that measure the quality of the mission completion.We reused some of the metrics, namely, the distance of the pipeline inspected.We discovered that our approach, on average, can inspect 86.10 meters of the pipeline while the baseline approach can only inspect 49.63 meters, an increase of about 74%.However, the standard deviation of our approach (36.68) is slightly worse than the baseline approach (23.30), meaning that the actual performance fluctuates more across various failure scenarios in the 100 experiment runs.
There are two main reasons for this increase in the cumulative utility and the quality of the mission completion.First, it is the dynamic nature of the action planning based on the specific scenario or context.For instance, TOMASys relies on a fixed set of actions (determined at design time) to address each scenario.To satisfy the objective of regaining contact with the pipeline after losing visuals, TOMASys simply has a predefined action to dive several meters down the seabed, whereas our approach predicts all possible signals given available actions using an environmental model.Then it chooses the actions that result in the most desirable signals.Second, it is the ability to flexibly adapt goals in different situations-namely, adjusting the requirements when they are not attainable or have the potential for improvements.The dynamic action planning and the requirement adjustments result in a more measurable system utility, and therefore, more robust and desirable system actions.

Performance Overhead
Since the requirement adaptation approach requires the use of MILP to search for requirements and plan actions at run time, it has a higher overhead than the baseline approach that uses actions that are defined at design time.We measure the overhead as the average additional time the system uses per control cycle as a result of deploying our adaptation approach compared to the baseline approach using TOMASys.Consequently, we measured the average overhead across both the visibility and thrust monitor features as 0.35 seconds.We have not observed noticeable delays or disruptions to our UUV during the operation, as the UUV controller was running at 2Hz, resulting in a window of 0.5 seconds for each cycle of the controller update.
Furthermore, the performance overhead is subject to the complexity of both the feature requirements and the environmental model.For example, the visibility monitor feature incurs a higher overhead because the encoding of the STL formula results in a more complex set of constraints for the MILP solver at runtime.

Threats to Validity
Internal Validity: The sampled configuration space is partial and may not capture all exceptional scenarios exhaustively.However, we have mitigated selection biases by randomizing the configuration parameters.For example, at which point failures occur, the initial location of the UUV, the setup of the underwater pipelines, etc.In addition, we are using a deterministic environmental model that captures simple physical dynamics.This is to simplify the scope of the problem and reduce the search space for the changed requirements and corresponding actions.However, the model may not capture the dynamic of the real world caused by external factors (i.e., UUVs may deviate from the direction it is accelerating towards due to water currents).We attempted to mitigate this discrepancy by manually inspecting the source code of the ArduSub simulator to ensure the model largely captures the logic of the simulator.
External Validity: The overhead of the simulation is applicationspecific and hardware-dependent.More restrictive hardware or outdated MILP solver may increase the runtime overhead of our framework and therefore require more performance tuning than our existing software artifacts.
Furthermore, the result of the case study may not be generalized to all applications of CPS.Depending on the specific applications (i.e., electricity grids, UAVs), the system requirement may be expressed differently, and so does the way to degrade the systems.However, we believe the concept of using requirement weakening and strengthening to perform degradation and recovery is requirement-agnostic, and that it can be generalized across different domains.

RELATED WORK
Graceful Degradation and Recovery.Graceful degradation is the ability of a system to maintain an acceptable level of functionality even when a significant portion of the system is rendered inoperable due to environmental disturbances.Recovery refers to the ability of the system to restore to a safe or desired state after a failure.Both areas are well-studied in control systems and humanmachine interfaces.Many degradation frameworks have been developed for different applications and domains, such as adaptive cruise control [22], autonomous drones [10,35], software user interfaces [14], industrial control systems [6,12], and design patterns for degradation [27], respectively.There is also a large body of work on system recovery.[9] proposed an STL-based resilient framework that enables analysis of trade-offs between time-to-recovery and durability in a cruise control system using multi-objective optimization, while [17] and [31] propose checkpointing techniques (i.e., storing system traces with a finite horizon leading up to the current state).Lastly, [16] and [1] use system restart and reset to recover the system from a failure.As far as we know, no prior work provides a coordination mechanism to facilitate these two processes in a single system.
Self-adaptive Systems.Self-adaptive systems aim to design systems that are capable of adjusting to changes in the environment.The most influential reference control model in autonomic and selfadaptive systems is the MAPE-K [2] architecture, which stands for Monitor-Analyze-Plan-Execute over a shared Knowledge, on which our resolution architecture is based.Self-healing systems [28] have been proposed by Shaw, et al. to address the problem of coping with fluctuations and uncertainties in the environment.The idea is that the system always keeps a background maintenance process running regardless of the current state of the system and the environment (i.e.garbage collection, optimized network routing, etc.).This way, the system will eventually maintain internal stability and continuous improvement despite external changes.This state is also known as a homeostasis state.Our approach draws inspiration from this idea, in that we attempt to ensure that the system aims to achieve the most desirable requirement relative to the current requirement.
The concept of meta-control has been used for design-time analysis.For example, OpenODD [25] has been used as a scenario-based analysis framework for autonomous systems, especially in selfdriving cars.TOMASys [5] provides a comprehensive set of reconfiguration strategies ranging from architectural reconfiguration, to monitor construction, and then to scenario-based definition of adaptation tactics.
Requirement Adaptation.Requirement adaptation has been investigated in the context of self-adaptive systems.The idea of weakening a requirement has been studied for feature interaction resolution [10], handling a violation of environmental assumptions and safety properties [6,35], controller synthesis [7,8], and goal adjustment for security-critical systems [30].As far as we know, however, these existing works focus on how to gracefully degrade the system using requirement relaxation, instead of combining both degradation and recovery stages or attempting to coordinate them using requirement adaptation.
RELAX [32] is designed to support expressing requirements that explicitly capture uncertainties about runtime system behavior based on fuzzy temporal logic.For example, with RELAX, users can specify requirements like, "Once a user request is sent, it should be processed as early as possible".Although our approach differs in that it relies on STL as the underlying specification formalism, an interesting future work would be to investigate the utility of RELAX for the type of degradation-recovery loop that we have explored.
Both [33] and [18] study goal adaptation in the context of changing stakeholder goals or user preferences.However, their proposed methods are designed to be dependent on human inputs, not for automatically adapting to changing environments.[4] focuses on requirement adaptation based on resource constraints and proposes a 2-tier adaptation framework that (1) first tries to fulfill goals by finding alternative resources and (2) if needed, deviates the goal slightly from the original one to compensate for limited resources.Our approach differs from these approaches in that our utility is represented as the desirability of requirements over run-time signals, instead of adequate resources being allocated.

LIMITATIONS AND FUTURE WORK
We propose a requirement-driven runtime adaptation framework that coordinates between grace degradation and recovery.Through the case study on UUVs, we have demonstrated our proposed approach can result in more desirable system behaviors during periods of degradation and recovery.
However, our approach makes several assumptions about the system that may limit its applicability.First, our approach tackles the class of requirements can be specified using STL [19].These requirements are specific to cyber-physical systems, where the system is time-sensitive, and sensor inputs can be monitored and transformed into continuous signals and quantified using state predicates.Thus, the framework is currently not designed to handle other classes of requirements (e.g., discrete behavioral specifications in LTL or stochastic ones in PCTL [11]).
Secondly, we assume the system has a meaningful way of quantifying the satisfaction of its requirements, these requirements can be weakened, and the user is willing to tolerate temporary degradation in the associated system utility.Thus, this framework is not well-suited for safety-critical requirements, which tend to be hard constraints and cannot be negotiated (i.e., a collision avoidance system for smart vehicles).
Thirdly, we assume that interactions between the system and the external environment (i.e.how a UUV move around the water based on an actuator command) can be predicted by a deterministic environmental model.However, the estimation from the environmental model may deviate from reality, due to environmental disturbance and other uncertainties.To address this, we used model predictive control [24], which involves repeated prediction and planning on a short horizon to reduce the effect of deviation in the estimation.
Another limitation of our approach is that a MILP solver may fail to find a satisfiable solution.This can be due to an overly restrictive environmental model, a limited range of alternative requirements that the solver can search for, or an unresolvable system state at the time of the adaptation.While this happened rarely in our case studies (less than 2% of adaptation cycles), we can cope with the problem through some minor tuning of the adaptation frameworks like reducing constraints to the environmental model, increasing the ranges of requirements available, or defining some simple fallback adaptation approaches, etc.
In future work, we also plan to investigate the applicability of our approach in our domains, such as robotics and cyber-security, where the ability to gracefully degrade and recover is critical for system autonomy and resilience.

Figure 2 :
Figure 2: Proposed adaptation framework is the set of environment states.Each state is a combination of values for signal variables, represented as a k-dimensional tuple;  = ( 1 , ...  ) ∈ Q. • A is the set of all actions, A = A  ∪ A  , where A  is the set of actuator actions and A  is the set of environmental actions.Note that A  and A  are disjoint, meaning that A  ∩ A  = ∅.•  : Q × A → Q is the transition function that captures how the system moves from one state to another by performing an action.• Q  is the set of initial states.

Figure 3 :
Figure 3: A screenshot of the Gazebo UUV simulator.

Figure 4 :
Figure 4: Cumulative robustness for visibility and thruster monitor features for the pipeline inspection case study