Sage Journals: Discover world-class research

Abstract

Reliability of cyberphysical system (CPS) components substitution is an important issue for CPS troubleshooting and system upgrading. In this paper, decision problem of components substitution is regarded as decision problem of services substitution through a service-oriented architecture of CPS. Further, a reliability assurance method for CPS service substitution is proposed, which comprises two parts. The first one is a qualitative judgment method for CPS service substitution according to the relationship between service compatibility and substitution based on time-space π-calculus with time and space operators. The other one is consisted of substitution processes from above judgment results based on service management theory. Finally, a case study is performed to show how to apply this method to ensure CPS components reliable substitution. The experimental result shows that this method is reasonable and feasible.

1. Introduction

Cyberphysical system (CPS) is a new concept in the information field in recent years. CPS is defined [1] as integration of computation with physical processes and consists of computation units, control units, communications network, sensors, and actuators. In a CPS, downsized and embedded devices execute physical processes by monitoring and controlling entities in the physical world. Computers, networks, devices, and their environments in which they are embedded have interacting physical properties, consume resources and contribute to the overall system behavior. Nowadays, CPS can be found in areas as diverse as transportation, defense, energy, and industrial automation, health, biomedical and critical infrastructure, agriculture, and so forth. Many countries have begun to pay high attention to CPS [2]. The PCAST of USA in 2007 report found that cyberphysical systems “are now a national priority for Federal R&D.” Hundreds of millions of dollars are invested into R&D efforts from then on. The European Union's Artemis (2008–2017) is clearly aimed at the same fundamental problems in the embedded systems aspect of CPS research, with €2.7 billion. Others such as Japan and Korea have set up CPS research projects. Chinese government also attaches great importance and the 863 program “Cyber-Physical Oriented System Platforms” has started, officially approved in 2011.

Since CPS has impact on physical processes and an unreliable operation may lead to disastrous consequences, CPS components’ reliable substitution is an important issue for troubleshooting and system upgrading. The first problem is how to design the system architecture of CPS. However, the research on architecture is still at knowledge preliminary and exploratory stage both at home and abroad. Tan Ying proposed prototype architecture of CPS [3], but it lacks a comprehensive and deep description of the layers. Phan and Lee presented an approach towards a compositional multi-modal framework of CPS [4], but composition analysis has been limited to uniprocessor processing elements and EDF/FP scheduling policies. Koubaa and Andersson provided a realistic vision to the concept of the Cyberphysical Internet [5], but it does not solve the problem of real time for CPS. In this paper, a service-oriented architecture [6] of CPS is put forward, in which software and hardware of CPS are designed and developed in the form of interoperable services. Based on this architecture, components substitution is equated to CPS service substitution, which is easy to realize formal analysis.

There are many formal modeling research on CPS, including Petri Net (PN) [7], Finite State Machines (FSM) [8], Process Algebra [9]. PN and FSM are intuitive to be analyzed by using charts. However, the major problem is state-space-explosion. Π-calculus [10] is chosen in the paper which is a process calculus as a formal analysis tool, for its ability to describe concurrent computations whose network configuration may change during the computation like CPS. Since CPS is bound by time and space (position, energy) constraints, time-space π-calculus is proposed through introducing time operator and space operator into π-calculus. And a formal method for modeling CPS service is presented based on it. Starting with the relationship between service compatibility and substitution [11], a qualitative judgment method for CPS service substitution is put forward. Then, from process management perspective, a series of substitution processes are advanced from the judgment results above, referring to the best practice and international standard of service management (such as ITIL [12], ISO20000 [13]). There are some worthwhile research on service substitution management [14, 15], and in this paper, the substitution processes combine service substitution requester, service substitution implementer, substituted CPS service and CPS, so that service substitution can be implemented according to standardized and normalized process.

The remainder of this paper is organized as follows. In Section 2, the conceptions of CPS service and CPS service compatibility are described in detail. In Section 3, a reliability assurance method is proposed, which consists of two parts, that is, a qualitative judgment theorem via Time-Space π-calculus for CPS service substitution and a series of substitution processes from the judgment results. In Section 4, a case study, Electronic Fence, is performed to show how to apply this method to ensure CPS components’ reliable substitution. Finally, the conclusion is given.

2. Basic Conceptions

2.1. CPS Service

In this section, a service-oriented architecture is proposed that distributed and open-ended CPS is regarded as a combination of encapsulated CPS service, following some business logic and business processes. The service-oriented architecture is shown in Figure 1. In this framework, CPS is divided into four layers: application layer, business process layer, service abstraction layer, and service implementation layer. Each layer is described as follows.

Figure 1

SOA framework of CPS.

2.1.1. Service Implementation Layer

Service implementation layer is the foundation of this architecture, and it is also the implementation of CPS service interface. Details about how to implement it are hidden for service users, and different service providers can use different technology to implement the same service interface. Each CPS service implementation contains sense-actuate unit, communications unit, and computation-control unit. Sense unit monitors physical world and transfers monitoring information to computation unit through communications unit. Then computation unit determines strategies and sends them to control unit. Control unit gives instructions to actuate unit through communications unit, to control physical processes. Each unit is described as follows.

(1)

Sense-actuate unit contains sensors, actuators, and terminal computation module. Sensors monitor physical entities and physical environment. Actuators control physical processes. Terminal computation module contains basic executive rules of actuator and has small storage capacity of real-time data.

(2)

Communications unit provides ubiquitous communication mechanism by fusing 2G, 3G, 4G, and so forth. This unit also involves real-time interaction, integration of heterogeneous networks, security of communications, and communication quality.

(3)

Computation-control unit contains computation unit and control unit. Computation unit mixes discrete domain and continuous domain together. Control unit implements strict management to time and space. Strategies determined by this unit can be supported by cloud computing center and knowledge base.

2.1.2. Service Abstraction Layer

Service abstraction layer defines service functions accessed outside and how to access them. However, this layer does not contain the details about how to implement them. This layer also involves service description, service registry, service discovery, and quality of service. Specially, it describes interfaces’ characteristics, operation's usability, parameters, data type, and access protocol. Through this layer, services or modules outside know what CPS service can do, how to find it, how to exchange message, how to invoke it, and what returned results may be. Specially, there must be physical properties in CPS service description, for example, timestamp, position information and energy information of physical entities, for service implementation layer contains physical unit (computation unit and control unit) and monitored information without temporal and spatial information is meaningless. There are two types of services in this layer, that is, business service and infrastructure service. Each type is described as follows.

(1)

Business service is part of business process and fine-grained subprocess of business requirement. It can fulfill a specific business task automatically and can be reused among different business processes. It is of two kinds: business function service and common service. The former is related to some business area for example, real-time positioning, driver monitor, and remote alarm in an intelligent transportation CPS. The latter one can be used in different business areas for example, common algorithm, data transformation, and so forth.

(2)

Infrastructure service is the foundation of standardized integration of CPS service. It involves time synchronization, space constraints, general technology, access adapter, service management, and interaction service. Time synchronization and space constraints are guaranteed to meet the temporal and spatial condition when physical units and cyber units are mixed together in multiple scales. General technology provides technology infrastructure for developing, delivering, maintaining CPS service, as well as the abilities of security, performance, availability, and so forth. Access adapter changes available resources of legacy systems into individual business service. Service management is to monitor CPS service's state and provide support for abnormal condition for example, SLA, capacity planning, cause analysis, and so forth. Interaction service is used for arranging interfaces of CPS service into intelligent device, not only for human-computer interaction.

2.1.3. Business Process Layer

Business process layer involves a number of business processes, where each business process is composed of CPS services following regular rules. It is necessary to set up a properly complicated and reliable layer like this, since a lot of fine-grained CPS services will lead to great cost and be ineffective. This layer also involves service collaboration, service composition, service substitution, and space-time constraints.

2.1.4. Application Layer

Application layer involves many industry applications of CPS, in which each system is composed of business processes. These business processes are cooperated with each other in order to fulfill higher level business goals. Compared with business process layer, this layer tend to be more focused on integrating all kinds of application requirements from combining professional knowledge with business model in different industries.

Interface of CPS service, containing interface characteristics, operation usability, parameters, data type and access protocol, is implemented with component technology. Service users can know what CPS service can do, how to find it, how to exchange message, how to invoke it, and what may returned results be through interface. However, details about how to implement it are hidden; therefore, service providers can implement a same service interface by different technologies. Since CPS service provides interface to receive and send messages and transit from initial state to final state by triggering of send-receive actions. Meanwhile, it takes time and consumes energy to complete these actions. Let us give the definition of CPS service view.

Definition 1 (CPS service view).

A CPS service view is defined as nine tuples: $CPSV = (S, s_{0}, F, Act, T, M, f_{m}, f_{t}, f_{e})$ , where $S = {s_{0}, s_{1}, \dots}$ : set of finite states.

: Initial state of CPS service.

F: Final states set of CPS service, $F \subseteq S$ .

$Act = A \cup \bar{A} \cup {τ}$ : Set of actions.

$A = {a ∣ a \in Σ}$ is set of receiving actions (Σ is alphabet).

$\bar{A} = {\bar{a} ∣ a \in Σ}$ is set of sending actions.

τ is internal action.

$T \subseteq S \times Act \times S$ : State transitions relation.

M: Set of CPS service messages.

$f_{m} : Act \to M$ action-message function. For all $a \in Act$ , $f_{m} (a)$ are receiving (resp., sending) messages of a.

$f_{t}$ : $Act \to R^{+}$ action-time function. For all $a \in Act$ , $f_{t} (a)$ is the time spending on completing a.



$f_{e}$ : $Act \to R^{+}$ action-energy function. For all $a \in Act$ , $f_{e} (a)$ is the energy consuming to complete a.

2.2. Compatibility of CPS Service

Performing complex business tasks typically needs to make a number of CPS services work together. It is therefore necessary to ensure that these services are able to interact properly, which is the notion of compatibility. Compatibility is aimed at interactive processes of CPS services. From the aspect of CPS service view, an interactive process represents a series of calls between two CPS services. When one CPS service sends (resp., receives) message, this means that the other CPS service simultaneously evolves by receiving it (resp., sending it). So in a sense the behavior of CPS service 2 should be the same as CPS service 1, but with receptions instead of emissions, and vice versa. The dual service $\bar{S}$ of CPS service S is defined that when the emissions are changed to receptions and vice versa, and the notation $\bar{a}$ represents opposite action of action a. Let us define interaction element, normal interaction element and abnormal interaction element as follows.

Definition 2 (interaction element/normal interaction element/abnormal interaction element).

There are two CPS service views $CPS V_{1} = (S_{1}, s_{0_{1}}, F_{1}, Ac t_{1}, T_{1}, M_{1}, f_{m_{1}}, f_{t_{1}}, f_{e_{1}})$ and $CPS V_{2} = (S_{2}, s_{0_{2}}, F_{2}, Ac t_{2}, T_{2}, M_{2}, f_{m_{2}}, f_{t_{2}}, f_{e_{2}})$ . An interaction element is defined as three tuples $i e = (a_{1}, {\bar{a}}_{2}, m)$ .

(1)

When $a_{1} \in A_{1}$ , ${\bar{a}}_{2} \in {\bar{A}}_{2}$ , $a_{1} = {\bar{\bar{a}}}_{2}$ , $m = f_{m_{1}} (a_{1}) = f_{m_{2}} ({\bar{a}}_{2})$ , $i e$ is called normal interaction element.

(2)

When $a_{1} \in A_{1}$ , ${\bar{a}}_{2} \in \emptyset$ , $m = f_{m_{1}} (a_{1})$ , $i e$ is called abnormal interaction element.

Interaction element represents a step of interaction between two CPS services. Normal interaction element represents a successful interaction, in which the two interactive actions are dual with a same receiving (resp., sending) message. Abnormal interaction element represents an unsuccessful interaction, in which one CPS service has receiving action but the other does not have sending one. As shown in Figure 2, there are two interaction elements, that is, $i e_{1} = (a_{1}, {\bar{a}}_{2}, m_{1})$ ; $i e_{2} = (b_{1}, {\bar{b}}_{2}, m_{2})$ , $i e_{1}$ is a normal interaction element, and $i e_{2}$ is an abnormal interaction element.

Figure 2

Interaction between $CPS V_{1}$ and $CPS V_{2}$ .

Compatibility between two CPS services arises at different levels, that is, static compatibility and dynamic compatibility. Static compatibility is the semantic and syntactic compatibility. Dynamic compatibility is that exchanges of messages are ordered in matched sequences without deadlock and livelock, and there are no sending messages that cannot be received by one of the two CPS services. Assuming that CPS service A and CPS service B are static compatible, and sending messages set of A is a subset of receiving messages set of B (i.e., A partially or fully uses the receiving message interfaces of B), if A and B are able to interact properly, they are called being compatible. Let us give the formal definition of compatible.

Definition 3 (compatibility degree).

$I E_{n}$ represents set of a CPSV's normal interaction elements, and $N (I E_{n})$ represents the number of elements in $I E_{n}$ . $I E_{a}$ represents set of the CPSV's abnormal interaction elements, and $N (I E_{a})$ represents the number of elements in $I E_{a}$ . Compatibility degree is defined as $ω = N (I E_{n}) / (N (I E_{n}) + N (I E_{a}))$ .

Definition 4 (fully compatible/partially compatible/incompatible).

Let M denote set of other CPSVs interacting with this CPSV, ω denote compatibility degree. If $ω = 1$ , CPSV and M are fully compatible. If $0 < ω < 1$ , they are partially compatible. If $ω = 0$ , they are incompatible. Fully compatible and partially compatible are referred to as compatible.

In Figure 2, $CPS V_{1}$ and $CPS V_{2}$ are partially compatible, and $ω = 1 / 2$ .

3. Reliability Assurance Method for CPS Service Substitution

In this section, time-space π-calculus is proposed to model CPS service. Then, a reliability assurance method for CPS service substitution is put forward, which consists of two parts, that is, a qualitative judgment theorem for CPS service substitution and a series of substitution processes from the judgment results.

3.1. Time-Space π-Calculus

CPS service has a good corresponding relationship with process of π-calculus. Specifically, communication channels of process represent actions of CPS service, sending-receiving variables of process represent sending-receiving messages of actions, and process, summation, composition, replication in π-calculus represent sequence structure, case structure, parallel structure, and iterative structure of CPS service composition. However, π-calculus lacks syntax about time and space characteristics. So we put forward the notion of time-space π-calculus, through introducing time and space (position, energy) operators into π-calculus.

Since relative accuracy of the time is enough to meet quality of CPS service requirement, discrete time domain is adopted to describe time characteristic of CPS in this paper. Properties of discrete time domain are defined as follows.

Definition 5 (properties of discrete time domain).

Discrete time domain T has following properties.

(1)

For all $t \in T$ , $t \neq 0 \Rightarrow t > 0$ ;

(2)

for all $t \in T$ , $t \neq \infty \Rightarrow \infty > t$ ;

(3)

for all t, $t^{'} \in T$ , $t > t^{'} \Leftrightarrow \exists Δ t > 0$ , $t^{'} + Δ t = t$ ;

(4)

for all t, $t^{'} \in T$ , $(t > 0) \land (t^{'} \neq \infty) \Rightarrow t^{'} + t > t^{'}$ ;

(5)

for all $t \in T$ , $t + 0 = t$ , $t + \infty = \infty$ ;

(6)

for all $t_{1}$ , $t_{2} \in T$ , $t_{1} > t_{2}$ , ${t ∣ t_{1} \leq t \leq t_{2}}$ is expressed as $[t_{1}, t_{2}]$ , which is called time interval;

(7)

for all $t_{2}$ , $t_{3} \in T$ , for all $[t_{1}, t_{4}]$ , $\exists t^{'}$ , $t^{'} \in T$ , $t_{2} \leq t^{'} \leq t_{4}$ , then $t^{'} \in [t_{1}, t_{2}]$ .

Definition 6 (time operator $\equiv Int (t_{r}, Δ t)$ ).

$t_{r}$ is benchmark time, $Δ t \geq 0$ . $Int (t_{r}, Δ t) P$ represents that process P can start only when it meets $t \in [t_{r}, t_{r} + Δ t]$ .

Physical components of CPS are abstracted to spatial objects based on OGC [16] (Open Geospatial Consortium) and topological relation theory of spatial database [17]. The topological relations between two spatial objects, which are regarded as point sets, are expressed by a quaternion formed by boundary and interior of point set. Here, A and B represent two spatial objects. Let $\partial A, A^{0}, \partial B, B^{0}$ denote boundary and interior of A and B. The quaternion is $R (A, B) = (\begin{smallmatrix} \partial A \cap \partial B & \partial A \cap B^{0} \\ A^{0} \cap \partial B & A^{0} \cap B^{0} \end{smallmatrix})$ . Topological relations include eight kinds, that is, disjoint, meet, equal, overlap, inside, contain, covered by, and cover, which are represented by $S_{pos} = {s_{d}, s_{m}, s_{e}, s_{o}, s_{i n}, s_{c t}, s_{c b}, s_{c}}$ . Assuming that process P contains n physical components and $c_{i}$ represents the relation between the ith physical component and benchmark region, $\exists S_{i} \subseteq S_{pos}$ , this physical component can function properly only when it meets $c_{i} \in S_{i}$ . Let $S = {S_{1}, S_{2}, \dots S_{n}}$ . Position operator is defined as follows.

Definition 7 (position operator $\equiv Pos [S]$ ).

$Pos [S] P$ represents that process P can start only when truth-value of $\prod_{i = 1}^{n} c_{i} \in S_{i}$ is true.

All the observable energy, which supports physical components of CPS functioning well, is called energy information of CPS. It includes many kinds, for example, electric energy, heat energy, and so forth, and can be consumed and replenished. Assuming that process P contains n physical components, $E_{i}$ represents energy value of the ith physical component, $E_{i \max}$ represents the maximum energy value of P, $\exists m_{i} \in [0,100]$ , this physical component can function properly only when it meets $E_{i} \geq (E_{i \max} \cdot m_{i} %)$ . Let $M = {m_{1}, m_{2}, \dots, m_{n}}$ . Energy operator is defined as follows.

Definition 8 (energy operator $\equiv Ene [M]$ ).

$Ene [M] P$ represents that process P can start only when truth-value of $\prod_{i = 1}^{n} E_{i} \geq (E_{i \max} \cdot m_{i} %)$ is true.

Definition 9 (syntax of time-space π-calculus).

\begin{array}{l} P : ∶ = 0 | \bar{a} 〈 x 〉 \cdot P | a (x) \cdot P | τ \cdot P | P \\ + Q | P ∣ Q | (x) P | [x = y] P |! P | Int (t_{r}, Δ t) P | \\ \times Pos [S] P I . \end{array}

(1)

0 is nil process. $\bar{a} 〈 x 〉 \cdot P$ , $a (x) \cdot P$ , $τ \cdot P$ are output prefix, input prefix, and silent prefix process. $P + Q$ is sum process. $P ∣ Q$ is concurrency composition process. $(x) P$ is restriction process. $[x = y] P$ is match process. $! P$ is replication process. Detailed meanings of the nine expressions above can be seen in [10]. Meanings of the last three can be seen in Definitions 6, 7, and 8.

Definition 10 (operational semantics of time-space π-calculus).

(1)

Time operator ( $α \in {τ, a (x), \bar{a} 〈 x 〉}$ , other “α” below are identical with this one). Consider

\begin{matrix} \frac{P \overset{α}{\to} P^{'}}{Int (t_{r}, Δ t) P \overset{α}{\to} P^{'}}, t \in [t_{r}, t_{r} + Δ t], \\ \frac{P \overset{α}{\to} P^{'}}{Int (t_{r}, Δ t) P \overset{α}{\to} 0}, t \notin [t_{r}, t_{r} + Δ t] . \end{matrix}

(2)

Position operator. Consider

\begin{matrix} \frac{P \overset{α}{\to} P^{'}}{Pos [S] P \overset{α}{\to} P^{'}}, c_{i} \in S_{i}; \frac{P \overset{α}{\to} P^{'}}{Pos [S] P \overset{α}{\to} 0}, c_{i} \notin S_{i} . \end{matrix}

(3)

Energy operator. Consider

\begin{matrix} \frac{P \overset{α}{\to} P^{'}}{Ene [M] P \overset{α}{\to} P^{'}}, E_{i} \geq (E_{i \max} \cdot m_{i} %), \\ \frac{P \overset{α}{\to} P^{'}}{Ene [M] P \overset{α}{\to} 0}, E_{i} < (E_{i \max} \cdot m_{i} %) . \end{matrix}

(4)

Operational semantics of PREFIX, SUM, PAR, COM, MATCH, RES, and OPEN can be seen in [10].

The performance influence of time-space π-calculus is poorer than classical π-calculus due to the additional time and space operators. Fortunately, the deduction procedures can be completed automatically by a software tool of π-calculus—MWB [18].

Definition 11 (weak simulation/weak bisimulation).

Let R denote a binary relation in processes domain K. For all $(P, Q) \in R$ , $P \in K$ , $Q \in K$ , if the following conditions are satisfied, Q is said to be weak simular with P.

(1)

Whenever $P \to P^{'}$ , then $\exists Q^{'} \in K$ such that $Q \Rightarrow Q^{'}$ and $(P^{'}, Q^{'}) \in R$ .

(2)

Whenever $P \overset{λ}{\to} P^{'}$ , then $\exists Q^{'} \in K$ such that $Q \overset{λ}{\Rightarrow} Q^{'}$ and $(P^{'}, Q^{'}) \in R$ .

If symmetric requirements with P and Q interchange, the relationship between P and Q is said to be weak bisimulation, written $P \approx Q$ .

Properties of weak bisimulation can be seen in [10]. Weak bisimulation is used to describe the situation that two processes are equivalent looking outside but have different internal structure and actions.

3.2. Qualitative Analysis Method for CPS Service Substitution

Substitutability is closely related to compatibility. Combining related research results, sufficient conditions of CPS service substitution are proposed. Let S, $S^{'}$ denote two CPS services. If $S^{'}$ is compatible with all CPS services which are compatible with S, sending-receiving messages set of S is subset of $S^{'}$ , and $S^{'}$ can meet time and space constraints, then $S^{'}$ can be substituted for S.

Let $CPS V_{S^{'}}$ denote CPS service view of $S^{'}$ which has n interaction elements, $T_{r} = {t_{r 1}, t_{r 2}, \dots t_{r n}}$ and $Δ T = {Δ t_{1}, Δ t_{2}, \dots Δ t_{n}}$ denote benchmark time set and delay time set of all interactions. And let $P_{S^{'}}$ denote $CPS V_{S^{'}}$ , $P_{\bar{M}}$ denote dual service set, $Q_{F}$ denote final states set of $S^{'}$ , α denote external and internal actions. Then let emissions $(S)$ and receptions $(S)$ denote name sets of sending and receiving messages. Let us give CPS service substitution judgment theorem as follows.

Theorem 12 (CPS service substitution judgment theorem).

Let $M = {S_{1}, S_{2}, S_{3}, \dots, S_{n}}$ denote set of all CPS services compatible with S. If following conditions are satisfied, $S^{'}$ can be substituted for S.

(1)

$Int (T_{r}, Δ T) Pos [S] Ene [M] P_{S^{'}} \overset{α}{\to} Q_{F}$ ;

(2)

$S^{'}$ is static compatible with M;

(3)

$P_{\bar{S^{'}}} \approx P_{M}$ ;

(4)

$emissions (S) \subseteq emissions (S^{'})$ , $receptions (S) \subseteq receptions (S^{'})$ .

Proof.

According to condition one and Definitions 6, 7, and 8, $S^{'}$ meets time and space constraints. According to condition two, condition three, Definition 11, and definition of compatibility, $S^{'}$ is compatible with M. And with condition four, the sufficient conditions of CPS service substitution are satisfied—QED.

When Theorem 12 is used in practice, it is easy to decide whether conditions two and four are satisfied. But for condition one and three, we need to build a time-space π-calculus-based ideal model with time and space constraints of CPS. Then, utilizing time and space characteristics of actual CPS service, we can judge whether this process expression is deadlock or livelock, and whether it can reach final state by syntax and operational semantics of time-space π-calculus.

3.3. Substitution Processes Based on Service Management

Substitution processes presented in this paper consist of service desk, event management, problem management, change management, configuration management, and knowledge base management. As shown in Figure 3, all substitution requests are accepted by unified service desk, and lifecycle of substitution request is whole monitored. From the analysis results of Theorem 12, according to Definitions 3 and 4, for CPS service incompatible, substitution request is rejected. For $ω = 1$ , event management is adopted to implement service substitution. And for $0 < ω < 1$ , problem management is adopted. Solutions and experience of substitution are shared by knowledge base. Changes of CPS are logged and supervised comprehensively in CMDB (configuration management database). Each process is described as follows.

Figure 3

Whole flowchart of CPS service substitution.

3.3.1. Service Desk

Based on this unified access point, all substitution requests are recorded completely and supported preliminarily, and then they are passed to substitution implementer to ensure timeliness of request handing. Service desk can provide accurate process information from start to finish.

3.3.2. Event Management

For requests about CPS services fully compatible, this process provides substitution corresponding service according to SLA.

3.3.3. Problem Management

For requests about CPS services partially compatible, abnormal interaction elements are found out by assessment and analysis in this process. Then, substitution solution is formulated and implemented. Problem management minimizes the effects of abnormal interaction elements to improve service quality and customer satisfaction and also provides support to change management process.

3.3.4. Change Management

This process coordinates with problem management process to implement changes of CMDB. Change management reduces failure rate caused by system changes.

3.3.5. Configuration Management

In this process, description information of CPS service, for example, states, actions, messages, time and space characteristics, and so forth, are centrally managed in CMDB. Configuration management records and controls the changes of CPS.

3.3.6. Knowledge Base Management

This process supports storing, auditing, filtering, updating, and abolishing substitution-related knowledge and accumulates experience about past events and problems solutions.

4. Experiments and Results

In this section, we take Electronic Fence in hazardous chemicals transport CPS for example (shown in Figure 4), to illustrate how to use the reliability assurance method for CPS components substitution.

Figure 4

Real pictures of Electronic Fence in hazardous chemicals transport CPS.

4.1. Problem Description

Business case descriptions of electronic fence are as follows. When a tank vehicle loading hazardous chemical products has traffic accident, once sensors in it monitor unusual states, vehicle terminal would send alarms to accident handling center. The center can decide whether it is necessary to set electronic fence by analyzing remote monitoring information, including tank temperature, gas strength, tank liquid level, tank pressure, and so forth. If needed, electronic fence would be set. Then tank vehicles inside the electronic fence are given early warnings periodically. Meanwhile, tank vehicles outside are informed periodically.

Based on the models proposed in Section 2.1, electronic fence is designed to a business process consisting of five CPS services that is, Vehicle Alarm, Remote Diagnosis, Electronic Fence, Early Warning and Accident Told, as shown in Figure 5. Sending and receiving messages are also shown in Figure 5.

Figure 5

Primal business process of the Electronic Fence.

Because of user requirements changing, the system upgrades and agent of traffic accident treatment platform is added. Specifically, after remote diagnosing, traffic accident information must be reported to this agent, and when electronic fence setting is completed, electronic fence information must be reported to this agent too. As shown in Figure 6, after upgrading CPS service, that is, agent of traffic accident treatment platform, is added, Remote Diagnosis and Electronic Fence are changed, and other CPS services stay the same.

Figure 6

Upgraded business process of the Electronic Fence.

The problem to be solved is described as that whether $S^{'}$ in Figure 6 can be substituted for S in Figure 5 and how to ensure reliability of this substitution. In order to make this substitution with universality, Electronic Fence is not upgraded to the status in Figure 6 that it cannot send message of ElectronicFenceInf. In such situation, $S^{'}$ is partially compatible with system. Otherwise, if fully upgraded, $S^{'}$ is fully compatible with system, and this situation is idealized without universality.

4.2. Problem Modeling

Let $P_{v a}, P_{r d}, P_{e f}, P_{e w}, P_{a t}$ denote CPS services in Figure 5, with channels names shown in it. In respect of position constraints, let electronic fence be benchmark region. Early Warning is inside of the benchmark that is, $S_{e w} = {{s_{i n}}, {s_{i n}}, \dots {s_{i n}}}$ . Accident Told is outside of the benchmark, that is, $S_{a t} = {{s_{d}}, {s_{d}}, \dots {s_{d}}}$ . The other three CPS services are with no limit, that is, $S_{v a} = S_{r d} = S_{e f} = {S_{pos}, S_{pos}, \dots S_{pos}}$ . In respect of energy constraints, let $M_{v a}, M_{r d}, M_{e f}, M_{e w}, M_{a t}$ denote M of Definition 8. Time constraints are described in detail below. Each process expression is modelled as follows.

(1) Vehicle Alarm

Within $t_{0} + 1$ seconds (unit below the same) of traffic accident, alarm message must be sent. After that, answer must received in $t_{1} + 60$

\begin{array}{l} P_{v a} = Int (t_{0}, 1) Pos [S_{v a}] Ene [M_{v a}] \bar{x} 〈 AlarmReq 〉 \\ \cdot (Int (t_{1}, 60) Pos [S_{v a}] Ene [M_{v a}] x (AlarmConf) \\ + Int (t_{1}, 60) Pos [S_{v a}] Ene [M_{v a}] [S_{pos}] x (Ignorance)) . \end{array}

(5)

(2) Remote Diagnosis

Within $t_{2} + 30$ of receiving alarm message, this CPS service must make diagnosis and immediately respond. If confirmed as corresponding accident level, electronic fence application must be submitted within $t_{3} + 1$ . After that, confirmation must be got in $t_{4} + 60$

\begin{array}{l} P_{r d} = Pos [S_{r d}] Ene [M_{r d}] x (AlarmReq) \\ \cdot (Int (t_{2}, 30) Pos [S_{r d}] Ene [M_{r d}] \bar{x} 〈 AlarmConf 〉 \\ + Int (t_{2}, 30) Pos [S_{r d}] Ene [M_{r d}] \bar{x} 〈 Ignorance 〉) \\ \cdot [msg = AlarmConf] \\ \times (Int (t_{3}, 1) Pos [S_{r d}] Ene [M_{r d}] \bar{y} \\ \times 〈 ElectronicFenceReq 〉 \\ \cdot Int (t_{4}, 60) Pos [S_{r d}] Ene [M_{r d}] y \\ \times (ElectronicFenceConf)) . \end{array}

(6)

(3) Electronic Fence

Within $t_{5} + 30$ of receiving electronic fence application, setup must be finished. Then, electronic fence information must be sent to tank vehicles in different regions in $[t_{6}, t_{6} + 30]$ periodically ( $t_{6} = t_{6} + 30$ , increasing constantly). We only take A inside of electronic fence and B outside for example. Confirmation from A must be got in $t_{A e} + 30$ ( $t_{A e}$ is electronic fence information sending time each time), and so is B

\begin{array}{l} P_{e f} = Pos [S_{e f}] Ene [M_{e f}] y (ElectronicFenceReq) \\ \cdot Int (t_{5}, 30) Pos [S_{e f}] Ene [M_{e f}] \bar{y} 〈 ElectronicFenceConf 〉 \\ \cdot (! (Int (t_{6}, 30) Pos [S_{e f}] Ene [M_{e f}] \bar{z} 〈 ElectronicFenceInf A 〉 \cdot Int (t_{A e}, 30) Pos [S_{e f}] Ene [M_{e f}] \\ \times z (Conf A)) ∣! (Int (t_{6}, 30) Pos [S_{e f}] Ene [M_{e f}] \bar{u} 〈 ElectronicFenceInf B 〉 \\ \cdot Int (t_{B e}, 30) Pos [S_{e f}] Ene [M_{e f}] u (Conf B))) . \end{array}

(7)

(4) Early Warning and Accident Told

Since not directly interact with S, they are regarded as internal services.

Let $P_{a g}$ denote CPS service “agent of traffic accident treatment platform” in Figure 6. Space constraints are $S_{a g} = {S_{pos}, S_{pos}, \dots S_{pos}}$ and $M_{a g}$ . Let $P_{r d}^{'}$ , $P_{e f}^{'}$ denote upgraded CPS services Remote Diagnosis and Electronic Fence, and other CPS services remain unchanged.

(1) Remote Diagnosis

Within $t_{3} + 1$ of confirming as corresponding accident level, traffic accident information must be sent to agent of traffic accident treatment platform, and other flows remain unchanged

\begin{array}{l} P_{r d}^{'} = Pos [S_{r d}] Ene [M_{r d}] x (AlarmReq) \\ \cdot (Int (t_{2}, 30) Pos [S_{r d}] Ene [M_{r d}] \bar{x} 〈 AlarmConf 〉 + Int (t_{2}, 30) Pos [S_{r d}] Ene [M_{r d}] \bar{x} 〈 Ignorance 〉) \\ \cdot [msg = AlarmConf] \\ \times (Int (t_{3}, 1) Pos [S_{r d}] Ene [M_{r d}] \bar{v} \\ \times 〈 AccidentInf 〉 ∣ (Int (t_{3}, 1) Pos [S_{r d}] Ene [M_{r d}] \bar{y} 〈 ElectronicFenceReq 〉 \\ \cdot Int (t_{4}, 60) Pos [S_{r d}] Ene [M_{r d}] y (ElectronicFenceConf))) . \end{array}

(8)

(2) Electronic Fence

Within $t_{6} + 1$ of setting electronic fence, electronic fence information must be sent to agent of traffic accident treatment platform, and other flows remain unchanged

\begin{array}{l} P_{e f}^{'} = Pos [S_{e f}] Ene [M_{e f}] y (ElectronicFenceReq) \\ \cdot Int (t_{5}, 30) Pos [S_{e f}] Ene [M_{e f}] \bar{y} 〈 ElectronicFenceConf 〉 \\ \cdot ((Int (t_{6}, 1) Pos [S_{e f}] Ene [M_{e f}] \bar{w} 〈 ElectronicFenceInf 〉) ∣! \\ \times (Int (t_{6}, 30) Pos [S_{e f}] Ene [M_{e f}] \bar{z} 〈 ElectronicFenceInf A 〉 \\ \cdot Int (t_{A e}, 30) Pos [S_{e f}] Ene [M_{e f}] z (Conf A)) ∣! \\ \times (Int (t_{6}, 30) Pos [S_{e f}] Ene [M_{e f}] \bar{u} 〈 ElectronicFenceInf B 〉 \\ \cdot Int (t_{B e}, 30) Pos [S_{e f}] Ene [M_{e f}] u (Conf B))) \end{array}

(9)

(3) Agent of Traffic Accident Treatment Platform

\begin{array}{l} P_{a g} = Pos [S_{a g}] Ene [M_{a g}] v (AccidentInf) \\ \cdot Pos [S_{a g}] Ene [M_{a g}] w (ElectronicFenceInf) . \end{array}

(10)

From the results of above analysis, $P_{S} = P_{r d}$ , $P_{S^{'}} = P_{r d}^{'} ∣ P_{a g}$ .

4.3. Analysis Results

In order to decide whether $S^{'}$ can be substituted for S, it is needed to determine if $S^{'}$ meets the four conditions in Theorem 12.

(1)

For condition 1, taking software and hardware attributes of actual CPS services into $P_{S^{'}}$ to deduce formally, then we can judge whether $S^{'}$ can reach final state. If applicable, $S^{'}$ meets condition 1.

(2)

For condition 2, let $M = {Vehicle Alarm, Electronic Fence}$ denote set of all CPS services compatible with S. As can be seen from Figure 6, $S^{'}$ is static compatible with Vehicle Alarm and Electronic Fence, therefore $S^{'}$ meets Figure 6.

(3)

For condition 3, assuming $S^{'}$ meets condition 1, then

\begin{array}{l} P_{\bar{S^{'}}} = \bar{P_{r d}^{'} ∣ P_{a g}} = \bar{x} 〈 AlarmReq 〉 \cdot (x (AlarmConf) + x (Ignorance)) \cdot [msg = AlarmConf] \\ \times (v (AccidentInf) ∣ (y (ElectronicFenceReq) \cdot \bar{y} 〈 ElectronicFenceConf 〉)) \\ ∣ (\bar{v} 〈 AccidentInf 〉 \cdot \bar{w} 〈 ElectronicFenceInf 〉) \\ = \bar{x} 〈 AlarmReq 〉 \cdot (x (AlarmConf) + x (Ignorance)) \cdot [msg = AlarmConf] ((y (ElectronicFenceReq) \\ \cdot \bar{y} 〈 ElectronicFenceConf 〉) ∣ \bar{w} 〈 ElectronicFenceInf 〉) . \end{array}

(11)

We use MWB software tool to derive that $P_{\bar{S^{'}}} \approx P_{v a}$ , $P_{\bar{S^{'}}} \approx P_{e f}$ , and for $P_{M} = {P_{v a}, P_{e f}}$ , $S^{'}$ meets condition 3.

(4)

For condition 4, seen from Figures 5 and 6,

\begin{array}{l} emissions (S) \\ = {AlarmConf, Ignorance, ElectronicFenceReq}; \\ receptions (S) = {AlarmReq, ElectronicFenceConf}; \\ emissions (S^{'}) \\ = {AlarmConf, Ignorance, ElectronicFenceReq}; \\ receptions (S^{'}) \\ = {AlarmReq, ElectronicFenceConf, ElectronicFenceInf} . \end{array}

(12)

Obviously, $emissions (S) \subseteq emissions (S^{'})$ , $receptions (S) \subseteq receptions (S^{'})$ , so $S^{'}$ meets condition 4.

From the above, as long as $S^{'}$ meets condition 1, $S^{'}$ can be substituted for S directly.

As can be seen from Figure 6, there are five normal interaction elements and one abnormal interaction element in $S^{'}$ . According to Definition 3, $N (I E_{n} (S^{'})) = 5$ , $N (I E_{a} (S^{'})) = 1$ , $ω = N (I E_{n} (S^{'})) / (N (I E_{n} (S^{'})) + N (I E_{a} (S^{'}))) = 5 / 6$ . By the substitution processes mentioned in Section 3.3, problem management process and change management process are adopted to minimize the effects of abnormal interaction elements and ensure the substitution reliability.

In actual operation, after three rounds testing and half year's test running, substituted electronic fence runs well, which fully proves that the above analysis results are correct. This case study shows that the reliability assurance method mentioned in the paper can assist users in CPS components substitution and ensure the reliability of upgraded CPS; therefore, this method is reasonable and feasible.

5. Conclusions

In this paper, CPS components substitution is equated to CPS service substitution, and a reliability assurance method for CPS service substitution is provided. Thecasestudyproves that the method is innovative and practical. Our future works will focus on two aspects: (1) how to realize incompatible CPS service substitution through adding process adapter, so as to expand the sample selection space. (2) Take further study on action-time function and action-energy function, construct time and energy state space, then we can make optimal service composition decision in this state space, and provide reference for the optimization selection of CPS service substitution.

Footnotes

Acknowledgments

The authors would like to respectively thank Dr. Xing Zhao and Dr. Liwei Sheng from College of Computer Science and Technology, Fudan University for providing useful insights. This work is supported by National High Technology Research and Development Program of China (no. 2011AA010101), National Natural Science Foundation of China (no. 71171148), and key research project of Shanghai Science and Technology Committee (no. 11DZ1501703).

References

Lee

E. A.

Cyber physical systems: design challenges

Proceedings of the 11th IEEE Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing (ISORC '08)

May 2008

Orlando, Fla, USA

363 369

2-s2.0-49649119406

10.1109/ISORC.2008.25

Rajkumar

Lee

Sha

Stankovic

Cyber-physical systems: the next computing revolution

Proceedings of the 47th Design Automation Conference (DAC '10)

June 2010

New York, NY, USA

731 736

2-s2.0-77956217277

10.1145/1837274.1837461

Tan

Goddard

Perez

L. C.

A prototype architecture for cyber-physical systems

ACM SIGBED Review 2008 5 1 56 60

Phan

L. T. X.

Lee

Towards a compositional multi-modal framework for adaptive cyber-physical systems

Proceedings of the 17th International Conference on Embedded and Real-Time Computing Systems and Applications

2011

Toyama, Japan

67 73

Koubaa

Andersson

A vision of cyber-physical internet

Proceedings of the 8th International Workshop on Real-Time Networks

2009

Porto, Portugal

75 80

Erl

Service-Oriented Architecture: Concepts, Technology, and Design 2005

Upper Saddle River, NJ, USA

Prentice Hall PTR

Thacker

R. A.

Jones

K. R.

Myers

C. J.

Zheng

Automatic abstraction for verification of cyber-physical systems

Proceedings of the 1st ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS '10)

April 2010

New York, NY, USA

12 21

2-s2.0-77954618612

10.1145/1795194.1795197

Lee

E. A.

Tripakis

Modal models in ptolemy

Proceedings of the 3rd International Workshop on Equation-Based Object-Oriented Modeling Languages and Tools

2010

Oslo, Norway

11 21

Akella

McMillin

B. M.

Model-checking BNDC properties in Cyber-physical systems

Proceedings of the 33rd Annual IEEE International Computer Software and Applications Conference (COMPSAC '09)

July 2009

Seattle, Wash, USA

660 663

2-s2.0-70449642871

10.1109/COMPSAC.2009.101

10.

Milner

Communicating and Mobile Systems: The π-Calculus 1999

Cambridge University Press

11.

Bordeaux

Salaün

Berardi

Mecella

When are two web services compatible?

Proceedings of the 5th International Workshop on Technologies for E-Services (TES '04)

August 2004

Toronto, Canada

15 28

2-s2.0-23944499075

12.

Iqbal

Nieves

ITIL Service Strategy 2007

London, UK

The Stationery Office

13.

ISO/IEC 20000-1: 2005 Information Technology Service Management-Part 1: Specification 2005

International Organization for Standardization

14.

Perez

J. M. M.

Bernabe

J. B.

Manzano

D. J. M.

Perez

G. M.

Skarmeta

A. F. G.

Towards the definition of a web service based management framework

Proceedings of the 2nd International Conference on Emerging Security Information, Systems and Technologies

2008

Cap Esterel

362 367

15.

Machiraju

Sahai

Moorsel

A. V.

Web services management network: an overlay network for federated service management

Proceedings of the 8th International Symposium on Integrated Network Managemen

2003

Ghent, Belgium

351 364

16.

OPEN GIS CONSORTIUM

OpenGIS geography markup language(GML) encoding standard

Version 3. 3, 2007

17.

Egenhofer

M. J.

Herring

J. R.

A mathematical framework for the definition of topological relationships

Proceedings of the 4th International Symposium on Spatial Data Handling

1990

Zurich, Switzerland

803 813

18.

Bjorn

Faron

The mobility workbench-a tool for the π-calculus

Computer Aided Verification 1994 818 428 440

A Novel Reliability Assurance Method for Cyberphysical System Components Substitution

Abstract

1. Introduction

2. Basic Conceptions

2.1. CPS Service

2.1.1. Service Implementation Layer

2.1.2. Service Abstraction Layer

2.1.3. Business Process Layer

2.1.4. Application Layer

Definition 1 (CPS service view).

2.2. Compatibility of CPS Service

Definition 2 (interaction element/normal interaction element/abnormal interaction element).

Definition 3 (compatibility degree).

Definition 4 (fully compatible/partially compatible/incompatible).

3. Reliability Assurance Method for CPS Service Substitution

3.1. Time-Space π-Calculus

Definition 5 (properties of discrete time domain).

Definition 6 (time operator ≡ Int ( t r , Δ t ) ).

Definition 7 (position operator ≡ Pos [ S ] ).

Definition 8 (energy operator ≡ Ene [ M ] ).

Definition 9 (syntax of time-space π-calculus).

Definition 10 (operational semantics of time-space π-calculus).

Definition 11 (weak simulation/weak bisimulation).

3.2. Qualitative Analysis Method for CPS Service Substitution

Theorem 12 (CPS service substitution judgment theorem).

Proof.

3.3. Substitution Processes Based on Service Management

3.3.1. Service Desk

3.3.2. Event Management

3.3.3. Problem Management

3.3.4. Change Management

3.3.5. Configuration Management

3.3.6. Knowledge Base Management

4. Experiments and Results

4.1. Problem Description

4.2. Problem Modeling

(1) Vehicle Alarm

(2) Remote Diagnosis

(3) Electronic Fence

(4) Early Warning and Accident Told

(1) Remote Diagnosis

(2) Electronic Fence

(3) Agent of Traffic Accident Treatment Platform

4.3. Analysis Results

5. Conclusions

Footnotes

Acknowledgments

References

Definition 6 (time operator $\equiv Int (t_{r}, Δ t)$ ).

Definition 7 (position operator $\equiv Pos [S]$ ).

Definition 8 (energy operator $\equiv Ene [M]$ ).