COUPLING TEMPORAL CONSTRAINTS WITH REQUIREMENTS ANALYSIS IN CYBER-PHYSICAL SYSTEMS

Cyber-Physical Systems (CPS) require networks with temporal semantics. The correct functioning of CPS depends crucially on temporal considerations, especially for time-critical requirements. There is an urgent need to couple temporal semantics into requirements analysis when developing CPS. There have been past attempts at coupling temporal semantics into the design of reactive systems. Most of the current proposals, however, suffer from limitations in CPS scenarios because they ignore temporal aspects of the behavior that are essential to the system. This leads naturally to the use of temporal automata for modeling and verifying the requirements of CPS. The proposed method is simple, yet powerful enough to express the temporal semantics of CPS. We demonstrate the effectiveness of the proposed model with an engineering example.


Introduction
A Cyber-Physical System (CPS) is a mechanism in which physical components and software systems are tightly intertwined. CPS are applied in many important domains such as medical health, navigation, transportation, energy, and environmental monitoring systems [1]. Time is an important property in modeling CPS. The absence of quantitative time from today's computing and networking abstractions has had many benefits, but it is counterproductive when reasoning about systems that must communicate with physical components, such as CPS. Existing techniques for computing relational abstractions, such as [2,3], are time-agnostic: the relationship between the state transitions of the target system and the elapsed time is absent. CPS requires networks with temporal semantics. The correct functioning of CPS depends crucially on temporal considerations, especially for time-critical requirements. Work that raises time to first-class citizen status in the modeling and implementation of CPS is found in [4][5][6]. In essence, CPS is the convergence of computation, communication and control, involving complex interactions between software and physical elements. To this end, CPS must adapt itself to variations in its environment. Therefore, there is an urgent need to couple temporal semantics into requirements analysis when developing CPS. From the perspective of the interactive environment, the key features are perception and control, which are time-sensitive. Endowing CPS with temporal semantics makes it possible to reason about the influence of time on the evolution of CPS.
There have been past attempts at coupling temporal semantics into the design of reactive systems. An approach that integrates temporal models into functional analysis with regard to closed-loop properties of control software was proposed in [7]. Ontologies are employed to reason about the temporal properties of CPS, and temporal semantics were discussed, in [8]. Derler and her colleagues considered leveraging clock synchronization in order to develop an entire distributed system as a synchronous system with one logical clock domain using PTIDES, an event-triggered programming model [9]. Temporal definition languages, such as [10][11][12], provide a potential method to describe temporal semantics at the language level. The work in [13] allows for verification and control from specifications given as Linear Temporal Logic (LTL) formulae over linear predicates in the state variables. Researchers have argued that time is not just a quality factor but also a correctness one; in particular, the temporal semantics in models and programs must be preserved during compilation [14]. This leads naturally to the use of temporal automata for modeling and verifying the requirements of CPS. An optimization approach with end-to-end response time constraints in a multi-resource CPS was proposed in [15]. Time-aware relational abstraction overcomes shortcomings of the relational abstraction procedure by exploiting the eigenstructure of the matrix of the linear ordinary differential equations [16].

Hua Wang and Jian Yu
School of Information and Electronic Engineering, Zhejiang University of Science and Technology, China
Email: {wanghua96@126.com}
Most of the current proposals, however, suffer from limitations in CPS scenarios because they ignore aspects of the behavior that are essential to the system. Better specification and verification of temporal requirements are needed to decide whether the temporal constraints for a particular adaptation hold. To tackle this predicament, an automata model is employed to consider the behavior of CPS over time. The proposed method is simple, yet powerful enough to express the temporal semantics of CPS. The rich support for specification and verification in automata theory paves the way to reconciling system behaviour with the requirements model of CPS. We demonstrate the usefulness of the proposed model with an engineering example.

The temporal automata
A temporal word is defined by associating a real-valued time with each symbol in a word, so that a behavior of a CPS corresponds to a temporal word over the alphabet of events. A word v is coupled with a temporal sequence t defined as below: (1) over $\Sigma$ and t is a temporal sequence, i.e., the time at which it occurs. A temporal language over $\Sigma$ is a set of temporal words over $\Sigma$.
is treated as an input to an automaton and presents the symbol $\partial_i$ at time $t_i$. In our context, each symbol $\partial_i$ is interpreted as an event occurrence, and the corresponding $t_i$ as the time of occurrence of $\partial_i$.
In particular, one could allow a system to assign the same time value to quite a few successive events in the sequence. To that end, one could slightly amend the meaning of a temporal word to require a temporal sequence to increase only monotonically, i.e., demand for all . All conclusions are also applicable in this alternative model. Language-level logical operations such as union, intersection, and complementation can be applied to temporal languages as usual.
Definition 4. For a temporal language L over $\Sigma$,
Next, we can bring time constraints into the transition tables in order to read temporal words, as a natural extension of untemporal transition tables. The state transition relies on the input symbol read, according to the transition tables as indicated above. When considering time constraints, we want the transition to depend also on the time of the event occurrence relative to the times of the preceding event occurrences. Therefore, a real-valued clock is coupled with each state-transition entry in the transition table. The state transition is then allowed only if the current clock value satisfies the constraint while the desired input symbol, i.e., the expected event occurrence, is presented. A clock can be reset to zero on any state transition. Consider the following example for the Temporal Transition Table in Fig. 1. requiring an input symbol c ensures that the delay between c and the preceding a is less than 2. It is worth noting that no explicit bounds are placed on the time difference between b and the preceding a, or d and the preceding c. This shows a crucial benefit of setting multiple clocks independently of each other. The temporal transition table in Fig. 1 Also note that the clocks $ck_1$ and $ck_2$ are used independently; therefore, the language L is the intersection of the two languages $L_1$ and $L_2$, each of which can be expressed by an automaton employing just one clock, defined as follows.

Temporal Transition Table
We are now in a position to define the Temporal Transition Table. Notice how temporal constraints can be built into the definition of a transition. Before diving into how this is done, we need to distinguish between the times at which events are available and the times at which they become ready to be available. Accordingly, two notations are needed to record events that might occur: when a process can communicate an event at any time, we write a, for $a \in \Sigma$, while the special notation â denotes an event at the moment it becomes available. Thus, we have the notation and $\partial$ is a typical member of $\Sigma$. The sequence of observable events in a process is defined as a trace. For instance, pressing the brake pedal in an automotive electronics system or automatically opening the gate at a railroad crossing could be identified as an event. Now we have the definition of temporal traces.
Definition 6. All temporal events in a temporal transition table can be formulated as one of two types of events: basic temporal events and composite temporal events. A basic temporal event is an atomic observable occurrence, while a composite temporal event is a logical operation on basic or other composite events using the following operators, extended from our previous work by coupling the temporal semantics, as in Table 1:

Verification of implementation
Assume without loss of generality that all temporal events are instantaneous and require cooperation when communicating. The earliest and latest times of any temporal event are noted as technique Communicating Sequential Processes (CSP) proposed in [18], which is employed to prove correctness of the temporal automaton. The verification of correctness comes down to an inclusion problem [19], namely whether the implementation I meets the specification S, noted as $I \subseteq S$. The implementation is given as temporal processes and can be considered as the composition of several components, each of which is treated as a temporal process $P_i$. At the same time, the specification of the CPS is described as a temporal language L. The verification problem is then posed as whether $(\|_i P_i) \subseteq L$ is true or false. Temporal processes are considered as sets of temporal traces. As a first step, we should find a way to extend untemporal processes to temporal processes, as illustrated in Fig. 2.

Motivating scenario
To validate the effectiveness of our approach, we apply it to an actual project. We consider a motivating industry project from our previous work [17]: a Pervasive Health Management Director (PHmD) system that provides real-time personal health evaluations based on a medical health knowledge database by analyzing health data collected from remote wireless health devices, such as the JOGGER Monitor, Electrocardiogram Measurement Instrument, Blood-glucose Meter and so on. Health service providers supply the health evaluation service based on the QoS (Quality of Service) requirements subscribed to by different customers, who receive the relevant services to monitor and improve their health level.
The health management and service system is deployed as a Cyber-Physical System in a cloud computing environment. The physical information collected from remote devices or wearable textiles is sent to the PHmD system by means of wireless sensor networking technology. The expert system in PHmD analyzes and processes the individual physiological information using the underlying health knowledge warehouse. A risk evaluation is then performed to determine the health level of the customer. Eventually, home monitoring, disease prevention, emergency rescue and remote diagnosis would cooperatively bear promising fruit.

Modeling the PHmD
To illustrate how the proposed formalism described above works in practice, we use the Jogging Monitor to specify the Wearable Device communicating with the Health APP hosted on wireless cellphones. The data of JOGGER, Body Temperature, Respiratory Frequency and Oxygen Consumption are fetched from the wearable device every 20 seconds. The Vital Signs data are then conveyed to the hosting APP. If the analysis finds any exception, it is sent to the jogger, who acts on the results of the analysis report. We consider a simple situation in which the APP raises an alarm when the JOGGER continues to exceed a threshold value for a duration of 30 seconds. The situation is composed of two components: JOGGER and APP. The jogger is modeled as an automaton shown in Fig. 4. The event set is {approach, keep, leave, E }. We use idle bp ckbp to express the temporal requirements. JOGGER communicates with APP through the two events approach and leave. The event keep denotes the blood pressure rising above the threshold value and staying there for a period of time. JOGGER is required to send the signal keep if it stays above the threshold value for at least 30 s. The event leave is sent if the blood pressure falls back within the range of normal values. The union of the event sets of both components is the event set of the entire system. The automaton of the system is built by composing the two components. The correctness requirement of the system is the safety property: when the JOGGER has blood pressure above the threshold value, an alarm should be raised when the temporal constraints are met, as specified in Fig. 6. The event label "recover, ~keep" stands for any event set not containing keep, but containing recover. The safety property implies alarm after keep. The safety property can be checked by employing the algorithm Check Inclusion ( ).
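The temporal transition table mechanics described earlier (clock guards on entries, clocks reset to zero on a transition, event times that never decrease) applied to the JOGGER and APP scenario, as an added example that is not the authors' code. The state names, the table entries and the placement of the alarm event are assumptions made for illustration, since Fig. 4 and Fig. 6 are not reproduced here; the safety check covers individual sample traces, not full language inclusion.

```python
import operator
OPS = {"<": operator.lt, "<=": operator.le, ">=": operator.ge, ">": operator.gt}

# Temporal transition table: (state, event) -> (next state, guards, clocks reset to 0).
# State names and entries are assumptions; the page's Fig. 4 is not reproduced.
SYSTEM = {
    ("normal", "approach"): ("high", [], ["ck_bp"]),
    ("high", "keep"): ("reported", [("ck_bp", ">=", 30)], []),
    ("high", "leave"): ("normal", [], []),
    ("reported", "alarm"): ("alarmed", [], []),
    ("reported", "leave"): ("normal", [], []),  # faulty APP: no alarm raised
    ("alarmed", "leave"): ("normal", [], []),
}

def run(table, word, start="normal"):
    """Read a temporal word [(event, time), ...]; return (accepted, detail)."""
    state, clocks, last = start, {}, 0.0
    for event, t in word:
        if t < last:  # times may repeat but must never decrease
            return False, f"time decreases at {event}@{t}"
        clocks = {c: v + (t - last) for c, v in clocks.items()}  # clocks advance together
        last = t
        entry = table.get((state, event))
        if entry is None:
            return False, f"no entry for {event} in state {state}"
        state_next, guards, resets = entry
        for clock, op, bound in guards:
            if not OPS[op](clocks.get(clock, 0.0), bound):
                return False, f"{event}@{t}: {clock} violates {op} {bound}"
        for clock in resets:
            clocks[clock] = 0.0
        state = state_next
    return True, state

def alarm_follows_keep(word):
    """Safety property from the text (alarm after keep), checked on one trace."""
    pending = False
    for event, _ in word:
        if event in ("keep", "alarm"):
            pending = event == "keep"
        elif event == "leave" and pending:
            return False
    return not pending

# Constructed sample temporal words (times in seconds).
GOOD = [("approach", 5), ("keep", 35), ("alarm", 36), ("leave", 50)]
EARLY_KEEP = [("approach", 5), ("keep", 17)]  # ck_bp = 12, guard >= 30 fails
NO_ALARM = [("approach", 0), ("keep", 30), ("leave", 40)]
print([(run(SYSTEM, w), alarm_follows_keep(w)) for w in (GOOD, EARLY_KEEP, NO_ALARM)])
```

NO_ALARM is accepted by the table but fails the safety check, which is the kind of implementation trace the inclusion test is meant to expose.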

Conclusion and future works
A temporal automaton is proposed, based on basic automata theory, by adding formal semantics to the definition of timing requirements in CPS. Furthermore, a method is put forward for verifying the implementation of CPS requirements against its specification using communicating sequential processes. The contributions are: temporal traces are used to record event occurrences under a uniform clock framework; temporal event operators provide a way to describe possible compositions when needed; and the verification algorithm, which employs region automata, is simple but efficient.
Future work includes controlling the scale of the verification model. In addition, techniques will be borrowed to reduce the number of temporal transition entries in order to scale to complicated application environments. We also plan to add quantitative relationships at the clock level. Finally, automated tool support for the modeling process is under development.