A Novel Reliability Assurance Method for Cyberphysical System Components Substitution

Reliable substitution of cyberphysical system (CPS) components is an important issue for CPS troubleshooting and system upgrading. In this paper, the decision problem of component substitution is regarded as the decision problem of service substitution through a service-oriented architecture of CPS. Further, a reliability assurance method for CPS service substitution is proposed, which comprises two parts. The first is a qualitative judgment method for CPS service substitution according to the relationship between service compatibility and substitution, based on time-space π-calculus with time and space operators. The other consists of substitution processes derived from the above judgment results, based on service management theory. Finally, a case study is performed to show how to apply this method to ensure reliable substitution of CPS components. The experimental result shows that this method is reasonable and feasible.


Introduction
Cyberphysical system (CPS) is a new concept in the information field in recent years. CPS is defined [1] as the integration of computation with physical processes and consists of computation units, control units, communications network, sensors, and actuators. In a CPS, downsized and embedded devices execute physical processes by monitoring and controlling entities in the physical world. Computers, networks, devices, and the environments in which they are embedded have interacting physical properties, consume resources, and contribute to the overall system behavior. Nowadays, CPS can be found in areas as diverse as transportation, defense, energy, industrial automation, health, biomedical and critical infrastructure, agriculture, and so forth. Many countries have begun to pay high attention to CPS [2]. The 2007 report of the PCAST of the USA found that cyberphysical systems "are now a national priority for Federal R&D." Hundreds of millions of dollars have been invested into R&D efforts since then. The European Union's Artemis programme (2008-2017) is clearly aimed at the same fundamental problems in the embedded systems aspect of CPS research, with €2.7 billion. Others such as Japan and Korea have set up CPS research projects. The Chinese government also attaches great importance to CPS, and the 863 program "CyberPhysical Oriented System Platforms", officially approved in 2011, has started.
Since CPS has an impact on physical processes and unreliable operation may lead to disastrous consequences, reliable substitution of CPS components is an important issue for troubleshooting and system upgrading. The first problem is how to design the system architecture of CPS. However, research on the architecture is still at a preliminary and exploratory stage both at home and abroad. Tan Ying proposed a prototype architecture of CPS [3], but it lacks a comprehensive and deep description of the layers. Phan and Lee presented an approach towards a compositional multimodal framework of CPS [4], but composition analysis has been limited to uniprocessor processing elements and EDF/FP scheduling policies. Koubaa and Andersson provided a realistic vision of the concept of the Cyberphysical Internet [5], but it does not solve the problem of real time for CPS. In this paper, a service-oriented architecture [6] of CPS is put forward, in which software and hardware of CPS are designed and developed in the form of interoperable services. Based on this architecture, component substitution is equated to CPS service substitution, which makes formal analysis easy to realize.

International Journal of Distributed Sensor Networks
There is much formal modeling research on CPS, including Petri Nets (PN) [7], Finite State Machines (FSM) [8], and Process Algebra [9]. PN and FSM are intuitive to analyze using charts. However, their major problem is state-space explosion. π-calculus [10], a process calculus, is chosen in this paper as the formal analysis tool for its ability to describe concurrent computations whose network configuration may change during the computation, as in CPS. Since CPS is bound by time and space (position, energy) constraints, time-space π-calculus is proposed by introducing a time operator and space operators into π-calculus, and a formal method for modeling CPS service is presented based on it. Starting with the relationship between service compatibility and substitution [11], a qualitative judgment method for CPS service substitution is put forward. Then, from the process management perspective, a series of substitution processes is derived from the judgment results above, referring to best practice and international standards of service management (such as ITIL [12] and ISO 20000 [13]). There is some worthwhile research on service substitution management [14, 15]; in this paper, the substitution processes combine the service substitution requester, the service substitution implementer, the substituted CPS service, and the CPS itself, so that service substitution can be implemented according to a standardized and normalized process.
The remainder of this paper is organized as follows. In Section 2, the conceptions of CPS service and CPS service compatibility are described in detail. In Section 3, a reliability assurance method is proposed, which consists of two parts, that is, a qualitative judgment theorem via time-space π-calculus for CPS service substitution and a series of substitution processes derived from the judgment results. In Section 4, a case study, Electronic Fence, is performed to show how to apply this method to ensure reliable substitution of CPS components. Finally, the conclusion is given.

Basic Conceptions
2.1. CPS Service. In this section, a service-oriented architecture is proposed in which a distributed and open-ended CPS is regarded as a combination of encapsulated CPS services following some business logic and business processes. The service-oriented architecture is shown in Figure 1. In this framework, CPS is divided into four layers: application layer, business process layer, service abstraction layer, and service implementation layer. Each layer is described as follows.
2.1.1. Service Implementation Layer. The service implementation layer is the foundation of this architecture, and it is also the implementation of the CPS service interface. Details of how it is implemented are hidden from service users, and different service providers can use different technology to implement the same service interface. Each CPS service implementation contains a sense-actuate unit, a communications unit, and a computation-control unit. The sense unit monitors the physical world and transfers monitoring information to the computation unit through the communications unit. Then the computation unit determines strategies and sends them to the control unit. The control unit gives instructions to the actuate unit through the communications unit to control physical processes. Each unit is described as follows.
Specially, there must be physical properties in the CPS service description, for example, timestamp, position information, and energy information of physical entities, because the service implementation layer contains physical units (computation unit and control unit) and monitored information without temporal and spatial information is meaningless. There are two types of services in this layer, that is, business service and infrastructure service. Each type is described as follows.
(1) Business service is part of a business process and a fine-grained subprocess of a business requirement. It can fulfill a specific business task automatically and can be reused among different business processes. It is of two kinds: business function service and common service. The former is related to some business area, for example, real-time positioning, driver monitoring, and remote alarm in an intelligent transportation CPS. The latter can be used in different business areas, for example, common algorithms, data transformation, and so forth.
(2) Infrastructure service comprises time synchronization and space constraints, general technology, access adapter, service management, and interaction service. Time synchronization and space constraints guarantee that the temporal and spatial conditions are met when physical units and cyber units are mixed together at multiple scales. General technology provides the technology infrastructure for developing, delivering, and maintaining CPS services, as well as the abilities of security, performance, availability, and so forth. Access adapter changes available resources of legacy systems into individual business services.
Service management monitors the state of CPS services and provides support for abnormal conditions, for example, SLA, capacity planning, cause analysis, and so forth. Interaction service is used for arranging interfaces of CPS services into intelligent devices, not only for human-computer interaction.

Definition 1 (CPS service view). A CPS service view is defined as a nine-tuple CPSV = (S, s_0, F, Act, T, M, f_m, f_t, f_e), where
S = {s_0, s_1, ...}: finite set of states;
s_0: initial state of the CPS service;
F: set of final states of the CPS service, F ⊆ S.

Compatibility is aimed at the interactive processes of CPS services. From the aspect of the CPS service view, an interactive process represents a series of calls between two CPS services. When one CPS service sends (resp., receives) a message, the other CPS service simultaneously evolves by receiving it (resp., sending it). So in a sense the behavior of CPS service 2 should be the same as that of CPS service 1, but with receptions instead of emissions, and vice versa. The dual service S̄ of CPS service S is obtained by changing emissions to receptions and vice versa, and the notation ā represents the opposite action of action a. Let us define interaction element, normal interaction element, and abnormal interaction element as follows.
Definition 2 (interaction element/normal interaction element/abnormal interaction element). There are two CPS service views CPSV_1 = (S_1, s_01, F_1, Act_1, T_1, M_1, f_m1, f_t1, f_e1) and CPSV_2 = (S_2, s_02, F_2, Act_2, T_2, M_2, f_m2, f_t2, f_e2). An interaction element is defined as a triple ie = (a_1, a_2, m). (1) If a_1 and a_2 are dual actions carrying the same message m, ie is called a normal interaction element. (2) If one action receives m but the other CPS service has no corresponding sending action, ie is called an abnormal interaction element. An interaction element represents one step of interaction between two CPS services. A normal interaction element represents a successful interaction, in which the two interactive actions are dual with the same receiving (resp., sending) message. An abnormal interaction element represents an unsuccessful interaction, in which one CPS service has a receiving action but the other does not have the sending one. As shown in Figure 2, there are two interaction elements, ie_1 = (a_1, a_2, m_1) and ie_2 = (b_1, b_2, m_2); ie_1 is a normal interaction element, and ie_2 is an abnormal interaction element.
Compatibility between two CPS services arises at different levels, that is, static compatibility and dynamic compatibility. Static compatibility is semantic and syntactic compatibility. Dynamic compatibility means that exchanges of messages are ordered in matched sequences without deadlock and livelock, and there are no sent messages that cannot be received by one of the two CPS services. Assuming that CPS service A and CPS service B are statically compatible and the set of messages sent by A is a subset of the set of messages received by B (i.e., A partially or fully uses the receiving message interfaces of B), if A and B are able to interact properly, they are called compatible. Let us give the formal definition of compatibility.
Definition 3 (compatibility degree). IE_n represents the set of a CPSV's normal interaction elements, and N(IE_n) represents the number of elements in IE_n. IE_a represents the set of the CPSV's abnormal interaction elements, and N(IE_a) represents the number of elements in IE_a. Compatibility degree is defined as

Definition 4 (fully compatible/partially compatible/incompatible). Let M denote the set of other CPSVs interacting with this CPSV and ω denote the compatibility degree. If ω = 1, CPSV and M are fully compatible. If 0 < ω < 1, they are partially compatible. If ω = 0, they are incompatible. Fully compatible and partially compatible are both referred to as compatible.

Reliability Assurance Method for CPS Service Substitution
In this section, time-space π-calculus is proposed to model CPS service. Then, a reliability assurance method for CPS service substitution is put forward, which consists of two parts, that is, a qualitative judgment theorem for CPS service substitution and a series of substitution processes derived from the judgment results.

Time-Space π-Calculus.
CPS service corresponds well with processes of π-calculus. Specifically, communication channels of a process represent actions of a CPS service, the variables sent and received by a process represent the messages sent and received by actions, and process, summation, composition, and replication in π-calculus represent the sequence, case, parallel, and iterative structures of CPS service composition. However, π-calculus lacks syntax for time and space characteristics. So we put forward the notion of time-space π-calculus by introducing time and space (position, energy) operators into π-calculus. Since relative accuracy of time is enough to meet the quality requirements of CPS service, a discrete time domain is adopted in this paper to describe the time characteristic of CPS. Properties of the discrete time domain are defined as follows.

Definition 5 (properties of discrete time domain). Discrete time domain T has the following properties.
(1) For all t ∈ T, t ≠ 0 ⇒ t > 0;
(2) for all t ∈ T, t ≠ ∞ ⇒ ∞ > t;
(3) for all t, t′ ∈ T, t′ > t ⇔ ∃Δt > 0, t + Δt = t′;
(4) for all t, t′ ∈ T, (t > 0) ∧ (t′ ≠ ∞) ⇒ t + t′ > t′;
(5) for all t ∈ T, t + 0 = t, t + ∞ = ∞;

All the observable energy that supports the physical components of CPS in functioning well is called the energy information of CPS. It includes many kinds, for example, electric energy, heat energy, and so forth, and can be consumed and replenished. Assuming that process P contains n physical components, E_i represents the energy value of the ith physical component and E_i max represents the maximum energy value of P, ∃m_i ∈ [0, 100] such that this physical component can function properly only when it meets the corresponding energy condition. The energy operator is defined as follows.

Definition 8 (energy operator ≡ Ene[M]). Ene[M]P represents that process P can start only when the truth-value of the energy condition M is true.
Definition 9 (syntax of time-space π-calculus).
(1) 0 is the nil process. āx • P, a(x) • P, and τ • P are the output prefix, input prefix, and silent prefix processes. P + Q is the sum process. P | Q is the concurrent composition process. (x)P is the restriction process. [x = y]P is the match process. !P is the replication process. Detailed meanings of the nine expressions above can be seen in [10].
(2) Int(t_r, Δt)P and Ene[M]P, together with the position operator process, are the time, energy, and position prefix processes; their meanings can be seen in Definitions 6, 8, and 7.
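The three prefixes of Definitions 6, 7, and 8 are start guards: a process under Int(t_r, Δt), the position operator, and Ene[M] may only begin when the current time lies in the interval, every physical component's topological relation to the benchmark region is in its allowed set S_i, and every component has enough energy. The following added example (written for this page, not code from the paper) evaluates those guards over a discrete time domain. It also derives the relation c_i from the quaternion R(A, B) of boundary/interior intersections described with Definition 7, using closed 1-D intervals as a stand-in for spatial objects; the mapping of quaternion patterns to the eight relation names and the energy test "E_i is at least m_i percent of E_i max" are assumptions marked in the code, as is the sample depot scenario.

```python
"""Start guards for the time, position and energy prefixes of time-space pi-calculus.

Added example, not code from the paper. Spatial objects are reduced to closed 1-D intervals,
and everything marked ASSUMPTION is not stated on the page.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

Interval = Tuple[float, float]  # closed interval [lo, hi] standing in for a spatial object

# S_pos: the eight topological relations named with the position operator
S_POS = frozenset({"disjoint", "meet", "equal", "overlap",
                   "inside", "contain", "covered_by", "cover"})


def quaternion(a: Interval, b: Interval) -> Tuple[bool, bool, bool, bool]:
    """R(A, B) = (∂A∩∂B, ∂A∩B°, A°∩∂B, A°∩B°), True where the intersection is non-empty.

    For a 1-D interval the boundary is its two endpoints and the interior the open interval.
    """
    (a0, a1), (b0, b1) = a, b
    if not (a0 < a1 and b0 < b1):
        raise ValueError("degenerate interval")
    boundary_a, boundary_b = {a0, a1}, {b0, b1}
    return (bool(boundary_a & boundary_b),          # ∂A ∩ ∂B
            any(b0 < x < b1 for x in boundary_a),  # ∂A ∩ B°
            any(a0 < x < a1 for x in boundary_b),  # A° ∩ ∂B
            max(a0, b0) < min(a1, b1))             # A° ∩ B°


# ASSUMPTION: R(A, B) patterns are read with the usual 4-intersection model. Because interval
# boundaries are points, 1-D overlap shows as (0,1,1,1); (1,1,1,1) is the 2-D region pattern.
_RELATION: Dict[Tuple[bool, bool, bool, bool], str] = {
    (False, False, False, False): "disjoint",
    (True, False, False, False): "meet",
    (True, False, False, True): "equal",
    (False, True, False, True): "inside",
    (True, True, False, True): "covered_by",
    (False, False, True, True): "contain",
    (True, False, True, True): "cover",
    (False, True, True, True): "overlap",
    (True, True, True, True): "overlap",
}


def topological_relation(a: Interval, b: Interval) -> str:
    """c_i: the relation between component extent `a` and benchmark region `b`."""
    return _RELATION[quaternion(a, b)]


@dataclass(frozen=True)
class PhysicalComponent:
    extent: Interval      # where the component is
    allowed: Set[str]     # S_i ⊆ S_pos: relations to the benchmark region under which it works
    energy: float         # E_i
    energy_max: float     # E_i max
    min_percent: float    # m_i ∈ [0, 100]


def int_guard(t: float, t_r: float, delta_t: float) -> bool:
    """Int(t_r, Δt): P may start only when t ∈ [t_r, t_r + Δt]; Δt = ∞ leaves the window open."""
    if delta_t < 0:
        raise ValueError("Δt must be >= 0")
    return t_r <= t <= t_r + delta_t


def pos_guard(components: Iterable[PhysicalComponent], benchmark: Interval) -> bool:
    """Position operator: every component's relation c_i to the benchmark region lies in S_i."""
    return all(topological_relation(c.extent, benchmark) in c.allowed for c in components)


def ene_guard(components: Iterable[PhysicalComponent]) -> bool:
    """Ene[M]: ASSUMPTION that component i works when E_i is at least m_i percent of E_i max."""
    return all(c.energy_max > 0 and 100 * c.energy / c.energy_max >= c.min_percent
               for c in components)


def can_start(t: float, t_r: float, delta_t: float,
              components: Iterable[PhysicalComponent], benchmark: Interval) -> bool:
    """A process under all three prefixes starts only when every guard holds."""
    components = list(components)
    return int_guard(t, t_r, delta_t) and pos_guard(components, benchmark) and ene_guard(components)


# Constructed sample: a depot region on a 1-D route and two on-vehicle components.
DEPOT: Interval = (0.0, 100.0)
SENSOR = PhysicalComponent((10.0, 20.0), {"inside", "covered_by", "equal"}, 80.0, 100.0, 30.0)
ACTUATOR = PhysicalComponent((90.0, 110.0), {"inside"}, 80.0, 100.0, 30.0)  # straddles the region edge

if __name__ == "__main__":
    print(topological_relation(ACTUATOR.extent, DEPOT))     # overlap
    print(can_start(5, 0, 10, [SENSOR], DEPOT))              # True
    print(can_start(5, 0, 10, [SENSOR, ACTUATOR], DEPOT))    # False: actuator is not inside
    print(can_start(11, 0, 10, [SENSOR], DEPOT))             # False: outside the time window
```

The guards are pure predicates, so the same functions can be used to decide whether a time-space prefixed process expression is blocked at a given time, which is the deadlock check the judgment theorem's condition one asks for.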
The performance of time-space π-calculus is poorer than that of classical π-calculus due to the additional time and space operators. Fortunately, the deduction procedures can be completed automatically by MWB [18], a software tool for π-calculus.
Definition 11 (weak simulation/weak bisimulation). Let R denote a binary relation on the process domain K. For all (P, Q) ∈ R, P ∈ K, Q ∈ K, if the following conditions are satisfied, Q is said to weakly simulate P.
(1) Whenever
If the symmetric requirements hold with P and Q interchanged, the relationship between P and Q is said to be weak bisimulation, written P ≈ Q.
Properties of weak bisimulation can be seen in [10]. Weak bisimulation describes the situation in which two processes are equivalent when observed from outside but have different internal structure and actions.

Qualitative Analysis Method for CPS Service Substitution.
Substitutability is closely related to compatibility. Combining related research results, sufficient conditions for CPS service substitution are proposed. Let S and S′ denote two CPS services. If S′ is compatible with all CPS services which are compatible with S, the set of messages sent and received by S is a subset of that of S′, and S′ can meet the time and space constraints, then S′ can be substituted for S.
Let CPSV_S denote the CPS service view of S, which has n interaction elements, and let T_r = {t_r1, t_r2, ..., t_rn} and ΔT = {Δt_1, Δt_2, ..., Δt_n} denote the benchmark time set and delay time set of all interactions. Let P_S denote CPSV_S, P_M denote the dual service set, Q_F denote the final state set of S′, and α denote external and internal actions. Then let emissions(S) and receptions(S) denote the name sets of sent and received messages. The CPS service substitution judgment theorem is given as follows.
Proof. According to condition one and Definitions 6, 7, and 8, S′ meets the time and space constraints. According to conditions two and three, Definition 11, and the definition of compatibility, S′ is compatible with M. Together with condition four, the sufficient conditions for CPS service substitution are satisfied. QED.

When Theorem 12 is used in practice, it is easy to decide whether conditions two and four are satisfied. But for conditions one and three, we need to build a time-space π-calculus-based ideal model with the time and space constraints of the CPS. Then, utilizing the time and space characteristics of the actual CPS service, we can judge by the syntax and operational semantics of time-space π-calculus whether this process expression deadlocks or livelocks and whether it can reach a final state.

Substitution Processes Based on Service Management.
The substitution processes presented in this paper consist of service desk, event management, problem management, change management, configuration management, and knowledge base management. As shown in Figure 3, all substitution requests are accepted by a unified service desk, and the whole lifecycle of a substitution request is monitored. From the analysis results of Theorem 12 and according to Definitions 3 and 4, for an incompatible CPS service the substitution request is rejected. For ω = 1, event management is adopted to implement service substitution, and for 0 < ω < 1, problem management is adopted. Solutions and experience of substitution are shared through the knowledge base. Changes of the CPS are logged and supervised comprehensively in the CMDB (configuration management database). Each process is described as follows.
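The following added example (written for this page, not the paper's own code) ties Definitions 2 to 4 to the service-desk routing just described: it derives the normal and abnormal interaction elements of a service view against the partner set M, computes ω, classifies it per Definition 4, checks condition four of the judgment theorem (the message set of S is a subset of that of S′), and then routes the request to event management, problem management, or rejection. The ω formula N(IE_n) / (N(IE_n) + N(IE_a)) is an assumption chosen to agree with Definition 4's thresholds, since the paper's formula is not reproduced on this page; the names ServiceView, Action, route_request and all message names other than ElectronicFenceInf are constructed for the example, as is the choice to model S′ as the upgraded Remote Diagnosis bundled with the traffic accident agent.

```python
"""Compatibility degree (Definitions 2-4) and service-desk routing of a substitution request.

Added example, not code from the paper. Everything marked ASSUMPTION is not stated on the page.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Iterable, List, Optional, Tuple

# ie = (a_1, a_2, m); a_2 is None when the receiving action has no dual sending action
InteractionElement = Tuple[str, Optional[str], str]


@dataclass(frozen=True)
class Action:
    name: str
    kind: str      # "send" or "receive"
    message: str   # f_m(a): the message the action carries


@dataclass(frozen=True)
class ServiceView:
    """A CPS service view reduced to the parts the compatibility check needs."""
    name: str
    actions: Tuple[Action, ...]

    def messages(self) -> frozenset:
        """Send/receive message set used by condition four of the judgment theorem."""
        return frozenset(a.message for a in self.actions)


def interaction_elements(view: ServiceView, partners: Iterable[ServiceView]
                         ) -> Tuple[List[InteractionElement], List[InteractionElement]]:
    """Split the interaction elements of `view` against the partner set M into (normal, abnormal).

    Normal: the action and a partner action are dual (send/receive) and carry the same message.
    Abnormal: `view` receives a message that no partner sends (Definition 2 as worded).
    ASSUMPTION: a message sent by `view` that no partner receives yields no element at all.
    """
    partners = list(partners)
    normal: List[InteractionElement] = []
    abnormal: List[InteractionElement] = []
    for a in view.actions:
        dual_kind = "receive" if a.kind == "send" else "send"
        duals = [f"{p.name}.{b.name}" for p in partners
                 for b in p.actions if b.kind == dual_kind and b.message == a.message]
        if duals:
            normal.extend((a.name, d, a.message) for d in duals)
        elif a.kind == "receive":
            abnormal.append((a.name, None, a.message))
    return normal, abnormal


def compatibility_degree(view: ServiceView, partners: Iterable[ServiceView]) -> Fraction:
    """Definition 3. ASSUMPTION: ω = N(IE_n) / (N(IE_n) + N(IE_a)), the ratio that makes
    ω = 1 exactly when no abnormal element exists and ω = 0 when no normal one does."""
    normal, abnormal = interaction_elements(view, partners)
    total = len(normal) + len(abnormal)
    if total == 0:
        return Fraction(0)   # ASSUMPTION: a view with no interaction elements gets ω = 0
    return Fraction(len(normal), total)


def classify(omega: Fraction) -> str:
    """Definition 4."""
    if omega == 1:
        return "fully compatible"
    if 0 < omega < 1:
        return "partially compatible"
    return "incompatible"


def route_request(old: ServiceView, new: ServiceView, system: Iterable[ServiceView]) -> str:
    """Service-desk routing of a request to substitute `new` (S') for `old` (S).

    Condition four first: the message set of S must be a subset of that of S'. Then ω of S'
    against the system decides: 1 -> event management, (0, 1) -> problem management, 0 -> rejected.
    """
    if not old.messages() <= new.messages():
        return "rejected: S' does not cover the message set of S"
    verdict = classify(compatibility_degree(new, list(system)))
    if verdict == "fully compatible":
        return "event management"
    if verdict == "partially compatible":
        return "problem management"
    return "rejected: incompatible"


# --- constructed sample, loosely modelled on the Electronic Fence case ---------------------
# Only the message name ElectronicFenceInf comes from the paper; the others are constructed.
vehicle_alarm = ServiceView("VehicleAlarm", (Action("sendAlarm", "send", "AlarmInf"),))
early_warning = ServiceView("EarlyWarning", (Action("recvDiag", "receive", "DiagnosisInf"),))
fence_old = ServiceView("ElectronicFence", ())   # not upgraded: cannot send ElectronicFenceInf
fence_new = ServiceView("ElectronicFence", (Action("sendFence", "send", "ElectronicFenceInf"),))

remote_diag = ServiceView("RemoteDiagnosis", (
    Action("recvAlarm", "receive", "AlarmInf"),
    Action("sendDiag", "send", "DiagnosisInf")))
# S': the upgraded Remote Diagnosis bundled with the traffic accident agent, which must
# also receive ElectronicFenceInf (the bundling is a modelling choice of this example)
remote_diag_new = ServiceView("RemoteDiagnosis'", remote_diag.actions + (
    Action("agentRecvFence", "receive", "ElectronicFenceInf"),))

if __name__ == "__main__":
    for fence in (fence_old, fence_new):
        system = [vehicle_alarm, early_warning, fence]
        w = compatibility_degree(remote_diag_new, system)
        state = "upgraded" if fence.actions else "not upgraded"
        print(f"fence {state}: ω = {w} -> {classify(w)};",
              route_request(remote_diag, remote_diag_new, system))
```

With the fence left at its old version the agent's reception of ElectronicFenceInf has no sender, so one abnormal element appears beside two normal ones, ω = 2/3, and the request goes to problem management; once the fence also sends that message ω = 1 and event management handles the substitution, which is the distinction the case study draws.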

Service Desk.
Based on this unified access point, all substitution requests are recorded completely and given preliminary support, and then they are passed to the substitution implementer to ensure timely request handling. The service desk can provide accurate process information from start to finish.

Event Management.
For requests about fully compatible CPS services, this process provides the corresponding substitution service according to the SLA.

Problem Management.
For requests about partially compatible CPS services, abnormal interaction elements are found by assessment and analysis in this process. Then, a substitution solution is formulated and implemented. Problem management minimizes the effects of abnormal interaction elements to improve service quality and customer satisfaction, and also provides support to the change management process.

Change Management.
This process coordinates with the problem management process to implement changes in the CMDB. Change management reduces the failure rate caused by system changes.

Configuration Management.
In this process, description information of CPS services, for example, states, actions, messages, time and space characteristics, and so forth, is centrally managed in the CMDB. Configuration management records and controls the changes of the CPS.

Knowledge Base Management.
This process supports storing, auditing, filtering, updating, and retiring substitution-related knowledge, and accumulates experience about past events and problem solutions.

Experiments and Results
In this section, we take the Electronic Fence in a hazardous chemicals transport CPS as an example (shown in Figure 4) to illustrate how to use the reliability assurance method for CPS component substitution. Based on the models proposed in Section 2.1, the electronic fence is designed as a business process consisting of five CPS services, that is, Vehicle Alarm, Remote Diagnosis, Electronic Fence, Early Warning, and Accident Told, as shown in Figure 5. The sent and received messages are also shown in Figure 5.
Because of changing user requirements, the system is upgraded and an agent of the traffic accident treatment platform is added. Specifically, after remote diagnosis, traffic accident information must be reported to this agent, and when electronic fence setting is completed, electronic fence information must be reported to this agent too. As shown in Figure 6, after upgrading, a CPS service, that is, the agent of the traffic accident treatment platform, is added, Remote Diagnosis and Electronic Fence are changed, and the other CPS services stay the same.
The problem to be solved is whether S′ in Figure 6 can be substituted for S in Figure 5 and how to ensure the reliability of this substitution. In order to make this substitution general, Electronic Fence is not upgraded to the state in Figure 6, so it cannot send the ElectronicFenceInf message. In such a situation, S′ is partially compatible with the system. Otherwise, if fully upgraded, S′ is fully compatible with the system, but this situation is idealized and lacks generality.

Figure 4 panel labels: vehicle intelligent terminal, tank vehicle, sensors.
The screenshots of the call center system and the vehicle terminal system fully prove that the above analysis results are correct. This case study shows that the reliability assurance method presented in this paper can assist users in CPS component substitution and ensure the reliability of the upgraded CPS; therefore, this method is reasonable and feasible.

Conclusions
In this paper, CPS component substitution is equated to CPS service substitution, and a reliability assurance method for CPS service substitution is provided. The case study proves that the method is innovative and practical. Our future work will focus on two aspects:
(1) how to realize substitution of incompatible CPS services by adding a process adapter, so as to expand the sample selection space;
(2) further study of the action-time function and action-energy function, constructing a time and energy state space, so that we can make optimal service composition decisions in this state space and provide a reference for the optimized selection of CPS service substitution.

Figure 4: Real pictures of Electronic Fence in hazardous chemicals transport CPS.
The interface of a CPS service, containing interface characteristics, operation usability, parameters, data types, and access protocol, is implemented with component technology. Through the interface, service users can know what the CPS service can do, how to find it, how to exchange messages, how to invoke it, and what the returned results may be. However, details of how it is implemented are hidden; therefore, service providers can implement the same service interface with different technologies. A CPS service provides an interface to receive and send messages and transits from its initial state to a final state, triggered by send-receive actions; meanwhile, it takes time and consumes energy to complete these actions. Let us give the definition of CPS service view.
2.1.3. Business Process Layer. The business process layer involves a number of business processes, where each business process is composed of CPS services following regular rules. It is necessary to set up a properly complex and reliable layer like this, since a large number of fine-grained CPS services would lead to great cost and be ineffective. This layer also involves service collaboration, service composition, service substitution, and space-time constraints.
2.1.4. Application Layer. The application layer involves many industry applications of CPS, in which each system is composed of business processes. These business processes cooperate with each other in order to fulfill higher-level business goals. Compared with the business process layer, this layer tends to be more focused on integrating all kinds of application requirements by combining professional knowledge with business models in different industries.
Figure 2: Interaction between CPSV_1 and CPSV_2.

Act: set of actions, where τ is the internal action;
T ⊆ S × Act × S: state transition relation;
M: set of CPS service messages;
f_m: Act → M: action-message function; for all a ∈ Act, f_m(a) is the received (resp. sent) message of a;
f_t: Act → R+: action-time function; for all a ∈ Act, f_t(a) is the time spent completing a;
f_e: Act → R+: action-energy function; for all a ∈ Act, f_e(a) is the energy consumed to complete a.

2.2. Compatibility of CPS Service. Performing complex business tasks typically needs a number of CPS services to work together. It is therefore necessary to ensure that these services are able to interact properly, which is the notion of compatibility.
(6) for all t_1, t_2 ∈ T, t_1 < t_2, {t | t_1 ≤ t ≤ t_2} is written [t_1, t_2] and is called a time interval;
(7) for all [t_1, t_4] and all t_2, t_3 ∈ [t_1, t_4], if t_2 ≤ t ≤ t_3 then t ∈ [t_1, t_4].

Definition 6 (time operator ≡ Int(t_r, Δt)). t_r is the benchmark time and Δt ≥ 0. Int(t_r, Δt)P represents that process P can start only when t ∈ [t_r, t_r + Δt].

Physical components of CPS are abstracted to spatial objects based on OGC [16] (Open Geospatial Consortium) and the topological relation theory of spatial databases [17]. The topological relations between two spatial objects, which are regarded as point sets, are expressed by a quaternion formed from the boundary and interior of the point sets. Here, A and B represent two spatial objects. Let ∂A, A^0, ∂B, B^0 denote the boundary and interior of A and B. The quaternion is
$$R(A, B) = \begin{pmatrix} \partial A \cap \partial B & \partial A \cap B^0 \\ A^0 \cap \partial B & A^0 \cap B^0 \end{pmatrix}.$$
Topological relations include eight kinds, that is, disjoint, meet, equal, overlap, inside, contain, covered by, and cover, which are represented by S_pos = {s_d, s_m, s_e, s_o, s_in, s_ct, s_cb, s_c}. Assuming that process P contains n physical components and c_i represents the relation between the ith physical component and the benchmark region, ∃S_i ⊆ S_pos such that this physical component can function properly only when c_i ∈ S_i. Let S = {S_1, S_2, ..., S_n}. The position operator is defined as follows.

Definition 7 (position operator). The position operator applied to P represents that process P can start only when the truth-value of c_i ∈ S_i is true.