Modeling and Verification of Uncertain Cyber-Physical System Based on Decision Processes ^†

Abstract

Currently, there is uncertainty in the modeling techniques of cyber-physical systems (CPS) when faced with the multiple possibilities and distributions of complex system behavior. This uncertainty leads to the system’s inability to handle uncertain data correctly, resulting in lower reliability of the system model. Additionally, existing technologies struggle to verify the activity and safety of CPS after modeling, lacking a dynamic verification and analysis approach for uncertain CPS properties.This paper introduces a generalized possibility decision process as a system model. Firstly, the syntax and semantics of generalized possibility temporal logic with decision processes are defined. Uncertain CPS is extended by modeling it based on time-based differential equations and uncertainty hybrid time automaton. After that, model checking is performed on the properties of activity and safety using fuzzy linear time properties. Finally, a cold–hot hybrid constant-temperature system model is used for simulation experiments. By combining theory and experiments, this paper provides a new approach to the verification of uncertain CPS, effectively addressing the state explosion problem. It plays a crucial role in the design of uncertain CPS and offers a key solution for model checking in the presence of uncertainty.

1. Introduction

The cyber-physical system (CPS) is a cutting-edge technology that combines computing, communication, and remote control functions [1,2]. It represents the latest advancement in complex embedded information and physical network systems [3]. The CPS comprises three main components: the physical entity, computing entity, and interactive entity [4], as illustrated in Figure 1. By incorporating artificial intelligence (AI) into its hardware, the CPS enables automatic control, decision-making, and judgment capabilities, thereby influencing both the computing entities and physical entities through a feedback mechanism. Furthermore, the CPS facilitates human–computer interaction [5] to achieve optimal outcomes.

Model checking [6,7], as a formal and automatic verification technique, has found extensive applications in diverse domains such as computer software and hardware systems, communication protocols, control systems, and security authentication protocols. During the verification process of complex concurrent systems, it is common to encounter uncertain and inconsistent information. For instance, complex computing tasks generated by autonomous vehicles in intelligent autonomous transport systems [8], among others. Classic model checking, which is based on the probability measure, may face challenges when dealing with uncertain verification problems in practical systems [7]. While it has been widely used for analyzing and verifying stochastic systems [9], there are situations where non-additivity problems arise, and these cannot be adequately addressed or measured by traditional probability-based models.

To overcome these limitations, Li et al. [10,11] proposed a possibility measure-based model-checking approach. The possibility measure is a branch of fuzzy set theory and a generalization of the probability measure. Unlike the probability measure, the possibility measure does not adhere to the principle of additivity. In their approach, Li et al. apply fuzzy mathematics, which is rooted in the possibility measure, to model checking [12]. By doing so, they provide a framework for analyzing and verifying uncertain systems that cannot be effectively measured or verified using traditional probability models. The possibility measure-based model-checking approach allows for a more flexible handling of uncertainty by considering the degree of membership or likelihood of events occurring. This approach expands the range of problems that can be addressed and provides an alternative method for analyzing and verifying stochastic systems in practical scenarios where non-additivity problems arise.

A lot of quantitative model-checking techniques have been proposed in the modeling of a system with uncertain information [13], but there are still some important unsolved issues. The problem lies in the uncertainty of system behavior when confronted with multiple possibilistic distributions of complex systems. For example, multi-agent systems possess complex dynamic structures and behavioral characteristics, necessitating the incorporation of additional quantifiable information to depict their dynamic behavioral features [14,15]. Moreover, these possibilistic distributions are not always measurable. The purpose of modeling is to interface with the environment by uncertain actions to satisfy the properties of the system. Thus, it is necessary to consider the uncertain information of those actions. In order to permit both possibilistic and uncertain choices, we introduce the notion of generalized possibilistic decision processes (GPDP) and schedulers selecting actions that will be performed [16]. The GPDP serves as a theoretical foundation for the uncertainty verification of complex systems by enabling transitions between states to satisfy multiple possibilistic distributions.

Ptolemy II is an open-source simulation modeling tool that has gained popularity for its ability to address challenges related to uncertainty modeling, management, and optimal decision control in CPS [3]. While other tools like Simulink/Stateflow and UML are widely used, their close integration and lack of specialized features make it difficult to effectively handle uncertainty in CPS. Ptolemy II [17], developed by researchers at UC Berkeley, offers a comprehensive solution for system design, modeling, and simulation in hierarchical and heterogeneous systems. It provides powerful functionalities and a design environment that supports the entire development phase. This integrated approach allows for a smooth transition from a conceptual model to a real system design, resulting in a shorter design process and improved component reuse. By leveraging Ptolemy II, designers and researchers can enhance the consistency between the authenticity of the system and its simulation results [18]. This capability is crucial for validating the performance and behavior of complex CPS, where uncertainty and dynamic interactions play a significant role.

The main contributions of this paper include the following aspects:

(1)

Construct a CPS system model based on the generalized possibility decision process, and define the CPS syntax and semantics of the generalized possibility linear temporal logic in the CPS system model;

(2)

By introducing clock invariants, the extended modeling of CPS system model is carried out based on differential equations of time and uncertainty hybrid time automaton, and the uncertain CPS extended model is obtained;

(3)

Based on the possibility measure theory and the CPS syntax and semantics of generalized possibility linear temporal logic, the activity and security of the uncertain CPS extended model are verified dynamically, and the execution path of the uncertain CPS extended model is optimized according to the dynamic verification results;

(4)

Used preset modeling tools to model and simulate the uncertain CPS extended model, analyze the CPS dynamic execution process of the uncertain CPS extended model, and refine the dynamic behavior output of the uncertain CPS extended model based on the analysis results of the CPS dynamic execution process.

This article includes the following sections, excluding the present introduction. In Section 2, the necessary basic concepts and definitions are provided. In Section 3, the semantics of the generalized possibility decision process are presented. In Section 4, the CPS syntax and semantics of generalized possibility linear temporal logic are defined. Section 5 introduces clock invariants to extend the uncertainty CPS. In Section 6, a dynamic verification analysis is carried out on the attributes of uncertain CPS. Section 7 uses preset modeling tools to model and simulate the extended model of uncertain CPS. Finally, our overall conclusions are presented in Section 8.

2. Preliminaries

In this section, we give some basic knowledge about the hybrid system and the generalized possibility theory introduced in [10,12].

2.1. Hybrid System

A hybrid system is a type of system that combines continuous dynamics and discrete events. It represents a system where both continuous processes, such as physical processes governed by differential equations, and discrete events, such as state changes or mode switches, are present. This combination allows for the modeling and analysis of complex systems that exhibit both continuous and discrete behaviors. A hybrid automaton is commonly used to describe the system’s behavior. A hybrid automaton is a mathematical model that captures the dynamics of a hybrid system. In the context of CPS, a hybrid system typically refers to a system that integrates physical processes with computational and communication elements. It can be defined as follows.

Definition  1. 

(see [19]). A hybrid automaton can be represented by a six-element tuple, denoted as $H=(I,O,T,Init,M,E)$, where:

 (1) 

I: The set of input ports represents external signals or inputs that can influence the behavior of the automaton. These inputs can trigger state transitions or affect the continuous dynamics of the system.

 (2) 

O: The set of output ports represents the signals or information that the automaton produces as a result of its internal dynamics and interactions with the environment. These outputs could be measurements, control signals, or any relevant information about the system.

 (3) 

T: The set of state variables represents the internal variables or parameters that define the state of the system, which capture the internal state of the system and can change continuously over time. The state set $Q_T$ is a mathematical representation of all possible values that these variables can take.

 (4) 

$Init$: This component is responsible for initializing the distribution operation within the hybrid automaton. It sets the initial conditions or constraints on the state variables.

 (5) 

M: The set of control modes represents different operational modes or behaviors that the automaton can exhibit. Each control mode specifies a set of continuous dynamics and discrete transitions that govern the system’s behavior in that mode.

 (6) 

E: The set of internal actions represents the transformational relations between between different control modes or states in the hybrid automaton. They describe the instantaneous transitions or jumps between modes that can occur based on certain conditions or events.

Remark  1. 

The port mentioned in the definition facilitates communication between the system and its external environment. The communication port operates in two modes: read and write, which are denoted by “?” and “!”, respectively. For example, “port?” indicates input data received by the port, while “port!” represents output data transmitted by the port.

Our hybrid process model is built upon extensive research on the hybrid automaton, which is considered as an encapsulated intelligent agent [20,21]. This research focuses on developing a formal model for hybrid systems by combining discrete transition systems with differential equations. By incorporating continuous evolution and discrete updating, CPS are capable of representing real-world scenarios and describing the system’s state transition relationships [22]. As a result, the hybrid automaton assumes a crucial role in establishing a strong foundation for CPS studies.

2.2. Generalized Possibility Theory

Possibility measure theory [23] deals with the incomplete information and uncertain information of the system. Unlike probability measure theory, possibility measure theory contains possibility measure and necessity measure, which can deal with fine information better. In addition, the possibility measure is non-additive, to deal with the practical application system makes more sense.

Definition  2. 

(see [16]). Let us assume that U is a nonempty set with measurable subsets. In this context, a possibility measure is defined as a function Π from the power set $2^U$ to the interval $[0,1]$ with the following properties.

 (1) 

$\mathrm{\Pi }(⌀)=0$;

 (2) 

$\mathrm{\Pi }\left(U\right)=1$;

 (3) 

$\mathrm{\Pi }(\bigcup E_i)=\bigvee \mathrm{\Pi }\left(E_i\right)$.

For any subset family $\left\{E_i\right\}$ of the universe set U, we can denote the supremum or least upper bound of the real number family ${\left\{a_i\right\}}_{i\in I}$ as ${\bigvee }_{i\in I}{a}_i$. Similarly, the infimum or largest lower bound of the real number family ${\left\{a_i\right\}}_{i\in I}$ can be represented as ${\bigwedge }_{i\in I}{a}_i$.

If Π satisfies only conditions (1) and (3), it is referred to as a generalized possibility measure.

2.3. Generalized Possibilistic Kripke Structure

A generalized possibilistic Kripke structure refers to an extension of the traditional Kripke structure that incorporates possibilistic reasoning. It combines the principles of Kripke semantics with possibilistic logic to capture uncertainty and possibility in a more flexible and nuanced manner. In a generalized possibilistic Kripke structure, the set of possible worlds represents different states or scenarios of a system, similar to a traditional Kripke structure. However, instead of assigning a binary truth value (true or false) to propositions in each world, a generalized possibilistic Kripke structure assigns a degree of possibility or belief to each proposition in each world. A generalized possibilistic Kripke structure is defined as follows.

Definition  3. 

A generalized possibilistic Kripke structure (GPKS, in short) is a tuple $M=(S,P,I,AP,L)$, where

 (1) 

S is a countable, nonempty set of states;

 (2) 

P: $S\times S\to [0,1]$ is a function, called a possibilistic transition distribution function;

 (3) 

I: $S\to [0,1]$ is a function, called a possibilistic initial distribution function;

 (4) 

$AP$ is a set of atomic propositions;

 (5) 

L: $S\times AP\to [0,1]$ is a possibilistic labeling function, which can be viewed as function mapping a state s to the fuzzy set of atomic propositions, which are possible in the state s, i.e., $L(s,a)$ denotes the possibility or truth value of atomic proposition a that is supposed to hold in s.

Furthermore, if the set S and $AP$ are finite sets, then $M=(S,P,I,AP,L)$ is called a finite GPKS.

Remark  2. 

If we require the transition possibility distribution and initial distribution to be normal, i.e., ${\bigvee }_{s^{\prime }\in S}P(s,s^{\prime })=1$ and ${\bigvee }_{s\in S}I\left(s\right)=1$, and the labeling function L is also crisp, i.e., $L:S\times AP\to \{0,1\}$, then we obtain the notion of possibilistic Kripke structure [16]. In this case, we also say that M is normal. This is one of the reasons why we call the structure a defined generalized possibilistic Kripke structure.

3. Generalized Possibility Decision Processes

The differences between GPDP and the Markov decision processes [24,25] are as follows: (1) the transfer weight of the Markov decision process reflects the frequency of events, while the transfer weight of GPDP feeds back the possibility of reaching the target state; (2) In the Markov decision processes, the sum of transfer weights starting from the same state is 1, but GPDP does not have this constraint; (3) The label function in the Markov decision process is clear, while the label function in GPDP is fuzzy. Therefore, in this paper, a GPDP similar to Markov decision processes is proposed as a model of uncertainty systems, which is specifically defined as follows.

Definition  4. 

(see [16]). A GPDP is a tuple with six elements $M^{\prime }=(S,Act,P,I^{\prime },AP,L)$ where

 (1) 

S is a countable, nonempty set of states;

 (2) 

Act is a set of actions;

 (3) 

P: $S\times Act\times S\to [0,1]$ is a transition possibility function such that for all states $s\in S$ and actions $\alpha \in$ Act, there is a state $t\in S$, such that $P(s,\alpha ,t)>0$;

 (4) 

$I^{\prime }$: $S\to [0,1]$ is a possibilistic initial distribution function, with an existing state s such that $I^{\prime }\left(s\right)>0$;

 (5) 

$AP$ is a set of the atomic propositions;

 (6) 

L: $S\times AP\to [0,1]$ is a possibilistic labeling function, where $L(s,a)$ denotes the possibility or truth value of atomic proposition a that is supposed to hold in s.

An action $\alpha$ is considered $enabled$ in state s if and only if ${\displaystyle \underset{t\in S}{\bigvee }}P(s,\alpha ,t)>0$. We define the set $Act\left(s\right)=\{\alpha \in Act|{\displaystyle \underset{t\in S}{\bigvee }}P(s,\alpha ,t)>0\}$. It is a requirement that for any state $s\in S$, the set $Act\left(s\right)\ne ⌀$. We refer to each state t for which $P(s,\alpha ,t)>0$ as an $\alpha -successor$ of s.

Remark 3. 

 (1) 

The possibilistic transition function P, which maps from $S\times Act\times S$ to the interval $[0,1]$, can be conveniently represented by a fuzzy matrix, also denoted as P, i.e.,

$$P_{\alpha }(s,t)={\left(P(s,\alpha ,t)\right)}_{s,t\in S}.$$

(1)

$P_{\alpha }$ is also called the fuzzy possibility $\alpha -$ transition matrix of $M^{\prime }$.

 (2) 

The direct successors and predecessors of a state can be defined as follows. For a given state s from the set S, an action α from the set $Act$, and a subset T of states from S, the possibility of transitioning from state s to a state in T via action α is denoted as $P(s,\alpha ,T)$, i.e.,

$$P(s,\alpha ,T)=\underset{t\in T}{\bigvee }P(s,\alpha ,t).$$

(2)

The set of $\alpha -successors$ of a state s, denoted as $Post(s,\alpha )$, can be defined as follows. $Post(s,\alpha )$ represents the collection of states that can be reached from state s by taking action α, i.e.,

$$Post(s,\alpha )=\{t\in S|P(s,\alpha ,t)>0\}.$$

(3)

It should be noted that the set of $\alpha -successors$ of state s, denoted as $Post(s,\alpha )=⌀$ if and only if action α is not a member of the enabled action set $Act\left(s\right)$. On the other hand, the set $Pre\left(t\right)$, which represents the pairs $(s,\alpha )$ where state s belongs to S and action α belongs to $Act\left(s\right)$ such that $t\in Post(s,\alpha )$, can be expressed as follows.

$$Pre\left(t\right)=\left\{\right(s,\alpha )\in S\times Act|P(s,\alpha ,t)>0\}.$$

(4)

Example  1. 

Figure 2 depicts a 3-state GPDP $M^{\prime }$, where the circle represents the state, the symbol outside the circle represents the state name, the symbol inside the circle represents the true value of the atomic proposition in the state, the labeled arc represents the transition, and the circle with the input arrow represents the initial state.

Then, the state space of $M^{\prime }$ is $S=\{s_0,s_1,s_2,s_3\}$;

State s is the only initial state, i.e., $I\left(s_0\right)=1$ and $I\left(s_1\right)=I\left(s_2\right)=0$;

The set of atomic propositions is $AP=\{A,B\}$;

The sets of enabled actions are $Act\left(s_0\right)=\{\alpha ,\beta \}$ with $P(s_0,\alpha ,s_1)=0.7,P(s_0,\beta ,s_2)=0.4$; $Act\left(s_1\right)=\{\alpha ,\beta \}$ with $P(s_1,\alpha ,s_1)=1,P(s_1,\beta ,s_0)=0.6,P(s_1,\beta ,s_2)=0.3$; $Act\left(s_2\right)=\{\alpha ,\beta \}$ with $P(s_2,\beta ,s_2)=0.8,P(s_2,\alpha ,s_0)=0.5,P(s_2,\alpha ,s_1)=0.7$;

The labeling functions are $L(s_0,A)=0.6,L(s_0,B)=0.3$, $L(s_1,A)=0.8,L(s_2,B)=0.4$;

For state $s_0,Post(s_0,\alpha )=\left\{s_1\right\},Post(s_0,\beta )=\left\{s_2\right\}$, $Pref\left(s_0\right)=\{(s_1,\beta ),(s_2,\alpha )\}$.

By using the state order $s_0<s_1<s_2$, the matrix P and the vector I is given by:

$$P_{\alpha }=\left(\begin{array}{ccc}0& 0.7& 0\\ 0& 1& 0\\ 0.5& 0.7& 0\end{array}\right),P_{\beta }=\left(\begin{array}{ccc}0& 0& 0.4\\ 0.6& 0& 0.3\\ 0& 0& 0.8\end{array}\right), I=\left(\begin{array}{c}1\\ 0\\ 0\end{array}\right).$$

Definition 5. 

(Path in a GPDP). In GPDP $M=(S,Act,P,I,AP,L)$, an infinite path fragment is an infinite sequence $s_0{\alpha }_1{s}_1{\alpha }_2{s}_2{\alpha }_3\cdots \in {(S\times Act)}^{\omega },$ satisfying the condition that $P(s_i,{\alpha }_{i+1},s_{i+1})>0$ for all $i⩾0$. A finite path fragment is any finite prefix of π that ends in a state. The set $Paths\left(s\right)$ represents the collection of infinite path fragments that start in state s, while $Path{s}_{fin}\left(s\right)$ denotes the set of finite path fragments that start in s. Let $Paths\left(M\right)={\displaystyle \bigcup _{s\in S}}Paths\left(s\right)$ and $Path{s}_{fin}\left(M\right)={\displaystyle \bigcup _{s\in S}}Path{s}_{fin}\left(s\right)$.

Reasoning about the possibilities of path sets in a GPDP relies on the resolution of uncertainty. This resolution is performed by a scheduler. Once α has been chosen, there are no constraints imposed on the possibilistic choice that is resolved.

Definition  6. 

(Scheduler). In a GPDP $M=(S,Act,P,I,AP,L)$, a scheduler for M is a function $\mathfrak{S}:S^{+}\to Act$, where $\mathfrak{S}(s_0{s}_1\cdots s_n)$ belongs to $Act\left(s_n\right)$ for $s_0{s}_1\cdots s_n\in S^{+}$. A path (fragment)

$$\pi =s_0\stackrel{{\alpha }_1}{\to }{s}_1\stackrel{{\alpha }_2}{\to }{s}_2\stackrel{{\alpha }_3}{\to }\cdots$$

is referred to as an $\mathfrak{S}-$ path (fragment) if ${\alpha }_i=\mathfrak{S}(s_0\cdots s_{i-1})$ for all $i>0$.

Definition  7. 

Let $M^{\prime }$ be a GPDP with state space S. Scheduler $\mathfrak{S}$ on $M^{\prime }$ is memoryless if and only if for each sequence $s_0{s}_1\cdots s_n\in S^{+}$ and $t_0{t}_1\cdots t_m\in S^{+}$ with $s_n=t_m$, such that

$$\mathfrak{S}(s_0{s}_1\cdots s_n)=\mathfrak{S}(t_0{t}_1\cdots t_m).$$

In this case, $\mathfrak{S}$ can be viewed as a function $\mathfrak{S}$ : $S\to Act$. Stated in words, scheduler $\mathfrak{S}$ is memoryless if it always simply selects one alternative (i.e., action) per state while ignoring all others.

Example  2.

For instance, the scheduler ${\mathfrak{S}}_{\alpha }$ always selects the action α in state s. Scheduler ${\mathfrak{S}}_{\beta }$ always selects the action β in state s, as shown in Figure 3.

The only ${\mathfrak{S}}_{\alpha }-path$ in $M^{\prime }$ is $s\stackrel{\alpha }{\to }t\stackrel{\gamma }{\to }s\stackrel{\alpha }{\to }\cdots$. The path $s\stackrel{\beta }{\to }s\stackrel{\beta }{\to }s\stackrel{\beta }{\to }u\stackrel{\gamma }{\to }s\stackrel{\beta }{\to }u\cdots$ is a ${\mathfrak{S}}_{\beta }-path$. Let $\mathfrak{S}$ be a scheduler that selects action $\alpha$ when returning from state u, and action $\beta$ otherwise. Thus, $\mathfrak{S}(s_0\cdots s_{n}s)=\alpha$ if $s_n=u$, and $\mathfrak{S}(s_0\cdots s_{n}s)=\beta$ otherwise. Additionally, let $\mathfrak{S}\left(s\right)=\alpha$. It is important to note that this scheduler makes decisions based on the one-but-last visited state. In states u and t, the only enabled action $\gamma$ is chosen. The GPDP $M_{{\mathfrak{S}}_{\beta }}^{\prime }$ can be represented as an infinite chain: $s\stackrel{\beta }{\to }u\stackrel{\gamma }{\to }s\stackrel{\beta }{\to }u\cdots$.

Definition  8. 

Given a GPDP $M^{\prime }$, the cylinder set of $\widehat{\pi }=s_0{\alpha }_1{s}_1{\alpha }_2\cdots s_n{\alpha }_{n+1}\in \mathfrak{S}-Path{s}_{fin}\left(M\right)$ is defined as:

$$Cyl\left(\widehat{\pi }\right)=\{\pi \in \mathfrak{S}-Paths\left(M\right)|\widehat{\pi }\in Pref\left(\pi \right)\},$$

(5)

where $Pref\left(\pi \right)=\left\{{\pi }^{\prime }\right|{\pi }^{\prime }$ is a finite prefix of $\pi \}$. Then, as shown in [10], $\Omega =2^{\mathfrak{S}-Paths\left(M\right)}$ is an algebra generated by $\left\{Cyl\left(\widehat{\pi }\right)\right|\widehat{\pi }\in \mathfrak{S}-Path{s}_{fin}\left(M\right)\}$ on $\mathfrak{S}-Paths\left(M\right)$. That is to say, $\Omega =2^{\mathfrak{S}-Paths\left(M\right)}$ is the unique subalgebra of $2^{\mathfrak{S}-Paths\left(M\right)}$, which is closed under arbitrary unions and arbitrary intersections containing $\left\{Cyl\left(\widehat{\pi }\right)\right|\widehat{\pi }\in Pref\left(\pi \right)\}$.

Definition  9. 

For a GPDP $M^{\prime }$, a function $P{o}^{M^{\prime }}:\mathfrak{S}-Paths\left(M^{\prime }\right)\to [0,1]$ is defined as follows:

$$P{o}^{M^{\prime }}\left(\pi \right)=I\left(s_0\right)\wedge \underset{i=0}{\overset{\infty }{\bigwedge }}P(s_i,\mathfrak{S}\left({\widehat{\pi }}_i\right),s_{i+1})$$

(6)

for any $\pi =s_0{\alpha }_1{s}_1{\alpha }_2\cdots \in \mathfrak{S}-Paths\left(M\right)$. ${\widehat{\pi }}_n$ = $s_0{s}_1\cdots s_n$, such that $P(s_{n-1},\mathfrak{S}\left({\widehat{\pi }}_{n-1}\right),s_n)>0$. Hence, the execution sequence is

$$s_0\stackrel{\mathfrak{S}\left({\widehat{\pi }}_0\right)}{\to }{s}_1\stackrel{\mathfrak{S}\left({\widehat{\pi }}_1\right)}{\to }{s}_2\stackrel{\mathfrak{S}\left({\widehat{\pi }}_2\right)}{\to }\cdots .$$

We often identify $\pi =s_0\mathfrak{S}\left({\widehat{\pi }}_0\right)s_1\mathfrak{S}\left({\widehat{\pi }}_1\right)s_2\mathfrak{S}\left({\widehat{\pi }}_2\right)\cdots$ Furthermore, for any $E\subseteq \mathfrak{S}-Paths\left(M^{\prime }\right)$, we define

$$P{o}^{M^{\prime }}\left(E\right)=\bigvee \{P{o}^{M^{\prime }}\left(\pi \right)\mid \pi \in E\}.$$

(7)

Then, we have a well-defined function.

$$P{o}^{M^{\prime }}:2^{\mathfrak{S}-Paths\left(M\right)}\to [0,1],$$

$P{o}^{M^{\prime }}$ is called the generalized possibility measure over $\Omega =2^{\mathfrak{S}-Paths\left(M^{\prime }\right)}$.

4. Generalized Possibilistic Linear-Temporal Logic with Schedulers

Definition  10. 

(see [26]). Given the atomic proposition $AP$, the generalized possibilistic linear-temporal logic (GPoLTL) syntax of an uncertain CPS is defined as follows:

$$\mathfrak{S}\lfloor \phi \rfloor ::=r\left|a\right|\mathfrak{S}\lfloor {\phi }_1\wedge {\phi }_2\rfloor |\mathfrak{S}\lfloor \neg \phi \rfloor \left|\mathfrak{S}\lfloor ◯\phi \rfloor \right|\mathfrak{S}\lfloor {\phi }_1\bigsqcup {\phi }_2\rfloor ,$$

where $r\in [0,1]$ and $a\in AP$.

Under GPDP, the semantics of the GPoLTL formula are related to schedulers, possibility information, and fuzzy logic on the set of atomic propositions $AP$. We give the semantics of GPoLTL in two aspects in the following.

Definition  11. 

Let φ be a GPoLTL formula. The language semantics of φ over the alphabet Σ=${[0,1]}^{AP}$ (or Σ=$l^{AP}$ for some finite subset $l\in [0,1]$) is a fuzzy ω-language; i.e., $\parallel \mathfrak{S}\lfloor \phi \rfloor \parallel$: ${\Sigma }^{\omega }\to [0,1]$, which is defined iteratively as follows, for $\sigma =A_0{A}_1\cdots \in {\Sigma }^{\omega }$, write ${\sigma }_j=A_j{A}_{j+1}\cdots$.

Then, the GPoLTL language semantics of an uncertain CPS is defined as follows.

$$\parallel r\parallel \left(\sigma \right)=r;$$

(8)

$$\parallel a\parallel \left(\sigma \right)=A_0\left(a\right);$$

(9)

$$\parallel \mathfrak{S}\lfloor {\phi }_1\wedge {\phi }_2\rfloor \parallel \left(\sigma \right)=\parallel \mathfrak{S}\lfloor {\phi }_1\rfloor \parallel \left(\sigma \right)\wedge \parallel \mathfrak{S}\lfloor {\phi }_2\rfloor \parallel \left(\sigma \right);$$

(10)

$$\parallel \mathfrak{S}\lfloor \neg \phi \rfloor \parallel \left(\sigma \right)=1-\parallel \mathfrak{S}\lfloor \phi \rfloor \parallel \left(\sigma \right);$$

(11)

$$\parallel \mathfrak{S}\lfloor ◯\phi \rfloor \parallel \left(\sigma \right)=\parallel \mathfrak{S}\lfloor \phi \rfloor \parallel \left({\sigma }_1\right);$$

(12)

$$\parallel \mathfrak{S}\lfloor {\phi }_1\bigsqcup {\phi }_2\rfloor \parallel \left(\sigma \right)=\underset{j⩾0}{\bigvee }(\parallel \mathfrak{S}\lfloor {\phi }_2\rfloor \parallel \left({\sigma }_j\right)\wedge \underset{i<j}{\bigwedge }\parallel \mathfrak{S}\lfloor {\phi }_1\rfloor \parallel \left({\sigma }_i\right));$$

(13)

$$\parallel \mathfrak{S}\lfloor ◊\phi \rfloor \parallel \left(\sigma \right)=\underset{j⩾0}{\bigvee }\parallel \mathfrak{S}\lfloor \phi \rfloor \parallel \left({\sigma }_j\right);$$

(14)

$$\parallel \mathfrak{S}\lfloor \square \phi \rfloor \parallel \left(\sigma \right)={\displaystyle \underset{j⩾0}{\bigwedge }}\parallel \mathfrak{S}\lfloor \phi \rfloor \parallel \left({\sigma }_j\right).$$

(15)

Definition  12. 

Let $M^{\prime }=(S,Act,P,I,AP,L)$ be a GPDP, $a\in AP$, and $\mathfrak{S}$ be the scheduler defined in $M^{\prime }$. For atomic propositions r, a, regardless of resolution of the uncertainty, its path semantics over $M^{\prime }$ are fuzzy sets on Paths($M^{\prime }$); i.e., $\parallel \phi \parallel$:$Paths\left(M\right)\to [0,1]$.

For any path, the path semantics of GPoLTL with schedulers are interpreted as

$$\parallel r\parallel \left(\pi \right)=r;$$

(16)

$$\parallel a\parallel \left(\pi \right)=L(s_0,a).$$

(17)

For a path formula φ, its semantics depend on the schedulers, and its path semantics over M are $\parallel \mathfrak{S}\lfloor \phi \rfloor \parallel :\mathfrak{S}-Paths\left(M\right)\to [0,1]$, which is defined recursively for $\pi =s_0\mathfrak{S}\left({\widehat{\pi }}_0\right)s_1\mathfrak{S}\left({\widehat{\pi }}_1\right)s_2\cdots$ as follows.

$$\parallel \mathfrak{S}\lfloor {\phi }_1\wedge {\phi }_2\rfloor \parallel \left(\pi \right)=\parallel {\phi }_1{\parallel }_{\mathfrak{S}}\left(\pi \right)\wedge {\parallel {\phi }_2\parallel }_{\mathfrak{S}}\left(\pi \right);$$

(18)

$$\parallel \mathfrak{S}\lfloor {\phi }_1\bigsqcup {\phi }_2\rfloor \parallel \left(\pi \right)={\displaystyle \underset{j⩾0}{\bigvee }}(\parallel {\phi }_2{\parallel }_{\mathfrak{S}}\left({\pi }_j\right)\wedge {\displaystyle \underset{i<j}{\bigwedge }}\parallel {\phi }_1{\parallel }_{\mathfrak{S}}\left({\pi }_i\right));$$

(19)

$$\parallel \mathfrak{S}\lfloor \neg \phi \rfloor \parallel \left(\pi \right)=1-{\parallel \phi \parallel }_{\mathfrak{S}}\left(\pi \right);$$

(20)

$$\parallel \mathfrak{S}\lfloor ◯\phi \rfloor \parallel \left(\pi \right)={\parallel ◯\phi \parallel }_{\mathfrak{S}}\left(\pi \right);$$

(21)

The until operator allows derivation of the temporal modalities ◊ (“eventually”, sometimes in the future) and □ (“always”, from now on forever) as usual.

$◊\phi =true\bigsqcup \phi$, $\square \phi =\neg ◊\neg \phi$, here, $true$ = 1.

Let Q be an uncertain CPS model operating under a specific scheduler. π represents an execution trace of Q, while φ denotes an attribute description formula. The notation $\left|\right|\phi \left|\right|\left(\pi \right)$ represents the execution trace of Q that satisfies the attribute φ. In other words, $\left|\right|\phi \left|\right|Q:Paths\left(Q\right)\to [0,1]$ quantifies the possibility of $Paths\left(Q\right)$ satisfying the attribute φ. Here, π refers to an infinite path, $\pi \in Paths\left(Q\right)$, which can be expressed as $\pi =s_0{s}_1{s}_2\cdots$. ${\pi }_j$ denotes the suffix of the trace starting from step j, i.e., $\pi =s_j{s}_{j+1}\cdots$. The value of the variable y in step j of x is denoted as $V=(\pi ,j,y)$.

In the uncertain CPS system Q, an infinite path is expressed as $\pi =s_0{s}_1{s}_2\cdots \in S^{\omega }$, and a finite path is denoted as $\pi =s_0{s}_1\cdots s_n(n\in N)$. The notation $Paths\left(Q\right)$ denotes the set of infinite paths in the uncertain CPS system Q, while $Path{s}_{fin}Q$ represents the set of finite paths.

Definition  13. 

For a GPDP without terminal states, i.e., for any state s, there exists a state t such that $P(s,t)>0$. The trace of the infinite path fragment $\pi =s_0{\alpha }_0{s}_1{\alpha }_1\cdots$ is defined as $trace\left(\pi \right)=L\left(s_0\right)L\left(s_1\right)\cdots$.

To simplify notation, we use $L\left(\pi \right)$ to represent the trace of the infinite path π. Similarly, for a finite path fragment $\widehat{\pi }=s_0{\alpha }_0{s}_1{\alpha }_1\cdots s_n$, the trace is defined as $L\left(\widehat{\pi }\right)=L\left(s_0\right)L\left(s_1\right)\cdots L\left(s_n\right)$.

The execution of a system model starts from an initial state and serves as a means to validate the model. During each step of execution, the model selects a single enabled action from the current state, and the actions are executed in an uncertain order.

The dynamic execution trace $\pi$ of an uncertain CPS can be represented as either a finite or an infinite sequence:

$s_0\stackrel{l_1}{\to }{s}_1\stackrel{l_2}{\to }{s}_2\cdots s_{k-1}\stackrel{l_k}{\to }\cdots$

Here, each state $s_i$ is connected to the next state $s_{i+1}$ by an action label $l_i$. The sequence can continue indefinitely if it is an infinite trace, capturing the ongoing behavior of the system. In this representation, $s_k=<p_k,v_k>$ represents the state of the system, where $p_k$ is the control mode of the system and $v_k$ is the current variable value. Additionally, $l_k$ indicates the duration of time that the system stays at state $s_i$. This trace captures the sequence of states, control modes, variable values, and durations of the system’s behavior over time.

Definition  14. 

Let P be a fuzzy linear-time property over $AP$ and $M=(S,Act,P,I,AP,L)$ be a finite GPDP without terminal states. Then, the possibility of $M^{\prime }=(S,Act,P,I,AP,L)$ satisfies P at state s, denoted by $P{o}_{\mathfrak{S}}(s\vDash P)$, and is defined as

$$P{o}_{\mathfrak{S}}(s\vDash P)={\displaystyle \underset{\pi \in \mathfrak{S}-Paths\left(s\right)}{\bigvee }}Po\left(\pi \right)\wedge P\left(L\left(\pi \right)\right).$$

(22)

5. Extended of an Uncertain CPS Model

The Uncertain CPS Extended Model describes a CPS as a complex embedded network system that integrates physical, computing, and interactive entities. The motion process in the physical world is represented using dynamic time continuity. Meanwhile, the system behavior is modeled using a finite state machine to capture event-driven discrete processes in the computational world [4]. This paper aims to perform CPS modeling and simulation by employing the uncertain hybrid time automaton. In this way, not only the informatization and discretization can be effectively achieved, but also the physicalization and continuation of the discrete event model can be realized.

5.1. Differential Equation Modeling Based on Time

In an uncertain CPS, the state of a physical entity exhibits a clear and continuous dynamic continuity, with its state transformation relying on continuous time [17].

For instance, let us consider the thermostat state model (as depicted in Figure 4) as an example. By utilizing time-based differential equations, the dynamic behavior of an uncertain CPS can be modeled in the following manner.

$$\dot{T}=k_1(40{}^{\circ }\mathrm{C}-T)$$

(23)

$$\dot{T}=-k_2$$

(24)

In Equation (23) , the temperature variable T represents a continuous-time variable, with the constraint $(T⩽40{}^{\circ }$C). It is important to note that the dynamic behavior follows a linear pattern, with $k_1$ representing a constant quantity. In Equation (24) describes the dynamics of temperature change, with $k_2$ also being a constant quantity.

5.2. Hybrid Timed Automaton Modeling Based on Uncertainty

Uncertainty is crucial in the operation of a CPS [19]. CPS components are interconnected rather than isolated. Modeling a CPS solely using the embedded control approach is inadequate due to the close integration of software and hardware [18]. To address this challenge, introducing a clock invariant and incorporating the notion of possibility into the classic hybrid automaton becomes necessary. This approach helps resolve the issue of closeness and enables the definition of an uncertain hybrid timed automaton system model.

Definition  15. 

The uncertain hybrid timed automaton $H_P$ is defined by a tuple consisting of nine elements, as shown below.

$H_p=(I,O,T,Init,M,A_x|x\in I,A_y|y\in O,A,CI).$

• I represents a set that includes the values of the input ports. For example, an input set $x?v$ contains input values v, where $x\in I$.
• O represents a set that includes the values of the output ports. For instance, an output set $y!v$ contains output values v, where $y\in O$.
• T represents the set of state variables, and $Q_T$ represents the defined state set.
• Init represents the possibility initialization distribution operation, which determines the possibility of the initial state set, denoted as $\left[Init\right]\le Q_T$.
• M corresponds to the set of control modes.
• $\left\{A_x\right|\in I\}$ signifies that, for each input port x, the input task set $A_x$ describes the input actions using a guard condition on T. The update of the input action set is defined as $t\stackrel{x?v}{\to }{t}^{\prime }$ , transitioning from the read set $T\cup \left\{x\right\}$ to the write set T. In other words, it follows the pattern $Guard\stackrel{x?v}{\to }Update$.
• $\left\{A_y\right|y\in O\}$ indicates that, for each output port y, each output task in the output task set $A_y$ defines the update description of the output action set as $t\stackrel{y!v}{\to }{t}^{\prime }$ , transitioning from the read set $T\cup \left\{y\right\}$ to the write set T based on the guard condition on T. In other words, it follows the pattern $Guard\stackrel{y!v}{\to }Update$.
• A represents the set of internal actions, where each action is determined by a guard condition on T and is updated from the read set T to the write set T. These internal actions may also include an output action in the form of $t\stackrel{\epsilon }{\to }{t}^{\prime }$.
• CI represents a clock invariant, which is a Boolean expression on the state variable T. Given a state t and a positive real value of time $\delta >0$, if the state $t+\delta$ satisfies the expression $CI$ for all values of $t^{\prime }$ within the range $0\le t^{\prime }\le \delta$, then the transition $t\stackrel{\delta }{\to }t+\delta$ is considered a time action.

6. Uncertain CPS Dynamic Verification and Analysis

A reactive CPS can be impacted by factors like fairness issues, input/output handling, and system execution correctness. These problems could be solved by temporal logic, which is a very effective formal method. Fuzzy temporal logic is capable of extending propositional and predicate logic for it takes the infinite behavior of feedback in uncertain CPS into consideration. A fuzzy (or possibilistic) temporal logic, say, the fuzzy liner-time property (LT property), provides an intuitive and accurate annotation system for establishing relationships and execution as well.

6.1. Activity

Activity indicates that something good will happen eventually in the operation of an uncertain CPS. Checking whether an attribute satisfies the activity involves evaluating whether a model fulfills the properties specified by temporal logic. GPoLTL is used here in this paper to describe the activity. The definition of GPoLTL suggests that there are four types of activity, namely, eventually reachability, always reachability, repeated reachability, and persistence reachability.

Remark 4. 

 (1) 

Eventually reachability can be represented by the “eventually” operator, which is symbolized as ◊. The “eventually” operator can be nested to enforce a sequence of events in a specific order. When an assignment on a path satisfies a formula φ, it means that the path conforms to the GPoLTL formula $◊\phi$. For example, if an assignment in the path $\pi =(x_1,y_1)(x_2,y_2)\cdots$ satisfies the expression $(x=y)$, indicating that for some j, $x_j=y_j$, the path π satisfies the GPoLTL formula $◊(x=y)$. Thus, the formula $◊(x=y)$ represents the requirement that eventually, at a certain step, the values of variables x and y are equal.

 (2) 

Always reachability is represented by the “always” operator, which is symbolized as □ . When all assignments on the path meet the requirement of φ, the path satisfies the GPoLTL formula $\square \phi$. For instance, if all assignment on path $\pi =(x_1,y_1)(x_2,y_2)\cdots$ satisfy the expression $(x=y)$, meaning that $x_j=y_j$ for each j, then the path satisfies the GPoLTL formula $\square (x=y)$. That is to say that the formula $\square (x=y)$ represents the requirement that variables x and y should always be equal.

 (3) 

Repeated reachability is represented by the “always-eventually” operator , which is symbolized as $\square ◊\phi$. If every position i on the path satisfies the formula $◊\phi$, it implies that for each position i, there exists a future position $j\ge i$, where φ is satisfied. Moreover, there exists an infinite sequence of positions $j_1<j_2<j_3\cdots$, where φ is satisfied at each position. In simpler terms, if φ is satisfied recursively or repeatedly, then the formula $\square ◊$ is satisfied. For instance, the path $\pi =(x_1,y_1)(x_2,y_2)\cdots$ satisfies the recursive formula $\square ◊(x=0)$. For an infinite number of positions j, when $x_j=0$, x needs to be repeatedly assigned 0.

 (4) 

Persistence reachability is represented by “eventually always” , which is expressed as $◊\square \phi$. If there exists a position j that satisfies the always formula $\square \phi$, meaning that every position after j satisfies φ, then $◊\square \phi$ is satisfied. In other words, the formula $◊\square \phi$ must be continuously satisfied and held. For example, if for a specific position j, every $k\ge j$ satisfies $x_k=0$ (or if it is not equal to 0, for a finite number of positions), then the path $\pi =(x_1,y_1)(x_2,y_2)\cdots$ has the persistence formula $◊\square \phi (x=0)$.

An uncertain CPS is a system that incorporates a perception and control feedback loop to achieve repeated environmental perception for controlling physical equipment. In an uncertain CPS, each program within the system will repeatedly enter its key part. The key part represents the state of the system, denoted as $s_i$, forming an execution trace $\pi$, which can be a finite or infinite sequence: $<s_0,t_0>\mapsto <s_1,t_1>\mapsto \cdots \mapsto <s_n,t_n>\mapsto \cdots$ The system needs to run continuously to maintain its activity. The primary challenge lies in calculating the measure of the system satisfying the desired path to a specific state set B.

Definition  16. 

Suppose that Q is an uncertain CPS model that satisfies the property φ, where φ is a GPoLTL formula. The possibility measure of Q is denoted as $Po(Q\vDash \phi )$, which is defined as $Po(Q\vDash \phi )=P{o}_s\{\pi \in Paths\left(s\right)|\pi \vDash \phi \}$. Here, $B\subseteq S$ represents a state set within the uncertain CPS model.

The reachability analysis using GPDP Q as the system model calculates the possibility of reaching state set B. The state set B refers to the possibility of rarely accessing to the bad state set or the possibility of repeatedly accessing to the good state set. It is expressed by the mapping function as $B:S\to [0,1]$.

Then, $◊B,\square B,\square ◊B,◊\square B$ can be regarded as a fuzzy linear property on the set of state s. The definition is as follows: $◊B\left(\pi \right)={\displaystyle \underset{j\ge 0}{\bigvee }}B\left(s_j\right)$,$\square B\left(\pi \right)={\displaystyle \underset{j\ge 0}{\bigwedge }}B\left(s_j\right)$,

$\square ◊B\left(\pi \right)={\displaystyle \underset{i\ge 0}{\bigwedge }}{\displaystyle \underset{j\ge i}{\bigvee }}B\left(s_j\right)$, $◊\square B\left(\pi \right)={\displaystyle \underset{j\ge i}{\bigvee }}{\displaystyle \underset{i\ge 0}{\bigwedge }}B\left(s_j\right)$.

With a given GPDP and fuzzy linear property P, calculate the probability that the path with scheduler $\mathfrak{S}$ satisfies P. We consider four properties, namely, eventually reachability, always reachability, repeated reachability, and persistence reachability.

(1)

The possibility measure for eventually reachability in an uncertain system model Q, satisfying the property $◊B$, is expressed as follows.

$$\begin{array}{c}\hfill \begin{array}{cc}& P{o}_{\mathfrak{S}}(◊B)=P{o}_{\mathfrak{S}}{(s\vDash ◊B)}_{s\in S}\hfill \\ & =\underset{\pi \in \mathfrak{S}-Paths\left(s\right)}{\bigvee }P{o}_{\mathfrak{S}}\left(\pi \right)\wedge ◊B\left(\pi \right)\hfill \\ & =\underset{\pi =s_0{s}_1\cdots \in \mathfrak{S}-Paths\left(s\right)}{\bigvee }\wedge \underset{j=0}{\overset{\infty }{\bigvee }}P(s_j,\mathfrak{S}\left({\widehat{\pi }}_j\right),s_{j+1})\wedge \underset{j=0}{\overset{\infty }{\bigvee }}B\left(s_j\right);\hfill \end{array}\end{array}$$

(2)

The possibility measure for always reachability in an uncertain system model Q, satisfying the property $\square B$, is expressed as follows.

$$\begin{array}{c}\hfill \begin{array}{cc}& P{o}_{\mathfrak{S}}(\square B)=P{o}_{\mathfrak{S}}{(s\vDash \square B)}_{s\in S}\hfill \\ & =\underset{\pi \in \mathfrak{S}-Paths\left(s\right)}{\bigvee }P{o}_{\mathfrak{S}}^{M_s}\left(\pi \right)\wedge \square B\left(\pi \right)\hfill \\ & =\underset{\pi =s_0{s}_1\cdots \in \mathfrak{S}-Paths\left(s\right)}{\bigvee }P{o}_{\mathfrak{S}}^{M_s}\left(\pi \right)\wedge \underset{j=0}{\overset{\infty }{\bigwedge }}P(s_j,\mathfrak{S}\left({\widehat{\pi }}_j\right),s_{j+1})\wedge \underset{j=0}{\overset{\infty }{\bigwedge }}B\left(s_j\right);\hfill \end{array}\end{array}$$

(3)

The possibility measure of repeated reachability in an uncertain system model Q, satisfying the property $\square ◊B$, is expressed as follows.

$$\begin{array}{c}\hfill \begin{array}{cc}& P{o}_{\mathfrak{S}}(\square ◊B)=P{o}_{\mathfrak{S}}{(s\vDash \square ◊B)}_{s\in S}\hfill \\ & ={\displaystyle \underset{\pi \in \mathfrak{S}-Paths\left(s\right)}{\bigvee }}P{o}_{\mathfrak{S}}\left(\pi \right)\wedge \square ◊B\left(\pi \right)\hfill \\ & ={\displaystyle \underset{\pi =s_0{s}_1\cdots \in \mathfrak{S}-Paths\left(s\right)}{\bigvee }}P{o}_{\mathfrak{S}}\left(\pi \right)\wedge {\displaystyle \underset{i\ge 0}{\bigwedge }}{\displaystyle \underset{j\ge i}{\bigvee }}B\left(s_j\right);\hfill \end{array}\end{array}$$

(4)

The possibility measure for persistence reachability in an uncertain system model Q, satisfying the property $◊\square B$, is expressed as follows.

$$\begin{array}{c}\hfill \begin{array}{cc}& P{o}_{\mathfrak{S}}(◊\square B)=P{o}_{\mathfrak{S}}{(s\vDash ◊\square B)}_{s\in S}\hfill \\ & ={\displaystyle \underset{\pi \in \mathfrak{S}-Paths\left(s\right)}{\bigvee }}P{o}_{\mathfrak{S}}\left(\pi \right)\wedge ◊\square B\left(\pi \right)\hfill \\ & ={\displaystyle \underset{\pi =s_0{s}_1\cdots \in \mathfrak{S}-Paths\left(s\right)}{\bigvee }}P{o}_{\mathfrak{S}}\left(\pi \right)\wedge {\displaystyle \underset{i\ge 0}{\bigvee }}{\displaystyle \underset{j\ge i}{\bigwedge }}B\left(s_j\right).\hfill \end{array}\end{array}$$

Property  1. 

In an uncertain CPS model Q with the PoLTL formula φ, if a state is reachable along any path starting from the initial state $q_0$, then the following condition applies:

(1)

$\square \phi \leftrightarrow \phi \wedge ◯\square \phi$

(2)

$\square ◊\phi \leftrightarrow ◯\square ◊\phi \leftrightarrow ◊\square ◊\phi$

The first equivalent expression of the property can be summarized by the following three points. (i) If a path satisfies the formula $\square \phi$, it implies that the path satisfies $\phi$ at all positions, regardless of the specific choice of $\phi$. (ii) The formula $\square \phi$ is more expressive than $\phi$, meaning it captures a broader range of possible behaviors. (iii) If both the current position satisfies $\phi$ and the next position satisfies $\square \phi$, then $\square \phi$ is considered satisfied, indicating a persistent satisfaction of the property.

The second equivalent of the property can be summarized as follows. (i) Irrespective of the position, if a path satisfies the recursive formula $\square ◊\phi$ at a specific position (e.g., the first position), then the subsequent position along the path also satisfies the same recursive formula $\square ◊\phi$, and vice versa. (ii) In fact, for any given path $\pi$ and any positions i and j along that path, the satisfaction of $\square ◊\phi$ at position $(\pi ,i)$ is equivalent to the satisfaction of $\square ◊\phi$ at position $(\pi ,j)$.

Please note that these equivalences have been provided in a more concise form. For a detailed explanation and proof, please refer to the specific reference [27] mentioned.

6.2. Safety of the Fuzzy Regular Language

The safety possibility measure of a fuzzy regular language is determined by assessing whether the language satisfies the defined safety requirements. It involves analyzing the behaviors exhibited during limited execution and verifying if they violate the specified requirements. The aim is to ensure that no harmful or unwanted outcomes occur. This analysis helps in evaluating the degree of possibility for the fuzzy regular language to be considered safe, based on the absence of bad prefixes in infinite strings that satisfy the $LT$ property $P_{safe}$ [10].

This study analyzes nonconforming behaviors using limited execution to verify if they violate safety requirements. Safety requirements aim to prevent any undesirable outcomes. In classic examples, the security property is defined such that if any infinite string $\sigma$ in the $LT$ property $P_{safe}$ does not contain a bad prefix, then this $LT$ property is considered safe (i.e., $\sigma \in P_{safe}$). In general, we can express this property as follows.

Let $P_{safe}$ be a fuzzy $LT$ property. If, for every $\sigma \in P_{safe}$, there exists a finite prefix $\widehat{{\sigma }_i}$ (where $i\in N$) such that every infinite string ${\sigma }^{\prime }$ in the form ${\sigma }^{\prime }={\theta }_1{\theta }_2\cdots {\theta }_i\cdots$, where ${\theta }_i$ belongs to the set $\widehat{{\sigma }_i}$, is contained in $P_{safe}$, then the fuzzy language ${\Sigma }^{*}⟶[0,1]$ satisfying $P_{safe}$ is considered safe. Here, each finite string $\widehat{{\sigma }_i}$ is referred to as a good prefix of $P_{safe}$. In other words, if every string $\sigma$ in $P_{safe}$ can be extended indefinitely by appending symbols from its corresponding good prefix $\widehat{{\sigma }_i}$, and all resulting infinite strings are also contained within $P_{safe}$, then the fuzzy language ${\Sigma }^{*}⟶[0,1]$ satisfying $P_{safe}$ is deemed safe.

Definition  17. 

Let $H_P=(I,O,T,Init,M,\left\{A_x\right|x\in I\},\left\{A_y\right|y\in O\},A,CI)$ represent an uncertain hybrid timed automaton, and $N=(Q,\Sigma ,\delta ,J,F)$ denote a fuzzy finite automaton. The tensor product of these two automata is defined as $H_P\otimes N=(M\times Q,I^{\prime },O^{\prime },T^{\prime },Ini{t}^{\prime },\left\{A_x^{\prime }\right|x\in I^{\prime }\},\left\{A_y^{\prime }\right|y\in O^{\prime }\},A^{\prime },C{I}^{\prime })$. Here, for any $(m,q)\in M\times Q,A^{\prime }(m,q)=(m,q),I^{\prime }(m,q)=I\left(m\right)\wedge {\displaystyle \underset{q_0\in Q}{\bigvee }}J\left(q_0\right)\wedge \delta (q_0,A\left(m\right),q)$. The transfer possibility distribution of $H_p\otimes N$ is given by $P_{safe}^{\prime }((m,q),(m^{\prime },q^{\prime }))=P_{safe}(m,m^{\prime })\wedge \delta (q,A\left(m^{\prime }\right),q^{\prime })$.

Theorem  1. 

Suppose that $P_{safe}$ is a fuzzy regular safety attribute that ensures the acceptance of $Pref\left(P_{safe}\right)$ by a deterministic fuzzy finite automaton N. $H_P$ represents an uncertain hybrid timed automaton, where m is a state within $H_P$. Then, $P{o}^{H_P}(m\vDash P_{safe})=P{o}^{H_P\otimes N}(m,q_m)\vDash \square B$, which $q_m=\delta (q_0,A\left(m\right)),B=M\times F={\displaystyle \sum _{m\in M,q\in Q}}F\left(q\right)/(m,q)$.

In this context, we are considering a scenario in which $P_{safe}$ guarantees that the requirements specified by $Pref\left(P_{safe}\right)$ are fulfilled by the deterministic fuzzy finite automaton N. In simpler terms, for any state $(m,q)$ in the combined automaton $H_P\otimes N$, the value $B(m,q)$ is equal to $F\left(q\right)$. This means that the possibilisty of satisfying $P_{safe}$ in $H_P$ is determined by the possibilistic of satisfying the corresponding property $\square B$ in the tensor product, where B is calculated based on the states and accepting states of N. For a more detailed understanding and comprehensive analysis, it is recommended to refer to the specific literature [10] mentioned.

Theorem  2. 

Suppose $P_{safe}$ is a fuzzy ω regular property, guaranteeing that it is accepted by the fuzzy $Buchi$ finite automaton N, denoted as $A_{\omega }\left(N\right)=P_{safe}$. In this case, we can define $P{o}^{H_P}(m\vDash P_{safe}=P^{H_{P_m}\otimes N}(I^{\prime }\vDash \square ◊B))$, where $B=M\times F={\displaystyle \sum _{m\in M,q\in Q}}F\left(q\right)/(m,q)$.

Proof. 

$Po(m\vDash P_{safe})={\displaystyle \underset{\pi \in Paths\left(M\right)}{\bigvee }}P{o}^{H_{P_m}\left(\pi \right)}\wedge P_{safe}\left(A\left(\pi \right)\right)$

$={\displaystyle \underset{\pi \in Paths\left(M\right)}{\bigvee }}P{o}^{H_{P_m}}\left(\pi \right)\wedge A\left(N\right)\left(A\left(\pi \right)\right)$

$={\displaystyle \underset{\pi =m_0{m}_1\cdots \in Paths\left(M\right)}{\bigvee }}P{o}^{H_{P_m}}\left(\pi \right)\wedge \bigvee \{J\left(q_0\right)\wedge {\displaystyle \underset{i\ge 0}{\bigwedge }}\delta (q_i,{\sigma }_{i+1},q_{i+1})\wedge {\displaystyle \underset{i\ge 0}{\bigwedge }}{\displaystyle \underset{j\ge i}{\bigvee }}F\left(q_j\right)\setminus q_i\in Q(\forall i\ge 0)\}$

$={\displaystyle \underset{\pi \in m_0{m}_1\cdots \in Paths\left(M\right)}{\bigvee }}{\displaystyle \underset{q_0\in Q}{\bigvee }}{\displaystyle \underset{q_1{q}_2\cdots \in {\delta }^{\omega }(q_0,A\left(\pi \right))}{\bigvee }}J\left(q_0\right)\wedge \delta (q_0,A\left(m_0\right),q_1)\wedge {\displaystyle \underset{i\ge 0}{\bigwedge }}{P}_{safe}(m_i,m_{i+1})\wedge \delta (q_i,A\left(m_i\right),q_{i+1}){\displaystyle \underset{i\ge 0}{\bigwedge }}{\displaystyle \underset{j\ge i}{\bigvee }}F\left(q_j\right)$

$={\displaystyle \underset{q_1\in Q}{\bigvee }}{\displaystyle \underset{{\pi }^{\prime }=(m_0,q_1)(m_1,q_2)\cdots \in Paths(H_{P_m}\otimes N(m,q_1))}{\bigvee }}{I}^{\prime }(m_0,q_1)\wedge {\displaystyle \underset{i\ge 0}{\bigwedge }}{P}_{safe}^{\prime }((m_i,q_{i+1},(m_{i+1},q_{i+2}))\wedge {\displaystyle \underset{i\ge 0}{\bigwedge }}{\displaystyle \underset{j\ge i}{\bigvee }}B(m_j,q_{j+1})$

$=P{o}^{H_{P_m}\otimes N}(I^{\prime }\vDash \square ◊B)$

Hence, $P{o}^{H_P}(m\vDash P_{safe}=P^{H_{P_m}\otimes N}(I^{\prime }\vDash \square ◊B))$.    □

In simpler terms, this indicates that in the uncertain hybrid timed automaton, we can calculate the possibility $Po(m\vDash P_{safe})$ by considering the possibilistic of event $\square ◊B$ in the $H_{P_m}\otimes N$ structure, where B is defined as the Cartesian product of M and F.

6.3. Model Checking Algorithm

For the properties of reachability, f = $Po(◊B)$, f = $Po(\square B)$, f = $Po(\square ◊B)$, f = $Po(◊\square B)$, we could use the fixpoint techniques to calculate the value, see Algorithm 1.

Algorithm 1 The Fixpoint.

Input: A function f from the set of possibility distributions over the state set S into itself. Output: The fixpoint f.  procedure FIXPOINT(B,f)   $B:=False$        *the Least Fixpoint*   $B:=True$        *the Greatest Fixpoint*   $B^{\prime }:=f\left(B\right)$     while $B\ne B^{\prime }$ do           $B\leftarrow B^{\prime }$           $B^{\prime }\leftarrow f\left(B\right)$     end while     return B end procedure

What is the time complexity of possibilities-based model checking? Different properties bear different time complexity. For the fixpoint techniques of $Po(◊B)$, $Po(\square B)$, $Po(\square ◊B)$, $Po(◊\square B)$, each fixpoint requires $O\left(\right|S{|}^3)$, see [12].

7. Case-Study

In this section, we use the example of uncertainty thermostats in CPS to illustrate the application of model checking techniques in generalized possibility decision processes. We can describe the thermostat model by an uncertain hybrid time automaton, and use Ptolemy II for modeling and simulation. A dynamic execution sequence of the uncertain CPS thermostat system is analyzed using a simulation diagram to ensure their consistency and effectiveness.

7.1. Hybrid Timed Automaton Model Based on Uncertain

The thermostatic control system is a feedback control system in CPS that regulates heating and ventilation automatically. It can be represented by an uncertain hybrid timed automaton, as depicted in Figure 4. The output of the thermostat model process is the temperature. The formal model of the system can be expressed as follows.

• The system does not have any input variables.
• The system includes an output variable, T, of continuous type ($cont$ type, in short) that undergoes continuous changes over time.
• The system has a discrete state variable, M, which can take values from the set $\{cooling,heating\}$.
• There is an initial possibility value assigned to the variable M, which is set to $cooling$. The initial possibility value for T can be any value within the range of $30{}^{\circ }$C to $40{}^{\circ }$C.
• There is no discrete action involved in transmitting the temperature value as an output task.
• Two internal tasks are present for two-mode switching. The first task guards the condition $(M=cooling\wedge T⩽32{}^{\circ }$C) and updates M to $heating$. The second task guards the condition $(M=heating\wedge T⩾$ 38 ${}^{\circ }$C) and updates M to $cooling$.
• The output variable T is identical to the state variable T.
• The derivative of T is defined as $-k_2$ if assigning the value $cooling$ to M, otherwise it is defined as $k_1(40{}^{\circ }C-T)$.
• The continuous time invariant $CI$ is defined as $M=cooling$ implies $T⩾30{}^{\circ }$C and $M=heating$ implies $T⩽40{}^{\circ }$C.

The thermostat operates in two modes: (1) when M is set to $heating$, the heater is activated, and (2) when M is set to $cooling$, the heater is turned off. In the heating mode, the initial temperature value generates a unique response signal, reflecting how the temperature changes over time based on the continuous temperature variation described by the differential equation $\dot{T}=k_1(40{}^{\circ }$C $-T)$. It is important to note that the system can only remain in the heating mode if the constraint $(T⩽40{}^{\circ }$C) is satisfied. If the constraint is violated, the mode must be switched to the $cooling$ mode. The condition $(T⩾38{}^{\circ }$C) ensures the mode switching, meaning that whenever the temperature exceeds $38{}^{\circ }$C, the mode will immediately switch to $cooling$.

When the thermostat is in $cooling$ mode, the temperature follows the differential equation $\dot{T}=-k_2$, resulting in a linear decrease over time. If the temperature falls below $30{}^{\circ }$C, the system must switch to the $heating$ mode to meet the constraint $(T⩾30{}^{\circ }$C). The mode switching from $cooling$ to $heating$ occurs whenever the temperature drops below $32{}^{\circ }$C, as indicated by the guard condition $(T⩽32{}^{\circ }$C). It is important to note that the system temperature ranges between $30{}^{\circ }$C and $40{}^{\circ }$C, which is influenced not only by the temperature itself but also by the system’s state. When the temperature is around the desired set value, there may be small fluctuations or jitter caused by the switching on or off of the heater. This jitter occurs because the system is trying to maintain the temperature within a narrow range. As the temperature approaches the set value, the heater may turn on to raise the temperature or turn off to prevent overheating. However, the overall strategy of switching between $cooling$ and $heating$ modes effectively manages these fluctuations .

In this thermostat model, mode switching takes place at unpredictable times. This means that, even with a fixed initial temperature, there are multiple possible operational scenarios. The presence of uncertain transitions is particularly valuable for modeling malfunctions in CPS where fault information may be unavailable.

7.2. Simulation Based on Ptolemy II

Ptolemy II, as an open-source modeling and simulation tool, stands out from other modeling tools by offering support for hierarchical modeling of heterogeneous systems. As a result, Ptolemy II serves as a suitable modeling environment for designing uncertain CPS. In this study, Ptolemy II is utilized to model a CPS thermostat with uncertainty and failure, as depicted in Figure 5. In the heating state of the Finite State Machine (FSM), both outgoing transitions become feasible when their execution conditions (i.e., both being true) are satisfied. The two uncertain transitions are highlighted in red.

The results of executing the uncertain thermostat model are presented in Figure 6 and Figure 7. It is important to note that the heater can only be activated for a brief period, maintaining the temperature around the threshold of $30{}^{\circ }$C. The initial temperature of the system ($T_0$) is set within the range of $30{}^{\circ }$C to $40{}^{\circ }$C, and the system mode is initially set to $cooling$. Taking $T_0=40{}^{\circ }$C, $k_1=0.1$, and $k_2=-0.05$ as constants, the execution of the thermostat process can be divided into two stages: $cooling$ and $heating$. The system mode remains unchanged within each stage, while the temperature varies continuously over time according to the differential equation corresponding to the current mode. Any mode switch results in a discontinuous change in the system’s state.

If the system switches to $cooling$ mode at time $t^{*}$, with the temperature at that time denoted as $T^{*}$, the temperature remains at $T^{*}-k_2(t-t^{*})$ until the next mode switch. Assuming $T^{*}$ is at least $32{}^{\circ }$C, the process remains active in $cooling$ mode for a duration ranging from $(T^{*}-32)/k_2$ seconds to $(T^{*}-30)/k_2$ seconds.

On the other hand, if the system switches to $heating$ mode at time $t^{*}$ with the temperature at that time as $t^{*}$, the temperature at time t remains at $40-(40-T^{*})e^{-k_1(t-t*)}$ until the next mode switch occurs. Assuming $T^{*}$ is at least $38{}^{\circ }$C, the process remains active for a minimum duration of $ln(2/(40-T^{*}))/k_1$ seconds in the $heating$ mode. If the temperature remains below $40{}^{\circ }$C, the system may stay in this mode indefinitely.

7.3. Uncertain CPS Dynamic Execution Based on the Hybrid Timed Automaton

The results of the uncertain CPS thermostat model depicted in Figure 6 and Figure 7 demonstrate the initiation of CPS possibility execution within the hybrid timed automaton, starting from the initial state. At each step, the execution requires the performance of an input action, an output action, an internal action, or a time action. A dynamic execution sequence of the model corresponding to the alternating time and internal actions is shown as follows:

$(cooling,36)\stackrel{0.14}{\to }(cooling,30)\stackrel{\epsilon }{\to }(heating,30)\stackrel{0.1}{\to }(heating,40)\stackrel{\epsilon }{\to }(cooling,40)\stackrel{0.3}{\to }(cooling,30)\stackrel{\epsilon }{\to }(heating,30)\stackrel{0.1}{\to }(heating,40)$.

During each time action, the hybrid process consistently generates the temperature value as output. For example, in the first time action lasting 0.14 units of time, the temperature signal is determined by $\overline{T}\left(t\right)=36-(-0.05)t$. Similarly, in the second time action with a duration of 0.1 units of time, the temperature signal is defined by $40-9e^{-0.1t}$.

A CPS combines the event-driven, discrete behavior model of a state machine with a dynamic continuous model based on time. This integration involves refining the current state of an uncertain hybrid timed automaton by considering the dynamic behavior of the output in relation to the dynamic behavior of the next input [4]. In most CPS applications, a clock variable is used to measure the system’s dynamic changes at specific times. The transition state of this clock variable is linear, enabling the timed automaton to construct both simple and complex systems based on the clock.

In conclusion, the behavior of the system is contingent upon the mode it operates in, whether it is $cooling$ or $heating$. It is important to acknowledge that the precise mechanism and algorithm for mode switching may vary depending on the system’s complexity. Real-world implementations might incorporate additional factors such as hysteresis, which helps prevent frequent mode toggling, and feedback control loops to ensure stable and efficient temperature regulation. These details offer a deeper comprehension of the $cooling$ and $heating$ modes, their respective temperature dynamics, and the conditions that determine their activation and duration.

This paper integrates the uncertainty of intelligent thermostats in typical feedback control systems in CPS based on the framework of generalized possibility measures. It demonstrates the application of model checking techniques in the decision-making process under generalized possibility and analyzes how uncertain CPS can integrate physical systems with digital intelligence, real-time data analysis, and autonomous decision-making to enhance efficiency, reliability, and performance in various environments. However, there are certain limitations. In the next steps, we will combine possibility model checking techniques and their related attributes, along with specific real-world examples, to investigate the uncertainty of CPS in complex uncertain environments.

8. Conclusions

This paper presents the modeling and verification of uncertain CPS based on decision processes, building upon a previous international conference paper [27]. Considering the complexity and uncertainty factors in real-life scenarios, along with the uncertainty and dynamic characteristics of CPS, this paper proposes new methods for handling uncertain data using possibility processing. We first introduce the concept of GPDP to describe uncertain CPS behavior. Furthermore, we define the syntax and semantics of CPS using GPoLTL with decision processes. The theoretical validation of the system’s liveness and safety properties is performed, and a model checking algorithm is presented. Finally, an intelligent thermostatic system is modeled, and simulation experiments are conducted. The dynamic continuous properties of the system are described using time-based differential equations, and the modeling of uncertain hybrid systems is represented using time-based state machines, allowing for the refinement of each state using time-based state refinement [28]. This paper ensures the consistency between theory and experiments by combining both approaches.

The uncertainty in CPS is effectively addressed by utilizing the uncertain hybrid timed automaton as a formal modeling tool. The establishment of a formal modeling language using GPoLTL for uncertain CPS attributes is a significant contribution. This language enables precise specification and reasoning about uncertain CPS properties, facilitating a thorough analysis of system behavior. The syntax and semantics of GPoLTL are precisely defined, providing a solid foundation for reasoning about uncertain CPS. The utilization of possibility measure calculation in the proposed model serves as a means of verification. This approach quantitatively measures the likelihood of different system behaviors, considering the uncertainties present in the CPS. By incorporating possibility measures, the model enhances the verification process, providing a more comprehensive understanding of system reliability, liveness, and safety properties.

This study effectively utilizes decision processes to address the problem of handling possibility information in uncertain CPS. It not only mitigates the issue of state space explosion but also provides a solution for dealing with possibility information in CPS. This provides a significant opportunity for advancing the design of uncertain CPS and holds great importance in the study of uncertainty in CPS within complex systems. While this research has shed light on several important aspects, it has also raised numerous questions that warrant further investigation. Future studies should delve into exploring uncertainty in CPS within the context of fuzzy mathematics, while considering the relevant properties of its algorithm and computation tree logic.