A Method for Cyber-Physical System Behavior Modeling and Safety Verification Based on Extended Hybrid System Description Language

The safety of a cyber-physical system (CPS) depends on its behavior, and safety is a key property for CPS to be applied in critical application fields. A method for CPS behavior modeling and safety verification is put forward in this paper. The behavior model of the CPS is described by an extended hybrid system description language (E-HYSDEL). The formal definition of a hybrid program (HP) is given, and the behavior model is transformed to an HP based on that definition. The safety of the CPS is verified by inputting the HP to KeYmaera. The advantage of the approach is that it models the CPS intuitively and verifies its safety rigorously while avoiding state-space explosion.


Introduction
Cyber-physical systems (CPS) are a new type of hybrid system characterized by a deep integration of computation with physical processes [1]. The application fields of CPS are very wide, including intelligent transportation, telemedicine, the smart grid, aeronautics and astronautics, and so on [2].
Safety is a key property for CPS to be applied in critical application fields. Whether the properties of a CPS satisfy its requirements can be analyzed in the system design stage by model verification technology. This helps to find design defects as early as possible, and so reduces the risk of system development effectively.

Studies of CPS analysis and verification
With the wide use of CPS, the study of CPS analysis and verification has become deeper and deeper. Extending the classical verification methods is one approach, for example extensions of FSMs, optimization of fault trees, etc. [3] [4]. Other researchers use colored Petri nets (CPN) to model and verify CPS.
Formal verification methods, such as model checking and theorem proving, have recently been used to verify safety and other properties of CPS [5]. Model checking determines the truth of a proposition by traversing the state space. Its main advantage is a high degree of automation; furthermore, it can generate counterexamples. However, it is difficult to overcome the state-space explosion problem. Cyber-physical systems are usually hybrid systems: they include both discrete state transitions and continuous dynamic processes, which is to say that the state space of most CPS is infinite.
From a practical point of view, theorem proving is more suitable for safety verification of CPS [6]. Differential dynamic logic (dL), put forward by Platzer, is one theorem proving method. Because of its rigorous syntax and clear semantics, it has been successfully used in fields such as air traffic control and the European Train Control System. The operational model of dL is the hybrid program (HP). dL is well supported by KeYmaera, a well-known theorem prover.

The framework of the method for CPS behaviour modelling and safety verification
In this paper, we extend HYSDEL, a traditional hybrid system description language, and name the extension E-HYSDEL. We then use it to model the behavior of CPS, and on this basis the safety of the CPS is verified. The framework of this new method for CPS behavior modeling and safety verification is depicted in figure 1. According to this framework, the process of CPS behavior modeling and safety verification can be divided into four steps. First, transformation rules between the meta-model of E-HYSDEL and the meta-model of HP are established. Then, the behavior model of a specific CPS is described in E-HYSDEL code. Next, the behavior model is transformed to the corresponding HP according to the transformation rules. Finally, the formula describing the constraints on the variables that affect the safety of the system, together with the HP, is input to KeYmaera to verify whether the safety-related constraints are met.

The formal definition of HP
The formal definition of HP is given as follows. HPM = (PD, VD, PC, SHP), where PD represents the parameter declarations; VD represents the dynamic variable declarations; PC represents the precondition, in other words the constraints on the variables before the system runs; and SHP = (MS, DTS, CTS), where MS represents the set of discrete states (modes), DTS represents the set of transitions between discrete states, that is, transitions between modes,
and CTS represents the set of dynamic processes, each describing the continuous change within a single mode.
Transformation rules are set up based on this formal definition.

Application case
A room temperature control system is a typical CPS (Fig 2). There are two persons, a heater, an air conditioner and a window in the room; this equipment can affect the room temperature. T1 represents the temperature at the place where person 1 stays, and T2 the temperature at the place where person 2 stays. Tamb represents the temperature outside the window. Uhot represents the heater's power flow when it is on, and Ucold the air conditioner's power flow when it is on.
We verify that the state 10 ≤ T1, T2 ≤ 15 is not reachable on condition that 10 ≤ Tamb ≤ 30 and the initial state is 35 ≤ T1, T2 ≤ 40.
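The following is an added example, not code from the paper or from KeYmaera: it fills in the paper's HPM = (PD, VD, PC, SHP) tuple for a simplified single-zone version of the room temperature case, renders it as dL-style hybrid program text, and discharges the unreachability claim with the kind of boundary argument a dL differential-invariant proof uses, so no state space is enumerated. The flow equations (Newton-style heat exchange), the hysteresis thresholds, the mode domains and all numeric values are constructed assumptions; the paper states none of them.

```python
"""Added example, not code from the paper: the HPM = (PD, VD, PC, SHP) tuple filled in
for a simplified single-zone room temperature controller, rendered as a dL-style hybrid
program and checked with a differential-invariant style boundary argument (no state
enumeration).  Every flow equation, threshold and number below is a constructed assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Interval = Tuple[float, float]


@dataclass
class Mode:
    """One discrete state (element of MS) with its continuous dynamics (element of CTS).
    The flow is assumed linear:  T' = a + b*T + c*Tamb  (Newton-style heat exchange)."""
    name: str
    domain: Interval   # T range in which time may elapse in this mode (assumed)
    a: float
    b: float
    c: float


@dataclass
class HPM:
    PD: Dict[str, Interval]           # parameter declarations with their bounds
    VD: List[str]                     # dynamic variable declarations
    PC: Dict[str, Interval]           # precondition: variable bounds before the run
    MS: List[Mode]                    # SHP: modes, each carrying its CTS flow
    DTS: List[Tuple[str, str, str]]   # SHP: (source, target, guard) transitions, no resets


def thermostat(uhot: float = 2.0, ucold: float = 2.0, k: float = 0.1) -> HPM:
    """Constructed model: heat below 22, idle between 20 and 30, cool above 28 (hysteresis)."""
    return HPM(
        PD={"Tamb": (10.0, 30.0)},
        VD=["T"],
        PC={"T": (35.0, 40.0)},
        MS=[
            Mode("heat", (0.0, 22.0), uhot, -k, k),     # T' = Uhot - k*(T - Tamb)
            Mode("idle", (20.0, 30.0), 0.0, -k, k),     # T' = -k*(T - Tamb)
            Mode("cool", (28.0, 60.0), -ucold, -k, k),  # T' = -Ucold - k*(T - Tamb)
        ],
        DTS=[("idle", "heat", "T<=20"), ("heat", "idle", "T>=22"),
             ("idle", "cool", "T>=30"), ("cool", "idle", "T<=28")],
    )


def to_hybrid_program(m: HPM) -> str:
    """Render the model as dL-like hybrid program text.  Illustrative notation only: it is
    neither the paper's transformation rules nor KeYmaera's input syntax."""
    var = m.VD[0]
    parts = []
    for md in m.MS:
        lo, hi = md.domain
        flow = f"{var}'={md.a}+({md.b})*{var}+({md.c})*Tamb"
        parts.append(f"?mode={md.name}; {{{flow} & {lo}<={var}&{var}<={hi}}}")
    for src, dst, guard in m.DTS:
        parts.append(f"?mode={src}&{guard}; mode:={dst}")
    return "(" + " ++ ".join(parts) + ")*"


def flow_range(md: Mode, t: float, tamb: Interval) -> Interval:
    """Min/max of T' at T=t over all admissible Tamb (linear in Tamb, so endpoints suffice)."""
    ends = (md.c * tamb[0], md.c * tamb[1])
    base = md.a + md.b * t
    return base + min(ends), base + max(ends)


def check_unreachable(m: HPM, var: str, unsafe: Interval) -> Tuple[bool, List[str]]:
    """Discharge the proof obligations of the candidate invariant  var > unsafe_hi  the way a
    dL differential-invariant proof would, for a band approached from above:
      1. the precondition PC implies the invariant;
      2. in every mode whose domain contains the boundary var = unsafe_hi, the flow there is
         strictly positive for every admissible Tamb, so no trajectory can cross it.
    DTS transitions carry no resets, so they preserve the invariant trivially (assumption).
    Returns (safe, reasons); reasons lists every failed obligation."""
    hi_u = unsafe[1]
    reasons = []
    if not m.PC[var][0] > hi_u:
        reasons.append(f"precondition admits {var}={m.PC[var][0]}, not above {hi_u}")
    for md in m.MS:
        if md.domain[0] <= hi_u <= md.domain[1]:
            worst, _ = flow_range(md, hi_u, m.PD["Tamb"])
            if worst <= 0:
                reasons.append(f"mode {md.name}: {var}' may be {worst:.2f} at {var}={hi_u}")
    return (not reasons), reasons


if __name__ == "__main__":
    model = thermostat()
    print(to_hybrid_program(model))
    print(check_unreachable(model, "T", (10.0, 15.0)))                  # strong heater: safe
    print(check_unreachable(thermostat(uhot=0.4), "T", (10.0, 15.0)))   # weak heater: fails
```

With the default parameters only the heat mode's domain touches T = 15, and there the worst-case flow over Tamb in [10, 30] is positive, so the band 10 ≤ T ≤ 15 is unreachable from 35 ≤ T ≤ 40. Lowering Uhot to 0.4 makes the boundary flow negative and the check reports the offending mode, which is the kind of failed proof obligation that points at a controller design defect rather than at a particular unsafe trace.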

Conclusion
The main idea of the given method for behavior modeling and safety verification of CPS is to model the behavior of the CPS as a hybrid automaton described in the E-HYSDEL language, transform this model to a corresponding dL model described as an HP, and verify the safety of the dL model by means of KeYmaera.
The advantage of this method is that it models the CPS intuitively and verifies its safety rigorously. The method can also be used to verify other properties of CPS, such as real-time behavior and reliability.