Formalizing Cyber--Physical System Model Transformation via Abstract Interpretation
Natasha Jarus, Sahra Sedigh Sarvestani, and Ali Hurson

TL;DR
This paper introduces a formal, sound approach to model transformation in cyber-physical systems using abstract interpretation, enabling consistent and domain-agnostic system modeling.
Contribution
It develops a foundational methodology for model transformation based on abstract interpretation, with formal proofs of correctness and domain transfer capabilities.
Findings
Proves soundness of the abstract interpretation-based transformation
Defines formalism for encoding model properties
Demonstrates cross-domain applicability of the approach
Abstract
Model transformation tools assist system designers by reducing the labor--intensive task of creating and updating models of various aspects of systems, ensuring that modeling assumptions remain consistent across every model of a system, and identifying constraints on system design imposed by these modeling assumptions. We have proposed a model transformation approach based on abstract interpretation, a static program analysis technique. Abstract interpretation allows us to define transformations that are provably correct and specific. This work develops the foundations of this approach to model transformation. We define model transformation in terms of abstract interpretation and prove the soundness of our approach. Furthermore, we develop formalisms useful for encoding model properties. This work provides a methodology for relating models of different aspects of a system and for…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Formalizing Cyber–Physical System Model Transformation via Abstract Interpretation
Natasha Jarus, Sahra Sedigh Sarvestani, and Ali Hurson
Department of Electrical and Computer Engineering
Missouri University of Science and Technology
Rolla, USA 65409
Email: {jarus, sedighs, hurson}@mst.edu
Abstract
Model transformation tools assist system designers by reducing the labor–intensive task of creating and updating models of various aspects of systems, ensuring that modeling assumptions remain consistent across every model of a system, and identifying constraints on system design imposed by these modeling assumptions. We have proposed a model transformation approach based on abstract interpretation, a static program analysis technique. Abstract interpretation allows us to define transformations that are provably correct and specific. This work develops the foundations of this approach to model transformation. We define model transformation in terms of abstract interpretation and prove the soundness of our approach. Furthermore, we develop formalisms useful for encoding model properties. This work provides a methodology for relating models of different aspects of a system and for applying modeling techniques from one system domain, such as smart power grids, to other domains, such as water distribution networks.
Index Terms:
Modeling, Model transformation, Formal methods, Abstract interpretation
I Introduction
The multitude of functional and non–functional requirements for critical infrastructure cyber–physical systems (CPSs) present many challenges to system designers. A smart grid must be able to supply all its customers; it must be fault–tolerant in the face of component failure; it must be secure against physical and cyber attacks; and it must achieve all these goals with efficient infrastructure. To meet all these requirements, designers must integrate physical components, cyber control software and hardware, and processes for human operators into a complete system. This is a truly daunting task, but one that can be facilitated by model-based design and evaluation.
A vast body of literature has been published on various modeling formalisms that capture system performance, dependability, safety, and security. No single modeling formalism can encompass all aspects of system performance and dependability, necessitating the labor–intensive and error–prone process of creating multiple system models and propagating changes across all of these models. Furthermore, designers must be careful that these models remain consistent with each other, i.e., that the assumptions made about the system by one model are not contradicted by those of any other model. For instance, a dependability model for a smart grid where two power lines are assumed to be connected in parallel is not compatible with a power flow analysis where the lines are placed in series.
One way to alleviate these challenges is through model transformation, which enables automated or semi-automated transformations between modeling formalisms. These transformations can ensure that modeling assumptions are consistent across every model of a system by verifying that any model can be transformed into any other. This approach can also identify constraints on system design imposed by these assumptions. Such a model transformation approach should meet two design constraints. First, it should be applicable to a broad range of systems and a variety of modeling formalisms in order to be useful to designers of complex systems. Second, it should be sound—it should be possible to prove that the result of a transformation is correct and consistent with the initial models.
In our earlier work [1], we proposed a model transformation approach based on abstract interpretation, a static program analysis technique. Models are seen as abstractions of the semantics of a system—its structure and behavior. Through this lens, provably correct model transformation becomes the problem of defining sound mappings from system semantics to model semantics and vice versa. By composing these mappings, we can develop sound transformations between modeling formalisms.
The research contribution of this work is twofold. We propose:
a formalization of system and model semantics, leading to a formalization of sound model transformation, and 2. 2.
a mathematical structure useful in the development of structures that capture system semantics.
Our first contribution formalizes the research approach we outlined in [1] and incorporates several improvements from feedback we have received since publication of that work. The second contribution lays the groundwork for integrating real–world modeling formalisms into this model transformation approach.
The structure of this paper is as follows: in Section II, we briefly summarize related model transformation and formalization techniques. Section III presents our formalization of system and model semantics and describes how we use this formalization to create a method for model transformation. Section IV presents tag–option lattices, a structure that we find to be useful when formalizing the semantics of systems. Section V summarizes our work and discusses future directions for our research.
II Related Work
In the literature, model transformation refers to two different but related concerns. One concern is integrating models of different parts of the system into a complete system model; this is more specifically called * heterogeneous model composition*. The other concern is transforming one type of model for a system to a different model of the same system or a related system.
Model transformation research specific to CPSs primarily focuses on building hierarchical models [2, 3, 4, 5]. Hierarchical models allow different model types to be combined together to model complex systems. Each component can be modeled in a convenient formalism; the hierarchical model is then simulated by simulating each sub-model in tandem.
The Ptolemy modeling software [6] performs hierarchical modeling and model composition [7, 8]. As such, Ptolemy makes it easy to build and link small models. Hierarchical models can consist of heterogeneous sub–models, allowing different parts of the system to be expressed using different types of models [9, 10, 11, 8]. Model composition is achieved in part by defining ontologies of system properties, e.g., units of model inputs and outputs. Based on these ontologies, Ptolemy can perform conversions of values transmitted between sub–models and check for incompatibilities which indicate modeling errors. Ptolemy also enables heterogeneous model evaluation: it provides choices for both the modeling language and the solution or simulation technique used to evaluate the model [12]. However, Ptolemy does not offer methods for transforming one system–level model to another. In addition, it is focused on models of system function and lacks facilities for modeling non-functional attributes.
OsMoSys [13] and SIMTHESys [14] are modeling systems motivated by model–driven engineering. Their approach to model transformation is based on techniques from software engineering. Graph–based models, such as Petri Nets and Fault Trees, are described using an object–oriented notation. Every model has associated interfaces which allow models of different types to be composed and evaluated. OsMoSys features compositional models and interfaces with external tools to evaluate them [15]. SIMTHESys provides a language in which users can describe new modeling formalisms for use with OsMoSys. Both are capable of modeling both functional and non-functional aspects of a system [16]. However, neither are focused on the problem of model transformation.
Möbius [17] is another modeling tool that supports hierarchical modeling. It supports several modeling formalisms, including block diagrams and Petri nets, and additional formalisms including stochastic timed systems can be included via external modeling tools [18, 19]. While this feature offers considerable flexibility in modeling, Möbius is constructed around a modeling workflow that builds and evaluates hierarchical models and has little support for model transformation. Its model composition method is based on object–oriented design principles and is applicable to many state–based model formalisms.
AToM3 [20] is capable of both model transformation and model composition. It uses metamodels to describe specific modeling languages, then defines transformations between metamodels to transform models [21]. Models are graph-based and transformations take the form of graph rewriting rules [22]. However, there is no hierarchy of models, so introducing a new model requires writing transformation rules from the new model to each model that AToM3 implements.
CHESS [23] provides a modeling language for describing systems and includes several model transformation methods specific to creating dependability models. CHESS is based on the Unified Modeling Language (UML); transformations are based on graph rewriting rules. CONCERTO [24] extends CHESS by introducing modeling techniques for non-functional system attributes such as dependability [25]. However, CONCERTO is focused on multicore processing systems [26, 27] and lacks the features necessary for modeling complex physical components.
Rosetta [28] is focused on functional multi–formalism modeling [29]. It takes an algebraic approach to relating models: each formalism is described as a coalgebra—a mathematical system useful for describing arbitrary transitions among arbitrary states [30, 31]. The coalgebras corresponding to each formalism are placed in a lattice, which provides a structure for determining how to transform one model into another. Model transformations can be used to relate different models of the same system; for example, it is possible to combine a functional system model with a model of that system’s power consumption. However, Rosetta lacks many features required for CPS modeling, especially support for hybrid discrete–continuous formalisms.
Each of these model transformation tools offers a partial solution to the model transformation problem; however, none of them present a solution that is generally applicable. Some frameworks place constraints on the behavior of transformation functions (e.g., class inheritance transformation). Others apply only to specific formalisms. Furthermore, only Rosetta offers an approach that can be proven to be correct. The work presented in this paper aims to address these shortcomings by providing a model transformation approach that relates a wide variety of modeling formalisms in a provably sound fashion, and yields results that are sufficiently specific to be meaningful.
III Abstract Interpretation of Models
The foundation of our approach is abstract interpretation [32, 33], a formalism for developing sound semantic abstractions. In this work, system semantics are represented in terms of properties that hold for the system. Such properties might include information about components, their reliabilities, and how they are interconnected. Models are abstractions of system semantics—they concern certain properties of the system, but not others. Thus, generating a model from a system’s properties, then deriving properties of that system from the generated model, may result in some of the initial properties not being present in the derived properties. This is a necessary effect of abstraction—we cannot derive properties from a model if the model does not capture those properties. To define mappings from system properties to models and vice versa, both domains need to allow for this potential loss of precision.
III-A Properties
We first define how system semantics are represented. Lattices (see [34]) offer a useful formalism for describing the nature of approximation. We define a complete lattice ordered by specificity: for means that the constraints in and are not contradictory and that places the same or more constraints on a system than does. For example, could constrain the reliability of a component to fall in the range , whereas could require that component to have a reliability of .
The meet (denoted as ) of two elements of places the constraints of both elements on a system; the join (denoted as ) implies satisfaction of the constraints of either element. Suppose requires a component’s reliability to fall in and constrains it within . Then will require it to be in and within . \mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}} and extend this concept to subsets of .
For certain are contradictory, will result in a constraint that is impossible to satisfy. If requires a component to have a reliability in and requires it in , then it is impossible for any component to meet both constraints. In this paper, we require that every element of to be satisfiable except for , the “impossible” constraint. Therefore, for this example, . Note that .
To summarize, each element of the lattice describes one or more systems. In the general case, describes a set of systems, all of which meet the constraints in . If every constraint in has exactly one possible choice, will describe a single system.
III-B Models
We now consider how modeling formalisms can be represented in this lattice framework. As a given element of the lattice may not define a single system, we must account for the possibility that the lattice may not specify the system well enough for a single model to be abstracted from it. If does not constrain the reliability of a component to a single value, a single reliability model cannot be abstracted from . Instead, we abstract a set of models, one for each possible assignment of the component’s reliability, subject to the constraints of .
Therefore, in the same way that the lattice is defined, we also define the domain of each modeling formalism to account for the nature of potentially imprecise system specifications. To ensure that this approach is broadly applicable, we define this domain using structure external to the modeling formalism itself. Thus we do not have to require, say, that a reliability model formalism be able to express the concept of a component having a range of possible reliabilities.
We use a powerset lattice to provide this extra structure. For a given model formalism, the set contains all possible models expressible in that formalism. The powerset lattice then forms a lattice ordered by specificity: for , indicates that contains fewer possible models describing a system, and thus places more constraints on the system, than does. Likewise, produces a set of models that fit the constraints associated with and with ; produces a set of models where constraints from either may hold.
Singleton sets (i.e., sets of the form , ) correspond to fully-specified models, and corresponds to an “impossible” system—one with contradictory modeling requirements.
To make the notation clearer and more consistent, we will define , as the powerset lattice of the original set of models, . For the powerset lattice , we will use the rounded operators () to prevent confusion with the square operators of the lattice , and of lattices in the abstract.
III-C Correctness
In this work, we represent the set of systems by . We think of these systems abstractly; thus, we do not concern ourselves with the representation of or its elements. When we speak of a system , we understand to be the system to be modeled.
Any system is described by a number of elements of . To formalize this notion, we use a correctness relation to relate a system to properties (and later, models) that describe it. We suppose a relation where if and only if describes the system . We must assume the existence of , since the properties of the system being designed are determined by the designer. However, abstract interpretation allows us to induce correctness relationships between systems and models based on —in other words, abstract interpretation enables sound transformations between system properties and system models.
Definition III.1
A correctness relation relates systems to elements of a lattice . Two attributes hold for :
- (i)
If and , then . 2. (ii)
If , then s\,R_{\mathbb{\StrLeft{L}{1}}\mathbf{\StrGobbleLeft{L}{1}}}\,\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{L^{\prime}}.
In terms of and its correctness relation , Property (i) states that we can relax correct constraints without violating their correctness. The reverse does not hold, otherwise, the inconsistent constraint would describe every system. The formalization of relaxation of constraints as described by Property (i) allows us to generalize constraints and therefore plays a crucial role in modeling abstraction.
Property (ii) requires that for any set of constraints there exist a “best” constraint that correctly describes any system described by every constraint in . We can apply this property to the constraints derived from several models to narrow down our description of a given system’s properties. In this sense, it allows us to derive a specific result from a number of more general results. Note that the converse of (ii) follows from (i), so (ii) could also be written as a biconditional.
III-D Abstraction and Concretization
Given a correctness relation for , we desire to define a mapping between and a modeling formalism that induces a correctness relation . Furthermore, this mapping must allow for the modeling domain to abstract system constraints. For instance, a topology model should be able to discard constraints on component reliability.
The formalism of choice for this task is a Galois connection:
Definition III.2
A Galois Connection between two complete lattices and consists of a pair of monotone functions and for which the following relationships hold:
[TABLE]
We refer to as the concrete domain, as the abstract domain, as the abstraction operator, and as the concretization operator.
In terms of models and properties, abstracts a model, , from a set of constraints on a system, , and derives, or concretizes, system constraints from a model of that system. Relationship (1) states that abstracting the model from constraints , then concretizing constraints from that model, results in constraints that are at most more general than those of . In other words, abstraction may relax constraints irrelevant to the model formalism, but it cannot produce a model that implies constraints that contradict . Relationship (2) requires that be able to completely capture the constraints imposed by each model formalism, meaning that if constraints are concretized from a model, , of a system, any other model abstracted from these constraints will be as least as specific as the original model, . Concretization may introduce additional constraints, but in practice, the of (2) will often be strict equality in practice.
Next, we show that each Galois connection induces a correctness relation on the abstract domain.
Theorem III.1
Given a Galois connection and a correctness relation , the relation defined by is a correctness relation.
Proof:
We must show that properties (i) and (ii) from Definition III.1 hold for . Take and .
[TABLE]
The proof of (ii) uses the fact that is completely multiplicative, that is, \mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\{\gamma(m)\mid m\in\mathbf{M^{\prime}}\}=\gamma\left(\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{M^{\prime}}\right). Take and .
[TABLE]
∎
Put in terms of models and system properties, if we define a Galois connection between and the lattice for a given modeling formalism , then every correct collection of system constraints abstracts to a correct model and every correct model concretizes to a correct collection of system constraints. Therefore, we have developed a provably sound definition of the nature of model abstraction.
III-E Model Transformation
Given this formalization of system and model semantics, we can now formalize the problem of model transformation. Suppose we have a properties domain and two modeling formalisms with associated Galois connections to the properties domain ) and ). Furthermore, we have a correctness relation which induces correctness relations and .
Definition III.3
A model transformation from to is a semantically sound mapping . That is, if is correct, then is also correct.
We can define by first concretizing constraints from , then abstracting an element of from it.
Theorem III.2
The mapping is sound.
Proof:
Take and .
[TABLE]
∎
To sum up the transformation process: begin with a model . Concretize properties of the system from , then apply to produce a set of models . Finally, select a model from by introducing information about the system not present in .
Figure 1 illustrates the domains, mappings, and relationships present in this formalization of model transformation.
III-F Selection and Specificity
Recall that the elements of are sets of models. To concretize properties of a single model , we first map it to , then apply . Conversely, for a set of models produced from an abstraction operation, each model in that set equally captures the system constraints from which was abstracted. If , then the chosen modeling formalism cannot reason about the given system constraints. If , then the abstraction process has produced a single model describing the system. Otherwise, the system constraints lack some information about the system that is relevant to this modeling formalism. In this case, the user must introduce new information about the system by selecting one model from this set. For example, one may have to provide information about component reliability when selecting a reliability model.
We represent this selection process as a function ; the definition of depends entirely upon the exact system being modeled. While the known system constraints may not be precise enough to indicate exactly which model in the set is correct, they still indicate that the correct model is in the given set of models. Therefore we can constrain to not produce a model which we know is incorrect even when we do not have enough information about the system to produce a single model.
Definition III.4
The function is a selection operator if the following conditions hold:
- (i)
** 2. (ii)
If , then
Given a selection operator, we can incorporate the newly introduced information back into the system properties domain, allowing future transformations to include these constraints and therefore produce more specific results. Take such that . Derive the exact model of formalism by letting . By definition of we know , so . Finally, we can construct a more specific element by . The correctness of follows from property (ii) for , and by definition of , .
Figure 2 depicts the relationship between these given functions and domains.
IV Tag-Options Lattice
In our formalization of systems and models, we assume a properties domain that is a lattice of constraints on a system; its elements are ordered by specificity. A common pattern arises when defining this domain: a lattice that assigns a set of potential values to each element of a set of names or tags. Two examples are assigning possible reliabilities to components and defining whether a state is considered functional or failed. We will refer to this type of lattice as a Tag–Options Lattice; it is comprised of a tag lattice and a family of options lattices. For instance, one may use a tag lattice where each element is a set of components known to be part of a system; each element of the corresponding options lattice is a function that assigns possible reliabilities to each component.
IV-A Tag Lattice
Let be a set of tags.
Definition IV.1
The tag lattice is the dual of the powerset lattice of , where , \mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}:=\bigcup, and .
In this lattice, corresponds to a system where no tags are known to apply—for example, a system with no known components. Thus, every system is described by . Lattice elements are ordered by specificity; if and , then contains more information than about tags that apply to a system.
IV-B Options Lattice Family
Let denote the set of options—potential values—for each tag.
Definition IV.2
For each set of tags we can define a corresponding options lattice . The elements of are functions that assign a set of possible options to each tag. For any , if and only if for all .
We can alternatively view the elements as sets of tuples where and . Each set contains exactly one tuple per tag.
For any set of elements of an options lattice, , we define
- i)
, and 2. ii)
\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{O^{\prime}}=\lambda t.\bigcap\{f(t)\mid f\in\mathbf{O^{\prime}}\}.
We refer to the family of options lattices associated with tag set by .
For example, if and , then and are elements of . Furthermore,
[TABLE]
Theorem IV.1
* is a complete lattice.*
Proof:
The proof that is a partial order on follows directly from being a partial order on for all . Likewise, the proof that \mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}} and are complete follows from the completeness and . ∎
From these definitions it follows that and for all . We can always imagine a system where any of the given options holds for each tag; a system where no tag corresponds to any of the options is a system about which our abstractions cannot reason.
Hasse diagrams for and are shown in Figure 3 and Figure 4, respectively.
Thus far, we have defined a lattice of system tags and a family of options lattices consisting of mappings of tags to options. What remains is to combine these lattices into a single tag–options lattice.
IV-C Options Lattice Homomorphisms
Before we can develop a tag–options lattice, we must define how elements of different options lattices are related. The tool of choice is a lattice homomorphism: a mapping between lattices that preserves meets and joins.
Definition IV.3
For all sets of tags we define a function by
[TABLE]
Or, from a sets-of-tuples perspective,
[TABLE]
allows us to convert a function with one domain to a related function with a different domain: if , then .
Theorem IV.2
* is a lattice homomorphism. That is, for all ,*
- i)
\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\left\{\phi_{A}^{B}(f)\mid f\in\mathbf{O^{\prime}}\right\}=\phi_{A}^{B}\left(\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{O^{\prime}}\right)* and* 2. ii)
.
Proof:
To show \mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\left\{\phi_{A}^{B}(f)\mid f\in\mathbf{O^{\prime}}\right\}=\phi_{A}^{B}\left(\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{O^{\prime}}\right), suppose and and take arbitrary .
Case 1: .
[TABLE]
Case 2: .
[TABLE]
The proof that is analogous. ∎
We now prove a corollary necessary to show the completeness of the tag–option lattice:
Theorem IV.3
If such that and and such that , then .
Proof:
Take arbitrary .
Case 1: . Then , , and . Therefore .
Case 2: . Then and . ∎
IV-D Tag-Options Lattice
So far, we have developed a lattice that relates sets of tags that apply to a given system and a family of lattices that relate option values given a set of tags. Now we combine these into a lattice that can relate option values between sets of tags.
Definition IV.4
A tag–options lattice is a lattice of tuples where is an element of and is an element of . Given elements and , if and only if and .
(Note that if , , so and .)
For any subset , let . Then we can define
- i)
, and 2. ii)
\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{\Lambda}:=\left(\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{V},\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\left\{\phi_{T^{\prime}}^{\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{V}}(f)\mid(T^{\prime},f)\in\mathbf{\Lambda}\right\}\right).
In this lattice, is the system where no options are valid for any tag. corresponds to the system where no tags are known to apply.
For example, suppose we have a set of tags and take elements where , and . Let the options set be .
Let be an element of where . Let be an element of where . Then and are elements of .
Furthermore, we can compute the meet of and as follows:
[TABLE]
Theorem IV.4
* is a complete lattice.*
Proof:
That is a partial order follows from the partial orders defined on and the lattices of .
To show that \mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}} is a well–defined meet operator, take an arbitrary subset , and let .
Take arbitrary such that . Thus, T^{\prime}\sqsubseteq\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{V}. Furthermore,
[TABLE]
Therefore (T^{\prime},f^{\prime})\sqsubseteq\mathop{\mathchoice{\rotatebox[origin={c}]{180.0}{\displaystyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\textstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptstyle\bigsqcup}}{\rotatebox[origin={c}]{180.0}{\scriptscriptstyle\bigsqcup}}}\mathbf{\Lambda}. The proof that is a well–defined join operator is analogous. ∎
For an example of how a tag–options lattice might be used to construct a concrete properties domain, consider the task of assigning reliabilities to components. In this case, we define a set of component names to use as tags. The elements of the tag lattice consist of sets of component names. If an element of applies to a given system, then we know that the system consists of at least those components. The set of options is . Finally, the tag–options lattice consists of pairs where is a set of components known to comprise a given system and assigns a range of possible reliabilities to each . Thus is a lattice of constraints on component reliability ordered by specificity. It can be used as part of a definition of a properties domain in conjunction with other lattices that capture other relevant system properties.
V Conclusion and Future Work
In this paper, we have demonstrated a formalization of model and system semantics. Models abstract system semantics; therefore, we can derive, or concretize, constraints on a system from models of it. Conversely, given constraints on a system, we can abstract a set of models that are consistent with those constraints.
To formalize the soundness of this approach, we apply abstract interpretation, which defines a correctness relation between systems and constraints. If our abstraction and concretization mappings between a given modeling formalism and system constraints form a Galois connection between the two domains, we can show that these mappings and the correctness relation for system constraints induce a correctness relation between systems and the models of the modeling formalism.
Through this lens, the process of model transformation becomes the process of concretizing system properties from one model, then abstracting a second model from these properties. We show that this process is sound; that is, if the initial model is correct, then the final model will also be correct.
Future work will take several directions. We are currently working on relating models of different aspects of a system—in this case, reliability and topology. This work will demonstrate both how topology affects system reliability by introducing dependencies between components and how reliability, via the same dependencies and the constraints on system functionality, constrains the choice of topologies for which that definition of reliability holds.
We plan to further extend the work of this paper to other model types and other choices of system properties. Expanding the possible transformations will allow us to relate modeling techniques from various system domains; for example, we may apply a water distribution network analysis technique to a power grid, or incorporate both cyber and physical models into a cyber–physical model.
Another avenue of research is to expand the formalization of models and systems to other metamodeling tasks. A salient challenge in the design of complex systems is that of heterogeneous model composition: combining component models that use various modeling formalisms into a single model of a complete system. The abstraction and concretization functions defined in this work provide a basis for developing these connections. It may even be possible to perform this composition at a higher level, enabling the creation of hybrid modeling formalisms and associated solution and evaluation techniques.
Finally, the task of developing this approach into a tool for system designers will certainly present its own challenge. Such a tool must be interactive and scalable to complex, real–world systems, all without requiring the user to have a deep understanding of the underlying theory.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] N. Jarus, S. Sedigh Sarvestani, and A. R. Hurson, “Models, metamodels, and model transformation for cyber–physical systems,” in 7 th International Green and Sustainable Computing Conference , pp. 1–8, Nov. 2016.
- 2[2] P. Derler, E. A. Lee, and A. L. Sangiovanni-Vincentelli, “Addressing modeling challenges in cyber–physical systems,” tech. rep., Mar. 2011.
- 3[3] T. H. Feng and E. A. Lee, “Scalable models using model transformation,” tech. rep., July 2008.
- 4[4] K. Wan, D. Hughes, K. L. Man, and T. Krilavicius, “Composition challenges and approaches for cyber–physical systems,” in 2010 IEEE International Conference on Networked Embedded Systems for Enterprise Applications (NESEA) , pp. 1–7, Nov. 2010.
- 5[5] A. Bhave, B. Krogh, D. Garlan, and B. Schmerl, “Multi–domain modeling of CPS using architectural views,” 2010.
- 6[6] C. Ptolemaeus, ed., System design, modeling, and simulation: using Ptolemy II . Berkeley, Calif: UC Berkeley EECS Dept, 1. ed., version 1.02 ed., 2014.
- 7[7] Y. Xiong, E. Lee, X. Liu, Y. Zhao, and L. Zhong, “The design and application of structured types in Ptolemy II,” in 2005 IEEE International Conference on Granular Computing , vol. 2, pp. 683–688 Vol. 2, July 2005.
- 8[8] B. Lickly, C. Shelton, E. Latronico, and E. A. Lee, “A practical ontology framework for static model analysis,” in Proceedings of the Ninth ACM International Conference on Embedded Software , EMSOFT ’11, (New York, NY, USA), pp. 23–32, ACM, 2011.
