Specification-Based Monitoring of Cyber-Physical Systems: A Survey on Theory, Tools and Applications
Lecture Notes in Computer Science
The term Cyber-Physical Systems (CPS) typically refers to engineered, physical and biological systems monitored and/or controlled by an embedded computational core. The behaviour of a CPS over time is generally characterised by the evolution of physical quantities, and discrete software and hardware states. In general, these can be mathematically modelled by the evolution of continuous state variables for the physical components interleaved with discrete events. Despite large effort and
... in the exhaustive verification of such hybrid systems, the complexity of CPS models limits formal verification of safety of their behaviour only to small instances. An alternative approach, closer to the practice of simulation and testing, is to monitor and to predict CPS behaviours at simulation-time or at runtime. In this chapter, we summarise the state-of-the-art techniques for qualitative and quantitative monitoring of CPS behaviours. We present an overview of some of the important applications and, finally, we describe the tools supporting CPS monitoring and compare their main features.

Monitoring Real Systems and Monitoring Simulated Models.

Before going further, let us distinguish between two major contexts in which the monitoring of dynamic behaviours can take place (see a more elaborate discussion in  ). The first is the monitoring of real systems during their execution via online measurements. Here the role of monitoring is to alert in real time in order to trigger corrective actions, either by a human operator or by a supervisory layer of control. A primitive form of this type of monitoring exists in many domains: indicators on the control panel of a car, airplane or electronic device, monitors for physiological conditions of patients in a hospital and SCADA (Supervisory Control and Data Acquisition) systems for controlling complex large-scale systems such as airports, railways or industrial plants. In fact, any information system can be viewed as performing some kind of a monitoring activity. The other context is during model-based system design and development where all or some of the system components do not exist yet in flesh and blood and their models, as well as the model of the environment they are supposed to interact with, exist as virtual objects of mathematical and computational nature.
The design process of such systems is typically accompanied by an extensive simulation and verification campaign where the response of the system to numerous scenarios is simulated and evaluated. Most of the work described in this chapter originates from the design-time monitoring context, where simulation traces constitute the input of the monitoring process. Many techniques and considerations are shared, nevertheless, with the monitoring of real systems. The activity of simulating a system and checking its behaviour is part of the verification and validation process whose goal is to ensure, as much as possible, that the system behaves as expected and to avoid unpleasant surprises after its deployment. In some restricted contexts of simple programs or digital circuits, this process can be made exhaustive and "formal" in the sense that all possible classes of scenarios are covered. When dealing with cyber-physical systems, whose existence and interaction scope are not confined to the world inside a computer for which practically exact models exist, complete formal verification is impossible, if not meaningless. In this domain, simulation-based lightweight verification is the common practice, accompanied by the hope of providing a good finite coverage of the infinite space of behaviours.

Rigorous Specification Formalisms.

Part of the runtime verification movement is coming from formal verification circles, attempting to export to the simulation-based verification domain another ingredient of formal verification, namely, the rigorous specification of the system requirements. In the context of discrete systems, software or digital hardware, formalisms such as temporal logic or regular expressions are commonly used. They can specify in a declarative manner which system behaviours, that is, sequences of states and events, conform with the intention of the designer in terms of system functionality, and which of these behaviours do not.
Such specifications can be effectively translated into monitoring programs that observe behaviours and check whether the requirements are satisfied. As such they can replace or complement tedious manual inspection of simulation traces or ad hoc programming of property testers.
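The following is an added example, not code from the survey or from any of the tools it covers, of what "translating a specification into a monitoring program" looks like for a simulation trace. It builds a small bounded-time temporal logic (atomic threshold predicates, negation, conjunction, implication, time-bounded eventually and always) and evaluates a requirement both qualitatively (satisfied or not) and quantitatively (a robustness margin, positive when satisfied and negative when violated, in the style of the quantitative monitoring the abstract mentions). The requirement, the signal names `temp` and `valve`, the thresholds and the two simulation traces are all constructed here for illustration.

```python
"""Offline monitor for a bounded-time temporal requirement over a simulation trace.
Added example: the logic, signals, thresholds and traces below are constructed
for illustration and are not taken from the survey."""
from typing import Callable, Dict, List, Optional, Tuple

INF = float("inf")

# A trace is a list of per-step states; each state maps a signal name to its value
# (uniformly sampled simulation output, one dictionary per time step).
Trace = List[Dict[str, float]]

# A formula is a function (trace, step) -> robustness value:
#   > 0 means satisfied at that step with that margin, < 0 means violated by that margin.
# Boolean satisfaction is simply the sign of the robustness.
Formula = Callable[[Trace, int], float]


def atom(signal: str, threshold: float, above: bool = True) -> Formula:
    """Predicate 'signal > threshold' (or 'signal < threshold' when above=False).
    Its robustness is the signed distance of the sample from the threshold."""
    def f(trace: Trace, i: int) -> float:
        v = trace[i][signal]
        return v - threshold if above else threshold - v
    return f


def neg(phi: Formula) -> Formula:
    return lambda trace, i: -phi(trace, i)


def conj(phi: Formula, psi: Formula) -> Formula:
    # Both must hold: the weaker margin dominates.
    return lambda trace, i: min(phi(trace, i), psi(trace, i))


def implies(phi: Formula, psi: Formula) -> Formula:
    # phi -> psi is (not phi) or psi; 'or' takes the stronger margin.
    return lambda trace, i: max(-phi(trace, i), psi(trace, i))


def _window(trace: Trace, i: int, lo: int, hi: int) -> range:
    # Steps i+lo .. i+hi, clipped to the end of the finite trace.
    return range(i + lo, min(i + hi, len(trace) - 1) + 1)


def eventually(phi: Formula, lo: int, hi: int) -> Formula:
    """F_[lo,hi] phi: some step in the window satisfies phi (max over the window).
    An empty window (past the end of the trace) yields -inf, i.e. cannot be satisfied."""
    def f(trace: Trace, i: int) -> float:
        return max((phi(trace, j) for j in _window(trace, i, lo, hi)), default=-INF)
    return f


def always(phi: Formula, lo: int, hi: int) -> Formula:
    """G_[lo,hi] phi: every step in the window satisfies phi (min over the window)."""
    def f(trace: Trace, i: int) -> float:
        return min((phi(trace, j) for j in _window(trace, i, lo, hi)), default=INF)
    return f


def make_trace(temps: List[float], valves: List[float]) -> Trace:
    return [{"temp": t, "valve": v} for t, v in zip(temps, valves)]


# Constructed requirement (hypothetical thermal controller):
#   "whenever the temperature exceeds 80, the cooling valve opens within 3 steps",
# checked at every step of a 10-step trace:  G_[0,9]( temp > 80 -> F_[0,3] valve > 0.5 )
RESPONSE = implies(atom("temp", 80.0), eventually(atom("valve", 0.5), 0, 3))
REQUIREMENT = always(RESPONSE, 0, 9)

# Constructed simulation traces: the valve is a 0/1 signal, temperature in arbitrary units.
GOOD_TRACE = make_trace([70, 75, 82, 85, 88, 84, 78, 72, 70, 69],
                        [0, 0, 0, 0, 1, 1, 1, 0, 0, 0])    # valve opens 2 steps after overheating
BAD_TRACE = make_trace([70, 75, 82, 85, 88, 84, 78, 72, 70, 69],
                       [0, 0, 0, 0, 0, 0, 0, 1, 1, 1])     # valve opens 5 steps late


def check(trace: Trace) -> Tuple[bool, float]:
    """Qualitative verdict plus quantitative robustness of the whole requirement."""
    r = REQUIREMENT(trace, 0)
    return r > 0, r


def first_violation(trace: Trace) -> Optional[int]:
    """Earliest step at which the response obligation is violated, for diagnosis
    (the kind of information a runtime alert would carry); None if never violated."""
    for i in range(len(trace)):
        if RESPONSE(trace, i) < 0:
            return i
    return None


if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE)):
        ok, rob = check(trace)
        print(f"{name}: satisfied={ok} robustness={rob} first_violation={first_violation(trace)}")
```

On the first trace the requirement holds with robustness 0.5; on the second it fails with robustness -0.5, and the first violating step is 2, the first overheating step whose 3-step window contains no open-valve sample. The margin is bounded by the valve predicate because that signal is binary, so a small absolute value here means "satisfied, but only by the nature of the signal", not "barely satisfied"; with continuous signals the robustness becomes a genuine measure of how far the simulated behaviour sits from the boundary of the requirement.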