Modeling and Verification of Uncertain Cyber-Physical System Based on Decision Processes



Introduction
The cyber-physical system (CPS) is a cutting-edge technology that combines computing, communication, and remote control functions [1,2]. It represents the latest advancement in complex embedded information and physical network systems [3]. The CPS comprises three main components: the physical entity, the computing entity, and the interactive entity [4], as illustrated in Figure 1. By incorporating artificial intelligence (AI) into its hardware, the CPS enables automatic control, decision-making, and judgment capabilities, thereby influencing both the computing entities and the physical entities through a feedback mechanism. Furthermore, the CPS facilitates human-computer interaction [5] to achieve optimal outcomes.
Model checking [6,7], as a formal and automatic verification technique, has found extensive applications in diverse domains such as computer software and hardware systems, communication protocols, control systems, and security authentication protocols. During the verification of complex concurrent systems, it is common to encounter uncertain and inconsistent information, for instance in the complex computing tasks generated by autonomous vehicles in intelligent autonomous transport systems [8]. Classic model checking, which is based on the probability measure, may face challenges when dealing with uncertain verification problems in practical systems [7]. While it has been widely used for analyzing and verifying stochastic systems [9], there are situations where non-additivity problems arise, and these cannot be adequately addressed or measured by traditional probability-based models.
To overcome these limitations, Li et al. [10,11] proposed a possibility measure-based model-checking approach. The possibility measure is a branch of fuzzy set theory and a generalization of the probability measure. Unlike the probability measure, the possibility measure does not adhere to the principle of additivity. In their approach, Li et al. apply fuzzy mathematics, which is rooted in the possibility measure, to model checking [12]. By doing so, they provide a framework for analyzing and verifying uncertain systems that cannot be effectively measured or verified using traditional probability models. The possibility measure-based model-checking approach allows for more flexible handling of uncertainty by considering the degree of membership or likelihood of events occurring. This approach expands the range of problems that can be addressed and provides an alternative method for analyzing and verifying stochastic systems in practical scenarios where non-additivity problems arise.
A lot of quantitative model-checking techniques have been proposed for modeling systems with uncertain information [13], but some important issues remain unsolved. The problem lies in the uncertainty of system behavior when confronted with multiple possibilistic distributions of complex systems. For example, multi-agent systems possess complex dynamic structures and behavioral characteristics, necessitating the incorporation of additional quantifiable information to depict their dynamic behavioral features [14,15]. Moreover, these possibilistic distributions are not always measurable. The purpose of modeling is to interface with the environment through uncertain actions so as to satisfy the properties of the system. Thus, it is necessary to consider the uncertain information of those actions. In order to permit both possibilistic and uncertain choices, we introduce the notion of generalized possibilistic decision processes (GPDP) and schedulers selecting the actions that will be performed [16]. The GPDP serves as a theoretical foundation for the uncertainty verification of complex systems by enabling transitions between states to satisfy multiple possibilistic distributions.

Ptolemy II is an open-source simulation modeling tool that has gained popularity for its ability to address challenges related to uncertainty modeling, management, and optimal decision control in CPS [3]. While other tools like Simulink/Stateflow and UML are widely used, their close integration and lack of specialized features make it difficult to effectively handle uncertainty in CPS. Ptolemy II [17], developed by researchers at UC Berkeley, offers a comprehensive solution for system design, modeling, and simulation in hierarchical and heterogeneous systems. It provides powerful functionalities and a design environment that supports the entire development phase. This integrated approach allows for a smooth transition from a conceptual model to a real system design, resulting in a shorter design process and improved component reuse. By leveraging Ptolemy II, designers and researchers can enhance the consistency between the authenticity of the system and its simulation results [18]. This capability is crucial for validating the performance and behavior of complex CPS, where uncertainty and dynamic interactions play a significant role.
The main contributions of this paper include the following aspects: (1) Construct a CPS system model based on the generalized possibility decision process, and define the CPS syntax and semantics of the generalized possibility linear temporal logic in the CPS system model;

This article includes the following sections, excluding the present introduction. In Section 2, the necessary basic concepts and definitions are provided. In Section 3, the semantics of the generalized possibility decision process are presented. In Section 4, the CPS syntax and semantics of generalized possibility linear temporal logic are defined. Section 5 introduces clock invariants to extend the uncertain CPS. In Section 6, a dynamic verification analysis is carried out on the attributes of uncertain CPS. Section 7 uses preset modeling tools to model and simulate the extended model of uncertain CPS. Finally, our overall conclusions are presented in Section 8.

Preliminaries
In this section, we give some basic knowledge about the hybrid system and the generalized possibility theory introduced in [10,12].

Hybrid System
A hybrid system is a type of system that combines continuous dynamics and discrete events. It represents a system where both continuous processes, such as physical processes governed by differential equations, and discrete events, such as state changes or mode switches, are present. This combination allows for the modeling and analysis of complex systems that exhibit both continuous and discrete behaviors. A hybrid automaton is commonly used to describe the system's behavior. A hybrid automaton is a mathematical model that captures the dynamics of a hybrid system. In the context of CPS, a hybrid system typically refers to a system that integrates physical processes with computational and communication elements. It can be defined as follows.
Definition 1 (see [19]). A hybrid automaton can be represented by a six-element tuple, denoted as H = (I, O, T, Init, M, E), where: (1) I: The set of input ports represents external signals or inputs that can influence the behavior of the automaton. These inputs can trigger state transitions or affect the continuous dynamics of the system. (2) O: The set of output ports represents the signals or information that the automaton produces as a result of its internal dynamics and interactions with the environment. These outputs could be measurements, control signals, or any relevant information about the system. (3) T: The set of state variables represents the internal variables or parameters that define the state of the system, which capture the internal state of the system and can change continuously over time. The state set Q_T is a mathematical representation of all possible values that these variables can take. (4) Init: This component is responsible for initializing the distribution operation within the hybrid automaton. It sets the initial conditions or constraints on the state variables. (5) M: The set of control modes represents different operational modes or behaviors that the automaton can exhibit. Each control mode specifies a set of continuous dynamics and discrete transitions that govern the system's behavior in that mode. (6) E: The set of internal actions represents the transformational relations between different control modes or states in the hybrid automaton. They describe the instantaneous transitions or jumps between modes that can occur based on certain conditions or events.
Remark 1. The port mentioned in the definition facilitates communication between the system and its external environment. The communication port operates in two modes, read and write, which are denoted by "?" and "!", respectively. For example, "port?" indicates input data received by the port, while "port!" represents output data transmitted by the port.
Our hybrid process model is built upon extensive research on the hybrid automaton, which is considered as an encapsulated intelligent agent [20,21]. This research focuses on developing a formal model for hybrid systems by combining discrete transition systems with differential equations. By incorporating continuous evolution and discrete updating, CPS are capable of representing real-world scenarios and describing the system's state transition relationships [22]. As a result, the hybrid automaton assumes a crucial role in establishing a strong foundation for CPS studies.

Generalized Possibility Theory
Possibility measure theory [23] deals with the incomplete information and uncertain information of a system. Unlike probability measure theory, possibility measure theory contains both a possibility measure and a necessity measure, which can deal with fine-grained information better. In addition, the possibility measure is non-additive, which makes more sense for practical application systems.

Definition 2 (see [16]). Let us assume that U is a nonempty set with measurable subsets. In this context, a possibility measure is defined as a function Π from the power set 2^U to the interval [0, 1] with the following properties. (1) For any subset family {E_i} of the universe set U, we can denote the supremum or least upper bound of the real number family {a_i}_{i∈I} as i∈I a_i. Similarly, the infimum or greatest lower bound of the real number family {a_i}_{i∈I} can be represented as i∈I a_i.
If Π satisfies only conditions (1) and (3), it is referred to as a generalized possibility measure.

Generalized Possibilistic Kripke Structure
A generalized possibilistic Kripke structure refers to an extension of the traditional Kripke structure that incorporates possibilistic reasoning. It combines the principles of Kripke semantics with possibilistic logic to capture uncertainty and possibility in a more flexible and nuanced manner. In a generalized possibilistic Kripke structure, the set of possible worlds represents different states or scenarios of a system, similar to a traditional Kripke structure. However, instead of assigning a binary truth value (true or false) to propositions in each world, a generalized possibilistic Kripke structure assigns a degree of possibility or belief to each proposition in each world. A generalized possibilistic Kripke structure is defined as follows.

Definition 3. A generalized possibilistic Kripke structure (GPKS, in short) is a tuple M = (S, P, I, AP, L), where (1) S is a countable, nonempty set of states; (2) P: S × S → [0, 1] is a function, called a possibilistic transition distribution function; (3) I: S → [0, 1] is a function, called a possibilistic initial distribution function; (4) AP is a set of atomic propositions; (5) L: S × AP → [0, 1] is a possibilistic labeling function, which can be viewed as a function mapping a state s to the fuzzy set of atomic propositions that are possible in the state s, i.e., L(s, a) denotes the possibility or truth value of the atomic proposition a that is supposed to hold in s.
Furthermore, if the set S and AP are finite sets, then M = (S, P, I, AP, L) is called a finite GPKS.
Remark 2. If we require the transition possibility distribution and the initial distribution to be normal, i.e., s'∈S P(s, s') = 1 and s∈S I(s) = 1, and the labeling function L to be crisp, i.e., L : S × AP → {0, 1}, then we obtain the notion of possibilistic Kripke structure [16]. In this case, we also say that M is normal. This is one of the reasons why we call the structure defined above a generalized possibilistic Kripke structure.

Generalized Possibility Decision Processes
The differences between GPDP and the Markov decision processes [24,25] are as follows: (1) the transfer weight of a Markov decision process reflects the frequency of events, while the transfer weight of a GPDP feeds back the possibility of reaching the target state; (2) in Markov decision processes, the sum of the transfer weights starting from the same state is 1, but a GPDP does not have this constraint; (3) the label function in a Markov decision process is crisp, while the label function in a GPDP is fuzzy. Therefore, in this paper, a GPDP similar to Markov decision processes is proposed as a model of uncertain systems, which is specifically defined as follows.
Definition 4 (see [16]). A GPDP is a tuple with six elements M = (S, Act, P, I, AP, L) where (1) S is a countable, nonempty set of states; (2) Act is a set of actions; (3) P: S × Act × S → [0, 1] is a transition possibility function such that for all states s ∈ S and actions α ∈ Act, there is a state t ∈ S such that P(s, α, t) > 0; (4) I : S → [0, 1] is a possibilistic initial distribution function, with an existing state s such that I(s) > 0; (5) AP is a set of atomic propositions; (6) L: S × AP → [0, 1] is a possibilistic labeling function, where L(s, a) denotes the possibility or truth value of the atomic proposition a that is supposed to hold in s.
An action α is considered enabled in state s if and only if t∈S P(s, α, t) > 0. We define Act(s) as the set of actions enabled in state s. It is a requirement that for any state s ∈ S, the set Act(s) ≠ ∅. We refer to each state t for which P(s, α, t) > 0 as an α-successor of s.
P_α is also called the fuzzy possibility α-transition matrix of M.

(2) The direct successors and predecessors of a state can be defined as follows. For a given state s ∈ S, an action α ∈ Act, and a subset T of states from S, the possibility of transitioning from state s to a state in T via action α is denoted as P(s, α, T), i.e., The set of α-successors of a state s, denoted as Post(s, α), can be defined as follows. Post(s, α) represents the collection of states that can be reached from state s by taking action α, i.e., It should be noted that the set of α-successors of state s satisfies Post(s, α) = ∅ if and only if action α is not a member of the enabled action set Act(s). On the other hand, the set Pre(t), which consists of the pairs (s, α) where state s belongs to S and action α belongs to Act(s) such that t ∈ Post(s, α), can be expressed as follows.

Then, the state space of M is S = {s_0, s_1, s_2, s_3}; state s_0 is the only initial state, i.e., I(s_0) = 1 and I(s_1) = I(s_2) = 0; the set of atomic propositions is AP = {A, B}; the sets of enabled actions are Act(s_0) = {α, β} with P(s_0, α, s_1) = 0.7, P(s_0, β, s_2) = 0.4; Act(s_1) = {α, β} with P(s_1, α, s_1) = 1, P(s_1, β, s_0) = 0.6, P(s_1, β, s_2) = 0.3; Act(s_2) = {α, β} with P(s_2, β, s_2) = 0.8, P(s_2, α, s_0) = 0.5, P(s_2, α, s_1) = 0.7; the labeling functions are L(s_0, A) = 0.6, L(s By using the state order s_0 < s_1 < s_2, the matrix P and the vector I are given by:

Definition 5 (Path in a GPDP). In a GPDP M = (S, Act, P, I, AP, L), an infinite path fragment is an infinite sequence s_0 α_1 s_1 α_2 s_2 α_3 ⋯ ∈ (S × Act)^ω satisfying the condition that P(s_i, α_{i+1}, s_{i+1}) > 0 for all i ≥ 0.
A finite path fragment is any finite prefix of π that ends in a state.

Reasoning about the possibilities of path sets in a GPDP relies on the resolution of uncertainty. This resolution is performed by a scheduler. Once α has been chosen, there are no constraints imposed on the possibilistic choice that is resolved.

Definition 6 (Scheduler). In a GPDP M = (S, Act, P, I, AP, L), a scheduler for M is a function

Definition 7. Let M be a GPDP with state space S. A scheduler S on M is memoryless if and only if for each sequence s_0 s In this case, S can be viewed as a function S : S → Act. Stated in words, a scheduler S is memoryless if it always simply selects one alternative (i.e., action) per state while ignoring all others.
Example 2. For instance, the scheduler S_α always selects the action α in state s. The scheduler S_β always selects the action β in state s, as shown in Figure 3.

Let S be a scheduler that selects action α when returning from state u, and action β otherwise. Thus, S(s It is important to note that this scheduler makes decisions based on the one-but-last visited state. In states u and t, the only enabled action γ is chosen. The GPDP M_{S_β} can be represented as an infinite chain:

where Pref(π) = {π̂ | π̂ is a finite prefix of π}. Then, as shown in [10], Ω = 2^{S-Paths(M)} is an algebra generated by {Cyl(π̂) | π̂ ∈ S-Paths_fin(M)} on S-Paths(M). That is to say, Ω = 2^{S-Paths(M)} is the unique subalgebra of 2^{S-Paths(M)} that is closed under arbitrary unions and arbitrary intersections and contains {Cyl(π̂) | π̂ ∈ Pref(π)}.
Definition 9. For a GPDP M, a function Po_M : S-Paths(M) → [0, 1] is defined as follows: for any

Hence, the execution sequence is

Then, we have a well-defined function. Po_M is called the generalized possibility measure over Ω = 2^{S-Paths(M)}.
Under a GPDP, the semantics of a GPoLTL formula are related to schedulers, possibility information, and fuzzy logic on the set of atomic propositions AP. We give the semantics of GPoLTL in two aspects in the following.

Definition 11. Let ϕ be a GPoLTL formula. The language semantics of ϕ over the alphabet Σ = [0, 1]^AP (or Σ = l^AP for some finite subset l ∈ [0, 1]) is a fuzzy ω-language; i.e., S_ϕ :

Then, the GPoLTL language semantics of an uncertain CPS is defined as follows.
For any path, the path semantics of GPoLTL with schedulers are interpreted as

For a path formula ϕ, its semantics depend on the schedulers, and its path semantics over M are

The until operator allows derivation of the temporal modalities ♦ ("eventually", sometimes in the future) and ("always", from now on forever) as usual.
Let Q be an uncertain CPS model operating under a specific scheduler. π represents an execution trace of Q, while ϕ denotes an attribute description formula. The notation ||ϕ||(π) represents the execution trace of Q that satisfies the attribute ϕ. In other words, ||ϕ||_Q : Paths(Q) → [0, 1] quantifies the possibility of Paths(Q) satisfying the attribute ϕ. Here, π refers to an infinite path, π ∈ Paths(Q), which can be expressed as π = s_0 s_1 s_2 ⋯. π^j denotes the suffix of the trace starting from step j, i.e., π^j = s_j s_{j+1} ⋯. The value of the variable y in step j of π is denoted as V = (π, j, y).
In the uncertain CPS system Q, an infinite path is expressed as π = s_0 s_1 s_2 ⋯ ∈ S^ω, and a finite path is denoted as π = s_0 s_1 ⋯ s_n (n ∈ N). The notation Paths(Q) denotes the set of infinite paths in the uncertain CPS system Q, while Paths_fin(Q) represents the set of finite paths.

Definition 13. For a GPDP without terminal states, i.e., for any state s there exists a state t such that P(s, t) > 0, the trace of the infinite path fragment π = s_0 α_0 s To simplify notation, we use L(π) to represent the trace of the infinite path π. Similarly, for a finite path fragment π = s_0 α_0 s

The execution of a system model starts from an initial state and serves as a means to validate the model. During each step of execution, the model selects a single enabled action from the current state, and the actions are executed in an uncertain order.
The dynamic execution trace π of an uncertain CPS can be represented as either a finite or an infinite sequence:

Here, each state s_i is connected to the next state s_{i+1} by an action label l_i. The sequence can continue indefinitely if it is an infinite trace, capturing the ongoing behavior of the system. In this representation, s_k = ⟨p_k, v_k⟩ represents the state of the system, where p_k is the control mode of the system and v_k is the current variable value. Additionally, l_k indicates the duration of time that the system stays in state s_k. This trace captures the sequence of states, control modes, variable values, and durations of the system's behavior over time.

Definition 14. Let P be a fuzzy linear-time property over AP and M = (S, Act, P, I, AP, L) be a finite GPDP without terminal states. Then the possibility that M = (S, Act, P, I, AP, L) satisfies P at state s, denoted by Po^S(s |= P), is defined as
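As an added example (not code from the paper or its authors), the GPDP of Example 1 in Python: it derives Act(s), Post(s, α), Pre(t) and the fuzzy transition matrix P_α of Definition 4, and computes the possibility of reaching a state set B (Definition 14) under the memoryless schedulers S_α and S_β of Example 2 by a max-min fixpoint. Because the formula of Definition 9 is not reproduced above, the example assumes the usual min-combination of initial and transition possibilities along a path and sup over sets of paths; the state s_3 of Example 1 has no listed transitions and is omitted.

```python
"""Added example (not from the paper): the GPDP of Example 1 as a small
Python model, with enabled actions, alpha-successors, predecessors, the
fuzzy transition matrix, and max-min reachability under a scheduler."""

# Constructed from the transition possibilities listed in Example 1.
STATES = ["s0", "s1", "s2"]                 # state order s0 < s1 < s2
ACTIONS = ["alpha", "beta"]
INIT = {"s0": 1.0, "s1": 0.0, "s2": 0.0}    # possibilistic initial distribution I
P = {   # (s, action, t) -> P(s, action, t); transitions not listed are 0
    ("s0", "alpha", "s1"): 0.7,
    ("s0", "beta", "s2"): 0.4,
    ("s1", "alpha", "s1"): 1.0,
    ("s1", "beta", "s0"): 0.6,
    ("s1", "beta", "s2"): 0.3,
    ("s2", "beta", "s2"): 0.8,
    ("s2", "alpha", "s0"): 0.5,
    ("s2", "alpha", "s1"): 0.7,
}


def poss(s, a, t):
    """P(s, a, t), with 0 for transitions the example does not list."""
    return P.get((s, a, t), 0.0)


def enabled(s):
    """Act(s): the actions a with sup_t P(s, a, t) > 0 (Definition 4)."""
    return [a for a in ACTIONS if max(poss(s, a, t) for t in STATES) > 0]


def post(s, a):
    """Post(s, a): the a-successors of s."""
    return [t for t in STATES if poss(s, a, t) > 0]


def pre(t):
    """Pre(t): the pairs (s, a) with t in Post(s, a)."""
    return [(s, a) for s in STATES for a in enabled(s) if t in post(s, a)]


def transition_matrix(a):
    """Fuzzy possibility a-transition matrix P_a, rows and columns in state order."""
    return [[poss(s, a, t) for t in STATES] for s in STATES]


def path_possibility(path):
    """Possibility of a finite path fragment [s0, a1, s1, ..., an, sn].

    Assumed (Definition 9's formula is not reproduced on the page): the initial
    possibility and every transition possibility are combined with min.
    """
    states, actions = path[0::2], path[1::2]
    value = INIT[states[0]]
    for s, a, t in zip(states, actions, states[1:]):
        value = min(value, poss(s, a, t))
    return value


def reach_possibility(scheduler, target, steps=100):
    """Po^S(s |= eventually B) for every state s under a memoryless scheduler.

    `scheduler` maps each state to the one action it always chooses.  A path
    has the min of its transition possibilities and a set of paths the sup of
    its members, so the values are the least fixpoint, iterated from 0, of
        x[s] = 1                                 if s in B
        x[s] = max_t min(P(s, S(s), t), x[t])    otherwise
    """
    x = {s: (1.0 if s in target else 0.0) for s in STATES}
    for _ in range(steps):
        new = {}
        for s in STATES:
            if s in target:
                new[s] = 1.0
            else:
                a = scheduler[s]
                new[s] = max(min(poss(s, a, t), x[t]) for t in STATES)
        if new == x:          # fixpoint reached (values come from a finite set)
            break
        x = new
    return x


def best_reach_possibility(target, steps=100):
    """Best memoryless scheduler: same fixpoint, but each state may pick any enabled action."""
    x = {s: (1.0 if s in target else 0.0) for s in STATES}
    for _ in range(steps):
        new = {s: 1.0 if s in target else
               max(min(poss(s, a, t), x[t]) for a in enabled(s) for t in STATES)
               for s in STATES}
        if new == x:
            break
        x = new
    return x


def initial_reach_possibility(scheduler, target):
    """Possibility that M under S reaches B, combined with the initial distribution I."""
    x = reach_possibility(scheduler, target)
    return max(min(INIT[s], x[s]) for s in STATES)


# The memoryless schedulers of Example 2: S_alpha always picks alpha, S_beta always beta.
S_ALPHA = {s: "alpha" for s in STATES}
S_BETA = {s: "beta" for s in STATES}

if __name__ == "__main__":
    print(reach_possibility(S_ALPHA, {"s2"}))   # s2 is unreachable from s0 under S_alpha
    print(reach_possibility(S_BETA, {"s2"}))
```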

Extension of an Uncertain CPS Model
The Uncertain CPS Extended Model describes a CPS as a complex embedded network system that integrates physical, computing, and interactive entities. The motion process in the physical world is represented using dynamic time continuity. Meanwhile, the system behavior is modeled using a finite state machine to capture event-driven discrete processes in the computational world [4]. This paper aims to perform CPS modeling and simulation by employing the uncertain hybrid timed automaton. In this way, not only can informatization and discretization be effectively achieved, but also the physicalization and continuation of the discrete-event model can be realized.

Differential Equation Modeling Based on Time
In an uncertain CPS, the state of a physical entity exhibits clear, continuous dynamics, with its state transformation relying on continuous time [17].

For instance, let us consider the thermostat state model (as depicted in Figure 4) as an example. By utilizing time-based differential equations, the dynamic behavior of an uncertain CPS can be modeled in the following manner. In Equation (23), the temperature variable T represents a continuous-time variable, with the constraint (T 40 °C). It is important to note that the dynamic behavior follows a linear pattern, with k_1 representing a constant quantity. Equation (24) describes the dynamics of temperature change, with k_2 also being a constant quantity.

Hybrid Timed Automaton Modeling Based on Uncertainty
Uncertainty is crucial in the operation of a CPS [19]. CPS components are interconnected rather than isolated. Modeling a CPS solely using the embedded control approach is inadequate due to the close integration of software and hardware [18]. To address this challenge, introducing a clock invariant and incorporating the notion of possibility into the classic hybrid automaton becomes necessary. This approach helps resolve the issue of closeness and enables the definition of an uncertain hybrid timed automaton system model.

Uncertain CPS Dynamic Verification and Analysis
A reactive CPS can be affected by factors like fairness issues, input/output handling, and system execution correctness. These problems can be addressed with temporal logic, which is a very effective formal method. Fuzzy temporal logic extends propositional and predicate logic, since it takes the infinite feedback behavior of an uncertain CPS into consideration. A fuzzy (or possibilistic) temporal logic, say, the fuzzy linear-time property (LT property), provides an intuitive and accurate annotation system for establishing relationships and execution as well.

Activity
Activity indicates that something good will eventually happen in the operation of an uncertain CPS. Checking whether an attribute satisfies the activity involves evaluating whether a model fulfills the properties specified by temporal logic. GPoLTL is used in this paper to describe the activity. The definition of GPoLTL suggests that there are four types of activity, namely, eventually reachability, always reachability, repeated reachability, and persistence reachability.

Remark 4.
(1) Eventually reachability can be represented by the "eventually" operator, which is symbolized as ♦. The "eventually" operator can be nested to enforce a sequence of events in a specific order. When an assignment on a path satisfies a formula ϕ, it means that the path conforms to the GPoLTL formula ♦ϕ. For example, if an assignment in the path π = (x_1, y_1)(x_2, y_2) ⋯ satisfies the expression (x = y), indicating that x_j = y_j for some j, the path π satisfies the GPoLTL formula ♦(x = y). Thus, the formula ♦(x = y) represents the requirement that eventually, at a certain step, the values of the variables x and y are equal.

(2) Always reachability is represented by the "always" operator, which is symbolized as . When all assignments on the path meet the requirement of ϕ, the path satisfies the GPoLTL formula ϕ. For instance, if all assignments on the path π = (x_1, y_1)(x_2, y_2) ⋯ satisfy the expression (x = y), meaning that x_j = y_j for each j, then the path satisfies the GPoLTL formula (x = y). That is to say, the formula (x = y) represents the requirement that the variables x and y should always be equal.

(3) Repeated reachability is represented by the "always-eventually" operator, which is symbolized as ♦ϕ. If every position i on the path satisfies the formula ♦ϕ, it implies that for each position i there exists a future position j ≥ i where ϕ is satisfied. Moreover, there exists an infinite sequence of positions j_1 < j_2 < j_3 ⋯ where ϕ is satisfied at each position. In simpler terms, if ϕ is satisfied recursively or repeatedly, then the formula ♦ is satisfied. For instance, the path π = (x_1, y_1)(x_2, y_2) ⋯ satisfies the recursive formula ♦(x = 0) if x_j = 0 for an infinite number of positions j, i.e., x needs to be repeatedly assigned 0.

(4) Persistence reachability is represented by the "eventually always" operator, which is expressed as ♦ ϕ. If there exists a position j that satisfies the always formula ϕ, meaning that every position after j satisfies ϕ, then ♦ ϕ is satisfied. In other words, the formula ♦ ϕ must be continuously satisfied and held. For example, if for a specific position j every k ≥ j satisfies x_k = 0 (or x is not equal to 0 only for a finite number of positions), then the path π = (x_1, y_1)(x_2, y_2) ⋯ satisfies the persistence formula ♦ ϕ(x = 0).
An uncertain CPS is a system that incorporates a perception and control feedback loop to achieve repeated environmental perception for controlling physical equipment. In an uncertain CPS, each program within the system will repeatedly enter its key part. The key part represents the state of the system, denoted as s_i, forming an execution trace π, which can be a finite or infinite sequence:

The system needs to run continuously to maintain its activity. The primary challenge lies in calculating the measure of the system satisfying the desired path to a specific state set B. Then, ♦B, B, ♦B, ♦ B can be regarded as fuzzy linear properties on the set of states s. The definition is as follows: With a given GPDP and fuzzy linear property P, calculate the probability that the path with scheduler S satisfies P. We consider four properties, namely, eventually reachability, always reachability, repeated reachability, and persistence reachability.

along that path, the satisfaction of ♦ϕ at position (π, i) is equivalent to the satisfaction of ♦ϕ at position (π, j). Please note that these equivalences have been provided in a more concise form. For a detailed explanation and proof, please refer to the specific reference [27] mentioned.

Safety of the Fuzzy Regular Language
The safety possibility measure of a fuzzy regular language is determined by assessing whether the language satisfies the defined safety requirements. It involves analyzing the behaviors exhibited during limited execution and verifying whether they violate the specified requirements. The aim is to ensure that no harmful or unwanted outcomes occur. This analysis helps in evaluating the degree of possibility for the fuzzy regular language to be considered safe, based on the absence of bad prefixes in infinite strings that satisfy the LT property P_safe [10].

This study analyzes nonconforming behaviors using limited execution to verify whether they violate safety requirements. Safety requirements aim to prevent any undesirable outcomes.

In classic examples, the security property is defined such that if any infinite string σ in the LT property P_safe does not contain a bad prefix, then this LT property is considered safe (i.e., σ ∈ P_safe). In general, we can express this property as follows.

Let P_safe be a fuzzy LT property. If, for every σ ∈ P_safe, there exists a finite prefix σ_i (where i ∈ N) such that every infinite string σ in the form , where θ_i belongs to the set σ_i, is contained in P_safe, then the fuzzy language Σ* → [0, 1] satisfying P_safe is considered safe. Here, each finite string σ_i is referred to as a good prefix of P_safe. In other words, if every string σ in P_safe can be extended indefinitely by appending symbols from its corresponding good prefix σ_i, and all resulting infinite strings are also contained within P_safe, then the fuzzy language Σ* → [0, 1] satisfying P_safe is deemed safe.

Definition 17. Let H_P = (I, O, T, Init, M, {A_x | x ∈ I}, {A_y | y ∈ O}, A, CI) represent an uncertain hybrid timed automaton, and N = (Q, Σ, δ, J, F) denote a fuzzy finite automaton. The tensor product of these two automata is defined as

Here, for any (m, q) ∈ M × Q, A'(m, q) = (m, q), I'(m, q) = I(m) ∧ q_0∈Q J(q_0) ∧ δ(q_0, A(m), q). The transfer possibility distribution of H_P ⊗ N is given by P_safe((m, q), (m', q')) = P_safe(m, m') ∧ δ(q, A(m'), q').

Theorem 1. Suppose that P_safe is a fuzzy regular safety attribute that ensures the acceptance of Pref(P_safe) by a deterministic fuzzy finite automaton N. H_P represents an uncertain hybrid timed automaton, where m is a state within H_P. Then, Po_{H_P}(m |= P_safe) = Po_{H_P ⊗ N}((m, q_m) |= B), where q_m = δ(q_0, A(m)) and B = M × F = ∑_{m∈M, q∈Q} F(q)/(m, q).

In this context, we are considering a scenario in which P_safe guarantees that the requirements specified by Pref(P_safe) are fulfilled by the deterministic fuzzy finite automaton N. In simpler terms, for any state (m, q) in the combined automaton H_P ⊗ N, the value B(m, q) is equal to F(q). This means that the possibility of satisfying P_safe in H_P is determined by the possibility of satisfying the corresponding property B in the tensor product, where B is calculated based on the states and accepting states of N. For a more detailed understanding and comprehensive analysis, it is recommended to refer to the specific literature [10] mentioned.

Theorem 2. Suppose P_safe is a fuzzy ω-regular property, guaranteeing that it is accepted by the fuzzy Büchi finite automaton N, denoted as A_ω(N) = P_safe. In this case, we can define Po_{H_P}(m |= P_safe) = P_{H_{P,m} ⊗ N}(I |= ♦B), where B = M × F = ∑_{m∈M, q∈Q} F(q)/(m, q).

• The system does not have any input variables.

• The system includes an output variable, T, of continuous type (cont type, in short) that undergoes continuous changes over time.

• The system has a discrete state variable, M, which can take values from the set {cooling, heating}.

• There is an initial possibility value assigned to the variable M, which is set to cooling. The initial possibility value for T can be any value within the range of 30

• There is no discrete action involved in transmitting the temperature value as an output task.

• Two internal tasks are present for two-mode switching. The first task guards the condition (M = cooling ∧ T 32 °C) and updates M to heating. The second task guards the condition (M = heating ∧ T 38 °C) and updates M to cooling.

• The output variable T is identical to the state variable T.

• The derivative of T is defined as −k_2 if the value cooling is assigned to M, otherwise it is defined as k_1(40

The continuous time invariant CI is defined as M = cooling implies T 30 °C and M = heating implies T 40 °C. The thermostat operates in two modes: (1) when M is set to heating, the heater is activated, and (2) when M is set to cooling, the heater is turned off. In the heating mode, the initial temperature value generates a unique response signal, reflecting how the temperature changes over time based on the continuous temperature variation described by the differential equation Ṫ = k_1(40 °C − T). It is important to note that the system can only remain in the heating mode if the constraint (T 40 °C) is satisfied. If the constraint is violated, the mode must be switched to the cooling mode. The condition (T 38 °C) ensures the mode switching, meaning that whenever the temperature exceeds 38 °C, the mode will immediately switch to cooling.
When the thermostat is in cooling mode, the temperature follows the differential equation Ṫ = −k 2 , resulting in a linear decrease over time.If the temperature falls below 30 • C, the system must switch to the heating mode to meet the constraint (T 30 • C).The mode switching from cooling to heating occurs whenever the temperature drops below 32 • C, as indicated by the guard condition (T 32 • C).It is important to note that the system temperature ranges between 30 • C and 40 • C, which is influenced not only by the temperature itself but also by the system's state.When the temperature is around the desired set value, there may be small fluctuations or jitter caused by the switching on or off of the heater.This jitter occurs because the system is trying to maintain the temperature within a narrow range.As the temperature approaches the set value, the heater may turn on to raise the temperature or turn off to prevent overheating.However, the overall strategy of switching between cooling and heating modes effectively manages these fluctuations .
In this thermostat model, mode switching takes place at unpredictable times.This means that, even with a fixed initial temperature, there are multiple possible operational scenarios.The presence of uncertain transitions is particularly valuable for modeling malfunctions in CPS where fault information may be unavailable.

Simulation Based on Ptolemy II
Ptolemy II, an open-source modeling and simulation tool, stands out from other modeling tools by supporting hierarchical modeling of heterogeneous systems, which makes it a suitable environment for designing uncertain CPS. In this study, Ptolemy II is used to model a CPS thermostat with uncertainty and failure, as depicted in Figure 5. In the heating state of the finite state machine (FSM), both outgoing transitions are enabled whenever their guards are simultaneously true; the two uncertain transitions are highlighted in red.
The results of executing the uncertain thermostat model are presented in Figures 6 and 7. Note that the heater is activated only for brief periods, keeping the temperature around the 30 °C threshold. The initial temperature of the system ($T_0$) is set within the range 30 °C to 40 °C, and the system mode is initially cooling. Taking $T_0 = 40\,°\mathrm{C}$, $k_1 = 0.1$ and $k_2 = 0.05$ as constants (both positive, so that $\dot{T} = -k_2$ is a decrease), the execution of the thermostat process divides into two kinds of stage: cooling and heating. Within each stage the mode is unchanged while the temperature varies continuously according to the differential equation of the current mode; every mode switch is a discontinuous change of the system's discrete state. If the system switches to cooling mode at time $t^*$ with temperature $T^*$, the temperature follows $T(t) = T^* - k_2(t - t^*)$ until the next mode switch. Assuming $T^* \ge 32\,°\mathrm{C}$, the process remains in cooling mode for a duration between $(T^* - 32)/k_2$ and $(T^* - 30)/k_2$ seconds: the guard T ≤ 32 °C is enabled at the lower bound, and the invariant T ≥ 30 °C forces the switch at the upper bound.
Correspondingly, if the system switches to heating mode at time $t^*$ with temperature $T^*$, the temperature follows $T(t) = 40 - (40 - T^*)e^{-k_1(t - t^*)}$ until the next mode switch. Assuming $T^* \le 38\,°\mathrm{C}$, the guard T ≥ 38 °C can fire only once $40 - (40 - T^*)e^{-k_1\tau} = 38$, so the process remains in heating mode for at least $\tau = \ln\!\big((40 - T^*)/2\big)/k_1$ seconds. Because the temperature approaches 40 °C only asymptotically, the invariant T ≤ 40 °C is never violated, and the system may stay in heating mode indefinitely.
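The following simulation is an added example and not part of the original paper or its Ptolemy II model. It encodes the two-mode thermostat described above (the ODEs, the guards T ≤ 32 °C and T ≥ 38 °C, and the invariants T ≥ 30 °C and T ≤ 40 °C) and computes the dwell-time bounds derived in this section; the constants $k_1 = 0.1$ and $k_2 = 0.05$ are taken from the example run, while the fixed time step, the random switching policy that stands in for the nondeterministic switch time, and the trace checker are this example's own assumptions.

```python
"""Two-mode thermostat as an uncertain hybrid timed automaton (added example).

Model data follow the text: cooling has dT/dt = -k2 with invariant T >= 30,
heating has dT/dt = k1*(40 - T) with invariant T <= 40, and the internal
switch tasks are guarded by T <= 32 (cooling -> heating) and T >= 38
(heating -> cooling).  The step size, the random switch policy and the
trace checker are assumptions of this example, not the paper's.
"""
import math
import random

T_MIN, T_MAX = 30.0, 40.0     # invariants: cooling -> T >= T_MIN, heating -> T <= T_MAX
G_HEAT, G_COOL = 32.0, 38.0   # guards: cooling->heating at T <= G_HEAT, heating->cooling at T >= G_COOL
K1, K2 = 0.1, 0.05            # constants of the example run; both positive


def flow(mode, T, dt):
    """Closed-form solution of the current mode's ODE over a time action of length dt."""
    if mode == "cooling":
        return T - K2 * dt                               # dT/dt = -k2
    return T_MAX - (T_MAX - T) * math.exp(-K1 * dt)      # dT/dt = k1 * (40 - T)


def invariant(mode, T):
    """Clock invariant CI for the given mode."""
    return T >= T_MIN if mode == "cooling" else T <= T_MAX


def guard(mode, T):
    """True when the internal mode-switch task is enabled in this mode."""
    return T <= G_HEAT if mode == "cooling" else T >= G_COOL


def dwell_bounds(mode, T_star):
    """(earliest, latest) exit time after entering `mode` at temperature T_star.

    cooling: the guard enables at 32 and the invariant forces the exit at 30.
    heating: the guard enables when 40 - (40 - T*) e^{-k1 tau} = 38, i.e.
             tau = ln((40 - T*)/2)/k1; T never reaches 40, so no exit is forced.
    """
    if mode == "cooling":
        return (max(0.0, (T_star - G_HEAT) / K2), (T_star - T_MIN) / K2)
    earliest = max(0.0, math.log((T_MAX - T_star) / (T_MAX - G_COOL)) / K1)
    return (earliest, math.inf)


def run(T0, horizon, rng, dt=0.5, switch_prob=0.3):
    """One execution: alternating time actions (length dt) and internal switch actions.

    The switch time is nondeterministic: while the guard is enabled the switch is
    taken with probability `switch_prob` per step, and it is forced whenever the
    next time action would violate the invariant.  Returns a trace of (mode, T, t)
    tuples; an internal action repeats t and T with the new mode.
    """
    mode, T, t = "cooling", T0, 0.0
    trace = [(mode, T, t)]
    while t < horizon:
        nxt = flow(mode, T, dt)
        if guard(mode, T) and (rng.random() < switch_prob or not invariant(mode, nxt)):
            mode = "heating" if mode == "cooling" else "cooling"
            trace.append((mode, T, t))
            continue
        if not invariant(mode, nxt):
            # cannot happen in this model: the guard is enabled before the invariant is at risk
            raise RuntimeError("time action would violate the clock invariant")
        T, t = nxt, t + dt
        trace.append((mode, T, t))
    return trace


def trace_is_valid(trace):
    """Every state satisfies CI, and every switch was taken with its guard enabled."""
    for (m0, T0, t0), (m1, T1, t1) in zip(trace, trace[1:]):
        if m0 != m1:                          # internal action: no time passes, guard must hold
            if t0 != t1 or T0 != T1 or not guard(m0, T0):
                return False
        elif not invariant(m1, T1):           # time action: invariant must hold afterwards
            return False
    return True


if __name__ == "__main__":
    tr = run(40.0, 400.0, random.Random(1))
    switches = [(m, round(T, 2), t) for (m, T, t), (pm, _, _) in zip(tr[1:], tr) if m != pm]
    print("trace valid:", trace_is_valid(tr))
    print("mode switches (mode entered, T, t):", switches)
    print("cooling dwell bounds from 36 C:", dwell_bounds("cooling", 36.0))
    print("heating dwell bounds from 31 C:", dwell_bounds("heating", 31.0))
```

The forced-switch branch in `run` is where the invariant does its work: the guard only enables the switch, and it is the invariant T ≥ 30 °C that makes the cooling stage end no later than $(T^* - 30)/k_2$ after it began, while in heating the invariant never binds because the flow only approaches 40 °C.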

Uncertain CPS Dynamic Execution Based on the Hybrid Timed Automaton
The results of the uncertain CPS thermostat model in Figures 6 and 7 show one possible execution of the CPS in the hybrid timed automaton, starting from the initial state. At each step the execution performs an input action, an output action, an internal action or a time action. A dynamic execution sequence of the model, alternating time actions and internal actions, is shown as follows: (cooling, 36) During each time action, the hybrid process continuously emits the temperature value as output. For example, in the first time action, lasting 0.14 units of time, the temperature signal is $T(t) = 36 - 0.05t$; in the second time action, of duration 0.1 units of time, the temperature signal is $T(t) = 40 - 9e^{-0.1t}$.
A CPS combines the event-driven, discrete behavior model of a state machine with a time-based dynamic continuous model. This integration refines the current state of an uncertain hybrid timed automaton by relating the dynamic behavior of the output to the dynamic behavior of the next input [4]. In most CPS applications a clock variable measures the system's dynamic changes at specific times; the clock variable evolves linearly with time, which lets the timed automaton describe both simple and complex systems in terms of the clock.
In conclusion, the behavior of the system depends on the mode it operates in, cooling or heating. The precise mechanism and algorithm for mode switching may vary with the system's complexity. Real-world implementations might add factors such as hysteresis, which prevents frequent mode toggling, and feedback control loops to ensure stable and efficient temperature regulation. These details give a deeper understanding of the cooling and heating modes, their respective temperature dynamics, and the conditions that determine their activation and duration.
This paper integrates the uncertainty of intelligent thermostats in typical feedback control systems in CPS based on the framework of generalized possibility measures.It demonstrates the application of model checking techniques in the decision-making process under generalized possibility and analyzes how uncertain CPS can integrate physical systems with digital intelligence, real-time data analysis, and autonomous decision-making to enhance efficiency, reliability, and performance in various environments.However, there are certain limitations.In the next steps, we will combine possibility model checking techniques and their related attributes, along with specific real-world examples, to investigate the uncertainty of CPS in complex uncertain environments.

Conclusions
This paper presents the modeling and verification of uncertain CPS based on decision processes, building upon a previous international conference paper [27].Considering the complexity and uncertainty factors in real-life scenarios, along with the uncertainty and dynamic characteristics of CPS, this paper proposes new methods for handling uncertain data using possibility processing.We first introduce the concept of GPDP to describe uncertain CPS behavior.Furthermore, we define the syntax and semantics of CPS using GPoLTL with decision processes.The theoretical validation of the system's liveness and safety properties is performed, and a model checking algorithm is presented.Finally, an intelligent thermostatic system is modeled, and simulation experiments are conducted.The dynamic continuous properties of the system are described using time-based differential equations, and the modeling of uncertain hybrid systems is represented using time-based state machines, allowing for the refinement of each state using time-based state refinement [28].This paper ensures the consistency between theory and experiments by combining both approaches.
The uncertainty in CPS is effectively addressed by utilizing the uncertain hybrid timed automaton as a formal modeling tool.The establishment of a formal modeling language using GPoLTL for uncertain CPS attributes is a significant contribution.This language enables precise specification and reasoning about uncertain CPS properties, facilitating a thorough analysis of system behavior.The syntax and semantics of GPoLTL are precisely defined, providing a solid foundation for reasoning about uncertain CPS.The utilization of possibility measure calculation in the proposed model serves as a means of verification.This approach quantitatively measures the likelihood of different system behaviors, considering the uncertainties present in the CPS.By incorporating possibility measures, the model enhances the verification process, providing a more comprehensive understanding of system reliability, liveness, and safety properties.
This study effectively utilizes decision processes to address the problem of handling possibility information in uncertain CPS.It not only mitigates the issue of state space explosion but also provides a solution for dealing with possibility information in CPS.This provides a significant opportunity for advancing the design of uncertain CPS and holds great importance in the study of uncertainty in CPS within complex systems.While this research has shed light on several important aspects, it has also raised numerous questions that warrant further investigation.Future studies should delve into exploring uncertainty in CPS within the context of fuzzy mathematics, while considering the relevant properties of its algorithm and computation tree logic.

(2) By introducing clock invariants, the CPS model is extended on the basis of time differential equations and the uncertain hybrid timed automaton, yielding the uncertain CPS extended model;
(3) Based on possibility measure theory and the syntax and semantics of generalized possibility linear temporal logic for CPS, the liveness and safety of the uncertain CPS extended model are verified dynamically, and the execution path of the extended model is optimized according to the dynamic verification results;
(4) Existing modeling tools are used to model and simulate the uncertain CPS extended model, to analyze its dynamic execution process, and to refine its dynamic behavior output on the basis of that analysis.

Example 1.
Figure 2 depicts a 3-state GPDP M, where a circle represents a state, the symbol outside the circle is the state name, the symbol inside the circle gives the truth value of the atomic proposition in that state, a labeled arc represents a transition, and the circle with an incoming arrow is the initial state.
The set $Paths(s)$ is the collection of infinite path fragments starting in state s, and $Paths_{fin}(s)$ the set of finite path fragments starting in s. Let $Paths(M) = \bigcup_{s \in S} Paths(s)$ and $Paths_{fin}(M) = \bigcup_{s \in S} Paths_{fin}(s)$.

Definition 16.
Suppose that Q is an uncertain CPS model and φ a GPoLTL formula. The possibility measure that Q satisfies φ, denoted $Po(Q \models \varphi)$, is defined as $Po(Q \models \varphi) = Po_s\{\pi \in Paths(s) \mid \pi \models \varphi\}$. Here $B \subseteq S$ is a state set of the uncertain CPS model, represented as a fuzzy set by the membership function $B : S \to [0, 1]$. Reachability analysis with the GPDP Q as the system model computes the possibility of reaching the state set B; depending on the property, B is either a set of bad states that should be visited rarely or a set of good states that should be visited repeatedly.
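The reachability computation behind Definition 16 can be carried out on a small GPDP as follows. This is an added example, not the paper's algorithm or the GPDP of Figure 2, whose transition degrees are not reproduced on this page; the 3-state GPDP below is constructed for illustration. It assumes the max–min semantics of possibility measures that this section does not restate: a path's possibility is the minimum of its transition degrees, the possibility of a set of paths is their supremum, and the nondeterministic action choice of the decision process is resolved by either the best or the worst scheduler.

```python
"""Possibility of reaching a (fuzzy) state set B in a small GPDP (added example).

The GPDP below is constructed for illustration and is not the paper's Figure 2.
Assumed semantics: path possibility = min of its transition degrees, possibility
of a path set = sup, action choice resolved by the best (optimistic) or the
worst (pessimistic) scheduler.
"""

# TRANS[s][a] = {s2: possibility degree of s --a--> s2}; the degrees need not sum to 1,
# which is exactly the non-additivity that a probability measure cannot express.
TRANS = {
    "s0": {"a": {"s0": 0.4, "s1": 0.9}, "b": {"s2": 0.6}},
    "s1": {"a": {"s1": 1.0, "s2": 0.7}},
    "s2": {"a": {"s2": 1.0}},
}
# Fuzzy target set B : S -> [0, 1]; crisp here, only s2 is a "good" state.
B = {"s0": 0.0, "s1": 0.0, "s2": 1.0}


def path_possibility(trans, path):
    """Possibility of a finite path [s0, a0, s1, a1, ..., sn]: the min of its degrees."""
    deg = 1.0
    for i in range(0, len(path) - 1, 2):
        s, a, s_next = path[i], path[i + 1], path[i + 2]
        deg = min(deg, trans[s][a].get(s_next, 0.0))
    return deg


def reach_possibility(trans, target, optimistic=True):
    """Po(s |= <>B) for every state s, as the least fixed point of

        x(s) = max(B(s), SEL_a max_{s2} min(P(s, a, s2), x(s2)))

    with SEL = max for the best scheduler and min for the worst.  Every value is
    drawn from the finite set {B(s)} U {P(s, a, s2)}, and the iteration from x = B
    is monotone, so it terminates with exact equality after finitely many rounds.
    """
    x = dict(target)
    while True:
        new = {}
        for s, actions in trans.items():
            per_action = [max(min(p, x[s2]) for s2, p in succ.items())
                          for succ in actions.values()]
            chosen = max(per_action) if optimistic else min(per_action)
            new[s] = max(target[s], chosen)
        if new == x:
            return new
        x = new


if __name__ == "__main__":
    print("path s0-a->s1-a->s2:", path_possibility(TRANS, ["s0", "a", "s1", "a", "s2"]))
    print("path s0-b->s2:      ", path_possibility(TRANS, ["s0", "b", "s2"]))
    print("best scheduler: ", reach_possibility(TRANS, B))
    print("worst scheduler:", reach_possibility(TRANS, B, optimistic=False))
```

From s0 there are two families of paths into s2, with possibilities 0.7 (via s1) and 0.6 (directly); the possibility of the union is their maximum, 0.7, not a sum, which is the non-additive behaviour the possibility measure is introduced for. The worst scheduler picks action b at s0 and brings the value down to 0.6.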

Figure 6. Temperature variation of the uncertain CPS thermostat model.

Figure 7. Rate variation of the uncertain CPS thermostat model.

Definition 15.
The uncertain hybrid timed automaton $H_P$ is defined by the nine-tuple $H_P = (I, O, T, Init, M, \{A_x \mid x \in I\}, \{A_y \mid y \in O\}, A, CI)$, where:
• $\{A_x \mid x \in I\}$: for each input port x, the input task set $A_x$ describes the input actions by a guard condition on T; the update of an input action is a transition $t \to t'$.
• $\{A_y \mid y \in O\}$: for each output port y, each output task in the output task set $A_y$ defines the update of an output action as a transition $t \to t'$.
• A is the set of internal actions. Each internal action is determined by a guard condition on T and updates the state from the read set T to the write set T; it may also carry an output action, written $t \xrightarrow{\epsilon} t'$.
• CI is the clock invariant, a Boolean expression over the state variable T. Given a state t and a real time δ > 0, if the state $t + \delta'$ satisfies CI for all $0 \le \delta' \le \delta$, then $t \xrightarrow{\delta} t + \delta$ is a time action.