Compositional Thinking in Cyber-Physical Systems Theory

Georgios Bakirtzis University of Virginia Eswaran Subrahmanian Carnegie Mellon University Cody H. Fleming Iowa State University

Abstract—Engineering safe and secure cyber-physical systems requires system engineers to develop and maintain a number of model views, both dynamic and static, which can be seen as algebras. We posit that verifying the composition of requirement, behavioral, and architectural models using category theory gives rise to a strictly compositional interpretation of cyber-physical systems theory, which can assist in the modeling and analysis of safety-critical cyber-physical systems.

APPLIED COMPOSITIONAL THINKING problem of composition between formal methods Lee [2], among others, recognized early in the and their corresponding model views in cyber- development of the field of cyber-physical sys- physical system design [5], [6]. tems that there is a need for developing competing The study of compositionality is not new methods to hybrid systems and process algebras. and certainly not only possible with categories. While this is true, an important observation is For example, compositionality is formalized and that both these formalisms form algebras. In fact, addressed with tools from control theory [7], the design of cyber-physical systems involves the contract-based design [8], or monotone co- study of different algebras (Figure1). design [9]. This is to say that we recognize There is significant research in developing that the cyber-physical systems field has had arXiv:2105.12911v1 [eess.SY] 27 May 2021 these individual algebras and implementing com- a long tradition in formalization for the study position within a particular algebra. However, of correctness and the management of design there is still an open problem about how to complexity. But the idea of category theory in relate those paradigms that in practice represent system science and formal methods is that those individual models and to examine the behavior approaches may be seen as operating implicitly of the system as a whole must be composed too. within a category and making that explicit can be Compositional cyber-physical systems theory [3], of use in developing scalable and general purpose [4] uses category theory to transform data from modeling tools that can operate across categories. one algebra to another and to ultimately relate Recently all these three areas of control [10], them formally, such that we can compose across contracts [4], and co-design [11, chapter 4] have domains. This provides one solution to the open been described, generalized, and unified with fun-

Published by the IEEE Computer Society © IEEE 1 Economics in the Loop

• Humans in the Loop

Environmentals in the Loop

POSSIBLY WITH POSSIBLY WITH Networked & Distributed Wireless Sensing & Actuation

Feedback THAT ARE • Adaptive & Predictive Systems Resilience

Intelligent ARE Cybersecurity Privacy

Real Time Malicious Attack Cyber-Physical REQUIRE • Systems Interoperability Intrusion Detection IMPERILS

IDENTIFIES Models Hazard Analysis Unsafe Control Actions Hybrid & of Computation Heterogeneous Safety Safety Constraint Models Continuous & Discrete

Clock Synchronization HAVE APPLICATIONS IN Losses

Specification, OF Improved Design Tools Modeling, • Networking & Analysis

ENABLES

Modularity Scalability & Composability THAT SUPPORTS THROUGH Design Methodology • & Complexity • Management Synthesis Robotics Consumer

Military Energy Assurance Interfacing with Legacy Systems • Verification Transportation Infrastructure & Validation Certification Communications Health Care

Simulation Smart Buildings Manufacturing

Stochastic Models Physical Security Figure 1: A cyber-physical systems concept map showing what these systems are, what they require, and where they are being used (adapted from Asare et al. [1]). Individual leaf nodes in this context map have been studied in detail but formal relationships between leaf node concepts are still sparse.

damental notions of category theory and mainly results in the field of engineering in general. using the notion of functoriality – structure pre- We will particularly concern ourselves with how serving maps between categories that can trans- research directions in applied category theory late a general syntax to the particular semantics of can be leveraged in system science and formal the application domain. This means that we need methods. Composition can mean different things not reconstruct the progress that has occurred in both depending on the engineering field as well each individual field or model view because we as the particular context in which composition is can use the algebras already in existence, but with studied. In cyber-physical systems the term com- the added benefit that we can compose between position can be understood as either horizontal or categories and, therefore, between model views. vertical. Applied compositional thinking brings for- Horizontal composition is relatively well stud- ward the practical dissemination of categorical ied and refers to things like the block diagram al-

2 gebra widely used in the control community. Ver- system modeling, the SysML V2 standard is a tical composition, in our definition, instead spans glimpse of the possible future of formal and com- different domains; a clear example in the appli- positional methods in a practice where the gap cation of systems modeling and formal methods between requirement, behavioral, and structural is how components compose and are abstracted formalisms is bridged. However, it is not clear or refined between requirements, behaviors, and how this relationship will be formally defined. architectures. In order to do this right we need This shows an increasing need for formal and to formally relate and verify the composition of compositional methods that verify the composi- different types of algebras present in the design tion and scale system models. and analysis of cyber-physical systems (the leaf While there are several applications of cate- nodes of Figure1). At the moment, engineering gory theory in engineering, in this paper we will researchers and practitioners attempt to address examine precisely this gap between requirements, this issue by developing naming spaces and con- behaviors, and architectures from the eye of com- ventions. The need to capture the relationships positional cyber-physical systems theory. This is between heterogeneous system representations in possible because composition here fundamentally contract-based design has led to the notion of gives us modularity and interoperability within vertical contracts [12]. The congruence between and across different types of models for free, our framework and contract-based design is that provided we model things within the stricter contracts in both senses are extensions of be- paradigm of categories and algebras. Specifically, havior types. Across paradigms, as long as types we will show how horizontal and vertical compo- agree, composition is possible. sition can be expressed as a formal method using Each of the individual formalisms or algebras categories. used in the design of cyber-physical systems have had whole fields dedicated to them with steady Compositional Cyber-Physical Systems research progress before and after the term cyber- Theory physical systems came to existence. However, Engineers and system designers use exper- the relationship between those algebras at the tise, intuition and inertia to decide how different moment is either ad-hoc or quasi-formal. Relating analyses factor into higher-level, harder questions algebras formally can lead to new insights, meth- about safety, resiliency, profitability and risk. We ods, and tools for the design of cyber-physical can formalize (some of) that expertise by recon- systems that operate as we expect. structing existing workflows and best practices Specifically, category theory is one mathe- in categorical terms. Though many individual matical tool that can verify the composition of features of cyber-physical systems are formal, differing views and therefore lead to another the relationship between these pieces has not yet dynamical computation systems theory founded been mapped. In general, putting systems together on the recognition that addressing composition is requires two things per Kalman [15]: important in understand the (mis-)behavior of the 1) Getting the physics right. system as a whole. Category theory is the study 2) The rest is mathematics. of mathematical structures from the perspective that, to better determine an object’s purpose and But that sparked Willems [15] to ask if we are us- behavior, we ought to study its relationship with ing the right mathematics to describe the science other objects instead of examining the object only of interconnection and he concludes that we need in itself. Categories are intuitively congruent with to represent systems as algebras. Category theory engineering cyber-physical systems because of goes even further by composing those algebras the existence of both dynamics and computation together. in those systems, which are modeled through a Instead of describing category theory in full, multitude of perspectives that need to be related. we want the reader to focus on the categorical Formal methods have taken an increasingly toolkit and refer to the many formal treatments important role in the design of systems both on the topic, including books such as Fong and in academic [13] and industry [14] settings. In Spivak [11]. However, we will give an intuitive

3 F F C C ,,,,,,,,→ D C C ,,,,,,,,→ D

idA idB idX idA idB idX

A B X A B X

idC idY idC idY

C Y C Y

(a) A functor maps objects. (b) A functor also maps morphisms. Figure 2: A functor is a structure-preserving map.

explanation of the fundamental concepts of cate- product functor, which models processes and/or gory theory. operations that need to happen in parallel. The most general notion of a category is that As a representation of some data in a category, of an algebraic structure on a graph. A category see below a commutative diagram involving ob- contains a collection of objects and a collection jects X, Y , and Z identity morphism on objects, of arrows (including an identity arrow) which can id, as well as two morphisms f and g along with formally be joined by a composition rule. Ex- their composition rule g◦f. amples of useful categories include the category of sets and functions, of graphs and graph trans- idY formations, and of states and transitions between f idX X Y them. g The notion of functoriality between syntax g◦f

and semantics we talked about previously is im- Z idZ plemented through a structure preserving map between categories. Functors are a predefined way The objects and morphisms can take several of tranforming some data and their associated forms, the most familiar of which is perhaps interconnections to another form (figure2). For the category of sets and functions, where objects example, a functor can be taking the powerset are sets and morphisms are functions and com- of a set, where we have predefined operations on position is function composition. The example how to do that between the same category, namely of a category we will use to show the utility the category of sets. We can think of a functor in of category theory in engineering is the labeled the application of cyber-physical system design as boxes and wiring diagrams category [16], where preserving semantics across the currently distinct the objects are empty placeholders for processes, algebras that define different interpretations of and the morphisms are functions or relations that requirements, system behaviors, and system ar- construct input and output interfaces for each chitectures, meaning that they assign a particular labeled box. algebra to a specific model view. By having the mathematical structure of a Often we would like to model operations category it is now possible to translate between happening in parallel when speaking about cyber- model views as long as they form categories and physical systems. The constrained definition of their behavior can be represented as an algebra. a category is capable of modeling sequential This is achieved by defining a precise way, that processes but not parallel ones. A particularly can also be implemented algorithmically, of trans- useful type of category in system science is lating the objects from one category to another one that is monoidal. Monoidal categories extend (Figure 2a) and similarly for the morphisms (Fig- this definition precisely to equip with a tensor ure 2b). An example of a functorial operation

4 ℝ

e ¨ ℝ sensor s dynamics e ¨ s L s L ℝ D ℝ s ℝ C c d ℝ controller d C c D

UAV

3 2 5 ¨ ¨ in ∶ ℝ × ℝ → ℝ , (s , c, s, e, d) ↦ (s, e, s , d, c) 3 ¨ out ∶ ℝ → ℝ, (s , c, s) ↦ s Figure 3: A compositional model of an unmanned aerial vehicle (UAV) requires us to add extra data.   The functions in and out create the interfaces of expected types of inputs and outputs of each box ¨ and then combine them. They are in a sense the architecture of the wiring diagram. In this case s represents the calculated state, s the current state, e the environment, d the desired state, and c the control action. This operation does not tell us what processes actually inhabit the boxes, an additional step is needed by functorially assigning behavior algebras, in this case the algebra of linear time- invariant systems  to each box, parallelizing the operation, and then completely determining the L,C,D (f) operation of the overall box UAV, as in (L) × (C) × (D) ,,,,,,,,,,,,,,,,,,,,,,→ (L ⊗ C ⊗ D) ,,,,,,,,,,,,,,,,,→ (UAV). Both the left and right pictures form wiring diagrams. The left representation is better suited for incorporating this diagrammatic reasoning within modeling tools. between categories of sets is transforming a set sitions are also necessary to construct the desired to its power set. A monoidal functor comes with vertical composition structure. To achieves this, comparison morphisms that involve the tensor we are going to use the slice category of a wiring product, allowing us to use the same idea in diagram to decompose the model to a particular the setting of parallel operations. This might system architecture – the hardware composition seem like new and confusing jargon for those of the embedded system that implements the be- unfamiliar with category theory but once it is haviors we have assigned, particularly for a model understood it allows us to summarize a vast num- of an unmanned aerial vehicle (UAV). Finally, we ber of mathematical techniques as well as formal will restrict the behavior of the system using a methods and system models by allowing us to categorical description of contract-based design assign algebras that contain parallel processes. for behavior. In this respect, we regard contracts We use these algebraic structures to describe as representations of the system requirements. the syntax and semantics for cyber-physical sys- However, note that those requirements operate tems compositionally. We show how a wiring both as restrictions in behavioral and architectural diagram has an architecture; that is, how inter- system models. faces are constructed, and a behavior; that is, The general principle of applied composi- how the notion of functorial semantics takes the tional thinking is the following. architecture – the syntax – and assigns multiple 1) Wiring diagrams define how things ought semantics, in this case of linear time-invariant to be connected and in what way. system models. 2) Algebras assign a particular formalism or In other cases we could use the same struc- behavior to the empty processes (boxes) tures to assign other models of cyber-physical inhabiting the wiring diagram. system behavior, such as labelled transitioned sys- tems or Moore machines. Hierarchical decompo- Wiring diagrams are the theory of the class

5 of systems we want to model but only insofar Adding this extra information is important but as they are assigned a behavioral model through the solution is straightforward: reduce sensor and an algebra (monoidal functor). The implication controller to trivial functions because they will of this statement is that for each wiring diagram, compose to the form of the linear time-invariant we can define many algebras and, therefore, can system representing the dynamics we expect (Fig- capture – in the same arrangement of components ure3). The main benefit of implementing this – a number of formalisms as well as translate algebra machinery is that it uniquely determines between formalisms. Additionally, any algebra is the description of the composite system in terms a monoidal functor from the category of wiring of its subsystems and their interconnections. diagrams to the category of sets. To deal with the One way of assigning requirements to this disparate leaf nodes (Figure1) that are needed for behavior is to translate them into contracts [17], the design of a complete cyber-physical system it [18]. As with behavior using the algebra of con- is useful to work in higher levels of abstraction, tract we can first think of contracts as a relation for example, topological spaces, graphs, vector of inputs and outputs of each box in the wiring bundles, but it is crucial to translate to a realizable diagram. design, which usually means that even if we do Then to each complex arrangement of boxes not do the original operations in the category assign the following pullback, which given sub- of sets, the result should be translatable to the systems contracts produces a composite contract category of sets. of the system model.

Horizontal Composition ∙ RX As an example we model an unmanned aerial vehicle compositionally (Figure3). There are two observations stemming from our UAV example: RY Yin × Xout Xin × Xout   (in,2) 1) The functions in and out create the in-  terfaces of input-output relationships that id× out completely determine the block UAV. Y × Y 2) But by knowing the types and values ex- in out pected at interfaces we do not really know Given an initial contract the preceding cat- how the system transforms this type of data. egorical construction says, given that we have We, therefore, need an algebra  that as- a restriction for my subsystem, namely we can signs precisely the behavior of linear time- write a set of allowable pairs that can be observed invariant systems. as inputs and outputs, we can then calculate A result of doing this categorically is the real- allowable input/output pairs for my composite ization that extra information is often necessary, system in terms of a specific wiring. which is often omitted or glossed over by other Horizontal composition is defined as the in- composition operators and methods. In order for terconnection of operations in one model type. the system to compose nicely it is paramount that The two step process is to use the theory of the type of system residing within all boxes in a interconnection to define the architecture of the wiring diagram are either the same, for example, base wiring diagram and then inhabit the boxes Moore machines inhabit all boxes, or that we of this arrangement with a particular behavioral know the results of the composition of two types, model [4]. This brings our compositional model for example, ordinary differential equations and into the same realm as behavioral diagrams in Moore machines. SysML but with the possibility of simulated This means that in our example, all boxes behavior as in MATLAB Simulink. The main must take the form of a linear time-invariant benefit of this approach is that we can assign system of the standard form, even though in a number of algebras by describing models in the block diagram algebra used in control de- categories. In this case, we assigned part of our scribes the totality of the control system behavior. requirements using the contracts algebra over the

6 D aileron X L IMU I1 rudder Y processor airframe P1 F throttle Z IMU I2 elevator W

processor servos C P2 V

UAV Figure 4: The architecture of the system resides within the slice category of our initial system behavior diagram (Figure3) producing a formal trace between the two, thereby allowing us to perform more analyses formally. While this decomposition focuses on the one possible implementation of the embedded system aspects, this is only because it was modeled by a computer engineer. An aerospace engineer could augment this model with further decompositions of the airframe or motors as long as they got the physics right. same model. of refinement, but by using the slice category it forms a formal trace between behaviors and Vertical Decomposition architectures. There are cases where the behavioral inter- pretation of the system is not sufficient to exam- ine certain properties about a system. One such case is security, where one approach to finding Vertical decomposition does not only refer vulnerabilities is to traverse a graph of the ex- to decomposing system models but also that it pected or implemented system architecture [19]. relates different algebras, in this case as an ex- However, those approaches are static and often ample the algebra of behavior with the algebra of are behaviorally unaware, meaning that there is contracts. A similar argument could be made for no way to know what behavior is being affected applying contracts to the eventual architecture and by a particular successful exploit. This is not its associated algebra (with its own corresponding necessarily an issue in information technology architecture and behavior in the wiring diagram (IT) systems but in the case of cyber-physical representation). systems, where the dynamics are richer it is necessary to know what physical behaviors the exploit might affect. One way of understanding what a slice cate- gory is in a given wiring diagram is to think about To understand the disjointedness of the cur- it as splitting. We split or open up morphisms rent modeling process we can think about how (the arrows) within the wiring diagram category we might mathematically assign behaviors and in order to allow a higher degree of refinement. restrictions to an empty process. To the same We can think of this as working with hyper graphs wiring diagram (a collection of empty processes but with the extra structure of a category. Visually and wired between them) we can assign different this morphism split is opening up the model of formalisms. This is the reason for studying empty system behavioral (Figure3) to a model of system processes, namely that it gives us a way of architecture (Figure4). The splitting is a form decoupling syntax from semantics.

7 X (X) (X) (X)

(f) (f) (f) X Y (Y ) (Y ) ( )  Y 

f The same argument has also implications for scalability. Knowing when a change in one Y (X) modeling paradigm causes something else to be (f) changed, augmented, or rethought within a mod- eling tool could reduce errors and increase effi- (Y ) ciency in the system modeling process. However, This represents the way a system design- while we can make a clear mathematical argu- ers might approach developing contracts over ment for verified composition, scalability requires an already known behavior. We would instead that we build the tools and test our assumptions prefer a more formal relationship of these two with practicioners in the field. algebras. In the categorical case we have been The promise of category theory is not that explicit in assigning behavior and contracts in it will change the mathematics of a particular the form of algebras. This allows us to use a application field but, rather, that it will organize natural transformation – a map between functors the information such that there might be new – to reflect changes from the behavioral paradigm insights and techniques associated with trans- to the contracts paradigm, which can be seen lating between data (verified composition) and as the relationship between (distinct) algebraic managing complexity (scalability). representations, precisely as the behavior algebra () and contracts algebra () in our work. Category Theory for the Engineer Compositionality is one of the open problems in cyber-physical system design, as is argued in the NIST cyber-physical system framework [5, FA pages 11-12]. In general, we perceive that cate- A gorical models in engineering are currently rather F f GA unfledged and category theory is a ripe field with F ℎ FB B Gf developed mathematical tools that can be transi- tioned to formal methods in the design of cyber- F g Gℎ GB physical systems. The main benefits of applied FC Gg C compositional thinking is verified composition and scalability of different system models. GC As practitioners of formal methods, we would like to know if our contracts or linear temporal specifications agree with our linear time-invariant Assume that we assign to an empty process system or labelled transition state space models. a particular formalism of behavior and contracts Therefore, the problem in cyber-physical systems in the form of algebras. But, then, as it so often is not only contained on which algebra to use happens within design a change must occur in to examine or assure a particular property of the the behavior, a range of outputs from one box system but also how to relate those algebras. The has changed. By having a clearly defined natural importance of this perspective is that algebras, transformation – that moreover behaves well with even implicitly, exist at any given level of system the parallel operation – it is possible to reflect design and their composition gives rise to well- what that means in the contracts we have defined defined traces in models. for the same system model. By using the above Further, as we move throughout the lifecycle, relationship between functors; that is, the natural system architecture models must be developed transformation, we are doing precisely that. and tested for behavioral bisimilarity with the

8 models we construct in the early concept design 6. J. B. Michael, G. W. Dinolt, and D. Drusinsky, “Open phase, for example, to assure that our safety questions in formal methods,” Computer, 2020. 7. R. Alur, S. Moarref, and U. Topcu, “Compositional and analysis holds. Additionally, we might at that symbolic synthesis of reactive controllers for multi-agent point want to check qualities that heavily depend systems,” Information and Computation, 2018. upon the composition of the system in hardware 8. P. Nuzzo, A. Sangiovanni-Vincentelli, D. Bresolin, and software, such as security [20]. Additionally, L. Geretti, and T. Villa, “A platform-based design even later in the lifecycle we want to test our methodology with contracts and related tools for the models with data harvested from the designed and design of cyber-physical systems,” Proceedings of the deployed system. Here too, the same algebraic IEEE, vol. 103, no. 11, Nov. 2015. structures can be extended by this data gathered 9. A. Censi, “Uncertainty in monotone codesign problems,” in the field. IEEE Robotics and Automation Letters, 2017. One way to partially combat the increasing 10. J. Culbertson, P. Gustafson, D. E. Koditschek, and P. F. but necessary complexity of those systems we Stiller, “Formal composition of hybrid systems,” Theory need to make sure that all these algebras are and Applications of Categories, 2019. traceable. By being traceable we are therefore 11. B. Fong and D. I. Spivak, An invitation to applied able to apply several lightweight formal methods category theory: seven sketches in compositionality. within one overarching model. The recent devel- Cambridge University Press, 2019. opment of algebraic software based on category 12. P. Nuzzo and A. L. Sangiovanni-Vincentelli, “Hierarchi- theory can assist us in developing modeling tools. cal system design with vertical contracts,” in Principles By developing compositional modeling tools we of Modeling. Springer, 2018. can manage and make formal all diverse views 13. M. Sirjani, E. A. Lee, and E. Khamespanah, “Verification for design, thereby bringing to practice all this of cyberphysical systems,” Mathematics, 2020. theoretical work. 14. C. Newcombe, T. Rath, F. Zhang, B. Munteanu, REFERENCES M. Brooker, and M. Deardeuff, “Use of formal 1. P. Asare, G. Bakirtzis, R. Bernard, D. Broman, methods at Amazon web services,” 2014. [On- E. Lee, G. Prinsloo, M. Torngren, and S. Sunder, line]. Available: http://research.microsoft.com/en-us/ “Cyber-physical systems – a concept map,” URL um/people/lamport/tla/formal-methods-amazon.pdf https://cyberphysicalsystems.org or https://perma.cc/ 15. J. C. Willems, “The behavioral approach to open and NQ6T-AVH5, 2020. interconnected systems,” IEEE Control Systems Maga- 2. E. A. Lee, “Cyber-physical systems – Are computing zine, 2007. foundations adequate,” Position paper for NSF work- 16. P.Schultz, D. I. Spivak, and C. Vasilakopoulou, “Dynam- shop on cyber-physical systems: Research motivation, ical systems and sheaves,” Applied Categorical Struc- techniques and roadmap, 2006. tures, 2020. 3. G. Bakirtzis, C. Vasilakopoulou, and C. H. Fleming, 17. A. Benveniste, B. Caillaud, D. Nickovic, R. Passerone, “Compositional cyber-physical systems modeling,” in J. Raclet, P. Reinkemeier, A. L. Sangiovanni-Vincentelli, Proceedings of the 2020 Applied Category Theory W. Damm, T. A. Henzinger, and K. G. Larsen, “Con- Conference (ACT 2020), ser. Electronic Proceedings tracts for system design,” Foundations and Trends in in Theoretical Computer Science. Open Publishing Electronic Design Automation, 2018. Association, 2020. 18. I. Filippidis and R. M. Murray, “Layering assume- 4. G. Bakirtzis, C. H. Fleming, and C. Vasilakopoulou, guarantee contracts for hierarchical system design,” “Categorical semantics of cyber-physical systems the- Proceedings of the IEEE, 2018. ory,” ACM Transactions on Cyber-Physical Systems, 19. G. Bakirtzis, B. J. Simon, A. G. Collins, C. H. Fleming, 2021. and C. R. Elks, “Data-driven vulnerability exploration for 5. E. R. Griffor, C. Greer, D. A. Wollman, and M. J. design phase system analysis,” IEEE Systems Journal, Burns, “Framework for cyber-physical systems: Volume 2020. 1, overview,” NIST, Special Publication (NIST SP) - 20. G. Bakirtzis, F. Genovese, and C. H. Fleming, “Yoneda 1500-201, 2017. hacking: The algebra of attacker actions,” 2021.

9