Compositional Thinking in Cyber-Physical Systems Theory

Georgios Bakirtzis, University of Virginia
Eswaran Subrahmanian, Carnegie Mellon University
Cody H. Fleming, Iowa State University

arXiv:2105.12911v1 [eess.SY] 27 May 2021
Published by the IEEE Computer Society © IEEE

Abstract—Engineering safe and secure cyber-physical systems requires system engineers to develop and maintain a number of model views, both dynamic and static, which can be seen as algebras. We posit that verifying the composition of requirement, behavioral, and architectural models using category theory gives rise to a strictly compositional interpretation of cyber-physical systems theory, which can assist in the modeling and analysis of safety-critical cyber-physical systems.

APPLIED COMPOSITIONAL THINKING

Lee [2], among others, recognized early in the development of the field of cyber-physical systems that there is a need for developing competing methods to hybrid systems and process algebras. While this is true, an important observation is that both of these formalisms form algebras. In fact, the design of cyber-physical systems involves the study of different algebras (Figure 1). There is significant research in developing these individual algebras and implementing composition within a particular algebra. However, there is still an open problem about how to relate those paradigms that in practice represent individual models, and to examine the behavior of the system as a whole these models must be composed too. Compositional cyber-physical systems theory [3], [4] uses category theory to transform data from one algebra to another and to ultimately relate them formally, such that we can compose across domains. This provides one solution to the open problem of composition between formal methods and their corresponding model views in cyber-physical system design [5], [6].

The study of compositionality is not new and certainly not only possible with categories. For example, compositionality is formalized and addressed with tools from control theory [7], contract-based design [8], or monotone co-design [9]. This is to say that we recognize that the cyber-physical systems field has had a long tradition in formalization for the study of correctness and the management of design complexity. But the idea of category theory in system science and formal methods is that those approaches may be seen as operating implicitly within a category, and making that explicit can be of use in developing scalable and general-purpose modeling tools that can operate across categories. Recently, all three of these areas, control [10], contracts [4], and co-design [11, chapter 4], have been described, generalized, and unified with fundamental notions of category theory, mainly using the notion of functoriality – structure-preserving maps between categories that can translate a general syntax to the particular semantics of the application domain. This means that we need not reconstruct the progress that has occurred in each individual field or model view, because we can use the algebras already in existence, but with the added benefit that we can compose between categories and, therefore, between model views.

Figure 1: A cyber-physical systems concept map showing what these systems are, what they require, and where they are being used (adapted from Asare et al. [1]). Individual leaf nodes in this concept map have been studied in detail, but formal relationships between leaf node concepts are still sparse.

Applied compositional thinking brings forward the practical dissemination of categorical results in the field of engineering in general. We will particularly concern ourselves with how research directions in applied category theory can be leveraged in system science and formal methods. Composition can mean different things depending both on the engineering field and on the particular context in which composition is studied. In cyber-physical systems the term composition can be understood as either horizontal or vertical.

Horizontal composition is relatively well studied and refers to things like the block diagram algebra widely used in the control community. Vertical composition, in our definition, instead spans different domains; a clear example in the application of systems modeling and formal methods is how components compose and are abstracted or refined between requirements, behaviors, and architectures. In order to do this right we need to formally relate and verify the composition of the different types of algebras present in the design and analysis of cyber-physical systems (the leaf nodes of Figure 1). At the moment, engineering researchers and practitioners attempt to address this issue by developing naming spaces and conventions. The need to capture the relationships between heterogeneous system representations in contract-based design has led to the notion of vertical contracts [12]. The congruence between our framework and contract-based design is that contracts in both senses are extensions of behavior types. Across paradigms, as long as types agree, composition is possible.

Each of the individual formalisms or algebras used in the design of cyber-physical systems has had whole fields dedicated to it, with steady research progress before and after the term cyber-physical systems came into existence. However, the relationship between those algebras is at the moment either ad hoc or quasi-formal. Relating algebras formally can lead to new insights, methods, and tools for the design of cyber-physical systems that operate as we expect. Specifically, category theory is one mathematical tool that can verify the composition of differing views and therefore lead to another dynamical computation systems theory, founded on the recognition that addressing composition is important in understanding the (mis-)behavior of the system as a whole. Category theory is the study of mathematical structures from the perspective that, to better determine an object's purpose and behavior, we ought to study its relationships with other objects instead of examining the object only in itself. Categories are intuitively congruent with engineering cyber-physical systems because of the existence of both dynamics and computation in those systems, which are modeled through a multitude of perspectives that need to be related.

Formal methods have taken an increasingly important role in the design of systems in both academic [13] and industry [14] settings. In system modeling, the SysML V2 standard is a glimpse of the possible future of formal and compositional methods in a practice where the gap between requirement, behavioral, and structural formalisms is bridged. However, it is not clear how this relationship will be formally defined. This shows an increasing need for formal and compositional methods that verify the composition of system models and scale to them.

While there are several applications of category theory in engineering, in this paper we will examine precisely this gap between requirements, behaviors, and architectures from the viewpoint of compositional cyber-physical systems theory. This is possible because composition here fundamentally gives us modularity and interoperability within and across different types of models for free, provided we model things within the stricter paradigm of categories and algebras. Specifically, we will show how horizontal and vertical composition can be expressed as a formal method using categories.

Compositional Cyber-Physical Systems Theory

Engineers and system designers use expertise, intuition and inertia to decide how different analyses factor into higher-level, harder questions about safety, resiliency, profitability and risk. We can formalize (some of) that expertise by reconstructing existing workflows and best practices in categorical terms. Though many individual features of cyber-physical systems are formal, the relationship between these pieces has not yet been mapped. In general, putting systems together requires two things per Kalman [15]:

1) Getting the physics right.
2) The rest is mathematics.

But that sparked Willems [15] to ask if we are using the right mathematics to describe the science of interconnection, and he concludes that we need to represent systems as algebras. Category theory goes even further by composing those algebras together. Instead of describing category theory in full, we want the reader to focus on the categorical toolkit and refer to the many formal treatments on the topic, including books such as Fong and Spivak [11]. However, we will give
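The two notions of composition discussed in the text, horizontal composition in the block diagram algebra (defined only when port types agree) and the functorial passage from requirement-level wiring to concrete behavior (a structure-preserving map, so F(f;g) = F(g) ∘ F(f)), as an added Python example that is not code from the paper: `Block`, `compose`, `Semantics`, `functorial` and the thermostat blocks are assumed names and constructed values.

```python
from dataclasses import dataclass
from typing import Callable

# Syntax: a category whose objects are port types and whose morphisms are
# blocks, i.e. the block-diagram algebra (horizontal composition).
@dataclass(frozen=True)
class Block:
    name: str
    src: str  # input port type
    tgt: str  # output port type

def can_compose(f: Block, g: Block) -> bool:
    return f.tgt == g.src

def compose(f: Block, g: Block) -> Block:
    """Series composition f;g, defined only when the port types agree."""
    if not can_compose(f, g):
        raise TypeError(f"type mismatch: {f.name}:{f.tgt} -> {g.name}:{g.src}")
    return Block(f"{f.name};{g.name}", f.src, g.tgt)

# Semantics: a functor F from the syntax category to Python functions.
# F is chosen on primitive blocks; on composites it must satisfy
# F(f;g) = F(g) o F(f), which is what "structure preserving" means here.
class Semantics:
    def __init__(self, primitives: dict[str, Callable]):
        self.primitives = primitives
    def __call__(self, b: Block) -> Callable:
        fns = [self.primitives[p] for p in b.name.split(";")]
        def run(x):
            for fn in fns:
                x = fn(x)
            return x
        return run

def functorial(F: Semantics, f: Block, g: Block, samples) -> bool:
    """Check F(f;g)(x) == F(g)(F(f)(x)) on the given sample inputs."""
    fg = F(compose(f, g))
    return all(fg(x) == F(g)(F(f)(x)) for x in samples)

# Constructed example: a thermostat loop typed at the requirements level ...
SENSE = Block("sense", "Plant", "Temp")
CONTROL = Block("control", "Temp", "Cmd")
ACTUATE = Block("actuate", "Cmd", "Plant")
# ... and one concrete (assumed) behaviour per primitive block.
THERMOSTAT = Semantics({
    "sense": lambda plant: plant["temp"],
    "control": lambda temp: 1.0 if temp < 20.0 else 0.0,  # heater on/off
    "actuate": lambda cmd: {"temp": 18.0 + 5.0 * cmd},    # toy plant response
})

def closed_loop() -> Block:
    return compose(compose(SENSE, CONTROL), ACTUATE)  # Plant -> Plant
```

Wiring `CONTROL` straight into `SENSE` is rejected at the syntax level, before any semantics is assigned, which is the "types agree" condition the text describes.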
