<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Cyber-Physical Software Systems for Smart Worlds: A Case Study of Intelligent Transportation System</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Kaliappa Ravindran</string-name>
          <email>ravi@cs.ccny.cuny.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>City College of CUNY and Graduate Center, Department of Computer Science</institution>
          ,
          <addr-line>160 Convent Avenue, New York, NY 10031</addr-line>
          ,
          <country country="US">USA</country>
        </aff>
      </contrib-group>
      <fpage>53</fpage>
      <lpage>69</lpage>
      <abstract>
        <p>The paper discusses the design of cyber-physical systems software around intelligent physical worlds (IPW). An IPW is the embodiment of control software functions wrapped around the external world processes. The IPW performs core domain-specific activities while adapting its behavior to the changing environment conditions and user inputs. The IPW exhibits an intelligent behavior over a limited operating region of the system, in contrast with the traditional models where the physical world is basically dumb. To work over a wider range of operating conditions, the IPW interacts with an intelligent computational world (ICW) to patch itself with suitable control parameters and rules/procedures relevant in those changed conditions. The modular decomposition of a complex adaptive system into IPW and ICW lowers the overall software complexity, simplifies the system verification, and promotes an easier evolution of system features. As an intelligence functionality, a network system in our approach employs redundant sensing as a means to improve the quality of detection &amp; aggregation of events occurring in the environment. The paper illuminates our concept of IPW with a case study of a vehicular traffic management network.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>A cyber-physical system (CPS) allows the computational processes to interact
with the physical world processes in a way to impact how the latter is structured
and designed, and vice versa. We elevate the definition of an embedded system
by eliminating the hardware-centric boundaries of physical processes. An
application B that is traditionally viewed as a non-embedded system because of its
heavy software leaning can now be brought into the fold of CPS with a notion of
intelligent physical world Ap. Here, Ap can be an embodiment of diverse software
functions, with the embedded hardware instantiating the raw physical processes
(RPP). The RPPs are dumb physical component ensembles through which a
system interacts with its (hidden) external environment, such as: steering
linkages to turn a car on the road, network link/router to transport data packets,
and conveyor belt to move assembled parts.</p>
      <p>The sub-system Ap is more than a collection of physical components RPP, but
instead consists of a software wrapper that controls RPP in such a way to infuse
a self-contained and intelligent behavior (see footnote 1). From a programming standpoint, the
RPP is abstracted as a function g*(I, O*, s*, E*) that takes an input I and
responds with an output O*, where s* is the current state of RPP and E* is
the uncontrollable external environment incident on RPP. Here, O* depicts the
observation of a transition in the state of physical processes s*, with the
timescale of response hidden as part of the abstraction. For example, g*(.) may represent
the end-to-end path in a data network, where I and O* denote the injection of
a packet flow and its delivery respectively, s* is the available bandwidth, and
E* depicts a packet-loss phenomenon impacting the flow. As another example,
g*(.) may be the motor in an industrial control system, where I and O* denote
the electrical signal and rotational speed respectively, s* is the residual motor
torque, and E* depicts an electrical and/or mechanical disturbance impacting
the motor speed. Our idea is to extend g*(I, O*, s*, E*) into a coherent intelligent
physical world Ap that is self-aware and can repair itself (in a limited way) from
the damages caused by environment conditions E*. Ap is augmented by an
intelligent computational world Ac that manages the overall operations of Ap.
Their composition to yield an adaptive application system B is denoted as:
where Ap is wrapped around g*(I, O*, s*, E*) and the operator ' ' depicts the
inter-module flow of signals between Ap and Ac, which includes a
management-oriented feedback from Ap to Ac. The signal flow is at a meta-level, while the
Ac-Ap concrete interactions are determined by their programming boundaries.
We allude to a 'monitor-and-control' interaction (M&amp;C) initiated by Ac on Ap,
and vice versa.</p>
      <p>An example of Ap is a smart home that sets the heating and cooling
parameters based on the occupancy, ambient conditions, comfort level, and the like.
Here, Ac may be a Home Service Center outsourced with the task of
managing the intelligent home remotely by setting the right parameters and operating
procedures (say, different procedures for winter and summer operations). In a
target tracking system as another example, the radar units reporting the images
of objects in a terrain to a data fusion center may also notify the terrain
characteristics to enable the choice of image processing algorithms: say, to meet the
target detection accuracy needs. Here, Ap is the group of radar units implanted
with parameter-adjustable image processing algorithms (say, track resolution)
and Ac is the fusion center deciding on the right set of algorithms suitable for
the terrain.</p>
      <p>Footnote 1: The physical world Ap in our CPS view includes software functions that were hitherto
a part of the control system software external to the RPP.</p>
      <p>We extend the functional boundary of physical world Ap to infuse the
intelligence for a limited repair capability. The remaining part of system, assigned
with a comprehensive repair capability, constitutes an intelligent computational
world Ac. The paper describes the software engineering issues in supporting a
harmonious co-existence of intelligent sub-systems: Ac and Ap. The off-loading
of domain-specific core adaptation functions into Ap enables the infusion of new
functionalities and features in applications with less software complexity. The
ease of verification and testing of such modularly structured systems lowers the
development cost of distributed control software for complex systems.</p>
      <p>The paper is organized as follows. Section 2 rationalizes the structuring of
complex systems with intelligent physical worlds. Section 3 advocates the use
of redundant sensing as a means to improve the quality of event detection (and
hence the control actions therefrom). Section 4 provides a communication
structure suitable for vehicular networks (say, in a city area). Section 5 discusses the
existing frameworks for CPS. Section 6 studies a vehicular traffic management
network using our CPS framework. Section 7 concludes the paper.</p>
    </sec>
    <sec id="sec-2">
      <title>2 Our CPS view of complex systems</title>
      <p>A traditional embedded system (TES) employs an asymmetric control
relationship with the RPP: i.e., only the computational processes initiate the M&amp;C
interaction with RPP but not vice versa. The TES underscores an integrated
software structure where the core adaptation functionality is entwined with
high-level application features, which precludes rapid incremental software
changes/configurations. In contrast, the CPS employs a modular software
structure where a self-aware physical world Ap that is wrapped around the RPP
communicates with a set of computational processes Ac to coordinate
supervisory control by Ac. Figure 1 illustrates the difference between CPS and TES.</p>
      <p>2.1 Existing designs cast through CPS view</p>
      <p>
Computational intelligence in the physical world requires the components to be
self-aware, i.e., a component needs to be able to react to its external environment,
and possibly repair itself. Such an ensemble of self-aware components in Ap
needs to work together to provide a coherent interface to Ac. In this light, existing
works on embedded control systems [
        <xref ref-type="bibr" rid="ref1 ref2">1, 2</xref>
        ] use an integrated structure (i.e., TES)
that assigns intelligence for adaptation and reconfiguration only to the
computational world, which exercises control on the physical world to cause effects in
the external environment.
      </p>
      <p>Given an adaptive application system B, the TES-based design depicts a
composition:</p>
      <p>B(tes) [A'p g*(I, O*, s*, E*)];
where A'p refers to the computational processes (implemented in software) that
interface with the RPP function g*(.). The composition depicts a M&amp;C type
of interaction, where A'p invokes g*(.) with a computed actuator signal I and
observing the output response O*. The TES structure assigns intelligence to A'p,
with the latter interfacing with g*(.) through signaling hooks to actuate the
trigger mechanisms, thereby moving the RPP from one operating point to
another.</p>
      <p>[Figure 1: Cyber-physical system (CPS) view and traditional embedded system (TES) view of an application system B. CPS view, layered (onion-peel) structure: software layer Ac with augmented intelligence (wide range of adaptive operations, executed over slow time-scales, functions touched are non-separable) around software layer A''p with limited intelligence (limited-range adaptive operations, executed over fast time-scales, functions touched are separable) around the RPP. TES view: computational world processes (intelligent software layer) A'p around the RPP, with compounded effects of all types of adaptive operations. M&amp;C: monitor-and-control interaction between computational world processes and physical world processes. RPP: dumb physical world processes, abstracted as a function g*(I,O*,s*,E*).]</p>
      <sec id="sec-2-5">
        <p>Thus, CPS-based design depicts an alternate system composition:
B(cps) [Ac Ap] B(tes);
where Ap [A''p g*(I, O*, s*, E*)] depicting the CPS software functions that
wrap local intelligence around the raw physical world process over a limited
operating region, such that A''p A'p. Ac is the computational process to infuse
a broader intelligence to the operations of B that are otherwise difficult in a
TES-based design. B(cps) can easily be infused with new features and/or have
its existing features augmented by algorithm plug-ins to modify the
functionality of Ap, as orchestrated by policy-based mechanisms and adaptation logic
programmed in Ac. For example, the QoS feature for packet transport over a
network data path that hitherto allows controlling the mean packet delay can
be augmented with delay jitter control as well, by implanting a modified packet
scheduling algorithm along the path. The raw physical world g*(.) is itself
considered as dumb, providing only the basic functional components. An
invocation of these components comes from the upper layer processes: A''p in the CPS
approach and A'p in the TES approach.</p>
        <p>Due to the underlying state-machine complexity of the system as a whole,
the TES-based integrated approach does not lend itself well for a seamless
addition/removal of automated system features, entails difficulty in incremental
software changes, and makes the testing/maintenance of system software a
labor-intensive activity.</p>
        <p>2.2 CPS-based structure of complex systems</p>
        <p>
We employ the principles of piece-wise linearity and separability of functions
describing the system model [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ], to determine the operating regions of Ap where
the system-level computations of future trajectories (in a control-theoretic sense)
are simpler and fall within the ambit of local intelligence. When the system
behavioral changes satisfy linearity/separability, Ap can repair itself. The
self-repair can be via a local built-in mapping function that is instantiated with the
parameters supplied by Ac for that operating region. An example is the adjusting
of TCP flow control window size based on small changes in packet round-trip
delay (RTT) over the transport network. On the other hand, if the behavioral
changes are larger taking the system into non-linear regions, Ap may report the
changes to Ac for the latter to adjust the parameters for the new region of system
operations: say, by using domain-specific policy functions. In the TCP example,
the protocol itself may be changed to aggressively adjust the window size when
the RTT swings are large. Ac is wired with domain-specific policies and rules
to evaluate the linearity and separability conditions, and then patch Ap with
appropriate parameters and procedures (see footnote 2).
        </p>
        <p>Ap operates over a much faster time-scale than Ac. This is because the control
loop in Ap is self-contained to react to the smaller changes that typically occur
frequently in the external environment. Whereas, Ac steps in only when larger
changes occur in the external environment, which are less frequent (e.g., a
network suffering a DOS attack, a car tire losing air due to a puncture). Ap
embodies the core domain-specific functionality, and Ac is delegated with an
external management role using parameterized procedures and rules specific to
the domain. See Figure 2 for an illustration of the functional blocks to realize the
hierarchical control relationship between Ac and Ap. Our software engineering
approaches orchestrate such a delineation of Ap and Ac.</p>
        <p>The true model of RPP may not be known to Ap, i.e., it is difficult to express
g*(I, O*, s*, E*) in a closed-form. So, the determination of I is governed by a
computational model of RPP, denoted as g(I, O*, s, E), that is programmed
into the controller module of Ap. This localized incremental adaptation strategy
employed in Ap allows determining the final input I needed to attain a stable
output P', where P' = O*(L) with L depicting the control round when Ap
reaches convergence. Any mismatch between P' and Pref is then notified to Ac
for appropriate recovery. The intelligent behavior of Ap is however feasible only
over a limited operating region, as determined by Ac.</p>
        <p>
          The system output O*, which is of interest to the controller modules in Ap
and Ac, is often easier to measure (e.g., packet transfer latency on a network
path). The uncontrolled external environment E*, which impacts the system
output in complex ways, is however hard to measure (e.g., bandwidth depletion
along the path). Our partitioning of observation space into O* and E* arises
from these considerations. We assume a finite world where the parameter values
of E* and O* are bounded. A system designer may reduce output observation
errors by exactly measuring M*(O*) with suitable tools. Environment observation
however is error-prone, i.e., the observable environment space is: E E*.
        </p>
        <p>Footnote 2: The update of controller sub-systems in Ap during run-time is known as patching
[
          <xref ref-type="bibr" rid="ref4">4</xref>
          ]. It enables a hierarchical control with simple controllers programmable at lower
levels (such as automotive ECUs supplied by OEM vendors).
        </p>
        <p>[Figure 2: functional blocks realizing the hierarchical control relationship between Ac and Ap. Computational world Ac: situation assessment module (SAM; environment assessment, non-linearity checks, ...), control algorithm manager (algorithm &amp; parameter patching, e.g., sensor adaptation rule), plant model g(I,O*,s,E). Physical world Ap: controller driven by the error Pref-P', plant input I, raw physical processes g*(I,O*,s*,E*) with state s*, observer P'=M*(O*), system output O* with physical effects on the external world, external environment conditions E* (say, component failures and outages). TSF: time-scale filter.]</p>
        <p>
Our approach is distinct from the well-known supervisory control methods [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ].
The incorporation of a management-oriented feedback from Ap to a situational
assessment module (SAM) housed in Ac allows the latter to adjust the
control laws employed by Ap. The feedback is a notification about how successful
Ap is in realizing the control delegated by Ac. Ap obtains a control reference
parameter Pref from Ac, along with domain-specific operating parameters and
computational mapping functions (e.g., a rule to change the packet transmission
window size for delay-adaptive flow control in TCP). Ap then generates
appropriate inputs I to the RPP over multiple act-and-observe steps until the output
O* becomes stable: possibly, with a close match to Pref.
        </p>
        <p>That a final control error is stable but is not at the minimum depicts a
controller with limited repair capability. When it is determined that Ap has exceeded
its repair capability at the current operating point, Ap seeks the services of Ac
for a comprehensive repair, i.e., to bring down the error to a minimum. The
comprehensive repair may involve, say, changing the plant and/or the controller
parameters, and even the controller algorithm itself. Thus, a repair is
collectively realized by Ap and Ac, with the invocations from Ap occurring infrequently
on Ac in comparison to that on the RPP.</p>
        <p>We focus on action errors in the controller of Ap, i.e., the deviations in actual
RPP output from expected output |O* - O|, arising from the inexact knowledge
of controller about the computational model g*(I, O*, s*, E*) of RPP. Regardless
of an error-prone or error-free output observation, action errors do occur, i.e.,
the output of RPP O* as a result of executing an action I may deviate from the
controller's belief about the effect of I, as captured by the model g(I, O, s, E)
(see footnote 3). An error-free output observation, which we assume in this paper, yields an
exact measurement of action errors, thereby allowing Ac to precisely evaluate
the efficacy of controller rules/policies implanted in Ap, and install any changes
therein.</p>
        <p>2.4 Advantages of our approach</p>
        <p>
The observe-adapt cycle executed by Ap is at the machine-level time-scales
pertinent to the RPP. The operations of Ac occur at much slower time-scales. The
separation of time-scales in the operations of Ac and Ap makes it easier to
assert the correctness of application behavior with a high degree of confidence.
In TES-based design, the time-scale separation is not easily extractable from
a trace-analysis of the state-transitions in application software, which lowers
the designer confidence in making correctness assertions. In this light, our
CPS-based modular techniques purport to reduce the overall system development cost
during the evolutionary and operational stages of system designs, in the face of
increasing complexity of system operations (both hardware and software) to
meet the enhanced demands for new and better functionalities.</p>
        <p>The patching of Ap from Ac enables the autonomic switching of control
algorithms (at run-time) as the system operating points change. Ap can be
supplied by designers with domain-knowledge (such as OEM vendors for in-vehicle
electronic systems and network platform developers for inter-vehicle
communications). Ap is designed to be programmable, with appropriate signaling hooks,
while meeting the inter-operability requirements. Whereas, the designers of Ac
are software engineers with more expertise on the management functions
(instead of the domain itself). Some of the computational intelligence in Ap is
enabled by new applications. Ap may also realize some of the functions hitherto
in the TES-based computational world. The migration is possible due to the
availability of data processing and storage capabilities in the physical
components.</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3 Management of distributed intelligent systems</title>
      <p>
        From a service specification standpoint, the system performance, fault-tolerance,
and timeliness goals can be unified into a single set of application-level QoS
objectives. How well the application-level QoS specs are met in the presence of
hostile external conditions depicts the dependability of the system.
      </p>
      <p>Footnote 3: Action errors in a complex system arise as an artifact of system modeling inaccuracy,
which are different from the ones caused by software-induced bugs and failures [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
      </p>
      <p>3.1 Failure impact of system components</p>
      <p>
Given an ensemble of K devices in the infrastructure, Ac chooses N devices
to participate in the algorithm execution of Ap for a collaborative task, where
2 ≤ N ≤ K. An example is the reaching of consensus about an event occurrence.
The choice of N is tied to an assumption made by Ac that at most fm devices
can fail at run-time and an attacked device exhibits a fault severity of r, where
1 ≤ fm &lt; N and 0 &lt; r ≤ 1.0. A failure may be benign or malicious, which may
be (partly) captured in the fault severity parameters.</p>
      <p>An intruder potentially targets fa of the K devices for attacks to disrupt
the system-level output, where 0 ≤ fa ≤ K. Furthermore, an attacked device
exhibits a fault severity of r'', which depicts the probability of misbehavior by an
attacked device when an input trigger occurs (r'' may be quantified in terms of
how many operations the attacked device performs correctly before responding
maliciously to an input trigger). The intruder does not have knowledge of
system-level algorithm parameters [N, r, fm] (i.e., this information is protected in Ac),
where N is the number of devices participating in the algorithm (2 ≤ N ≤ K), fm is
the assumed number of faulty devices (1 ≤ fm &lt; ⌈N/2⌉), and r is the assumed
aggressiveness of a faulty device (0 &lt; r ≤ 1). So, the intruder randomly targets
the attacks on fa devices and infuses a fault severity-level of r'' on an attacked
device, in the hope of damaging the system output. The choice of [fa, r''] is
based on the computational and other assets available at the intruder's disposal
to orchestrate attacks and his/her empirical knowledge about the anticipated
system-level damage caused by attacks.</p>
      <p>Since [r'', fa] is not known to Ac, the algorithm designer needs to model
the intruder's capability and profile to get a probabilistic estimate of [fa, r''].
In general, the designer's decision about [N, r, fm] is based on his
(domain-specific) knowledge about the overall system: namely, the operating environment
of infrastructure and the control loops implemented by Ap.</p>
      <p>3.2 Managing sensor redundancy and heterogeneity</p>
      <p>
Resorting to sensor heterogeneity in system measurements interplays with the
control functions that rely on the accuracy and timely detection of events. A
device D may run different algorithms oa = g(D)a(M), ob = g(D)b(M), ... on a raw
input data M (sequentially or concurrently), and then extract an accurate
information oa, ob, ... about an event occurrence therefrom: say, by voting or outlier
analysis on oa, ob, .... Furthermore, D may survive against software errors and/or
targeted attacks on a specific algorithm, say, g(D)a(.), because the other functions
g(D)b(.), ... may continue running [
        <xref ref-type="bibr" rid="ref20">20</xref>
        ]. To survive against severe device-level
failures (such as machine crashes and multiple attacks), a spatial replication of the
device-functions is employed: such as oa = g(D1)a(.), ob = g(D2)b(.), .... Figure
3(A) illustrates the temporal and spatial redundancy to infuse survivability of the
sensing process. If H is the number of heterogeneous devices, the system-level
design complexity is O(H^2). Figure 3(B) shows the cost of device replication
from a system designer perspective.
      </p>
      <p>
        Voting among N-replicated sensor devices provides an overall confidence
level that is higher than the per-device confidence level in the system, i.e.,
max({pi}i=1,2,...,N) &lt; &lt; 1.0, where pi is the confusion probability of Di in
reporting an event.
      </p>
      <p>[Figure 3: (A) temporal and spatial redundancy in the sensing process; (B) cost of device replication from a system designer perspective. Surviving labels: QoS-oriented spec (data miss rate), user, 'data buffer' controller.]</p>
      <p>
In an example of collision avoidance system for automobiles, a
combination of sensors may be employed to detect the presence of road obstacles
and fuse their results by voting (for improved vehicle safety) [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ]. Likewise,
multiple measurement tools enhance the accuracy of available bandwidth estimation
on an end-to-end network path for a better video transport QoS. A voting-based
improvement in the quality of event sensing is expressed mathematically as:
(1
      </p>
      <p>N 1
l1
[1
pi(e)]l1+1 l2 ) &gt;
;
(1)
where l1/l2 are the number of consents/dissents about an event occurrence o ∈ O
generated by Di, assuming that all sensors have the same capability for event
detection. For instance, pi = 0.85 and N = 10 can achieve a confidence level of
98% with replica voting. In the absence of exact knowledge about the ground
truth on system measurements, the confidence measured in the above manner
can be used as an indicator of sensing accuracy. More generally, the operating
point of Ap determines the weights assigned to the various replicated sensors for
accurate determination of event o.</p>
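      <p>The fault model of Sections 3.1 and 3.2 can be evaluated exactly for a simple voting rule. The Python code below is an added example, not code from the paper: it assumes strict-majority voting, independent device errors, an intruder who picks the fa attacked devices uniformly at random among the K devices, and an attacked device that misreports with probability r''. It does not implement Eq. (1), and all function names are hypothetical.</p>
      <preformat>
```python
"""Added example: exact failure probability of majority voting among N replicas.

Assumptions (not from the paper): strict-majority voting, independent device
errors, and an intruder who attacks fa of the K devices chosen uniformly at
random, without knowing which N devices take part in the vote.
"""
from math import ceil, comb


def hypergeom_pmf(a, K, fa, N):
    """P[exactly a of the N voting devices are among the fa attacked ones]."""
    # math.comb returns 0 when the lower index exceeds the upper one.
    return comb(fa, a) * comb(K - fa, N - a) / comb(K, N)


def binom_pmf_list(n, q):
    """Distribution of wrong reports among n devices, each wrong with prob. q."""
    return [comb(n, w) * q**w * (1 - q) ** (n - w) for w in range(n + 1)]


def wrong_vote_distribution(a, N, r_att, p_honest):
    """Distribution of the number of wrong reports when a of N voters are attacked.

    An honest device reports correctly with probability p_honest. An attacked
    device misbehaves with probability r_att (the page's r''), otherwise it
    behaves like an honest device.
    """
    q_honest = 1 - p_honest
    q_attacked = r_att + (1 - r_att) * q_honest
    attacked = binom_pmf_list(a, q_attacked)
    honest = binom_pmf_list(N - a, q_honest)
    dist = [0.0] * (N + 1)
    for i, pa in enumerate(attacked):
        for j, ph in enumerate(honest):
            dist[i + j] += pa * ph
    return dist


def vote_failure_probability(K, N, fa, r_att, p_honest=1.0):
    """Probability that correct reports do not form a strict majority of N."""
    threshold = ceil(N / 2)  # this many wrong reports deny a strict majority
    total = 0.0
    for a in range(0, min(fa, N) + 1):
        weight = hypergeom_pmf(a, K, fa, N)
        if weight == 0.0:
            continue
        dist = wrong_vote_distribution(a, N, r_att, p_honest)
        total += weight * sum(dist[threshold:])
    return total


def min_replicas(K, fa, r_att, p_honest, target_confidence):
    """Smallest N in 2..K whose vote confidence meets the target, else None."""
    for N in range(2, K + 1):
        confidence = 1 - vote_failure_probability(K, N, fa, r_att, p_honest)
        if confidence >= target_confidence:
            return N
    return None


if __name__ == "__main__":
    # Constructed scenario: K = 20 devices, per-device confidence 0.85.
    for fa, r_att in [(0, 0.0), (4, 0.8), (8, 0.8)]:
        for N in (5, 9, 15):
            conf = 1 - vote_failure_probability(20, N, fa, r_att, 0.85)
            print(f"fa={fa} r''={r_att} N={N}: vote confidence {conf:.4f}")
```
      </preformat>
      <p>Because a tie counts as a failure under this rule, an even N can give a lower confidence than N - 1, which is why min_replicas scans every N rather than assuming monotonicity.</p>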
      <p>
        Ac embodies computational intelligence methods [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] to implant the desired
control algorithms in Ap that handle sensing errors as well: such as learning
from past behaviors, sensor classification and calibration, and optimal control
allocation to system components. The management of sensor heterogeneity is
also handled by Ac.
      </p>
    </sec>
    <sec id="sec-4">
      <title>Data aggregation in on-tree nodes</title>
      <p>In this section, we describe the high level aggregation operations carried out by
the on-tree nodes (see footnote 4). There are two reasons for the on-tree aggregation of events
as they surface, instead of aggregating all the events at the root node. First, it
enhances the scalability of event reporting system when large amounts of data
are collected. Second, it entails a faster reaction to the events by overlay nodes as
soon as a composite situation emerges that warrants an action (e.g., responding
to traffic congestion events).</p>
      <p>See Figure 4 for an illustration of the communication structure for event
notification. The overlay node at leaf point of the event aggregation tree maintains
information about the capability of devices serviced by that node (such as
encoding format, CPU speed, and display size). The node may, for instance, transcode
the multimedia data describing an event for device-level rendering. The on-tree
aggregation capabilities of overlay nodes are quite useful for vehicular networks
(instead of doing only at end-point nodes).</p>
      <p>4.1 Aggregation using syntactic rules</p>
      <p>
Let 1 and 2 be the confidence intervals of the data delivered at an overlay
node O from its two downstream segments. With only a syntactic processing of
the two distinct events, a confidence measure associated with the combined data
sent by O to its upstream node is: min({ 1, 2}).</p>
      <p>
        Similarly, other types of aggregation operators can be implemented in O such as
addition, maximum, average, median, set union &amp; intersection, selection, and the
like. For instance, the congestion reports from two segments along the planned
route of a car with projected delays d1 and d2 will simply lead to an estimate of
the combined delay as d1 + d2 in traversing this route. Scalability considerations
require that the syntactic composition operators satisfy the commutativity and
associativity properties [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ]. These properties allow an efficient examination of
the events arriving asynchronously from various downstream nodes (by reducing
inter-event synchronization delays).
      </p>
      <p>An aggregation of events at various nodes in the tree typically affects the
time-scale of changes in the resulting macro-level data. An example is to
determine if there is a sustained packet loss in a multi-hop network (with k hops),
based on the spatially separated per-hop measurements. The end-to-end loss is:
$[1 - \prod_{i=1}^{k} (1 - l_i)]$,
where l_i is the measured packet loss in the ith hop. Since the 'loss composition'
operator combines a set of fluctuating per-hop loss rates with independent modes
at any given time, the end-to-end loss rate varies with a time-scale as determined
by the highest mode in the per-hop loss rates. A spatial scale of changes may also
be associated with event aggregations, such as the vehicular traffic congestion
on a given route being the combination of the reported congestion levels in
various stretches of roads along that route.</p>
      <p>Footnote 4: The data aggregation functions in on-tree overlay nodes and the communication
functions between overlay nodes can be structured independent of that in the
ad-hoc network segments at leaf nodes.</p>
      <p>[Figure 4: communication structure for event notification. Multicast-capable overlay nodes (ON) form a wide-area distribution tree whose termination points are the receiver proxy nodes l, m, n, p (which maintain device configuration data); event data flows (video, audio, image) from sources A and B reach subgroups of wireless and wired client devices, in original or transcoded form, over satellite links, wireless access links and wired links.]</p>
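      <p>The syntactic operators described above (addition of delays, minimum of confidence measures, loss composition) can be folded into a running aggregate at each overlay node because they are commutative and associative. The Python code below is an added example, not code from the paper; the Report fields, function names and sample values are constructed for illustration. It also shows why an average has to be carried as a (sum, count) pair: a naive pairwise mean gives different results for different arrival orders.</p>
      <preformat>
```python
"""Added example: on-tree aggregation with commutative, associative operators."""
from dataclasses import dataclass
from fractions import Fraction
from functools import reduce
from itertools import permutations


@dataclass(frozen=True)
class Report:
    """Aggregate of one or more downstream segment reports (hypothetical schema)."""
    delay: Fraction       # projected delay over the covered stretch: addition
    survival: Fraction    # product of (1 - l_i) over the covered hops
    confidence: Fraction  # confidence of the combined data: minimum
    count: int = 1        # number of segment reports folded in

    @property
    def loss(self):
        """End-to-end loss 1 - prod(1 - l_i) over the covered hops."""
        return 1 - self.survival

    @property
    def mean_delay(self):
        """Average per-segment delay, derived from the (sum, count) pair."""
        return self.delay / self.count


# Neutral element: merging it with any report leaves the report unchanged.
IDENTITY = Report(Fraction(0), Fraction(1), Fraction(1), 0)


def segment(delay, loss, confidence):
    """Build the report of a single segment from its measured values."""
    return Report(Fraction(delay), 1 - Fraction(loss), Fraction(confidence))


def merge(a, b):
    """Syntactic composition of two reports; commutative and associative."""
    return Report(a.delay + b.delay,
                  a.survival * b.survival,
                  min(a.confidence, b.confidence),
                  a.count + b.count)


def naive_pairwise_mean(a, b):
    """Averaging two values at a time: commutative but not associative."""
    return (a + b) / 2


def order_independent(op, items):
    """True if folding items with op gives one result for every arrival order."""
    return len({reduce(op, order) for order in permutations(items)}) == 1


class OverlayNode:
    """Folds each downstream report into a running aggregate as it arrives."""

    def __init__(self):
        self.aggregate = IDENTITY

    def deliver(self, report):
        self.aggregate = merge(self.aggregate, report)
        return self.aggregate


def aggregate_tree(tree):
    """tree is a Report (leaf measurement) or a list of subtrees (overlay node)."""
    if isinstance(tree, Report):
        return tree
    node = OverlayNode()
    for child in tree:
        node.deliver(aggregate_tree(child))
    return node.aggregate


# Constructed sample: three road/network segments along one route.
S1 = segment(4, "1/10", "9/10")
S2 = segment(6, "1/5", "4/5")
S3 = segment(2, "0", "19/20")

if __name__ == "__main__":
    root = aggregate_tree([[S1, S2], S3])
    print("delay", root.delay, "loss", root.loss, "confidence", root.confidence)
    print("merge order-independent:", order_independent(merge, [S1, S2, S3]))
    delays = [S1.delay, S2.delay, S3.delay]
    print("naive mean order-independent:",
          order_independent(naive_pairwise_mean, delays))
```
      </preformat>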
      <p>
        A domain-specific interpretation of the events in different regions cannot be
adequately captured with the standard mathematical operators of aggregation,
as argued in [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. For example, the effect of a vehicle accident in one region
on traffic congestions in the adjoining regions cannot be expressed through
simple syntactic connectives. This motivates the need for a semantic knowledge in
interpreting events.
Vehicular network applications often require abstracted measurements of the
diverse environment phenomena (or events) in various geographic regions. These
measurements need to be interpreted using a semantic relationship between the
events (which may take into account the weak consistency and the temporal
correlation among events [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ]). Typically, the confidence level in the reporting of
a combined event can be increased with a semantic knowledge that interconnects
the two independently reported events.
      </p>
      <p>As an example, consider the detection of a plane (in terms of speed and
location) by the devices in region 1 followed by the detection of a plane by the
devices in an adjacent region 2 after a certain time interval T. If the geographic
distance between regions 1 and 2 corresponds to a flight time close to T at the given
speed, then it is highly likely that the object detected in regions 1 and 2 refers
to the same plane. So, when the detection reports from regions 1 and 2 arrive
at the overlay node O, the latter may aggregate them into a single report with
a confidence measure higher than max(f 1; 2g). The timing correlation in the
two reports increases the confidence level of the combined report to higher than
that of the individual reports.</p>
      <p>Where semantic knowledge is used, the aggregation operations on two events
may have to be carried out in a certain sequence (i.e., the operations may not
satisfy the commutativity and/or associativity properties). Typically, each overlay
node may implement the required synchronization between the arrival of
various data items from its downstream nodes, based on the sequencing relationship
between the data items, such as the causal relationship between events.</p>
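      <p>The following added example (not code from the paper) implements the timing-correlated aggregation at overlay node O described in the two paragraphs above and shows that the operation is order-sensitive. The Detection record, the 15% timing slack, and the noisy-OR rule for the combined confidence are assumptions; the paper states only that the combined confidence exceeds that of the individual reports.</p>

```python
"""Timing-correlated aggregation of detections from adjacent regions (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Detection:
    region: int
    time_s: float       # time of detection, in seconds
    speed_mps: float    # estimated speed of the object, in metres per second
    confidence: float   # reporter's confidence, between 0 and 1


def correlate(first: Detection, second: Detection, distance_m: float,
              slack: float = 0.15) -> Optional[Detection]:
    """Merge two detections if `second` follows `first` by about the transit time.

    The operation is order-sensitive: correlate(a, b) and correlate(b, a) differ.
    """
    interval = second.time_s - first.time_s            # the interval T
    if first.region == second.region or not interval > 0 or not first.speed_mps > 0:
        return None                                    # same region or wrong causal order
    expected = distance_m / first.speed_mps            # transit time at the given speed
    if abs(interval - expected) > slack * expected:
        return None                                    # T does not match: unrelated events
    # Assumed combination rule (noisy-OR over independent reporters); it always
    # yields a value at least as high as the larger of the two inputs.
    combined = 1.0 - (1.0 - first.confidence) * (1.0 - second.confidence)
    return Detection(second.region, second.time_s, second.speed_mps, combined)


def aggregate(arrivals: List[Detection], distance_m: float) -> List[Detection]:
    """Overlay node O: restore causal order, then forward merged or single reports."""
    pending = sorted(arrivals, key=lambda d: d.time_s)   # arrival order is not trusted
    used, out = set(), []
    for i, earlier in enumerate(pending):
        if i in used:
            continue
        report = earlier
        for j in range(i + 1, len(pending)):
            merged = None if j in used else correlate(earlier, pending[j], distance_m)
            if merged is not None:
                used.add(j)
                report = merged
                break
        out.append(report)
    return out


# Constructed sample reports: regions 50 km apart, object moving at 250 m/s,
# so the expected interval T is 200 s.
R1 = Detection(region=1, time_s=1000.0, speed_mps=250.0, confidence=0.7)
R2 = Detection(region=2, time_s=1195.0, speed_mps=250.0, confidence=0.6)
LATE = Detection(region=2, time_s=1500.0, speed_mps=250.0, confidence=0.6)

if __name__ == "__main__":
    print(aggregate([R2, R1], 50_000.0))     # one merged report, confidence about 0.88
    print(aggregate([R1, LATE], 50_000.0))   # two separate reports
```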
      <p>In a way, replica voting on fuzzy data (where the device-level confusion
probability p_i satisfies the condition 0.5 ≤ p_i &lt; 1.0) may be viewed as a
knowledge-based 'data aggregation' procedure executed at a leaf node. Here, the goal is
to generate a single event notification with a base confidence measure that is
higher than p_i. The semantic knowledge is that when two devices report the
same datum with confidence levels of p_i1 and p_i2, the leaf node can accept the
datum with a confidence level higher than min({p_i1, p_i2}).</p>
      <p>Latency measurements for voting-based data collection can provide the
baseline timing information to enforce the synchronization of data, while meeting the
overall timeliness constraints. This however requires knowledge of the overlay
tree topology and the data delays incurred in the various path segments.</p>
    </sec>
    <sec id="sec-5">
      <title>Existing paradigms for CPS</title>
      <p>
        At an abstraction level meaningful for applications, today's embedded systems
embody both adaptation behaviors and functional behaviors. The former deals
with adjusting the system operations according to the environment conditions
(e.g., reducing the video send rate to deal with bandwidth congestion in the
network), whereas the latter deals with requirements such as fault-tolerance,
security, and timing. For system specification and analysis purposes, we treat
the adaptation and functional behaviors separately. In this light, we categorize
the existing works as dealing with:
- Systems engineering for the control-theoretic aspects of adaptation (such as
stability, convergence) [
        <xref ref-type="bibr" rid="ref7 ref8">7, 8</xref>
        ];
- Software engineering for the verification of application requirements
(including para-functional ones) [
        <xref ref-type="bibr" rid="ref10 ref9">9, 10</xref>
        ].
      </p>
      <p>
        There have also been system-level tools developed to aid these studies: such
as probabilistic monitoring and analysis [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ], controlled fault-injection [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ], and
plug-in based model-solvers (e.g., SYSWeaver) [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ].
      </p>
      <p>Our work falls in a distinct category of model-based engineering of complex
embedded systems. Our CPS model treats the adaptation processes in a target
system as a black-box: Ap. The I/O mapping is procedurally realized by a
sequence of sense-and-act steps executed by Ap on the RPP. Ac then incorporates
the enhanced management functionality needed for complex systems (such as
QoS assurance).</p>
    </sec>
    <sec id="sec-6">
      <title>Case study: Vehicular traffic management</title>
      <p>Vehicular networks often consist of computational devices, i.e., ECUs, that
collect data representing the road traffic conditions and then generate traffic alerts
for use by drivers. The data may include road traffic volume, terrain scenarios
(e.g., hill tracks, slippery road), weather conditions, and vehicle motion tracking
(e.g., car speed, inter-car spacing). These data, some of which constitute the
external environment parameters E, are collected by various sensors mounted
on the cars and the roadside, and then processed to generate corrective actions:
say, traffic alerts and traffic re-routing.</p>
      <p>IPW in vehicular traffic-flow system</p>
      <p>The physical world is the road infrastructure itself, through which vehicular
traffic flows. The topological parameters of the infrastructure describe the
interconnection of various road segments: such as the number of lanes along a road segment,
posted speed limits, traffic signal intersections, and the merge/branch points
of different road segments. Such a road infrastructure is augmented with traffic
monitoring and alert functions to enable an intelligent behavior:
1. Drivers may be notified of prevailing or anticipated congestion levels (via
roadside displays, radio broadcasts, and SMS to phone subscribers);
2. Road crew may reduce congestion by opening and/or closing selected road
segments and lanes (with a quick setup of dividers and road-blocks) (see footnote 5).
Infusing a capability for congestion notification and (limited) relief is based on
computational models of the traffic-flow system, as executed by the local
transportation hubs of crews that collectively manage the road infrastructure.</p>
      <p>Given the above delineation of IPW functions, supervisory control functions
can then be assigned to other units in the traffic-flow system higher in the
management hierarchy: such as regional transportation centers. The latter, which
constitutes the ICW, enforces policy decisions on traffic flows such as road
closures and traffic prioritization. The ICW takes cognizance of the effectiveness
of current infrastructure in adapting to various congestion levels, and takes
recovery actions therein (e.g., authorizing the conversion of a two-way lane to
a one-way lane). Such computational intelligence functions of ICW supply the
configuration inputs to the IPW functions that invoke the traffic-flow system.</p>
      <p>The traffic data collected is prone to errors for two reasons. First, the
processing algorithms in sensor devices may often have only limited capabilities,
and also exhibit diversity due to vendor-specific implementations. The traffic
reports generated therein may be fuzzy, providing an imprecise representation
of the ground truth: namely, the congestion state. Second, some of the devices
may be maliciously faulty, mis-reporting the traffic flow. In such a setting,
replication of devices and voting on the traffic data collected by them enhances the
trustworthiness of the congestion reports generated.</p>
      <p>Footnote 5: Closing a road or lane may sometimes reduce congestion if the traffic merge from the
offending road/lane onto a main road creates local vortex effects at the intersection.</p>
      <p>In terms of our CPS-based design approach, the voting/fusion component is
a part of the observer module M(O), which maps the traffic reports from various
sources onto composite descriptors of congestion events. These event notifications
are annotated with quantifiers that depict the quality of congestion reports q on
a percentile scale: i.e., q ∈ (0, 1). Figure 5-(a) illustrates how the event-report
accuracy q impacts the decision-making process of controller module C.</p>
      <p>6.2 Improving the accuracy of traffic reports</p>
      <p>
        We employ k-out-of-N consensus voting [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] to decide on an accurate congestion
report, where N is the number of replicas reporting traffic data and k is the
level of consensus needed among replicas. A higher k yields a better accuracy
of the congestion report, with the parameter N set to meet the condition: 1 &lt;
k ≤ N. This is a case of reaching approximate agreement in sensor data fusion
applications [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ].
      </p>
      <p>Consider a case of traffic monitoring on roads with the sensing devices mounted
on police vehicles. One device may report an 80% traffic congestion on the road,
whereas another device may report a 75% congestion. The difference may arise
from their traffic sampling rates and observation intervals. Besides, a malicious
intruder device that poses as a police vehicle may report traffic congestion when
there is none. In the presence of such error-prone traffic reports, a central
monitoring station should be able to take adequate measures to relieve the congestion,
such as controlling the traffic inflow into the congested area by diverting the
traffic in the upstream feeder roads. Here, a control measure taken based on
incorrect reports can lead to traffic chaos, such as admitting more traffic on
the feeder roads when a mis-reported congestion is acted upon by the
monitoring station. Figure 5-(b) illustrates the role of replica voting in improving the
accuracy of traffic reports.</p>
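      <p>The following added example (not code from the paper) runs k-out-of-N voting over fuzzy congestion reports such as the 80% and 75% readings above. The device labels, the roster of N replicas, the 0.10 agreement tolerance, the median as the fused value X, and q taken as the fraction of the N replicas in agreement are assumptions.</p>

```python
"""k-out-of-N replica voting on fuzzy congestion reports (added example)."""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, Optional


@dataclass(frozen=True)
class Report:
    device_id: str      # hypothetical device label, assumed authenticated upstream
    congestion: float   # reported congestion level, 0.0 (free) to 1.0 (jammed)


@dataclass(frozen=True)
class Verdict:
    value: float        # X: median of the agreeing reports
    quality: float      # q: agreeing replicas / N (assumed definition)
    supporters: tuple   # devices inside the consensus group
    dissenters: tuple   # devices that reported but fell outside it


def vote(reports: Iterable[Report], roster: frozenset, k: int,
         tolerance: float = 0.10) -> Optional[Verdict]:
    """Return a verdict if at least k of the N roster devices agree, else None."""
    n = len(roster)
    if not (k > 1 and n >= k):
        raise ValueError("k must be greater than 1 and at most N")

    # One ballot per known device; a device that sends conflicting values
    # loses its vote, and out-of-range values (including NaN) are dropped.
    first, equivocators = {}, set()
    for r in reports:
        if r.device_id not in roster or not (1.0 >= r.congestion >= 0.0):
            continue
        prior = first.setdefault(r.device_id, r)
        if prior.congestion != r.congestion:
            equivocators.add(r.device_id)
    ballots = sorted((r for d, r in first.items() if d not in equivocators),
                     key=lambda r: r.congestion)
    if not ballots:
        return None

    # Fuzzy agreement: slide a window over the sorted values and record, for
    # each start i, the run [i, j) of reports within `tolerance` of ballots[i].
    groups, j = [], 0
    for i in range(len(ballots)):
        while (len(ballots) > j and
               tolerance >= ballots[j].congestion - ballots[i].congestion):
            j += 1
        groups.append((i, j))
    lo, hi = max(groups, key=lambda g: g[1] - g[0])
    if k > hi - lo:
        return None  # consensus level not reached: the controller must not act

    # If a disjoint group also reaches k (possible only when k is at most N/2),
    # the vote is ambiguous and no report is issued.
    for a, b in groups:
        if b - a >= k and (lo >= b or a >= hi):
            return None

    agreed = ballots[lo:hi]
    backing = {r.device_id for r in agreed}
    return Verdict(
        value=median(r.congestion for r in agreed),
        quality=len(agreed) / n,
        supporters=tuple(sorted(backing)),
        dissenters=tuple(sorted(set(first) - backing)),
    )


# Constructed sample data: five replicated devices on police vehicles (N = 5).
ROSTER = frozenset({"pv-1", "pv-2", "pv-3", "pv-4", "pv-5"})
CONGESTED = [Report("pv-1", 0.80), Report("pv-2", 0.75), Report("pv-3", 0.78),
             Report("pv-4", 0.10),   # faulty sensor
             Report("pv-5", 0.82)]
INTRUDER = [Report("pv-1", 0.05), Report("pv-2", 0.08), Report("pv-3", 0.02),
            Report("pv-4", 0.06),
            Report("pv-5", 0.90)]    # device claiming congestion where none exists
COLLUDING = [Report("pv-1", 0.05), Report("pv-2", 0.06),
             Report("pv-4", 0.90), Report("pv-5", 0.92)]

if __name__ == "__main__":
    for name, data, k in (("congested", CONGESTED, 3), ("intruder", INTRUDER, 3),
                          ("colluding, k=2", COLLUDING, 2)):
        print(name, vote(data, ROSTER, k))
```

With k = 2 and N = 5 the two colluding devices can form a group as large as the honest one, so the vote is withheld; choosing k above N/2 removes that ambiguity.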
      <p>
        With replica voting as the building-block, a data fusion mechanism based on
semantic composition of the traffic reports from different regions may be
employed to further improve the quality of inference about congestion. The data
fusion may be based on tree-structured overlays set up over a vehicular network
[
        <xref ref-type="bibr" rid="ref16">16</xref>
        ]. In a tree overlay, the root node is attached to a data dissemination station
and the leaf nodes are attached to the data collection devices in different
geographic regions (similar to [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ]). The fusion architecture allows incorporating
two complementary functionalities: i) sanitization of data collection by voting
among replicated devices at the leaf nodes, and ii) secure propagation of the
sanitized data upstream towards the root node for control actions. An
intermediate node, often attached to a stable station (e.g., a police control vehicle, an
airborne platform), may also carry out aggregation functions on the data
arriving from its downstream tree segments and then forward the aggregated data
upstream. Where necessary, the intermediate nodes may also be equipped with
functions to initiate (limited) control actions in the local regions.
      </p>
      <p>Event quality q is a parametric input to the computational model executed
by the controller C. Thereupon, C assimilates the parameter q as part of its
decision-making on the traffic management actions (see footnote 6). Typically, the degree of
sensor replication N and the consensus level k for voting on traffic data are
controllable parameters, with 1 &lt; k ≤ N. While improving the accuracy of traffic
reports, a higher k lowers the time to generate a report due to the increased
parallelism among sensor units but increases the network bandwidth consumption
B to exchange synchronization messages.</p>
      <p>[Figure 5: (a) IPW with car traffic in-flow, traffic monitor M(O) producing the congestion report [X, q], controller C, and the supervisory module (ICW) supplying the parameter plug-in [N, k, B]. (b) Traffic sensors 1 to 5 (one marked faulty; maximum number of faulty sensors possible fm = 1) send notify(i, 'detected') or notify(i, 'not_detected') messages to the voting apparatus at the transportation management center, which implements controller C.]</p>
      <p>The choice of [N, k, B] is aided by a calibration of the sensors vis-a-vis their
event reporting quality and a computational model of the voting sub-system
therein. The calibration data is maintained by the ICW for dynamically loading
into the IPW. The parameter patching enables IPW to reconfigure its operations
under various environment conditions.</p>
    </sec>
    <sec id="sec-7">
      <title>Conclusions</title>
      <p>As embedded systems become complex, there is a need to explicitly incorporate
diverse physical computing systems (both hardware and software) in a coherent
abstraction. Removing the explicit hardware-centric boundaries as part of the
currently prevalent definitions of an embedded system, our paper introduced a
concrete notion of intelligent physical world (IPW), and an intelligent
computational world (ICW) therein, as the modules of an embedded system.</p>
      <p>Footnote 6: In a multi-agent based realization of C, q is viewed as the belief probability of an
agent about the existence of a reported congestion. With epistemic reasoning about
the belief states of agents, a traffic control action over different geographic regions
can be realized by various agents with a certain confidence level. Study of how the
accuracy parameter q impacts traffic flow-related decisions of C, and the underlying
epistemic reasoning process, is deferred as future work.</p>
      <p>The paper described the software engineering issues in orchestrating a
harmonious co-existence of the IPW and ICW. With the aid of a software structural
model of a CPS, the paper studied a complex network application: viz., vehicular
traffic congestion monitoring in a transportation network, through the prism of
ICW-IPW partitioning.</p>
      <p>The advantages of our CPS-style structure of an application are that it
reduces the development cost of distributed control software via software reuse
and modular programming. The CPS-style structure also enables easier system
evolutions in the form of adding and/or modifying the controller functionalities
in applications without weakening the software correctness goals.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <given-names>R. C.</given-names>
            <surname>Eberhart</surname>
          </string-name>
          and
          <string-name>
            <given-names>Y.</given-names>
            <surname>Shi</surname>
          </string-name>
          .
          <article-title>Computational Intelligence</article-title>
          .
          <source>In chap. 2, Computational Intelligence: Concepts to Implementations</source>
          , Morgan Kaufman Publ,
          <year>2007</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>S.</given-names>
            <surname>Kabadayi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Pridgen</surname>
          </string-name>
          , and
          <string-name>
            <given-names>C.</given-names>
            <surname>Julien</surname>
          </string-name>
          .
          <article-title>Virtual Sensors: Abstracting Data from Physical Sensors</article-title>
          .
          <source>Tech. Rep. 2006-01</source>
          , Univ. of Texas Austin,
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <given-names>F. S.</given-names>
            <surname>Hillier</surname>
          </string-name>
          and
          <string-name>
            <given-names>G. J.</given-names>
            <surname>Lieberman</surname>
          </string-name>
          .
          <article-title>"Non-linear Programming" and "Metaheuristics"</article-title>
          .
          <source>Chap</source>
          .
          <volume>12</volume>
          ,
          <issue>13</issue>
          , Introduction to Operations Research,
          <source>McGraw-Hill publ. (8th ed.)</source>
          , pp.
          <fpage>547</fpage>
          -
          <lpage>616</lpage>
          ,
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <given-names>J.</given-names>
            <surname>Love</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Jariyasunant</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Pereira</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Zeenaro</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Hedrick</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Kirsch</surname>
          </string-name>
          , and
          <string-name>
            <given-names>R.</given-names>
            <surname>Sengupta</surname>
          </string-name>
          .
          <article-title>CSL: A Language to Specify and Re-specify Mobile Sensor Network Behaviors</article-title>
          .
          <source>In proc. RTAS'09</source>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <given-names>Y.</given-names>
            <surname>Diao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. L.</given-names>
            <surname>Hellerstein</surname>
          </string-name>
          , G. Kaiser,
          <string-name>
            <given-names>S.</given-names>
            <surname>Parekh</surname>
          </string-name>
          , and
          <string-name>
            <given-names>D.</given-names>
            <surname>Phung</surname>
          </string-name>
          .
          <article-title>Self-Managing Systems: A Control Theory Foundation</article-title>
          .
          <source>In IBM Research Report, RC23374 (W0410- 080)</source>
          , Oct.
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <given-names>N. G.</given-names>
            <surname>Leveson</surname>
          </string-name>
          .
          <article-title>Software Challenges in Achieving Space Safety</article-title>
          .
          <source>In Journal of the British Inter-Planetary Society</source>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <given-names>B.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Nahrstedt</surname>
          </string-name>
          .
          <article-title>A Control-based Middleware Framework for Quality of Service Adaptations</article-title>
          .
          <source>In IEEE JSAC</source>
          ,
          <volume>17</volume>
          (
          <issue>9</issue>
          ), Sept.
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <given-names>C.</given-names>
            <surname>Lu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Lu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. F.</given-names>
            <surname>Abdelzaher</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. A.</given-names>
            <surname>Stankovic</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. H.</given-names>
            <surname>Son</surname>
          </string-name>
          .
          <article-title>Feedback Control Architecture and Design Methodology for Service Delay Guarantees in Web Servers</article-title>
          .
          <source>In IEEE TPDS</source>
          ,
          <volume>17</volume>
          (
          <issue>7</issue>
          ), Sept.
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <given-names>I.</given-names>
            <surname>Schaefer</surname>
          </string-name>
          and
          <string-name>
            <given-names>A. P.</given-names>
            <surname>Heffter</surname>
          </string-name>
          .
          <article-title>Slicing for Model Reduction in Adaptive Embedded Systems Development</article-title>
          .
          <source>In Workshop on Software Engineering for Adaptive and Self-managing Systems (SEAMS)</source>
          ,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <string-name>
            <given-names>J.</given-names>
            <surname>Yi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Woo</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. C.</given-names>
            <surname>Browne</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. K.</given-names>
            <surname>Mok</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Xie</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Atkins</surname>
          </string-name>
          , and
          <string-name>
            <given-names>C. G.</given-names>
            <surname>Lee</surname>
          </string-name>
          .
          <article-title>Incorporating Resource Safety Verification to Executable Model-based Development for Embedded Systems</article-title>
          .
          <source>In IEEE Real-time and Embedded Technology and Applications Symp</source>
          .,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <given-names>T.</given-names>
            <surname>Mikaelian</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B. C.</given-names>
            <surname>Williams</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Sachenbacher</surname>
          </string-name>
          .
          <article-title>Probabilistic Monitoring from Mixed Software and Hardware Specifications</article-title>
          .
          <source>In Proc. ICAP'05 Workshop on Verification and Validation of Model-based Planning and Scheduling Systems</source>
          ,
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12. P. E. Lanigan,
          <string-name>
            <given-names>P.</given-names>
            <surname>Narasimhan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T. E.</given-names>
            <surname>Fuhrman</surname>
          </string-name>
          .
          <article-title>Experiences with a CANoe-based Fault Injection Framework for AUTOSAR</article-title>
          .
          <source>In IEEE/IFIP Conf. on Dependable Systems and Networks (DSN'10)</source>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <given-names>A.</given-names>
            <surname>Rowe</surname>
          </string-name>
          , G. Bhatia, and
          <string-name>
            <given-names>R.</given-names>
            <surname>Rajkumar</surname>
          </string-name>
          .
          <article-title>A Model-Based Design Approach for Wireless Sensor-Actuator Networks</article-title>
          .
          <source>In proc. workshop on Analytic Virtual Integration of Cyber-Physical Systems (AVICPS'10)</source>
          , Nov.
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <string-name>
            <given-names>M. V.</given-names>
            <surname>Erp</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Vuurpijl</surname>
          </string-name>
          , and
          <string-name>
            <given-names>L.</given-names>
            <surname>Schomaker</surname>
          </string-name>
          .
          <article-title>An overview and comparison of voting methods for pattern recognition</article-title>
          .
          <source>In proc. IEEE Intl. Workshop on Frontiers in Handwriting Recognition (WFHR02)</source>
          ,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <given-names>R. R.</given-names>
            <surname>Brooks</surname>
          </string-name>
          and
          <string-name>
            <given-names>S.</given-names>
            <surname>Iyengar</surname>
          </string-name>
          .
          <article-title>Chap. on Sensor Fusion and Approximate agreement</article-title>
          .
          <source>In Multisensor Data Fusion</source>
          , Prentice-Hall Publ.,
          <year>1998</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <given-names>K.</given-names>
            <surname>Ravindran</surname>
          </string-name>
          .
          <article-title>Replica Voting based Architectures for Reliable Data Dissemination in Vehicular Networks</article-title>
          .
          <source>In proc. Intl. Conf. on Telecommunications for Intelligent Transport Systems (ITST-2011)</source>
          , IEEE, St. Petersburg (Russia), Aug.
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <given-names>R.</given-names>
            <surname>Stadler</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Wuhib</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Dam</surname>
          </string-name>
          ,
          and
          <string-name>
            <given-names>A.</given-names>
            <surname>Clemm</surname>
          </string-name>
          .
          <article-title>Decentralized Computation of Threshold-crossing Alerts</article-title>
          .
          <source>In proc. conf. on Distributed Systems: Operations and Management</source>
          , IEEE/IFIP, Barcelona (Spain), Oct.
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18.
          <string-name>
            <given-names>W.</given-names>
            <surname>Hu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Misra</surname>
          </string-name>
          , and
          <string-name>
            <given-names>R.</given-names>
            <surname>Shorey</surname>
          </string-name>
          .
          <article-title>CAPS: Energy-Efficient Processing of Continuous Aggregate Queries in Sensor Networks</article-title>
          .
          <source>In proc. 4th Intl. conf. on Pervasive Computing and Communications, IEEE-PerCom'06</source>
          , pp.
          <fpage>190</fpage>
          -
          <lpage>199</lpage>
          ,
          <year>June 2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          19.
          <string-name>
            <given-names>D. A.</given-names>
            <surname>Amditis</surname>
          </string-name>
          et al.
          <article-title>Multiple Sensor Collision Avoidance System for Automotive applications using an IMM approach for obstacle tracking</article-title>
          .
          <source>In proc. Fusion'02</source>
          , Intl. Society of Information Fusion,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          20.
          <string-name>
            <given-names>S.</given-names>
            <surname>Forrest</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Somayaji</surname>
          </string-name>
          , and
          <string-name>
            <given-names>D.H.</given-names>
            <surname>Ackley</surname>
          </string-name>
          .
          <article-title>Building Diverse Computer Systems</article-title>
          .
          <source>In proc. 6th Workshop HotOS-VI</source>
          , IEEE,
          <year>1997</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>