Formal Verification on the Safety of Internet of Vehicles Based on TPN and Z

Nowadays, the Internet of Vehicles has become a focus of global technological innovation and transformation in the automotive industry. Modelling its traffic flow plays a very important role in designing and controlling transportation systems, since such modelling is not only necessary for improving safety and transportation efficiency but also bears on a range of social, economic, and environmental problems. Because the frame structure of the Internet of Vehicles comprises states and actions, and because traffic flow dynamics have both discrete and continuous aspects, both Petri nets and Z have proved to be useful tools for modelling it: Petri nets describe vehicle behaviour formally and accurately, and the Z frame structure captures more detail. This paper presents a new integrated formal method combining time Petri nets and Z for modelling vehicle behaviours and traffic rules, taking into account the dependence of states on external rules. A case study in the Internet of Vehicles is then used to deal with the accurate localization of events. It shows that this formal verification method improves the safety and intelligence of the Internet of Vehicles.


Introduction
With the development of communication technology, wireless sensing, automation, artificial intelligence, and so on, Internet of Vehicles techniques have emerged. They combine the latest achievements of computer technology with the modern automobile industry. Because the operating environment is complex and dynamic, the control system becomes more and more complex. Since lives are at stake, the key safety components, such as the automotive engine, air bag control, brake system, sensor monitoring system, and the handling of traffic regulations, have very strict reliability requirements. The Internet of Vehicles has made our lives more convenient; nevertheless, accidents still happen often. Many researchers address safety from different aspects [1][2][3] and by different methods, such as control strategies, security factors, and intelligent platforms. Growing experience shows that formal methods are very effective for ensuring the safety of Internet of Vehicles systems [4][5][6][7].
In fact, formal methods are a good way to inspect problems in system design or requirements design [8,9]. The running environment of the Internet of Vehicles is very complex and changes dynamically, so it is hard to describe it with only one formal language. The traditional process-analysis formalisms, such as Petri nets [10], CCS (Calculus of Communicating Systems) [11,12], and CSP (Communicating Sequential Processes) [13,14], can model different aspects of a system from different angles and at different abstractions, but their power to describe functional and nonfunctional attributes and constraint conditions is limited. The traditional model-oriented languages such as V [15,16], B [17], and Z [18,20] are good at modelling description but poor at describing system concurrency. Integrated specification languages are currently a hot topic and have produced CSPZ [21], TCOZ [22], PZN [23,24], and so on. However, these languages do not target the Internet of Vehicles. PZN has a clear advantage in describing traditional systems, since the Z specification has a good frame structure for both state description and operation description, and Petri nets [25][26][27][28] are very suitable for expressing the behaviour of parallel and concurrent system models. So a hybrid methodology that combines the advantages of Z and Petri nets is well suited to modelling and analyzing Internet of Vehicles systems. PZN has been used to model and analyze the validity and accessibility of networked software, and experimental results showed that it fits that domain well. In the Internet of Vehicles, beyond states and operations, time constraints are also very important: there is both continuous and discrete time. Some researchers have used time Petri nets to model system requirements and software [29][30][31][32][33][34], but those models lack specific rule descriptions and state depictions.
Motivated by previous experience in the formal modelling and analysis of networked software requirements, this paper proposes TPZN (the integration of Time Petri Nets and Z) for formally modelling and verifying Internet of Vehicles systems. It can describe the concurrent processes and the before-and-after states of a system at different times. TPZN consists of two parts, TPZN-TPN and TPZN-Z. TPZN-TPN defines the data flow of the whole structure and the order and behaviour of processes at a given moment, while TPZN-Z describes the abstract data frame, the specific rule restrictions, and the time constraints. By raising the level of data abstraction and refinement through Z, the number of states of the time Petri net can be reduced effectively. A case study shows the modelling method in detail and illustrates how the method improves the safety and validity of intelligent vehicle systems.

Background
In this section, we recall some preliminary backgrounds that are necessary for the rest of the paper.

Hybrid Petri Net Extension.
A hybrid Petri net extension for traffic road modelling is proposed by Riouali et al. in [7]. It introduces discrete and continuous parts, which include discrete and continuous places and transitions. The movement and evolution of the Internet of Vehicles depend on the state of the places and are governed by various functions, namely, creation, destruction, merging, and splitting; meanwhile, it defines the speed, maximum density, length, and maximum flow of the road being modelled.
A hybrid Petri net consists of three kinds of objects: places, transitions, and directed arcs. Unlike the traditional Petri net, however, places are divided into two kinds, discrete places and continuous places, and transitions likewise fall into discrete transitions and continuous transitions. Arcs still carry the state dynamics from places to transitions or from transitions to places. The hybrid Petri net extension is defined as the 6-tuple N = (P, T, Pre, Post, γ, Time):
(1) P is a set of places, P = Pc ∪ Pd, where Pc are the continuous places and Pd the discrete places.
(2) T is a set of transitions.
(3) Pre is the backward incidence matrix P × T → ℕ.
(4) Post is the forward incidence matrix T × P → ℕ.
(5) γ is the batch place function. It associates with each batch place the 4-tuple (V_i: speed; d_i: maximum density; S_i: length; Φ_max: maximum flow).
(6) Time gives the firing delay of continuous or batch transitions.
Here we retain the time factor, while γ is better suited to a more intelligent, concurrent vehicle environment.

Z Frame Structure.
Z is a good formalism for modelling and design. Compared with Petri nets, Z has better abilities for type definition, data abstraction, and model refinement. Its basic frame contains states and operations, as shown in Figure 1. Every operation has associated states and constraint rules. However, Z does not describe the dynamic behaviour of systems.
Although Ding et al. and Wei et al. proposed a method that models systems with both Z and Petri nets in [27,28], and the authors also showed that using PZN (Z and Petri nets) to model software requirements is effective and feasible [9], it is still not good enough for modelling the Internet of Vehicles. The reason is that PZN cannot describe real-time performance, which is very important in vehicle systems. In transportation systems, time is a critical factor, so the previous work has to be improved by adding time constraints to PZN [9]. TPZN stands for the integration of PZN and the time factor. In Section 3, we introduce the modelling and analysis methods of TPZN.

Modelling with TPZN
To satisfy the real-time, dynamic evolution, data abstraction, and type definition capabilities required by the Internet of Vehicles, the integrated specification TPZN is presented in this paper. By raising the level of data abstraction and refinement through Z, the number of states of the time Petri net can be reduced effectively. Compared with time Petri nets, coloured Petri nets, PZN, and CSPZ, TPZN is more suitable for defining intelligent vehicle systems.
Mathematical Problems in Engineering
(8) Z_T is the set of operation frames based on Z.
(9) S: P → Z_p is the one-to-one map between P and Z_p.
(10) C: T → Z_T is the one-to-one map between T and Z_T.
(11) M_0 is the initial marking, and ∃t ∈ T,
To ensure the compatibility and validity of the design, the TPZN-Z frame is used to describe the signs, properties, rules, and so on. The corresponding relation between TPN and Z is shown in Figure 2. The green dashed box is the precondition of a transition; the rules and constraints are formally described in Z in Z_t. The purple dashed box represents the postcondition, also given in Z.

Time Constraints in TPZN.
This paper introduces global time and relative time for TPZN. The global time provides the standard system time, and the relative time gives the time relative to the previous state M_i. Two variables are needed: the earliest occurrence time EAR(t) and the latest occurrence time LAT(t). SI_i contains the earliest occurrence time EAR(t_i) and the latest occurrence time LAT(t_i).
In Figure 3, for example, the relative times are marked: "t7 [15,25]" means that t7 can be fired after at least 15 seconds and at most 25 seconds. If 25 seconds are exceeded, the automatic delivery truck stops working and the system raises a warning. The global time is always synchronized with the system clock.

Model Refining.
The running environment of the Internet of Vehicles is always complex, dynamic, and unexpected, so model refinement and topological evolution capabilities are very important. Suppose TPZN_11 and TPZN_12 are subnets of TPZN_1; then (TPZN_11 ∩ TPZN_12) ⊂ TPZN_1 (1). All p_i ∈ P with P ∈ TPZN_11 / (TPZN_11 ∩ TPZN_12) are the newly added virtual states, which represent the possible states before or after the subnet TPZN_11, and all t_i ∈ T with T ∈ TPZN_11 / (TPZN_11 ∩ TPZN_12) are the newly added virtual transitions, which represent the possible preconditions or postconditions. Of course, new Z frame structures Z_p′ and Z_t′ should be redefined with the additional rules. In the same way, a new TPZN′ can substitute a transition t_i when the control structure changes.
Conversely, when a model needs to be abstracted, it can be seen as a new transition t′; its precondition and postcondition are then added, and its inputs and outputs are kept relative to the adjoining model. Because TPZN integrates TPN and Z, the refined TPN maintains behavioural consistency with the original one, as proved in [35][36][37].

Modelling Analysis
4.1. Accessibility. Traditionally, there are two ways to analyze the accessibility (reachability) of a model. One is the reachability tree, which is used to analyze the accessibility of model states. Because the accessibility of a TPZN involves bounded time and there are many state classes, methods to reduce the number of state classes are necessary. For instance, Bourdil and Berthomieu have proposed such methods [28,31]. Based on their work, we use the Z frame to abstract the system and so reduce the number of states. A layer can be subdivided into smaller layers; if the lowest layers are verified to be correct, accessible, and safe, the whole upper layer has the same character. The reachability tree is built from the state classes φ_f of the TPZN: the path from node φ_fi to node φ_fj of the tree gives the transition sequence from φ_fi to φ_fj (Figure 4).
The other way uses the incidence matrix C = D⁺ − D⁻. The output matrix D⁺ is defined entrywise: D⁺[i, j] = 0 means there is no arc from t_i to p_j, and D⁺[i, j] = n means there is an arc from t_i to p_j that produces n tokens of the same type when t_i fires. The input matrix D⁻ is indexed the same way (rows are transitions, columns are places), so that D⁺ − D⁻ is well defined: D⁻[i, j] = 0 means there is no arc from p_j to t_i, and D⁻[i, j] = n means there is an arc from p_j to t_i and t_i can fire only if p_j holds n tokens of that type. Suppose M_i is a marking. If there is a transition sequence σ = t_i t_{i+1} … t_j from M_i to M_j with firing-count vector X, then M_j = M_i + X·(D⁺ − D⁻). This state equation is a necessary condition for M_j to be reachable from M_i, not a sufficient one; the firing sequence itself establishes reachability. In a TPZN, moreover, the bounded time must be taken into account. The time-constraint rules are described in the Z frame. In automotive vehicle systems these rules must be built strictly, because a subtle change in timing may cause a serious traffic accident.
So, to model a vehicle system, the whole system is first abstracted, then subdivided into layers, and further subdivided until the atomic modules are reached. From φ_f, the state class carrying a timestamp, we obtain the possible behaviour of the system within a given time interval and then predict the next step. The accessibility algorithm is given as Algorithm 1, which decides accessibility from M_i to M_j; the case study explains how to use it in Figure 5.

Validity.
The validity of the control structure can be analyzed using the transfer matrix L_DP of TPZN. From L_DP, concurrent transitions can be obtained from the same column and row. As in the following L_DP1, t_1

(4)
So, the data flow structure can be mapped onto the transfer matrix L_DP. If several transitions appear in the same row p_i, then when the system reaches state p_i these transitions are triggered together. If several transitions appear in the same column p_i, then p_i can be reached only after all of those transitions have been triggered.
After the initial model and parameters have been obtained, sampled or historical data can be used to correct the model and parameters. Real-time data can also be used to modify the model and parameters, but more often they are used to predict the possible future state. The process of modelling the Internet of Vehicles with TPZN is shown in Figure 6. First, the node device information, traffic rules, and evaluation indicators are obtained from the initial system model; at the same time, the data flow structure of the system is obtained and the initial system is divided into subsystems. Second, the former information is described by Z frame structures and the latter by a TPN. Third, the subsystems are refined. Then, the whole system can be formally modelled by TPZN. Next, the related parameters such as L_DP, φ_f, D⁺, and D⁻ are obtained from the TPZN model. Combined with the current information of the system, the initial parameters are used to analyze its character. At last, the future behaviour of the vehicle system can be predicted. If the prediction shows that the system will be in danger, countermeasures can be adopted; if the danger is caused by some traffic rules, those rules are modified.
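The analysis steps described above can be exercised on a small net. The following Python program is an added example, not code from the paper: it builds a constructed time Petri net (the place and transition names, arcs and [EAR, LAT] intervals are assumptions chosen to mirror the sensor fork and join of the case study), derives D⁺ and D⁻, checks the state equation M_j = M_i + X·(D⁺ − D⁻), runs an earliest-time reachability search whose nodes carry timestamps in the manner of φ_f, and reads the transfer structure L_DP by row and column to find forks, joins, and alternatives.

```python
"""Added example (not the paper's own code) for Sections 3.2, 4.1 and 4.2:
a small time Petri net with incidence matrices D+ and D-, the state equation
M_j = M_i + X.(D+ - D-), an earliest-time reachability search whose nodes
carry timestamps, and the row/column reading of the transfer structure L_DP.
The net, its place names and its [EAR, LAT] intervals are constructed."""
from collections import deque

# Constructed net: BEGIN forks into lidar and radar processing, which run
# concurrently; a check joins both results, then the car brakes or cruises.
PLACES = ["p0", "p1", "p2", "p3", "p4", "p5", "p6", "p7"]
TRANSITIONS = {       # name: (input places, output places, (EAR, LAT) seconds)
    "t0": ({"p0": 1}, {"p1": 1, "p2": 1}, (0, 1)),   # begin: fork
    "t1": ({"p1": 1}, {"p3": 1}, (2, 5)),            # lidar processing
    "t2": ({"p2": 1}, {"p4": 1}, (1, 3)),            # radar processing
    "t3": ({"p3": 1, "p4": 1}, {"p5": 1}, (0, 2)),   # check information: join
    "t4": ({"p5": 1}, {"p6": 1}, (0, 1)),            # brake
    "t5": ({"p5": 1}, {"p7": 1}, (0, 1)),            # keep cruising
}
TNAMES = list(TRANSITIONS)
IDX = {p: j for j, p in enumerate(PLACES)}


def incidence():
    """D+ and D- as |T| x |P| matrices (row = transition), so that
    C = D+ - D- is well defined and X.C is a change of marking."""
    d_plus = [[TRANSITIONS[t][1].get(p, 0) for p in PLACES] for t in TNAMES]
    d_minus = [[TRANSITIONS[t][0].get(p, 0) for p in PLACES] for t in TNAMES]
    return d_plus, d_minus


def state_equation_holds(m_i, m_j, x):
    """M_j == M_i + X.(D+ - D-) for firing-count vector X: a necessary, not
    sufficient, condition for M_j to be reachable from M_i."""
    d_plus, d_minus = incidence()
    change = [sum(x[i] * (d_plus[i][j] - d_minus[i][j]) for i in range(len(TNAMES)))
              for j in range(len(PLACES))]
    return [a + b for a, b in zip(m_i, change)] == list(m_j)


def enabled(marking, t):
    return all(marking[IDX[p]] >= w for p, w in TRANSITIONS[t][0].items())


def fire(marking, t):
    m = list(marking)
    for p, w in TRANSITIONS[t][0].items():
        m[IDX[p]] -= w
    for p, w in TRANSITIONS[t][1].items():
        m[IDX[p]] += w
    return tuple(m)


def earliest_reach(m0, target, max_steps=20):
    """BFS over (marking, enabling time of each enabled transition).  t may
    fire at tau = max(now, enab_t + EAR_t) only if no other enabled u has
    already passed enab_u + LAT_u (the TPN firing rule).  Firing as soon as
    permitted gives the earliest arrival time; the latest bound would need
    full state classes.  Returns ([(t, tau), ...], arrival time) or None."""
    start = (tuple(m0), tuple((t, 0.0) for t in TNAMES if enabled(m0, t)))
    queue, seen = deque([(start, [], 0.0)]), {start}
    while queue:
        (marking, enab), trace, now = queue.popleft()
        if marking == tuple(target):
            return trace, now
        if len(trace) >= max_steps or not enab:
            continue
        enab = dict(enab)
        deadline = min(e + TRANSITIONS[u][2][1] for u, e in enab.items())
        for t, e in enab.items():
            tau = max(now, e + TRANSITIONS[t][2][0])
            if tau > deadline:          # another transition is urgent first
                continue
            nxt = fire(marking, t)
            # persistent clocks: transitions that stay enabled keep their
            # enabling time; newly enabled ones (and t itself) start at tau
            new_enab = tuple((u, enab[u] if u in enab and u != t else tau)
                             for u in TNAMES if enabled(nxt, u))
            if (nxt, new_enab) not in seen:
                seen.add((nxt, new_enab))
                queue.append(((nxt, new_enab), trace + [(t, tau)], tau))
    return None


def transfer_structure():
    """L_DP as a place x place map: entry (p_i, p_j) lists the transitions
    moving a token from p_i to p_j.  Several transitions in row p_i are the
    successors enabled when p_i is marked (alternatives with one token,
    concurrent with enough tokens); a transition with several input places
    is a join: its output place is reached only after all of them are marked."""
    ldp = {}
    for t, (ins, outs, _) in TRANSITIONS.items():
        for pi in ins:
            for pj in outs:
                ldp.setdefault((pi, pj), []).append(t)
    rows = {p: sorted({t for (pi, _), ts in ldp.items() if pi == p for t in ts})
            for p in PLACES}
    cols = {p: sorted({t for (_, pj), ts in ldp.items() if pj == p for t in ts})
            for p in PLACES}
    joins = {t: sorted(ins) for t, (ins, _, _) in TRANSITIONS.items() if len(ins) > 1}
    return ldp, rows, cols, joins
```

The search fires each transition as soon as its own interval and the urgency of the other enabled transitions allow, which yields the earliest time at which a marking is reached (2 seconds for the brake marking of this net, set by the slower lidar branch rather than by the sum of the intervals); the latest bound needs the full state-class construction of Berthomieu cited in Section 4.1. Note also that the state-equation check alone accepts firing-count vectors that no admissible sequence realises, which is why the search, not the equation, is the reachability decision.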

Advantage.
Compared with TPN, PZN, and Z, TPZN has a better dynamic structure and more convenient time constraints, both of which are very important for the Internet of Vehicles. Besides these, TPZN has a better frame structure that abstracts the system to reduce the number of states and so avoids the state explosion that usually occurs in traditional Petri nets. The advantages of modelling with TPZN are summarized in Table 1.

A Case Study
To verify the effectiveness of our modelling method and to exercise our verification algorithms, this section offers a simple case study. Suppose that an intelligent car has 4 lidars, 4 radars, 4 side vision, 1 full vision, an image processing system, a radar system, a lidar system, a brake system, and so on, and is running on a straight road, as shown in Figure 7. The first modelling step is to obtain the Z frame structure of every node device. Because space is limited, only parts of the system model, such as Z_p and Z_t, are presented here. The above frame is the common part of one element of Z_p, which is defined as one kind of state of the system; as the blue dashed box shows, it formally defines the related devices. The following one defines one node device of the system.
… {1, 1, 1, 1}) …
So, in the first step, every node device's Z frame structure and every transition can be defined. In the second step, the TPN model of the Internet of Vehicles system is built. Parts of the TPN model are shown in Figure 8.
(4) Z_pi is an element of the set Z_p; it represents the Z frame state of a node device, such as CAR or FrontLeftLi.
(5) Z_ti is an element of the set Z_T; it represents the Z frame transition of the system, such as BEGIN.
(6) S maps each state p_i to the Z frame of that state, e.g., p_0 → CAR.
(7) C maps each transition t_i to the Z frame of that transition, e.g., t_0 → BEGIN.
(8) M_0 = (1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) is the initial condition of the system.
SI_i, the temporal interval under M_i, is shown in Table 2. Some details of each p_i and t_i are shown in Table 3. Figure 7 shows only part of the case study, so p_9 and p_10 are not the real final states; in fact, p_9 and p_10 can return to the normal state by some further steps.
Algorithm 1: The algorithm of accessibility (accessibility decision from M_i to M_j). Final step: Print φ_fi, t_n, φ_fi+1, t_n+1, …, t_n+c, φ_fj.
Table 3: Places and transitions of the case study (rows recovered from the table).
P5: Radar 2
P6: Detected obstacles ahead by radar
P7: Detected obstacles ahead by lidar
P8: Detected normal environment by radar
P9: Brake
P10: Deceleration
P11: Detected normal environment by lidar
P12: Vision-front
P13: Wide-angle
t1: Processed normal data by lidar system
t2: Processed abnormal data by lidar system
t3: Processed normal data by radar system
t4: Processed abnormal data by radar system
t5: Decelerating
t6: Braking
t7: Process by vision-front
t8: Process by wide-angle
t9: Check information
From the matrix L_DP, the concurrent behaviour can be found easily. From D⁺, D⁻, M_i, M_j, φ_fi, and φ_fj, the next behaviour can be deduced exactly. The exact arrival time can also be obtained from SI_i and SI_j on the reachability tree, as shown in Figure 5. The rules can be amended through Z_p and Z_t as new data arrive. Every Z frame structure can be coded in a high-level programming language so that the logical relationships can be reasoned about easily.
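As an added example (not from the paper) of coding a Z frame structure in a high-level language, the following Python program encodes one state schema Z_p, one operation schema Z_t with its precondition and postcondition, the maps S and C that attach them to a place and a transition, and a firing function that checks the time interval SI_i and the Z predicates together. The lidar node fields, the obstacle threshold, the interval [2, 5] seconds and the names p1 and t1 are assumptions.

```python
"""Added example (not the paper's own code) of coding a Z frame structure in a
high-level language, as the end of the case study suggests: a state schema
Z_p (fields plus invariant), an operation schema Z_t (precondition, state
change, postcondition) and the maps S: p -> Z_p and C: t -> Z_t that attach
them to a place and a transition of the net.  The schema contents, the
obstacle threshold and the [EAR, LAT] interval are assumptions."""
from dataclasses import dataclass, replace

STOP_DISTANCE_M = 30.0            # assumed threshold for "obstacle ahead"


@dataclass(frozen=True)
class LidarNode:
    """Z_p state schema for one lidar node (FrontLeftLi in the case study)."""
    status: str                   # "idle" | "normal" | "abnormal"
    range_m: float                # nearest return in metres
    enabled_at: float             # global time at which its transition was enabled

    def invariant(self):          # predicate part of the state schema
        return self.status in ("idle", "normal", "abnormal") and self.range_m >= 0.0


class SchemaViolation(Exception):
    """Postcondition or invariant failed after the operation: a modelling error."""


def lidar_pre(s, reading_m):
    """Z_t precondition (green box in Figure 2): node is waiting, input well formed."""
    return s.status == "idle" and reading_m >= 0.0


def lidar_op(s, reading_m):
    """State change of the operation schema."""
    status = "abnormal" if reading_m < STOP_DISTANCE_M else "normal"
    return replace(s, status=status, range_m=reading_m)


def lidar_post(s, s2, reading_m):
    """Z_t postcondition (purple box): the new state reflects the reading."""
    return s2.range_m == reading_m and (s2.status == "abnormal") == (reading_m < STOP_DISTANCE_M)


# TPZN maps of the case study, restricted to one place and one transition:
# S: place -> Z_p schema, C: transition -> (pre, op, post, (EAR, LAT)).
S = {"p1": LidarNode}
C = {"t1": (lidar_pre, lidar_op, lidar_post, (2.0, 5.0))}


def fire_z(transition, state, reading_m, now):
    """Fire a TPZN transition.  Returns ("overdue", state) when LAT has passed
    (the warning case of Section 3.2), ("blocked", state) when the interval or
    the Z precondition is not yet satisfied, and ("fired", new_state) after the
    postcondition and the state invariant have been checked."""
    pre, op, post, (ear, lat) = C[transition]
    elapsed = now - state.enabled_at
    if elapsed > lat:
        return "overdue", state
    if elapsed < ear or not pre(state, reading_m):
        return "blocked", state
    new = op(state, reading_m)
    if not post(state, new, reading_m) or not new.invariant():
        raise SchemaViolation(f"{transition}: postcondition or invariant violated")
    return "fired", new
```

Returning a status rather than raising on a failed precondition keeps the distinction the paper draws: an unsatisfied precondition or an expired interval is a run-time situation the model must handle (the warning of Section 3.2), whereas a violated postcondition or invariant means the schema itself is wrong and should stop the analysis.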

Conclusions
In this paper, we propose a new way of using TPN and the Z frame structure to formally model and analyze the safety and accessibility of the Internet of Vehicles. The method has been explained in detail by a case study. Although it improves the efficiency of locating problems when the system goes wrong and can predict future behaviour, multiple intelligent vehicles working cooperatively are not taken into account; this is an important and intriguing topic that we are working on.
Data Availability
The case study data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.