Modeling of storage processes using Petri nets

Cyber-physical systems are actively studied by the global and domestic scientific community. It is expected that cyber-physical systems will minimize human participation in the production process, as well as in many other areas of society. At the same time, the information security aspect of the interaction of their elements remains insufficiently studied. The classical approach to ensuring security is aimed at counteracting an explicit destructive information impact, where an information security breach has obvious signs. The failure of a single object of the system can lead to critical conditions. Safety modeling of managerial structures reduces to considering the operability of the functions of the intermediate link and the interaction between the objects that make management decisions and those that generate commands. Passing to limiting cases of these transitions allows analysis and synthesis approaches based on structural schemes and logical relationships.


Introduction
Active use of the term "cyber-physical system" began relatively recently. The German government launched the High-Tech Strategy [1], a program to support the development of high technologies, which became a prerequisite for a new paradigm of the production process. Its distinctive feature is the relationship between the elements of the technological process: in contrast to the classical approach, human participation is minimized; moreover, human participation in some processes can be dangerous both for the successful execution of the process and for the person.
Compatibility implies the possibility of interaction between a person and a system using various communication protocols. In this case, all the objects involved in the production process (machines, sensors, computers, networks, etc.) are combined into a single system. Moreover, it implies the active interaction of this system with a person who does not affect the production process itself, but starts it.
To control the functioning of the enterprise during the implementation of the technological process, information technologies are used to create a virtual production model. In turn, the virtual model makes it possible to control the functioning of the system in real time. Decentralization implies the absence of a central computing device, which allows such systems to be organized as P2P systems [2][3]. A general view of the organization of the interaction of elements is shown in Figure 1.
The information obtained on the risk is the basis for risk management: the development and optimization of organizational and technical measures for reducing the risk to a predetermined value. The task of risk management is the development of action plans for risk reduction and control, the development of alternative options, the assessment of the effectiveness of these plans, and the elaboration of recommendations for management decisions, up to and including refusal of the planned activities. The implementation of this set of risk questions is often called risk management. An outline flow chart of the kind most often used in the field of industrial safety is shown in Figure 2.

Modeling of the command passage
Let us consider the elementary scheme of the command passage from CL to EL with the participation of MS operators. Suppose that a command for EL has been formed which must take a certain form after transformation in the operator link (for example, being encoded or supplemented with some specifics). This can be shown using the flow chart in Figure 1. The further advancement of the command depends on MSO, since in accordance with the hierarchy of the centralized control architecture of EL, the closest paired link above it is MSO. The following options are possible:
a) the CLO command undergoes the required transformations in MSO and passes to ELE for execution;
b) the CLO command reaches MSO, but is then "lost" and does not enter ELE;
c) the CLO command is transformed with a change in its information essence and enters ELE in a distorted form;
d) the CLO command is delayed in CLO for longer than the prescribed (normative) time and loses its information efficiency on entering ELE.
Thus, the following outcomes are possible:
- passage of the command;
- non-passage of the command;
- distortion of the command;
- unauthorized delay of the command.
The reasons for these outcomes may differ. They are associated with the level of training and the psychophysiological state of the operators, the state of the interacting equipment, and the pursuit of destructive goals. The first group of reasons is the subject of engineering psychology (ergonomics). The second is investigated from the standpoint of reliability theory. The last is associated with the goals and possibilities of causing damage by a human operator whose aim is to disrupt the correct execution (or non-execution) of the command formed by CPE for ELE.
The possibilities (probabilities) of these outcomes depend not only on the operators, but also on their grouping (i.e. the way they are included in MS). Let us consider two ways of including duplicated operators in a simple MS (Fig. 1.4 a, b). If the comparison logic scheme performs the function of addition mod 2, then the probability of passage of the command (if there is one) increases. At the same time, the probability of an unauthorized command appearing at the input of ELE (i.e. when there is none at the CLO output) remains unchanged compared to the single-operator flow chart. In the second variant, the logical device (LD) performs the conjunction function. The risk of an unauthorized command appearing in the presence of one intruder is reduced, while the risk of non-passage of an unauthorized command under the same conditions remains the same as for the flow chart with one operator (Fig. 1.3).
Operators can also be grouped according to more complex schemes consisting of parallel and sequential inclusions.

Research
The schemes considered are deterministic, since they are based on Boolean logic and operate with the values 0 (command absent) and 1 (command present). However, even their description uses the word "risk", which is approximately equivalent to the concepts described in a probability space.
To make the approaches concrete, we consider deterministic and stochastic models of various operators. To do this, we introduce a matrix with four fields and named columns and rows. The columns correspond to the operator inputs, the rows to its outputs.
The fields of the matrix contain the probabilities of correct and erroneous formation of the outputs according to the state of the inputs:

             S = 1        S = 0
   R = 1     P11          1 - P00
   R = 0     1 - P11      P00

Fig. 6. Matrix of probabilities of correct and erroneous formation of outputs according to the state of the inputs. Here S is the signal (command) at the input, R the signal (command) at the output, 0 the absence of a signal (command), and 1 its presence.
In Fig. 1.6, the fields of the matrix contain the probabilities of correct fulfilment of the functions by the operator (P11, P00) and the probabilities of erroneous results (P10, P01). Such a matrix characterizes the probabilistic approach to the assessment of the operators' activities.
If we assign the limiting values of correct actions to the probabilities, we obtain the matrix of an ideal operator (Fig. 1.7); for the opposite case (limiting false actions), the matrix of an ideal intruder. Passing to the limiting cases makes it possible to apply analysis and synthesis approaches based on structural schemes and logical relationships. In order to construct structural schemes, the concepts of operators and units are introduced. Operators are functional elements of the management structure that receive information through one or several inputs and convert it into some output form, which is sent either for further transformation or to the output for transfer to the performers. Operators can perform the following types of operations:
- generalization;
- refinement;
- addition;
- adjustment;
- coordination;
- sight aiming;
- conformity control;
- comparison;
- registration;
- decoding (decryption), etc.
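Added example (not the paper's code) of the stochastic operator model of Fig. 6 and of the two ways of grouping duplicated operators described above: each operator is a pair (P11, P00), the group is evaluated for addition mod 2 and for conjunction, and the limiting matrices of the ideal operator and the ideal intruder are substituted to recover the logical statements made above. The function names and the numeric values of the non-ideal operator are constructed for the example.

```python
from itertools import product

# Stochastic operator of the matrix in Fig. 6 as a pair (P11, P00): P11 is the
# probability of passing a present command, P00 of forming no output when no
# command is present; P01 = 1 - P11 (command lost), P10 = 1 - P00 (unauthorized
# command formed). Limiting cases give the ideal operator and ideal intruder.
IDEAL_OPERATOR = (1.0, 1.0)
IDEAL_INTRUDER = (0.0, 0.0)

def response(op, s):
    """P(output R = 1 | input S = s) for one operator op = (P11, P00)."""
    p11, p00 = op
    return p11 if s == 1 else 1.0 - p00

def grouped(ops, logic, s):
    """P(group output = 1 | S = s) for independent operators combined by a
    logical device: 'single' (first operator only), 'xor' (addition mod 2)
    or 'and' (conjunction)."""
    total = 0.0
    for outs in product((0, 1), repeat=len(ops)):   # every joint output
        prob = 1.0
        for op, r in zip(ops, outs):
            q = response(op, s)
            prob *= q if r == 1 else 1.0 - q
        if logic == "xor":
            r_group = sum(outs) % 2
        elif logic == "and":
            r_group = int(all(outs))
        else:
            r_group = outs[0]
        total += prob * r_group
    return total

def risks(ops, logic="single"):
    """(risk of non-passage of a present command, risk of an unauthorized
    command when none was issued) for the given grouping."""
    return 1.0 - grouped(ops, logic, 1), grouped(ops, logic, 0)

# Constructed values for a realistic (non-ideal) operator.
REAL_OPERATOR = (0.9, 0.95)
```

With one ideal operator duplicated by one ideal intruder, `risks(..., "xor")` gives no non-passage risk but leaves the unauthorized-command risk at 1, while `risks(..., "and")` removes the unauthorized-command risk but leaves non-passage at 1, which is the pair of statements made for Fig. 1.4 a and b.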
Depending on the operation, in order to form the output document (instruction for the command, guidelines, etc.) the operator may need informational materials from the system inputs or, after passage of the corresponding operations, from other operators. Operators in the management structure with several inputs and one output we call units. The functioning of a unit depends on the availability of information at its inputs. If the formation of the output information (output) of a unit during its normal operation requires meaningful information at all inputs, such a unit is called a unit of conjunctive type (in accordance with its truth table, the operation of such a link is described by the conjunction function). If the formation of the output information requires meaningful information at only one input, such a link is called disjunctive. If the conjunctive type unit (CTU) has two inputs, then the truth table for the case of its normal operation has the following form:

Input 1   Input 2   Output
   0         0         0
   0         1         0
   1         0         0
   1         1         1
The disjunctive type link (DTL) during normal operation is described by the truth table having the following form:

Input 1   Input 2   Output
   0         0         0
   0         1         1
   1         0         1
   1         1         1
In accordance with the mathematical model given earlier (Fig. 1.3), for the case when the intruder performs the function of a unit, the output information in the tables is inverted. Note 1. In the considerations above, meaningful information is by default denoted by 1 (i.e. different from 0, which is associated with the absence of any information packets).
Note 2. The matrix model of the intruder in the general case can be complicated by an asymmetric reaction of the intruder to the excitation of the inputs. For example, for the case of an intruder present in a CTU, the options described by the corresponding tables are possible. In total there are 2^(2^n) - 1 variants (n is the number of inputs). Similar reasoning can be carried over to a DTU, where deviations from normal functioning are also possible; in the case of two inputs there are 2^(2^2) - 1 of them.
In case of three inputs, the number of possible reactions to the "intruder" increases according to the exponential law.
To simplify further considerations, we introduce the concept of an admissible and an unacceptable reaction of a unit to its input states. A reaction that coincides with the values of the truth table for the normal functioning of this unit is admissible. Accordingly, the opposite reaction is unacceptable. This allows passing to a binary system without contradiction, because only one combination of states can be present at the unit input at a time, and it can always be associated with an admissible or an unacceptable output state.

Example of a logical description of the management structure under the conditions of one intruder
Let a certain hypothetical structure be given that has two control inputs, three performing outputs and a certain structure that displays the movement and logical transformation of the command information. The vector flow chart of the investigated structure is shown in Figure 9. The two inputs x are for management. The three outputs x are for performance. Unit 5 is of the disjunctive type ("DTU") and unit 6 is of the conjunctive type ("CTU"). The remaining operators of the graph are single-input and therefore perform only the function of converting the input information into its output form. We assume that either there is no intruder in the structure (let us call this the zero state) or an intruder is present, but no more than one (the number of such states is 8).
Syndromes of system states can be displayed by the presence (denoted by 1) or absence (denoted by 0) of command information at the performing outputs for the various combinations of control commands at the inputs (1 is command present, 0 is command absent). The table of syndromes is constructed in this form. Tables of syndromes can be used to build test sequences for determining the intruder's location (Figure 10). The length of the test sequence can vary, and in some cases it can consist of a single step. Thus, the intruder with number 6 is detected immediately when, in the absence of input influences, an unauthorized signal x appears at the output.

Discussion risk analysis tree
It is believed that the number of test checks, in which the states of the inputs are changed according to certain rules and the states of the outputs are analyzed, can be minimized. The described model is deterministic, but a probabilistic approach is also possible. From the results of the syndrome analysis, several tasks can be posed.
The first is related to minimizing the number of test checks needed to identify the place of violation, i.e. during testing any possible combination can be applied to the inputs in any sequence: for the input combination "01", four possible places of violation are identified within one step, and the combination "00" shows in one step the result "0" (no violations), also in the eighth category.
Another task is obtaining information on the presence of a violation in one of the maximum set of units for a single test combination of inputs; the combination with which information about possible violations in five units is obtained is "10".
Another test task is detecting violations without special input influences on the system; in this example such a task allows checking only the sixth unit ("00").
If the task is to make minimal changes in the input influences for controlling a specific unit, then its result depends on which unit is subject to verification. In the considered example, for testing units six and eight it is enough to change the test value at only one of the two inputs, and for checking the fourth and seventh ones it is also enough to change the test information at one (already another) input.
[Table of syndromes: for each input combination, the output syndrome is listed with the numbers of the intruder states producing it; the table is garbled in extraction.]
If it is necessary to make sure that the solution of the task is reliable for any unit, the tests can be carried out so that one or more additional tests exclude the ambiguity in the final result. In the considered example, the combination "01" followed by the input combination "00" identifies the fourth and seventh units as possible places of violation, and also corresponds to the state without violations. Carrying out the test combinations "00" and "11" from the set of states zero, four and seven, state seven is singled out if "000" is obtained; to choose between the zero and fourth states, the test combination "11" can be used: obtaining "011" corresponds to the working zero state, and "100" to a violation in the fourth unit. Such a task is not single-valued. Other combinatorial tasks are also possible, which allow increasing the resolution of the test or the reliability of the final solution.
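Added example (not the paper's code) of the deterministic model described in the example section and used in the discussion above: a management structure of units of single-input, conjunctive and disjunctive type, an intruder modelled as the unacceptable (inverted) reaction of one unit, the resulting table of syndromes, and the test tasks of localizing the intruder with a sequence of input combinations. The structure (seven units, two control inputs, three performing outputs, with units 3 and 7 conjunctive and unit 4 disjunctive) and all names are assumed for the example and do not reproduce Figure 9.

```python
from itertools import product

# Hypothetical management structure (assumed here, not the paper's Figure 9):
# inputs x1, x2; seven units; performing outputs y1..y3 taken from units 5, 6, 7.
# 'single' passes its one input on, 'ctu' is the conjunctive unit (AND),
# 'dtu' the disjunctive unit (OR). An intruder in a unit inverts its output.
UNITS = {                      # in topological order
    1: ("single", ["x1"]),
    2: ("single", ["x2"]),
    3: ("ctu", [1, 2]),
    4: ("dtu", [1, 2]),
    5: ("single", [3]),        # -> y1
    6: ("single", [4]),        # -> y2
    7: ("ctu", [3, 4]),        # -> y3
}
OUTPUTS = [5, 6, 7]
STATES = [0] + sorted(UNITS)   # 0 = no intruder, k = intruder in unit k
PATTERNS = ["00", "01", "10", "11"]

def evaluate(pattern, intruder=0):
    """Output syndrome 'y1y2y3' for input pattern 'x1x2' and intruder state."""
    value = {"x1": int(pattern[0]), "x2": int(pattern[1])}
    for uid, (kind, srcs) in UNITS.items():
        ins = [value[s] for s in srcs]
        if kind == "single":
            out = ins[0]
        elif kind == "ctu":
            out = int(all(ins))
        else:
            out = int(any(ins))
        value[uid] = out ^ 1 if uid == intruder else out  # unacceptable reaction
    return "".join(str(value[u]) for u in OUTPUTS)

def syndrome_table():
    """{pattern: {syndrome: [states producing it]}}, the table of syndromes."""
    table = {p: {} for p in PATTERNS}
    for p in PATTERNS:
        for s in STATES:
            table[p].setdefault(evaluate(p, s), []).append(s)
    return table

def localize(tests):
    """Partition states by syndrome sequence; one class = not distinguishable."""
    classes = {}
    for s in STATES:
        classes.setdefault(tuple(evaluate(p, s) for p in tests), []).append(s)
    return sorted(classes.values())

def shortest_full_test(max_len=4):
    """First test sequence (in enumeration order) that isolates every state."""
    for n in range(1, max_len + 1):
        for seq in product(PATTERNS, repeat=n):
            if all(len(c) == 1 for c in localize(seq)):
                return list(seq)
```

In this structure a single input combination never isolates every state, and the intruder in unit 3 cannot be told from one in unit 5 by "00" alone, since unit 5 simply forwards the output of unit 3 to y1; three steps are needed to localize any single intruder.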
If the violations are random in nature, the task acquires a probabilistic meaning and its solutions are possible only with the use of appropriate stochastic approaches. Here the degree of confidence of the marker in position p_j is d_j. After triggering, if μ > τ, the marker is transferred from position p_j to position p_k and its degree of confidence becomes d_k = d_j × w × μ.

Modeling of the fuzzy hierarchical petri nets
The transition of the marker to a particular position is, however, fuzzy. To trigger a transition of this type, it is necessary to use mathematical modeling of probabilistic inference based on max-min logic, Bayes theory, or Dempster-Shafer theory.
According to the theory of fuzzy inference using a max-min model, the inference process is as follows. First, a fuzzy relation representing the knowledge output is determined through the operations max and min.
The relation U is calculated according to the formula and can be obtained in the form:
When constructing a system using a modified Petri net, the following advantages can be distinguished:
- a description using the rules and properties of Petri nets;
- no need for inverted transitions;
- clarity of presentation of events;
- the simultaneous introduction of markers into inverse events is not allowed, which, when modeling critical processes, eliminates the error of an incorrect marking process;
- the opportunity to obtain new conditions that can lead to negative outcomes of critical systems.
Based on the results of the matrix representation of the process of fuzzy inference of knowledge according to the composition rule, which reduces risks, the construction of a fuzzy Petri net with transitions max and min is demonstrated. For a fuzzy Petri net, the mathematical apparatus of analysis known for classical Petri nets is difficult to apply. The transition from fuzzy Petri nets to classical ones will make it possible to realize fuzzy knowledge output on them, to solve the problems of analyzing the output process, which is important in diagnostic tasks, and to solve the problems of constructing an element base oriented to knowledge output in fuzzy machines.
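Added example (not the paper's code) of the firing rule stated above, d_k = d_j × w × μ applied when μ > τ, in a small fuzzy Petri net; the combination of several input positions by min and of several transitions into one position by max follows the max-min inference mentioned above and is an assumption, as is the transfer (removal) of the input markers, the scenario of the command passage and all names.

```python
from dataclasses import dataclass, field
# Added example (not the paper's code): a small fuzzy Petri net using the
# firing rule from the text, d_k = d_j * w * mu, applied only when mu > tau.
# Assumed beyond the text: a transition with several input positions takes
# the min of their confidences (fuzzy AND), a position reached by several
# transitions keeps the max (fuzzy OR), and firing transfers the markers.
@dataclass
class Transition:
    name: str
    inputs: list        # input positions p_j
    output: str         # output position p_k
    mu: float           # certainty of the transition
    w: float = 1.0      # weight of the arc p_j -> p_k
    tau: float = 0.0    # threshold: fires only when mu > tau

@dataclass
class FuzzyPetriNet:
    transitions: list
    marking: dict = field(default_factory=dict)  # position -> confidence d

    def enabled(self, t):
        """Enabled when mu > tau and every input position carries a marker."""
        return t.mu > t.tau and all(p in self.marking for p in t.inputs)

    def fire(self, t):
        """Transfer the markers through t and return the new confidence d_k."""
        d_j = min(self.marking.pop(p) for p in t.inputs)   # fuzzy AND (assumed)
        d_k = d_j * t.w * t.mu
        self.marking[t.output] = max(self.marking.get(t.output, 0.0), d_k)
        return d_k

    def run(self, max_steps=100):
        """Fire enabled transitions in list order until none is enabled."""
        for _ in range(max_steps):
            t = next((t for t in self.transitions if self.enabled(t)), None)
            if t is None:
                break
            self.fire(t)
        return dict(self.marking)

# Constructed scenario (assumed): conditions of the command passage from the
# control link through the operator link to the executing link.
NET = [
    Transition("t1", ["command_formed", "operator_fit"], "command_transformed", 0.9),
    Transition("t2", ["command_transformed", "equipment_ok"], "command_delivered", 0.85),
    Transition("t3", ["command_formed"], "command_delayed", 0.3, tau=0.5),
]

def command_passage(d_command=1.0, d_operator=0.8, d_equipment=0.9):
    """Run the net from the given initial confidences; return the final marking."""
    net = FuzzyPetriNet(NET, {"command_formed": d_command,
                              "operator_fit": d_operator,
                              "equipment_ok": d_equipment})
    return net.run()
```

With the default confidences the "delayed" transition never fires because its certainty 0.3 does not exceed its threshold 0.5, and the delivered command carries d = 0.8 × 0.9 × 0.85 = 0.612.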