The Reliability Equation: Modeling Assumptions in Cyber-Physical Systems

Author: Denis Avetisyan

As cyber-physical systems become more complex, clearly defining the underlying assumptions and guarantees is crucial for ensuring safe and dependable operation.

Assumption tags frequently co-occur with guarantee tags, with the height of each bar indicating the total number of assumptions linked to a specific guarantee.

This review surveys current practices in specifying assumptions and guarantees for cyber-physical systems, identifying gaps in modeling sensing, perception, and uncertainty, and proposing guidelines for improved reporting and benchmarking.

Despite the increasing demand for formally verified cyber-physical systems, the underlying assumptions enabling these guarantees remain surprisingly underspecified. This paper, ‘What Does It Take to Get Guarantees? Systematizing Assumptions in Cyber-Physical Systems’, presents a systematic survey of 104 papers to reveal prevalent trends and critical gaps in how assumptions are defined and linked to assurances. Our analysis of 423 assumptions and 321 guarantees highlights particular deficiencies in modeling sensing, perception, and uncertainty-areas crucial for robust system behavior. Addressing these gaps is essential for building truly trustworthy CPS; can improved reporting and standardized benchmarking of assumptions accelerate progress towards reliable guarantees?

The Shifting Foundations of System Assurance

Contemporary cyber-physical systems are no longer evaluated solely on how fast they operate, but rather on what they definitively will do, even under challenging conditions. This shift necessitates a move beyond traditional performance metrics-like throughput or latency-towards formal guarantees about system behavior. Critical applications, such as autonomous vehicles or medical devices, demand assurances that safety protocols will be upheld, deadlines will be met, and operational boundaries will not be breached. These guarantees aren’t simply desirable; they are becoming essential for establishing trust, ensuring regulatory compliance, and enabling wider adoption of increasingly complex technologies. Consequently, research and development efforts are heavily focused on creating systems that provide provable, rather than merely probable, correctness.

Any assertion of system correctness, however meticulously proven, is ultimately conditional. Guarantees concerning a cyber-physical system’s behavior – whether related to safety, security, or timeliness – are not absolute truths, but rather hold true only within a specific context defined by a set of underlying assumptions. These assumptions, which can range from predictable network latency to limitations on environmental temperature or the absence of specific adversarial attacks, represent the boundaries of a guarantee’s validity. A system rigorously proven safe under the assumption of a benign operating environment may fail catastrophically when exposed to unexpected conditions, underscoring that the strength of a guarantee is inextricably linked to the accuracy and completeness of its associated assumptions.

A comprehensive survey of 104 Cyber-Physical Systems (CPS) research papers revealed a substantial volume of both guarantees and the underlying assumptions upon which they depend – 321 guarantees were identified alongside 423 distinct assumptions. This disparity underscores a critical issue within the field: the frequent lack of explicit and rigorous definition for these foundational assumptions. The study demonstrates that even mathematically robust guarantees become effectively useless if the conditions under which they hold are not clearly articulated and, crucially, validated against the intended operational environment. This necessitates a shift towards prioritizing assumption definition as a core component of CPS design and verification, ensuring that promised system behaviors are genuinely reliable and trustworthy in practice.

The composition of assumption tags varies depending on the guarantee being supported, as shown by the percent-normalized co-occurrence patterns.

The Necessity of Abstraction, and its Limits

Complex systems are frequently represented by simplified abstractions, or models, to enable formal verification and guarantee provision. This simplification is a necessary step because directly reasoning about the full complexity of a real-world system is computationally intractable. Models focus on essential features relevant to the desired guarantee, intentionally omitting details considered inconsequential for that specific property. The creation of a model therefore involves a deliberate reduction in system fidelity, allowing for manageable analysis and the formulation of provable statements about system behavior, despite representing an approximation of reality.

System abstraction, the practice of creating simplified representations of complex systems, inherently relies on modeling assumptions. These assumptions, which define the scope and limitations of the model, directly influence its fidelity – the degree to which the model accurately reflects the behavior of the real system. Consequently, the strength of any guarantee derived from the model is bounded by the validity of these underlying assumptions; a model built on inaccurate or incomplete assumptions will yield guarantees that may not hold in the actual system. The impact of these modeling assumptions is significant, as they constituted 53.8% of all assumptions identified in a recent survey of system specifications, highlighting their central role in the process of formal verification and system design.

Model validity, defined as the degree to which a model accurately reflects the real system, is a critical component of formal verification. Alongside any guarantee derived from a model, a rigorous assessment of its validity is essential to understand the limitations of that guarantee. Our research highlights the prevalence of modeling assumptions; these assumptions comprised 53.8% of all assumptions identified in a comprehensive survey of system specifications. This dominance underscores the necessity of explicitly documenting and evaluating these assumptions to determine the scope and reliability of any formally verified property.

Analysis of 2,299 language feature instances reveals the frequency with which different features are used to formalize assumptions.

Perception as Interpretation: The Role of Interface Assumptions

Perception in any interactive system fundamentally depends on sensing, the process of acquiring data about the environment. However, raw sensor data is rarely directly usable; systems operate based on interface assumptions that predefine the expected characteristics of this data. These assumptions encompass data type, range, units, noise levels, and the relationship between sensor readings and real-world phenomena. For example, a temperature sensor might be assumed to return values in Celsius with a precision of 0.1 degrees, or a distance sensor might assume a linear relationship between the measured time-of-flight and the actual distance to an object. Without clearly defined interface assumptions, the system lacks the necessary framework to correctly interpret the incoming data stream and build a coherent representation of its surroundings.

A system’s interpretation of raw sensor data is fundamentally determined by pre-defined interface assumptions. These assumptions establish expected data types, ranges, units, and formats, effectively creating a model of how the sensed environment should manifest in the received data. This process translates physical phenomena – like light intensity or temperature – into quantifiable values the system can process. Consequently, the system doesn’t directly perceive “reality,” but rather constructs a perception based on these interpreted values, constrained by the initial interface assumptions. Any deviation between the assumed data characteristics and the actual sensed data will directly impact the fidelity of the resulting perception and subsequent system behavior.

Perceptual accuracy is fundamentally dependent on the correctness of underlying interface assumptions made by a sensing system. If a system assumes a linear relationship between sensor input and a physical property, but that relationship is non-linear, the resulting perception will be skewed. Similarly, assumptions regarding noise levels, data ranges, or environmental conditions-such as temperature or lighting-directly impact interpretation. Invalid assumptions introduce systematic errors into the perceived data, leading to flawed reasoning in subsequent processing stages. This can compromise the reliability of any guarantees the system provides, particularly in critical applications where accurate perception is paramount, and potentially result in incorrect actions or decisions based on the misrepresented reality.

From Correctness to Robustness: Strengthening System Guarantees

Formal verification employs techniques based on mathematical logic to establish the correctness of a system. This involves constructing a formal model of the system – a precise, unambiguous representation of its components and behavior – and then using logical reasoning, such as theorem proving or model checking, to demonstrate that the model satisfies a specified set of properties. These properties, expressed as logical statements, define the desired behavior of the system, and verification aims to prove that the system will always adhere to these properties under all possible conditions. Unlike testing, which can only reveal the presence of errors with limited coverage, formal verification aims for complete assurance, providing a mathematically sound guarantee of system behavior, though this often comes at the cost of increased development effort and computational resources.

While formal verification often centers on proving the correctness of a system-that it behaves as specified-robustness is a parallel and essential consideration. Robustness defines a system’s ability to maintain acceptable performance levels when subjected to disturbances, such as sensor noise, actuator imprecision, or unexpected environmental factors. Unlike correctness, which focuses on whether a system ever violates its specifications, robustness concerns how much a system can deviate from ideal behavior without failing to meet its objectives. Evaluating robustness typically involves analyzing system behavior across a range of possible disturbance magnitudes and characterizing the resulting performance degradation, often expressed as bounds on error or deviation from nominal values.

Formal verification of Cyber-Physical Systems (CPS) centers on establishing guarantees regarding system behavior, with both safety and feasibility being primary concerns. Safety guarantees the absence of unsafe states – conditions that could lead to system failure or harm – while feasibility proves that a solution meeting specified requirements exists. Analysis of guarantees identified in a recent survey reveals that safety properties are a dominant focus, comprising 27% of all verified properties; this suggests that ensuring the absence of hazards is a key design priority in the development of CPS. Establishing both safety and feasibility through formal methods provides a rigorous foundation for building reliable and predictable systems.

The Genesis of Trust: Initial States and the Importance of Data

A system’s initial condition represents a foundational premise upon which all future states and behaviors are predicated; therefore, its accurate definition is paramount to establishing validity. Any deviation from the true initial state introduces a cascading error, potentially rendering subsequent analyses or predictions unreliable. Consider a climate model, for instance: specifying the atmospheric composition, temperature distribution, and ocean currents at a given point in time forms its starting point. If these initial parameters are inaccurately defined – perhaps due to limited historical data or simplifying assumptions – the model’s projections of future climate change will be correspondingly flawed. This principle extends beyond computational models; even physical systems, like a chemical reaction or a mechanical device, are wholly dependent on their precisely defined starting conditions to behave as expected. Establishing a valid initial state isn’t simply a technical detail; it’s the bedrock of any meaningful system analysis and a critical step in ensuring the reliability of its outcomes.

The reliability of any system hinges on the quality of data used to define its understanding of the world. A system trained on biased or incomplete data will inevitably form inaccurate assumptions about its operating environment, leading to flawed predictions and potentially harmful actions. For example, an autonomous vehicle learning to navigate streets solely from daytime images may struggle – or fail entirely – to interpret conditions at night or during inclement weather. Similarly, a medical diagnosis algorithm trained on data primarily from one demographic group may exhibit significant inaccuracies when applied to patients from different backgrounds. Therefore, meticulous attention to data collection methodologies – encompassing source diversity, sample size, and mitigation of inherent biases – is not merely a technical detail, but a foundational requirement for establishing trustworthy and robust artificial intelligence.

The dependability of any complex system hinges on a thorough understanding of its genesis – both the starting point and the information used to shape it. Establishing robust guarantees requires meticulous attention to initial conditions, as even slight inaccuracies can propagate and amplify throughout a system’s operation. Simultaneously, the data collection process acts as the foundation upon which these systems learn and adapt; biased or incomplete data inevitably leads to flawed assumptions about the environment. Consequently, a system’s resilience isn’t simply a matter of complex algorithms, but rather a direct result of carefully curated data and a well-defined starting state, allowing for more predictable behavior and increased confidence in its long-term reliability. By prioritizing these foundational elements, developers can move beyond mere functionality and construct systems capable of consistently delivering trustworthy results.

The pursuit of guarantees in cyber-physical systems, as detailed in the study, often leads to elaborate constructions built upon unstated, or poorly defined, assumptions. It’s a familiar pattern; systems grow complex not from necessity, but from a reluctance to admit what isn’t known. As Richard Feynman observed, “The first principle is that you must not fool yourself – and you are the easiest person to fool.” This resonates deeply with the paper’s central argument regarding the need for explicit modeling of uncertainty. The tendency to obscure foundational limitations with layers of abstraction-they called it a framework to hide the panic- ultimately undermines the very assurance these systems seek to provide. A clear articulation of what isn’t guaranteed is as vital as detailing what is.

What Remains?

The systematization of assumptions in cyber-physical systems-a worthwhile endeavor. This work illuminates a consistent, if predictable, lacuna: the implicit treatment of sensing, perception, and inherent uncertainty. Systems are guaranteed only relative to assumptions; the current practice often obscures the cost of those assumptions. Clarity is the minimum viable kindness.

Future effort must address this asymmetry. Benchmarking, beyond functional correctness, requires the explicit modeling of sensor fidelity, perceptual limitations, and the quantifiable impact of noise. The field gravitates toward complexity; a counter-movement, focused on minimal sufficient models, would be beneficial.

Formal verification, while powerful, is not a panacea. The focus should shift toward rigorous documentation of what is assumed, not merely that something is assumed. The goal is not perfection-an asymptotic limit-but demonstrable awareness of the boundaries of any guarantee.

Original article: https://arxiv.org/pdf/2511.15952.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/