Institute for Software Integrated Systems Vanderbilt University Cyber Physical Systems: New Challenges for Model-based Design Janos Sztipanovits ISIS, Vanderbilt University From Embedded Systems to Cyber-Physical Systems: A Review of the State-of-the-Art and Research Needs CHESS Workshop April 21, 2008

package org.apache.tomcat.session; import org.apache.tomcat.core.*; import org.apache.tomcat.util.StringManager; import java.io.*; import java.net.*; import java.util.*; import javax.servlet.*; import javax.servlet.http.*; /** * Core implementation of a server session * James Duncan Davidson James Todd */ public class ServerSession { private StringManager sm = StringManager.getManager("org.apache.tomcat.session"); private Hashtable values = new Hashtable(); private Hashtable appSessions = new Hashtable(); private String id; private long creationTime = System.currentTimeMillis();; private long thisAccessTime = creationTime; private long lastAccessed = creationTime; private int inactiveInterval = -1; ServerSession(String id) { this.id = id; } public String getId() { return id; } public long getCreationTime() { return creationTime; } public long getLastAccessedTime() { return lastAccessed; } public ApplicationSession getApplicationSession(Context context, boolean create) { ApplicationSession appSession = (ApplicationSession)appSessions.get(context); if (appSession == null && create) { // XXX // sync to ensure valid? appSession = new ApplicationSession(id, this, context); appSessions.put(context, appSession); } // XXX // make sure that we haven't gone over the end of our // inactive interval -- if so, invalidate and create // a new appSession return appSession; } void removeApplicationSession(Context context) { appSessions.remove(context); } /** * Called by context when request comes in so that accesses and * inactivities can be dealt with accordingly. */ void accessed() { // set last accessed to thisAccessTime as it will be left over // from the previous access lastAccessed = thisAccessTime; thisAccessTime = System.currentTimeMillis(); } void validate() SoftwareControlSystems Abstraction Adjustable Integrative Precise Safe (analyzable) Integration Affordable Model-based (end-to-end) Manage heterogeneity better Automation Domain-specific tool chains, but Reusable infrastructure Embedded Systems Challenge Systems industry turns IT driven: Aerospace, Automotive, Process,.. Modeling Layer

Abstractions are linked through refinement relations. Abstraction layers allow the verification of different properties. Key Idea: Manage design complexity by creating layers of abstractions in the design flow. (Alberto Sangiovanni-Vincentelli) Platform mapping Software architecture defines the composition of functions such that a least fixed point exists and is unique. Hardware architecture defines a set of concurrent functional units, where the software architecture can be deployed. Platform mapping Behavior models define a set of timed automata with local clocks and broadcast. Models can be analyzed with TCTL. Abstraction layers define platforms. Platforms, Abstractions and Domain Specific Modeling Languages (DSML)

Key Idea: Capture intrinsic domain concepts with domain-specific modeling languages (DSML-s) and partition DSML-s into structural and behavioral semantics. The behavioral semantics defines what the structures do. The structural semantics excludes semantically meaningless models. No operator was provided for composition of values, so this merge model is semantically meaningless in this domain. The structural semantics views a model as a structure, and provides a means for calculating which structures are well-formed. Model-Integrated Computing

GME, the metaprogrammable modeling tool of ISIS, supports rapid construction of metamodels and DSML models. MetaGME metamodel of simple statecharts Model-editor generated from metamodel Basic metamodeling notation: UML Class Diagram + OCL Abstract syntax of DSML-s are defined by metamodels. Metamodeling languages provide structural semantics. Specification of Structural Semantics of DSML-s Metamodels define the structural semantics of DSML-s: OCL Constraints: self.transTo->forAll(s | s <> self) A metamodeling language is one of the DSML-s: the same tool can be used for modeling and metamodeling.

C++ coding permits complex behavioral semantics, but the “specifications” are cluttered with C++ details. Behavioral semantics are defined with model transformations and semantic anchoring. Graph transformations provide a transparent mechanism to attach semantics. However, not all behavioral semantics ca be specified this way. Semantic anchoring with ASM captures the best of both worlds: Simple graph transformations and simple behavioral specifications. Specification of Behavioral Semantics of DSML-s

Lessons Learned: Metaprogrammable Tools -Model-based development is practical! -Domain specific abstractions are not only desirable; they are affordable -DSML-s are not programming languages GME UDM GReAT Best of Breed Modeling Tools Simulators Verifiers Model Checkers Meta Models Generic Model Editor (GME) Open Tool Integration Framework Model Transformation Model Management OTIF DESERT Component Abstraction (T A ) Design Space Modeling (M D ) Design Space Encoding (T E ) Design Space Pruning Design Decoding Component Reconstruction Design Space Exploration MIC Tool Suite

Lessons Learned: Transitioning  Researchers partnering with End Users with real stake and new challenges  Working model for managing proprietary issues (Open Source, Gated Source)  Repository is active, live, quality controlled (and costs money to operate)  Creates future market for tool vendors. Example: Microsoft Software Factories (health care, web services) MathWorks interactions  NEW TRANSITIONIN MODEL IS ESSENTIAL IF WE EXPECT RAPID AND SUBSTANTIAL IMPACT Research groups ESCHER Institute Boeing, GM Raytheon A small scale experiment with potentially large impact that works: ESCHER Non-profit Universities IR&D FCS DDX C2W Repository funding criteria maturation High quality tools & SW emphasis

New Challenges: Cyber Physical Systems package org.apache.tomcat.session; import org.apache.tomcat.core.*; import org.apache.tomcat.util.StringManager; import java.io.*; import java.net.*; import java.util.*; import javax.servlet.*; import javax.servlet.http.*; /** * Core implementation of a server session * James Duncan Davidson James Todd */ public class ServerSession { private StringManager sm = StringManager.getManager("org.apache.tomcat.session"); private Hashtable values = new Hashtable(); private Hashtable appSessions = new Hashtable(); private String id; private long creationTime = System.currentTimeMillis();; private long thisAccessTime = creationTime; private long lastAccessed = creationTime; private int inactiveInterval = -1; ServerSession(String id) { this.id = id; } public String getId() { return id; } public long getCreationTime() { return creationTime; } public long getLastAccessedTime() { return lastAccessed; } public ApplicationSession getApplicationSession(Context context, boolean create) { ApplicationSession appSession = (ApplicationSession)appSessions.get(context); if (appSession == null && create) { // XXX // sync to ensure valid? appSession = new ApplicationSession(id, this, context); appSessions.put(context, appSession); } // XXX // make sure that we haven't gone over the end of our // inactive interval -- if so, invalidate and create // a new appSession return appSession; } void removeApplicationSession(Context context) { appSessions.remove(context); } /** * Called by context when request comes in so that accesses and * inactivities can be dealt with accordingly. */ void accessed() { // set last accessed to thisAccessTime as it will be left over // from the previous access lastAccessed = thisAccessTime; thisAccessTime = System.currentTimeMillis(); } void validate() SoftwareControlSystems Abstraction Adjustable Integrative Safe Precise Integration Affordable Model-based (end-to-end) Manage heterogeneity better Automation Domain-specific tool chains, but Reusable infrastructure Systems industry turns IT driven: Aerospace, Automotive, Process,.. package org.apache.tomcat.session; import org.apache.tomcat.core.*; import org.apache.tomcat.util.StringManager; import java.io.*; import java.net.*; import java.util.*; import javax.servlet.*; import javax.servlet.http.*; /** * Core implementation of a server session * James Duncan Davidson James Todd */ public class ServerSession { private StringManager sm = StringManager.getManager("org.apache.tomcat.session"); private Hashtable values = new Hashtable(); private Hashtable appSessions = new Hashtable(); private String id; private long creationTime = System.currentTimeMillis();; private long thisAccessTime = creationTime; private long lastAccessed = creationTime; private int inactiveInterval = -1; ServerSession(String id) { this.id = id; } public String getId() { return id; } public long getCreationTime() { return creationTime; } public long getLastAccessedTime() { return lastAccessed; } public ApplicationSession getApplicationSession(Context context, boolean create) { ApplicationSession appSession = (ApplicationSession)appSessions.get(context); if (appSession == null && create) { // XXX // sync to ensure valid? appSession = new ApplicationSession(id, this, context); appSessions.put(context, appSession); } // XXX // make sure that we haven't gone over the end of our // inactive interval -- if so, invalidate and create // a new appSession return appSession; } void removeApplicationSession(Context context) { appSessions.remove(context); } /** * Called by context when request comes in so that accesses and * inactivities can be dealt with accordingly. */ void accessed() { // set last accessed to thisAccessTime as it will be left over // from the previous access lastAccessed = thisAccessTime; thisAccessTime = System.currentTimeMillis(); } void validate() Modeling Layer

New Challenges: Cyber Physical Systems package org.apache.tomcat.session; import org.apache.tomcat.core.*; import org.apache.tomcat.util.StringManager; import java.io.*; import java.net.*; import java.util.*; import javax.servlet.*; import javax.servlet.http.*; /** * Core implementation of a server session * James Duncan Davidson James Todd */ public class ServerSession { private StringManager sm = StringManager.getManager("org.apache.tomcat.session"); private Hashtable values = new Hashtable(); private Hashtable appSessions = new Hashtable(); private String id; private long creationTime = System.currentTimeMillis();; private long thisAccessTime = creationTime; private long lastAccessed = creationTime; private int inactiveInterval = -1; ServerSession(String id) { this.id = id; } public String getId() { return id; } public long getCreationTime() { return creationTime; } public long getLastAccessedTime() { return lastAccessed; } public ApplicationSession getApplicationSession(Context context, boolean create) { ApplicationSession appSession = (ApplicationSession)appSessions.get(context); if (appSession == null && create) { // XXX // sync to ensure valid? appSession = new ApplicationSession(id, this, context); appSessions.put(context, appSession); } // XXX // make sure that we haven't gone over the end of our // inactive interval -- if so, invalidate and create // a new appSession return appSession; } void removeApplicationSession(Context context) { appSessions.remove(context); } /** * Called by context when request comes in so that accesses and * inactivities can be dealt with accordingly. */ void accessed() { // set last accessed to thisAccessTime as it will be left over // from the previous access lastAccessed = thisAccessTime; thisAccessTime = System.currentTimeMillis(); } void validate() SoftwareControl Systems Modeling Layer Systems industry builds CPS: Aerospace, Automotive, Process,.. CPS - Integrated Modeling Discipline Security It is not possible to identify whether behavioral attributes are the result of computations (computer programs), physical laws, or both working together; Functionality and salient system characteristics are emerging through the interaction of physical and computational objects.

CPS and Model-Based Design  Model-Based Methods will drive the progress in CPS technology  Major advancements are needed in:  Composition theory  Certification and high confidence design  Secure systems design  System Integration  Design automation  Education  New application domains will emerge rapidly  Model-based system integration  Architecture exploration  Resilient systems DSML/ MetaM. Model Transf. V&V Model Mgmnt Tool Comp. New Abstractions   Semantic foundations  Composition platforms for Heterogeneity  Predictability under limited compositionality  Foundation for System Integration Compositional Certification  Agile Design Automation Open Architectures  Reliable systems from unreliable Components  Resiliency against Cyber Attacks

Example: System-of-System Engineering

Tool Chain for Architecture Exploration in FCS Component Adapters System Model Segment ADeVS, IONS RELEX Excel Rose CAT file IDD GReAT Transform System Integration C++ ______ IDL ______ Runtime Glue (Deployed) System Integration Test Harness C++ ______ IDL ______ Integration Laboratory Tools GReAT Transform XML ______ FCS Program: Boeing – Vanderbilt/ISIS

Risk Mitigation: Surrogate Modeling and Synthesis BC Surrogate Component GME Component Models Code Generator Input Interfaces Output Interfaces Business Logic (Generated) System Of Systems Common Operating Environment BC Surrogate Component Code Generator Input Interfaces Output Interfaces Acquired Business Logic “Real” BC Component DeploymentInstance Topology Networks Interfaces, Business Logic Interfaces “Real” BC Component GME System Models

Human Controllers Mixed Initiative Controller Context Dep. Command Interpretation Adaptive Resource Allocation Data Distribution Network Coordination Decision Support HCI Abstract Commands Platform Commands Assigned Platform Commands Platform Status Model-Based Experiment Integration Environment: SSW Building a Software/System “Wind Tunnel” (SSW) Unmanned Sensor Platforms Issues to be studied experimentally: Distributed Command and Control – Synchronization and coordination – Distributed dynamic decision making – Network effects Information Sharing – Shared situation awareness – Common Operation Picture (COP) – Network effects AFOSR PRET Project: Vanderbilt-ISIS, Berkeley, GMU

SSW Integration Architecture: Simulation Components and Models Simulation Data Distribution/Communication Middleware Simulation Integration Platform (HLA) Distributed Simulation Platform Instrumentation Layer code DEVS Federate. OmNet++ Federate CPN Federate. OGRE Federate Simulink Federate Controller Models Network Models Org. Models Fusion Models Model Integration Layer “Virtual” Components Instrumentation Layer Experiment Specification & Configuration Run-time Models Env. Models

Model Integration Ogre Adaptive Human Organization Mixed Initiative Controller Context Dep. Command Interpretation Adaptive Resource Allocation Data Distribution Network Coordination Decision Support HCI Abstract Commands Platform Commands Assigned Platform Commands Platform Status COP Elements COP Elements COP Elements Model-Integrated System and Software Laboratory Environment: C2 Windtunnel CPN SL/SF Devs GME OMNET Organization/Coordination Controller/Vehicle Dynamics Processing (Tracking) 3-D Environment (Sensors) Simulation Interaction Simulation Architecture Network Architecture SL/SF GME

Summary  CPS-s represent the coming new age in systems design  The required technology changes are profound – go way beyond the reach of “multidisciplinary” approaches  Role of model-based methods and tools is  The impact on competitiveness is huge: CPS-s are the foundation for the systems industry