MODEL-INTEGRATED DESIGN IN SOFTWARE, SYSTEMS AND …

Institute for Software Integrated SystemsVanderbilt University

MODEL-INTEGRATED DESIGN IN SOFTWARE, SYSTEMS AND CONTROL

ENGINEERING

Janos SztipanovitsISIS, Vanderbilt University

ISIS

Established by the School ofEstablished by the School of Engineering of Vanderbilt University in 1998 A d i / f i l hAcademic/professional researchorganization Personnel:

- 38 Research Scientists & Staff Engineers

- 7 Faculty (EECS)7 Faculty (EECS)- 6 Admin Staff- 50+ Graduate students

2

Overview

Cyber-Physical Systems (CPS)Model-Based DesignModel-Based Design

Structural SemanticsBehavioral Semantics

ConvergenceTowards Agile Design Automationg gTowards Composition in Heterogeneous SystemsExamples

Summary

Overview




Summary

Trends in Systems IndustrySectors Opportunities

Aircraft that fly faster and further on less energy. Air traffic control systems that make more efficient se of

Transportationthat make more efficient use of airspace.Automobiles that are more capable and safer but use less energy.

More capable defense systems; defense systems that make better use of networked fleets of autonomousDefense of networked fleets of autonomous vehicles.

New and renewable energy sourcesBoston Dynamics: BigDog

Energy and Industrial

A t ti

New and renewable energy sources. Homes, office, buildings and vehicles that are more energy efficient and cheaper to operate.

Automation

What Are the Drivers of These Trends?

Networking and Information Technology (NIT) h b i i l d i lhave been increasingly used as universal system integrator in human – scale and societal – scale systemssystemsFunctionality and salient system characteristics emerge through the interaction of networkedemerge through the interaction of networked physical and computational objectsEngineered products turn into Cyber-PhysicalEngineered products turn into Cyber Physical Systems (CPS): networked interaction of physical and computational processes

Why Is CPS Significant?

The share of value of embedded computing components in p g pdifferent industries:

2003 2009

Automotive and airspace systems 52% 56%Aerospace 52% 54%Health/Medical equipment 50% 52%I d t i l t ti 43% 48%Industrial automation 43% 48%Telecommunications 56% 58%Consumer electronics and Intelligent Homes 60% 62%Intelligent Homes 60% 62%

Source: “Study of Worldwide Trends and R&D Programmes in Embedded Systems in View of Maximising the

7

Impact of a Technology Platform in the Area” EU Commission, 2005

Why is CPS Hard?

Control SystemsSoftwareNetwork

package org.apache.tomcat.session;

import org.apache.tomcat.core.*;import org.apache.tomcat.util.StringManager;

import java.io.*;import java.net.*;import java.util.*;

import javax.servlet.*;import javax.servlet.http.*;

/*** Core implementation of a server session

** @author James Duncan Davidson [[email protected]]

* @author James Todd [[email protected]]*/

public class ServerSession {

private StringManager sm =StringManager.getManager("org.apache.tomcat.session");

private Hashtable values = new Hashtable();private Hashtable appSessions = new Hashtable();

private String id;private long creationTime = System.currentTimeMillis();;

private long thisAccessTime = creationTime;private long lastAccessed = creationTime;

private int inactiveInterval = -1;

ServerSession(String id) {this.id = id;

}

public String getId() {return id;

}

public long getCreationTime() {return creationTime;

}

public long getLastAccessedTime() {return lastAccessed;

}

public ApplicationSession getApplicationSession(Context context,boolean create) {

ApplicationSession appSession =(ApplicationSession)appSessions.get(context);

if (appSession == null && create) {

// XXX// sync to ensure valid?

appSession = new ApplicationSession(id, this, context);appSessions.put(context, appSession);

}

// XXX// make sure that we haven't gone over the end of our// inactive interval -- if so, invalidate and create

// a new appSession

return appSession;}

void removeApplicationSession(Context context) {appSessions.remove(context);

}

/*** Called by context when request comes in so that accesses and

* inactivities can be dealt with accordingly.*/

void accessed() {// set last accessed to thisAccessTime as it will be left over

// from the previous access

lastAccessed = thisAccessTime;thisAccessTime = System currentTimeMillis();thisAccessTime = System.currentTimeMillis();

}

void validate()

Crosses Interdisciplinary Boundaries

• Disciplinary boundaries need to be realigned• New fundamentals need to be created• New technologies and tools need to be developed

8

New technologies and tools need to be developed• Education need to be restructured

Foundation for Convergence: Model-Based Design

Control SystemsSoftwareNetwork

package org.apache.tomcat.session;

import org.apache.tomcat.core.*;import org.apache.tomcat.util.StringManager;

import java.io.*;import java.net.*;import java.util.*;

import javax.servlet.*;import javax.servlet.http.*;

/*** Core implementation of a server session

** @author James Duncan Davidson [[email protected]]

* @author James Todd [[email protected]]*/

public class ServerSession {

private StringManager sm =StringManager.getManager("org.apache.tomcat.session");

private Hashtable values = new Hashtable();private Hashtable appSessions = new Hashtable();

private String id;private long creationTime = System.currentTimeMillis();;

private long thisAccessTime = creationTime;private long lastAccessed = creationTime;

private int inactiveInterval = -1;

ServerSession(String id) {this.id = id;

}

public String getId() {return id;

}

public long getCreationTime() {return creationTime;

}

public long getLastAccessedTime() {return lastAccessed;

}

public ApplicationSession getApplicationSession(Context context,boolean create) {

ApplicationSession appSession =(ApplicationSession)appSessions.get(context);

if (appSession == null && create) {

// XXX// sync to ensure valid?

appSession = new ApplicationSession(id, this, context);appSessions.put(context, appSession);

}

// XXX// make sure that we haven't gone over the end of our// inactive interval -- if so, invalidate and create

// a new appSession

return appSession;}

void removeApplicationSession(Context context) {appSessions.remove(context);

}

/*** Called by context when request comes in so that accesses and

* inactivities can be dealt with accordingly.*/

void accessed() {// set last accessed to thisAccessTime as it will be left over

// from the previous access

lastAccessed = thisAccessTime;thisAccessTime = System currentTimeMillis();thisAccessTime = System.currentTimeMillis();

}

void validate()

Modeling LayerS t E i i M d l b d d i h b th t t f ti• Systems Engineering: Model-based design has been the state of practice

• Control Engineering: Wide acceptance (MathWorks Simulink/StateFlow)• Software Engineering: Increasing acceptance due to OMG’s MDA push and

wider availability of tool suites

9

wider availability of tool suites• Network Engineering: modeling networks in abstraction layers (TCP/IP),

research linking structural and behavioral properties

Overview




Summary

Define Domain-Specific Modeling Languages

Key Concept: Modeling languages define a set of well- formed models and their interpretations. The interpretations are mappings from one domain to another domain.

Abstract syntax of DSML-s are defined b d l by metamodels.

Basic metamodeling notation: UML Class Diagram + OCL

OCL Constraints:self.transTo->forAll(s | s <> self)

A metamodeling language is one of the DSML-s: the the DSML s: the same tool can be used for modeling and metamodeling.

Model-editor generated from metamodelMetaGME metamodel of simple statecharts

Use Precise Structural Semantics…

Key Concept: DSML syntax is understood as a constraint system that identifies behaviorally meaningful models. Structural semantics provides mathematical formalism

[ ]( )( ) { }

[ ]||,

,,,

Y

JiiY

CrRrCYD

CRYL

=∈=

= ∈

pfor interpreting models as well-formed structures.

Structural Semantics defines modeling domains using a mathematical structure This mathematical structure isY t f t

[ ] ': YY RR

a mathematical structure. This mathematical structure is the semantic domain of metamodeling languages.

Y: set of concepts, RY : set of possible

model realizationsC: set of constraints

R

Arguments for investigating structural semantics: • Conformance testing: Dx∈

over RYD(Y,C): domain of well-formed models[ ]: interpretations

Co o a ce test g• Non-emptiness checking: • DSML composing: • Model finding:

Transforming:

}{),( nilCYD ≠... '2121 DincludesDDDDD +∗

}|{ PsDsS =∈=YmXmmTm ∈∈= ;');('

Notes on the selected formalism: • Term algebra semantics extended with Logic Programming (LP)Jackson & Sztipanovits

• Transforming: YmXmmTm ∈∈= ;);(

Programming (LP)• Fragment of LP is equivalent to full first-order logic • Provide semantic domain for model transformations.

- EMSOFT 2006- MODELS 2007- SOSYM 2009

Example Application: Policy Aware Health Information Systems

Models of information flows, documents, agents, roles

Nurses should tag health questions

Models of privacy policies (HIPAA)

Definition of roles and permissions

G ∀p, q, s, m. inrole(p, nurse) ∧ send(p, q, m) ∧ contains(m, s, health-question) ⇒ tagged(m, s, health-question)

Definitionof people

Policy expressions

G ∀p, q, s, m. inrole(p, doctor) ∧ send(q, p, m) ∧ contains(m, s, health-question) ⇒ F ∃m’. send(p, s, m’)

∧ contains(m’, s, health-answer)

Doctors should answer health ques.

Definition of people and documents

Common Semantic DomainMitchell et al, 2006 Werner, Mathe

Sztipanovits, 2009

Semantic domain for policies and information models are matched: • structural constraints on models -> structural semantics

(these policies can be expressed in the context of models using OCLli d l t l t i t t b h i > b h i l ti + LTL

13

• policy models temporal constraints on system behavior -> behavioral semantics + LTL• the generated system controls information flows and monitors policy violations

Overview




Summary

Use Precise Behavioral Semantics

Given a DSML [ ]( ),,, JiiY CRYL = ∈

( ) { }[ ] ':

||,

YY

Y

RRCrRrCYD =∈=

Behavioral semantics will be defined by

[ ] YY

yspecifying the transformation between the DSML and a modeling language with behavioral

tisemantics.

Implicit Methods for Specifying Behavioral Semantics

Representation as AST

( ) { }CrRrCYD Y =∈= ||, Implicit

[ ]: RR

( ) { }Y ||,C++ Interpreter/Generator Graph rewriting rules

Implicit

[ ] ': YY RR

( ) { }[ ]

' '||',' Y

RRCrRrCYD =∈= Executable

ModelExecutable Code Executable

Specification[ ] ''': YY RR Model(Simulators)

p

Explicit Methods for Specifying Behavioral Semantics


( ) { }CrRrCYD Y =∈= ||, Explicit

[ ]: RR

( ) { }Y ||,C++ Interpreter/Generator Graph rewriting rules

Explicit

[ ] ': YY RR

( ) { }[ ]

' '||',' Y

RRCrRrCYD =∈= Executable

ModelExecutable Code Executable

Specification[ ] ''': YY RR Model(Simulators)

p

Specifying Behavioral Semantics With Semantic Anchoring


MIC-UDM

( ) { }CrRrCYD Y =∈= ||,

MIC-GME

[ ]: RR

( ) { }Y ||,Graph rewriting rules

MIC-GReAT[ ] ': YY RR MIC-GReAT

structure Event

eventType as String

class State

id as String

initial as Boolean

var active as Boolean = false

class Transition

id as String

abstract class FSM

id as String

React (e as Event) as Event?

step

let CS as State = GetCurrentState ()

step

let enabledTs as Set of Transition = {t | t in outTransitions (CS) where

e.eventType = triggerEventType(t)}

step

if Size (enabledTs) = 1 then

choose t in enabledTs

step

// WriteLine ("Execute transition: " + t.id)

CS.active := false

( ) { }[ ]

' '||',' Y

RRCrRrCYD =∈=

structure Event

eventType as String

class State

id as String

initial as Boolean

var active as Boolean = false

class Transition

id as String

abstract class FSM

React (e as Event) as Event?

step

let CS as State = GetCurrentState ()

step

let enabledTs as Set of Transition = {t | t in outTransitions (CS) where

e.eventType = triggerEventType(t)}

step

if Size (enabledTs) = 1 then

choose t in enabledTs

step

// WriteLine ("Execute transition: " + t.id)

i f l ASML

Abstract State Machine Formalism

id as String

abstract property states as Set of State

get

abstract property transitions as Set of Transition

get

abstract property outTransitions as Map of <State, Set of Transition>

get

abstract property dstState as Map of <Transition, State>

get

abstract property triggerEventType as Map of <Transition, String>

get

abstract property outputEventType as Map of <Transition, String>

step

dstState(t).active := true

step

if t in me.outputEventType then

return Event(outputEventType(t))

else

return null

else

if Size(enabledTs) > 1 then

error ("NON-DETERMINISM ERROR!")

else

return null

[ ] ''': YY RR id as String

abstract property states as Set of State

get

abstract property transitions as Set of Transition

get

abstract property outTransitions as Map of <State, Set of Transition>

get

abstract property dstState as Map of <Transition, State>

get

abstract property triggerEventType as Map of <Transition, String>

get

abstract property outputEventType as Map of <Transition, String>

CS.active := false

step

dstState(t).active := true

step

if t in me.outputEventType then

return Event(outputEventType(t))

else

return null

else

if Size(enabledTs) > 1 then

error ("NON-DETERMINISM ERROR!")

else

return null

Abstract Data Model Model Interpreter

ASML

Chen, Sztipanovits, Neema, DATE 2007

Status Report

Much work needs to be doneCompositionality and scalingBetter link between denotational and operational

happroachesApproachable formal framework (such as ASM, SLP, other?)SLP, other?)Probabilistic modelsDesign automation tools for composing DSMLsg p gTransitioning…

Overview




Summary

Model-Based Tool ChainsK Id U d l i d i ifi d i fl d

Domain Specific Design Automation E i t

Key Idea: Use models in domain-specific design flows and ensure that final design models are rich enough to enable production ofartifacts with sufficiently predictable properties.Impact: decoupling design technology from production technology

Domain-Specific Environments

Environments:• Automotive• Avionics• Sensors…

p p g g gy p gy

Design Requirements

Production Facilities

Tools:• Behavioral Sim.• Analysis

Requirements

y• Verification• Synthesis

doTransition (fsm as FSM, s as State, t as Transition) =require s.active step exitState (s)step if t.outputEvent <> null then

emitEvent (fsm, t.outputEvent)step activateState (fsm, t.dst)

Mathematical and physical foundations

Tool Chain CompositionK Id E f hi h l t l i d i ifiKey Idea: Ensure reuse of high-value tools in domain-specific design flows by introducing a metaprogrammable tool infrastructure.VU-ISIS implementation: Model Integrated Computing (MIC) tool suite

Domain Specific Design Automation E i t

Domain-Specific Environments

Environments:• Automotive• Avionics• Sensors…

Design Requirements

Production Facilities

MetaprogrammableTool Infrastructure

New

Requirements

Metaprogrammable Tools, Environments

• Model Building• Model Transform.• Model Mngmt• Tool IntegrationTool Integration

Semantic FoundationS l

doTransition (fsm as FSM, s as State, t as Transition) =require s.active step exitState (s)step if t.outputEvent <> null then

emitEvent (fsm, t.outputEvent)step activateState (fsm, t.dst)

Semantic FoundationComponent Libraries

• Structural• Behavioral

Tool Chain Example: VCPKey Idea: Use best-of-breed tools and multiple modeling languagesin design flows.Abstraction layers are

defined by DSML-sf sim l ti lysis Common Semantic Domain: Hybrid Automata

Abstract Syntax and Transformations: Meta-Models

Domain Models and Model Interchange:AIRES

Vehicle Control Platform (VCP)

of simulation, analysisAnd synthesis tools.

Design models are AIRESDesign models are refined, transformed and analyzed in thedesign flow.

ECSL-DPGME

SimulinkStateflow

SL/SF ECSL-DP

ECSL-DPMOML

Analysis tools are integrated in the

OSEK/

SL/S

FD

SE

ED

PC

integrated in thedesign flow bymodel transformationcomponents

DESERT OSEK/Code

Integration of VCPKey Idea: Integrate domain and tool specific models through metamodeling and model transformations. Abstraction layers are

defined by formally sp ifi d DSML s Common Semantic Domain: Hybrid Automata

AIRES

Abstract Syntax and Transformations: Meta-Models

AIRES

specified DSML-s.

Metamodels are used Domain Models and Tool Interchange Formats: Tool Chains AIRESVehicle Control Platform (VCP) Meta-Model

ECSL-DPAIF

Metamodels are used for expressing relationship among models used in theh d i fl

ECSL-DPGME

SimulinkStateflow

SL/SF ECSL-DP

ECSL-DPMOML

SL/SFMeta-Model

ECSL-DP Meta-Model

CANOESL/SFECSL-DP

ECSL-DPMOML

the design flow.

Models of model transformations

OSEK/

SL/S

FD

SE

ED

PC

DESERT SFC

ECSL-DPSFC

SL/SFDESERT

transformations specify the “glue” that connect analysis tools to the design flow.

DESERT OSEK/Code

DESERTMeta-Model

SFCMeta-Model

Integrated MIC Tool SuiteM d li

GME

ModelingDomain independent metaprogrammable tool base for domain

ifi d i fl

UDM

Model Data Management

Design Space Exploration

specific design flows

Application diversity of the MIC tool suite

MetaModels OTIF

TOOL TOOL TOOL

DESERTComponent

Abstraction (TA)Design SpaceModeling (MD)

Design SpaceEncoding (TE)

Design SpacePruning

Design Decoding

ComponentReconstruction

of the MIC tool suiteis huge:- Aerospace- Automotive

GR AT Open Tool Integration

BACKPLANE REGISTRATION/NOTIFICATION/TRANSFER SERVICES

SEMANTIC TRANSLATOR

SEMANTIC TRANSLATOR

TOOL

TOOL ADAPTOR

TOOL

TOOL ADAPTOR

TOOL

TOOL ADAPTOR MANAGER

Standard interface/ Protocol

METADATA

- Health InformationSystems- Networked system

integration GReAT Open Tool IntegrationFramework

integration- System security-….

Th MIC l i Model Transformation

ESCHER Quality Controlled Repository:http://escher.isis.vanderbilt.edu

The MIC tool suite has been evolving over 20 years

Status Report

Significant and sustained research effortU.S.: Berkeley (Ptolemy, Metropolis); CMU (Checkmate); Eclipse tools (IBM, many contributors); MIT (Alloy); UPenn (Charon); Vanderbilt (MIC)EU: Verimag (BIP); BUTE (VIATRA); TU ViennaEU: Verimag (BIP); BUTE (VIATRA); TU Vienna, OFFIS; TU Munich, …

Lack of major transitioning success in new j gdomains (DARPA’s Meta 2 program is a hope for breakthrough)Need for broadening application domains (medical, SoS,…)Need for significant scaling up model management tools

Overview




Summary

K Id M d i l it b ti

Model-Based DesignKey Idea: Manage design complexity by creating abstraction layers in the design flow.

Abstraction layers define platforms.

Physical Platform

Abstractions are linked through

Software Platform

mapping.

Abstraction layers allow the verification of different properties .

Computation/Communication Platform

Frameworks and Tools for High-Confidence Design of Adaptive,Distributed Embedded Control SystemsMURI Project; Vanderbilt – UC Berkeley, CMU and Stanford

Integration Inside AbstractionLayers: Composition

Plant DynamicsModels

Controller Models

Dynamics: • Properties: stability, safety, performance• Abstractions: continuous time, functions,

signals, flows,…Ph i l d i

1( ) ( ( ), ..., ( ))p jB t B t B tκ=

s g a s, o s,Physical design

SoftwareArchitecture

Models

Software Component

CodeS ft d i

Software : • Properties: deadlock, invariants,

security,…• Abstractions: logical-time concurrency

1( ) ( ( ), ..., ( ))c kB i B i B iκ=

Software design Abstractions: logical time, concurrency, atomicity, ideal communication,..

System Architecture

Models

ResourceManagement

Models

Systems : • Properties: timing, power, security, fault

toleranceAb t ti di t ti d l

1( ) ( ( ), ..., ( ))j p i k iB t B t B tκ=

System/Platform Design • Abstractions: discrete-time, delays, resources, scheduling,

Integration Across Abstraction Layers: Much Unsolved Problems

Plant DynamicsModels

Controller Models

Ph i l d i

Controller dynamics is developedwithout considering implementation uncertainties (e.g. word length, clock accuracy ) optimizing performancePhysical design accuracy ) optimizing performance.

Assumption: Effects of digital implementationcan be neglectedX

SoftwareArchitecture

Models

Software Component

Code

Software architecture models are developed without explicitly consideringsystems platform characteristics, eventhough key behavioral properties

Software design depend on it.

Assumption: Effects of platform properties can be neglectedX

System Architecture

Models

ResourceManagement

Models

System-level architecture defines implementation platform configuration. Scheduling, network uncertainties, etc. are introduce time variant delays that may

XSystem/Platform Design introduce time variant delays that may

require re-verification of key properties on all levels.

Challenge to Compositionality: Heterogeneity

Consequence of the lack of composability across system layers

intractable interactionsunpredictable system level behaviorfull-system verification does not scale

Active research: simplification strategiesDecoupling: Use design concepts thatdecouple systems layers for selectedproperties p pCross-layer Abstractions: Develop methods that can handle effects of cross-layer i t tiinteractions

K id P i i b d d i f k d

Physical layer: Passivity-based design

Key idea: Passivity-based design of networked control systems provides robustness to time-varying delaysvarying delays

Various mathematical definitionsA passive system only stores and dissipates energy but p y y p gycannot generate energy of its own

Passive systems interact in a stable manner When connected in either a parallel or negative feedbackWhen connected in either a parallel or negative feedback manner the overall system remains passive

Passive control theory applies to Linear and nonlinear systemsContinuous and discrete-time systems

Easier and safer to controlEasier and safer to controlIndependent joint PD controller for robotic manipulator Asymptotic stability for set-point tracking

Background on Passivity

Milestones:Wave digital filters (Fettweis, 70’s)Dissipative dynamical systems (Willems, 70’s)Resonator bank implementation structuresResonator-bank implementation structures (Peceli, 80’s)Teleoperation over the Internet (Niemmeyer, 04)p ( y )Power junctions (Kottenstette, Antsaklis, 08)

Work at ISIS:Design tool suite for high confidence systems (Eyisi, Hall, Hemingway, Porter, Karsai, Kottenstette Koutsoukos Sztipanovits)Kottenstette, Koutsoukos, Sztipanovits)

33

Illustration of Passive Dynamics

Experimental Setup Joint Angle and Reference

Two CrustCrawler robotic arms Time delay (Robot 2 and PJ)arms

4 DOF with AX-12 smart servos at each joint

Novint haptic paddleNovint haptic paddleFive networked Windows PCs with Matlab/Simulink

Status Report

Need to address more fundamentals:extending theories for decouplingdeveloping theory of compositionality among system layers (vertical composition)layers (vertical composition)extending compositionality for multiple properties, e.g. stability, safety and invariants

Early signs of increased attentionCPS research programs in US (NSF Center at V d bil /N D /U M l d S i fVanderbilt/Notre Dame/U. Maryland on Science of System Integration)New conference sequenceNew conference sequence

Overview




Summary

Example 1: System of System Integration

Future Combat System

Distributed DatabaseInformation LayerInteroperable

Standards-BasedOpen SoftwareArchitectureCommon Operating

PictureJoint CommonDatabase

Information ManagementInformation ManagementVehicle Applications Mission Applications Business Applications Administration Applications

Human Machine Interface /Machine-Machine Interface

lann

ing

& P

rep

Und

erst

andi

ngm

man

d

d Su

stai

nmen

t co

gniti

on

usio

n

d M

issi

on T

rain

ing

n n nage

men

t

ng ent

atio

n

anag

emen

ter

ver M

gtD

istr

ibut

ion

agem

ent

Upg

rade

nsta

ll

roub

lesh

oot

Vehicle Applications Mission Applications Business Applications Administration Applications

Human Machine Interface /Machine-Machine Interface

lann

ing

& P

rep

Und

erst

andi

ngm

man

d

d Su

stai

nmen

t co

gniti

on

usio

n

d M

issi

on T

rain

ing

n n nage

men

t

ng ent

atio

n

anag

emen

ter

ver M

gtD

istr

ibut

ion

agem

ent

Upg

rade

nsta

ll

roub

lesh

oot

• Heterogeneous

COP

Interoperableexport

HQESO

lann

ing

& Pr

ep

Und

erst

andi

ng

mt &

Exe

cutio

n

usio

n

cogn

ition

d Su

stai

nmen

t

d Tr

aini

ng

Warfighter Interface

DB Synchronization

InteroperabilityInteroperabilityFIOP

Foundation Infrastructure –(e.g, Network with: COMSEC Crypto Services, Mobility Enhancements, IP Network Appliqué's, )

Operating System

Operating System Abstraction Services

Network InfrastructureServices

SOS Framework ServicesCOTSNDI

SOS Operations ServicesInformation Assurance (IA) Network Mgt (NM) Information Dissemination Mgt (IDM)

Application Program Interfaces –Common Services

COTSNDI

Mis

sion

PS

ituat

ion

UB

attle

Com

Inte

grat

edTa

rget

Rec

Sen

sor

Fu

Em

bedd

ed

Nav

igat

ion

Con

trol

s

Pro

puls

ion

Hyd

raul

icE

lect

rical

Fuel

Sys

Hea

lth M

a

Eng

inee

rinP

rocu

rem

eFa

cilit

ies

Logi

stic

sP

erso

nnel

Tran

spor

ta

Dis

posa

l

Sys

tem

Ma

Rem

ote

SeS

oftw

are

D

Use

r Man

aS

oftw

are

US

oftw

are

I

Rem

ote

Tr

Foundation Infrastructure –(e.g, Network with: COMSEC Crypto Services, Mobility Enhancements, IP Network Appliqué's, )

Operating System

Operating System Abstraction Services

Network InfrastructureServices

SOS Framework ServicesCOTSNDI



Application Program Interfaces –Common Services

COTSNDI

Mis

sion

PS

ituat

ion

UB

attle

Com

Inte

grat

edTa

rget

Rec

Sen

sor

Fu

Em

bedd

ed

Nav

igat

ion

Con

trol

s

Pro

puls

ion

Hyd

raul

icE

lect

rical

Fuel

Sys

Hea

lth M

a

Eng

inee

rinP

rocu

rem

eFa

cilit

ies

Logi

stic

sP

erso

nnel

Tran

spor

ta

Dis

posa

l

Sys

tem

Ma

Rem

ote

SeS

oftw

are

D

Use

r Man

aS

oftw

are

US

oftw

are

I

Rem

ote

Tr

• Open Dynamic Architecture - heterogeneousnetworking

UE/HQESO

EPLRSSINCGARSVHF

Link 4ALink 11Link 16WIN T

Mis

sion

Pl

Situ

atio

n U

Battl

e M

gm

Sens

or F

u

Targ

et R

e

Inte

grat

ed

Embe

dded

Common Services

Information Management

Computing and Networking

HQ

BattleCommand

Reachback

HHQ XX

networking - heterogeneouscomponents

WIN-T Hierarchical Ad-Hoc Network

DataImagesVoiceVideo V t i

UGS

WNW WNW

stubnetJTRS

• Very high level concurrency with complex interactions

L COP L COP L COP L COP

Video Vetronics

Common VehicleSubsystems

EO/IR EO/IRSAR/MTI

Networked CommandNetworked Command

• Challenges: – understanding and– predicting behavior

How to achieve predictability with limited/partial compositionality?

PlatformPlatformNetworked CommandNetworked Command

Real-Life SoS Development

All integration categories are present (component, layer, SoS)SoS)Systems are evolving along “spiral-outs”New technical challenges are emerging and potentialNew technical challenges are emerging and potential solutions need to be rapidly exploredAll layers of the system are subject to modifications, there are no well defined synchronization points in the development processIntegration is inherently incremental; deployedIntegration is inherently incremental; deployed systems need to be integrated with components on different level of maturity: prototypical and with i l t d t / tsimulated systems/components.

How Is It Solved Today?

Systems are integrated when all components are delivered

– Acquisition pushes in this directionIntegration means: “Make it working somehow” System Integration Labs do not offer support for spiral developmentThere is no approach to deal with incomplete specifications and components

System Integration is the highest risk mostSystem Integration is the highest risk, most expensive, least predictable step in SoS development

Emerging Solution: Model-Based Integration

Apply Models Earlypp y yApply Models OftenUse Every OpportunityUse Every Opportunity

Requirements/Architecture IntegrationArchitecture/Design IntegrationDesign Assessment/VerificationPrototyping/ScalingImplementationScalingTestingTesting

Tool Chain for Architecture Exploration in FCS

ADeVS, IONS RELEX

Excel

Component

SystemModelSegment

IDD

GReATTransform

SystemIntegration

SystemComponentAdapters

C++______________________________

IDL______________________________

SystemIntegrationTest Harness

C++______________________________

IDL________________________

GReATTransform

XML______

RoseCAT file

RuntimeGlue(Deployed)

______

IntegrationLaboratoryTools

________________________

With Boeing FCS Program

Risk Mitigation: SurrogateModeling and Synthesis

GME System Models

GME Component ModelsDeployment Instance Topology Networks

GME Component Models

Interfaces,Business

Interfaces

Code GeneratorCode Generator

BusinessLogic

InputInterfaces

OutputInterfaces

BusinessLogic(Generated)

InputInterfaces

OutputInterfaces

AcquiredBusinessLogic

“Real”BC

“Real”BC

BC Surrogate Component

(Generated)

System Of Systems Common Operating Environment

BC Surrogate Component

Logic ComponentComponent

With Boeing FCS Program

Example 2: Heterogeneous Simulation Integration

Processing (Tracking) 3-D Environment (Sensors)Organization/Coordination Controller/Vehicle Dynamics

Devs Delta3DCPN SL/SFCPNAdaptive Human

Organization

MixedInitiative

Controller

Context Dep.Command

Interpretation

AdaptiveResourceAllocation

Coordination Decision Support

HCI AbstractCommands

PlatformCommands

AssignedPlatform

Commands

Devs Delta3D

How can we integrate the models?How can we integrate the simulated heterogeneous system components?H i t t th i l ti i ?

CPN SL/SFCPN

Data Distribution Network

Support

PlatformStatus

COPElements

COPElements

COPElements

Model-Integrated System and Software Laboratory Environment: C2 Windtunnel

How can we integrate the simulation engines?

GME GMESimulation Interaction Simulation Architecture

OMNETNetwork ArchitectureAFOSR PRET: C2 Wind Tunnel

Model-based Integration Architecture

“Virtual”

Model Integration LayerComponents

ExperimentSpecification

& ConfigurationController

ModelsNetworkModels

Org.Models

FusionModels

Models

Env.Models

Si l ti I t ti Pl tf (HLA)

Instrumentation Layer

DEVSFederate.

OmNet++Federate

CPNFederate.

OGREFederate

SimulinkFederate

Instrumentation Layer

Run-time

Simulation Data Distribution/Communication Middleware

Simulation Integration Platform (HLA)

Distributed Simulation PlatformDistributed Simulation Platform

https://wiki.isis.vanderbilt.edu/OpenC2WT

Experiments: Impact of Cyber Attacks

Network attack:A sub-network with hundreds of zombie nodes attacks a critical router on the main network.Flood attack on udp, tcp or ping p, p p g

Full Zombie subnet

network

Summary

Penetration of networking and computing in all engineered systems forces a broad basedengineered systems forces a broad based convergence across engineering disciplines. Signs of this convergence is present in many g g p yareas from which we discussed two:

Design Automation – emergence of bl l d l d lmetaprogrammable tool suites and multimodeling

System Integration – re-integration of computer and systems sciencesystems science

Model-based design facilitates a necessary convergence among software, system, control co e ge ce a o g so t a e, syste , co t oand network engineering

Documents

MODEL-INTEGRATED DESIGN IN SOFTWARE, SYSTEMS AND …