THE INSTITUTE FOR SYSTEMS RESEARCH
ISR develops, applies and teaches advanced methodologies of design and analysis to solve complex, hierarchical, heterogeneous and dynamic problems of engineering technology and systems for industry and government. ISR is a permanent institute of the University of Maryland, within the A. James Clark School of Engineering. It is a graduated National Science Foundation Engineering Research Center. www.isr.umd.edu
Development of a Framework for CPS Open Standards and Platforms
John S. Baras and Mark A. Austin
ISR TECHNICAL REPORT 2014-02
TECHNICAL REPORT
Systems Engineering and Integration Laboratory (SEIL), Institute for Systems Research, University of Maryland, College Park, MD 20742, USA
DEVELOPMENT OF A FRAMEWORK FOR CPS OPEN STANDARDS AND PLATFORMS
by John S. Baras and Mark A. Austin
November 8, 2013
Note: The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the National Institute for Standards and Technology (NIST) or the U. S. Government.
Acknowledgment: Research supported in part by Cooperative Agreement, NIST 70NANB11H148, to the University of Maryland College Park.
1. Introduction
This technical report describes a Framework we have developed through our research and investigations in this project, with the goal to facilitate creation of Open Standards and Platforms for CPS; a task that addresses a critical mission for NIST. The rapid development of information technology (in terms of processing power, embedded hardware and software systems, comprehensive IT management systems, networking and Internet growth, system design environments) is producing an increasing number of applications and opening new doors.
In addition, over the last decade we entered a new era where systems complexity has increased dramatically. Complexity is increased both by the number of components that are included in each system and by the dependencies between those components. Increasingly, systems tend to be more software dependent, and that is a major challenge facing engineers involved in the development of such systems. The challenge is even greater when a safety critical system is considered, like an airplane or a passenger car. Software-intensive systems and devices have become everyday consumables. There is a need for development of software that is provably error-free. Thanks to their multifaceted support for networking and inclusion of data and services from global networks, systems are evolving to form integrated, overarching solutions that are increasingly penetrating all areas of life and work.
When software dependent systems interact with the physical environment, we have the class of cyber-physical systems (CPS) [1, 2]. The challenge in CPS is to incorporate the inputs (and their characteristics and constraints) from the physical components in the logic of the cyber components (hardware and software). CPS are engineered systems constructed as networked interactions of physical and computational (cyber) components. In CPS, computations and communication are deeply embedded in and interacting with physical processes, and add new capabilities to physical systems. Competitive pressure and societal needs drive industry to design and deploy airplanes and cars that are more energy efficient and safe, medical devices and systems that are more dependable, defense systems that are more autonomous and secure. Whole industrial sectors are transformed by new product lines that are CPS-based.
Modern CPSs are not simply the connection of two different kinds of components engineered by means of distinct design technology, but rather a new system category that is both physical and computational [1, 2]. Current industrial experience tells us that, in fact, we have reached the limits of our knowledge of how to combine computers and physical systems. The shortcomings range from technical limitations in the foundations of cyber-physical systems to the way we organize our industries and educate engineers and scientists that support cyber-physical system design. If we continue to build systems using our very limited methods and tools but lack the science and technology foundations, we will create significant risks, produce failures and lead to loss of market.
Nowadays, with increasing frequency we observe systems that cooperate to achieve a common goal, even though they were not built for that reason. These are called systems of systems. For example, the Global Positioning System (GPS) is a system by itself. However, it needs to cooperate with other systems when the air traffic control system of systems is under consideration. The analysis and development of such systems should be done carefully because of the emergent behavior that systems exhibit when they are coupled with other systems.
However, apart from the increasing complexity and the other technical challenges, there is a need to decrease time-to-market for new systems as well as the associated costs. This specific trend and associated requirements, which are an outcome of global competitiveness, are expected to continue and become even more stringent. If a successful contribution is to be made in shaping this change, the revolutionary potential of CPS must be recognized and incorporated into internal development processes at an early stage. For that, interoperability and integratability of CPS are critical.
In this Task we have developed a Framework to facilitate interoperability and integratability of CPS via Open Standards and Platforms. The purpose of this technical report is to introduce this Framework and its critical components, to provide various instantiations of it, and to describe initial successful applications of it in various important classes of CPS. An additional goal of publishing this technical report is to solicit feedback on the proposed Framework, and to catalyze discussions and interactions in the broader CPS technical community towards improving and strengthening this Framework. CPS integrate data and services from different systems which were developed independently and with disparate objectives, thereby enabling new functionalities and benefits. Currently there is a lack of well-defined interfaces that on the one hand define the standards for the form and content of the data being exchanged, but on the other hand take account of non-functional aspects of this data, such as differing levels of data quality or reliability. A similar situation exists with respect to tools and synthesis environments, although some work has been initiated in the latter. The technological prerequisite for the design of the aforementioned various functions and value added services of CPS is the interoperability and integratability of these systems as well as their capability to be adapted flexibly and application-specifically as well as extended at the different levels of abstraction. Dependent on the objective and scope of the application, it may be necessary to integrate component functions (Embedded Systems (ES), System of Systems (SoS), CPS), to establish communication and interfaces, and to ensure the required level of quality of interaction and also of the overall system behavior. This requires cross-domain concepts for architecture, communication and compatibility at all levels. 
The effects of these factors on existing or yet undeveloped systems and architectures represent a major challenge. Investigation into these factors is the objective of current national and international studies and research projects. CPS create core technological challenges for traditional system architectures, especially because of their high degree of connectivity. This is because CPS are not constructed for one specific purpose or function, but rather are open for many different services and processes, and must therefore be adaptable. In view of their evolutionary nature, they are only controllable to a limited extent. This creates new demands for greater interoperability and communication within CPS that cannot be met by current closed systems. In particular, the differences in the characteristics of embedded systems in relation to IT systems and services and data in networks lead to outstanding questions in relation to the form of architectures, the definition of system and communication interfaces and requirements for underlying CPS platforms with basic services and parallel architectures at different levels of abstraction.
The technological developments underlying CPS evolution require the development of standards in the individual application domains, as well as basic infrastructure investments that cannot be borne by individual companies alone. This is particularly significant for SMEs. The development and operation of uniform platforms to migrate individual services and products will therefore be as much of a challenge as joint specification standards. The creation of such quasi standards, less in the traditional mold of classic industry norms and standards and more in the sense of de facto standards that become established on the basis of technological and market dominance, will become an essential part of technological and market leadership.
To summarize and emphasize, the complexity of the subject in terms of the required technologies and capabilities of CPS, as well as the capabilities and competences required to develop, control and design/create innovative, usable CPS applications, demand fundamentally integrated action, interdisciplinarity (research and development, economy and society) and vertical and horizontal efforts in:
- The creation of open, cross-domain platforms with fundamental services (communication, networking, interoperability) and architectures (including domain-specific architectures);
- The complementary expansion and integration of application fields and environments with vertical experimentation platforms and correspondingly integrated interdisciplinary efforts;
- The systematic enhancement with respect to methods and technologies across all involved disciplines to create innovative CPS.
The aim of our research and investigations under this Task of the project was precisely to clarify these objectives and systematically develop detailed recommendations for action. Our research and investigations have identified the following essential and fundamental challenges for the modeling, design, synthesis and manufacturing of CPS:
(i) The creation and demonstration of a framework for developing cross-domain integrated modeling hubs for CPS.
(ii) The creation and demonstration of a framework for linking the integrated CPS modeling hub of (i) with powerful and diverse tradeoff analysis methods and tools for design exploration for CPS.
(iii) The creation of a framework for linking the integrated CPS synthesis environment of (i) and (ii) with databases of modular component and process (manufacturing) models, backwards compatible with earlier legacy systems;
(iv) The creation of a framework for translating textual requirements to mathematical representations as constraints, rules and metrics involving both logical and numerical variables and the automatic (at least to 75%) allocation of the resulting specifications to components of the CPS and of processes, in a way that allows traceability.
These challenges have been listed here in the order of increasing difficulty both conceptually and in terms of arriving at implementable solutions. The order also reflects the extent to which the current state of affairs has made progress towards developing at least some initial instantiations of the desired frameworks. In this context, it is useful to compare with the advanced state of development of similar frameworks and their instantiations for synthesis and manufacturing of complex microelectronic VLSI chips including distributed ones, which have been available as integrated tools by several vendors for at least a decade.
Regarding challenge (i) we have performed extensive work and research in this project towards developing model-based systems engineering (MBSE) procedures for the design, integration, testing and operational management of cyber-physical systems, that is, physical systems with cyber potentially embedded in every physical component. Thus in the Framework, described in this report, for standards for integrated modeling hubs for CPS, MBSE methods and tools are prominent. Regarding the search for a framework for standards for CPS this selection has the additional advantage that it is also emerging as an accepted framework for systems engineering by all industry sectors with substantial interest in CPS [3, 7].
Regarding challenge (ii) we have performed extensive work and research in this project towards developing the foundations for such an integration, and we have developed and demonstrated the first ever integration of a powerful tradeoff analysis tool (and methodology) with our SysML-Integrated system modeling environments for CPS synthesis [3, 7]. Primary applications of interest for which we have instantiated this framework are: microgrids and power grids, wireless sensor networks (WSN) and applications to Smart Grid, energy efficient buildings, microrobotics and collaborative robotics, and the overarching (for all these applications) security and trust issues including our pioneering and innovative work on compositional security systems. A key concept here is the integration of multi-criteria, multi-constraint optimization with constraint-based reasoning.
Regarding challenge (iii) we have only developed the conceptual Framework, as any required instantiations will require substantial commercial grade software development beyond the scope of this project. It is clear however that object-relational databases and database mediators (for both data and semantics) will have to be employed.
Regarding challenge (iv) we have developed a Framework for checking and validating specifications, after they have been translated to their mathematical representations as constraints and metrics with logical and numerical variables. Various multi-criteria optimization, constraint-based reasoning, model checking and automatic theorem proving tools will have to be combined. The automatic annotation of the system blocks with requirements and parameter specifications remains an open challenge.
2. CPS Architectures
A key concept we investigated is that of architectures for CPS. This still remains a challenge. We (the MS researchers) participated in the studies of this subject as members of the NIST CPS Architecture Task Group.
Generically the Architecture of a System consists of: (1) The arrangement of entities that constitute the system; (2) The relationships between these entities. For a physical system, the architecture defines the form (structure) that performs the function (behavior). It also defines the interconnections between components and the associated interfaces. For CPS, since various physics are involved in the physical components, understanding and modeling such interconnections and interfaces could be very complex. The same can be said about software systems, even though the "form/structure" descriptor does not have any geometric or material meaning as it does for the physical components. And finally the architecture of a CPS must describe the interfaces between the cyber and the physical components at different scales.
Thus describing and modeling CPS architectures can be a pretty challenging task. One of the great difficulties involved is to find appropriate models and representations so that design and manufacturing engineers can explore various architectures in a systematic and quantitative manner. It is our assessment that we are not close to developing such satisfactory models and representations of CPS architectures given the current state of affairs in CPS. Nor are we close to developing a satisfactory taxonomy of architecture classes for CPS in various areas of interest. We discuss below various issues and concepts related to CPS architectures from [2, 3, 4, 5].
First, every system has at least one architecture, whether it is stated explicitly or not. In fact, a typical system has more than one architecture depending on the intended purpose for describing it. The architecture of a system is essential to:
- Understand, model and analyze complex systems;
- Design complex systems;
- Manufacture complex systems;
- Evaluate the cost and other financial concerns about a system and its potential markets;
- Design standards and protocols to guide the evolution of long-lived systems;
- Manage complex systems.
These are especially true of cyber-physical systems, where the physical and cyber (e.g., computation, communication, control) components have their own architecture(s).
One common classification of architecture of a physical system is whether it is modular or integral. Most physical system architectures lie somewhere in between. Recent scholarship [3] seems to indicate that there is a scientific limit to the modularity of physical systems architecture, even when it is desired. No such limit seems to exist for the modularity of cyber systems architecture.
While cyber system architectures can also be classified along the modular-integral axis, more frequently they are described as more/less "layered" or "hierarchical". For example the popular Internet-based communication architecture consists of layers of protocols. Much of the success of the Internet is attributed to its layered architecture. For example, a typical web browser can be implemented using the protocols HTTP/TCP/IP/Ethernet, layering from top to bottom. A rich set of choices provided in each layer and the standardized interface between the layers have contributed to the success of the Internet-based communication.
Drawing from this Internet inspiration, Service-Oriented Architecture (SOA) for large scale enterprise-wide computing has adopted a layered approach. Casting computations as services is a popular trend for all sorts of computations, and these computations are architected as computing service layers with standardized interfaces.
In the world of control systems, a popular architecture is hierarchical. In this hierarchical structure each node operates independently, performing tasks received from its superior node, commanding tasks of its subordinate nodes, sending abstracted sensations to its superior node, and receiving sensations from its subordinate nodes.
The leaf nodes are physical sensors and actuators. Note that each level in the hierarchy can be treated as a layer, and communications between them can be architected as discussed above. A more decentralized architecture is used in distributed and networked control systems. A typical large-scale control system usually has a hybrid architecture consisting of distributed and hierarchical clusters. In addition, all control systems are evolving into a rich collection of computation and communication subsystems, thus inheriting the architectures of these subsystems.
In summary, layered architecture is emerging as a popular choice for cyber (e.g., computation, communication, control) systems, with rich choices within each layer and standardized interface between layers.
To further investigate the interesting topic of architectures for cyber-physical systems (CPS) we helped design and participated in a survey of NIST subject matter experts in different domains of CPS including: SmartGrid & Telecommunication, SmartGrid, Smart Transportation - Operations, Information Technology, Building Systems, Smart Manufacturing, Wireless Emergency Networks, Health IT, General CPS. The initial responses have been collected in an informal initial report [4].
To further investigate this key topic, an invited panel on CPS Architectures was organized by PI Prof. Baras at the International Conference on CPS (ICCPS) held in Philadelphia April 9-12 [7]. The invited and distinguished panelists were: Prof. Manfred Broy of Technical University of Munich (Germany), Prof. Karl-Henrik Johansson of the Royal Institute of Technology (Sweden), Dr. David Corman of Boeing (and NSF), Dr. Vijay Srinivasan of NIST, Prof. Janos Sallai of Vanderbilt University and Prof. Raj Rajkumar of Carnegie Mellon University. The theme of this panel was to discuss concepts, paradigms and needs towards developing a systematic and rigorous methodology, models and analysis for CPS architectures.
Architecture is a key ingredient of any system. In a generic sense one understands by Architecture a description of the various structure and behavior components of a system together with their configuration and interfaces and interconnections. The concept of Architecture for CPS is a challenging concept as it needs to account for both the physical and cyber constraints. For instance physical and material laws as well as geometric laws and reasoning will guide the physical part. The same is true for various concepts of time and their constraints. Extensions of current distributed architectures for computers at all scales, and including both digital and analog components, need to be considered. Even more importantly the interplay between the principles and rules of architectures from the physical and cyber sides needs to be considered and brought to harmony.
The purpose of this panel was to initiate extensive discussions within the technical community of CPS at large with the goal to start developing principles, languages and a taxonomy of such architectures for CPS. An important new concept that was brought to the forefront was the significance of geometry and matter, which has not so far been considered in discussions of CPS architectures.
The operational scenario of the panel was as follows. Professor Baras provided a brief introduction to the topic. He also introduced the following key questions that were addressed by the panelists and the audience.
1) Examples of physical system architectures strongly influenced by the physical laws of the components, including material and geometry laws and principles.
2) Examples of system cyber architectures where the physical layer and heterogeneous engineering components played a critical role.
3) Do we need specific architecture description languages for CPS?
4) What is the current state of the art in industry sectors like automotive, aerospace, power grids, where CPS thinking has already started?
5) Visions about some generic architectures set-up like the various planes in complex communication and computer networks. Is such a generic framework appropriate or even feasible for CPS? Is it possible to develop a taxonomy of CPS architectures? Examples?
6) There are pervasive cross-cutting concerns across classes of CPS, like security-resilience and robustness. How should these requirements be reflected in CPS architectures?
7) Is there a need for standards development as we work towards a taxonomy of CPS architectures? How important are such developments for interoperability and design of CPS?
8) What should be the role and principles of CPS architectures with respect to validation and verification at the system level?
9) What is the role and principles for CPS architectures from the perspective of composability and compositionality?
10) CPS exist at various scales from macro to nano and even at multiple scales within the same system. What are the challenges for CPS architectures emanating from this multi-scale reality?
Each of the panelists made a short presentation of about 10 minutes. These presentations were followed by a lively discussion and questions and answers with the audience and the panelists. The audience attendance was about 80 people. Feedback from the participants was that the panel and discussions were very interesting and timely. The panel and discussion duration was approximately two hours, overrunning the planned schedule due to the continuous interest of the participants.
A follow-up panel discussion on CPS architectures will take place in the forthcoming IEEE Conference on Decision and Control, on December 13, in Florence, Italy. It has been organized and will be moderated by Professor Baras with the following invited panelists: Dr. Manfred Broy (Technical University Munich, Germany), Dr. David Corman (National Science Foundation (NSF), CPS Program Director, USA), Dr. Karl Henrik Johansson (Royal Institute of Technology (KTH), Sweden), Dr.
P.R. Kumar (Texas A&M University, USA), Dr. Max Lemke (European Commission, Complex Systems & Advanced Computing Head), Dr. Alberto Sangiovanni-Vincentelli (University of California Berkeley, USA), Dr. Vijay Srinivasan (National Institute of Standards and Technology (NIST), USA).
To achieve superior levels of performance, CPS architectures will need to be highly integrated, be able to easily adapt to rapidly changing requirements and environmental conditions, and CPS systems will need to be agile. The use of integrated system architectures changes the very nature of MBSE because loosely coupled design flows are replaced by chains of many-to-many relationships between the system stakeholders, their design concerns, viewpoints, views and models. Stringent requirements on system agility imply that complex systems will have connectivity relationships that allow for systematic assembly (or composition) from simpler systems. Design space exploration and trade studies are more difficult to conduct because: (1) System relationships can reach laterally across systems hierarchies and/or intertwined network structures; and (2) Ideal architectural solutions to integration and agility conflict. System validation is more difficult because system components will be required to serve multiple functions, and cause-and-effect mechanisms are no longer localized and obvious.
The tenet of our approach is that these CPS design challenges can be met through the use of design flows and operational processes that are strategic in their use of top-down hierarchical decomposition (to simplify the description and solution of problems), bottom-up composition (to allow for increased system agility and reliability, and decreased time-to-deployment), abstraction (to remove problem details not immediately relevant to decision making) and formal methods (to ensure that models of system functionality, system design, and decision making are correct).
3. Model-Based Systems Engineering for CPS
Model-based Systems Engineering (MBSE) [8] has emerged as a promising methodology for the systematic design, performance evaluation and validation of complex engineering systems. "(MBSE) is the formalized application of modeling to support system requirements, design, analysis, verification and validation activities beginning in the conceptual design phase and continuing throughout development and later life cycle phases" [8]. MBSE is a relatively new development in the Systems Engineering technical community which emphasizes the practice of systems development through the use of models (of all types). MBSE facilitates the flow of requirements through models, a methodology that is at the same time compact and enforces consistency between data and requirements (through the models).
Figure 1 describes the basic steps of the MBSE process that we have developed, and have been teaching at the University of Maryland (UMD) for several years [9]. This MBSE process has the following steps (phases): Requirements Collection, Construction of System Structure Model (what the system consists of), Construction of System Behavior Model (what the system does), Mapping of Behavior onto Structure (what structure components will perform parts of behavior), Allocation of Requirements to Structure and Behavior Components, Trade-Off Analysis, Validation and Verification. As illustrated in Figure 1, the process moves between these steps in an iterative manner, until satisfactory alternative system designs are developed. The process is executed at different levels of granularity (detail/aggregation). As the MBSE process executes a system architecture is developed through the creation of behavior and structure components, their interrelationships and the allocation of behavior components to structure components.
At this point if one wishes to utilize an Architecture Design Language and associated tool to capture the system architecture, she/he can do so, but it is not necessary.
Fig. 1. Model-Based Systems Engineering Process [9]
High levels of MBSE productivity will be achieved through the use of high-level visual abstractions coupled with lower-level (mathematical) abstractions suitable for formal systems analysis. Recent research has demonstrated the use of SysML as a centerpiece abstraction for team-based system development, with a variety of interfaces and relationship types (e.g., parametric, logical and dependency) providing linkages to detailed discipline-specific analyses and orchestration of system engineering activities.
3.1 Systems Modeling Language (SysML)
SysML [10] is a general purpose graphical modeling language that was developed based on UML and is a key enabler for the MBSE process by providing ways for the representation and analysis of complex engineering systems. SysML supports the specification, analysis, design, verification, and validation of systems that include hardware, software, data, personnel, procedures, and facilities. SysML supports model and data interchange via XML Metadata Interchange (XMI) and the AP233 standard. Recent research has demonstrated the use of SysML [10] as a centerpiece abstraction for team-based system development, with a variety of interfaces and relationship types (e.g., parametric, logical and dependency) providing linkages to detailed discipline-specific analyses and orchestration of system engineering activities.
The four fundamental pillars of SysML are the support of models for the structure of the system, models of the behavior of the system, models for capturing the requirements for the system via the new [...] system, which ties design variables and metric parametric representations to the structure and behavior models (a kind of annotation of these models). Parametric diagrams are the key to linking SysML-based system models to analysis models, including trade-off analysis models such as multimetric optimization (e.g. IBM-ILOG CPLEX) and constraint based reasoning tools (e.g. IBM-ILOG Solver). SysML, as a language for describing the system architecture, is a catalyst for the integration of various modeling environments, as well as analysis/design environments, for complex systems, while allowing multiple disciplinary views of the system and its components (Figure 2), where the System Architecture Model is described via SysML.

Fig. 2. Multi-domain model integration via system architecture model (SysML)

Our research in this task has established a SysML-based approach towards the development of the foundations for the model integration framework for CPS. A key component in the proposed Framework are the resulting CPS modeling integration hubs (Figure 4).

3.2 CPS Modeling Integration Hub Architecture

A major challenge in MBSE for CPS is to have models that are consistent with each other. However, besides having consistent data there is a need for the models to work together in order to offer a holistic Systems Engineering approach to the designer of CPS. SysML is used in the core of our modeling integration hub (Fig. 2 and Fig. 4). The main aim is to integrate this core module with external tools, each one used in a different phase of the Systems Engineering process [9, 10, 11].

Another key component of the emerging Framework is a metamodeling environment with its associated languages and semantics based on sophisticated versions of annotated block diagrams and bond graphs [11]. A metamodeling layer (Figure 3) stands one abstraction layer above the actual design implementation in a modeling language. A metamodel consists of the constructs of a modeling language together with the rules that specify the allowable relationships between these constructs. It can be considered as the grammar of that modeling language. At the metamodeling layer model transformations take place (Figure 3). There are many alternatives in terms of model transformation tools, like ATL, GME, eMoflon, QVT. In our research the eMoflon model transformation tool was used [12], [13].

Fig. 3: System modeling transformation

The resulting MBSE system modeling environment can be thought of as a "virtual" product line management (PLM) environment for CPS, across discipline tools. To achieve this integration a three layer approach needs to be followed. Initially, for the tool we need to integrate, a domain specific profile is created in SysML [14]. Then a model transformation is defined, followed by the implementation of tool adapters that are used as a middleware for exchanging information between the model transformation layer and the other components of the hub. Tool adapters work as the "glue" between the different pieces of software. Their role is to access/change information inside a model and call the appropriate Java functions generated by the eMoflon tool to perform model transformations [11], [14]. Fig. 4 presents these layers as well as the areas for which we need to integrate tools with the core module to realize the MBSE vision of a system design experience for CPS.

In our research to date we have successfully integrated (and demonstrated the use of, in real industrial CPS problems) various environments with SysML: Modelica, MATLAB (Stateflow / Simulink), Mathematica, Maple, COMSOL etc. CPS puts additional significant challenges in this integration of models and views due to the fundamental heterogeneity of CPS components and the hybrid (logic-analog) nature of CPS. Our research to date has also addressed the development of new mathematical foundations for this model integration and towards a framework for standardization in these so-called CPS modeling integration hubs. So far we have developed such CPS modeling integration hubs for power grids, microrobotics, energy efficient buildings, wireless sensor networks, wireless network protocols and vehicle management systems for next generation all-electric aircraft.

4. Tradeoff Analysis and Design Space Exploration

Although progress to date in MBSE facilitates the integration of system component models from different domains, we still need an integrated environment to optimize system architecture, manage the analysis and optimization of diverse measures of effectiveness (MoE), manage the various acceptable designs and, more than anything else, perform tradeoff analysis. Tradeoff is an essential part of system design, as it implements design space exploration. SysML does not provide a way for engineers to formally evaluate and rank design criteria, conduct sensitivity analysis, search design spaces for better design solutions, and conduct trade studies. To address this challenge we have introduced [3, 7, 11] the concept that SysML needs to be integrated with industrial-strength multi-objective algorithms, constraint-based reasoning algorithms, with appropriate linkages to modeling/simulation environments (see Figure 5). An integration of SysML with a tradeoff tool will allow the designer to make decisions faster and with more confidence.

4.1 Integration of SysML-Integrated CPS Modeling Hubs with Tradeoff Tools

We have recently developed and demonstrated [11] the first ever integration of a powerful tradeoff analysis tool (and methodology), Consol-Optcad, which is a sophisticated multi-criteria optimization tool developed at the University of Maryland, with our SysML-based modeling integration hubs for CPS. Consol-Optcad is a multi-objective optimization tool that allows interaction between the model and the user. It can handle non-linear objective functions and constraints with continuous values. Another version of Consol-Optcad has been developed to handle also logical variables, via integer and constraint programming [15]. In systems development and after the system structure is defined there is a need to calculate the design parameters that best meet the objectives and constraints.
Usually when we deal with complex systems and optimization is under consideration, this is not a trivial task. The support of an interactive tool, like Consol-Optcad, to help the designer resolve the emerging trade-offs is necessary. A major advantage of Consol-Optcad is that it allows the user to interact with the tool, while the optimization is under way. The designer might not know or might not be in a position at the beginning to specify what preferred design means. Therefore such interaction with the tool could be of great benefit [15], [16]. Another key feature of Consol-Optcad is the use of the Feasible Sequential Quadratic Programming (FSQP) algorithm for the solver [16, 17]. FSQP's advantage is that as soon as we get an iteration solution that is inside the feasible region, feasibility is guaranteed for the following iterations as well. Moreover, very interesting is the fact that besides traditional objectives and constraints Consol-Optcad allows the definition of functional constraints and objectives that depend on a free parameter. Consol-Optcad has been applied to the design of flight control systems [17], rotorcraft systems [18, 19], integrated product process design (IPPD) systems [15] and other complex engineering systems.

For effective design space exploration and tradeoff analysis it is important to have the ability to compute sensitivities to proposed changes and evaluate "what if" types of questions. CONSOL-OPTCAD is such a sophisticated multi-criteria optimization tool, which incorporates duality methods of analysis (involving both numerical and discrete variables) for problems such as IPPD, as well as innovative visualization techniques to help engineers understand the impact of design choices (see for instance the Pcomb diagram in Figure 6(a) from [11]). This is a unique feature of Consol-Optcad as compared to other approaches currently in use, like the one used in ModelCenter. Figure 6(b) shows the situation with a functional requirement; another unique strength of Consol-Optcad.

Fig. 5: Linking Design Space Exploration Tools with SysML - Integrated CPS Modeling Hub

Fig. 6(a). Pcomb after the 18th iteration

Fig. 6(b). Functional constraint after 18th iteration

The details of the integration framework, and the separate steps that were followed to achieve the integration between SysML (from MagicDraw [14]) and Consol-Optcad, can be found in [11]. SysML is not a tool specific language, but MagicDraw was used because it is more open than other tools and it can be modified more easily.

Fig. 7 presents the architecture of the integration together with numbered steps that need to be followed to complete the integration process. According to the three-layer approach described earlier, the integration process is divided into three main parts. The first part concerns the mapping of the objects between the two languages (SysML, Consol-Optcad). It also includes the development of specific semantics that are used for that purpose; in this case a profile of Consol-Optcad in SysML was created. The second part is the meta-modeling layer where the transformation between the two models takes place. The last part consists of implementing the appropriate tool adapters.

Fig. 7. Integration Framework

The creation of a Consol-Optcad profile is the first step of the integration process. Profiling is the mechanism that SysML has to allow the designer to use additional constructs inside the development environment. Once a profile has been built, it significantly decreases the design effort, since it gives the user the ability to use constructs of a specific tool directly in SysML. A SysML Profile is composed of a set of stereotypes and their relationships [14]. Each Consol-Optcad construct is represented in the profile diagram by a stereotype, according to the Consol-Optcad specification document [15, 16, 17]. After the profile has been created the designer can load the new profile in the project and start using it by simply dragging and dropping Consol-Optcad constructs in the block definition diagram area. This integration process is also shown in Figure 8. We would like to emphasize that the steps described are generic, in the sense that they can be easily generated for different instantiations of both the CPS model integrated hub and the tradeoff and design exploration tool.

Fig. 8: Illustrating the steps used in the integration of the CPS IMH with the tradeoff tool.

The linkage of tradeoff analysis and design space exploration tools in the proposed Framework should be made through connecting to the Requirements Diagram (RD) and the Parametric Diagram (PD); both new diagrams introduced by SysML. This is illustrated in Figure 9. This is an important concept in the proposed Framework.

Fig. 9: Integrating Tradeoff and Design Space Exploration tools with SysML

4.2 Integration of Constrained-Based Reasoning and Optimization for CPS Tradeoff Analysis and Design Space Exploration

Requirements in a complex system, including CPS, will eventually be represented as constraints and metrics with logical and numerical variables and values. These constraints and metrics can include also time. Thus an important component in the proposed Framework is that tradeoff methods and tools should be able to freely move from constraints to metrics and conversely, as indeed metrics and constraints are mathematical dual objects. This involves the integration of constraint based programming (CP) with multi-objective constrained optimization (mixed integer-numerical).

In constraint programming [20, 21, 26, 33] there are two problems: (1) modeling the problem(s) of a certain domain, and (2) finding a 'good' (high-performance) solution algorithm that solves those problems efficiently. The models are expressed using logic formulae over Booleans, linear or non-linear mathematical (in)equalities over integers or reals, or set theoretical expressions; often all together. A solution to a constraint problem is a valuation for the free variables in the formulae such that all formulae are satisfied. The issues with modeling are that: (1) there could be many different ways to model a problem, and (2) the choice of modeling approach determines the solver algorithm used. Thus, not only should the most expressive modeling approach be chosen, but it also has to fit with the solver algorithms used. Note that the modeling 'language' does not have to be the same as the language (data structures) used in the solvers. A modeling language can use much higher-level, domain-specific constructs, from which all the lower-level, solver-oriented formulae could be automatically generated. For solvers one can use purely mathematical algorithms (e.g. linear [27] or non-linear programming [28]) or algorithms developed by the AI community (e.g. constraint propagation/distribution over finite domains [29]) or algorithms that work on the symbolic representations of Booleans (e.g. manipulations on ordered binary decision diagrams [30]). The available packages such as ILOG Solver [22], CHIP [23], ECLiPSe [24] and Prolog IV [25] are all robust, the result of years of research in this field, and can be used as solvers.
They all have libraries of methods for solving the problem, but they also allow users to develop their own algorithms. A further refinement on the constraint programming paradigm is the introduction of soft constraints [32], where not all, but the majority of the formulae must be satisfied by a solution. In the classical constraint programming paradigm all formulae must be satisfied by the solution, otherwise there is no solution. Soft constraints also allow assigning priorities and preferences to formulae, thus preferring solutions that satisfy more important constraints over those that satisfy less important ones. This sort of prioritization is a very powerful and pragmatic modeling technique, better reflecting reality than the classical, hard constraints.

Fig. 10: The IBM-ILOG Optimization Suite

A good example of such an integration is the IBM-ILOG optimization suite. IBM-ILOG CPLEX and IBM-ILOG Solver form the core optimization engines for the platform. IBM-ILOG CPLEX provides powerful C and C++ fundamental algorithm libraries for operations research nonlinear programming professionals. These libraries include ILOG's simplex, barrier and mixed integer optimizers for linear, integer and quadratic programming. IBM-ILOG CPLEX also provides easy-to-use C++ modeling objects that allow the expression of linear and integer programs in a simplified form directly related to their algebraic models. The IBM-ILOG Solver is one of the core C++ libraries in the ILOG Optimization Suite and implements the basic engine for constraint-based optimization. It can solve highly combinatorial real-world problems that are impractical to solve with traditional mathematical programming methods. This high-performance constraint-programming engine can be used alone, or with the IBM-ILOG CPLEX. Using these engines one can also develop customized algorithms. In Figure 10, we have also shown the information that should be passed among the two engines to solve an example networked CPS problem, involving sensor networks.

One of the main goals of modular system design in general and structural software programming in particular is separation of concerns. In a component based design, separation of concerns leads to breaking the system into components that overlap in functionality as little as possible. Unfortunately, there are some concerns that cannot be localized and dealt with in a single component. These types of concerns are called cross-cutting concerns. Good examples of cross-cutting concerns for distributed systems are security issues, synchronization requirements, fault detection and intrusion detection. Aspect-oriented design methodology [34] is a systematic solution for coping with cross-cutting concerns. In component based architectures, one can represent aspects as separate components. In this way, while we are implementing functional components in a CPS, we do not need to explicitly address the aspect concerns. Instead, the system should offer implicit invocation mechanisms for invoking behavior in the functional component (such as routing) whose implementers were unaware of the concern (such as security). In this way, if the security requirements change we can go ahead and design and/or use a new security component (aspect). If the system is designed based on the aspect oriented design paradigm, it should be clear which one of the components can work under the new aspect requirements with minimal modifications.

The tradeoff analysis methodology that we include in the proposed Framework is based on the integrated and interoperable use of constraint-based reasoning and multi-criteria optimization. It is capable of performing trade-off analysis for both the behavioral and the structural model of a system and its components, as well as of the allocation of behavioral components to structural components.
One example instantiation is described in [11]. Design space exploration is based on effective tradeoff tools. The integration and its implementation, as described in this report, were successfully applied to analyze a multi-criteria optimization problem concerning power allocation and scheduling in a microgrid [11]. Extending this integration so that Consol-Optcad can handle mixed-integer problems, which represent the majority of problems that industry usually faces, is currently under development. Finding a way to incorporate structural changes and geometry into the design space exploration process is another very challenging task that can expand the usefulness of the integration presented (see section 6 below). Finally, another instantiation of the Framework is to integrate IBM CPLEX and IBM-ILOG Solver in our CPS integrated modeling hub, tools that are used widely in industry with excellent results in many domains.

With the integration of design space exploration tools our proposed Framework addresses the fundamental CPS challenge of connecting multiple development environments, so as to provide a unified system view, while at the same time facilitating holistic (i.e. system level) traceability and impact analysis. This accomplishes system architecture management across disciplinary domains. The Framework derived by our research, and proposed herein, represents a substantial and innovative extension of the current state of the art in Model-Based Engineering (MBE).
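A toy version of such a trade-off, as an added example that is not code from this report, Consol-Optcad or the ILOG tools: a brute-force Python search over on/off schedules for three power sources, combining hard constraints, a Pareto front over cost and emissions, and prioritized soft constraints. All capacities, costs, demands and soft-constraint weights are constructed for illustration.

```python
from itertools import product

# Constructed data (not from the report): 4 periods, 3 power sources.
DEMAND = [30, 60, 80, 40]              # kW required in each period
SOURCES = {                            # capacity kW, cost per period, emissions per period
    "microturbine": (50, 5, 3),
    "fuel_cell":    (40, 7, 1),
    "diesel":       (60, 4, 6),
}
MAX_SWITCHES = 2                       # on/off changes allowed per source


def switches(pattern):
    """Count state changes over the horizon, starting from 'off'."""
    return sum(a != b for a, b in zip((0,) + pattern, pattern))


def hard_ok(sched):
    """Hard constraints: demand covered in every period, limited switching."""
    for t, need in enumerate(DEMAND):
        if sum(SOURCES[s][0] for s in sched if sched[s][t]) < need:
            return False
    return all(switches(p) <= MAX_SWITCHES for p in sched.values())


def objectives(sched):
    """The two metrics traded off against each other: (cost, emissions)."""
    cost = sum(SOURCES[s][1] * sum(p) for s, p in sched.items())
    emis = sum(SOURCES[s][2] * sum(p) for s, p in sched.items())
    return cost, emis


def feasible_schedules():
    patterns = list(product((0, 1), repeat=len(DEMAND)))
    for combo in product(patterns, repeat=len(SOURCES)):
        sched = dict(zip(SOURCES, combo))
        if hard_ok(sched):
            yield sched


def pareto_front(scheds):
    """Keep schedules whose (cost, emissions) no other schedule dominates."""
    scored = [(objectives(s), s) for s in scheds]

    def dominated(o):
        return any(p[0] <= o[0] and p[1] <= o[1] and p != o for p, _ in scored)

    return [(o, s) for o, s in scored if not dominated(o)]


# Soft constraints: (priority weight, description, predicate on a schedule).
SOFT = [
    (3, "diesel off in first and last period",
     lambda s: s["diesel"][0] == 0 and s["diesel"][-1] == 0),
    (2, "total cost at most 30", lambda s: objectives(s)[0] <= 30),
    (1, "fuel cell runs all day", lambda s: all(s["fuel_cell"])),
]


def penalty(sched, soft=SOFT):
    """Sum of the priorities of the violated soft constraints."""
    return sum(w for w, _, ok in soft if not ok(sched))


def solve_classical(soft=SOFT):
    """Classical CP: every formula is hard, so any violation rejects the schedule."""
    return [s for s in feasible_schedules() if penalty(s, soft) == 0]


def solve_soft(soft=SOFT):
    """Soft CP: minimise weighted violations, then cost, then emissions."""
    return min(feasible_schedules(),
               key=lambda s: (penalty(s, soft),) + objectives(s))


if __name__ == "__main__":
    front = pareto_front(list(feasible_schedules()))
    print("Pareto points:", sorted({o for o, _ in front}))
    print("classical solutions:", len(solve_classical()))
    best = solve_soft()
    print("soft solution:", best, objectives(best), "penalty", penalty(best))
```

With the constructed data, treating every preference as a hard constraint leaves no solution, while the soft formulation gives up only the lowest-priority preference.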
Our approach and results to date address the following applications and challenges for CPS synthesis: (a) Broader exploration of the design space; (b) Dramatically increased flexibility and adaptability to changing environments, without time-consuming redesign; (c) Need for modifiable systems, reconfigurable or upgradable by reference to virtual models, by plug-replacing subcomponents; (d) Heterogeneous CPS model integration; (e) Engineering tools, technologies and methods that enable conceptual design - system design and production, that are useful for full product models and allow easy modification and upgrades.

5. Functional Mock-up Interface (FMI)

In the last two years the Functional Mock-up Interface (or FMI) framework [35], for co-simulation of complex systems has been gaining acceptance. Functional Mock-up Interface (FMI) is a tool independent standard to support both model exchange and co-simulation of dynamic models using a combination of XML-files and compiled C-code. The first version, FMI 1.0, was published in 2010. The FMI development was initiated by Daimler AG with the goal to improve the exchange of simulation models between suppliers and OEMs. As of today, development of the standard continues through the participation of 16 companies and research institutes. FMI is supported by over 35 tools and is used by automotive and non-automotive organizations throughout Europe, Asia and North America.

The FMI specifications (http://www.modelisar.com/fmi.html) are distributed under open source licenses. Each FMU (functional mock-up unit) model is distributed in a zip file with the extension ".fmu" which contains: (i) An XML file containing among other things the definition of the variables used by the FMU; (ii) All the equations used by the model (defined as a set of C functions); (iii) Optional other data, such as parameter tables, user interface, documentation which may be needed by the model.
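Because an FMU packs compiled C code next to its XML description, an importing tool can read the description and inventory the archive before loading anything from it. The Python below is an added example, not code from the report or from an FMI tool; the sample archive and its model are constructed, and the names modelDescription.xml, binaries/ and sources/ are the FMI archive layout as assumed here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DESCRIPTION = "modelDescription.xml"   # XML file at the archive root (assumed FMI layout)

# Constructed model description, for illustration only.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<fmiModelDescription fmiVersion="1.0" modelName="Tank" modelIdentifier="Tank" guid="{constructed}">
  <ModelVariables>
    <ScalarVariable name="level" valueReference="0" causality="output"><Real/></ScalarVariable>
    <ScalarVariable name="inflow" valueReference="1" causality="input"><Real/></ScalarVariable>
    <ScalarVariable name="area" valueReference="2" variability="parameter"><Real start="2.0"/></ScalarVariable>
  </ModelVariables>
</fmiModelDescription>"""


def build_sample_fmu() -> bytes:
    """Build a constructed FMU-like archive in memory (no real model inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(DESCRIPTION, SAMPLE_XML)
        z.writestr("binaries/linux64/Tank.so", b"constructed placeholder, not a real library")
        z.writestr("sources/Tank.c", "/* constructed placeholder */\n")
        z.writestr("resources/table.csv", "t,v\n0,1\n")
        z.writestr("../outside.txt", "constructed member whose path leaves the archive root")
    return buf.getvalue()


def inspect_fmu(data: bytes, max_xml_bytes: int = 1_000_000) -> dict:
    """Inventory an FMU without extracting or loading any of its code."""
    report = {"binaries": [], "sources": [], "other": [],
              "unsafe_paths": [], "variables": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.startswith("/") or ".." in parts:
                report["unsafe_paths"].append(name)   # would land outside the unpack directory
            elif name == DESCRIPTION:
                continue
            elif parts[0] == "binaries":
                report["binaries"].append(name)       # compiled code the importer would execute
            elif parts[0] == "sources":
                report["sources"].append(name)
            else:
                report["other"].append(name)
        desc = z.getinfo(DESCRIPTION)                 # KeyError if the description is missing
        if desc.file_size > max_xml_bytes:
            raise ValueError("model description larger than expected")
        xml_bytes = z.read(desc)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not expected in a model description")
    root = ET.fromstring(xml_bytes)
    report["model"] = root.get("modelName")
    report["fmi_version"] = root.get("fmiVersion")
    for var in root.iter("ScalarVariable"):
        kind = var[0].tag if len(var) else None       # first child is the type element
        report["variables"].append((var.get("name"), var.get("causality"), kind))
    return report


if __name__ == "__main__":
    for key, value in inspect_fmu(build_sample_fmu()).items():
        print(key, value)
```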
FMI defines a standardized interface to be used in computer simulations to develop complex CPS [35, 36, 37]. The vision of FMI is to support this approach: if the real product is to be assembled from a wide range of parts interacting in complex ways, each controlled by a complex set of physical laws, then it should be possible to create a virtual product that can be assembled from a set of models that each represent a combination of parts, each a model of the physical laws as well as a model of the control systems (using electronics, hydraulics, digital software, ..) assembled digitally. The FMI standard thus provides the means for model based development of systems and is used for example for designing functions that are driven by electronic devices inside vehicles (e.g. ESP controllers, active safety systems, combustion controllers). Activities from systems modelling, simulation, validation and test can be covered with the FMI based approach. The four required FMI aspects of creating models capable of being assembled have been covered in the Modelisar project:

- FMI for model exchange,
- FMI for co-simulation,
- FMI for applications,
- FMI for PLM (integration of models and related data in product life-cycle management).

In practice, the FMI implementation by a software modelling tool enables the creation of a simulation model that can be interconnected or the creation of a software library of component models called FMUs (Functional Mockup Units). The typical FMI approach is described by the following stages:

- A modelling environment describes a product sub-system by differential, algebraic and discrete equations with time, state and step-events. These models can be large for usage in off-line or online simulation or can be used in embedded control systems;
- As an alternative, an engineering tool defines the controller code for controlling a vehicle system;
- Such tools generate and export the component in an FMU (Functional Mock-up Unit);
- An FMU can then be imported in another environment to be executed;
- Several FMUs can, in this way, cooperate at runtime through a co-simulation environment, thanks to the FMI definitions of their interfaces.

FMI models have several advantages over Simulink S-Functions:

- S-Functions format is proprietary, whereas the FMI schema is licensed under a BSD license.
- The building blocks of S-Functions are much more complex than FMI, making it very difficult to integrate in simulators other than Simulink itself.
- Furthermore, the S-Functions format is specific to Simulink.
- S-Functions are not suited for embedded systems, due to the memory overhead of S-Functions.

We have included FMI in the proposed Framework due to the benefits described above. However, we emphasize that the FMI framework by itself helps only for simulating complex CPS systems and not in performing the entire MBSE process as described here. However, integrated with the rest of the components of our framework it does provide some very useful functionalities. We have used FMI model integration within our framework already in several applications.

6. Multi-Physics Models

One of the major challenges in modeling CPS and for performing MBSE of CPS is the heterogeneity of physics involved in CPS (see Figure 11). This is dramatically different from VLSI design for example, as the heterogeneity of physics requires representation of different design logics (the rule implied by each physics involved in the CPS).
Modeling implies the activity of forming a mathematical representation, and its algorithmic and computational implementation of the system behavior regarding the relationship between input (stimulus) and output (response) in terms of state variables. Similarly, the term simulation implies the activity of actually utilizing the model produced by the modeling activity. That is to say, simulation implies the activity of predicting the behavior of the system according to the assignment of values to a subset of the associated state variables. The term "multiphysics" has been used historically in more than one undeclared context. Primary among these are: "Multifield" to denote the simultaneous excitation and response of the system by multiple physical fields; "multidomain" to denote the interaction among continuum representations of systems with drastically different properties (e.g. fluid-structure interaction, moving solidification boundary problems etc.) through sharable boundaries; "multi-scale" to denote the consistent bridging of various behavioral models of the system at hand, at various length scales as required by a multitude of scopes ranging from manufacturing process perspective to macro-behavioral utilization. Furthermore, it is significant to note that any combination of these three semantic possibilities generates four more meanings of the term multiphysics. Accordingly, this permits the construction of a conceptual attribute space that is spanned by the basis attributes, "multifield", "multidomain", and "multiscale".

Fig. 11: Illustrating multiple physical components and interactions in CPS

Semantically, a multiphysics system consists of more than one component governed by its own principle(s) for evolution or equilibrium, typically conservation or constitutive laws. A major classification in such systems is whether the coupling occurs in the bulk (e.g., through source terms or constitutive relations that are active in the overlapping domains of the individual components) or whether it occurs over an idealized interface that is lower dimensional or a narrow buffer zone (e.g., through boundary conditions that transmit fluxes, pressures, or displacements). Typical examples of bulk-coupled multiphysics systems with their own extensively developed literature include radiation with hydrodynamics in astrophysics (radiation-hydrodynamics, or "rad-hydro"), electricity and magnetism with hydrodynamics in plasma physics (magnetohydrodynamics), and chemical reaction with transport in combustion or subsurface flows (reactive transport). Typical examples of interface-coupled multiphysics systems are ocean-atmosphere dynamics in geophysics, fluid-structure dynamics in aeroelasticity, and core-edge coupling in tokamaks. Beyond these classic multiphysics systems are many others that share important structural features.

Success in simulating forward models leads to ambitions for inverse problems, sensitivity analysis, uncertainty quantification, model-constrained optimization, and reduced-order modeling, which tend to require many forward simulations. In these advances, the physical model is augmented by variables other than the primitive quantities in which the governing equations are defined. These variables may be probability density functions, sensitivity gradients, Lagrange multipliers, or coefficients of system-adaptive bases. Equations that govern the evolution of these auxiliary dependent variables are often derived and solved together with some of the physical variables. When the visualization is done in situ with the simulation, additional derived quantities may be carried along. Error estimation fields in adaptive meshing applications may constitute yet more. Though the auxiliary variables may not be "physical" in the standard sense, they give the overall simulation the structure of multiphysics. Still other systems may have a multiphysics character by virtue of being multirate or multiresolution. A chemical kinetics model may treat some components as being in equilibrium, idealizing a fast relaxation down to a constraint manifold on which other components vary more slowly. Some phenomena may be partitioned mathematically by projections onto wavelet bases of different frequency or wavenumber properties that are naturally treated differently. The current state of affairs in modeling and simulation of multi-physics systems can be found in [38, 39].

Fig. 12: Interacting multi-domain and multi-domain continuum systems across geometries

A key challenge in multi-physics modeling and simulation is the handling of geometry, constraints across geometry, geometry across scales (see Figure 12). Regarding CPS the interface of the components of multi physics models with the cyber models is also challenging. For these reasons we include in the proposed Framework languages such as Modelica, Dymola, COMSOL, associated tools and environments.

The Modelica (public domain) and Dymola (Dassault Systèmes) languages [40, 41] and associated tools provide interesting capabilities in Systems Engineering and solutions for modeling and simulation, as it is possible to simulate the dynamic behavior and complex interactions between systems of many engineering fields, such as mechanical, electrical, thermodynamic, hydraulic, pneumatic, thermal and control systems. Thus users of Modelica/Dymola can build integrated models and have simulation results that depict reality. Both languages are very well suited for multi-physics continuum systems, but have weaknesses regarding the modeling of cyber and hybrid dynamical systems. However they do offer capabilities for modeling geometry, matter and associated deterministic and stochastic tolerances. In addition both model very well differential-algebraic equations that frequently appear in multi-physics models.

The COMSOL Multiphysics simulation environment [42, 43] facilitates all the steps in the modeling process: defining component or system geometry, meshing, specifying its physics, solving, and then visualizing the results. It also serves as a platform for application specific modules. Model set-up is quick, thanks to a number of predefined physics interfaces for applications ranging from fluid flow and heat transfer to structural mechanics and electrostatics. Material properties, source terms, and boundary conditions can all be spatially varying, time-dependent, or functions of the dependent variables. One can freely mix physics interfaces into new multiphysics combinations as well as couple with any application specific module. As an alternative to writing one's own simulation code, the COMSOL Multiphysics user interface gives the option to specify one's own partial or ordinary differential equations (PDEs or ODEs) and link them with other physics interfaces. When combined with the CAD Import Module or one of the LiveLink products, this enables one to run custom simulations on CAD models from industry-standard formats. Both Modelica/Dymola and COMSOL integrate well with geometry modeling tools like CATIA (Dassault Systèmes).
They both integrate very well within the Framework described in Figures 2, 3, 4, 5. We have successfully used them in CPS problems involving microgrids, microrobots and energy efficient buildings in our research so far.

7. Successful Applications of the Proposed Framework

In [11] we presented the CPS modeling hub as a way to realize the Model-Based Systems Engineering vision and face today's challenges on systems synthesis and development. Furthermore, we introduced a version of the proposed Framework for integrating the SysML-based CPS hub with Consol-Optcad. In [11] we provided details on how each step of the integration was implemented and what tools were used throughout this process. The SysML Consol-Optcad integration facilitates the problem formulation for the user and also enables the design and optimization processes, interacting and working in parallel in order to achieve the best possible design. A trade-off problem for an electrical microgrid was developed and solved to demonstrate the utility of the integration.

Distributed Generation (DG) has emerged as a way to address shortcomings of power grids. In DG the generating systems are of small scale, their use is local and they are geographically distributed. However, DG can cause problems to the network, like reverse power flow, excessive voltage rise, increased fault levels, harmonic distortion and stability problems, due to their independent operation. To overcome such problems various distributed energy resources (DERs) are grouped together with loads to form what is called a microgrid [11]. The Energy Management System plays a central role in the smooth operation of microgrids; it makes the decisions about generation and distribution of electrical energy. These decisions are based on many factors, like power demand, weather, price of electricity and heat, fuel cost, emissions cost and government policies, to name a few.
The DERs that take part in a microgrid can be electrical, thermal or a combination. Solar panels, small wind and hydro generators, micro turbines, diesel engines, fuel cells, gas turbines are some examples of DERs. We defined a microgrid that consists of three power sources: one microturbine, one fuel cell and one diesel engine. The characteristics of each type of power source were realistic [11]. The microgrid was supposed to provide power to a residential building that has 50 apartments. We addressed the problem of finding an optimal solution in terms of scheduling and power output of each engine for a period of 24 hours. The optimal solution was sought while trying to minimize operational cost, fuel cost, emissions and meet customer demand. We assumed that each power source can be turned on and off only two times during a day, because of the costs associated with turning on/off power sources. Details can be found in [11].

In [44] we described this new methodology and environment for Cyber Physical Systems (CPS) synthesis and demonstrate it in the design of microrobots viewed as CPS. The microrobots of our study are shown in Figure 13. Various types of microrobots have been developed in recent years for applications related to collaborative motion such as, sensor networks, exploration and search-rescue in hazardous environments and medical drug delivery. However, control algorithms for these prototypes are very limited. Our new approach for modeling and simulation of the complete microrobotics system allows the robots to complete more complex tasks as per specifications. Since the microrobots tend to have small features, complex micro-structures and hierarchy, the control laws cannot be designed separately from the physical layer of the robots. Such a type of microrobot is indeed a CPS, as control in the cyber side, and the material properties and geometric structure in the physical side, are tightly interrelated. This design approach is important for microrobots, capable of collaborating and completing complex tasks.

Fig. 13: Microrobots of interest as CPS

An important innovation in this work was the treatment of material properties and geometric configurations as design variables. Figure 14 illustrates a Modelica model of the microrobot. In this particular work we demonstrated how the interplay between the cyber part (here the control algorithm) and the physical part (here the material selection and the geometric configuration of the legs) can lead to various improved solutions with respect to stable motion of the microrobots. For instance, similar performance results could result with two different selections of the controller, material and geometry. Thus design space exploration also includes what part of functionality will be allocated to the physical part and what to the cyber and why?

Fig. 14: Modelica model of microrobot

In [45] we developed HybridSim, a modeling and co-simulation toolchain for cyber-physical systems. Many CPS, such as Smart Buildings, are subject to very expensive deployment costs and complex network interactions. Thus comprehensive modeling and simulation of such systems are crucial to ensure that they function as intended before deployment. Given the multi-domain nature of CPS, it is more appropriate to use a heterogeneous simulation environment to study system dynamics. In [139], we designed and implemented an integrated modeling and co-simulation toolchain, called HybridSim, for the design and simulation of CPS. Firstly, HybridSim can transform and import existing system components from multi-domains into SysML, which enables systems engineers to design CPS with only these imported SysML blocks. Secondly, HybridSim can generate Functional Mock-up Units (FMUs) and configuration scripts directly from SysML designs. Finally, HybridSim can co-simulate these FMUs according to the Functional Mock-up Interface standard to synchronize their corresponding simulators and exchange information between them. We demonstrated the convenience and efficiency of HybridSim using a comprehensive hydronic heating system model for Smart Buildings as the case study to investigate the impact of packet loss and sampling rate introduced by the communication network.

A most successful application has been the creation of a synthesis environment for heterogeneous wireless sensor networks (WSN) [46, 47, 48, 49]. In our work heterogeneous wireless sensor networks (WSN), are viewed as large heterogeneous CPS. System design for Wireless Sensor Networks (WSNs) is a complicated process because of the wide variety of WSN applications, the heterogeneity of low-level implementation details, and the complex and heterogeneous interactions with their physical environments. Current ad hoc design methods (both simulation-based and testbed-based) for WSNs are far from satisfactory and cannot estimate system performance thoroughly and with the required accuracy. Furthermore, these ad hoc methods restrict design space exploration and the evaluation of new technology insertion. Existing ad hoc system design methods for Wireless Sensor Networks (WSNs) suffer from lack of reusability. In addition, the interactions between the continuous-time physical environments and WSNs have not been well studied.

Fig. 15: WSNDesign model libraries

In our work [46, 48], we developed a model-based systems design (MBSD) framework for WSNs, called WSNDesign, which is a systematic methodology applying systems engineering principles to enhance model reusability and collaborations among multiple modeling domains. Firstly, WSNDesign provides model libraries (Figure 15) to model various behaviors and structures of WSNs in the context of Smart Buildings. Event-triggered components are either modeled in SysML Statechart Diagrams, or imported from existing TinyOS libraries. Continuous-time components are modeled in Modelica and their behaviors are described by differential equations, which are then transformed and imported to WSNDesign. Therefore, with the help of WSNDesign, system engineers can take advantage of many existing TinyOS and Modelica libraries, rather than design everything from scratch. Secondly, WSNDesign can estimate the performance of designed systems, providing instant feedback to system engineers to quickly explore the performance trade-offs space. In WSNDesign, each component has a performance model described using SysML Parametric Diagrams. System overall performance can be calculated by traversing the system structure tree. Thirdly, WSNDesign can generate simulation codes and configuration scripts directly from system models. Although theoretical analysis provides immediate performance results, accuracy is often sacrificed due to oversimplifications, especially for large complex systems. With code generation, WSNDesign can save system engineers the trouble of writing simulation codes manually. WSNDesign integrates the existing widely accepted simulators to increase the confidence of the simulation results. Finally, WSNDesign provides an interactive tool to reduce the complexity of system analysis using summary propagation on factor graphs transformed from SysML Parametric Diagrams, and expose a sequence of design choices to system designers to provide instant feedback about the influence of a design decision on the complexity of system analysis. Figure 15 illustrates the model libraries of WSNDesign. Figure 16 shows the design flow of WSNDesign.

Fig. 16: WSNDesign design flow

On top of WSNDesign we designed and implemented HybridDB [49], an efficient distributed database system for flash-based storage-centric WSNs. HybridDB exploits a novel resource-aware data storage system, called HybridStore [47], to store and query sensor data in situ on each sensor mote. HybridStore can process typical joint queries involving both time windows and key value ranges as filter conditions extremely efficiently. Based on HybridStore, HybridDB provides the support for incremental ε-approximate querying that enables clients to retrieve a just-sufficient set of readings by issuing sub-queries with decreasing error-bounds. HybridDB will return an approximate dataset with arbitrary L1-norm error bound, after applying temporal approximate locally on each sensor, and spatial approximate in the neighborhood on the proxy. In addition, HybridDB exploits an adaptive error distribution mechanism between temporal and spatial approximate for trade-offs of energy consumption between sensors and the proxy, and response times between the current subquery and following subqueries. Our implementation of HybridDB in TinyOS 2.1 can be transformed and imported to WSNDesign as a part of the model libraries.

8. Requirements Engineering Using Contract-based Design

The remaining last challenge (see (iv) in section 1) to add to the proposed Framework is a formal way to handle requirements. This means specifically a formal method to automatically annotate the structure and behavior components of the CPS by the mathematical representations of the specifications via constraints and metrics. This is currently done manually and as such it represents a scalability problem. As the complexity of the CPS increases, our inability to rigorously model the interactions between the physical and the cyber sides creates serious vulnerabilities. Systems become unsafe, with disastrous inexplicable failures that could not have been predicted. The challenges in the realization and operation of these CPS and systems of systems (SoS) are manifold, and cover a broad range of largely unsolved design and run-time problems. These include: modeling and abstraction, verification, validation and test, reliability and resiliency, multi-scale technology integration and mapping, power and energy, security, diagnostics, and run-time management. Failure to address these challenges in a cohesive and comprehensive way will most certainly delay if not prohibit the widespread adoption of these new technologies.

The most promising means to address this last challenge in MBSE of CPS is to employ structured and formal design methodologies that seamlessly and coherently combine the various dimensions of the design space (be it behavior, space or time), that provide the appropriate abstractions to manage the inherent complexity, and that can provide correct-by-construction implementations. The following technology issues must be addressed when developing new approaches to the design of complex systems, CPS and SoS [50]:

• The overall design flow for heterogeneous systems and the associated use of models across traditional boundaries are not well developed and understood. Relationships between different teams inside the same company, or between different stake-holders in the supplier chain, are not well supported by solid technical descriptions for the mutual obligations.
• System requirement capture and analysis is in large part a heuristic process, where the informal text and natural language-based techniques in use today are facing significant challenges. Formal requirement engineering is in its infancy: mathematical models, formal analysis techniques and links to system implementation must be developed.
• Dealing with variability, uncertainty, and life-cycle issues, such as extensibility of a product family, are not well addressed using available systems engineering methodology and tools.
• Design-space exploration is rarely performed adequately, yielding suboptimal designs where the architecture selection phase does not consider extensibility, re-usability, and fault tolerance to the extent that is needed to reduce cost, failure rates, and time-to-market.
• The verification and validation of "complex systems," particularly at the system integration phase, where any interactions are complicated and extremely costly to address, is a common need in defense, automotive, and other industries.

The challenge is to address the entire process and not to consider only point solutions of methodology, tools, and models that ease part of the design [50]. The proposed Framework for CPS MBSE addresses effectively these challenges with the exception of Requirements Engineering. The goal has been to offer a new approach to the system design problem, suited for the complexity and heterogeneity of CPS, that is rigorous and effective in dealing with the problems and challenges described above, and that, at the same time, does not require a radical change in the way industrial designers and manufacturers carry out their task as it cuts across design flows of different type.
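The "mutual obligations" between teams and suppliers that the list above says lack solid technical descriptions can be written down as assume/guarantee pairs, the formalization this section goes on to adopt. The following is an added example, not code from the report or from [50]: it uses the standard saturation, refinement and composition operations of assume/guarantee contract algebra, which the report does not spell out, over a constructed three-signal microgrid universe whose signal and contract names are all hypothetical.

```python
from collections import namedtuple
from dataclasses import dataclass
from functools import reduce
from itertools import product

# Constructed toy universe: one behavior is a truth assignment to three signals.
Behavior = namedtuple("Behavior", "demand_ok power_ok voltage_ok")
UNIVERSE = frozenset(Behavior(*bits) for bits in product((False, True), repeat=3))


def where(pred):
    """Set of behaviors in the universe that satisfy a predicate."""
    return frozenset(b for b in UNIVERSE if pred(b))


@dataclass(frozen=True)
class Contract:
    A: frozenset  # assumptions: behaviors the environment is allowed to produce
    G: frozenset  # guarantees: behaviors the component promises under A

    def saturated(self):
        """Canonical form (A, G or not-A): nothing is promised outside A."""
        return Contract(self.A, self.G | (UNIVERSE - self.A))

    def implemented_by(self, component):
        """A component (set of behaviors) satisfies the contract if M & A <= G."""
        return (component & self.A) <= self.G

    def refines(self, other):
        """self can replace other: it assumes no more and guarantees no less."""
        mine, theirs = self.saturated(), other.saturated()
        return mine.A >= theirs.A and mine.G <= theirs.G

    def compose(self, other):
        """Contract of two components integrated side by side."""
        c1, c2 = self.saturated(), other.saturated()
        G = c1.G & c2.G
        # Each side's guarantee may discharge the other side's assumption.
        A = (c1.A & c2.A) | (UNIVERSE - G)
        return Contract(A, G)


# Hypothetical supplier contract: if demand stays within rating, power is delivered.
GENERATOR = Contract(A=where(lambda b: b.demand_ok), G=where(lambda b: b.power_ok))
# Hypothetical energy-management contract: if power is delivered, voltage is in limits.
EMS = Contract(A=where(lambda b: b.power_ok), G=where(lambda b: b.voltage_ok))
# Hypothetical system-level requirement handed down by the integrator.
SYSTEM_SPEC = Contract(A=where(lambda b: b.demand_ok), G=where(lambda b: b.voltage_ok))
# A supplier who also assumes the voltage is already in limits (circular reliance).
CIRCULAR_GENERATOR = Contract(
    A=where(lambda b: b.demand_ok and b.voltage_ok),
    G=where(lambda b: b.power_ok),
)


def integration_meets_spec(parts, spec):
    """Compose the component contracts and check refinement of the system spec."""
    return reduce(Contract.compose, parts).refines(spec)


if __name__ == "__main__":
    print("generator + EMS meets spec:",
          integration_meets_spec([GENERATOR, EMS], SYSTEM_SPEC))
    print("circular generator + EMS meets spec:",
          integration_meets_spec([CIRCULAR_GENERATOR, EMS], SYSTEM_SPEC))
```

The second check fails because the circular supplier contract leaves the composed system assuming more of its environment than the system-level requirement allows, which is the kind of cross-organizational mismatch that is otherwise found only at integration.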
Contract-based design [50, 51, 52] appears to be a promising methodology to address the remaining challenge, coupled with formal model-checking tools and methods like UPPAAL [53], efficient computation and approximation of reachable and invariant sets of set-valued hybrid systems [54] and automatic theorem proving tools and methods like Isabelle [55, 56]. Contracts in the layman use of the term are established when an OEM must agree with its suppliers on the subsystem or component to be delivered. Contracts involve a legal part binding the different parties and a technical annex that serves as a reference regarding the entity to be delivered by the supplier. Contracts can also be used through their technical annex in concurrent engineering, when different teams develop different subsystems or different aspects of a system within a same company. In [5], it is argued that contracts can be actually used almost everywhere and at nearly all stages of system design, from early requirements capture, to embedded computing infrastructure and detailed design involving circuits and other hardware.

Contracts [50, 51] explicitly handle pairs of properties, respectively representing the assumptions on the environment and the guarantees of the system under these assumptions. Intuitively, a contract is a pair C = (A;G) of {Assumptions, Guarantees}, characterizing in a formal way 1) under which context the design is assumed to operate, and 2) what its obligations are. Assume/Guarantee reasoning has been known for quite some time, but it has been used mostly as a verification means for the design of software. The purpose in [50, 51, 52] is more ambitious: contract based design with explicit assumptions is a philosophy that should be followed all along the design, with all kinds of models, whenever necessary. The consideration of rich contracts as above in the industry is still in its infancy. To make contract-based design a technique of choice for system engineers, we must develop:

• Mathematical foundations for contract representation and requirement engineering that enable the design of frameworks and tools;
• A system engineering framework and associated methodologies and tool sets that focus on system requirement modeling, contract specification, and verification at multiple abstraction layers. The framework should address cross-boundary and cross-organizational design activities.

In [50] a unified treatment of contracts is provided, where they are precisely defined and characterized so that they can be used in design with no ambiguity. In addition, [50] provides an important link between interfaces and contracts to show similarities and correspondences. UPPAAL [53] is an integrated tool environment for modeling, validation and verification of real-time systems modeled as networks of timed automata, extended with data types (bounded integers, arrays, etc.). Isabelle [54] is a generic proof assistant. It allows mathematical formulas to be expressed in a formal language and provides tools for proving those formulas in a logical calculus.

9. Compositional Analysis of Dynamic Networked CPS and Complexity Reduction

An important part of the proposed Framework for CPS is the development of methods and tools to manage the enormous complexity of these systems throughout their design and operations cycle. We have developed one such method and tool in our research [57, 58]. Many more are needed.

Dynamic Bayesian networks (DBNs) can be effectively used to model various problems in CPS. In [57] we performed an empirical investigation on compositional analysis of DBNs using abstraction. In static systems and hidden Markov models, computation of a metric called treewidth induces a tree decomposition that can be used to perform logical or probabilistic inference and {max, +} optimizations in time exponential in treewidth and linear in overall system size.
Intuitively, the linear scaling means that very large systems can be analyzed as long as they are sufficiently sparse and well structured. In these simple cases, summary propagation, which uses two operations, summation (projection) and product (composition), suffices to perform the inference or optimization. In this part of our research work, we extended this result to structured networks of communicating dynamic systems.

We [57] defined generalizations of projection and composition operators that treat labeled Markov chains as primitive objects. The projection operation, corresponding to summation, is implemented as label deletion followed by exact state reduction for Markov chains, similar to Hopcroft's DFA minimization algorithm, with O(n log m) complexity. The composition operation is the product of state machines. We used canonical MDDs, similar to BDDs, to capture logical dependencies symbolically. Combining symbolic representations with Markov chain lumping algorithms is a novel contribution.

Using this approach, we have created a tool leveraging model based systems engineering technologies. The communicating Markov chains are specified using UML Statecharts via Papyrus extended using an ANTLR parsed domain specific language (DSL). The tool reduces the number of states in networks of Markov chains by several orders of magnitude. In one example, a network having a product state space of more than 600 million states is reduced to about 500 states. A feature of this technique is that the state space is examined incrementally, meaning that the full state space is never explicitly represented, even as an input to the reduction algorithm. The primary reduction appears to come from symmetry which is surprising because the technique includes no explicit symmetry handling. We note that composition is efficient at least for systems with high symmetry. We have applied these methods and algorithms and tools to two CPSs: a modern aircraft power generation and distribution network and its management system (VMS), and a hospital intensive care unit (ICU).

We also developed an Interactive Tree Decomposition Tool for Reducing System Analysis Complexity [58]. The overall tool is based on a graphical tool for the calculation of treewidth, a metric on the parametric structure of a system that is intimately tied to the complexity of system analysis. For many graphically describable systems, such as systems of parametric equations, as in a SysML Parametric Diagram, Bayesian networks, mind maps, writing term papers, analysis of the system is exponential in treewidth and linear in system size. A tool facilitating comprehensive analysis can serve to bring competitive advantage to a systems engineering workflow by reducing costly unanticipated behaviors. Furthermore, a byproduct of computing treewidth is a framework for enumerating computationally compatible distributed algorithms.

Fig. 17: An illustration of our complexity analysis and reduction tool for CPS

Though there are classes for which treewidth computation is tractable (chordal graphs), it is generally NP-complete. For this reason, we pose [58] the problem from the perspective of finding satisficing solutions, exposing choices that can influence the complexity of the resulting system to the designer. A designer can contribute two important things to the structure of the system: a visual intuition about the relationships between the underlying objects and the ability to change the relationships themselves at design time to reduce analysis complexity.
Having a visual tool that provides instant feedback will help designers achieve an intuitive grasp of the relationship between design decisions and system complexity. As complexity is the root of almost every systems engineering problem, and also something not easily understood, incorporating complexity analysis into a design process should improve resulting system designs.

Our tool [58] uses a randomized, anytime algorithm for interactive optimization of treewidth. It presents a sequence of choices to a designer and incrementally lowers an upper bound on system treewidth over time. This algorithm is novel, as few algorithms are targeted at interactivity with a human user. We have investigated a number of CPS examples for using the tool. We showed how our tool helps to decompose some example systems, including a quadrotor design optimization, a wireless sensor network design optimization, a Bayesian network, and a mind map. An instance of using the tool is illustrated in Figure 17.

References

[1] Special Issue, "Cyber-Physical Systems," Proceedings of the IEEE, January 2012, Vol. 100, No. 1.
[2] "Recommendations for Implementing the Strategic Initiative INDUSTRIE 4.0," Final Report of the Industrie 4.0 Working Group, ACATECH, German National Academy of Science and Engineering, Federal Ministry of Education and Research, April 2013.
[3] J.S. Baras and M.A. Austin, "Second Semiannual Technical Progress Report, on Cooperative Agreement, NIST 70NANB11H148, Modeling and Synthesis of Cyber-Physical Systems," Institute for Systems Research, University of Maryland, November 18, 2012.
[4] V. Srinivasan et al, NIST CPS Architecture Task Group, "Architectures in the Context of Cyber-Physical Systems," NIST Internal Report, October 2012.
[5] D. Whitney et al, The ESD Architecture Committee, "The Influence of Architecture in Engineering Systems," Engineering Systems Monograph, MIT Engineering Systems Division, March 2004.
[6] "NIST Notional Reference Architecture for Cyber-Physical Systems," NIST Internal White Paper, April 2013.
[7] J.S. Baras and M.A. Austin, "Third Semiannual Technical Progress Report, on Cooperative Agreement, NIST 70NANB11H148, Modeling and Synthesis of Cyber-Physical Systems," Institute for Systems Research, University of Maryland, April 22, 2013.
[8] International Council on Systems Engineering (INCOSE): Systems Engineering Vision 2020. Version 2.03, TP-2004-004-02 (2007).
[9] J.S. Baras, Lecture Notes for MSSE class, ENSE 621, 2002.
[10] S. Friedenthal, A. Moore, and R. Steiner, A Practical Guide to SysML, The MK/OMG Press, 2009.
[11] D. Spyropoulos and J.S. Baras, "Extending Design Capabilities of SysML with Tradeoff Analysis: Electrical Microgrid Case Study", Proc. Conference on Systems Engineering Research (CSER'13), March 2013.
[12] The eMoflon team: An Introduction to Metamodelling and Graph Transformations with eMoflon, V 1.4, TU Darmstadt (2011).
[13] A. Anjorin, M. Lauder, S. Patzina, A. Schurr, "eMoflon: Leveraging EMF and Professional CASE Tools," Proceedings INFORMATIK '11, Bonn (2011).
[14] No Magic, Inc.: Open API-User Guide. Version 17.0.1, 2011.
[15] Meyer, J., Ball, M., Baras, J. S., Chowdhury, A., Lin, E., Nau, D., Rajamani, R., Trichur, V.: Process Planning in Microwave Module Production. In: Proc. SIGMAN: AI and Manufacturing: State of the Art and State of Practice (1998)
[16] Fan, M. K.H., Tits, A. L., Zhou, J., Wang, L.-S., Koninckx, J.: CONSOLE-User's Manual. Technical report, Un. of Maryland, Vers. 1.1 (1990)
[17] Fan, M. K.H., Wang, L.-S., Koninckx, J., Tits, A. L.: Software Package for Optimization-Based Design with User-Supplied Simulators. IEEE Control Systems Magazine, Volume 9, Issue 1, Pages 66-71 (1989)
[18] Tischler, M.B., Colbourne, J.D., Morel, M.R., Biezad, D.J.: A Multidisciplinary Flight Control Development Environment and its Application to a Helicopter, IEEE Control Systems Magazine, Volume 19, Issue 4, Pages 22-33 (1999)
[19] Potter, P.J.: "Parametrically Optimal Control for the UH-60A (Black Hawk) Rotorcraft in Forward Flight," MS Thesis, Un. of Maryland, 1995.
[20] Bradwell, R., Ford, J., Mills, P., Tsang, E.P.K. & Williams, R, "An overview of the CACP project: modelling and solving constraint satisfaction/optimization problems with minimal expert intervention," Workshop on Analysis and Visualization of Constraint Programs and Solvers, Constraint Programming 2000, Singapore 22 September 2000.
[21] E. Tsang, "A Glimpse of Constraint Satisfaction," Artif. Intell. Rev. 13, 3, 215-227, June 1999.
[22] J-F. Puget, "Applications of Constraint Programming," in U. Montanari and F. Rossi, (ed.), Proceedings, Principles and Practice of Constraint Programming (CP'95), 647-650, Lecture Notes in Computer Science, Springer, 1995.
[23] H. Simonis, "The CHIP System and its Applications," in U. Montanari, and F. Rossi, (ed.), Proceedings, Principles and Practice of Constraint Programming (CP'95), 643-646, Lecture Notes in Computer Science, Springer, 1995.
[24] J. Lever, M. Wallace, and B. Richards, "Constraint Logic Programming for Scheduling and Planning," British Telecom Technology J., Vol.13, 1., 73-80, Martlesham Heath, 1995.
[25] A. Colmerauer, "An Introduction to Prolog III," CACM Vol.33, No7, 69-90, July 1990.
[26] K. Marriott and P. J. Stuckey, Programming with Constraints, An Introduction, MIT Press, 1998.
[27] A. Schrijver, Theory of Linear and Integer Programming. John Wiley & sons, 1998.
[28] D. N. Bertsekas, Nonlinear Programming, 2nd Edition, Athena Scientific, 1999.
[29] T. Muller, "Constraint Propagation in Mozart," Doctoral Dissertation, U. Saarbrucken, 2001.
[30] T. Bapty, S. Neema, J. Scott, J. Sztipanovits, S. Asaad, "Model-Integrated Tools for the Design of Dynamically Reconfigurable Systems," VLSI Design, vol. 10, 281-306, 2000.
[31] C. Van Buskirk, B. Dawant, G. Karsai, J. Sprinkle, G. Szokoli, K. Suwanmongkol, R. Currer, "Computer-aided Aircraft Maintenance Scheduling," ISIS-02-303, Institute for Software Integrated Systems, November, 2002.
[32] S. Bistarelli, U. Montanari, and F. Rossi, "Soft Concurrent Constraint Programming," ACM Trans. Comput. Logic, 7(3), 563-589, 2006.
[33] K. Apt, Principles of Constraint Programming, Cambridge University Press, 2003.
[34] T. Elrad, R. E. Filman, A. Bader, "Aspect-oriented programming: Introduction", Commun. ACM 44, 10 (Oct. 2001), 29-32.
[35] https://www.fmi-standard.org
[36] M. Otter, H. Elmqvist, T. Blochwitz, J. Mauss, A. Junghanns, H. Olsson, "Functional Mockup Interface - Overview" (http://synchronics.inria.fr/lib/exe/fetch.php/modelica-fmielmqvist.pdf). http://synchronics.inria.fr (INRIA), 2011.
[37] J. Bastian, C. Clauss, S. Wolf, and P. Schneider, "Master for Co-Simulation Using FMI," Proc. 8th International Modelica Conference, 115-120, Dresden, Germany, 2011.
[38] J. G. Michopoulos, C. Farhat, and J. Fish, "Modeling and Simulation of Multiphysics Systems," Transactions of the ASME, J. of Computing and Information Science and Engineering, September 2005, Vol. 5, 198-213.
[39] D. Keyes et al, "Multiphysics Simulations: Challenges and Opportunities," Technical Report ANL/MCS-TM-321, Argonne National Laboratory, 2011.
[40] Modelica and the Modelica Association, https://www.modelica.org/.
[41] Dymola, Dynamic Modeling Laboratory, http://www.3ds.com/products-services/catia/capabilities/catia-systems-engineering/modelica-systems-simulation/dymola/.
[42] COMSOL MULTIPHYSICS, Product Booklet, 2013, www.comsol.com.
[43] "Multiphysics Simulation," IEEE Spectrum, May 2013.
[44] Y. Zhou and J. S. Baras, "CPS Modeling Integration Hub and Design Space Exploration with Application to Microrobotics," in D. C. Tarraf (ed.), Control of Cyber-Physical Systems, 23-42, LNCIS 449, Springer 2013.
[45] B. Wang and J.S. Baras, "HybridSim: A Modeling and Co-simulation Toolchain for Cyber-Physical Systems," Proceedings 17th IEEE/ACM DS-RT Conference, October 30, 2013.
[46] B. Wang and J. S. Baras, "Integrated Modeling and Simulation Framework for Wireless Sensor Networks," Proceedings of the 21st IEEE International Conference on Collaboration Technologies and Infrastructures (WETICE 2012-CoMetS track), pp. 268-273, Toulouse, France, June 25-27, 2012.
[47] B. Wang and J. S. Baras, "HybridStore: An Efficient Data Management System for Hybrid Flash-based Sensor Devices," Proceedings of the 10th European Conference on Wireless Sensor Networks, pp. 50-66, Ghent, Belgium, February 13-15, 2013.
[48] B. Wang, "Storage-centric Sensor Networks for Smart Buildings," Proceedings of the 12th ACM/IEEE Conference on Information Processing in Sensor Networks IPSN 2013, Philadelphia, PA, April 8-11, 2013.
[49] B. Wang and J. S. Baras. "HybridDB: An Efficient Database System Supporting Incremental ε-Approximate Querying for Storage-centric Sensor Networks," submitted to ACM Transactions on Sensor Networks, May 2013.
[50] A. Benveniste et al, "Contracts for Systems Design," INRIA Research Report No 8147, Nov. 2012.
[51] A. Sangiovanni-Vincentelli, W. Damm, and R. Passerone, "Taming Dr. Frankenstein; Contract-Based Design for Cyber-physical Systems," European J. Control, Vol. 18, N. 3, 217-238, 2012.
[52] A. Benveniste, "Contracts and Interfaces in the Context of Requirements Engineering," invited address, ICECCS 2012, Paris, France, July 2012.
[53] UPPAAL, http://www.uppaal.org/.
[54] P. Collins, "Optimal Semicomputable Approximations to Reachable and Invariant Sets," Theory of Computer Systems, 2007, DOI: 10.1007/s00224-006-1338-3.
[55] Isabelle, http://www.cl.cam.ac.uk/research/hvg/Isabelle/.
[56] T. Nipkow, L.C. Paulson and M. Wenzel, A Proof Assistant for Higher-Order Logic, Springer-Verlag, 2013.
[57] S. Yang, Y. Zhou, J.S. Baras, "Compositional Analysis of Dynamic Bayesian Networks and Applications to Complex Dynamic System Decomposition," Proceedings of the Conference on Systems Engineering Research (CSER'13), Atlanta, GA, March 19-22, 2013.
[58] S. Yang, B. Wang and J.S. Baras, "Interactive Tree Decomposition Tool for Reducing System Analysis Complexity," Proceedings of the Conference on Systems Engineering Research (CSER'13), pp. 167-176, Atlanta, GA, March 19-22, 2013.