Modern software systems are growing more distributed, autonomous, and embedded in physical world [ 1 ]. Such systems are increasingly important because they offer socioeconomic benefits beyond classic embedded systems. For example, fully automated self-driving cars promise dramatic reductions in the accident rate [ 2 ]. Such systems are often called CyberPhysical Systems (CPS)1because they are combine software with complex physical dynamics.

Safety-critical CPS are difficult but important to engineer correctly. To tackle complex analog and digital processes, CPS design and quality assurance rely on model-driven engineering from various scientific and engineering fields, such as artificial intelligence, control theory, and mechanical design. This diversity of methods leads to complex and heterogeneous models that are hard to combine for one system’s design. For example, at least six distinct models of computation may need to coexist in a single system model [ 3 ].

Failure to combine multidisciplinary modeling methods properly may lead to miscommunication and inconsistencies, which turn into design errors and ultimately system failures [ 4 ]. In this paper, such issues are generally called the Problem of Modeling Methods Integration (MMI) – absence of integration leading to erroneous designs. Although partial solutions to the MMI problem exist, CPS community has not yet developed general, effective, and practical ways to integrate 1Such systems are also sometimes referred to as autonomous robotics and mechatronics.

CPS modeling and design methods [ 5 ]. As a result, safetycritical CPS are prone to implicit errors that take a substantial amount of time, effort, and funds to discover and fix. For example, the GM ignition switch recall was caused by an unexpected interaction between the mechanical and electrical designs of the ignition switch, leading to failures, loss of lives, and expensive recalls [ 6 ].

One of the approaches to the MMI problem focuses on choosing an appropriate component abstraction (a“view”) for each CPS formalism, using annotated graphs as an underlying notation [ 7 ]. This approach takes advantage of flexibility of graph annotations to support custom models and a variety of consistency verification methods. Despite its advantages, the architectural approach currently has several significant limitations. First, model-view relations are informal and require substantial manual effort to be created and updated throughout the engineering process. Another limitation is that consistency is fragile due to frequent algorithmic changes to models (we call these algorithms analyses). Finally, consistency properties have limited expressiveness confined solely to the architectural level, incapable of expressing richer properties.

This paper introduces the two-level integration approach that overcomes the above limitations. One level of abstraction is the architectural view level that represents the aspects of each model that are relevant for integration. The other level is the analysis level that focuses on algorithms that change models and infer information from them. Combining these two levels leads to a holistic treatment of CPS modeling integration issues. In particular, this research makes the following major contributions to the field of cyber-physical systems: A Formalization of, and automated support for, CPS modelview relations – a formalism and algorithms for automated creation and updating of model-view relations, even for models that are not structured based on components, e.g., hybrid programs [ 8 ]. Preliminary work (Sec. V) shows that automation of model-view relations is feasible and provides auxiliary modeling benefits, such as component-based analysis and reuse of models.

A modeling method is a cohesive set of formalisms, algorithms, and processes to represent, design, and analyze a system towards satisfaction of certain properties. CPS engineering combines various modeling methods to address systemic properties like safety, stability, schedulability, security, and others.

The work related to this research can be split into two categories: individual CPS modeling methods that can be supported by an integration approach, and CPS model integration approaches that can be seen as alternative solutions to the MMI problem.

As mentioned in Sec. I, the Modeling Method Integration (MMI) problem is caused by a critical lack of integration between CPS modeling methods that leads to design errors and ensuing substantial operational losses. Consider for example a self-driving car that autonomously navigates through an urban environment, supported by intelligent infrastructure, such as smart traffic signals [ 22 ]. All aspects of the car design – electrical, mechanical, thermal, power, control, and communication – need to be properly aligned and, ideally, verified before manufacturing in order to ensure safety and acceptable performance of the system. If modeling methods that address these aspects invalidate each other, it is likely that difficult-to-find discrepancies would be introduced into the design.

Some parts of the MMI problem have been successfully addressed in related research. For example, architectural integration abstractions have been used to represent model structure and behavior, check consistency, and compose independent components [ 23 ]. Model integration properties can be expressed as parametric constraints over sets of views [ 24 ].

However, several important integration issues have not been resolved. One of them is the informality of relations between heterogeneous models and their integration-level representations (such as views). These relations may be easier to establish and maintain for component-based models, such as Simulink and Verilog. However, some CPS models do not have native support for components. For example, hybrid programs are difficult to componentize [ 8 ] because they formally are sequences of potentially non-deterministic discrete jumps and continuous evolutions. Traditionally, such fuzzy model-view relations are handled by an engineer’s judgment and insight, which is an effort-intensive and error-prone way.

Another aspect of the MMI problem is that system designs undergo constant change. It is increasingly common to use automated tools and algorithms to analyze and augment models. We call such tools and algorithms analyses. Analyses are based on theories and methods from diverse engineering and scientific domains. For example, in the domain of real-time processor scheduling, thread-to-processor allocation via binpacking and processor frequency scaling [ 25 ] are analyses that derive a more optimal architecture of a real-time system. If analyses change models locally, it is impractical to maintain consistency in a traditional way: for every local change, many global properties may need to be re-verified before another local change can be made. Besides, analyses often make implicit assumptions about the system and its environment, and it’s important to verify these assumptions – otherwise analytic results may be incorrect.

Finally, some model consistency properties and analytic assumptions need to be expressed not only in terms of architectural elements (components and connectors), but also in domain- and model-specific terms (e.g., current battery cell charge [ 25 ]) that are not defined in architectural models. Often such terms are too semantically low-level, and fully defining them in architectural views would be impractical because one would have to “import” the full detailed semantics of a model, thus defeating the purpose of integration abstractions.

To clarify the expressiveness issue, consider an assumption of the frequency scaling analysis – behavioral deadlinemonotonicity of threads on each processor [ 25 ]. That is, if a thread preempts another, it should have a smaller deadline. To express this statement logically, in addition to the architectural concepts (threads, processors, bindings, and deadlines) we refer to the non-architectural concept of thread preemption. In this case, preemption is modelled as a logical predicate CanPrmpt over a pair of threads that holds iff the first thread preempts the second at the (implicitly modeled) current moment of time. Then the assumption can be written as: 8t1; t2 2 T t1 6= t2 ^ CPUBind(t1) = CPUBind(t2) : G (CanPrmpt(t1; t2) =)

Dline(t1) < Dline(t2)); (1) where T is the set of all threads in the system; CPUBind(t) is the processor that thread t executes on; G (P ) is a global modality in linear temporal logic (LTL) [ 26 ] requiring that predicate P holds at all times; and Dline(t) is the offline deadline of thread t. We need to systematically and scalably interpret and verify statements like the above, and the existing frameworks fall short of doing so.

erogeneous methods need to, as least partially, reconcile conflicting paradigms to achieve practical integration. Correct integration often depends upon satisfaction of implicit assumptions. Many engineers do not challenge the assumptions of their discipline, and aren’t aware of the assumptions in other disciplines. Discovering such assumptions and their violations is therefore a difficult task with unpredictable outcomes.

cannot be found on popular collaborative websites such as GitHub. Conducting an evaluative case study of integration methods requires overcoming organizational and legal barriers to access protected systems.

Nevertheless, it is possible to improve CPS modeling method integration. The next section presents a two-level approach to the MMI problem.

ANALYTIC INTEGRATION

The overall scheme of the two-level integration approach is shown in Fig. 1. Consider two heterogeneous models to be integrated. The models are not completely independent, and there exists some relationship between them. This relationship is however too complex to express or verify directly. Instead, we create architectural view abstractions with integrationrelevant information for each model. The views need to be general enough to accommodate different formalisms (e.g., hybrid programs or Simulink) and CPS application domains (e.g., avionics or transportation).

To support systematic change of models, analyses are considered first-class entities. Analyses read and change views, which propagate the changes to models. Analyses often have their applicability limited by assumptions. If an analysis’ assumptions are not satisfied, this analysis may produce an incorrect result should not be executed. Some analyses have guarantees – statements that should hold after an analysis is executed. If this is not the case, the changes made by this analysis should be rolled back. Since some analyses modify the same set of views, input-output dependencies arise and have to be resolved.

The view level is used to mediate complex interaction between analyses and models. An view is an architectural model with components, connectors, and properties that are defined in a particular architectural style – a custom vocabulary of architectural elements. Using views for integration requires creating and maintaining two kinds of relations: view-view and modelview. The former is more straightforward because views are specified in ADLs that have generally homogeneous structure of components and connectors. Therefore this relationship can be maintained using a number of well-established techniques such as model transformation [ 28 ] or synchronization [ 29 ].

Model-view relations, on the other hand, require a more special link between views and potentially less structured models. A view needs to abstract out some semantics and structure of a model. We use view-model mappings and transformations to automatically support model-view relations. These mappings and transformations have to be customized to the particular formalism in order to be effective. The approach takes advantage of the flexibility of architectural styles to support customization and tailor transformation algorithms. For instance, the hybrid program view [ 14 ] describes which component “owns” how each hybrid program variable.

Another function of the view level is establishing consistency between models through their views. That is done by specifying and verifying consistency rules, which take form of constraints over multiple views and can be verified with constraint solving [ 30 ]. Properties that contain model-specific terms like CanPrmpt (see Eq. 1) require more sophisticated verification methods, such as model checking or theorem proving.

tiple domains and formalisms can now be expressed and verified at an appropriate abstraction level, thanks to Contribution C.

The bottom-up philosophy behind the approach enables adding new modeling methods without up-front planning, in contrast with existing top-down approaches that are dependent on specific formalisms.

The approach also has several limitations:

It may be difficult to provide integration for incomplete and informal models, which often require unique formalizations and algorithms.

The scalability of formal verification techniques depends on carefully designed abstractions and high-quality tools, which may not always be available.

It may be impractical to invest into an up-front formal integration of views and analyses in CPS projects that do not use many heterogeneous modeling methods.

To summarize, the two-level approach is promising to make CPS modeling method integration more effective and less effortful. The next section presents preliminary evidence that supports this claim.

I thank my advisor David Garlan for his guidance and support. I thank Dionisio De Niz, Sagar Chaki, Bradley Schmerl, Ashwini Rao, and other collaborators for contributing to this research. I am also grateful to anonymous reviewers for their helpful comments and suggestions.

This work is funded and supported by the National Science Foundation under Grant CNS-0834701, by the National Security Agency, and by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

3Available at github.com/bisc/active 4nasa.gov/europa 5lunar.cs.cmu.edu