=Paper= {{Paper |id=Vol-2245/gemoc_paper_4 |storemode=property |title=CPS Simulation Models Categories in Extended Enterprises |pdfUrl=https://ceur-ws.org/Vol-2245/gemoc_paper_4.pdf |volume=Vol-2245 |authors=Renan Leroux,Marc Pantel,Ileana Ober,Jean-Michel Bruel |dblpUrl=https://dblp.org/rec/conf/models/LerouxPOB18 }} ==CPS Simulation Models Categories in Extended Enterprises== https://ceur-ws.org/Vol-2245/gemoc_paper_4.pdf
CPS simulation models categories in Extended Enterprises

Renan Leroux
IRT Saint Exupéry — ALTRAN, Toulouse
IRIT-UPS/University of Toulouse
Renan.Leroux@irt-saintexupery.com

Marc Pantel, Ileana Ober, Jean-Michel Bruel
IRIT/University of Toulouse
IRT Saint Exupéry, Toulouse
First.Last@irit.fr

ABSTRACT
Simulation based early Validation and Verification is a key enabler for the Model Based Development of complex systems. These activities usually require distinct models for the System of Interest and for its execution environment. For Cyber-Physical Systems, the second kind combines generic environment behavioral models with scenarios that drive specific simulations. When these systems are developed in Extended Enterprises, several sub-systems are developed concurrently and the associated models may not be available when assessing some specific sub-system S developed by a given partner P, or might be cloaked to protect the Intellectual Property of the other partners. These other sub-systems thus become parts of the environment of S and appropriate models might need to be developed by the P partner when conducting simulations. This contribution illustrates these issues relying on the AIDA plane inspection system developed in the IRT Saint Exupéry MOISE project.

Reference Format: Renan Leroux, Marc Pantel, Ileana Ober, Jean-Michel Bruel. 2018. CPS simulation models categories in Extended Enterprises. In Proceedings of GEMOC workshop at the ACM/IEEE MODELS conference (GEMOC@MODELS’2018). 3 pages.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
GEMOC@MODELS’2018, October 2018, Eindhoven, Netherlands
© 2018 Copyright held by the owner/author(s).

1 INTRODUCTION
Many complex Cyber-Physical Systems (CPS) are currently built in Extended Enterprises (EE) where stakeholders try to protect their know-how by minimizing the amount of data they share with the other stakeholders. Model Based Systems Engineering (MBSE) and early simulation based Validation and Verification (V & V) have been shown to significantly improve the efficiency of the development and the quality of the resulting products. In this context, stakeholders protect their know-how by cloaking parts of the models they have built when others need to simulate them during the V & V of their part of the system (called the System of Interest (SoI)). When these systems are built using Concurrent Engineering (CE), some models are not even available when a stakeholder needs to conduct V & V activities for a SoI, thus requiring him to build intermediate coarse models used for simulation. Our work targets an efficient methodology for building simulation models and associated tools for the V & V of complex CPS in EE.

This contribution first describes the MOISE project where our work takes place and the AIDA use case. Then, it provides first insights on the various categories of simulation models that must be built for AIDA and concludes on planned future activities.

2 THE MOISE PROJECT
The Technological Research Institute (IRT) Antoine de Saint Exupéry groups industrial and academic partners to transfer research results to industrial practice in the domain of Aeronautic and Space industries. The MOISE (MOdels and Information Sharing in Extended enterprises) project experiments with EE-aware MBSE Methods and Tools where simulation is used for models V & V. MOISE relies on the Arcadia method [7] and the Capella toolset [6] with 4 phases: operational Requirement Functional Logical Physical (RFLP).

Our work focuses on improving the use of simulation in EE relying on co-simulation standards like FMI [1]. It targets Methods and Tools to harness the development of simulators built in EE for models also built in EE. Figure 1 shows how simulators are derived from system models (see [2]) and how we use MBSE to build the various simulators needed to assess the models from the various MBSE phases (see [5]). The second diagram relies on a RFLP method for the development of each simulation activity: the System Architecture provides Requirements for the simulation; the Simulation Architecture is built in Functional phase; the EE model is built in the Logical phase; the Co-Simulation Architecture is built in the Physical phase. Our proposal involves several actors working in EE: a) the System Architect (SyA) builds and assesses models of the SoI using simulation. It provides requirements for the simulations (scenarios, expected quality, etc); b) the Simulation Architect (SiA) designs the co-simulation platform that executes the model simulations; c) Simulation Model Developers (SMD) build the various model components (Functional Mockup Units – FMU) that complete the SoI models to build a fully executable model.

To protect the confidential data and know-how of the various stakeholders in the same project, the various parts of the models developed by a stakeholder will only be partly available to the other ones. The FMI standard [1] provides such cloaking facilities in the execution of the model co-simulation [3].

Figure 1: MOISE methodology and MBSE for co-simulation activities

Figure 2: AIDA inspection drone flight plan example and mission sketch

Figure 3: Functional architecture & associated simulation model

3 THE AIDA INSPECTION DRONE USE CASE
The Airplane Inspection Drone Assistant (AIDA) use case was developed to illustrate and validate the work conducted in MOISE. A drone moves around a plane on the runway before take off (see Figure 2) to support the pilot in the mandatory pre-flight aircraft inspection. AIDA (i) quickens the pilot inspection task and (ii) improves its quality, by allowing scrutinizing all areas, even the ones not-easily-accessible (e.g., top of the wings, crown of the fuselage, . . . ), to detect irregularities, such as forgotten caps on sensors, ill closed trap doors, or mechanical defects. AIDA can be manually controlled following predefined paths (flight plans), with enhanced automated safety capacities to avoid hurting ground staff. AIDA is aware of the cartography of the plane and of the location of the points of interest to be scrutinized. It is equipped with various sensors: vision system, GPS locator, and a radar, for a greater precision, to ensure a sufficient safe distance with respect to the plane and the ground staff. To enable the diagnostic in case of malfunction, flight
data are saved locally and transferred in real-time to the ground. The operator can watch live images taken by the drone, make sure that control points do not present any irregularities, and adapt the drone flight plan. The drone mission is sketched in Figure 2.

Figure 3 is a part of the drone functional architecture model. The left diagram illustrates different kinds of functions in the product model: the SoI function assessed by the simulation is in red dotted line; an already developed function whose model is available for the simulation is in orange full line; and the other undeveloped functions whose models are needed by the simulation. The right diagram explained hereafter corresponds to our work in MOISE: how to build the simulation models and yield the executable simulator taking into account EE constraints.

4 MODEL CATEGORIES FOR CPS
Edward Alan Lee advocates [4] that there exist two fundamental kinds of models: science models that describe the observed system behavior and engineering models that prescribe the expected system behavior. Cyber Physical Systems mix product engineering models and environment science models. Both kinds of models can be continuous, discrete and even hybrid but Lee advocates that they should not be handled in the same manner. Product models are prescriptive and should be as simple as possible and always deterministic. The product must then comply with the models, whereas environment models are descriptive models needed to assess the product models. They should also be as simple as possible regarding the purpose of the assessment. Their correctness will be checked with respect to the physical behavior of the real environment. One key point is that the level of detail in the various models should be consistent in order to ensure an efficient and meaningful simulation. Indeed, in some cases, combining models with different scales (i.e. precision of the physical phenomena or numerical algorithms) can lead to incorrect simulation behavior.

In a single enterprise, with a theoretical V lifecycle, the environment is well known, all models are fully shared between all actors and can be built in the best order to ensure the correctness of the model based V & V activities (i.e. the environment models are correct with respect to the real environment and all the needed product models are available when the assessments are conducted).

In an EE, the various stakeholders want to protect their know-how and confidential data. In MBSE, these elements can be revealed by the models. Thus, the stakeholders do not want to share their models and they wish to hide their content as much as possible. The FMI standard [1] was designed partly to provide such masking techniques during co-simulation. System requirements for the environment behavior shared by all stakeholders are usually high level (e.g. AIDA should be able to fly with gusts of wind up to Xxx kms/h.). They are refined by each stakeholder according to the V & V requirements for the system parts he is designing. Thus, the targeted refinement level for environment models depends on the SoI models’ one and on the numerical algorithms used for their simulations. These can reveal elements from the ones used for the SoI models and leak some information about the product design that the developer wants to protect. For a given stakeholder P, we will distinguish internal models that are built by P and external models that are built by the other stakeholders. They can be considered as the environment for the models built by P but they usually describe both parts of the product and its environment, thus are both prescriptive and descriptive. As the content of models from the other stakeholders involved in a simulation is partially hidden (i.e. black or gray box models), it is more difficult for P to build the most appropriate model needed for the assessment as it will interact during the simulation with these cloaked models. It is thus mandatory to provide requirements regarding the model expected qualities (see [2]).

Things can be even worse when using agile processes: where CE is used to maximize the efficiency of the development, it is mandatory to conduct model based V & V activities early even if some of the required external models are not available. The stakeholder that assesses an internal model he has designed must then build approximate external models that are neither fully prescriptive nor fully descriptive. Such models describe the behavior of the system parts that other stakeholders will build using their own prescriptive models. These models might combine parts of the system and parts of its environment. Then, he also wants to limit the level of detail of this model (as it is not prescriptive) to the one needed for a meaningful assessment. The right diagram in Figure 3 illustrates such functions using full red lines. These functions are tagged as internal environment as they are not part of the final models used to build the product. Recall that the function in full orange line is a prescriptive internal model that has already been developed and is thus not tagged in the same way. In these cases, additional verification activities must be conducted to compare the intermediate models that were built by other stakeholders to assess the models they were building, with the final models built by all intended stakeholders.

5 CONCLUSION AND FUTURE WORKS
This contribution illustrated the need for intermediate simulation models when developing a system using agile Concurrent Engineering in an Extended Enterprise. These models are used only to conduct early model based V & V activities and are neither fully prescriptive nor fully descriptive with respect to the product. They must be the subject of additional verification activities. We plan for the future both to extend this work to the full AIDA model and other use cases and lift it to the level of an ontology of models categories for developing Cyber-Physical Systems; and to study the meaning and constraints regarding the work done by Lee.

REFERENCES
[1] T. Blochwitz, M. Otter, J. Åkesson, M. Arnold, C. Clauss, H. Elmqvist, M. Friedrich, A. Junghanns, J. Mauss, D. Neumerkel, H. Olsson, and A. Viel. 2012. Functional Mockup Interface 2.0: The Standard for Tool independent Exchange of Simulation Models. In Proc. of the 9th Intl Modelica Conference. The Modelica Association.
[2] B. Bossa, B. Boulbene, S. Dubé, and M. Pantel. 2018. Towards a co-simulation based model assessment process for system architecture. In Proc. of the 2nd Workshop on the Formal CoSimulation of Cyber Physical Systems, part of the SEFM conf.
[3] C. Gomes, C. Thule, D. Broman, P. Gorm Larsen, and H. Vangheluwe. 2017. Co-simulation: State of the art. (2017). http://arxiv.org/abs/1702.00686
[4] E. A. Lee. 2016. Fundamental Limits of Cyber-Physical Systems Modeling. TCPS 1, 1 (2016), 3:1–3:26. https://doi.org/10.1145/2912149
[5] R. Leroux, M. Pantel, I. Ober, and J-M. Bruel. 2018. Model-Based Systems Engineering for Systems Simulation. In Proc. of the 13nd International Symposium On Leveraging Applications of formal methods, verification and validation.
[6] Polarsys. 2018. Capella. http://www.polarsys.org/capella/.
[7] J-L. Voirin. 2018. Model-based System and Architecture Engineering with the Arcadia Method (1st ed.). Elsevier.
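
The following is an added example, not code from the paper or from the MOISE project: a pre-release check of how much an FMU discloses beyond its co-simulation interface, which is the leak Section 4 warns about when models are cloaked through FMI. The WindGust model, its variable names and its file names are constructed; the archive layout (modelDescription.xml, binaries/, sources/) and the causality attribute follow FMI 2.0, and the check is meant for a stakeholder's own FMU before it is handed to partners.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Causalities a partner needs in order to connect the FMU in a co-simulation.
INTERFACE = {"input", "output", "independent"}

# Constructed sample: modelDescription.xml of a hypothetical AIDA wind model.
SAMPLE_MD = """<?xml version="1.0" encoding="UTF-8"?>
<fmiModelDescription fmiVersion="2.0" modelName="WindGust" guid="{constructed}">
  <CoSimulation modelIdentifier="WindGust"/>
  <ModelVariables>
    <ScalarVariable name="drone_position" valueReference="0" causality="input"><Real start="0"/></ScalarVariable>
    <ScalarVariable name="wind_force" valueReference="1" causality="output"><Real/></ScalarVariable>
    <ScalarVariable name="gust_gain_k" valueReference="2" causality="parameter" variability="fixed"><Real start="0.8"/></ScalarVariable>
    <ScalarVariable name="turbulence_state" valueReference="3"><Real/></ScalarVariable>
  </ModelVariables>
</fmiModelDescription>"""

def build_sample_fmu(with_sources):
    """Build a constructed FMU-shaped zip in memory (no real binary inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("modelDescription.xml", SAMPLE_MD)
        z.writestr("binaries/linux64/WindGust.so", b"\x7fELF constructed placeholder")
        if with_sources:
            z.writestr("sources/wind_gust.c", "/* constructed placeholder */")
    return buf.getvalue()

def audit_fmu(fmu_bytes):
    """Return what the FMU reveals beyond its co-simulation interface."""
    with zipfile.ZipFile(io.BytesIO(fmu_bytes)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("modelDescription.xml"))
    report = {"interface": [], "exposed_internals": [], "exposed_values": {}}
    for var in root.iter("ScalarVariable"):
        # FMI 2.0 treats a missing causality attribute as "local".
        causality = var.get("causality", "local")
        if causality in INTERFACE:
            report["interface"].append(var.get("name"))
            continue
        report["exposed_internals"].append((var.get("name"), causality))
        # A start value on a non-interface variable discloses a design constant.
        for typed in var:
            if typed.get("start") is not None:
                report["exposed_values"][var.get("name")] = typed.get("start")
    # Shipping sources/ hands the partner the model's C code, not a black box.
    report["source_files"] = [n for n in names if n.startswith("sources/") and n[-1] != "/"]
    return report

if __name__ == "__main__":
    print(audit_fmu(build_sample_fmu(with_sources=True)))
```

Anything listed under exposed_internals, exposed_values or source_files is a candidate for removal or renaming before the FMU leaves the stakeholder that built it.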