Model Integration and Cyber Physical Systems: a Semantics Perspective

Institute for Software Integrated Systems Vanderbilt University

MODEL-INTEGRATION AND CYBER PHYSICAL SYSTEMS: A SEMANTICS PERSPECTIVE

Janos Sztipanovits with Ted Bapty , Gabor Karsai and Sandeep Neema

Institute for Software Integrated Systems Vanderbilt University Email: [email protected]

FM 2011 Limerick, Ireland 22 June 2011 About the Topic

CPS is a rapidly emerging, cross-disciplinary field with well -understood and urgent need for formal methods driven by challenges in model-based design system verification and manufacturing Overview

Boston Dynamics: BigDog

Energy Internet: When IT Meets ET integratorKnown Drivers of CPS

Networking and Information Technology (NIT) hbihphysicalave been and increas computationali ildngly used objectsas uniliversal system in human – scale and societal – scale systems Functionality and salient system characteristics emerge through the interaction of networked

Engineered products turn into Cyber-Physical Systems (CPS): networked interaction of physical and computational processes The Good News…

Networking and computing delivers precision and flexibility in interaction and coordination

Computing/Communication Integrated CPS Rich time models Elaborate coordination of physical processes Precise interactions across Hugely increased system size highly extended with controllable, stable spatial/temporal dimension behavior Flexible, dynamic DidtiDynamic, adaptive communication mechanisms architectures Precise time-variant, nonlinear Adaptive, autonomic systems behavior Introspection, learning, Self monitoring, self-healing reasoning system architectures and better safety/security guarantees. …and the Challenges

Fusing networking and computing with physical processes brings new unsolved problems

Computing/Communication Integrated CPS Cyber vulnerability Physical behavior of systems can be manipulated New type of interactions Lack of composition theories across highly extended for heterogeneous systems: spatial/temporal dimension much unsolved problems Flexible, dynamic VtliVastly increased compl litexity communication mechanisms and emergent behaviors Precise time-variant, nonlinear Lack of theoretical behavior foundations for CPS dynamics Introspection, learning, Verification, certification, reasoning ppyredictability has fundamentally new challenges. Foundation for Convergence: Model-Based Design

Communication Software Control Systems

package org.apache.tomcat.session;

import org.apache.tomcat.core.*; import org.apache.tomcat.util.StringManager; import java.io.*; import java.net.*; import java.util.*; import javax.servlet.*; import javax.servlet.http.*;

/** * Core implementation of a server session * * @author James Duncan Davidson [[email protected]] * @author James Todd [[email protected]] */

public class ServerSession {

private StringManager sm = StringManager.getManager("org.apache.tomcat.session"); private Hashtable values = new Hashtable(); private Hashtable appSessions = new Hashtable(); private String id; private long creationTime = System.currentTimeMillis();; private long thisAccessTime = creationTime; private long lastAccessed = creationTime; private int inactiveInterval = -1;

ServerSession(String id) { this.id = id; }

public String getId() { return id; }

public long getCreationTime() { return creationTime; }

public long getLastAccessedTime() { return lastAccessed; }

public ApplicationSession getApplicationSession(Context context, boolean create) { ApplicationSession appSession = (ApplicationSession)appSessions.get(context);

if (appSession == null && create) {

// XXX // sync to ensure valid?

appSession = new ApplicationSession(id, this, context); appSessions.put(context, appSession); }

// XXX // make sure that we haven't gone over the end of our // inactive interval -- if so, invalidate and create // a new appSession

return appSession; }

void removeApplicationSession(Context context) { appSessions.remove(context); }

/** * Called by context when request comes in so that accesses and * inactivities can be dealt with accordingly. */

void accessed() { // set last accessed to thisAccessTime as it will be left over // from the previous access

lastAccessed = thisAccessTime; thisAccessTime = System. currentTimeMillis();

}

void validate() Modeling Layer • StSystems E Eingineeri ng: Operati on research , Re lia bility, Requ iremen t spec.,.. • Control Engineering: Foundation of system theory: Linear, Nonlinear, … • Software Engineering: Formal methods, Model-based SE, RT software, .. • Communication Engineering: Information theory, Layered protocols, … (Re)-convergence of Systems, Control, Software, Communication Engineering 9 Overview

Battery Components Engine ISG Transmission VMS span: • Multiple Servos physics /Linkages • Multiple domains • MltilMultiple tools

Physical Cyber Cyber-Physical Functional: Computation and Physical with implements some communication deeply embedded function in the that implements computing and design some function communication Interconnect: acts Requires a physical as the facilitators platform to run/to for physical communicate interactions CPS Design Flow Requires Model Integration

Architecture Design Integrated Multi-physics/Cyber Design Detailed Design Modeling Exploration Modeling Simulation V&V& Modeling Analysis

Physics-based

Structure/CAD/Mfg Deep Rapid exploration Exploration with integrated optimization and V&V analysis • Design Space + • Design Space + Constraint • Architecture Constraint Modeling Modeling Modeling • Architecture Modeling • Dynamics, RT • Architecture • Dynamics Modeling Software, CAD, Modeling • Computational Behavior Thermal, … • Low-Res Modeling • Detailed Domain Component • CAD/Thermal Modeling Modeling Modeling • Manufacturing Modeling

Domain Specific Modeling Languages Example: Architecture Modeling

Sublanguage Formalism, Language Constructs, Examples Usage / Capability Systems Hierarchical Architect Module -Explore Architecture Interconnect Design Modeling - Components Space - Interfaces - Derive - Interconnects Candidate - Parameters Designs - Properties

Hierarchically Systems Layered Architect Design Parametric Space - Define Alternati ves Design Modeling - Alternatives/ Space Options - Define - Parameters Constraint - Constraints Example: Dynamics Modeling

Component Hybrid Bond Engineer Graphs - model - Efforts, dynamics Flows, with Hybrid Physical - Sources, Bond Graphs Dynamics Capacitance, System Inductance, Engineers Modeling - RitResistance, - Compose - Transformers system Gyrators, dynamics

Dataflow + DiDomain Stateflow + TT Engineers Schedule - design controller Computational - Interaction Sensor Actuator System Dynamics with Phys ica l Processor Engineers Modeling Components Software - Cyber Topology - Processor Assembly Components allocate - Processing Allocation - Platform Components Effects Example: Physical Structure and Manufacturing Modeling

Standard Structural Component Structural Interfaces (ex: SAE Engineer Interfaces #1) - Defines - Defined with Structural Solid Peer Roles: Interface Modeling -Axis System (CAD / - Point Engineer - Surface Geome try) - Defines - CAD Links Architecture

Component Component MfCtManuf. Cost Engineer -Make Manufacturing - Material - Defines Modeling - Fab Proc Part Cost - Complxity - Defines - Shape/Wt Structural - OTS: Cost/unit Interface, Structural Fastener Interfaces - Fastener Types, Num# …

15 Model Integration Challenge: Physics

Heterogeneity of Physics

Electrical Mechanical Hydraulic Thermal Domain Domain Domain Domain

Theories, Theories, Theories, Theories, Dynamics, Dynamics, Dynamics, Dynamics, Tools Tools Tools Tools Physical components are involved in multiple physical interactions (multi- phi)hysics) Challenge: How to compose multi-models for heterogeneous physical components Model Integration Challenge: Abstraction Layers

Bt( )= κ ( Bt ( ),..., Bt ( )) Plant Dynamics Controller Dynamics: pj1 Models Models • Properties: stability, safety, performance • Abstractions: continuous time, functions,

Heterogen signals, flows ,… Physical design eity SftSoftware SftSoftware Software : Bi()= κ ck ( B1 () i,..., B ()) i • Properties: deadlock, invariants, Architecture Component of security,… Models Code Ab • Abstractions: logical-time, concurrency, s Software design tractions atomicity, ideal communication,..

System Resource Systems : Bt(jpi )= κ ( Bt1 ( ),..., Bt ki ( )) Architecture Management • PtiProperties: tim ing, power, secur ity, fau lt Models Models tolerance System/Platform Design • Abstractions: discrete-time, delays, resources, scheduling, Cyber-physical components are modeled using multiple abstraction layers Challenge: How to compose abstraction layers in heterogeneous CPS components? A Pragmatic Approach: Model Integration Language

Model Integration Language Structural Hierarchical Ported Models /Interconnects Semantics Structured Design Spaces Meta‐model Composition Operators GtiGenerative Rules MetaGME Semantic Translators

CyPhy ÅÆSL/SF

SL/SF Manuf CAD CyyyPhy Meta Meta Meta ÅÆ SEER

CyPhy ÅÆ CAD Thermal SEER‐MFG Pro‐E DktDesktop CATIA Tools and Frameworks Æ Assets / IP / Designer Expertise

Impact: Open Language Engineering Environment Æ Adaptability of Process/Design Flow Æ Accommodate New Tools/Frameworks , Accommodate New Languages Overview

Specify Unambiguate Compute DSML Semantics

Models represent: Modeling Language Semantics: Mathematical Structure Structural Domains: (logical, physical,..) (set of well-formed • graphs model structures) • term algebra + logic

BehavioBehaviorr (cont. discrete,.. ) Behavioral Behavioral (cont. discrete,..) (set of feasible (set of feasible behaviors) behaviors) • denotational • operational Example 1/2

Physical Structure (components and terminals)

mph Transformation:

mbg =T(mph)

Bond Graph model (energy flows)

mbg Example 2/2

operational: simulated trajectories

msl =T(mbg)

mde =T(mbg)

denotational: mathematical equ ations Modeling Language Semantics Has Extensive Research History

Broy, Rumpe ‘1997 Harel ‘1998 Harel and Rumpe ‘2000 TClkSttKtBhdRKiTony Clark, Stuart Kent, Bernhard Rumpe, Kevin Lano, Jean-Michel Bruel and Ana Moreira - Precise UML Group Edward Lee, Alberto Sangiovanni-Vincentelli ‘2004 Joseph Sifakis ‘2005 … Overview

Cyber-Physical Systems (CPS) CPS and Domain Specific Modeling Languages Model Integration Challenge Formal Semantics of DSMLs Structural Semantics Behavioral Semantics Practical Use of Formal Semantics Addressing Horizontal Heterogeneity Addressing Vertical Heterogeneity Summary Specification of Domain-Specific Modeling Languages Key Concept: Modeling languages define a set of well- formed Abstract syntax models and their interpretations. The interpretations are of DSML-s are mappings from one domain to another domain. defined by metamodels.

OCL Constraints: A metamodeling self.transTo->forAll(s | s <> self) language is one Basic metamodeling notation: UML Class Diagram + OCL of the DSML-s.

Semantics of metamodeling languages: structural semantics.

MetaGME metamodel of simple statecharts Model-editor generated from metamodel Formalization of Structural Semantics

Key Concept: DSML syntax is understood as a constraint L = Y, RY ,C,()[]i i∈J system that identifies behaviorally meaningful models. D(){Y,C = r ∈R | r |= C } Y Structural semantics provides mathematical formalism [ ]: RY 6 RY ' for interpreting models as well-formed structures.

Structural Semantics defines modeling domains using Y: setft of concept s, term algebra extended with Logic Programming. This mathematical structure is the semantic domain of RY : set of possible model realizations metamodeling languages. C: set of constraints Use of structural semantics: over R Y • Conformance testing: x ∈ D D(Y,C): domain of well- formed models • Non-emptiness checking: D(Y,C) ≠ {nil} • DSML composing: [ ]: interpretations D1 ∗ D2 D1 + D2 D' includes D... • Model finding: S = {s ∈ D s |= P} • Transforming: m'= T (m); m'∈ X ; m∈Y

Jackson & Sz. ‘2007 Microsoft Research Tool: FORMULA Jackson, Schulte, Sz. • FtfLPiilttfllfitFragment of LP is equivalent to full first-ordlider logic ‘2008 • Provide semantic domain for model transformations. Jackson & Sz. ‘2009 GME-FORMULA Tool Interfaces

Generic Modeling Environment (ISIS)

MdlModels Modeling Lngs Relations among Modeling lngs and Models Const r ain t … Defs

Metamodel Model Translator Translator Validation Analyzer Tool Tool Formula Domain Formula Model

FORMULA (Microsoft Research) Ongoing Work

FORMULA (Schulte, Jackson et al, MSR) - A tool suite for building models and analyzing their properties. Co-developed with the European Microsoft Innovation Center (EMIC), Aachen, Germany GME-FORMULA translator – Extension of the MIC tool suite (VU -ISIS in cooperation with MSR) Analysis tools – Domain and Model Equivalence , Domain Composition, Model Completion (VU- ISIS in cooperation with MSR) Overview

Given a DSML L = Y, RY ,C,()[]i i∈J

D(Y,C)= {r ∈ RY | r |= C}

[ ]: RY 6 RY '

Behavioral semantics will be defined by specifying the transformation between the DSML and a modeling language with behavioral semantics. Implicit Methods for Specifying Behavioral Semantics

Representation as AST

D(Y,C)= {r ∈ RY | r |= C} Implicit C++ Interpreter/Generator Graph rewriting rules

[ ]: RY 6 RY '

D(){Y ',C' = r ∈ RY ' | r |= C' }Executable Executable Code Executable [ ]: R 6 R Model Specification Y ' Y '' (Simulators) Explicit Methods for Specifying Behavioral Semantics

Representation as AST

D(Y,C)= {r ∈ RY | r |= C} Explicit C++ Interpreter/Generator Graph rewriting rules

[ ]: RY 6 RY '

D(){Y ',C' = r ∈ RY ' | r |= C' }Executable Executable Code Executable [ ]: R 6 R Model Specification Y ' Y '' (Simulators) Specifying Behavioral Semantics With Semantic Anchoring

Representation as AST

MIC-UDM MIC-GME

D(Y,C)= {r ∈ RY | r |= C} Graph rewriting rules

MIC-GReAT [ ]: RY 6 RY ' (Karsai, VU-ISIS)

Abstract State Machine Formalism

structure Event React (e as Event) as Event? structure eventType Event as String React step(e as Event) as Event? eventType as String step let CS as State = GetCurrentState ()

class State letstep CS as State = GetCurrentState () class State id as String step let enabledTs as Set of Transition = {t | t in outTransitions (CS) where id initial as asString Boolean e.eventType let enabledTs = triggerEventType(t)} as Set of Transition = {t | t in outTransitions (CS) where initial var active as asBoolean Boolean = false e.eventType step = triggerEventType(t)} var active as Boolean = false D(){Y ',C' = r ∈ R | r |= C' } step if Size (enabledTs) = 1 then class Transition Y ' if Sizechoose (enabledTs) t in enabledTs = 1 then class id Transition as String choose step t in enabledTs id as String step // WriteLine ("Execute transition: " + t.id) abstract class FSM // WriteLineCS.active ("Execute:= false transition: " + t.id) abstract id as class String FSM CS.actstep i ve := flfalse id as String step dstState(t).active := true abstract property states as Set of State dstState(t).active := true [ ]: R 6 R abstract get property states as Set of State step step Y ' Y '' getabstract property transitions as Set of Transition if t in me.outputEventType then if t in me.outputEventType then abstract get property transitions as Set of Transition return Event(outputEventType(t)) getabstract property outTransitions as Map of elsereturn Event(outputEventType(t)) abstract get property outTransitions as Map of else return null getabstract property dstState as Map of else return null abstract get property dstState as Map of else if Size(enabledTs) > 1 then getabstract property triggerEventType as Map of if Size(enabledTs)error ("NON-DETERMINISM > 1 then ERROR!") abstract get property triggerEventType as Map of elseerror ("NON-DETERMINISM ERROR!") getabstract property outputEventType as Map of else return null abstract property outputEventType as Map of return null

Abstract Data Model Model Interpreter Example Specification : FSM

Abstract Data Model Interpreter structure Event abstract class FSM eventType as String Run (e as Event) as Event? clSttlass State sttep initial as Boolean let CS as State = GetCurrentState () var active as Boolean = false step class Transition let enabledTs as Set of Transition = {t | t in abstract class FSM outTransitions (CS) where e.eventType = abstract property states as Set of State triggerEventType(t)} get step abstract property transitions as Set of Transition if Size (enabledTs) >= 1 then get choose t in enabledTs abstract property outTransitions as Map of step CS.active := false get abstract property dstState as Map of step get dstState(t). active := true abstract property triggerEventType as Map of step if t in me.outputEventType then get return Event(outputEventType(t)) abstract property outputEventType as Map of else return null get else return null

Underlying abstract machine - ASM Language: AsmL Yuri Gurevich, MSR Ongoing Work

Semantic anchoringgg of DSMLs using “semantic units” Compositional specification of semantics for heterogeneous modeling languages Investigating alternative frameworks (e.g. based on FORMULA) Overview

Modeling Language Semantics:

Structural (set of well-formed model structures)

Physical (struct. and behav. constraints)

Rational: • Get the physics right Behavioral Behavioral (set of feasible (set of feasible • The rest is mathematics bhbehav iors ) bhbehav iors ) (Kalman, 2005) • denotational • operational Physical Semantics: Structural Implications 1/2

Electrical Mech. domain domain ?

Electrica El.-Mech Mech. l domain (inter- domain dom.)

EiEnergy is conserved at couplings between domains Physical Semantics: Structural Implications 2/2

Collateral energy flow …other rul es…

Heat energy generated on dissipative eltlements: creat es additional energy coupling Physical Semantics: Behavioral Implications

One Junction Rule

∑ei = 0 i

ffik=∈;,ik N Denotational behavioral semantics Rate of power transfer between components is balanced Physical Semantics: Ongoing Work

Extend metamodeling language and metaprogrammable modeling tool (GME) with generative constructs Make specification of generative modeling constructs integrated with metamodeling Extend structural semantics and tools with dynamic constructs Develop rule libraries for relevant cross-physical domains (in progress) Overview

Cyber-Physical Systems (CPS) CPS and Domain Specific Modeling Languages Model Integration Challenge Formal Semantics of DSMLs Structural Semantics Behavioral Semantics Practical Use of Formal Semantics Addressing Horizontal Heterogeneity Addressing Vertical Heterogeneity Summary Integration Inside Abstraction Layers: Composition Bt( )= κ ( Bt ( ),..., Bt ( )) Plant Dynamics Controller Dynamics: pj1 Models Models • Properties: stability, safety, performance • Abstractions: continuous time, functions, ssgign as,als, fl ow s,… Physi cal d esi gn

Software Software Software : Bi( )= κ ck ( B1 ( i ),..., B ( i )) Architecture Component • Properties: deadlock, invariants, Models Code security,… • Abstractions: logical -time, concurrency , SftSoftware d esi gn atomicity, ideal communication,..

System Resource Systems : Bt(jpi )= κ ( Bt1 ( ),..., Bt ki ( )) Architecture Management • Properties: timing, power, security, fault Models Models tolerance System/Platform Design • Abs trac tions: discre te-time, de lays, resources, scheduling, Integration Across Abstraction Layers: Much Unsolved Problems

Plant Dynamics Controller Controller dynamics is developed Models Models without considering implementation uncertainties (e.g. word length, clock Physi cal d esi gn accuracy ) optimizing performance. Assumption: Effects of digital implementation can beX neglected Software architecture models are Software Software developed without explicitly considering Architecture Component systems platform characteristics, even Models Code though key behavioral properties Software design depend on it.

Assumption: Effects of platform properties can beX neglected System Resource System-level architecture defines Architecture Management implementation platform configuration. Models Models Scheduling, network uncertainties, etc. are System/Platform Design introduce time variant delays that may require re-verification of key properties on all levels. Dealing With Leaky Abstractions

Leaky abstractions are caused by lack of comppyosability across s yyystem layers. Consequences: intractable interactions unpredictable system level behavior full-system verification does not scale Sol u tion: s imp lifica tion s tra teg ies Decoupling: Use design concepts that decouple systems layers for selected properties Cross-layer Abstractions: Develop methods that can handle effects of cross-layer interactions Example for Decoupling: Passive Dynamics

Goals: Physical models • Effect of “l eak y ab st racti on” : loss of stability due to implementation implementation-induced time delays (networks , schedulers) • Passivity of dynamics Abstract Model decouples stability from time varying delays • Compositional verification of time safety: implementation essential dynamic properties − stability − safety Real-time Model • Hugely decreased verification complexity • Hugely increased flexibility time robustness Passivity-based Design and Modeling Languages 1/4 Modeling Language Semantics: Heterogeneous Abstractions Structural Structural constraints are (stability) (set of well-formed more involved (next page) model structures)

Physical (struct. and behav. constraints)

denotational operational

Fix for stability: • Passivity-based Behavioral Behavioral (set of feasible (set of feasible design bhbehav iors ) bhbehav iors ) t2 T x = f (x,u) u (t)y(t)dt +V (x(t )) ≥ V (x(t )) ∫ 1 2 y = h(x,u). t 1 for all t2 ≥ t1 and the input u(t) Ԗ U [Antsaklis ‘2008] Passivity-based Design and Modeling Languages 2/4 Constrain modeling language with constructs below:

Bilinear transform: power and wave vars.

• Bilinear transform (b) • Delays [[]Kottenstette‘2011] • Power and Wave variables • Power junction • Passive down- and up-sampler • Passive dynamical (PUS, PDS) system Passivity-based Design and Modeling Languages 3/4 Constrain modeling language with composition constraints below:

negative feedback interconnection of two passive systems is passive

parallel interconnection of two passive systems is still passive

Extensive research in the VU/ND/UMD NSF project toward correct-by-construction design environments (where correct- by-construction means what the term suggest) Passivity-based Design and Modeling Languages 4/4 Constrain modeling language behavior with these constraints (for LTI)

• For LTI passive systems, we can always assume quadratic storage function

1 T V (x) = x Px where P = PT > 0. 2 • For continuous-time system this leads to the following LMI

⎡AT P + PA PB − CT ⎤ ⎢ T T ⎥ ≤ 0 ⎣ B P − C − D − D ⎦

• In discrete-time the LMI becomes the following ⎡AT PA − P AT PB − CT ⎤ 0 ⎢ T T T ⎥ ≤ ⎣B PA − C B PB − D − D ⎦

[Antsaklis ‘2008] Summary

Penetration of networking and computing in engineered systems forces a grand convergence across engineering disciplines. Sigggpns of this convergence presents new opportunities and challenges for formal methods research: New foundation for model integration – emergence of metaprogrammable tool suites and multi-modeling Embedding physical semantics in modeling languages Model-based design facilitates a necessary convergence among software, system, control and network engineering References

- Jackson, E., Sztipanovits, J.: ‘Formalizing the Structural Semantics of Domain-Specific Modeling Languages,” Journal of Software and Systems Modeling pp. 451-478, September 2009 - JDATE,aaso,ckson , Thibod bodau,oeaux, Porter, ,SpaosS Sztipanovits: “Sema ntics sooa of Domain-Specific M odelin g L an guages, ” in P. Mosterman, G. Nicolescu: Model-Based Design of Heterogeneous Embedded Systems. Pp. 437-486, CRC Press, November 24, 2009 - Ethan K. Jackson, Wolfram Schulte, and Janos Sztipanovits: The Power of Rich Syntax for Model- based Development, MSR Technical Report, 2009 - Kai Chen, Janos Sztipanovits, Sandeep Neema: “Compositional Specification of Behavioral Semantics,” in Design, Automation, and Test in Europe: The Most Influential Papers of 10 Years Rudy Lauwereins and Jan Madsen (Eds), Springer 2008 - Nicholas Kottenstette, Joe Hall, Xenofon Koutsoukos, Panos Antsaklis, and Janos Sztipanovits, "Digital Control of Multiple Discrete Passive Plants Over Networks" , International Journal of Systems, Control and Communications (IJSCC), Special Issue on Progress in Networked Control Systems. (Accepted for publication) - Xenofon Koutsoukos, Nicholas Kottenstette, Joe Hall, Emeka Eiysi, Heath Leblanc, Joseph Porter and Janos Sztipanovits, “A Passivity Approach for Model -Based Compositional Design of Networked Control Systems”, ACM Transactions on Computational Logic . (Accepted for publication) - Heath LeBlanc, Emeka Eyisi, Nicholas Kottenstette, Xenofon Koutsoukos, and Janos Sztipanovits. "A Passivity-Based Approach to Deployment in Multi-Agent Networks", 7th Internationalfl Conference f l db on Informatics ( ) in Control, Automation, and Robotics (ICINCO 2010). Funchal, Madeira, June 15-18, 2010. (Best Student Paper Award) About the CPS Name…

“What’s in a name? That w hich we call a rose b y any oth er name would smell as sweet”

– Shakespeare

P.R. Kumar, 2010