0250-SIP-2017-PIEEE 1 Model and Tool Integration Platforms for Cyber-Physical System Design Janos Sztipanovits, Fellow, IEEE, Ted Bapty, Xenofon Koutsoukos, Zsolt Lattmann, Sandeep Neema, and Ethan Jackson, Member, IEEE The tight interaction of physical and computational Abstract—Design methods and tools evolved to support the components creates new generations of smart systems whose principle of "separation of concerns" in order to manage impacts are revolutionary; this is evident today in emerging engineering complexity. Accordingly, most engineering tool suites autonomous vehicles and military platforms, intelligent are vertically integrated but have limited support for integration buildings, smart energy systems, intelligent transportation across disciplinary boundaries. Cyber-Physical Systems (CPS) systems, robots, or smart medical devices. Emerging industrial challenge these established boundaries between disciplines, and thus, the status quo on the tools market. The question is how to platforms such as the Internet of Things (IoT), Industrial create the foundations and technologies for semantically precise Internet (II), Fog Computing and Industrie 4.0 are triggering a model and tool integration that enable reuse of existing “gold rush” towards new markets and accelerating the commercial and open source tools in domain-specific design development of societal-scale systems such as connected flows. In this paper, we describe the lessons learned in the design vehicles, which, in addition to the synergy of computational and implementation of an experimental design automation tool and physical components, involve humans (H-CPS). suite, OpenMETA, for complex CPS in the vehicle domain. The As for most engineered systems, CPS design flows are conceptual foundation for the integration approach is platform- dominantly model-based. The model-based design process based design: OpenMETA is architected by introducing two key results in a formal description (model) of the system S, using platforms, the Model Integration Platform and Tool Integration Platform. The Model Integration Platform includes methods and as input the set of requirements R that must be satisfied in tools for the precise representation of semantic interfaces among some environment E (Fig. 1). modeling domains. The key new components of the Model Integration Platform are Model Integration Languages and the mathematical framework and tool for the compositional R E specification of their semantics. The Tool Integration Platform is Model-based designed for executing highly automated design-space Requirements Design Process Environment exploration. Key components of the platform are tools for constructing design spaces and model composers for analytics workflows. The paper concludes with describing experience and lessons learned by using OpenMETA in drivetrain design and by S System adapting OpenMETA to substantially different CPS application Figure 1: Model-based design domains. Index Terms — design automation; cyber-physical systems; If S, R and E can be represented formally, the system design model integration; tool integration can be framed as a synthesis process [1] that yields S such that when composed with the environment E, it satisfies the requirements R, or 푆 ∥ 퐸 ⊨ 푅. The automation of the design I. INTRODUCTION process assumes the availability of precise, formal models for YBER-PHYSICAL SYSTEMS (CPS) are engineered systems R and E restricted to a semantic domain where the synthesis C where functionality emerges from the networked process is computationally feasible. However, in CPS, there interaction of computational and physical processes. are significant challenges with deep impact on model-based design flows: This work was supported in part by the Defense Advanced Research Project Heterogeneity: Heterogeneity is an essential property of Agency under awards #FA-8650-10-C-7075, #FA8650-10-C-7082 # CPS. Much of the advantages of CPS design are expected HR0011-12-C-0008, and by the National Science Foundation under award # CNS-1035655. to come from the synthesis of traditionally isolated J. Sztipanovits, T. Bapty, S. Neema, X. Koutsoukos are with the Institute for modeling domains (creating novel modeling platforms in Software Integrated Systems of Vanderbilt University, TN 37212 USA (e- design flows [2][3]) and from the explicit representation mail: [email protected]). Zs. Lattmann is with A^3 by of interdependences across modeling domains, which is Airbus, CA 95113 USA (e-mail: [email protected]) and E. Jackson is with Microsoft Research, WA 80305 USA (e-mail: frequently neglected if the separation-of-concerns [email protected]). principle [4] is used incorrectly. Modeling uncertainties: In model-based design R, E and S are models of some referent systems (conceptual, logical 0250-SIP-2017-PIEEE 2 or physical) or their properties. The model is always a emerging from a practical constraint: domain-specific CPS simplification, preserving specifically chosen features of design flows are constructed to support synergistically a the referent. The relationship between models and their design methodology but need to be implemented by referents plays key role in the effectiveness of the design integrating a wide range of heterogeneous tool components. process. In cyber domains, this relationship is usually an This leads to – what Alberto Sangiovanni-Vincentelli and abstraction/refinement relation where property Manfred Broy calls – the “tyranny of tools” in design preservation between an abstract model and its referent automation [9], when not the design problems, but available (e.g. a software implementation) is an achievable goal. In tools dictate the abstractions that designers should use in physical domains this relationship is fundamentally problem solving. different. There is always some level of uncertainty The significance of the problem has long been recognized between a model and its physical referent that may be by industry. In fact the challenge of creating end-to-end aleatoric (irreducible) originating from the underlying integrated domain/product – specific tool chains is considered physics, or epistemic arising from the lack of knowledge to be a primary impediment for the faster penetration of [69]. Measuring, expressing and propagating uncertainties model-based design in CPS industry. Large system companies in CPS design models is an important challenge. face immense pressures to deliver safe and complex systems at Complexity and scalability: Complexity and scalability of low cost. Tools are at the heart of their engineering process verifying properties of models are significant concerns for covering the full spectrum of requirements, design, all model-based design approaches that target real-life manufacturing and operations support . The internal tool systems. Selecting modeling abstractions with scalable landscapes of large aerospace and automotive companies symbolic or simulation-based verification methods is a contain ~3000-5000 distinct tools totaling several hundreds of key approach in the cyber side of CPS and may result in millions of dollars in internal investments [10]. End-to-end significant complexity reduction [1]. However, on the tooling for these complex CPS product lines spans too many physical side, adjusting the level of abstractions used in technical areas for single tool vendors to fully cover. In modeling without considering the underlying physics addition, a significant part of the companies’ design flow is inevitably leads to increase in epistemic uncertainty that supported by in-house tools that are proprietary and capture may make the verification unsound and/or incomplete. high value design intellectual property (IP). In many areas, This paper is based on our experience with such as drivetrain electronics in the automotive industry, constructing a fully integrated model-based design tool production tool suites include a combination of in-house and chain prototype for the “make” process of complex CPS, commercial off the shelf (COTS) tools in the approximate as part of the Defense Advanced Research Project ratio of 70% and 30%, respectively. The development and use Agency (DARPA) Adaptive Vehicle Make (AVM) of in-house tools is not necessarily the result of deficient program [5]. The resulting design automation tool chain, COTS offerings, but, rather, it is an essential part of the OpenMETA [6], was expected to contribute to the innovation process that yields competitive advantage via following goals of the program: improved product quality and productivity. The primary Improved design productivity: Shortening technology barrier that slows down this process and makes development times for complex CPS was a primary integration of in-house tools with third party tools extremely goal of the program. OpenMETA contributed to expensive and error prone is the lack of modern tool achieving this goal with the following technical integration and deployment platforms. approaches: (a) extending model-based design to Seamless integration of end-to-end tool chains for highly component - and model - based design, (b) pursuing automated execution of design flows is a complex challenge of correct-by-construction design methods, and (c) which successful examples are rare – even after massive investment by companies. Vendors provide limited executing rapid requirements trade-offs across integration, primarily of their own tools, with a few cross- design domains. vendor integrations for particularly dominant