Foundations for Model-based Engineering of Systems of Systems

John Fitzgerald ([email protected]), Peter Gorm Larsen, Jim Woodcock

www.compass-research.eu

SoS Theory

“There’s nothing more practical than a good theory” (Kurt Lewin, 1952)

Agenda
1. Systems of Systems Engineering
2. COMPASS: a Model-based Approach
   i. Technical Foci: contracts, verification, heterogeneity
   ii. Tools
   iii. “Emergent” leader election
3. Towards Cyber-Physical Systems

Systems of Systems (SoS)

[Figure: multiple content forms, providers, DRMs; multiple environments & delivery forms]

A/V/Home Automation:
• Multiple content sources, DRMs
• Multiple devices
• Mobile and concurrent systems
Bang & Olufsen: Can we ensure consistent “user experience” as devices, content, DRM, etc., change?

Traffic Management:
• Wide variety of constituent systems: some legacy, some new
• Harsh physical environment
• Complex integration of new systems and architectures
• Faults & Fault Tolerance
West Consulting: How can we add new/evolved constituent systems, and be sure that they will integrate seamlessly?

Smart Grid:
• Many stakeholders with different needs
• Frequent changes to equipment and stakeholder needs.
• Safety cannot be guaranteed centrally
Service Provider: Can we ensure continuity of service and safety in the presence of change and faults?

Emergency Response:
• Stakeholders (patients to government departments).
• Human intervention required for many interactions.
• Assurance of global performance and security properties
Insiel: Can we manage evolution to a decentralised SoS while gaining assurance of global properties?

Background

Systems of Systems (SoSs)
• Assembly of independent systems that collectively offer a new (“emergent”) service
• … on which value and reliance is placed!
• Independence
• Distribution
• Evolution
• Emergence

SoS Engineering
• SoS don’t “just happen”, neither are they often developed ab initio
• SoS Engineering
  – Not new
  – Not always recognised
  – Now an active area of research
• Model-based techniques for managing the engineering risk?

Kemp et al., Steampunk System of Systems Engineering: A case study of successful System of Systems engineering in 19th century Britain, INCOSE Intl. Symp., 2013.

SoS Engineering – Challenges

H. Kopetz, in Directions in Systems of Systems Engineering. European Commission, Communications Networks, Content and Technology Directorate-General, Unit A3-DG CONNECT, July 2012

COMPASS: “providing and evaluating advanced model-based methods and tools for development and analysis of SoS.”

Key outputs:
• Guidelines & patterns for SoS Requirements, Architectures and Integration
• A modelling language (CML) with formal semantics, developed specifically for SoS Engineering problems
• An open tools platform providing computer-assisted analysis of global properties, and test generation and management
• Industry evaluation of methods and tools based on case studies.

Technical Foci
• Collaborative SoS Modelling by Formal Contracts
  – independence and autonomy of constituent systems
  – contractual (assume, commit) interface specification
• Verification of Emergence
  – complexity of confirming/refuting SoS-level properties
  – refinement for engineering of emergent properties; simulation tools allow exploration for unanticipated behaviours.
• Semantic Heterogeneity
  – multiple facets of multi-disciplinary SoS models
  – theory to combine the semantics of heterogeneous models in an extensible way (allowing us to add new paradigms)

COMPASS Technology

[Figure: SysML activity diagram «Fault Activation View» {faultsOfInterest = Complete Failure of the Radio System}, Initiate Rescue Fault Activation [Fault 1]. Swimlanes: CC : Call Centre, : Radio System, ERU1 : ERU. Actions: Start rescue; «Fault Activation» Fault 1 activation; Find idle ERUs ([idle ERU] / [no idle ERU]); Allocate idle ERU; Receive message; Process message; Divert ERU ([higher criticality] / [lower criticality]); Wait; Send rescue info to ERU; «erroneous» Drop message; «Error Detection» Error 1 detection; Log diversion; «Failure Event» Target not attended; Service rescue; «Start Recovery» Start Recovery 1; «End Recovery» End Recovery 1.]

actions
  MERGE1(r) = (dcl e: set of ERUId @
                 e := findIdleERUs();
                 (do e = {}  -> DECISION2(r)
                   | e <> {} -> (dcl e1: ERUId @ e1 := allocateIdleERU(e, r); MERGE2(e1, r))
                  end))
  …
process InitiateRescue = CallCentreProc [| SEND_CHANNELS |] RadioSystemProc [| RCV_CHANNELS |] ERUsProc

(SoS || STOP) [= LE(SoS) E

SysML modelling
• Guidelines for Requirements, Architecture, Integration, Systems Eng.
• SoS Modelling profiles, e.g. Fault-Error-Failure
• Architectural patterns and extensible frameworks.

Formal Modelling Language
• CML allows representation of behavioural semantics of the SoS
• Supports contract specification
• Describes functionality, object-orientation, concurrency, real-time, mobility.
• Can be extended to new paradigms

Tool-supported Analysis
• Model-checker
• Automated proof
• Test generation
• Simulation
• Verifying conformance during evolution, and emergence
• Exploration of design space

COMPASS Tool Architecture


Contractual Modelling
• Enrich interface specifications:
  – Rich state, operations (pre/post), interactions
• Contract (re-negotiation) needs to be supported.
  – Information hiding

[Figure: icv ERSoS, internal connection view showing : ERU Device, : Comms Layer (rec, send) and : ERU Device]

process Card = val i: Index @
begin
  state
    value: nat
  operations
    Init: () ==> ()
    …
    Credit: nat ==> ()
    …
    Debit: nat ==> ()
    …
    Debit(n) == value := value - n
  actions
    Transfer = pay.i?j?n -> ( [n > value]  & reject!i -> Skip
                           [] [n <= value] & accept!i -> Debit(n) )
    Receive  = transfer?j.i?n -> Credit(n)
    Cycle    = ( Transfer [] Receive ); Cycle
  @ Init(); Cycle
end
…
process Cards = || i: Index @ [ {| pay.i, transfer.i, accept.i, reject.i |} union { transfer.j.i.n | j
-- remainder of the Cards process was lost in extraction

-- Centralised version from the same slide, reconstructed from text interleaved
-- with the process above; the process name and the value compared against n
-- in the if-guard were not recoverable
process … =
begin
  state
    valueseq: seq of nat
    inv len(valueseq) = N and sum(valueseq) = M
  operations
    Init: () ==> ()
    Init() == valueseq := initseq(N)
  actions
    Pay = (i, j: Index, n: Money @ pay.i.j.n ->
             if n > … then reject.i -> Skip
             else ( valueseq := subtseq(valueseq, i, n);
                    valueseq := addseq(valueseq, j, n);
                    accept.i -> Skip ))
    Cycle = ( |~| i, j: Index, n: Money @ Pay(i, j, n) ); Cycle
  @ Init(); Cycle
end
…

[Figure: leader-election state machine, transition fragment “…1]/send_undecided”]
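The distributed Card model guards its Transfer action with [n > value] / [n <= value], while the centralised version states the SoS-level invariant sum(valueseq) = M explicitly. As an added example (not code from the COMPASS project or these slides), this Python model replays Pay(i, j, n) events over independent cards and checks that emergent property after every step; Card, run_payments and random_payments are names chosen here, and the workload is constructed.

```python
import random

# Added example, not code from the COMPASS slides: a Python model of the CML
# Card/Cards processes. Each Card is an independent constituent with its own
# balance; the SoS-level (emergent) property is that the total amount of money
# M is conserved and no card balance goes negative.

class Card:
    """One constituent system: local state 'value', guarded Transfer action."""
    def __init__(self, i, value):
        self.i, self.value = i, value

    def transfer(self, j, n, cards):
        # Guarded choice from the CML Transfer action:
        #   [n > value]  & reject!i -> Skip
        #   [n <= value] & accept!i -> Debit(n)   (card j then does Credit(n))
        if n > self.value:
            return ("reject", self.i)
        self.value -= n           # Debit(n)
        cards[j].value += n       # Receive on card j: Credit(n)
        return ("accept", self.i)

def run_payments(initial, payments, guarded=True):
    """Replay Pay(i, j, n) events over cards with the given initial balances.
    After every step the global invariant of the centralised model is checked:
    sum(values) == M and all values >= 0. Returns (final balances, events,
    invariant_held). guarded=False drops the contract guard to show its role."""
    cards = [Card(i, v) for i, v in enumerate(initial)]
    m = sum(initial)
    events, held = [], True
    for i, j, n in payments:
        if guarded:
            events.append(cards[i].transfer(j, n, cards))
        else:
            cards[i].value -= n
            cards[j].value += n
            events.append(("accept", i))
        values = [c.value for c in cards]
        if sum(values) != m or min(values) < 0:
            held = False
    return [c.value for c in cards], events, held

def random_payments(num_cards, count, max_amount, seed=0):
    """Constructed workload: the |~| i,j,n @ Pay(i,j,n) internal choice,
    sampled pseudo-randomly with a fixed seed for reproducibility."""
    rng = random.Random(seed)
    return [(rng.randrange(num_cards), rng.randrange(num_cards),
             rng.randint(1, max_amount)) for _ in range(count)]
```

With the guard in place the total is conserved and no balance goes negative for any workload; dropping it still conserves the total but lets a card overdraw, which is exactly the property the contract is there to protect.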

[Figure: state machine for the leader-election node; states Controller, Ready, Update with do-activities changeClaim, incStrength, receive, update]

process Node = i : nat @
begin
  state
    id  : NODE_ID
    mem : map NODE_ID to CS
    inv dom mem = node_ids \ {id} and dom mem <> {}
  operations
    changeClaim: CLAIM ==> ()
    changeClaim(newc) ==
      (dcl currStr : STRENGTH := myCS.s @ myCS := mk_CS(newc, currStr))
    pre myCS.c = … => newc = … and myCS.c = … => newc = … or …
    -- the CLAIM literals in the precondition were lost in extraction
  actions
    Leader = changeClaim(); SendCS; Controller;
             ([leaders > 0] & Undecided [] [leaders = 0] & incStrength(); Leader)
end

process TransportLayer = ...
  actions
    TransportLayer = (Reader [] Writer [] NodeMngt)
end

process ElectionHiddenComms = ll Nodes [| {| n_send, n_rec, on, off, init |} |] TransportLayer \\ {| n_rec, n_send |}

Results and Some Open Issues
• www.compass-research.eu
• Guidelines:
  – Requirements Engineering, Architectural Modelling Framework, Integration, SoS Engineering, implementing in Atego’s tools.
  – COMPASS Architectural Framework Framework!
  – are there “laws” for architectural refinement?
• Foundations:
  – Modelling Language Semantics – extend to stochastic models, continuous time models, agent-based?
  – Fault Analysis – extending the range of “abnormalities”
• Tool Support:
  – Tools platform & integrations – how will user interaction look?
  – Introductory examples and tools videos.

Forthcoming Events
• COMPASS Interest Group
  – 15 January, Amsterdam
    • Meeting on case studies
    • Led by Bang & Olufsen and Insiel
  – Summer meeting (TBC, Aarhus?)
    • Meeting on new challenge problems in traffic flow management & smart grid
• COMPASS Summer School
  – 16-20 June, Newcastle, UK
  – For students & early career researchers
  – on model-based approaches to SoS Engineering

Roke Manor Research Ltd Nokia GridManager West Consulting BV Rockwell Collins UNU-IIST Center for Electronic Governance 3SL Embraer TERMA Altran University of South Australia Jaguar Land Rover National Institute of Informatics, Japan Verified Systems International GmbH AGCO Corporation DSTL, UK


Towards Cyber-Physical Systems
• Requires convergence of:
  – Multi-paradigm modelling and co-simulation
  – Model-based design
  – Architectural modelling
  – Verification technology

www.destecs.org

Towards Cyber-Physical Systems
Urban Cyber-Physical Systems Lab @ Newcastle
– CPS Lab focussing on design for dependability
– Smart grid, transport, devices, cloud labs
– Focus on urban sustainability.
– Collaborations sought!

Concluding Remarks
• Practical Theory driven by application need
• Don’t ask “Is it an SoS or not?”
  – Instead, “What are its SoS characteristics?”
• SoS Thinking:
  – Addressing constituent system independence via explicit contractual specification
  – Exploring & verifying emergent properties
  – Multi-domain: embracing semantic heterogeneity