�

�������������������������� �������������������������������������������������������

�������������������������������������

���������������������������������������������

������ �� ��� ���� ����� ��������� ����� �������� ���� ��� � ��� ���� ��������

���������������� �������������������������������������������������

�������������������������������������������������

����������������� ��

�

�

�

�

������������ ���

an author's https://oatao.univ-toulouse.fr/20730

https://www.erts2018.org/authors_detail_inverted_Gauthier%20Jean-Marie.html

Gauthier, Jean-Marie and Hugues, Jérôme and Faudou, Raphaël Integrating AADL and FMI to Extend Virtual

Integration Capability. (2018) In: 9th European Congress Embedded Real Time Software and Systems (ERTSS), 31

January 2018 - 2 February 2018 (Toulouse, France

IntegratingAADLandFMItoExtendVirtualIntegrationCapability

JérômeHugues1,Jean-MarieGauthier2,RaphaëlFaudou2

(1ISAE-Supaero,2Samares-Engineering)

Keywords FMI,AADL,Cyber-PhysicalSystems,Co-Simulation,Virtualcomponents

Abstract VirtualIntegrationCapabilityisparamounttoperformearlyvalidationofCyberPhysicalSystems.Theobjectiveistoguidethesystemsengineersoastoensurethatthesystemunderdesignmeetsmultiple criteria throughhigh-fidelity simulation. In thispaper,wepresent an integration scheme that leverages the FMI (Functional Mock-Up interface)standardandtheAADLarchitecturedescriptionlanguage.Theircombinationallowsforvalidation of systems combining embedded platform captured by the AADL, and FMIcomponents that represent physical elements, either mechanical parts, or theenvironment.Wepresentoneapproach,anddemonstratorcasestudies.

1. Introduction

Virtualintegrationcapability`isparamounttoperformearlyvalidationofCyberPhysicalSystems.Theobjective is toguide thesystemsengineer soas toensure that thesystemunderdesignmeetsmultiplecriteriathroughhigh-fidelitysimulation.Thegeneralapproachistoleveragemodelsasprimaryartefactstocaptureallfacetsofasystem,andtoolsupportstoanalyzeandsimulatethesystem.

Earlystudy[23]demonstratedtheimportanceofArchitectureDescriptionLanguagetocapturemanyfacets of a system, for the embedded perspective, supportingmultiple kind of analysis such as timingperformance,orsafetyanalysis.OtherstandardslikeFMI[1]didthesameforthemechanicalandcontrolsphere, supporting co-simulation of high-level mechanical models (e.g. built on Modelica) or controlcommandmodelsbuiltaroundSimulinkorSCADE.FMIhasbeendefinedwithprimaryobjectivetosupportsystem-levelsimulations,withastrongemphasisonearlyvalidationofsystemsmadeofseparatedmodels.

A remaining challenge is to combine both spheres. As a matter of fact, architecture descriptionlanguages capture the organizational structure of the system to be designed, and the exchange ofinformation,physicsisabstractedthroughdevices(sensorsandcaptors)thatinteractwiththeenvironmentandmechanicalparts.Thesemodelscapturetheirbehaviorasasetofmodelelementsthatultimatelyleadto equations. FMI allows one to build reusable components from thesemodels, but do not address theconstructionofsimulationitself.Thisruptureinabstractionmakesitdifficulttobuildintegratedsimulation,andmotivatesourcontribution.

Consideringanarchitecturaldescriptionmodelofanembeddedsystemasaprimaryartifact,wewanttostreamlinetheconstructionofavirtualintegrationtestbenchthatwouldintegrateexternalmodelsasenvironment stimulus, hence allowing through tests of the embedded (or cyber)part.Our contributionbuildsontheAADLarchitecturedescriptionlanguage,andtheFMIstandard.Ourmaincontributioninthispaperconcernsamodel-basedapproachtointegrateFMIblocksandAADLsoastoleverageexistingcodegenerationstrategyandbuildeithermodel-in-the-looporhardware-in-the-loopsimulations.

Thepaperisorganizedasfollows:insection2,wereviewthemaintechnologicalelementsused:AADLandFMI.Insection3,wereportonexistingFMI-basedintegrationworkflows.Insection4weproposeanAADL-basedworkflowthatleadstothegenerationofsimulations.Section5isacasestudythatillustratestheapproach.Section6proposesfutureworkdirections.

2. Standardsinusea. AADL,ArchitectureAnalysisandDesignLanguage

The “Architecture Analysis and Design Language” (AADL) (Feiler & Gluch, 2012) is both a textual andgraphical languageformodel-basedengineeringofembeddedreal-timesystems.AADLisusedtodesignandanalyzesoftwareandhardwarearchitecturesofembeddedreal-timesystems.

TheAADLpurposeistomodelhardwarecomponents(memory,bus,processor,device,virtualprocessor,virtualbus)andtheirassociatedembeddedsoftware(data,thread,threadgroup,subprogram,process).Itfocusesonthedefinitionofclearblockinterfaces,andseparatestheimplementationsfromtheseinterfaces.Fromtheseparatedescriptionoftheseblocks,onecanbuildanassemblyofblocksthatrepresentthefullsystem. The AADL defines the notion of properties. Theymodel non-functional properties that can beattached to model elements (components, connections, features, instances, etc.). Properties are typedattributesthatspecifyconstraintsorcharacteristicsthatapplytotheelementsofthearchitecturesuchasclock frequencyof a processor, execution timeof a thread, bandwidth of a bus.As defined,AADL is anArchitecture Description Language. Without loss of generality, similar notation such as EAST-ADL orUML/MARTEwouldprovidethesamepowerofexpression.

AADLhasarichecosystemtomodel,analyzeandgeneratecodefrommodels,suchasOcarina(Hugues,Zalila,Pautet,&Kordon,2008).ThelateraspectisinterestingtoeasethetransitionofAADLmodels’tasks,andcommunicationsemanticstoanimplementationontopofaregularReal-TimeOperatingSystems.Wedetailthispartinthenextsection.

Letusnotethatinsuchmodels,thetimeintervalisgivenbytheCPUclockrate(orsimulatedbyascheduler):AADLmodelsarediscretebynatureandfitinthecyberpartofcyber-physicalsystems.

b. FMI,theFunctionalMock-UpInterface

FMI [1], the Functional Mock-Up Interface, is a standard for the simulation of systems, combiningheterogeneousmodels.The initial revisionofFMImostly focusedonmodels relevant formulti-physicalaspectsofautomotivesystems.Sincethen,ithasbeenwidelyadoptedinseveralsettings,especiallyforthemodellingandsimulationofCyber-PhysicalSystems,e.g.aspartofthePtolemyprojectatUCBerkeley[2].FMIisalreadysupportedbyanincreasingnumberoftoolsusedinseveraldomains,e.g.Modelica1tools,Simulink2 or SCADE Suite3. Through this standard, system designers may mix and co-simulateheterogeneousmodelsbuiltbyexpertstobetterunderstandhowasystemmaybeintegrated.

FMI,definesaninterfacetobeimplementedasacomponentcalledFMU(FunctionalMock-upUnit).TheFMIfunctionsareused(called)byasimulationenvironmenttocreateoneormoreinstancesoftheFMUandtosimulatethem,typicallytogetherwithothermodels.AnFMUmayeitherembedsitsownsolver(FMIforCo-Simulation)orrequiresthesimulationenvironmenttoperformnumericalintegration(FMIforModelExchange).Forbothapproaches,eachmodelisexportedinazipfile,calledFMU,whichcontainsabinaryfile of the model and an XML file (namedmodeldescription.xml) which describes the model contents,properties,andinterfaces(itsassociatedmodelvariables).

Inthispaper,weonlyfocusonFMI2.0forCo-Simulation,asweareinterestedincombiningself-containedsimulableblocksandtheirintegrationinasystemlevelsimulation.

c. FMIforCo-Simulation

TheFMIStandardforCo-simulationisintendedtoprovideaninterfacestandardforcouplingtwoormoresimulationtoolsinaco-simulationenvironment.Co-simulationisatechniqueusedforthesimulationofcoupledmodels.

1https://www.modelica.org/[lastvisited30/05/2017]2https://fr.mathworks.com/products/simulink.html[lastvisited31/05/2017]3http://www.esterel-technologies.com/products/scade-suite/[lastvisited31/05/2017]

Acoupledmodel,isamodelthatdescribesasystemasanetworkof(logicallyorphysically)coupled(orconnected)components[5,6].Inthecoupledmodelformalism,theconnectionsbetweensubsystemsarerepresentedwithconnectors,ormathematicalequalities.Formally,acoupledmodelmayberepresentedasagraphstructure.Fornon-causalandcontinuousmodels,thegraphisundirected.Forcausalmodels,thegraph is directed. A coupledmodel is valid if connected ports are compatible regarding their type andcausalities[7].Thedataexchangebetweensubsystemsisdoneatdiscretecommunicationpoints(calledtci).Intheintervalbetweentwocommunicationpoints,thesubsystemsaresolvedindependentlybytheirrespective solvers. Master algorithms control exchanges of data between the subsystems and thesynchronizationbetweenslaves.

TheFigure1depictsanFMUrepresentedbyablock,withinternalstatevariablesx(t),connectedtoothersubsystemsofthecoupledproblembyinputsu(t)andoutputsy(t)[8].

Figure1:DataflowbetweentheenvironmentandanFMUforCS[1]

Therearetwopossibilitiesforprovidingslavesubsystemsforco-simulation:

• subsystemswiththeirspecificsolver,theycanbesimulatedinstand-alonemode(see• •

• Figure2),• subsystemswiththesimulationtoolsinwhichtheyhavebeendeveloped(seeFigure2).

Figure2:FMU(CS)integrationinstand-alone,andwithtoolcoupling[1]

TheFMI2.0specificationdefinesthelifecycle(differentnoticeablestates)ofanFMUasbelow.Amasteralgorithmservesseveralpurposes:toinstantiate,toinitialize,toexecuteandtosynchronizeFMUs[9].AninstantiatedFMUsiscalledaslave.MasteralgorithmssynchronizeFMUsbycontrollingthedatathatareexchanged between FMUs at specific synchronization points called communication steps. Thecommunicationstepsizesaredefinedashci=tci+1–tci,wheretciarecommunicationpoints.

Forco-simulationtwobasicgroupsoffunctionsshouldberealized:

1. functionsforthedataexchangebetweensubsystems,2. functionsforalgorithmicissuestosynchronizethesimulationofallsubsystemsandtoproceedin

communicationstepstci→tci+1frominitialtimetc0=tstarttoendtimetcN=tstop.

Figure3:State-machineofFMICo-Simulation[1]

d. CombiningADLandFMI–benefitsandchallenges

AnADLmodelcapturestheorganizationalstructureofthesystem,alongwithexecutableblocksthatrepresentsitsinnerstructure.Itsisfullyconfiguredsoastofaithfullyrepresentitsbehaviorintermsoftimingandcommunication.Severalstudiesexploredthecapabilitytoperformmodelcheckingoranalysisofsuchmodel.Yet,ausuallimitisthedifficultytocaptureamodeloftheenvironmentthatwouldactasastimulusfortheverificationpart.

FMIhasbeendesigntosupportsystemsimulation.Weclaimitcanalsobeusedalsoforverificationofreal-timeembeddedsystems,bycombiningamockoftheenvironmentasaFMUandthesystemundertest.Inthispaper,weillustrateourapproachtoaddressthispartusingAADL.

CombiningAADLandFMIwouldequipsystemarchitectswithatooltoprepareinadvanceintegrationphasesthroughavirtualtestbench.Indeed,thiswouldmakeeasiertheearlyvalidationofAADLmodels:thestimulusprovidedbyFMUs(thatrepresentthephysicalenvironment)couldbeconsideredastestcasesforAADLmodels.UsingFMUwouldalsogiveaccesstomodelswithhigh-leveloffidelity,withconnectionstootherengineeringmodelsbeyondanaïvemodelofaplant.

However,thiscombinationofdiscrete-timeexecutionsemanticsforthecyberpart(AADL)withsystemsdynamics (FMI,multi-physics simulation) isnot aneasy task. Suchhybridmodels raise issues regarding timemanagement in co-simulation, typical issues concern the time step used to synchronize elements, or

intermediateextrapolationsperformedbyeachmodelwhennoinputsareexchanged.[24]providesathroughreviewofthesetopicsinthegeneralcase.

Inthefollowing,wereviewexistingworkpriortoproposeanintegratedworkflowinsection4.

3. RelatedWork

FMIwasfirstdesignedtoco-simulatephysicalandhybridsystems(continuousanddiscrete)specifiedusingDAEs(DifferentialandAlgebraicEquations)anddiscreteevents.Inthispaper,wefocusontheuseofFMIinthecontextofcriticalembeddedsoftwaredesignwithAADL.WeplanalsoonleveragingexistingcodegenerationfromAADLthattargetsReal-TimeOperatingSystems(RTOS).

In the following, we present related work that a) integrate FMI with modelling language, b) thatcombineFMIwithRTOScode,andc)thatuseFMIforhybridsystemsco-simulation.

a. IntegratingFMIwithhigh-levelmodellinglanguage

TheintegrationofFMIwithmodellinglanguagesuchasUMLorSysMLisanaddressedchallenge.In[10],the authors proposed a co-simulation environment that combines the execution of UMLmodels (withfUML4) andFMIwithin theMokaPapyrusplugin. Thiswork the co-simulationof hybrid systems, e.g. acontrollermodelledasanactivitydiagram(discrete),anditsenvironmentasphysicalandcontinuousFMUs.Feldmanetal.[11]proposedtoexportRhapsodySysMLblocksintoFMUs,withalimitationonflowportsandattributes(thebehaviorofSysMLblock,e.g.state-machinesoractivities,isnotsupportedfornow).

Combining EAST-ADL and FMI has also been investigated during theMAENADproject [12]. Theworkresulted in FMI 1.0 import capability within EAST-ADLmodel usingmodel transformation technology.However,thisworkfocusedonthesemanticmappingbetweenEAST-ADLandFMI,thanonco-simulationissuesandexecution.LetusnotecurrentFMItechnologylacksmeanstobuildsimulationassemblies.ThestandardSystemStructureandParameterization(SSP)[13]willcomplementFMIonthisparticulartopic.

AsourworkconcentratesatalowerlevelofCPSdesign,i.e.embeddedsoftwaremodellingandsimulationusingAADL,weproposetocompletetheserelatedworksatthelowerleft-sideoftheV-cyclewithRTOSvalidationcapabilitiesusingFMI.

b. CombiningFMIwithRTOScode

In[14],theauthorsproposetoadaptembeddedsoftwaretocomplywithFMIforco-simulation.Moreprecisely,theauthorsproposetoadvancetheclockoftheRTOS,byoverwritingtheidlethreadandwaitingfor a signal to start execution. Pohlmann et al. [15], proposed to generate FMUs from UML softwarespecification,wheretheclockisspecifiedinaDSLnamedMechatronicUML.ThisclockisusedtomeasureexecutiontimeandtospecifyReal-Timepropertieswithintimedstate-machines.

Onthecontrary,weaimatvalidatingasystemfromitsADLmodel.Hence,weproposetosimulatethebehavioroftheembeddedprocessor,whichexecutesthetargetcode.Hence,onecanperformco-simulationofCPS,closesttotheactualimplementationwithouttheneedofspecifichardware(betweenSoftware-IntheLoopandHardwareintheLoop),oronthefinaltarget.Thisisleftasalate-bindingdescision.

c. FMIforhybridco-simulation

Co-simulating discrete (software) and continuous models (physical), raises several issues that weencounteredduringourstudyandexperiments.Indeed,mixingcontinuousanddiscretebehaviorinaco-simulationframeworkisnotwellhandledbyFMI.TherepresentationoftimeanditsmanagementarethekeyissuesofFMIbasedco-simulationapproaches.InCremonaetal.[16],theauthorsidentifiedextensions

4http://www.omg.org/spec/FUML/1.2.1/[lastvisited02/06/2017]

toFMIforsupportinghybridco-simulation:useintegertimeinsteadoffloatingpointtimerepresentation,automaticchoiceoftimeresolution,useof“super-dense”time,andtheuseofabsentsignal.Theproposedsolution of [16] satisfies all the requirements for hybrid co-simulation stated in [17]. Unfortunately, itimposesstrongconstraintsontheusability:theseextensionsarenotbackward-compatiblewithexistingFMI2.0FMUs..

Finally,usingthedependencygraphasanassettogetmoreprecisehybridco-simulationresultsisanissueinvestigatedinseveralworks,especiallyin[18],whoseauthorsproposetogeneratemasteralgorithmbasedon thedependencygraph (withandwithout loop)andon thestep-sizeofeachFMU(multi-clockmanagement).Wearealso interested in therecentresultsofDACCOSIM[4],whichproposetogeneratemasteralgorithmsforparallelanddistributedco-simulationusinghierarchicalFMUs.

4. IntegratingFMUsasAADLblocks

InthisSection,wepresenttheintegrationworkflowofFMUcomponentswithinAADLmodels.

We view the integration of FMU as an integration process. Starting from an AADLmodel, one aims atintegratingFMUasanexecutableblock,similartotheinclusionofotherfunctionalmodelsinAADL,suchasC,Ada,Scade,SimulinkthatarealreadysupportedbyourAADLtoolchainOcarina.Eachblockisactuallyintegratedasasubprogramblock,thatistriggeredbyitsenclosingcomponentsuchasathreadoradevice.

Ocarina5[19]isamodelprocessorfortheAADL.ItsupportscodegenerationtargetingawidevarietyofRTOS(RTEMS,RT-POSIX,FreeRTOS,ARINC653).ItmapsAADLconstructsontothePolyORB-HIruntimethatabstractRTOSconstructs.ItpreservestheinitialsemanticsoftheAADLmodel.

a. IntegrationofFMUinAADLworkflow

First,letussaythatonereceivesanFMUthatmodelsandsimulatesthemechanicalpart(physical)ofalargersystem.ThisFMUshouldbeintegratedwithacontroller(cyberpart),designedwithAADL.Thegoalistoverifythatthecontrollerbehavesasexpected.TheintegrationworkflowispresentedFigure45.ThefirststepconsistsinanautomatedtranslationoftheFMUasAADLmodelusinganalgorithm,which1)unzipstheFMUfile,2)parsesthemodeldescription.xmlfiletocreateAADLelementsrespectingthemappingofTable1,and3)createstheFMIwrapperassetofAADLconstructs:subprogramthatcapturetheexecutionentrypoint of the simulator) and and corresponding C implementation, thread and device abstractions.Then,onecouldconnecttheFMUwiththelargerAADLmodeltobuildacoupledmodel.

Figure4:IntegratinganFMUasanAADLcomponent–Workflow

b. IntegrationofFMUexecutionsemantics

5http://openaadl.org

FMU-based simulations relyon the conceptof aMasterAlgorithm thatorchestrates theoverallsimulation at each time step. Then, the FMUs perform a calculation step, and the resulting values arepropagatedtothescheduler,whichlaunchestasksdependingontheoverallsimulationtime.TheMasterAlgorithm can be built based on the dependency graph of the coupledmodel. However, in the case ofalgebraicloopdetection,thecalculationofthedependencygraphisabortedandagenericMasterAlgorithmisprovided.Inparallel,thetargetRTOScodeisgeneratedfromtheAADLmodel,usingOcarina.Finally,thewholecodeiscompiledandlinkedtobeexecuted.

Table1:MappingBetweenFMIandAADL

Concepts FMI AADLComponent FMU Subprogram/DeviceInput/Outputport CausalityIn/Out Inport/OutportDiscreteport/Continuousport VariabilityDiscrete/Continuous Eventport/DataportTypes Real,Integer,Boolean Base_Types::Float,

Base_Types::Integer,Base_Types::Boolean

AsstatedbyTable1,FMUblocksaremappedtoAADLdevice, that isanabstractionofadeviceinteractingwith thephysicalworld capturedby the FMUmodel.Hence, FMU interactions are explicitlydiscretizedbytheactivationofthedevicebyotherpartofthemodel,e.g.readingfromasensorwilltriggerthecorrespondingFMUat thecorrespondingsamplingtime.Hence,onecan integrateeithercontinuoustimeordiscretetimeinthesimulation.

Inourapproach,FMUsareembeddedinsideanAADLmodelthatalreadyhaveanexecutionsemantics,andascheduler.Asaresult,theMasterAlgorithmisimplicitlydefinedbythecombinationoftheschedulingparameters of all blocks: signals are captured in AADL event port communications; data propagationasAADLdataportcommunications;schedulingiscontrolledbytheschedulerofthesystem,e.g.priority-driven scheduler. Thus, the cyber part of the system interacts with the environment through polling(periodicread),interrupts(receptionofeventsfromtheenvironment)oractuation.ThesearecapturedbycorrespondingportdirectionsintheAADLmodel.

As a consequence, the co-simulation time is linked to scheduler time..We used signals to start thescheduleruntil thecommunication timestep isreached.The implementationof themasteralgorithmisautomatically generated using the Ocarina AADL code generator by translating AADL tasks andcommunicationports to the correspondingC artefacts. Thanks to the versatility of the code generationprocess,wecaneitherreallyontrue(wallclock)time,orsimulatedtimeusingasimulatorofaRTOS.Hence,thisapproachallowsseamlessintegrationofFMUasfunctionalmodels.

5. CaseStudyandExperimentResults

Inthissection,welisttwocasestudiesbuiltonthepreviousintegrationworkflow6.

a. Moonlander

AMoonLandermodel[20]wasusedtoinvestigateco-simulation’stimeandscheduler’stimeissues.WebuiltaModelicamodelofthephysicalmodelandexporteditintoanFMU2.0forCo-Simulation.Thecontrollerimplementsabasicstrategytocontrolthedescentofthevehicle,andtriggersthethrusters.AfirstversionhasbeenimplementedinModelicatocheckthecorrectnessofthecontroller.,andsimulatedintheOpenModelicaframework.

Then, theFMUof thephysicalmodelwas importedasanAADLcomponent followingthesemanticsmappingoftheTable1,andconnectedtoareimplementationofthecontrollerinC.Thiscontrollerandthe6Othercasestudiesareavailablethroughhttp://www.openaadl.org

plant,asseenasanAADLdevicethatsamplestheenvironment,havebeenconnectedinanAADLmodel(see Figure 6). This model indicates the data types exchanges and the scheduling parameters of thecontroller. From the system designer perspective, the AADL model captures the configuration of thecontroller,andadevicethatinteractswiththeenvironmentasaregulardevicedriver.Here,FMIplaysitsroleof“mock-up”,insteadofconnectingthismodeltotheimplementationofadriver,weconnectittothemodelthatsimulatedtheenvironmentitinteractswith.

Tosimulatetheoverallsystem,wegeneratedtheCcodeoftheAADLcontrollerwithOcarina,alongwith code archetype for the various tasks and communication channels.We linked it to the FMUas anexternallibrary.WerelyontheFMUSDK2fromModelon(adaptedbyUniversityofCalifornia–Berkeley7)tobuildagenericentrypointtoloadFMUsandtocomputesimulationstepstriggeredbythehostprocess.Forthisexperiment,wereliedontheGNU/LinuxOS,combinedwithRT-POSIXAPIcalltoimplementareal-timebehaviorforthecontroller.

Throughanalysisoftheexecutionlogs,wecouldassessthesimulationhasthesamebehaviorforboththeFMI-coupledmodelandtheModelicamodel.

Figure5AADLmodelofthelunarlander

b. ROSACEcasestudy

TheROSACEcasestudy(Pagetti,Saussié,Gratia,Noulard,&Siron,2014)wasusedtoinvestigateco-simulation graph issues, but also scalability. ROSACE has multiple implementations in C/POSIX,C/ARINC653,SimulinkGiottoorPtolemy.ItisareferencebenchmarkforCPSsimulation.

TheenvironmentofthecontrolleriscomposedofthreeFMUs:anengine,anelevator,andtheaircraftdynamics.TheseFMUsareconnectedtoexchangephysicalquantities,andtothecontrollerthatismodeledin AADL. This controller ismade of 11 periodic tasks interconnected. Thismodel has a higher level ofcomplexitycomparedtotheMoonLandercasestudy,withmoreFMUsandtasks.

TobuildtheseFMUs,wemodelledtheenvironmentusingtheModelicalanguageandwegeneratedtheFMUswithJModelica.ThecontrollerhasbeenimplementedinSimulink,andlatertranslatedinC.Erreur!Nousn’avonspastrouvélasourcedurenvoi.7showstheresultingAADLmodelthatintegratestheFMUswiththeAADLcontroller.Then,basedon(VanAcker,Denil,Vangheluwe,&DeMeulenaere,2015;Galtier,et al., 2017) we have investigated the construction of the overall dependency graph to generateautomatically the Master Algorithm. This algorithm has been translated as a set of AADL schedulingconfigurationparameters.Themodelsaresimpleenoughtobefulldiscretized,thusacausalgraphcanbededucedtocapturethewholesimulationbehavior.

WecouldleveragetheROSACEvalidationscripttoensurethatoursimulationwasalsoconsistentwithothersimulationsdoneeitherinSimulink,Ptolemy/HLAorGiotto.

7https://github.com/cxbrooks/fmusdk2[lastvisited03/06/2017]

c. Lessonslearnt

Throughthesetwocasestudies,wecouldgeneratevirtualintegrationtestbenchforcyberphysicalsystems.Wedemonstratedthecapabilitytoconnectarchitecturaldescriptiontomodelsimulatingtheenvironmentusing the FMI framework. This is a first step towards full generation of simulation environment. ThearchitecturaldescriptionofthesystemhasbeendemonstratedtobeenoughtointeractwiththeFMU-basedenvironmentblocks.Thisisaconsequenceofusingcausalsystems:onecasesimulatetheenvironmentuptotheinstantrequiredbythecyberpart.

6. ConclusionandFurtherWork

Inthispaper,weaddressedtheearlyvalidationofembeddedsystems.Weproposedageneralapproachtobindarchitecturaldescription,amenabletocodegeneration,toFMUblocks.Thisenablestheconstructionofvirtual integrationtestbench.First,wepresentedthevariouselementsofcontextsandrelatedwork.Then,weillustratedhowFMIblockscanbeboundtoAADLmodeslsotoserveasamockoftheenvironmentasseenthroughadevice.Hence,onecantestanAADLmodelconsideringarepresentativemodeloftheenvironment, leading. Leveraging high-fidelity model turned into FMU, one can test more preciseinteractionscenario.Futureworkactivitieswillincreasethenumberofcasestudies,tostresstimelinessissues, e.g. multi-clock scenarios. Another aspect will consider integrating multiple simulators likeInstructionSetSimulators forprecisesimulationofhardwareblocks,and interoperabilitywithdomain-specificsimulatorstosimulatetheoccurrenceoffaultsanddefects.

Bibliography

[1] "MODELISARConsortiumandModelicaAssociationProject"FMI"-FunctionalMock-upInterfaceforModel-ExchangeandCo-Simulation,"2014.

[2] F.Cremona,M.Lohstroh,S.Tripakis,C.BrooksandE.A.Lee,"FIDE:AnFMIIntegratedDevelopmentEnvironment,"inProceedingsofthe31stAnnualACMSymposiumonAppliedComputing(SAC'16),Pisa,Italy,2016.

[3] P. H. Feiler and D. P. Gluch, Model-Based Engineering with AADL: An Introduction to the SAEArchitectureAnalysis&DesignLanguage,Addison-WesleyProfessional,2012.

[4] V.Galtier,M.Ianotto,M.Caujolle,R.Corniglion,J.-P.Tavella,J.E.Gomez,J.J.H.Cabrera,V.ReinboldandE.Kremers,"ExperimentingwithMatryoshkaCo-Simulation:BuildingParallelandHierarchicalFMUs,"inProceedingsofthe12thInternationalModelicaConference,2017.

[5] P.B.Zeigler,TheoryofModellingandSimulation,Malabar,Florida:RobertE.Krieger,1984.

[6] H.Vangheluwe,"Thediscreteeventsystemspecification(DEVS)Formalism.CourseNotes,Course:Modeling and Simulation (COMP522A), McGill University, Montreal Canada.," 2001. [Online].Available:http://www.cs.mcgill.ca/~hv/classes/MS.01.Fall/DEVS.pdf.[Accessed12122016].

[7] H.Vangheluwe, J.DeLaraandP. J.Mosterman,"An introductiontomulti-paradigmmodellingandsimulation," inProceedingsof theArtificial Intelligence, SimulationandPlanning inHighAutonomySystems.(AIS'02),Lisboa,Potugal,2002.

[8] D. Broman, C. Brooks, L. Greenberg, E. A. Lee,M.Masin, S. Tripakis andM.Wetter, "DeterminateCompositionofFMUsforCo-simulation,"inProceedingsofthe11thACMInternationalConferenceonEmbeddedSoftware,Montreal,Quebec,Canada,2013.

[9] J.Bastian,C.Clauß,S.WolfandP.Schneider,"MasterforCo-SimulationUsingFMI,"inProceedingsofthe8thInternationalModelicaConference,Dresden,Germany,2011.

[10]S.Guermazi,S.Dhouib,A.Cuccuru,C.LetavernierandS.Gérard,"IntegrationofUMLModelsinFMI-basedCo-simulation,"inProceedingsoftheSymposiumonTheoryofModeling&Simulation(TMS-DEVS'16),Pasadena,California,2016.

[11]Y.A.Feldman,L.GreenbergandE.Palachi,"SimulatingRhapsodySysMLBlocksinHybridModelswithFMI,"inProceedingsofthe10thInternationalModelicaConference,Lund,Sweden,2014.

[12]S. Cavdar, "Supporting Embedded Systems Development - Tool Support for EAST-ADL import ofModelicaFMU,"Chalmers,Gothenburg,Sweden,2011.

[13]J.Köhler,H.-M.Heinkel,P.Mai,J.Krasser,M.DeppeandM.Nagasawa,"Modelica-Association-Project“SystemStructureandParameterization”--EarlyInsights,"inTheFirstJapaneseModelicaConferences,Tokyo,Japan,2016.

[14]P.Nicolai,B.Tom,M.JanandV.-L.Morten,"FMIforCo-SimulationofEmbeddedControlSoftware,"inTheFirstJapaneseModelicaConferences,Tokyo,Japan,May23-24,2016.

[15]U.Pohlmann,W.Schäfer,H.Reddehase,J.RockemannandR.Wagner,"GeneratingFunctionalMockupUnits fromSoftwareSpecifications," inProceedingsof the9th InternationalMODELICAConference,Munich,Germany,2012.

[16]F.Cremona,M.Lohstroh,D.Broman,S.TripakisandE.A.Lee,"HybridCo-Simulation:It'sAboutTime,"UniversityofCalifornia,Berkeley,2017.

[17]D. a. G. L. Broman, E. A. Lee, M. Masin, S. Tripakis and M. Wetter, "Requirements for HybridCosimulation Standards," in Proceedings of the 18th International Conference on Hybrid Systems:ComputationandControl,Seattle,Washington,2015.

[18]B. VanAcker, J. Denil, H. Vangheluwe andP.DeMeulenaere, "Generation of anOptimisedMasterAlgorithm for FMI Co-simulation," in Proceedings of the Symposium on Theory of Modeling &Simulation:DEVSIntegrativeM&SSymposium(DEVS'15),Alexandria,Virginia,2015.

[19]J.Hugues,B.Zalila,L.PautetandF.Kordon,"FromtheprototypetothefinalembeddedsystemusingtheOcarinaAADLtoolsuite,"ACMTransactionsonEmbeddedComputingSystems(TECS),vol.7,no.4,2008.

[20]P.Fritzson,IntroductiontomodelingandsimulationoftechnicalandphysicalsystemswithModelica,JohnWiley&Sons,2011.

[21]C. Pagetti,D. Saussié,R.Gratia, E.Noulard andP. Siron, "TheROSACECase Study: FromSimulinkSpecificationtoMulti/Many-CoreExecution,"inIEEE19thReal-TimeandEmbeddedTechnologyandApplicationsSymposium(RTAS),Berlin,Germany,2014.

[22]E.Durling,E.PalmkvistandM.Henningsson,"FMIandIPProtectionofModels:ASurveyofUseCasesandSupportintheStandard,"inModelicaconference,Prague,2017.

[23]P.H.Feiler,J.Hansson,D.deNiz,L.Wrage,"SystemArchitectureVirtualIntegration:AnIndustrialCaseStudy"TechnicalReportCMU/SEI-2009-TR-017

[24]M.Hoepfer,"Towardsacomprehensiveframeworkforco-simulationofdynamicmodelswithanemphasisontimestepping",PhDthesis,GeorgiaTech,http://hdl.handle.net/1853/41219