Proceedings of TMCE 2014, May 19-23, 2014, Budapest, Hungary, Edited by I. Horváth, Z. Rusák
Organizing Committee of TMCE 2014, ISBN 978-94-6186-177-1
CONCEPTUAL MODEL BASED APPROACH FOR MULTI-DISCIPLINARY CYBER PHYSICAL SYSTEMS DESIGN AND ENGINEERING
Marco Grimm, Department of Computer Integrated Design, Technische Universität Darmstadt, [email protected]
Reiner Anderl, Department of Computer Integrated Design, Technische Universität Darmstadt, [email protected]
Yan Wang, The George W. Woodruff School of Engineering, Georgia Institute of Technology, [email protected]
ABSTRACT Cyber-physical systems (CPS) are able to provide new and smart services as well as opportunities across existing application boundaries. By connecting the physical world to the cyber world, CPS will have a significant impact on human comfort, safety, health, and productivity. However, along with the new opportunities, CPS bring new challenges in design and engineering. Current product development strategies are design-domain specific and lack the universality that is specifically required in CPS design. In this paper we propose a model-based approach toward the enhancement of development methodologies by layer-based system abstraction and linkage among the technical disciplines. Different structure viewpoints help to design and manage system models in the concept phase of product development. Human factors as well as suitable model description tools and languages are considered as part of the concept.
KEYWORDS Cyber-physical systems, systems engineering, attack vectors, security, design abstraction, modeling tools, Internet of Things
1. INTRODUCTION By merging the real, physical world with the virtual world (Internet alias cyberspace), cyber-physical systems (CPS) are part of the next technical revolution toward a globally networked world. Intelligent products in smart homes, transportation,
health and manufacturing (“Industry 4.0”) scenarios will lead to a massive market dynamization, emerging industries, as well as a vast number of new applications and business models. However, the high complexity of these intelligent products is a challenging issue for CPS design and development. Existing engineering processes and systems are not able to sufficiently capture, represent and manage the complexity and interrelations of CPS. Great obstacles are experienced particularly in the development of smart products, because well-established methods, software tools and systems are focused on the requirements of individual technical disciplines. There is a lack of coordination and synchronization of the disciplines [1]. In addition, the state-of-the-art product data models, which are the basis for the tools, are designed to be engineering-domain specific. The results are monolithic systems and isolated applications. In order to solve the existing challenges, efficient development methods and intelligent tools are required. As the foundation for the industry’s inventiveness, these methods and tools will play a major role in the future. However, new tools for development are not the only necessity. Dynamically networked CPS need constant maintenance, advancements and improvements over their lifetime. To prevent cyber-based criminality and manipulation, security, trust and safety are also critical properties for success. Hence, being able to exactly predict a system’s behavior is essential. This makes virtual system models some of the most important assets for continuously providing
safety, functionality and robustness of the systems over their entire life span. To address the challenges in CPS engineering, this paper presents a conceptual approach toward the enhancement of development tools for multidisciplinary system modeling in the conceptual design phase. Based on abstraction and discipline linkage in different design viewpoints, new development methods that are able to capture the multidisciplinary aspects of the products should arise to allow for discipline-independent functional engineering. Thus innovative, intelligent products of tomorrow can be successfully realized.
2. CHALLENGES IN CYBER-PHYSICAL SYSTEMS ENGINEERING 2.1. Disciplines CPS are systems featuring a combination of physical, electronic and software systems into an entity that is able to connect and communicate with other systems. Extending the capabilities of traditional embedded systems and control systems, CPS form a System of Systems (SoS). In such systems, sensors, actuators, electronics, software as well as information and communication technology (ICT) are tightly linked to each other [2]. Typical CPS development project teams consist of electrical engineers, mechanical engineers, computer scientists, physicists, software engineers, and others. Since all these individual developers have different backgrounds and knowledge, the integration of the distinct disciplines into a unified engineering effort is challenging. Development of innovative and high-performance systems requires good understanding and cooperation beyond discipline gaps in all phases of system design and engineering. Practical experience shows that achieving this is difficult because of two main reasons: First, in complex systems such as CPS, many system properties are linked between disciplines and influence others in a multi-directional way. This leads to a multiplication and distribution of errors, interruptions and incompatibilities across the disciplines. In this case, it is often unclear where the origin of an issue is. This makes solving problems together even harder. Second, there is a lack of clearly specified and documented interactions and interfaces between the various disciplines and involved parties. Implicit knowledge, definitions, protocols and processes are not sufficiently expressed and verbalized in collaborations. Hence mutual understanding in communication is hindered.
Additionally, disciplines differ from each other regarding their specific view, terminology, problem solving and creative techniques, design approaches, theories, way of thinking, etc. [3]. In industrial CPS design projects, fostering cooperation between the involved parties and disciplines is often seen as a management task. Globalized long-term projects with multiple specialists and companies involved lead to strongly heterogeneous development ecosystems. Management cannot solve this aspect alone. Hence, tools and methods are required to overcome discipline gaps and achieve high-quality communication and collaboration between all parties. Recent research has proposed integrating the different engineering disciplines and their respective design domains into a layered model [4, 5]. This model captures and visualizes interdependencies between those design domains in order to support cross-domain collaboration in product development. Together with the systems engineering approach in the development process, collaboration is supported and managed through the product development phases.
2.2. CPS Quality Features The design and realization of CPS is an emerging field in engineering and science. Hence it is important to know and to understand the most important factors and quality-decisive properties to ensure the success of such systems. It is predicted that over the next decades, CPS will become an integrated part of our society. Our society and technical environment will go through a transition to a ubiquitous computing world. Smart cyber-physical systems will create a new form of the Internet, the Internet of Things (IoT). The application fields for future CPS include the smart grid, e-Health scenarios, smart mobility, smart production, and smart homes, just to name a few. The main goals of all CPS applications are to improve quality of life, comfort and safety for humans, as well as to protect the environment and save resources. To achieve these goals, CPS must provide a variety of quality features, including performance, functionality, robustness, scalability, privacy, security, trust and safety (see Figure 1).
Figure 1 Quality features of CPS: functionality, performance, robustness, safety, scalability, privacy, trust and security arranged around the CPS.
These quality features do not only depend on the components of which the CPS is composed, but also on the integration and interconnection between the single elements of the system. Additionally, the interconnection between multiple CPS in a SoS plays a major role. These attributes strongly influence each other. As an example, an insecure communication implementation reduces the trustworthiness of the system and makes the system prone to security attacks. Environmental uncertainties and interferences in wired or wireless connections are critical variables that CPS have to deal with during operation. In real-time CPS applications with safety requirements, their strong influence on performance and functionality is critical. Making systems robust in terms of all these factors basically requires tools and methods that are able to transform those qualities into measurable quantities. Especially uncertainties and security issues are hard to anticipate during development. It is acceptable that products and systems are not perfect and may require bug fixing and patching later. This is why it is common practice to fix issues, exploits and vulnerabilities of traditional systems in later phases of the product life cycle. Issues are often not discovered and identified in product prototyping and testing stages until they have caused damage after delivery and use. Compared to physical defects, some elements such as wireless transmission or magnetic data storage are more fault-tolerant. The physical media are prone to errors in recording information. Hence, error correction techniques in communication protocols, such as forward error correction (FEC), have been developed to overcome inherent unreliability. The foundation of these techniques is transmission overhead and redundancy. However, this might conflict with performance requirements, especially because CPS are real-time systems. Tackling this trade-off between the different quality features by developing and implementing efficient algorithms that work independently of systematic inaccuracies, environmental influences and lifetime errors will be highly relevant in the future [6].
2.3. Attack vectors on CPS
Besides internal weaknesses and errors, highly networked systems are especially exposed to intentional intrusion and manipulation. Recent cyber-attacks, such as the precisely targeted ‘Stuxnet’, ‘Duqu’ or ‘Nitro’ attacks, show the great hazard coming from attackers. Various other attacks and incidents (without involvement of cybercriminals) on a range of industrial control systems over the past years clearly reveal that there is still large room for improvement. Many production systems still lack proper adoption of state-of-the-art network and IT security procedures. Some examples of such security procedures can be found in [7-12]. Another popular type of attack is the Denial of Service (DoS) attack. This attack can also be performed in a distributed manner as a distributed DoS (DDoS) from a large number of hosts connecting to the systems. The attacker utilizes these systems and puts them into a state in which they are not able to provide their intended functions any more. In such conditions, the systems either collapse under the load, or lose control of safe operation. Even if the systems can withstand the attack, effective attacks still lead to a strong reduction of the systems’ performance and functionality. In future CPS, which are highly interconnected and networked, attacks like these would pose an imminent danger to people and the environment, and therefore should be prevented by all means [13]. Beyond-design accidents may not be prevented in all cases; however, it is one of the most important CPS design and engineering challenges to prevent as many dangers and points of attack as possible at the very beginning of system design, i.e. Security and Privacy by Design. To do so, knowing the system structure and deriving possible weak points is essential. A structured, layer-based representation of
the system is the basis for modeling the interactions between the system’s domain-specific elements and components. Hence, this representation supports the identification of attack vectors as a part of the security design. Figure 2 shows an exemplary layer-based structure of a CPS. The CPS system boundary is displayed as a dashed box around the networking, software, electronics and physics elements. Outside of the system are humans and machines that interact with the CPS. A few exemplary critical weak spots for attacks are marked with numbered stars: 1 - knowledge theft, social engineering, phishing; 2 - protocol analysis, DDoS, network intrusion; 3 - man-in-the-middle, recording unencrypted data streams; 4 - side-channel attacks; 5 - tampering with active components; 6 - signal recording with logic analyzers; 7 - disassembling and reverse engineering; 8 - decompiling, memory editing and malcode injection; 9 - malware applications.
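As an added worked example (not code from the paper or its authors), the following Python script turns the layer-based representation of Figure 2 into a small system model from which the numbered weak spots can be derived mechanically: components are tagged with the layer they belong to, interfaces connect them, and each weak-spot category is attached to the layer boundary that the corresponding interface crosses. The assignment of the nine categories to boundaries is this example's reading of the figure, the smart-home sample system is constructed, and the defensive control paired with each category is an assumed example rather than something the paper prescribes.

```python
# Added example: deriving the weak spots of Figure 2 from a layer-based CPS model.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Layers of Figure 2; "human" lies outside the system boundary but interacts with it.
LAYERS = ("human", "networking", "software", "electronics", "physics")

WeakSpot = Tuple[int, str, str]  # (number in Figure 2, threat, assumed defensive control)

# Assumed reading of Figure 2: each numbered star sits on the boundary between two
# layers (a networking link connects two networking nodes). Controls are examples.
WEAK_SPOTS_BY_BOUNDARY: Dict[FrozenSet[str], List[WeakSpot]] = {
    frozenset({"human", "networking"}): [
        (1, "knowledge theft, social engineering, phishing",
         "awareness training, multi-factor authentication, least privilege"),
    ],
    frozenset({"networking"}): [
        (2, "protocol analysis, DDoS, network intrusion",
         "network segmentation, rate limiting, intrusion detection"),
        (3, "man-in-the-middle, recording unencrypted data streams",
         "authenticated encryption on the link"),
    ],
    frozenset({"networking", "software"}): [
        (9, "malware applications",
         "application allow-listing, signed updates, patch management"),
    ],
    frozenset({"software", "electronics"}): [
        (4, "side-channel attacks", "constant-time implementations, shielding"),
        (7, "disassembling and reverse engineering", "secure boot, firmware signing"),
        (8, "decompiling, memory editing and malcode injection",
         "code signing, non-executable data memory, integrity monitoring"),
    ],
    frozenset({"electronics", "physics"}): [  # the real world - signal boundary
        (5, "tampering with active components", "tamper-evident enclosure, attestation"),
        (6, "signal recording with logic analyzers", "disabled debug ports, encrypted bus traffic"),
    ],
}


@dataclass
class Interface:
    a: str
    b: str
    authenticated_encryption: bool = False  # only meaningful for networking links


@dataclass
class CpsModel:
    layer_of: Dict[str, str] = field(default_factory=dict)
    interfaces: List[Interface] = field(default_factory=list)

    def add_component(self, name: str, layer: str) -> None:
        if layer not in LAYERS:
            raise ValueError(f"unknown layer {layer!r}")
        self.layer_of[name] = layer

    def connect(self, a: str, b: str, authenticated_encryption: bool = False) -> None:
        for name in (a, b):
            if name not in self.layer_of:
                raise KeyError(f"unknown component {name!r}")
        self.interfaces.append(Interface(a, b, authenticated_encryption))

    def attack_surface(self) -> List[dict]:
        """One finding per (interface, applicable weak-spot category)."""
        findings = []
        for iface in self.interfaces:
            boundary = frozenset({self.layer_of[iface.a], self.layer_of[iface.b]})
            for number, threat, control in WEAK_SPOTS_BY_BOUNDARY.get(boundary, []):
                # Category 3 concerns unencrypted streams: an authenticated, encrypted
                # link does not expose them, so that finding is dropped for such links.
                if number == 3 and iface.authenticated_encryption:
                    continue
                findings.append({"interface": f"{iface.a} <-> {iface.b}",
                                 "weak_spot": number, "threat": threat, "control": control})
        return findings

    def weak_spot_numbers(self) -> List[int]:
        return sorted({f["weak_spot"] for f in self.attack_surface()})


def build_example_model(encrypted_link: bool) -> CpsModel:
    """Constructed sample: a smart-home temperature sensor node reached via the Internet."""
    m = CpsModel()
    for name, layer in [("resident", "human"), ("home router", "networking"),
                        ("gateway", "networking"), ("control app", "software"),
                        ("microcontroller", "electronics"), ("temperature sensor", "physics")]:
        m.add_component(name, layer)
    m.connect("resident", "home router")
    m.connect("home router", "gateway", authenticated_encryption=encrypted_link)
    m.connect("gateway", "control app")
    m.connect("control app", "microcontroller")
    m.connect("microcontroller", "temperature sensor")
    return m


if __name__ == "__main__":
    for f in build_example_model(encrypted_link=False).attack_surface():
        print(f"[{f['weak_spot']}] {f['interface']}: {f['threat']} -> {f['control']}")
```

With the unencrypted sample link all nine categories of Figure 2 appear in the checklist; switching the router-to-gateway link to authenticated encryption removes category 3 only, which is the kind of design decision the layer-based representation is meant to make visible early.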
Figure 2 Layer-based cyber-physical system representation. Numbered stars represent traditional security weak spots. (Cyber stack: human-to-machine and machine-to-machine interaction, protocols, context; networking: application, presentation, session, transport (TCP, UDP), network, data link, bit transfer (physical layer); software: programs, OS, compiler, assembler, machine code; electronics: processor (silicon), BUS / PTP, ADC, DAC, real world – signal boundary; physical stack: sensor, actuator, physical principles & effects, mechanics, energy and matter; input – process – output.)
This exemplary representation of a generic CPS structure with both a human-machine interface via the Internet and a machine-to-machine (M2M) interface, e.g. TTEthernet or field buses, is simplified. In addition to the structure detail and attack vectors shown in Figure 2, an increased level of detail in the component representation provides additional categories of possible attack vectors and related issues which lead to system instabilities. These categories and corresponding examples are:
Software issues: race conditions, buffer overflows, integer overflows and deadlocks.
Hardware issues: bit flipping, brown-outs, environmentally induced overheating or short circuits.
Network and communication issues: jammed wireless signals or high noise due to environmental disruptions, lost transmission packets [14].
Physical issues: mechanical fatigue, thermo-chemical and tribological fatigue, creep fatigue, corrosion, rupture of functional parts, sensors and actuators.
3. CONCEPTUAL MODEL
Current research and practical experience show that in the early stages of CPS development there is a lack of tools and methodological support to handle the complexity of the CPS design [1]. Our proposed conceptual model for CPS design describes a systematic process that supports the development of complex CPS in the initial conceptual engineering stages. It is an approach that consolidates and integrates multi-domain engineering perspectives by using an abstract layer form. By abstraction of the system, the domain-specific properties and the perception of the distinct disciplines on the system are decoupled. Hence, the difficulty of achieving quality features such as security and privacy by design is alleviated by incorporating them from the very beginning of system development. The proposed conceptual model focuses on the stages of system analysis (requirements and system architecture design) and provides a design abstraction framework that is used as a basis for iterative detail design. First, the critical system components and functions that determine the quality features are carved out with the support of a set of conceptual design questions, which will be discussed in section 3.1. The outcome of this initial knowledge capturing process is an information pool which is then used in the second stage. By considering the information pool
and the given requirements, the system is represented by a layer-based abstract model with multiple viewpoints. The process to a detailed system model with respect to structural dependencies will be discussed in section 3.2.
Figure 3 The conceptual model focuses on the engineering process (process elements: customer requirements, project definition, design requirements analysis and definition, design support questionnaire, system information pool, design abstraction and disciplinary-spanning viewpoints, concept of operations, system architecture design, product operation; requirements, functional, logical, physical, stakeholder and behavior structures; validation; system modeling; integrated system models; domain-specific design; system models).
As shown in Figure 3, the result of the process is an integrated formal model of the CPS, represented by a virtual model. The integrated virtual system model is designed by using a range of modeling languages and tools (see section 3.3). Data management systems are used for a central model representation and management, which is particularly important for cross-enterprise design collaboration. Following the extended systems engineering approach [15], the details of the virtual model for CPS are gradually inserted in the consecutive engineering phases. It is later used as the basis for virtual testing, verification and simulating the system as well as for prototyping and system integration.
3.1. Requirements and system architecture design stages
In order to create a detailed system architecture based on a comprehensive system abstraction, the initial conceptual stages in system development are of significant importance. At this stage, decisions made based on preliminary concepts and designs determine project management and the development process. Bad decisions because of the lack of details and understanding of the complex interrelationships between system components may lead to substantial problems in the development and system integration [2]. Here we list some high-level questions that are used in the conceptual design and requirements definition phases in order to support the initial identification and assessment of components with their specific interrelations in the CPS design. This list of questions is non-exhaustive. The focus of the questions may vary from case to case. However, they are important as the resulting qualitative information provides a basic overview of the system and is required for the consecutive system abstraction explained in the following section. The questions are listed as follows.
1. What will be connected? This covers the aspects of power requirements, functional safety requirements, hazard estimations, wireless, wired, mobile or stationary application types.
2. What information will be transferred? This includes the aspects of scalability, privacy concerns and privacy-related laws, additional functions and services that must run on existing infrastructures, data and know-how protection, cryptographic and time-critical transmission protocols.
3. Who will be connected and involved? This includes the information regarding affected stakeholders, staff, consumers, personal risks, as well as knowledge and qualification of controlling personnel for ease of use and intuitiveness.
4. How will it be connected? The implications of connectivity can be derived from whether the target application is of a local or large-area type (e.g. single devices in a smart home vs. a highly distributed smart grid), and whether it is critical in terms of runtime, responsiveness and lag.
5. What environmental influences have to be covered? This includes the utilization of the system under various environmental conditions such as the use in space, undersea, factory environments; contamination, thermo-chemical parameters and radiation that have to be tolerated by the system.
6. How is the system interacting with its environment? This covers human and social factors (e.g. public acceptance, trustworthy operation), functional safety, influence of other systems; contamination, electromagnetic compatibility (EMC) that has to be avoided (e.g. in medical applications and food production plants).
7. What application constraints exist? The constraints in the application include physical dimensions, weight, shape of the system (interrelation to stationary or mobile application constraints), energy supply, power availability, hours of operation, and occasional, random or permanent operation.
8. What benefits do end-users have by using the CPS? These are the aspects of user acceptance, safety, comfort, privacy concerns, user requirements, human ability to interact and intervene, and usability in the Semantic Web.
3.2. CPS design by abstraction
With the information pool acquired from the previous rough conception phase as a foundation, the systems engineer will need to develop a layered, abstract structure of the CPS. The structure is represented as a meta model with various viewpoints, based on the existing architecture description frameworks described in the standards IEEE 1471-2000 and ISO/IEC/IEEE 42010:2007 [16]. The SPES 2020 method proposes four views (requirements, functional, logical and technical) for the abstraction in embedded system modeling [17]. The concept proposed in this paper extends these views by also considering the human (stakeholder’s) view as well as the physical behavior of the system. These extensions are useful for transferring the functional and technical structure to a real-world CPS behavior model that can be used for simulation. The reason is that functional, logical and component models are non-executable and cannot be simulated as a discrete mathematical representation of the system [18, 19]. Additionally, the influence of human behavior on the CPS is represented in the model, as opposed to modeling with classical Function-Behavior-State (FBS) methodologies.
The concept is also based on an integrated virtual product development environment and process. Engineering tools, which implement integrated product data models, are required to design common system models that merge all involved disciplines [20]. The views in which the CPS is abstracted and modeled into are:
Requirement structure
Functional structure
Logical structure
Technical structure
Stakeholder (human) viewpoint
System behavior
Figure 4 gives an overview of the process of how a system model in its viewpoints is generated by abstraction and synthesis. In the first step, the project inputs, particularly customer requirements, market survey results, project definitions etc., are collected and analyzed. In the sense of computer-supported, integrated product development, these data should be fed into the data management system, where all documents and data remain continuously accessible over all product life cycle phases. The quantitative and non-quantitative customer requirements are analyzed and consecutively detailed into a cross-discipline requirement structure. The requirement structure is particularly important for quality assessment in the various product maturity stages (rough designs, preliminary designs, detailed designs, prototypes and real product testing). Integrated requirements management provides the means for developing, handling and exchanging the requirement structures. Various tools, languages (e.g. Requirements Interchange Format, or ReqIF) and description frameworks (e.g. Requirements Modeling Framework, or RMF) are available [21]. The requirement structure is then used as the base for deriving the function structure. Classical tools like Quality Function Deployment (QFD) can be used. The focus should be on the identification of discipline-spanning functions. This allows for integrated solutions, e.g. a sensor node which combines sensing and power generation functions by the use of a single physical effect or active principle
Figure 4 CPS abstraction in different viewpoints ([17], modified). Viewpoints shown: Requirements, Functional, Logical and Technical (layers of abstraction), Behavior (visual signal, movements translatory/rotatory, approximation, code fragment “if (t > 293) { return 0 }”) and Stakeholder (CPS, immediate, groups, society, environment).
(e.g. thermoelectricity, piezoelectricity, etc.). The possible CPS use cases for such energy harvesting devices are low-power wireless sensor nodes, active dampers, etc. [22]. Process-orientated (cross-discipline input-output structure) as well as hierarchical function decomposition are the two main approaches to generate an integrated function structure. However, it should be kept in mind that the decomposed function structure of the system should be formulated in a disciplinary-neutral manner, in order not to unnecessarily predetermine technical solutions and components. Likewise, the logical design is developed. The system is represented in a logical solution and concretized by subdividing the overall coarse logic design into logic entities that represent subsystems. These logic subsystems, which fulfill actions and processes, are visualized with their respective correlations and dependencies between one another. It is important in this view that the logic design is platform-independent. Interfaces between mechanics, electronics, software and networking entities as well as functional integration or modularization are carved out. Flowchart diagrams, structograms and class diagrams, which are established tools in software engineering, can be applied to all design domains in order to visualize the properties and the logic behavior of the system. Similar to the SPES 2020 approach [17], the logic design model is mapped onto a technical structure. The
top-down concretization starts from a black-box model in the most abstract layer. The next step is from a network of grey-box components to a detailed part structure, which represents the relations and interconnections between the domain-specific parts. This device-specific structure captures three categories of components, which are connected by logic interfaces (see 3rd row of technical view in Figure 4):
Physical components (mechanical, electronic and computing components)
Networking components (communication)
Software (user-interface, operating system and controller backbone etc.)
The logic interfaces are modeled based on their types. Physical signaling interfaces are represented by topology models (e.g. ring, star, hierarchy/tree, line, point-to-point, etc.). Sensors, actuators as well as power and material flows are covered by information-energy-material models based on the principles and effects of actuation and sensing. Networking interfaces and corresponding cross-device data flows are modeled with Internet information abstraction models, e.g. the ISO/IEC 7498-1 Open Systems Interconnection Model (OSI Model), which provides seven logical layers [23]. Software is modeled with software engineering techniques, as provided by the Software Engineering Body of Knowledge (SWEBOK) [24], and IEEE
1074-2006 [25]. However, software has an exceptional position in the component model. Software can be considered as a system component. But it also depends on the platforms on which it is to be executed. For instance, the boundary between software and hardware is different on microprocessors, microcontrollers, and Field Programmable Gate Arrays (FPGAs). Hence, the multi-disciplinary integration of software, computing hardware and the other physical components as described above requires a shared component view. Lee et al. [26] have provided an interesting platform-based model representation for actor-oriented systems, as shown in Figure 5. With this representation, software and hardware models are integrated with their respective platform (bottom: silicon chips as central computing hardware; top: communication with application models for actuator control systems and communication). A detailed overview of their actor-based design approach and of
supportive software tools is given in [26, 27]. With the methodologies of systems engineering, virtual models can be derived from the described viewpoint models for simulation and prototyping. However, the following two considerations, which play a major role for CPS, are particularly important:
Figure 5 Platform-based interrelations between sets of design models [27]
1. The human factor that affects the system
Humans as stakeholders may have different roles: as a user who consumes output of the CPS, a controller who produces input for the CPS, or a disturbance value (wrong use, mistakes, security attacks etc.). Hence, instead of excluding the human from the system (outside the system boundary), human modeling needs to be integrated and considered as an additional discipline in CPS design and engineering.
2. Interface and component design are non-atomic
System components are designed to communicate and act via predefined interfaces and protocols. Components in modular systems usually see each other as black boxes; object-oriented hardware and software designs imply private, non-disclosed operations, variables and functions. In reality, components are designed non-atomically and their intrinsic properties are not transparent to the observer. This also applies to layer-based protocols and physical implementations of computational functions in hardware such as cryptosystems, encoders and decoders. The weaknesses in these parts of the design may not be revealed in design and prototyping and may not affect the system’s overall performance when the system is in a regular state. However, underlying issues can be exploited later on by attackers, as described in section 2.3. It is obvious that a more exact and atomic system model provides for higher security and robustness against breaches. In practice, building highly exact and atomic models is not realistic, because assumptions and simplifications are necessary to handle the already high complexity of the system models. A good practice in the conflict between cost- and time-effective development and high quality is that critical functions and components should be modeled and tested with the highest possible level of detail. Additionally, techniques such as obfuscation, which makes reverse engineering and tampering harder, should be used in hardware design.
In our conceptual model, the human factor will be considered from the stakeholder view. At the most abstract level, the immediate user (or consumer, respectively) is considered. This includes both ergonomic (physical) and comprehension (semantic and knowledge) aspects of human-machine interfacing (HMI). Digital human modeling provides methods for modeling and representing human capabilities in order to simulate direct interactions with CPS. Today, technologies such as wireless Internet connection, Web 2.0 and social networks
allow providers to offer a wide range of services. Modeling groups with their dynamics is necessary for developing and evaluating personalized services as well as services that are based on social affiliations. Personal services provided on the basis of the Internet of Things will play a major role in the future. Social, demographic and economic aspects of society need to be thoroughly considered to fully use the potential of the future distributed and ubiquitous computing environment.

The behavior view is targeted at the mathematical representation of the technical structures together with the stakeholders. The goal is to create mathematically solvable models, i.e. executable models for simulation and prototyping purposes, with which the real behavior of the system is predicted. In classical engineering methodologies, behavior models are preferably designed and simulated with discipline-specific tools; for complex CPS, integrated design tools should be chosen. Fortunately, modeling tools and solutions have evolved over the past years, and a unified description of system behavior models is increasingly possible. As opposed to the functional and technical models, the behavior view captures the real behavior of the system components, not only the designed and expected behaviors. This includes disturbances that are not part of the design, as well as uncertainties associated with components and humans across all domains. The initial step is to design a rough model that only represents the basic, qualitative behavior (e.g. signals, movements and information flow). In the next step, assumptions and simplifications are made, and critical disturbances are carved out. Numerical approximations are the basis for exact mathematical definitions of the system's behavior. In order to obtain the most realistic behavior from the model, analytical correlations are implemented in domain-independent code.
If the physical behavior is implemented in a discrete program, simulation should evaluate whether it models the real behavior precisely enough that minor uncertainties can be neglected.
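As an added worked example of this last step (not code from the paper), the Python program below takes a constructed first-order plant, tau * dx/dt = u(t) - x(t), whose closed-form response serves as the reference behavior, and checks whether a discrete forward-Euler implementation with step dt reproduces it within a tolerance chosen as the uncertainty one is willing to neglect. The designed input is a set-point of 1.0; a short operator mis-command to 3.0 is a constructed disturbance that is not part of the design, in the sense of the paragraph above. The plant, its parameters, the tolerance and all function names are assumptions made for this example.

```python
"""Added example (not from the paper): is a discrete program precise enough to
stand in for the continuous behaviour of a component?

Constructed plant: first-order element  tau * dx/dt = u(t) - x(t)
(e.g. a heated room or an RC filter).  With u(t) held constant over one step h,
the exact update is  x(t+h) = u + (x(t) - u) * exp(-h / tau),  which serves as
the reference behaviour.  The discrete program under evaluation is a forward
Euler implementation using the same step.  All values and names are
assumptions made for this illustration.
"""
import math
from typing import Callable, List, Optional

Input = Callable[[float], float]


def reference_response(tau: float, x0: float, u_of_t: Input,
                       t_end: float, dt: float) -> List[float]:
    """Exact response sampled every dt (u is taken piecewise constant on the dt grid)."""
    decay = math.exp(-dt / tau)
    x, out = x0, [x0]
    for k in range(int(round(t_end / dt))):
        u = u_of_t(k * dt)
        x = u + (x - u) * decay
        out.append(x)
    return out


def euler_response(tau: float, x0: float, u_of_t: Input,
                   t_end: float, dt: float) -> List[float]:
    """Discrete program: x[k+1] = x[k] + (dt / tau) * (u[k] - x[k])."""
    x, out = x0, [x0]
    for k in range(int(round(t_end / dt))):
        x = x + (dt / tau) * (u_of_t(k * dt) - x)
        out.append(x)
    return out


def max_deviation(tau: float, x0: float, u_of_t: Input,
                  t_end: float, dt: float) -> float:
    """Largest absolute difference between the discrete program and the reference."""
    ref = reference_response(tau, x0, u_of_t, t_end, dt)
    sim = euler_response(tau, x0, u_of_t, t_end, dt)
    return max(abs(r - s) for r, s in zip(ref, sim))


def step_with_disturbance(t: float) -> float:
    """Designed input: set-point 1.0.  Constructed disturbance that is not part
    of the design: an operator commands 3.0 between t = 2.0 and t = 2.5."""
    return 3.0 if 2.0 <= t < 2.5 else 1.0


def precise_enough(tau: float, dt: float, tolerance: float,
                   x0: float = 0.0, t_end: float = 6.0) -> bool:
    """True if the discrete program stays within `tolerance` of the reference,
    i.e. its discretisation error is smaller than the uncertainty we neglect."""
    return max_deviation(tau, x0, step_with_disturbance, t_end, dt) <= tolerance


def choose_step(tau: float, candidates: List[float], tolerance: float) -> Optional[float]:
    """Largest candidate step (cheapest simulation) that is still precise enough,
    or None if no candidate qualifies."""
    for dt in sorted(candidates, reverse=True):
        if precise_enough(tau, dt, tolerance):
            return dt
    return None


if __name__ == "__main__":
    # Tolerance 0.05: e.g. the resolution of the sensor that observes x.
    for dt in (0.5, 0.1, 0.05):
        dev = max_deviation(1.0, 0.0, step_with_disturbance, 6.0, dt)
        print(f"dt={dt}: max deviation {dev:.4f}, precise enough: {precise_enough(1.0, dt, 0.05)}")
    print("chosen step:", choose_step(1.0, [0.5, 0.1, 0.05], 0.05))
```

With tau = 1.0 the coarse step dt = 0.5 deviates by more than 0.1 from the reference already during the initial rise, while dt = 0.05 stays within a few hundredths even through the injected disturbance, so the program is acceptable at that step under a 0.05 tolerance. The same comparison can be repeated with the component's real disturbance profile once it is known.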
3.3. Modeling languages and tools
Modeling of complex system behavior with the involvement of interdisciplinary engineering groups is not only a challenging process, but also a data management problem. Models that aim to be as comprehensive and precise as possible contain large amounts of information and data. In order to manage the information and allow cost- and time-effective system design and development, capable software tools and languages are necessary. Around 10 years ago, science and industry started to recognize these needs, and since then we have seen rapid development and evolution of new advanced tools and languages. Some of the currently available, discipline-neutral languages and tools that can be used as a tool base for our approach are listed below. For practical examples and more detailed information, refer to the literature.
UML (Unified Modeling Language), a graphical modeling language for the specification and design of software and systems [28].
SysML (Systems Modeling Language), an extended dialect based on UML for the modeling of complex systems [29].
SystemC, an open source C++ based class library supporting unified modeling of hardware and software components in complex systems. Many implementations are available. SystemC is standardized in IEEE 1666-2011 [30].
Modelica, a discipline-independent physical system modeling language for simulation. Modelica uses translators to transform physical models into mathematical models that simulation solvers can process [31].
MDA (Model Driven Architecture), a modeling approach based on UML from the Object Management Group (OMG). It is focused on the design and application of software systems and is useful for modeling the service aspects of cyber-physical systems (Service-Oriented Architectures, SOA).
ESMoL (Embedded Systems Modeling Language), recently developed at Vanderbilt's Institute for Software Integrated Systems, is another approach and framework for multidisciplinary model design, simulation and target code generation [32].
EAST-ADL (Electronics Architecture and Software Technology Architecture Description Language), a system modeling language focused on automotive design. It is based on UML and was developed in several European research projects [33].
FMI (Functional Mock-up Interface), an XML/C based open standard for the cross-domain description of simulation models for model exchange and co-simulation.

A wide range of modeling and simulation tools is available that provides support for these languages in systems engineering. These include:
MathWorks MATLAB/Simulink, popular commercial software for simulation, physical modeling via Simscape, control design, verification and hardware/software design. Designed models can be exported to various programming languages, e.g. C, and to VHDL for FPGAs.
Dassault Dymola, commercial software that supports multidisciplinary engineering across various design domains. It implements the Modelica language and provides support for FMI. Many free and commercial libraries for various simulation domains are available.
ITI SimulationX, which allows modeling and simulation of complex systems with interfaces to various CAx and numerical simulation tools. Models based on the Modelica language and FMI are supported.
4. CONCLUSION
This paper presents a conceptual approach toward an integrated model-driven development of complex cyber-physical systems. The approach is meant to be integrated in the early phases of concept generation and system analysis. As discussed, domain-specific views and the development of distinct subsystems as part of traditional design methodologies hinder the successful development of smart systems, in which components do not only play predefined roles and communicate via standardized protocols and interfaces. Current methodologies and tools lack the functionality required to cover all views, abstractions and the human factor in the system model. Therefore, the high-level approach is proposed as a basic step toward new modeling and design strategies that are suitable to capture, abstract and simulate the strong interplay between highly versatile and smart system components that fulfill multiple functions beyond the spectrum of current applications (e.g. in autonomous energy-harvesting sensor networks).

5. OUTLOOK
In order to create the smart products of the future, equally smart development tools and processes are needed. While industry and science have advanced discipline-specific tools, the multidisciplinary development of complex systems is still a major challenge due to a lack of well-adapted tools and methods. Therefore, for future applied and fundamental research, we see great potential in the field of tools and methodologies for:
System thinking and abstraction techniques
Tools and systems for integrated development, multidisciplinary design collaboration and data exchange
System modeling languages
The migration of existing tools and knowledge into new systems

ACKNOWLEDGMENTS
We thank our colleagues from the Georgia Institute of Technology CAD and Design group and the TU Darmstadt Department of Computer Integrated Design for their feedback. This project was supported by CASED - Center for Advanced Security Research Darmstadt (www.cased.de), which is funded through the LOEWE program by the Federal State of Hessen, Germany.

REFERENCES
[1] R. Anderl, M. Eigner, U. Sendler, and R. Stark, acatech DISKUSSION: Smart Engineering. Berlin, Munich: Springer, 2012.
[2] acatech - National Academy of Science and Engineering, Cyber-Physical Systems: Driving force for innovation in mobility, health, energy and production, 2011.
[3] P. Derler, E. A. Lee, S. Tripakis, and M. Törngren, "Cyber-physical system design contracts," in Proceedings of the ACM/IEEE 4th International Conference on Cyber-Physical Systems, Philadelphia, Pennsylvania, 2013, pp. 109-118.
[4] J. Sztipanovits, X. Koutsoukos, G. Karsai, N. Kottenstette, P. Antsaklis, V. Gupta, B. Goodwine, J. Baras, and S. Wang, "Toward a Science of Cyber-Physical System Integration," Proceedings of the IEEE, vol. 100, pp. 29-44, 2011.
[5] Z. Zhang, J. Porter, E. Eyisi, G. Karsai, X. Koutsoukos, and J. Sztipanovits, "Co-simulation framework for design of time-triggered cyber physical systems," in Proceedings of the ACM/IEEE 4th International Conference on Cyber-Physical Systems, Philadelphia, Pennsylvania, 2013, pp. 119-128.
[6] S. Lui, S. Gopalakrishnan, L. Xue, and W. Qixin, "Cyber-Physical Systems: A New Frontier," presented at the IEEE International Conference on Sensor Networks, Ubiquitous and Trustworthy Computing (SUTC '08), 2008.
[7] J. Slay and M. Miller, "Lessons learned from the Maroochy water breach," Critical Infrastructure Protection, vol. 2007, pp. 73-82, 2007.
[8] E. Byres and J. Lowe, "The myths and facts behind cyber security risks for industrial control systems," in Proceedings of the VDE Congress, 2004.
[9] U.S. Government Accountability Office, "Critical infrastructure protection. Multiple efforts to secure control systems are under way, but challenges remain," Technical Report GAO-07-1036, 2007.
[10] R. J. Turk, "Cyber incidents involving control systems," Technical Report INL/EXT-0500671, Idaho National Laboratory, 2005.
[11] Laboratory of Cryptography and System Security (CrySyS Lab), sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks, 2012.
[12] Z. Zhang, M. Trinkle, H. Li, and A. D. Dimitrovski, "Combating time synchronization attack: a cross layer defense mechanism," in Proceedings of the ACM/IEEE 4th International Conference on Cyber-Physical Systems, Philadelphia, Pennsylvania, 2013, pp. 141-149.
[13] A. A. Cárdenas, S. Amin, B. Sinopoli, A. Giani, A. Perrig, and S. Sastry, "Challenges for Securing Cyber Physical Systems," Workshop on Future Directions in Cyber-physical Systems Security, 2009.
[14] K. Han, S. D. Potluri, and K. G. Shin, "On authentication in a connected vehicle: secure integration of mobile devices with vehicular networks," in Proceedings of the ACM/IEEE 4th International Conference on Cyber-Physical Systems, Philadelphia, Pennsylvania, 2013, pp. 160-169.
[15] R. Nattermann and R. Anderl, "Approach for a Data Management System and a Proceeding Model for the Development of Adaptronic Systems," in Proceedings of the ASME International Mechanical Engineering Congress and Exposition - IMECE 2010, Vancouver, BC, Canada, 2010.
[16] ISO/IEC/IEEE 42010: Systems and software engineering - Architecture description. Available: http://www.iso-architecture.org/42010/
[17] K. Pohl, H. Hönninger, R. Achatz, and M. Broy, Model-based engineering of embedded systems: the SPES 2020 methodology. Berlin: Springer, 2012.
[18] A. A. Alvarez Cabrera, M. S. Erden, and T. Tomiyama, "On the Potential of Function-Behavior-State (FBS) Methodology for the Integration of Modeling Tools," in Proceedings of the 19th CIRP Design Conference - Competitive Design, Cranfield University, 2009, p. 412.
[19] A. Canedo, E. Schwarzenbach, and M. A. A. Faruque, "Context-sensitive synthesis of executable functional models of cyber-physical systems," in Proceedings of the ACM/IEEE 4th International Conference on Cyber-Physical Systems, Philadelphia, Pennsylvania, 2013, pp. 99-108.
[20] W. Eversheim, Innovation Management for Technical Products: Systematic and integrated product development and production planning. Berlin: Springer, 2009.
[21] International Council on Systems Engineering (INCOSE), INCOSE Requirements Management Tools Survey, 2010. Available: http://www.incose.org/ProductsPubs/products/rmsurvey.aspx
[22] S. Priya and D. J. Inman, Energy Harvesting Technologies. Boston, MA: Springer US, 2009.
[23] ISO/IEC 7498-1:1994, Information Technology - Open Systems Interconnection - Basic Reference Model: The Basic Model. Available: http://standards.iso.org/ittf/PubliclyAvailableStandards/s020269_ISO_IEC_7498-1_1994(E).zip
[24] IEEE Computer Society, SWEBOK - Software Engineering Body of Knowledge, 2013. Available: http://www.computer.org/portal/web/swebok/home
[25] IEEE Computer Society, IEEE 1074-2006: IEEE Standard for Developing a Software Project Life Cycle Process, 2006.
[26] E. A. Lee, S. Neuendorffer, and M. J. Wirthlin, "Actor-Oriented Design of Embedded Hardware and Software Systems," Journal of Circuits, Systems, and Computers, vol. 12, pp. 231-260, 2003.
[27] E. A. Lee, "Model-Driven Development From Object-Oriented Design to Actor-Oriented Design," presented at the Workshop on Software Engineering for Embedded Systems: From Requirements to Implementation, Chicago, 2003.
[28] A. Dennis, B. H. Wixom, and D. Tegarden, Systems Analysis and Design with UML, 4th ed., 2012.
[29] J. Holt and S. Perry, SysML for Systems Engineering. Institution of Engineering and Technology, 2008.
[30] IEEE Computer Society, IEEE 1666-2011: IEEE Standard for Standard SystemC Language Reference Manual, 2012.
[31] Modelica Association, Modelica - A Unified Object-Oriented Language for Systems Modeling, 2012.
[32] E. Eyisi, Z. Zhang, X. Koutsoukos, J. Porter, G. Karsai, and J. Sztipanovits, "Model-Based Control Design and Integration of Cyber-Physical Systems: An Adaptive Cruise Control Case Study," Journal of Control Science and Engineering, 2013.
[33] EAST-ADL Association, EAST-ADL Domain Model Specification Version V2.1.11, 2013.