
CyPhERS

Cyber-Physical European Roadmap & Strategy

www.cyphers.eu

DELIVERABLE D5.1

CPS: State of the Art

Document Version: 1.0
Document Status: Final
Date: March 28, 2014
Dissemination: Public

Project co-funded by the European Union’s Seventh Framework Programme (FP/2007-2013)
Coordination and Support Action
Contract number 611430
Project Start Date: 01 July 2013, Project Duration: 18 months


Project Consortium Information

Participants and contacts

fortiss GmbH (Coordinator)
Guerickestraße 25, 80805 München, Germany
Contact: María Victoria Cengarle
Phone: +49 89 3603522 29
Email: [email protected]

Kungliga Tekniska högskolan (KTH)
Brinellvagen 8, 10044 Stockholm, Sweden
Contact: Martin Törngren
Phone: +46 8 7906307
Email: [email protected]

Université Joseph Fourier Grenoble 1 (UJF)
621, Avenue Centrale, Domaine Universitaire, 380410 Grenoble, France
Contact: Saddek Bensalem
Phone: +33 0456520371
Email: [email protected]

Università degli Studi di Trento
Via Belenzani 12, 38122 Trento, Italy
Contact: Roberto Passerone
Phone: +39 0461283971
Email: [email protected]

The University of York
Heslington Hall, York YO10 5DD, UK
Contact: John McDermid
Phone: +44 1904 325419
Email: [email protected]

Siemens AG (affiliate partner)
Otto-Hahn-Ring 6, 81739 München, Germany
Contact: Thomas Runkler
Phone: +49 89 636 40010
Email: [email protected]

Authors

Name | Partner | Contact

Responsible Author

Martin Törngren | Kungliga Tekniska högskolan | +46 8 7906307, [email protected]

Contributing Authors

Saddek Bensalem | Université Joseph Fourier Grenoble 1 | +33 0456520371, saddek.bensalem@imag.fr

María Victoria Cengarle | fortiss GmbH | +49 89 3603522-29, cengarle@fortiss.org

De-Jiu Chen | De-Jiu Chen | +46 8 7906428, [email protected]

John McDermid | The University of York | +44 1904 325419, john.mcdermid@york.ac.uk

Roberto Passerone | Università degli Studi di Trento | +39 0461283971, roberto.passerone@unitn.it

Alberto Sangiovanni-Vincentelli | Università degli Studi di Trento | +39 335218403, alberto@berkeley.edu

Thomas Runkler | Siemens AG | +49 89 636 40010, thomas.runkler@siemens.com


Contents

Executive Summary

1 Introduction

2 Area structuring
2.1 Existing structuring and classification approaches of relevance for CPS
2.2 Proposed CPS structuring
2.3 Positioning analysis: aspects for consideration

3 State of the art in engineering
3.1 Basic properties required for CPS
3.1.1 Context awareness
3.1.2 Cognitive computation
3.1.3 Autonomy
3.2 Technologies for CPS
3.2.1 Different technologies needed for CPS
3.2.2 Smart system technologies
3.3 Engineering processes for CPS
3.3.1 The V-model of the design process
3.3.2 Requirements engineering
3.3.3 System-wide and multi-layer design optimization
3.3.4 Managing risk across the development process
3.3.5 Complexity of the supply chain
3.4 Scientific foundations for CPS
3.4.1 System level design methods
3.4.2 Model-based design
3.4.3 Heterogeneous systems
3.4.4 Contract-based design

4 Current societal context
4.1 Market aspects
4.2 Political and legislative aspects
4.3 Public perception and adoption
4.4 Education

5 International outlook
5.1 Europe
5.2 USA
5.3 Brazil
5.4 India
5.5 China
5.6 Korea
5.7 Japan

6 Europe’s position
6.1 European surveys and roadmaps
6.1.1 Vision
6.1.2 Issues
6.1.3 Strategies
6.2 Simple SWOT analysis
6.2.1 Strengths
6.2.2 Weaknesses
6.2.3 Opportunities
6.2.4 Threats
6.3 Full SWOT analysis

7 Discussion
7.1 About the state of the art in engineering
7.2 About the societal context

8 Conclusions


Executive Summary

The purpose of this “state of the art” deliverable is twofold:

• to develop a systematic analysis of the current state of the art in science and technology, in Europe and beyond, encompassing best industrial practices as well as research findings; and

• to perform an initial assessment of Europe’s positioning in an international comparison, with respect to market, technology and research.

In the context of the CyPhERS project, this deliverable provides a baseline for the forthcoming comprehensive gap analysis to be performed between the vision of a “possible future” and the current state in science and technology. This deliverable therefore (1) develops an initial structuring of the area as a basis for the analysis, (2) compiles and structures existing surveys of the current state of the art, (3) performs an initial assessment of the state of the art in Europe vs. other relevant countries and regions, and (4) provides a discussion on how the gap analysis is to be performed. The final component for the gap analysis (in D5.2) will be provided by visions (future scenarios) provided in deliverable D2.2 in the continuation of the CyPhERS project.

As a “state of the art” survey we have chosen to go beyond a traditional technical assessment, since the transformative nature of CPS makes it necessary to study a wider social context; CPS are co-evolving with socio-technical systems. For the technological aspects we note that key concerns for the current state of the art relate both to fundamental scientific issues regarding the integration of cyber with physical parts and to complexity management techniques to deal with the increasing scale of cyber-physical systems. For the business and societal perspective, we consider for instance openness and the dichotomy competition/collaboration, on the one hand, and perception, acceptance and adoption facets, on the other. The proposed structuring for the state of the art thus encompasses Engineering as well as Societal perspectives, with the latter encompassing market, legislation/standardization, public perception and education.

As part of the international outlook we have gathered information about developments and the state of the art from several countries in the world. This has been a challenging endeavour for several reasons. First, since CPS is still a rather new term, there are several interpretations and related fields (such as the internet of things and networked embedded systems, or covered in the context of various application domains such as smart cities). Secondly, while a lot of information on projects and efforts can be found, we have not been able to find many overview surveys; there is thus room for more work here. An exception in this regard is the recent survey performed by ARTEMIS and ITEA on the state in Information and Communication Technologies, including the economic dimension (e.g., market sizes) for digital technology; see [IA13a, IA13b].


1 Introduction

The Description of Work (DoW) describes Deliverable D5.1 as follows: “D5.1) State of the Art: The document will report on the results of the first phase, the current state of the art in science and technology and an assessment of Europe’s positioning.”

The purpose of this “state of the art” deliverable is therefore twofold:

• to develop a systematic analysis of the current state of the art in science and technology, in Europe and beyond, encompassing best industrial practices as well as research findings.

• to perform an initial assessment of Europe’s positioning in an international comparison, with respect to market, technology and research.

In the context of WP5, the goal of this deliverable is to provide a baseline for Deliverable D5.2, described as follows in the DoW: “D5.2) CPS: Significance, Challenges and Opportunities: The document will present the results of the work package, a comprehensive gap analysis together with an assessment of economic significance of CPS for Europe.”

The concept of gap analysis is further clarified as part of the overall goal for WP5, as a “gap analysis between the vision of a ‘possible future’ and the current state in science and technology”. The expected results of Deliverable D5.2 include an assessment of the potential of CPS, its economic significance for Europe and the necessary efforts in science, technology, legislation, and with respect to social challenges. D5.2 in turn provides the basis for the final deliverables of the project, the Integrated CPS Research Agenda.

Given this context, D5.1 has to provide a suitable baseline for the subsequent gap analysis. D5.1 therefore needs to (1) develop a suitable structuring of the area as a basis for the systematic analysis, (2) compile and structure existing surveys of the current state of the art, (3) assess the state of the art in Europe and other relevant countries and regions, and (4) provide an (initial) discussion on how the gap analysis is to be performed. The final component for the gap analysis (in D5.2) will be provided by visions (future scenarios) provided in deliverable D2.2.

D5.1 draws on results from work packages WP2, WP3, and WP4 (in particular the corresponding deliverables D2.1, D3.1 and D4.1; see [CyP13, CyP14b, CyP14a]) and on complementary information sources where relevant, such as the German agendaCPS (see [GBC+12]) and the ARTEMIS SRA (www.artemis-ia.eu).


Deliverables D2.1, D3.1 and D4.1 provided several perspectives and an initial characterization of the CPS domain. We build upon these results and elaborate an overall structuring of the area; developing such a structure is the purpose of Section 2. Using this structuring, the state of the art perspectives provided by previous deliverables and other sources are then summarized and analyzed, divided into engineering perspectives (technology and methodology) in Section 3 and societal perspectives (such as legislation, user adoption and education) in Section 4. To provide a baseline for the gap analysis, an initial survey of efforts and state of the art in Europe, the US, Korea, Japan, China, India and Brazil is provided in Section 5, which also discusses the ambition and challenges in collecting information from other countries. As a further preparation for the gap analysis, we discuss ways of performing the gap analysis and the challenges in performing such an analysis in Section 7. Also in Section 7 we discuss further work required for the 2nd iteration of this deliverable (D5.2). Finally, the deliverable wraps up by providing conclusions in Section 8.


2 Area structuring

One purpose of this document D5.1 is to provide a systematic analysis of the current state of the art in science and technology, encompassing best industrial practices as well as research findings.

This chapter sets out to define a suitable structure of the CPS area as a basis for such a systematic analysis. The corresponding structure is then utilized by subsequent chapters when compiling and analyzing existing surveys of the state of the art. We note that this structure is “work in progress” and that refinements are likely to take place through continued work on deliverables such as D2.2 and D5.2.

In the following we first provide an overview of other relevant structuring and classification approaches of CPS, and then elaborate a structuring suitable for the purposes of D5.1.

2.1 Existing structuring and classification approaches of relevance for CPS

CPSs are clearly multidimensional, especially considering their extended capabilities, potential large scale and societal implications. The following are some existing proposals for structuring and characterizing Cyber-Physical Systems:

• Initial CPS structuring by [CyP13] providing the following perspectives:

– Vision, opportunities and challenges

– Engineering challenges, divided into System engineering, HW/SW evolution and HMI/shared control

– Acceptance, economic ecosystems and regulations

• Various market perspectives in relation to CPS, as elaborated in [CyP14b]

• Technology, property and methodology perspectives, by [CyP14a], encompassing the following perspectives:

– scientific focus, limitations and fragmentation


– product properties such as safety and security

– specific system characteristics or aspects such as networking and human-interaction

– architectures, platforms, standards and methodologies for developing CPS

• The German agendaCPS (see [GBC+12]) provided several perspectives including the following:

– System parts including human factors,

– Physicality – real world awareness, and

– Connectivity – cyber space

• In the field of systems engineering there are several existing characterizations and models including the following:

– the SPIT enterprise layered systems model (Social, Process, Information, Technical), adopted by [CyP14b],

– dividing processes into Systems engineering management processes, Systems engineering technical processes, and disciplinary processes (see, e.g., [OKKJ96]), and considering the complete product life cycle, from inception to retirement,

– processes vs. organizations vs. technology (products, development/manufacturing related), each with their specific architecture (see, e.g., [ES01]).

• Innovation strategy and research agenda as elaborated by the ARTEMIS SRA (see [IA13a]), incorporating

– application domain perspectives and contexts such as mobility and health,

– technological challenges and opportunities such as multicore platforms and autonomous systems,

– research domains including reference designs and architectures, seamless connectivity and interoperability, and system design methods and tools,

– a clustering into the following four major research directions:

∗ Architecture principles and models for autonomous safe and secure CPS.

∗ System design, modelling and virtual engineering for CPS.

∗ Autonomous adaptive and cooperative CPS.

∗ Computing platforms and energy management.


These proposed structures and aspects provide a number of important perspectives on CPS. The characteristics specific to CPS are mirrored by the above approaches, including the inherently heterogeneous technology parts of CPS as well as their interfaces/interactions. The technological heterogeneity also leads to a heterogeneous set of stakeholders for CPS, and to corresponding heterogeneous engineering environments for CPS. We note that the corresponding structures and classifications partly serve different purposes, but that technological perspectives have some dominance. The technological shift represented by CPS clearly implies that a systems engineering perspective, encompassing societal as well as technological perspectives, is required. The perspectives provide an excellent basis for further work within the CyPhERS project.

2.2 Proposed CPS structuring

In this deliverable we would like to develop a structuring that serves the purposes of the intended gap analysis between the vision of a “possible future” and the current state in science and technology. The incorporated aspects should thus be useful for forming a ‘delta’, implying that the various aspects need to be comparable and thus somehow measurable. Considerations and various ways of performing the gap analysis are discussed in Section 7.

A provisional structuring for describing the state of the art is as follows:

• Engineering perspectives including

– Properties and capabilities of Cyber-Physical Systems, such as safety, performance, cost and intelligence related properties (e.g., autonomy and adaptiveness).

– Engineering processes related to the CPS lifecycle encompassing relevant viewpoints and stakeholders.

– Technologies for CPS encompassing hardware and software platforms, interfaces, communication protocols, development tools, and standards.

– Scientific foundations for CPS including relevant theories and also addressing gaps between traditional disciplines.

• Societal perspectives

– Market aspects, including economic ecosystems, business models and process.

– Political and legislation perspectives.

– Public perception and adoption.

– Education encompassing citizen general competence level as well as engineering and management education, and lifelong learning.


The proposed structure encompasses most aspects and perspectives brought up by the various structuring approaches (recall Section 2.1). Compared with the SPIT model, however, it does not explicitly incorporate “information”, which clearly is an aspect where a gap analysis can be made (e.g., what information can easily be made available, at the right time, be trusted etc.). The ability to provide information could be seen as a capability and is therefore dealt with (indirectly) as an Engineering capability as part of Section 3. Ways of using the proposed structure for the gap analysis are discussed in Section 7.

2.3 Positioning analysis: aspects for consideration

For the assessment of Europe’s positioning, an initial international outlook survey is performed. Performing such a survey is challenging, and where relevant, existing surveys will be exploited.

In this initial survey we have tried to identify major initiatives (industry, academia etc.) and characteristics of these initiatives. Each section is structured as follows:

• Industry and research profile including market shares

• Major initiatives

• Summary: overall awareness and thrusts

We have chosen not to include a comparison of market sizes and presence in this deliverable; a main reason for this is that ITEA and ARTEMIS recently provided useful surveys on this topic in [IA13b, IA13a].


3 State of the art in engineering

This chapter provides a technological perspective to the state of the art, focusing on the following aspects:

• Technological perspectives including

– Properties and capabilities of Cyber-Physical Systems,

– Technologies for CPS,

– Engineering processes related to the CPS lifecycle, and

– Scientific foundations for CPS.

Using this structuring, the state of the art perspectives as provided by previous deliverables and other sources are consequently summarized.

3.1 Basic properties required for CPS

Advanced properties that are cyber-physical (CP) in nature are of rapidly increasing importance for industrial systems due to the potential societal and economic benefits. Typically, such CP properties offer many unique capabilities for achieving advanced features in regard to emergent behaviors, quality-of-service adaptations, fault tolerance, post-deployment diagnostics and proactive maintenance, etc. While the physical aspect is related to physical actions and the energy flows under control, the cyber aspect is related to the control and cognitive loops in the systems and system-of-systems (SoS). Clearly, the success in terms of qualified CP properties relies heavily on a seamless integration of design-time and run-time knowledge and a systematic treatment of uncertainties and failure modes. Because of its wide scope of related functional and technical themes, CPS as a field cuts across a number of application domains, technical fields, and research areas and thus a wide range of concepts and technologies. Two natural questions that arise from this are: Are state-of-the-art technologies as well as the methodological support sufficient for engineering of qualified CP features in industrial products? What could be the most critical future research directions?


In this section, we introduce the essential features exhibited by CPS beyond conventional control systems. In the subsequent sections (Sections 3.2, 3.3, and 3.4), detailed descriptions of the state-of-the-art approaches and the necessity of new research efforts are presented.

3.1.1 Context awareness

As one fundamental functional property, a system needs to perceive its own operational context in terms of environmental situations and internal resource conditions for determining the best courses of action in complex scenarios. Such a system feature is often referred to as context awareness, of which the viewpoint can be either a system or a system constituent unit. Normally, the data underlying context awareness could be obtained or derived on the basis of direct monitoring and communicating about the operational situations. However, to cope with the uncertainties and interferences, other contractual data, such as in regard to physical dynamics, trustworthiness and safety integrity, can also become necessary. For example, it is envisaged that Intelligent Transportation Systems (ITS) with the support of vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications will promote the context awareness of vehicles. The infrastructure constitutes basically a sensor network that allows an exchange of monitored operational information from a variety of sources, a consolidation of context understanding in vehicular and infrastructural nodes (i.e., data fusion), and a coordination of planned behaviours. To plan the trajectory of a vehicle on a public road, the system also needs to be aware of the contractual invariants of dynamics of other vehicles on the same road. For qualified context awareness, there is a wide set of functional and technical requirements in regard to the data acquisition, derivation and consolidation. The topics range from the design of system boundaries within a system-of-systems, to the treatment of monitored data and historical records, to the handling of stochastic properties and uncertainties, and to the guarantee of timing, consistency and integrity. Obviously, all context-awareness information, if communicated or logged, could also be valuable for automated diagnosis, proactive maintenance, or certification.

3.1.2 Cognitive computation

By cognitive computation, we refer to the functional properties of a system in regard to reasoning about its own status and thereby planning its upcoming behaviours, ranging from high level missions to lower level tasks and actions. Along with the support for context awareness, cognitive computation relies on a provision of knowledge about the configurations and behaviours of the target system or the bigger system-of-systems. To this end, one key issue is concerned with how to elicit the systems’ ontology and to create the operational data and contractual models for the learning and planning decisions. From an engineering point of view, a standardized parameterization and structuring of a wide range of concerns with formal semantics for effective analysis, synthesis, diagnostics and maintenance becomes of vital importance. Due to the heterogeneity and complexity of operational scenarios, such concerns normally have multidisciplinary sources, rich semantics, different scopes and formalisms. Whilst some of those related factors are well known, others remain to be explored.

3.1.3 Autonomy

By autonomy, we refer to the system’s property of being sufficiently independent in controlling its own structural and behavioural properties. Clearly, autonomy relies strongly on the support of context awareness and cognitive computation, while emphasizing the deployment of such CP properties as “built-in” system features. In general, a system can exhibit various kinds of autonomy, collectively called self-x or self-*. For example, a self-defining system has the ability of deriving knowledge of its components, status, ultimate capacity, and operational situations. A self-optimizing system can tune its own configuration and workflow for achieving some goals in the most efficient or effective way. A self-healing system is able to detect errors or other anomalies and then to resolve appropriate fault tolerance or fault treatment measures. A self-protecting system can detect, identify, and protect itself against malicious attacks and maintain the overall system security and integrity. The support of autonomy has many functional and technical implications, particularly in a system-of-systems context. One kind of challenge is concerned with the control performance of distributed autonomous agents, such as in regard to the control stability and robustness, decision consistency and arbitration. Another kind of challenge is related to the management of computation and communication resources for dealing with big data and complex reasoning through the built-in CP functions. Moreover, for safety critical applications, it is also important to assure that the introduction of autonomic decisions or behaviours will not lead to the violation of any safety goals.

3.2 Technologies for CPS

In this section, the first subsection comes from the German agendaCPS (see [GBC+12]) and describes the wide range of technologies and engineering processes that will be required to implement Cyber-Physical Systems. The second subsection is from the NIST report [EI12] and presents the current state of the technology in each of the five sectors of the economy:

(i) manufacturing,

(ii) smart grid and utilities,

(iii) buildings and infrastructures,


(iv) transportation and mobility, and

(v) healthcare.

3.2.1 Different technologies needed for CPS

A wide variety of different technologies will be needed in order to deliver the full range of novel capabilities that Cyber-Physical Systems have to offer. The methods needed to implement some individual capabilities do not yet exist or still require further research. It is therefore impossible to provide detailed descriptions of all the necessary technologies. This subsection will describe the technologies that we believe can help deliver the new CPS capabilities based on our current knowledge. We have:

• Physical awareness: the ability to detect and recognize objects and the physical environment (physical awareness) is a key capability of Cyber-Physical Systems. In particular, it provides the basis for the subsequent analysis of application situations, including all of the technological and human actors involved and their condition, goals and options.

• Fully or semi-autonomous behaviour with the ability to plan ahead and predict the future: CPS are able to act fully or semi-autonomously in order to fulfil goals that would typically either be set by their users or arise from their current situation.

• Cooperation and negotiation: Cyber-Physical Systems cooperate with each other in order to accomplish their goals. This is witnessed both in the integration of new services into existing Cyber-Physical Systems and in the cooperative detection, evaluation and coordination of situations and agreement of negotiation strategies.

• Human-computer interaction: Some of the major benefits offered by Cyber-Physical Systems lie in their ability to support the actions and intentions of human beings and perform tasks on their behalf. At the same time, they also take some decisions and perform some actions autonomously and therefore exert an influence over human behaviour and social processes. Although these capabilities offer significant benefits, there is still a huge amount of work to be done to fully master acceptable ways of enabling human-computer interaction.

• Learning: Cyber-Physical Systems adapt their behaviour and the way they cooperate to the requirements of their current context. One key enabler of this capability is the ability to build up knowledge, for example with regard to particular situations and the behaviour of human beings or based on experience from previous applications and interactions with different contexts. Technologies from the field of machine learning could potentially be used to support the CPS capabilities of learning and adaptation.

• Evolution: self-organization and adaptation strategies. This field encompasses existing technologies that enable self-organization in communication networks and manufacturing.

• Basic technologies: This field encompasses the basic technologies needed to implement Cyber-Physical Systems. In particular, these include sensor and actuator technologies, communication networks, efficient processors, distributed controllers and the domain models and ontologies that are especially important for situation awareness and adequate behaviour control.

Physical awareness

In order to analyse and interpret different situations and contexts, it is first of all necessary to recognize the environment (detection of real-world objects, or physical awareness). Current technologies that can help to achieve this include sensor fusion, pattern recognition and situation recognition via situation maps.

Sensor fusion. Sensor fusion refers to the fusion of data from several different sensors in order to obtain more accurate measurements or higher-order data. Sensor fusion is used to detect and correct erroneous measurements made by individual sensors, as well as to make inferences about the system status that are only possible using several sensors.

Sensor fusion may be used for a variety of reasons. It is crucial for safety-critical systems to use several redundant sensors to prevent inaccurate measurements from causing incorrect decisions to be taken. In order to keep costs down, it is common practice to use several cheap but less reliable sensors instead of individual sensors that are more reliable but also more expensive.

Furthermore, in complex systems it is often simply not possible to capture the necessary information directly. Instead, it has to be deduced based on the data provided by a variety of different sensors. For example, how does a system decide whether or not a car driver is changing lanes intentionally? This information can only be obtained by using several different sensors, i.e., indicators, proximity sensors that detect the distance between the car and other vehicles, cameras and of course the user’s own observations.

According to [Rab08], by 2017 there will be one thousand sensors for every person on the planet. For systems engineering, economic and environmental reasons, it makes sense to try and combine existing and future sensors into global sensor networks as soon as possible rather than simply using them in isolation in order to perform individual functions. This raises questions with regard to the trustworthiness of the sensor data, the specific features of the sensors and how to ensure that the decisions taken by Cyber-Physical Systems are correct.
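The following sketch is an added illustration, not taken from the agendaCPS text: it fuses redundant readings of one quantity by first gating each reading against the median (so that a single faulty or manipulated sensor is detected and excluded) and then combining the survivors with inverse-variance weights. The sensor names, values, variances, gate width and quorum are constructed assumptions.

```python
import math
import statistics

# Constructed sample: four redundant range sensors measuring the same gap to
# the vehicle ahead (value in metres, variance in m^2). Sensor "D" is faulty.
SAMPLE = [
    ("A", 12.1, 0.25),
    ("B", 11.8, 0.25),
    ("C", 12.3, 0.16),
    ("D", 4.0, 0.25),
]


def fuse(readings, gate=3.0, quorum=2):
    """Fuse redundant readings of a single physical quantity.

    readings: list of (sensor_id, value, variance).
    gate:     a reading further than gate * stddev from the median is rejected.
    quorum:   minimum number of surviving sensors needed to report a value.
    Returns (estimate, fused_variance, rejected_ids).
    """
    if len(readings) < 3:
        # With fewer than three sensors the median cannot outvote a bad one.
        raise ValueError("need at least three redundant sensors")
    if any(variance <= 0 for _, _, variance in readings):
        raise ValueError("variances must be positive")

    # The median is robust as long as a majority of the sensors is honest.
    median = statistics.median(value for _, value, _ in readings)

    kept, rejected = [], []
    for sensor_id, value, variance in readings:
        if abs(value - median) > gate * math.sqrt(variance):
            rejected.append(sensor_id)      # erroneous measurement detected
        else:
            kept.append((value, variance))

    if len(kept) < quorum:
        # Fail safe: report the disagreement instead of guessing a value.
        raise RuntimeError("too few consistent sensors: " + ", ".join(rejected))

    # Inverse-variance weighting: more precise sensors count for more, and the
    # fused variance is smaller than that of any single contributing sensor.
    weights = [1.0 / variance for _, variance in kept]
    total = sum(weights)
    estimate = sum(w * value for w, (value, _) in zip(weights, kept)) / total
    return estimate, 1.0 / total, rejected


if __name__ == "__main__":
    estimate, variance, rejected = fuse(SAMPLE)
    print(f"estimate={estimate:.3f} m  variance={variance:.4f}  rejected={rejected}")
```

The rejected list is worth logging rather than discarding: a sensor that is repeatedly gated out is either failing or being interfered with.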

Pattern recognition. Pattern recognition [Web03] is an IT discipline with a strong engineering component that involves the use of algorithms and systems to recognize patterns in incoming data, compare them against known patterns and assign the detected patterns to different categories. One example would be when a front-mounted camera on a vehicle detects a person, enabling the driver to be warned and an accident to be prevented.

Pattern recognition technology is essential for registering certain situations in the physical world, since it provides the ability to extract meaning from unordered data sets (measurements), thus creating the basis for a full assessment of the situation.

Tried-and-tested algorithms already exist in many areas of pattern recognition such as cluster analysis, classification, regression and sequential analysis. Algorithms from the related field of computer vision are used for processing static and moving images. The most widely established approach involves data-driven methods that use statistical models.

A number of problems remain to be solved when using this technology in complex environments. For example, at any given point in time, there are thousands upon thousands of mathematically high-dimensional measurements. However, in order to perform the current task, it is usually only necessary to analyse up to a hundred of the most significant dimensions. In order to select the right ones, algorithms are needed that are capable of solving the feature selection problem. In practice, many of these pattern recognition algorithms still need to be calibrated by experts in order for them to successfully perform the desired task. However, this is not a realistic proposition when it comes to the huge variety of different tasks performed by Cyber-Physical Systems. It is therefore necessary to develop self-calibrating processes.

Another issue is that the patterns being recognized tend to drift over longer operating periods. How to recognize this drift is a problem that has yet to be solved.

Situation recognition using situation maps. The information about physical reality provided by sensors and pattern recognition algorithms is combined to create a “mental map” of the physical situation. Detected objects and subjects are recorded on this dynamic situation map at different points in time.

These maps enable the system to detect, respond to and plan for different situations. When approaching a junction, for example, the driver assistance system needs to know the number and exact position of all the other cars and pedestrians in the vicinity. The first attempts at employing situation maps have already been made in the field of autonomous robots.

A number of technological challenges have yet to be solved. One problem concerns object classification over time which is currently performed using multi-instance filtering approaches. One elegant approach might involve the use of Finite Set Statistics (FISST [Mah03]) which also addresses the categorization problem. However, the high cost of FISST means that it is not easy to implement and it currently only exists in the shape of approximations. The subsequent development of the situation can be projected using predictive models for physical objects such as Kalman filters.

Another unresolved issue is the fusion of data from distributed sensors for large and partially hidden objects. Maps also need to merge data at a semantic level. In doing so, they have to take into account the varying reliability and accuracy of the different sensors and pattern recognition algorithms [Thi10].

Fully or semi-autonomous behaviour with the ability to plan ahead and predict the future

Based on the situation that they have detected and the user’s goals, CPS are able to develop strategies for delivering these goals and implement them fully or semi-autonomously. One technology that is already available today is multi-criteria situation assessment. However, the key technology will involve artificial intelligence processes and approaches for decision-taking, planning and forecasting. The challenge is how to address goals that may be either unclear or contradictory. Any autonomous behaviour should thus always be accompanied by an assessment of its impact on society.

Each scenario needs to be assessed from various different viewpoints that are relevant to the decision-taking process. It is possible that some goals may contradict each other, for example it may be necessary to weigh up the driver’s safety against that of a child who has run out into the street.

One important challenge is to enable assessments to be made in real time so that actions can be triggered sufficiently rapidly. The processing speed of the relevant devices undoubtedly plays a role in this regard. However, aggregated information is not always immediately available, for example it may first of all be necessary to calculate the situation map for an entire road junction. Moreover, it should also be possible to make an assessment based on uncertain information. In such cases, however, the uncertainty has to be quantified in terms of its suitability for use as the basis of a decision. A similar situation arises if the sensors providing the data are not all equally reliable.

One possible solution in restricted domains could be the development of situation-specific schemas that establish the priority to be attributed to different foreseeable factors and goals.

Artificial intelligence approaches. Artificial intelligence (AI) is a branch of information technology concerned with the automation of smart behaviour. AI technology is needed to enable Cyber-Physical Systems to respond intelligently to their environment, pursue goals on behalf of their users and cooperate with other systems in order to do so. Examples from the scenarios in Chapter 2 include automated planning of the production of a new kitchen and the rerouting of a journey.

AI is able to take decisions by obtaining input data about the environment and using deductive mechanisms to draw conclusions from this data. This requires extensive formal rule systems for the different knowledge domains, which it is currently not yet possible to produce for complex situations involving unknown actors.

The uncertain knowledge that occurs in CPS, for example as a result of unreliable sensors or the use of external services, is managed using Bayesian networks that compare the different knowledge that is available in order to produce an overall probability distribution. The Dempster-Shafer theory of evidence can be employed for explicit uncertainty modelling. It enables information from different sources to be combined in order to arrive at an overall conclusion, taking into account the credibility of the different pieces of evidence.
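As an added illustration (not part of the agendaCPS text), the following applies Dempster's rule of combination, with Shafer's discounting as the way of modelling source credibility, to the earlier question of whether a lane change is intentional. The two-hypothesis frame, the mass values, the reliability factors and the conflict limit are constructed assumptions; the conflict mass is reported separately because strongly contradictory sources indicate a faulty or manipulated input that normalisation would otherwise hide.

```python
from itertools import product

INTENT = frozenset({"intentional"})
DRIFT = frozenset({"unintentional"})
FRAME = INTENT | DRIFT          # mass on the whole frame means "don't know"

# Constructed evidence: the indicator is on, while the camera sees a drift.
INDICATOR = {INTENT: 0.9, FRAME: 0.1}
CAMERA = {DRIFT: 0.8, FRAME: 0.2}


def discount(mass, reliability):
    """Shafer discounting: keep `reliability` of each committed mass and move
    the remainder to the whole frame (ignorance)."""
    if not 0.0 <= reliability <= 1.0:
        raise ValueError("reliability must lie in [0, 1]")
    out = {h: reliability * m for h, m in mass.items() if h != FRAME}
    out[FRAME] = 1.0 - reliability + reliability * mass.get(FRAME, 0.0)
    return out


def combine(m1, m2):
    """Dempster's rule. Returns (combined mass function, conflict mass K)."""
    joint, conflict = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        common = a & b
        if common:
            joint[common] = joint.get(common, 0.0) + ma * mb
        else:
            conflict += ma * mb             # the two sources contradict
    if conflict > 1.0 - 1e-12:
        raise ValueError("sources are in total conflict")
    return {h: m / (1.0 - conflict) for h, m in joint.items()}, conflict


def belief(mass, hypothesis):
    """Mass that necessarily supports the hypothesis (lower bound)."""
    return sum(m for h, m in mass.items() if h <= hypothesis)


def plausibility(mass, hypothesis):
    """Mass that does not contradict the hypothesis (upper bound)."""
    return sum(m for h, m in mass.items() if h & hypothesis)


def assess(sources, conflict_limit=0.5):
    """sources: list of (mass function, reliability of that source).

    Returns belief and plausibility of an intentional lane change, the
    largest conflict seen while combining, and a flag for the case where the
    sources disagree so strongly that the result should not be acted on."""
    if not sources:
        raise ValueError("no evidence supplied")
    fused, worst = None, 0.0
    for mass, reliability in sources:
        weakened = discount(mass, reliability)
        if fused is None:
            fused = weakened
        else:
            fused, k = combine(fused, weakened)
            worst = max(worst, k)
    return {
        "belief": belief(fused, INTENT),
        "plausibility": plausibility(fused, INTENT),
        "conflict": worst,
        "suspect": worst > conflict_limit,
    }


if __name__ == "__main__":
    # Camera credited with only 0.5 reliability (for instance, poor light).
    print(assess([(INDICATOR, 0.95), (CAMERA, 0.5)]))
    # Both sources taken at face value: the conflict exceeds the limit.
    print(assess([(INDICATOR, 1.0), (CAMERA, 1.0)]))
```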

Cooperation and negotiation

The ability to cooperate and negotiate enables CPS to provide distributed services and formulate problem-solving strategies in a distributed and coordinated manner and in real time. The goal is to enable coordinated collective behaviour. The necessary technologies are primarily to be found in the field of multi-agent systems. One key requirement in this area is subsystem interoperability both at a technological level (i.e., in terms of communication interfaces and protocols) and at a semantic and user-visible level (i.e., interoperability with regard to the meaning of data).

Multi-agent systems. Agents are one of the key paradigms in artificial intelligence. An autonomous agent is a piece of software that acts independently in its environment in order to perform tasks on behalf of human beings. In multi-agent systems, several agents cooperate and negotiate with each other. Agents are able to interact with their environment through sensors and actuators. Smart agents are capable of task-oriented problem solving thanks to the autonomous, responsive and targeted use of the appropriate artificial intelligence methods.

For example, in the manufacturing environment [MVK06], it is possible to respond to faults locally without the need for intervention from a centralized control system. The individual units negotiate the optimal distribution of resources among themselves. By employing large numbers of software agents it is possible to simulate the interactions between several networked actors [KNR+11]. This enables group behaviour to be predicted, allowing traffic flow and congestion forecasts to be made, for example.

One of the challenges associated with multi-agent systems is the issue of shared control. Users must be able to decide how much autonomy they are prepared to allow their agents. Moreover, they must be capable of intervening at any time and understanding the decisions that have been taken.

The phenomenon of distribution is of fundamental importance to Cyber-Physical Systems. Centralized communication methods such as blackboards are no longer sufficient. Moreover, when several actors are involved, existing negotiation rules soon become too complex, even in purely computational terms.

In contexts characterized by open cooperation between several different partners, it becomes more difficult to prevent agents’ decision-taking processes from being manipulated. Combined technological and economic measures are needed to address this issue [Wei00]. This includes the development of interaction rules that allow agents to act in their own interests while at the same time maximising the benefits for the system as a whole and maintaining its stability; see also [Woo09].

Human-computer interaction

In order for Cyber-Physical Systems to provide users with optimal support, new solutions will be required in the field of human-computer interaction (HCI). This applies to the interfaces for interactions between humans and technological systems, which will need to provide multimodal, real-time support for complex interactions and enable the current system status, situation and options to be conveyed in a manner that is appropriate to the current situation. In addition, it will be necessary for Cyber-Physical Systems to recognise users’ intentions - in a similar way to the predictive situation awareness described above - and anticipate human behaviour. Current technologies that could make a contribution in this regard can be found in the fields of human-computer interfaces, intention recognition and user and human modelling.

Human-computer interface and interaction modalities. Interactions between humans and Cyber-Physical Systems are not confined to a single modality such as a keyboard. Systems may be accessed via any number of modalities, e.g., touch screens, voice commands or body language. This requires the interaction logic - which determines the rules governing the interaction, e.g., the number and sequence of input options - to be modality-independent. In other words, the logic and presentation layers need to be separate from each other.

In addition, the user interface needs to adjust to the relevant modality by taking into account the quantity of information and options it can display. This is an important consideration, since if a system is being operated using voice technology, for example, it is not able to present the user with the same number of options as could be displayed on a screen.

The distributed nature of Cyber-Physical Systems entails the additional challenge of having to ensure that services provided by different suppliers are all operated in the same way.

Configuring technological systems is an expensive process that requires a lot of technical know-how and experience [Nor96]. This knowledge remains inside the heads of the relevant experts and is thus not available to others. In order to ensure that this situation does not occur with Cyber-Physical Systems, optimized parameter sets should be stored as best practice applications and made available to other users.

Intention and plan recognition. Intention recognition is the ability to recognize the intentions of an agent (in this paragraph, the term “agent” refers to a human being or a technological system) by analysing their previous behaviour or the effect of this behaviour on the environment. Plan recognition goes one step further than intention recognition by using an agent’s past behaviour to predict its future behaviour. Both of these capabilities are extremely important to CPS in order to provide users with as optimal and autonomous a level of support as possible for accomplishing their goals without necessarily requiring them to provide a detailed description of these goals via the human-computer interface.

Significant progress has been made thanks to the use of logic- and probability-based methods. Nevertheless, new applications such as those enabled by Cyber-Physical Systems are throwing up new challenges, especially the selection of the correct intention hypothesis, how to address the issue of limited agent observability, the analysis and classification of interconnected actions where the agent has several different intentions at the same time and the recognition and classification of alternative behaviour outcomes for achieving the same goal. Furthermore, intention recognition for cooperating agents whose behaviour is restricted - such as people with disabilities - is currently still in its infancy.

In addition to the above technologies, user and human modelling, machine learning and domain models also play an important role in intention and plan recognition.

User and human modelling, human awareness. User and human modelling enables the diagnosis, simulation, prediction and support of human behaviour in interactions with technological systems. Current research is focused on two applications: the “virtual test driver” and the “empathic virtual passenger”.

Virtual test drivers involve models that assess the safety of different technological system designs. Models are linked to formal system designs so that large numbers of potential application scenarios can be analysed via co-simulation.

Current research initiatives are also attempting to apply insights from cognitive psychology and anthropometry to the realm of systems engineering. The aims of this approach include predicting the effect of a new system on the user’s attentiveness, potential operating errors and how comfortable to use, physically accessible and easily recognized different controls are.

In CPS-based uses, models are employed as empathic virtual passengers in smart assistance systems in order to diagnose users’ current motivation and the degree of strain that they are experiencing. This allows them to provide the user with targeted assistance for performing particular tasks, thereby offering context-sensitive support for human-computer interactions. For their input, these models use, e.g., user behaviour in conjunction with psychophysiological measurements such as eye movements, skin conductance and blinking frequency, in order to assess conditions such as stress, distraction or vigilance. There are various technical methods for creating user and human models, including rule-based production systems, Bayesian networks, mathematical control theory, Markov decision processes and various combinations of these methods.

Learning

Adaptive Cyber-Physical Systems adapt to their users and to new situations. In other words, they learn what the user is trying to achieve in a given situation and how they wish to operate the system and they adapt to the user’s language. The planning components of Cyber-Physical Systems learn which behaviours and plans succeed in specific situations and share this knowledge with each other. Moreover, machine learning methods use the large volumes of data obtained from sensors and cooperating systems to answer specific questions or generate new knowledge. As things currently stand, delivering this capability will require machine learning, data mining and multi-agent system technologies in addition to the technologies already mentioned above.

Machine learning and data mining. Machine learning [Bis07] involves the use of information technology and mathematical theory to enable computers to extract knowledge from the available data. This may be done in order to find the answer to a specific question (“what does a typical traffic jam look like?”) or, in the field of data mining, to generate completely new knowledge.

These algorithms are necessary in order to enable the data provided by Cyber-Physical Systems to be turned into something that can be used. In the field of mechanical engineering, these processes can be used to configure the entire manufacturing process as a self-optimising system where the Manufacturing Execution System (MES) identifies the optimal process parameters based on its own historical data sets [BKS11]. In the field of healthcare, a system that has learned what the user’s normal ECG readings are can alert them to any anomalous values. Reinforcement learning allows systems to process feedback on the success of their actions, creating a feedback loop that enables them to constantly improve the way that they adapt to the current situation and similar situations in the future.

Challenges exist with regard to the fact that many algorithms are not yet designed to handle the huge volumes of data involved. Furthermore, the relevant data are scattered across several distributed database systems. The solutions being developed include online learning processes and multiple classifier systems [SKR11] that collate the knowledge from several different algorithms. Research in the field of multi-agent systems is investigating algorithms designed to enable distributed learning.

The majority of data do not have labels that describe what can be observed in the current measurements. Research into partially and semi-supervised learning is developing ways of getting by with only a limited number of labels.

Current algorithms are not able to solve the problem if the things being searched for are unknown or poorly defined.

Evolution: self-organization and adaptation strategies

Self-organization and adaptation strategies are necessary to enable cooperation and context-adaptive, fully or semi-autonomous behaviour. Currently, this type of technology is found mainly in the realms of manufacturing, communication networks and multi-agent systems.

Self-organization in manufacturing. In the realm of manufacturing, this principle has been investigated since the end of the 1990s [BS00, SB01] and is underpinned by the fundamental idea of individually identifiable workpieces that move independently through the manufacturing process, from component manufacture through to assembly. Flexible machine tools and assembly lines know what they are capable of producing and adapt independently to different tasks. The workpieces, machinery and transport systems organize manufacturing operations locally and independently. They take the current status of production into account at all times, for example machinery failures or supply problems.

This requires products, production units and processes, their controllers and the MES functions - all of which are represented by Cyber-Physical Systems - to be capable of synchronising with each other in a coherent manner. A substantial research effort will be necessary in order to develop methods, tools and software components and to enable standardization.

Self-organising communication networks. CPS communication networks need to be flexible in order to guarantee trouble-free and reliable operation in the face of constantly changing environments and requirements. In addition to enhancement of the existing infrastructure with technologies for addressing mobile users, additional technologies will also be required that enable network users to create secure communication networks among each other and operate them cooperatively so that they can exchange data. Moreover, they will have to be able to do this on an ad hoc basis, i.e., at run-time and without explicit planning and configuration. This will require technologies that enable distributed administration, configuration, control and operation, as well as the establishment of mechanisms to ensure that the cost is shared fairly among all the partners.

Given the specific quality requirements for this type of communication, the existing technology is unlikely to be sufficient and current approaches will need to be adapted [SAL+03]. There are a number of relevant research initiatives in the field of ad-hoc sensor networks [WS08], which are investigating proactive and reactive communication path routing protocols. The proactive protocols include the Highly Dynamic Destination-Sequenced Distance Vector Routing Protocol, whilst the reactive ones include the Ad hoc on-Demand Distance Vector. Standardization is a key enabler of ad-hoc communication, since devices that have not previously worked together need a common language.

Basic technologies

Situation awareness, planning and cooperation all require machine-processable models of the relevant application domains. These include ontologies and domain-specific languages.

The other basic CPS technologies include sensors and actuators, the relevant communication infrastructure, and devices capable of processing the large volumes of data captured by the sensors in real time. Among other things, this will require computers equipped with multicore processors. Moreover, the need for real-time processing means that it will not be possible to process the data centrally. Distributed control will therefore be essential.

Domain models, ontologies and domain-specific languages. In order to enable autonomous situation awareness, planning and learning, the relevant knowledge in a given application domain must be described in a domain model. This formal description enables cooperation between different parts of Cyber-Physical Systems and makes it possible to achieve a higher degree of autonomy with regard to information processing and planning.

Experts compile the relevant concepts in a particular domain into standard ontologies. These comprise descriptions of the hierarchical relationships between concepts and objects. The knowledge contained in these ontologies can then be exchanged - one of the fundamental principles of the Semantic Web. The best-known methods of describing ontologies are the Semantic Web’s Ontology Web Language (OWL) and the language of the CYC project in the field of artificial intelligence [Len97].

Languages tailored to a particular domain, known as domain-specific languages (DSLs), can be used to include additional domain knowledge in the models. These are formal languages based on ontologies that have their own grammar and contain all the concepts, objects and possible actions for a narrowly-defined domain. There are various methods, e.g., the Meta-Object Facility Standard, and tools, e.g., the Meta Programming System [Dmi04], that can be used to develop these languages. Translation into behaviour is carried out by translators that use the information written in DSLs to create programs in a high-level computer language like C.

The first attempts at doing this involve mechanisms such as OWL Profiles or Views in the BioPortal language [RLM+06].

Every domain contains specific ontologies. For example, a Cyber-Physical System may wish to buy a ticket from a new airline whose own Cyber-Physical Systems do not recognize the term “onward journey”. Communication between the two is thus only possible if the terms from the different ontologies can be mapped onto each other in a process known as ontology mapping, ontology mediation or ontology alignment [KS03]. This enables knowledge to be exchanged across different domains.

There are a number of challenges associated with producing ontologies. A precise definition is needed of which concepts can be included and which should be excluded from the domain. The translation of DSLs into behaviour can only be achieved through domain-specific model transformation approaches, something that very few domains have yet attempted.

A problem common to all technologies is that while human beings have an intuitive understanding of fuzzy concepts which can only be partially realized, they constitute a major challenge for modelling.

Sensor and actuator technology. Sensors and actuators allow Cyber-Physical Systems to observe and influence their physical environment. Sensors record qualitative or quantitative measurements of the environment’s physical or chemical properties such as temperature, humidity, sound or the materials it is made of and convert these measurements into a format that can be processed digitally. Actuators convert digital values into mechanical movements or other physical parameters such as pressure and temperature, thereby producing an effect on the environment.

The sensors that can be deployed in Cyber-Physical Systems range from simple detectors that only measure one particular physical parameter to complex environment sensors such as video and radar, biosensors that can be implanted into patients’ bodies to record complex health-related processes and sensor networks incorporating a large number of often heterogeneous sensors.

The challenges in this field (see also [GMA09, BHGZ09, MM06, HSMS07, ABB+09]) include the need to increase sensors’ accuracy and speed, since these are currently often not sufficient to enable the detailed real-time physical awareness required by Cyber-Physical Systems. Furthermore, the fact that sensors and actuators will be deployed in different and often extremely demanding environments places higher demands on their robustness and durability as well as on their size and energy consumption. In the most extreme cases, they may even have to be energy self-sufficient. Recent years have seen the first attempts to build smarter sensors by increasing their processing and memory power.

The actuators used by Cyber-Physical Systems range from simple, often mechanical controllers in control circuits, e.g., valve trains, to electromechanical and hydraulic drives and complex control systems, e.g., for the longitudinal and lateral guidance of vehicles or entire traffic flows via the coordinated interaction of several heterogeneous actuators in actuator networks.

Communication infrastructure and platforms. The availability of Cyber-Physical Systems will have a significant impact on the research and development of large-scale distributed systems in areas such as electric mobility or the Internet of Energy and on the necessary communication infrastructures. As a result of information and communication technology, computers and the use of hierarchical communication infrastructures to network them are becoming increasingly ubiquitous. Personal Area Networks (PANs) based, e.g., on the Bluetooth and Zigbee short-range radio standards are used to enable nodes to communicate with each other or with a larger network. Local Area Networks (LANs) use, e.g., WiFi to enable nodes and systems to communicate with much higher data rates and over longer distances. Wide Area Networks (WANs) employing 3G, 4G and even 5G mobile communication technology cover much larger areas and enable wired and wireless communication between nodes, systems and Systems of Systems.

Cyber-Physical Systems will place a number of new demands on this heterogeneous and hierarchically organized communication infrastructure that have as yet been only partially addressed, if at all. The emergence of Cyber-Physical Systems, i.e., the trend towards spontaneous creation of new behavioural traits as a result of the interaction between different components and features, will require equally spontaneous, efficient and effective communication links to be available at both the micro and macro system levels.

Wireless data connections in particular tend to be error-prone and can suffer from latency. The communication infrastructure solutions for Cyber-Physical Systems will need to guarantee the most consistent and uniform service quality possible for all of the system’s components. The CPS communication infrastructure data connections are susceptible to blocking, interruption and eavesdropping. In order to ensure that the data being transmitted can always be trusted, optimal data security must be guaranteed at the levels of individual nodes, systems and complex networks of systems. Cyber-Physical Systems are characterized by a high level of openness and adaptability and the communication infrastructure plays a key role in making this possible. In order for communication to work properly at every level, it is necessary to constantly monitor and test the service quality of the connections in the system and make automatic adjustments in the event of any changes to the system. Self-organising networks (SON) constitute one possible solution to this challenge.

Cyber-Physical Systems will be deployed in dynamic real-time environments. This will require communication infrastructures to be analysed, transformed, researched and re-developed in terms of their robustness, reconfigurability, adaptability, performance and access to the cloud.


Efficient parallel processors. Smart devices for Cyber-Physical Systems harbour huge innovation potential. In the future, it will be possible to host even more functions on a single chip, optimize their power consumption and make them even cheaper and smaller. The continued advances in electronic hardware will enable improved performance in the following areas:

• improved performance and highly parallel architectures. In the future we will continue to see ever better and faster processor cores built onto a single chip (multicore processor approach).

• additional hardware functions for specialized tasks (multimedia, graphics, video analysis, image processing, real-time capability, security) will result in chips with dedicated cores for specific tasks.

• I/O processing, including radio receivers, will be even more deeply integrated into the chips. There is still room for further optimization of chips in terms of their power consumption and heat dissipation.

• new energy harvesting methods will enable the creation of Cyber-Physical Systems without an external power supply.

• hardware-based virtualization will enable consolidation of Cyber-Physical Systems on board vehicles, for example, without jeopardising their real-time capabilities, safety and security, functionality or performance.

Further challenges include the integration of new technologies into development processes, ensuring that the most is made of parallel processing capabilities and guaranteeing safety and security, for example. The use of multicore processors in safety-critical avionics applications is one example that would already be relatively easy to implement from a technical point of view, even today. However, the issue of certification of non-functional properties such as safety and security remains largely unresolved.

Stable distributed controllers. Distributed controllers are control systems or networks whose signal-processing components are geographically dispersed and may even be hierarchically structured, rather than being organized centrally. This allows them to control more complex distributed systems that cannot be controlled centrally [ABB+09], and in particular the interventions in the environment required by Cyber-Physical Systems that are based on sensor readings and enabled by interactions between distributed subsystems.

The distributed controllers available today are mostly confined to individual systems, e.g., in motor vehicles where individual control systems are integrated in order to provide driving stability – such as ESP and active suspension as part of an “Integrated Vehicle Dynamics Management” system [ABB+09], or in the location detection and terrain and object recognition systems used by vehicles taking part in the DARPA “Desert and Urban Challenge” [CPS08]. In the case of Cyber-Physical Systems, however, controllers need to be networked across different systems and it is also necessary to be able to build and dismantle these control systems dynamically, e.g., to create ad-hoc control systems for cooperating systems.

Problems can arise as a result of connection failures, signal fluctuations caused by variations in communication latencies (jitter) and packet loss, which typically has a major influence on controller behaviour and can easily result in controller instability. There is therefore a need for control concepts and the associated development and analysis processes and tools to enable the development of control algorithms that can counteract these effects in a robust, scalable and hierarchical manner and that are adaptive or capable of reconfiguring themselves [ABB+09].
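The effect of packet loss on controller stability described above, worked through on a scalar plant as an added example (not part of the deliverable). The plant model, the rule that the actuator applies zero input when a packet is lost, independent losses, the numeric values and all function names are assumptions chosen for illustration.

```python
# Added example (not from the deliverable): packet loss on the link between a
# controller and its actuator. Plant, gains and function names are assumptions.
#
# Plant:       x[k+1] = a*x[k] + u[k]     (|a| > 1: unstable without control)
# Controller:  u[k]   = -k_gain*x[k]      sent over the network every step
# Actuator:    applies u[k] if the packet arrives, otherwise applies 0.


def ms_growth_factor(a, k_gain, p_loss):
    """Factor by which E[x^2] is multiplied per step under independent losses."""
    delivered = (a - k_gain) ** 2   # packet arrived: closed-loop step
    lost = a ** 2                   # packet lost: open-loop step
    return (1.0 - p_loss) * delivered + p_loss * lost


def critical_loss_rate(a, k_gain):
    """Loss probability at which E[x^2] stops decaying (mean-square limit)."""
    delivered, lost = (a - k_gain) ** 2, a ** 2
    if delivered >= 1.0:
        return 0.0      # unstable even on a perfect link
    if lost <= 1.0:
        return 1.0      # plant does not grow on its own; loss cannot destabilise it
    return (1.0 - delivered) / (lost - delivered)


def second_moment(a, k_gain, p_loss, steps, m0=1.0):
    """Exact E[x^2] after `steps` steps, starting from E[x^2] = m0."""
    m = m0
    factor = ms_growth_factor(a, k_gain, p_loss)
    for _ in range(steps):
        m *= factor
    return m


def run_with_loss_pattern(a, k_gain, x0, lost_flags):
    """Deterministic trajectory for an explicit loss pattern (True = packet lost)."""
    xs = [x0]
    for lost in lost_flags:
        x = xs[-1]
        u = 0.0 if lost else -k_gain * x
        xs.append(a * x + u)
    return xs


def max_outage_steps(a, x0, bound):
    """Longest run of consecutive lost packets that keeps |x| within `bound`.

    Returns None when the state cannot grow during an outage (|a| <= 1 or x0 == 0).
    """
    if abs(a) <= 1.0 or x0 == 0:
        return None
    n, x = 0, abs(x0)
    while abs(a) * x <= bound:
        x *= abs(a)
        n += 1
    return n


if __name__ == "__main__":
    a, k_gain = 1.5, 1.0    # constructed values: open loop 1.5, closed loop 0.5
    print("critical loss rate:", critical_loss_rate(a, k_gain))
    for p in (0.2, 0.375, 0.6):
        print(f"p={p}: factor={ms_growth_factor(a, k_gain, p):.3f}, "
              f"E[x^2] after 50 steps={second_moment(a, k_gain, p, 50):.3e}")
    print("trajectory:",
          run_with_loss_pattern(a, k_gain, 1.0, [False, True, True, False]))
    print("tolerable outage (x0=1, bound=10):",
          max_outage_steps(a, 1.0, 10.0), "steps")
```

The critical loss rate and the tolerable outage length are the two numbers a link-quality monitor for such a loop would alarm on: the first bounds the long-run loss rate, the second bounds a single burst.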

One further fundamental problem is that the two disciplines of control engineering and information technology still largely operate separately from each other [CPS08]. Methods from both areas will therefore need to be combined.

Challenges. X-awareness is a key property of Cyber-Physical Systems, involving accurate recognition and interpretation of both situation and context (situation awareness, context awareness), awareness of the system’s own condition and the condition and quality of CPS services and components and, importantly, the condition, goals and intentions of the system’s users (human awareness). This necessitates awareness of the physical, IT and human environments and the ability to use this information to interpret and assess the situation that has been identified in terms of the goals of both the system itself and of other actors. The technologies described above are not currently powerful enough to provide the level of X-awareness that is required for Cyber-Physical Systems. Whilst the first challenge is to improve sensor technology, it will subsequently also be essential to improve awareness of complex situations together with the necessary processing and aggregation – including semantic aggregation – of large volumes of data in real time. Further challenges will include enabling real-time analysis and assessment of situations involving several different actors who may have conflicting goals.

Processes and technologies for combining different perspectives when a situation is perceived and analysed by different actors and for working with incomplete knowledge will be key, as will methods for enabling the system to assess its own situation and capabilities (self-awareness). The challenges with regard to recognition and interpretation of human behaviour and users’ wishes, goals and intentions (human awareness) revolve around predicting human behaviour (intention recognition) and the design of appropriate multimodal interfaces for human-computer interaction that enable inputting of higher-order goals via any number of different modalities whilst at the same time providing the user with a picture of the situation that takes account of their current attention profile, the system status and the situation itself. The key challenge is to design human-computer interactions in a way that enables users to coordinate and control Cyber-Physical Systems as required by their current situation.

One key requirement for comprehensive X-awareness that has not yet been adequately met is the development and validation of appropriate domain models, particularly user models.

Context-adaptive, cooperative behaviour is another key feature of Cyber-Physical Systems. Even once X-awareness has been achieved, continuous context and process interactions, cooperative goal-oriented behaviour and autonomous and active context-dependent behaviour will require additional technologies, as described above. The processing and communication speeds of processors and communication media will be key to the real-time capabilities and responsiveness of Cyber-Physical Systems. Technical and semantic interoperability will be equally essential. There are also a number of major challenges at the application level that are only partly addressed by current technology. These include domain models geared towards complex environments, the ability to pursue numerous competing goals, working with incomplete knowledge, negotiation strategies, shared control and fair interaction rules.

The technologies in the fields of learning and evolution and the relevant domain and human models will have a particularly important role to play. In addition to handling the large volumes of data generated and semantic annotation of these data, the key challenges include developing and validating domain and human models that incorporate fuzzy concepts and converting them into behaviour and learning strategies.

Coordination strategies will be necessary to enable self-organization and adaptation to a changing physical and technological environment and new (learned or inferred) goals. Different components and services will need to be able to form targeted partnerships without the need for explicit planning and configuration. The greatest challenge concerns semantic and user-visible interoperability and the accompanying need for standardization.

3.2.2 Smart system technologies

The information presented in this section was obtained through a comprehensive review of published literature in sectors of the economy considered prime areas of opportunity for CPS, as these systems are already emerging in many applications. It is organized around five sectors of the economy and gives the state-of-the-art in technology for each one of them.

Smart manufacturing. Smart manufacturing combines technology, knowledge, information, and human ingenuity to develop and apply “manufacturing intelligence”. It comprises the smart use of networked information for demand-dynamic economics; integrated computational materials; enterprise and supply chain performance and broad-based workforce engagement; manufacturing robotics that work safely with people in shared spaces; and computer-directed, metal-based additive manufacturing. Smart manufacturing makes rapid production in accordance with individual customer specifications possible; the production procedure within companies can also be optimized via a network of globally cooperating, adaptive, evolutionary and self-organizing production units belonging to different operators. Production systems will be set up that are able to react virtually in real time to changes in the market and the supply chain using cyber-physical systems, and which cooperate with ultra-flexibility even beyond company boundaries.

One of the main drivers in industrial production is increased automation and advances in information technology, which lead to competitiveness and economic prosperity. Digital computing and communications are increasing in manufacturing plants, allowing for new opportunities for the adoption of smart manufacturing techniques and technologies. Smart manufacturing used in the innovation, planning, designing, operating, and maintaining of manufacturing facilities can support more agile operations and accelerated product and business cycles. Increased integration in manufacturing systems can provide pathways to manufacture materials and products based on global and domestic needs.

Manufacturing today occurs in traditional factory-situated shop floors where the focus is on mass production of physical components and the system is typically not completely integrated. Although robotics have become more common and improved productivity of some tasks, workflow automation is hindered by high costs of maintenance and investment. Many aspects of the production process, including design, manufacturing, and supply, are increasingly outsourced to effective labor markets overseas. CPS science and technology can provide many possibilities for innovation in the manufacturing industry through smart products and production and lifecycle design for product safety, security, and sustainability.

The vision for smart manufacturing is for all aspects of manufacturing to be highly integrated, from plant operation to supply chain. The entire life cycle of a product could be tracked, including aspects such as processes and resources, leading to manufacturing environments that are flexible and can optimize performance and efficiency. Advances in CPS can help reduce the time-to-market for products and systems, while promoting innovation, competition, and resilience in supply chains. These advances can allow a more flexible optimization of cost and markets since production could be located near materials, technology skill centers, or consumers.

Robots in today’s manufacturing industry are designed to be precise and repeatable, operate only in structured environments, and have limited application. Integration of robotics is expensive, and can cost five to ten times the capital cost. In some cases, robotic systems in factories are unsafe for people to be around, leading to a separation between the two types of workers.

There is a current trend in today’s manufacturing towards “converged modular automation” in which systems are built of modular cyber-physical components. These components have their own embedded controller and are all connected by a network that allows a supervisory controller to gather information and allows peer-to-peer information exchange [EI12]. The advantage of such modular automation systems is that they can be more reconfigurable than custom-designed systems, but modules that have embedded controllers are more complex than a typical system and require additional testing and validation before they can be applied.

To realize the benefits of smart manufacturing, the exchange of information in manufacturing networks has to be seamless, but such a comprehensive infrastructure is not yet in existence. Some of the main challenges associated with implementing CPS include network integration, affordability, and the interoperability of engineering systems. Using a systems view of manufacturing is necessary to gain a better understanding of what effects the changes in one element will have throughout the entire system.

Today’s production networks carry out all tasks related to the life cycle of the product, including design, engineering, fabrication, and maintenance functions and are, therefore, becoming increasingly complex and dynamic and require more sophisticated information integration. This increasing complexity is beginning to exceed the ability of both engineers and designers to fully control and optimize their performance. Traditional communication, control, and software theory cannot efficiently provide all the tools needed to analyze large-scale control networks. For example, current network research often focuses on connectivity and coverage issues assuming that network components are homogeneous; but in practical terms CPS consists of both wireless and wired networks characterized by varying capacities and reliability. There is a need for a unifying theory of non-homogeneous control and communication systems. The heterogeneity of each device, in terms of memory, communication, and processing, should be considered in the design of the CPS architecture to optimize real-time communication and reliability.

Smart grid and current state of the technology. For the most part, electricity is generated far away from where it is consumed, e.g., hydroelectric stations are often located far away from large metro areas and electricity is then transported over long distances. The long haul transportation factor exposes power lines to increased risks of attacks (physical protection is neither economical nor practical).

In the power “world”, everything involves a grid; the network is the key concept around which the system is built and its behaviour is nonlinear in terms of associated dynamics and steady state regimes.

The three main components are: generation; transmission; and distribution. The wires represent the transmission and distribution grids. A substation serves to step up or down a voltage level, be it in the transmission or the distribution network. The boundary separating the transmission, subtransmission (typically, the set of lines carrying power at a voltage below 130 kV) and distribution systems is not crisply defined and may vary from system to system.

The Energy Management System (EMS) is the “control center” of the grid. The EMS provides real time monitoring and control for the grid and can be viewed as the central nervous system of the grid. As a by-product, the EMS furnishes the most up to date information on the system of interest to many other parties outside of system operations, such as market and business personnel – we view the information as the “pulse” of the grid.

The current level of electricity demand has a significant effect on energy-related carbon dioxide emissions since a large portion of electricity is generated from coal. Concerns about greenhouse gas emissions are moving electricity generation away from coal. With the projections of increased use of renewable energy and modest growth in demand, electricity-related carbon dioxide emissions will grow. CPS can help to reach these projections of slowing the rise of carbon dioxide emissions as demand for electricity increases.

As more consumers begin to use electric vehicles, the smart grid will have to adapt to increased loads as well as being able to integrate these vehicles as part of the grid. These vehicles will provide both opportunities and challenges as to how the smart grid can provide charging when necessary or even use the vehicles as storage when possible. CPS engineering and advancements in smart transportation will thus affect those in the smart grid, allowing for innovation in function and capability in both energy and transportation systems. Integrating electric vehicles into the smart grid will also help reduce the number of gasoline-powered vehicles that contribute to emissions.

The electric grid today is driven by consumer demand, and electricity is generated as it is consumed. Electricity cannot be stored easily or economically, leading to little storage capacity for producers. The current system of managing generation while responding to demand is inefficient for generation systems today, especially when the systems are unable or slow to switch on or off in response to demand [EI12]. Control in power plants is primarily used to ensure that there is stability during normal operation. Each utility company uses automatic generation control to regulate power imbalances that are not easily predicted, yet there is no online coordination between the utilities. Control mechanisms for power flow are inefficient and expensive and do not allow for flexible routing of power flow. If the system could predict or model future demand using CPS engineering and technologies, providers would be able to better prepare for peak loads without overestimating them.

While a majority of electricity is currently generated from coal, natural gas, and nuclear power, electricity produced from renewable resources is estimated to increase to 16% in 2035 (see [EI12]). Although renewable sources provide “clean” sources of electricity generation, they sometimes provide intermittent or variable sources of energy. CPS technologies and engineering will provide the next-generation control architectures and platforms needed to optimize the electricity system as it is called on to integrate a variety of energy sources, including intermittent renewables.

CPS technologies can also be used to help manage user consumption. For example, applying CPS to the advanced metering infrastructure may enable more effective management of consumption by providing the ability to schedule power utilization based on information from the meters. Smart meters provide information for the development of technologies that can enable demand management, distribution automation, substation intelligence, distributed generation, and information technology. The objective of these technologies is to increase energy efficiency through optimization, control, and a reduced peak load. CPS technology will provide the tools for real-time, resilient, safe, and secure control of energy systems, resulting in highly integrated, dependable, and flexible energy technologies.

A smart grid of the future will be more flexible and resilient and have the ability to provide real-time pricing and response, reduce the time and extent of power outages and disturbances, reduce congestion, and better utilize resources. No longer will the network be considered to be centralized and distribution only, as generation will also come from homes and other distributed sources. The system must be able to integrate alternative technologies, including solar, thermal, wind, and water-based generators; smaller scale nuclear generation; and generation from alternative fuels. In addition, an increase in electricity storage capacity will be necessary to help the grid be better able to handle peak loads. Integrating buildings that have cogeneration of heat and power as well as electric vehicles into the grid will present challenges, but also provide opportunities.

A grand challenge for CPS is the design and deployment of an energy system infrastructure that is able to provide blackout-free electricity generation and distribution, in addition to other properties. This infrastructure will provide energy that is more efficient, reliable, and stable while meeting consumer demand. In addition, it must be flexible, allowing heterogeneous participants to consume energy from and supply energy to the grid. The energy system infrastructure must be secure and impervious to accidental or intentional disruptions or manipulations. It will be important for the architecture, control, and implementation to be modified and adapted to future technologies as well. In order to operate the next-generation energy and infrastructure that take advantage of CPS technologies, there also needs to be a qualified, innovative, and skilled workforce.

Sources for electricity generation today are typically centralized, but will become more distributed as sources become more varied. Among these is the increase in renewable sources for electricity generation, including solar, wind, and others. Technical challenges arise with the increase of distributed sources of power generation. Incorporating power generated from distributed resources into the grid requires new controls as well as complex balancing schemes. For example, power generated from wind is growing rapidly, yet it supplies an irregular stream of electricity. This type of source, along with other distributed sources, causes an additional stress on the current grid. Energy storage technologies are currently not effective enough to support a higher penetration of renewable sources and there is only an ill-defined hierarchy for integrating the sources into the grid. Coordination of and interaction between varying distributed resources will pose many new challenges.

One of the challenges of applying CPS engineering and technology to the electric grid and other utilities is integrating these technologies into the existing infrastructure. Improvements and changes are being applied to the existing power grid system, which must transition into the smart grid of the future. There will need to be changes in how the system is managed as power generation comes from more distributed sources that need to be continually integrated into the existing infrastructure. Unforeseen complications and challenges will arise as these distributed sources are connected to the grid on the regional and national level. Generation, storage, and distribution will have to remain dependable and stable even as sensing and actuation technologies are added to sections of the existing grid. As technologies and systems are incorporated as part of the modernization of the grid, security remains a paramount concern in terms of lowering the vulnerability of the smart grid and water sector systems. Any disruptions to these sectors affect other sectors, making their secure operation a necessity. The energy and electric sectors are networked and complex, with increasing interactions between generation, transmission, and distribution processes, resulting in numerous access points. Control systems should have integrated protection, detection, and response mechanisms to be able to survive natural disasters, human error, and cyber attack without loss of function.

Buildings and infrastructures. Next-generation technologies and methods integrated into building systems could allow building energy use to be seamlessly predicted, monitored, controlled, and minimized across the dimensions of performance, scale and time. Homes and businesses could be connected with the smart grid, where their energy monitoring and control systems predict usage and then negotiate energy consumption and prices with the utility company. The cyber and the physical worlds must be tightly integrated to enable many of these concepts to work effectively in buildings.

Achieving net-zero energy (NZE) buildings, for example, where the building can produce as much energy as (or more energy than) it consumes, requires highly integrated systems of cyber and physical components. The smart buildings of the future will also include co-generation of heat and power with sophisticated controls. Research in cyber-physical systems (CPS) provides opportunities for improvement in the efficiency and performance of commercial and residential buildings as well as other structures, such as bridges and dams.

Modern buildings are systems of components consisting of interacting heat exchange, airflow, water, safety, access/security, and movement control subsystems. These subsystems are increasingly coupled using embedded sensing and control systems where state information from one system is directly used to make operational decisions in another subsystem. Integration of different controls and aspects of buildings can help to increase overall building performance by improving control and efficiency while reducing costs. Certain areas of building control are already becoming more connected. For example, coordinating the heating, ventilating, and air conditioning (HVAC) system with other systems in buildings, such as lighting or fire alarms, allows for safer and smarter operation. Some examples of integration in buildings include allowing the fire alarm/life safety system to control elevators or safety exit lighting, or enabling the HVAC system to use air ducts for smoke control and removal in the event of a fire.

Submetering of building energy and water usage represents an area where further research in CPS would be applicable and could help in achieving NZE buildings. Meters are already used in buildings to measure energy and water consumption, although usually on a monthly basis and for a building as a whole. Submetering allows for the possibility of gathering continuous data for individual areas, systems or equipment. Integrating submetering with building automation systems, and the development and implementation of technologies including sensor systems that can evaluate the data collected could lead to greater energy conservation and efficiency. The technical details of submeters themselves as well as the software, data networks, and services must be considered, allowing for applications of research in cyber-physical systems.

Structural health monitoring (SHM) is an emerging field in civil engineering which allows the possibility of continuous or periodic assessment of the condition of civil infrastructure. Current sensors can discretely monitor factors such as strains, accelerations, deformations, and corrosion potential. SHM could provide the information to assess the condition of bridges, buildings, dams or other structures and help to determine when preventative maintenance is necessary, thus preventing structural failure or costs. Smart sensors, which are typically low cost and battery powered, and have an on-board microprocessor and sensing capability, are a viable option for the sensors to be used in SHM projects.

Challenges in measurements for intelligent buildings are numerous, and must be overcome before NZE buildings can reach fruition. New metrology for smart building technologies should include performance metrics and measurement methods, tools to predict performance, protocols to achieve desired performance, evaluation and assessment of the performance of technologies, systems, and practices, and performance-based standards and practices. System complexities and interactions in a building should be captured while innovation in the design and manufacturing of individual components and systems is supported. Today systems in intelligent buildings are unable to effectively communicate, interact, share information, make decisions, and perform smoothly and reliably because of a lack of measurement methods.

Measurement science is needed to support intelligent building systems that can detect and respond to faults, operational errors, and inefficiencies to ensure that buildings perform as expected and performance does not decrease. Challenges include but are not limited to the following: data and methods for assessing the performance of buildings, tests and test beds for the evaluation of controls technology and fault detection approaches, best practice guidelines for intelligent design and operation of buildings, measurements to support automation of commissioning processes, and low-cost, reliable energy metering systems. Overcoming these challenges in measurement science could lead to enhancements in communication protocol standards that enable the practical use of integrated systems such as lighting and energy management and achieve increased comfort, safety, energy efficiency, and secure, real-time communication of information within the building system. This will be essential for applications such as interconnection between the building and the Smart Grid.

Transportation and mobility. Decision makers, industry officials, and experts agree that intelligent transportation systems and connected vehicle technologies are the future of travel, and will improve safety, efficiency, and the economy. Today, humans play an active role in both automotive and aviation operations. People drive vehicles while sensor systems alert the driver to various dangerous situations (lane changes, crash ahead). Although modern aircraft have a larger amount of automation, pilots still play an essential role in control and UAVs have yet to make a significant presence in the national airspace system. However, CPS are increasingly being applied to make it easier, safer, and more convenient for humans to operate and use transportation systems.

Connected vehicle technologies. The main focus in ITS research that is particularly related to CPS is connected vehicle technologies, specifically vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. Examples of V2V applications in vehicles include blind spot/lane change warnings, forward collision warnings, electronic emergency brake lights, intersection movement assistance, do not pass warnings, and control loss warning. Examples of V2I applications include traffic signal violation warnings, stop sign violation warnings, pedestrian crossing information, and left turn assistance.

Multi-vehicle cooperative driving and intersection control research. Individual-vehicle-control research concentrates on guaranteeing driving safety. As previously noted, increased traffic congestion is now making multi-vehicle-control research an important topic for research in CPS. Twenty years ago researchers started examining lane-changing and lane-merging control problems. A solution to those problems comes from the path planning literature, which studies how to generate a collision-free driving path or trajectory under the given vehicle dynamics. On the basis of these studies, researchers now consider cooperative driving with inter-vehicle communication to be a more promising answer to the problems of traffic jams and collisions.

Intelligent Sensing for Cyber-Physical Smart Cars. As noted earlier, technology trends in consumer automobiles are moving toward increased autonomy. Early developments in CPS for vehicles include traction and stability control, cruise control, and anti-lock braking systems that increase safety. Communication between vehicle components provides information such as velocity, acceleration, and traction for the purposes of navigation, infotainment, and other uses. These systems do not take control of the vehicle, but they provide information to the driver who ultimately makes a decision on how to act. Safety behaviours such as shaking the steering wheel to gain the driver’s attention cannot alter the situation but can provide necessary information to the driver to enable action. Systems that perceive the environment outside the car as well as the environment inside the car are of particular importance. Specific examples of these intelligent systems are discussed below.

The state of the art considers three kinds of intelligent-vehicle sensing:

1. Out-vehicle environment sensing involves collecting information about the driving environment. Specific topics include extracting lane boundaries when they are not clearly marked or in adverse weather conditions; detecting other vehicles that are nearby and estimating their kinematics (position, speed, and acceleration); recognizing traffic signs and traffic lights; detecting unexpected traffic participants (such as pedestrians); and sensing obstacles of all kinds. Sensing the environment out of the vehicle is a very challenging task, especially when weather changes are taken into account.

2. Vehicle-state sensing is of a lower level and concentrates on measuring a vehicle’s movement and monitoring its actuators. Examples include detection of vehicle position, velocity, and acceleration; engine pressure and temperature; tire pressure; temperature; friction coefficients; and similar variables.

3. In-vehicle environment sensing involves collecting information about the driver and the passengers; i.e., behaviour monitoring. Specific topics include monitoring the driver’s eye movements, vigilance, and tiredness; the interaction inside the car; and so forth. Sensing inside the vehicle is equally important to out-vehicle sensing. The driver’s diminishing vigilance level has become a serious problem in traffic safety. Among different approaches in this field, monitoring the driver’s head position has received considerable interest. This could be used to infer the driver’s fatigue level (especially when combined with a driver-eye-gaze tracking system) and implement a “smart” airbag.

The tools and techniques used in transportation to certify and develop safe, reliable products are effective for present-day systems, but they might not be economically or technically feasible for more complex, larger future systems. Challenges exist in implementing certification of new ITS or individual technologies, including determining what should be certified, what entity is responsible for certification, and how the certification should be accomplished. Issues for the DOT Intelligent Transportation System Connected Vehicle Research (which can also be applied to other areas of transportation CPS) include uncertainty about what policy or legislation will be required to successfully launch and sustain new technologies. Another issue is determining what entities will potentially own and govern connected vehicle research systems, components, and data. Also in question is what elements need to be governed and how to address public concerns for privacy.

Safety is a paramount concern for any transportation system. As technology levels in vehicles drastically increase, the emphasis on safety and security must keep pace. One of the grand challenges that the automotive sector is working to achieve is “zero fatality” highways. It is expected that increased automation can help to achieve safety goals, but not without some challenges. There is a possibility that integrated technologies will create more distractions for drivers, potentially causing safety issues.

Security threats will be a continuous concern and challenge in transportation CPS. The systems will be constantly changed and updated, creating more opportunities for weaknesses or faults to be potentially exploited. As CPS become more complex and interactions between components increase, safety and security will continue to be of paramount importance.

Healthcare. The past years have witnessed the transformation of the designs of medical devices from analog to digital. Analog designs were simple, with simple user interfaces and limited functionality. The primary method of controlling risk to the patient was human intervention. The device was used while the specialist was present, handling the device. Because of established business models these devices tended to last a long time.

Today, innovations in technology and new ways of connecting devices to each other have completely changed the landscape of this field. Microprocessors, actuators, sensors of different kinds and software can all be put together easily in ways that they scale up. For example, some of the more complex devices can have a million lines or more of code.

Most devices contain embedded systems that rely on a combination of proprietary, commercial-off-the-shelf (COTS) and custom software or software-of-unknown-pedigree (SOUP) components. While general-purpose computing systems, such as PCs, execute a wide variety of functions and are easily reprogrammed, an embedded system may be thought of as a special-purpose computer system designed to perform dedicated functions. An embedded system is usually subject to resource-limitation constraints as part of a mechanical device and, because it is not intended to be reprogrammable, implemented in read-only memory. Embedded systems are becoming critical in medicine because they increasingly control functions of, and communicate with, patients themselves as well as engineered systems.

These systems are highly proprietary and increasingly dependent on software to provide greater levels of device robustness and functionality. Embedded system design allows the real-time acquisition and interpretation of signals of various kinds, and for this reason it has enabled current technology. However, the machine becomes dedicated and difficult to integrate into a network where it gives out information while it also receives information of different kinds. With general purpose computers becoming faster and smaller, the market may favor general computing as opposed to specialized. Nevertheless, in today’s environment medical devices continue to rely on competent human intervention as the ultimate risk-control measure.

CPS deployment and integration in healthcare faces general and specific challenges. The general challenges are related to the overall cyber-physical infrastructure: hardware, connectivity, software development and communications. The specific challenges have to do with specialized processes at the intersection of control and sensing, sensor fusion and decision making, security, and the compositionality of CPS.

Engineering the complex medical systems envisioned cannot be obtained using current software development practices, because not only do we need to know that it is trustworthy software made out of diverse components, but we also need to know whether the system of systems functions as expected. New software engineering techniques are needed that integrate computational and communication designs together with patient models. Software development methods must scale across the device industry’s entire problem.

The study of security for medical devices is at an embryonic stage, simply because most medical devices are not connected to any network. A paradigm shift is underway, with health care patient records changing from paper to electronic media. As this information is used in medical device interoperation, the issue of security becomes important.

3.3 Engineering processes for CPS

One of the big challenges in engineering CPS is the requirement of integrating into a coherent system both the computational part (cyber) and the physical part. This entails that models and methods from different disciplines, including computer science, electronics, mechanics, as well as economics and social sciences, must be brought together in a consistent way, coordinating formalisms that are both discrete and continuous [Cen13]. It moreover implies that industrial engineering practices tend to use a subsystem-based approach, where new functionalities are immediately mapped to certain technologies and subsystems, resulting in large opportunities for optimizing future CPS if new development methodologies can be adopted.

In this context, several approaches are currently under development and use in the industry. In this section, we cover the most common and widespread.

3.3.1 The V-model of the design process

A widely accepted approach to deal with complexity of systems in the defense and transportation domain is to structure product development processes along variations of the V diagram, originally developed for defense applications by the German DoD.¹

Its characteristic V-shape splits the product development process into a design and an integration phase. Specifically, following product level requirement analysis, subsequent steps would first evolve a functional architecture supporting product level requirements. Sub-functions are then re-grouped taking into account re-use and product line requirements into a logical architecture, whose modules can be developed independently, e.g., by different subsystem suppliers. The realization of such modules often involves mechatronic design. The top-level of the technology-oriented architecture would then show the mechatronic architecture of the module, defining interfaces between the different domains of mechanical, hydraulic, electrical, and electronic system design. Subsequent phases would then unfold the detailed design for each of these domains, such as the design of the electronic subsystem involving among others the design of electronic control units. These design phases are paralleled by integration phases along the right-hand part of the V, such as integrating basic and application software on the ECU hardware to actually construct the electronic control unit, integrating the complete electronic subsystems, integrating the mechatronic subsystem to build the module, and integrating multiple modules to build the complete product. Forming an integral part of V-based development processes are testing activities, where at each integration level test-suites developed during the design phases are used to verify compliance of the integrated entity to their specification.

The design of electronic components in complex systems such as aircraft inherently involves multi-site, multi-domain and cross-organizational design teams, reflecting, e.g., a partitioning of the aircraft into different subsystems (such as primary and secondary flight systems, cabin, fuel, and wing), different domains such as the interface of the electronic subsystem to hydraulic and/or mechanical subsystems, control-law design, telecommunications, software design, hardware design, diagnostics, and development-depth separated design activities carried out at the OEM and supplier companies. This partitioning of the design space (along perspectives and abstraction layers) naturally lends itself to a parallelization of design activities, a must in order to achieve timely delivery of the overall product, leading often into the order of hundreds of concurrent design processes.

¹ See, e.g., http://www.v-model-xt.de

Each of these sub-processes will have its own design basis, as determined by the role of an organization in the supplier chain. Abstraction levels define, then, what is seen as basic design-unit at a given level in the supplier hierarchy, such as on the module-level (such as an aircraft engine), the ECU level (such as in traditional automotive development processes, where tier 1 suppliers were providing a complete ECU implementing a single new vehicle function), or the microprocessor layer.

Tightly linked to the previous item is the observation that re-use strategies such as component-based design and product line design lead to separate design activities, which then short-cut or significantly reduce the effort both in design and integration steps in the individual sub-processes for an individual product.

Finally, there is a need of supporting processes for key viewpoints, such as for safety, where domain standards prescribe activities to be carried out during product development, which are often anchored with separate roles in the organization. For instance, Airbus Recommended Practices 4754 prescribes the activities in a safety assessment process as well as its interface to the aircraft development process, ultimately yielding a safety case to be approved by certification authorities.

Virtual integration tests are instrumental in discovering and revealing failures early in the V cycle. The challenge rests in lifting this from the current level of simulation-based analysis of functional system requirements to rich virtual integration testing that includes non-functional requirements. An approach to do so is contract-based virtual integration testing, where both subsystems and the complete system are equipped with multi-viewpoint contracts. Since subsystems now characterize their legal environments, we can flag situations where a subsystem is used out of specification, i.e., in a design context for which no guarantees on the subsystem's reaction can be given. Instances of possible early tests include:

• The lack of a component to provide complete fault isolation (a property presumed by a neighbouring subsystem);

• The lack of a subsystem to stay within the failure hypothesis assumed by a neighbouring subsystem;

• The lack of a subsystem to provide a response within an expected time-window (a property presumed by a neighbouring subsystem);

• The unavailability of a shared resource such as a bus-system in a specified time-window;

• Non-allowed memory accesses;

• Glitch rates exceeding specified bounds (a property presumed by a neighbouring subsystem);

• Signal strengths not meeting specified thresholds (a property presumed by a neighbouring subsystem).

The above approach to virtual integration testing is purely based on the subsystems' contract specifications. If virtual integration testing is successful, any implementation of a subsystem compliant to this contract specification will not invalidate the outcome of virtual integration testing. Using this method the IP of subsystem suppliers is protected — the only evidence required is the confirmation that their implementation meets the subsystem contract specification. Second, assuming that the virtual integration test was passed successfully, one can verify whether the system itself meets its contract purely based on the knowledge of the subsystems' contract and the system's architecture (and evidence that the subsystem implementation is compliant with this contract).

This entails that, at any level of the supplier hierarchy, the higher-level organization can — prior to contracting suppliers — analyze whether the subsystems' contracts pass the virtual integration test and are sufficient to establish the system requirements. By then basing the contracts to suppliers on the subsystem contracts, and requiring subsystem suppliers to give evidence (such as through testing or through formal analysis methods) that their implementation complies to their contract, the final integration of subsystems to the complete system will be free of all classes of integration errors covered by contracts in the virtual integration test.
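The contract-based virtual integration test described above can be sketched as follows. This is an added illustration, not code from the deliverable or from any project it cites; it assumes contracts can be written as closed intervals over named interface quantities, and the subsystem names, quantities and bounds are constructed.

```python
"""Contract-based virtual integration test on interval contracts (added illustration)."""
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Interval:
    """Closed range of admissible values for one interface quantity."""
    lo: float = -math.inf
    hi: float = math.inf

    def within(self, other):
        return other.lo <= self.lo and self.hi <= other.hi


@dataclass
class Contract:
    name: str
    # What the subsystem requires of its environment (its "legal environments").
    assumptions: dict = field(default_factory=dict)
    # What the subsystem promises whenever its assumptions hold.
    guarantees: dict = field(default_factory=dict)


def virtual_integration_test(contracts, connections):
    """Check each connection (producer, consumer, quantity) on contracts alone.

    A finding means the consumer would be used out of specification: the
    producer promises nothing about the quantity, or promises a wider range
    than the consumer assumes.
    """
    findings = []
    for producer, consumer, quantity in connections:
        assumed = contracts[consumer].assumptions.get(quantity)
        if assumed is None:
            continue  # the consumer places no restriction on this quantity
        promised = contracts[producer].guarantees.get(quantity)
        if promised is None:
            findings.append((producer, consumer, quantity, "no guarantee"))
        elif not promised.within(assumed):
            findings.append((producer, consumer, quantity, "guarantee too weak"))
    return findings


def system_contract_met(system, contracts, connections, exports):
    """System guarantee q holds if integration passes and subsystem exports[q] refines it."""
    if virtual_integration_test(contracts, connections):
        return False
    return all(
        q in exports
        and contracts[exports[q]].guarantees.get(q, Interval()).within(bound)
        for q, bound in system.guarantees.items()
    )


def complies(contract, measurements):
    """Supplier evidence: every measured value lies inside the guaranteed range."""
    return all(
        contract.guarantees[q].lo <= v <= contract.guarantees[q].hi
        for q, values in measurements.items() if q in contract.guarantees
        for v in values
    )


def sample(fixed=False):
    """Constructed chain sensor -> controller -> actuator; all bounds are made up."""
    contracts = {
        "sensor": Contract("sensor", guarantees={
            "sample_latency_ms": Interval(0, 4 if fixed else 5),
            "glitch_rate_per_s": Interval(0, 2)}),
        "controller": Contract(
            "controller",
            assumptions={"sample_latency_ms": Interval(0, 4),
                         "glitch_rate_per_s": Interval(0, 5)},
            guarantees={"command_latency_ms": Interval(0, 10)}),
        "actuator": Contract(
            "actuator",
            assumptions={"command_latency_ms": Interval(0, 12),
                         "fault_isolated": Interval(1, 1)},
            guarantees={"brake_response_ms": Interval(0, 30)}),
    }
    if fixed:  # the controller contract now promises complete fault isolation
        contracts["controller"].guarantees["fault_isolated"] = Interval(1, 1)
    connections = [
        ("sensor", "controller", "sample_latency_ms"),
        ("sensor", "controller", "glitch_rate_per_s"),
        ("controller", "actuator", "command_latency_ms"),
        ("controller", "actuator", "fault_isolated"),
    ]
    system = Contract("brake_system",
                      guarantees={"brake_response_ms": Interval(0, 50)})
    return contracts, connections, system


if __name__ == "__main__":
    for fixed in (False, True):
        contracts, connections, system = sample(fixed)
        print("fixed" if fixed else "initial",
              virtual_integration_test(contracts, connections),
              system_contract_met(system, contracts, connections,
                                  {"brake_response_ms": "actuator"}))
```

The two findings on the initial contracts correspond to the time-window and fault-isolation cases in the list above; `complies` is the only check that needs data from a supplier's implementation.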

3.3.2 Requirements engineering

The design chains should connect seamlessly to minimize design errors and time-to-market delays. Yet, the boundaries among companies and between different divisions of the same company are often not as clean as needed and design specs move from one company (or one division) to the next in non-executable and often unstable and imprecise forms, thus yielding misinterpretations and consequent design errors. In addition, errors are often caught only at the final integration step as the specifications were incomplete and imprecise and nonfunctional specifications (e.g., safety, timing, power consumption, size) are difficult to trace.

Requirements engineering is a discipline that aims at improving this situation by paying close attention to the management of the requirement descriptions and traceability support (e.g., using commercial tools such as DOORS² in combination with Reqtify³) and by inserting whenever possible precise formulation and analysis methods and tools. Research in this area is active but more needs to be done to make this essential step a first class citizen in system design.

Depending on application domains, up to 50% of all errors result from imprecise, incomplete, or inconsistent and thus unfeasible requirements. Out of the many approaches taken in industry for getting requirements right, we focus here on those for initial systems requirements, relying on ISO 26262 compliant approaches.

To cope with the inherently unstructured problem of (in)completeness of requirements, industry has set up domain- and application-class specific methodologies. As particular examples, we mention learning processes, such as employed by Airbus to incorporate the knowledge base of external hazards from flight incidents, and the Code of Practice proposed by the Prevent Project using guiding questions to assess the completeness of requirements in the concept phase of the development of advanced driver assistance systems. Use-case analysis methods as advocated for UML-based development process follow the same objective. A common theme of these approaches is the intent to systematically identify those aspects of the environment of the system under development whose observability is necessary and sufficient to achieve the system requirements. Pushing this further again leads to using contracts: based on a determined system boundary, responsibilities of achieving requirements are split into those to be established by the system-under-development (the “guarantees” of the contract) and those characterizing admissible environments of the system-under-development (the “assumptions” of the contract).

However, the most efficient way of assessing completeness of a set of requirements is by executing it. This consists in what David Harel called “playing out” for the particular case of live sequence charts [HKMP02, HM03, HS07], i.e., the use of formalized contract specifications to generate trajectories of interface observations compliant with the considered set of contracts. Such simulation capabilities turn out to be instrumental in revealing incompleteness: typically, they will exhibit unexpected traces, e.g., due to an insufficient restriction of the environment, or only partially specified system reactions. Executing requirements is only possible if semi-formal or formal specification languages are used, where the particular shape of such formalizations is viewpoint and domain dependent. Examples include the use of failure propagation models for safety contracts, the use of probabilistic timed automata to specify arrival processes, the use of live sequence charts for capturing scenarios in the interaction of actors and systems, or formalized requirement languages such as the PSL standard [otICS10] combining temporal logic and automata-based specifications used in the EDA domain, or the pattern-based contract specification language defined by the integrated project SPEEDS.

² http://www-01.ibm.com/software/awdtools/doors/productline/
³ http://www.3ds.com/products-services/catia/capabilities/catia-systems-engineering/requirements-engineering/reqtify/

In addition, using contracts resting on logic-based formalisms comes with the advantage that “spurious” unwanted behaviours can be excluded by “throwing in” additional contracts, or strengthening assumptions, or by considering additional cases for guarantees. A second advantage rests in the capability of checking for consistency by providing effective tests, whether a set of contracts is realizable, or whether, in contrast, facets of these are inherently conflicting, and thus no implementation is feasible.

3.3.3 System-wide and multi-layer design optimization

System designs are often the result of modifications of previous designs with the attempt of minimizing risks and reducing delays and design costs. While this was an effective way of bringing new products to market in the past, with the increase in demand for new functionality and the advances of the implementation platforms, this strategy has yielded more problems than it has fixed. Indeed, there is a shared consensus that in most of the cases the designs are not optimized in the sense that the full exploitation of the new opportunities technology offers is not achieved and that having visibility of the available options and an evaluation framework for design alternatives are a sorely missing capability.

Since the design process is fragmented, product optimization is rarely carried out across more than one company boundary and even then, it is limited due to:

• The lack of appropriate models encompassing both functional and non-functional (Quality of Service) aspects, covering both internal use and export outside the company;

• The time pressure to meet the product deadlines;

• The functional description that is over-constrained by architectural considerations which de facto eliminate potentially interesting implementation alternatives.

An ideal scenario for optimization is to have access to the entire design space at the lowest possible level of abstraction and then run a global optimization algorithm that could select these components satisfying constraints and optimizing multiple criteria involving non-functional aspects of the design. Unfortunately this approach is obviously out of the question for most designs given the size of the design space and the capabilities of optimization algorithms.

If the design process were carried out as in a unique, well-integrated, virtual company including all the players shown above, the overall ecosystem would greatly benefit. The issue here is to allow a reasonably efficient design space exploration by providing a framework where different architectures could be quickly assembled and evaluated at each layer of abstraction corresponding to the design task being considered in the chain [EkAB+13].

What is possible is to select solutions in a pre-selected design space where the number of alternatives to choose from is finite and searchable by state-of-the-art optimization programs. Indeed, the platform-based design paradigm offers scaffolding that would support this approach. In fact, at any abstraction layer, we need to optimize with respect to the components of the platform. The selection process will have to look only at feasible combinations of the components as dictated by the composability contracts.
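The selection over a finite platform library can be sketched as follows. This is an added example, not code from the deliverable or from any tool it cites: the component names, costs, contract quantities and the two objectives (cost and end-to-end latency) are constructed for illustration, and contracts are reduced to simple numeric assume/guarantee constraints.

```python
from itertools import product
import operator

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


class Part:
    """One platform component with a cost and an assume/guarantee contract."""

    def __init__(self, name, cost, guarantees, assumes=()):
        self.name = name
        self.cost = cost
        self.guarantees = guarantees      # {quantity: value} offered to others
        self.assumes = list(assumes)      # [(quantity, op, bound)] required of others


def holds(constraints, facts):
    # A constraint on a quantity that nobody guarantees counts as violated.
    return all(k in facts and OPS[op](facts[k], v) for k, op, v in constraints)


def compose(parts):
    """Return the merged guarantees if the contracts are composable, else None."""
    for p in parts:
        env = {}
        for q in parts:
            if q is not p:                # assumptions are discharged by the *other* parts
                env.update(q.guarantees)
        if not holds(p.assumes, env):
            return None
    merged = {}
    for p in parts:
        merged.update(p.guarantees)
    return merged


def dominates(b, a):
    """b is no worse than a on both objectives and strictly better on one."""
    return (b["cost"] <= a["cost"] and b["latency_ms"] <= a["latency_ms"]
            and (b["cost"] < a["cost"] or b["latency_ms"] < a["latency_ms"]))


def explore(library, requirement=()):
    """Enumerate one part per role, keep feasible combinations, return the Pareto front."""
    feasible = []
    for combo in product(*library.values()):
        g = compose(combo)
        if g is None or not holds(requirement, g):
            continue
        feasible.append({
            "parts": tuple(p.name for p in combo),
            "cost": sum(p.cost for p in combo),
            "latency_ms": g["bus_latency_ms"] + g["cpu_latency_ms"],
        })
    pareto = [a for a in feasible if not any(dominates(b, a) for b in feasible)]
    return feasible, pareto


# Constructed platform library: two alternatives per role.
LIBRARY = {
    "sensor": [
        Part("S_lo", 5, {"sample_kbps": 200}, [("bus_kbps", ">=", 200)]),
        Part("S_hi", 12, {"sample_kbps": 2000}, [("bus_kbps", ">=", 2000)]),
    ],
    "bus": [
        Part("CAN", 3, {"bus_kbps": 500, "bus_latency_ms": 2.0}),
        Part("FlexRay", 9, {"bus_kbps": 10000, "bus_latency_ms": 0.5}),
    ],
    "ecu": [
        Part("E_small", 10, {"cpu_latency_ms": 4.0}, [("sample_kbps", "<=", 500)]),
        Part("E_big", 25, {"cpu_latency_ms": 1.0}, [("bus_kbps", ">=", 1000)]),
    ],
}

if __name__ == "__main__":
    feasible, pareto = explore(LIBRARY)
    print(len(feasible), "feasible of 8 combinations")
    for point in pareto:
        print(point)
```

Half of the eight combinations are rejected by the contracts before any objective is evaluated, which is the pruning effect the paragraph relies on.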

3.3.4 Managing risk across the development process

The realization of complex systems calls for design processes that mitigate risks in highly concurrent, distributed, and typically multi-domain engineering processes, often involving more than one hundred sub-processes. The complexity of the entire design process and of the relationships between players in the supply chain creates the need to elaborate risk sharing and risk management plans because of the potential enormity of the impact that design errors and supplier solidity may have on the economics of a company. Risk mitigation measures typically cover all phases of design processes, ranging from ensuring high quality initial requirements to early assessments of risks in realizability of product requirements during the concept phase, to enforcing complete traceability of such requirements with requirements management tools, to managing consistency and synchronization across concurrent sub-processes using Product Lifecycle Management (PLM) tools. PLM design is used in combination with virtual modelling and digital mockups, acting as a database of virtual system components. A key challenge rests in balancing risk reduction versus development time and effort: completely eliminating the risks stemming from concurrent engineering essentially requires a complete synchronization along a fine-grained milestone structure, which would kill any development project due to the induced delays.

Current practice leads to typically implicit assumptions about design aspects to be guaranteed by concurrent processes — designers are “speculating” on outcomes of concurrent engineering sub-processes, based on their experiences from previous designs. These assumptions should be made explicit — emphasizing once again the high methodological value of assumptions — and associated with risk levels, which qualify or quantify the expected risks in not achieving such assumptions [Dam05]. This very same instrument can be put in place during the concept phase of development processes, where vertical assumptions form the key basis for assessing realizability of requirements. If we are able to change the design process along the lines of more formal approaches, better complexity handling, and better requirement engineering, then risks will be substantially lower than they are today. Indeed, the nature of the risks and potential countermeasures could be factored in the requirement development phase as well as in detailed product implementation.

3.3.5 Complexity of the supply chain

To ensure coherent product development across complex supply chains, standardization of design entities and harmonization/standardization of processes are key trends. There are multiple challenges in defining technical annexes to contracts between OEM and suppliers. Specifications used for procurement should be precise, unambiguous, and complete. However, a recurrent reason for failures causing deep iterations across supply chain boundaries rests in incomplete characterizations of the environment of the system to be developed by the supplier, such as missing information about failure modes and failure rates, missing information on possible sources for interferences through shared resources, and missing boundary conditions. This highlights the need to explicate assumptions on the design context in OEM-supplier contracts. In the light of an increased sharing of hardware resources by applications developed by multiple suppliers, the contract-based approach seems indispensable for resolving liability issues and allowing applications with different criticality levels to co-exist (such as ASIL levels [IEC10, ISO11] in automotive).

Standardization of design entities

We have already discussed the importance of standardization in deliverable D4.1 (see [CyP14a]), especially with regard to the integration issue, which is central to an efficient CPS engineering process. Here we recall the main standards. In the automotive sector they include the recently approved requirement interchange format standard RIF⁴, the AUTOSAR⁵ de-facto standard, the OSEK⁶ operating system standard, standardized bus-systems such as CAN⁷ and Flexray⁸, standards for “car2X” communication, and standardized representations of test supported by ASAM⁹. Examples in the aerospace domain include ARINC standards¹⁰ such as the avionics applications standard interface, IMA, RTCA¹¹ communication standards. In the automation domain, standards for interconnection of automation devices such as Profibus¹² are complemented by standardized design languages for application development such as Structured Text.

⁴ http://www.w3.org/2005/rules/wiki/RIF_Working_Group
⁵ http://www.autosar.org/
⁶ http://www.osek-vdx.org/
⁷ http://www.iso.org/iso/search.htm?qt=Controller+Area+Network&searchSubmit=Search&sort=rel&type=simple&published=true
⁸ http://www.flexray.com/
⁹ http://www.asam.net/
¹⁰ http://www.aeec-amc-fsemc.com/standards/index.html
¹¹ http://www.rtca.org/

As standardization moves from hardware to operating system to applications, and thus crosses multiple design layers, the challenge increases to incorporate all facets of design entities required to optimize the overall product, while at the same time enabling distributed development in complex supply chains. As an example, to address the different viewpoints required to optimize the overall product, AUTOSAR extended, in transitioning from release 3.1 to 4, its capability to capture timing characteristics of design entities, a key prerequisite for assessing alternate deployments with respect to their impact on timing. More generally, the need for overall system optimization calls for the standardization of all non-functional viewpoints of design entities, an objective yet to be achieved in its full generality.

Standardization/harmonization of processes

Harmonizing or even standardizing key processes (such as development processes and safety processes) provides for a further level of optimization in interactions across the supply chain. As an example, Airbus Directives and Procedures (ADBs) provide requirements for design processes of equipment manufacturers. Often, harmonized processes across the supply chain build on agreed maturity gates with incremental acceptance testing to monitor progress of supplier development towards final acceptance, often building on incremental prototypes. Shared use of Product Lifecycle Management (PLM) [R. 05] databases across the supply chain offers further potentials for cross-supply chain optimization of development processes. Also, in domains developing safety related systems, domain specific standards clearly define the responsibilities and duties of companies across the supply chain to demonstrate functional safety, such as in the ISO 26262¹³ for the automotive domain, IEC 61508¹⁴ for automation, its derivatives Cenelec EN 50128 and Cenelec EN 50126¹⁵ for rail, and Do 178 B¹⁶ for civil avionics.

Yet, the challenge in defining standards rests in balancing the need for stability with the need of not blocking process innovations. As an example, means for compositional construction of safety cases are seen as mandatory to reduce certification costs in the aerospace and rail domains. Similarly, the potential of using formal verification techniques to cope with increasing system complexity is considered in the move from DO 178 B to DO 178 C standards.

¹² http://www.profibus.com/
¹³ http://www.iso.org/iso/catalogue_detail.htm?csnumber=43464
¹⁴ http://www.iec.ch/functionalsafety/
¹⁵ http://www.cenelec.eu/Cenelec/CENELEC+in+action/Web+Store/Standards/default.htm
¹⁶ http://www.do178site.com/


3.4 Scientific foundations for CPS

One of the main scientific challenges of CPS is their inherent heterogeneity. From a foundations point of view, the computational and the physical parts of the design differ substantially in both the modelling methodology and the design process (as discussed in the previous section). In particular, Derler et al. identify the notion of time as one specific aspect that requires a fundamentally new approach [DLV12]. Computing has been traditionally only concerned with the sequence of operations, leaving the timing as a secondary concern, which has to do mostly with performance. Conversely, the interaction with the physical world and the reactivity of the system demand the execution of operations at precise times for the design to work as expected.

Other issues that have been explored in the literature include the ability to evaluate the performance of the system and its non-functional properties, with methods that are rooted in system level design analysis. One approach that has received a lot of attention in the last few years is the one based on contracts. We will analyze these aspects in the rest of this section.

3.4.1 System level design methods

The literature on system level design and design space exploration is vast. Densmore et al. presented a broad survey of system level design tools and methodologies in the context of Platform-Based Design [DPSV06]. There, several general aspects are identified, which are important for comparing tools and flows, categorized along different axes such as the ability to support functional, architecture and mapping descriptions, and the depth of the levels of abstraction that are covered. Here we will focus in particular on the modelling capabilities and especially on the handling of different interaction paradigms to support heterogeneity of various frameworks. We will also discuss the tools in terms of their ability to effectively decouple functionality and architecture, and on the mechanisms available for their mapping.

System level analysis plays an essential role in the design of hard real-time embedded systems at an early stage. Several different methodologies that address the problem of system-level analysis of embedded systems have been presented [DHLN10, KMN+00, BBS06a, HHJ+05, CPR08, TCN00, BMS09, SVA04]. These methodologies are typically based on some form of abstraction and can often be applied to only a specific or limited set of system architectures or parameter space. Abstraction comes in the form of analytical and executable models. Analytical models are advantageous in that they generally provide good scalability, particularly if they are compositional. On the other hand, executable models can often be more accurate as a more general semantic model is inherent to them. Because of the complementary nature of analytical and executable methods, there has been a trend recently in trying to combine techniques from these domains and thereby taking advantage of their respective strengths [SV07].


On the analytical side, the Modular Performance Analysis Toolbox [WTVL06], based on the Real-Time Calculus (MPA-RTC) [TCN00], makes use of functions on the time-interval domain to represent both system workload and availability of computation and communication resources. Component interaction is abstractly modeled by sets of functions, instead of signals, tokens or other activity triggers. As this features compositionality also on the level of the formal analysis, MPA-RTC supports a wide and efficient performance evaluation of key metrics of component-based real-time systems. Pessimism contained in the obtained guarantees w.r.t. worst-case system behaviours, e.g., burst-sizes, backlog-sizes and delays, can be avoided as long as the system under analysis matches the model of computation inherent to RTC. However, it may be difficult to adequately model components having state-dependent behaviours, e.g., CPUs whose speed changes with the size of the backlog buffer. For less pessimistic results in such situations, a methodology for embedding component models based on Timed Automata (TA) [AD90] into an MPA-RTC-based system model [LPT09, LPT10] was developed. However, with this approach it is possible to study only fixed values of parameters, e.g., a fixed CPU speed, fixed buffer sizes, and fixed parameters of functions modelling the component/environment interaction. Hence, a big space of feasible parameter values remains unstudied.

A host of industrial tools have their roots in Model Driven Architecture (MDA) developed by OMG [MDA03]. At its basis is the separation between system behaviour vs. usage of platform capabilities. Development starts with a computation independent model (CIM), which captures detailed requirements but no functionality. This model is refined into a platform independent model (PIM), used to specify the functionality of the system without committing to any particular platform. At the same time, platform models are developed as sets of subsystems and technologies that provide a coherent set of functionality through interfaces and specified usage patterns. A PIM is transformed into a platform specific model (PSM) through a mapping that consists of model transformations, i.e., rules or algorithms that take objects in the PIM model language and generate (one or more) objects in the PSM model language. Annotations and attributes can be used to enrich the PSM model with non-functional properties [CPVP10].

An approach similar to MDA is Model Integrated Computing (MIC) [KSLB03]. MIC also uses models for the design representation and generators to synthesize and integrate the system. Unlike MDA, which uses UML for all levels, MIC uses domain-specific modelling languages. Thus, different modelling languages are used to express the functionality, the architecture and their relation (the mapping). The MIC methodology is supported by a set of tools that can create and manage such languages. For instance, the Generic Modelling Environment (GME) has been designed to facilitate the construction and the manipulation of a domain-specific modelling language, by providing a way to specify an abstract as well as a concrete syntax (textual or graphical), including well-formedness constraints and static semantics. The language design activity is again based on UML and on OCL constraints [OCL06], which are used as meta-languages. The resulting language need not be related to UML at all. The manipulation in GME also includes the possibility to merge and compose languages at the syntactic level, by identifying relationships between elements of different languages. Languages designed in GME can be manipulated using GReAT [Agr03] to implement a variety of model transformations based on standard traversal patterns or on graph rewriting rules. These are used to automatically convert models between languages, or to generate implementation models. MILAN [BPL+01, LDNA03] is a verification tool which supports simulator integration using model interpreters, and integrates the design space exploration tool DESERT [NSK03]. DESERT allows the designer to express platform flexibility by specifying structural constraints in OCL. Symbolic pruning of the design space based on these constraints can greatly reduce the number of points to be evaluated with lower level simulators.

SystemC [Sys, GLMS02] is a language created by the Language Open Group (LOG) of the Open SystemC Initiative (OSCI), and is targeted to a wide range of designers. SystemC supports different models of computation and allows the design of heterogeneous systems. Moreover, SystemC allows the design at different levels of abstraction including Register Transfer Level (RTL) and Transaction Level (TL) modelling. Basically, SystemC is a C++ class library, where C++ plays the role of language foundation while the library provides both a notion of process and interface, and a simulation kernel based on the Discrete-Event model.

SPIRIT¹⁷ is an IP-integration consortium that aims to provide a common specification mechanism for describing and handling IPs. It includes: an XML-based IP meta-data schema that leverages industry standards (such as VSIA, XSLT, and XPath), configuration and generation interfaces, and the IP-XACT methodology which uses the former two. This methodology is focused mainly at the RTL level, but an IP-XACT methodology with ESL extensions is currently under development. The ESL requirements for the XML schema include module hierarchy support, ad-hoc connection support, multiple views of different levels for one component (e.g., TLM PV, TLM CA, etc.), supporting mixed IP modelling abstraction levels.

Ptolemy II is a design environment for heterogeneous systems that consists of several executable domains of computation that can be mixed in a hierarchy controlled by a global scheduler [BLL+05]. Each MoC is described operationally in terms of a common executable interface. For each model, a “director” determines the activation order of the components (or actors). Similarly, a “receiver” implements communication in terms of a common interface. A MoC, or domain, in Ptolemy II is a pair composed of a director and a receiver. Heterogeneity in Ptolemy II is strictly hierarchical. This implies that each node of the hierarchy contains exactly one domain, and that each component interacts with the rest of the system using the specific communication mechanism of the hierarchy node it belongs to. Domains only interact at the boundary between two different levels of the hierarchy. SystemC-H [PSB07] is a heterogeneous extension to SystemC [GLMS02]. While SystemC is based on a discrete event simulation kernel, SystemC-H extends it to provide additional MoCs such as dataflow and hierarchical FSMs, using similar techniques as Ptolemy II. The authors demonstrate an increase in simulation efficiency over SystemC with MoC-specific analysis, such as static scheduling for dataflow. The hierarchical approach to heterogeneity of Ptolemy II and SystemC-H is nicely structured and is excellent for experimentation. The structure, however, also imposes limitations on the heterogeneity that can be achieved, as will be discussed later in Section 3.4.3.

¹⁷ The Spirit Consortium, http://www.spiritconsortium.org/home

The metroII framework also addresses the issue of heterogeneity of specification, supporting non-functional analysis using a platform-based design methodology [BDD+09, SVSS+09, DDG+13]. Unlike other approaches like GME, metroII is not concerned with the design of the modelling language. Instead, it allows designers to construct adaptors to coordinate components from different models. This way, existing languages can be employed with the development of wrappers that bridge between different activation and scheduling protocols. The objective is to determine semantic relationships using refinements into a common semantic domain, and then abstract the results into a mixed domain that supports the development of adaptors. There are many similarities between MDA and this methodology, starting with the shared goals of achieving model portability, interoperability and reusability. The main difference relates to the focus of metroII on architecture exploration, which employs a mapping that is more generic, and intended to provide performance metrics rather than a detailed implementation. The approach to heterogeneity also differs from that of Ptolemy II, and is instead based on establishing clear abstraction and refinement relationships between models. The approach is therefore not hierarchical, where the interaction between models is prescribed by the framework, but favors instead a more flexible horizontal adaptation of models.

ForSyDe [SJ04] initially specifies the system as a deterministic network of fully synchronous processes that communicate over sequences of events. Haskell has been chosen as the concrete language for expressing the model, since it natively supports higher order constructs. Compliance to the model is enforced by expressing the basic combinatorial behaviours using functions free of side effects, and by generating processes using higher order process constructors. This specification, which lacks detailed timing, is then refined into an implementation by applying a series of network transformations, that may or may not preserve the semantics. These transformations can, for example, partition the system into sub-domains that run at different speeds (the model is therefore no longer fully synchronous), interfaced through up- and down-converters. When the desired structure has been obtained, processes can be converted into hardware or software. The basic ForSyDe model was then extended to cover a larger array of MoCs [Jan03], and has been implemented in Standard ML in the SML-Sys project [MPS04b], as well as in C++ [MPSJ06]. There, the initial assumption of a fully synchronous system is dropped in favor of an untimed model similar to Kahn process networks [Kah74]. In addition, synchronous, clocked and timed models can be used for refinement. However, SML-Sys appears to be more focused on heterogeneous design, rather than on transformational refinement. For this reason, SML-Sys relies on ForSyDe for network transformations, while more complex interfaces have been introduced to bridge the gap between different sub-domains. More recently, the same group has developed a front-end to both SML-Sys and ForSyDe, called EWD [MPS04a], which captures their common structure into a GME-based metamodel, and provides some code generation facilities. GME uses the static semantics to catch certain classes of errors early in the design process.

In the heterogeneous system-level design language Rosetta [Ale06, KA03], a MoC is described declaratively as a set of assertions in a higher order logic. Different MoCs can be obtained by extending a definition in a way similar to the sub-classing relation of a type system. MoCs obtained in this way are automatically related by an abstraction/refinement relationship. Unrelated MoCs can still be compared by constructing functions that (sometimes partially) express the consequences of the properties and quantities of one domain onto another. This process is particularly useful for expressing and keeping track of constraints during the refinement of the design. Tools that take full advantage of the Rosetta representation are, however, still in development.

The separation between computation and coordination is central to the Behaviour-Interaction-Priority (BIP) framework [BBS06b]. In BIP, a system specification is divided into three layers. At the bottom layer, the behaviour of the system is specified as a collection of independent finite state transition systems (components), which communicate with the environment through ports. Each transition of a component is activated by an interaction, which is a subset of its ports. At the middle layer, a set of connectors specifies the possible interactions of the components. That is, connectors identify the subsets of the ports of the whole system that can participate in interactions, and therefore activate a transition. Different connectors, and different ways of linking them, define different kinds of interactions which can be used to model such diverse communication paradigms as asynchronous broadcast to fully synchronous systems. Connectors often result in nondeterministic systems. Determinism can be recovered by using the third layer, where priorities can be imposed on the interactions to induce a unique choice of transition. One of the strengths of the BIP framework is the ability to check certain properties, such as deadlock-freedom, compositionally. However, this may require a complex coordination scheme between a large set of connectors.
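The three layers can be made concrete with a small model. The following is an added example, not code from the BIP tools or from the deliverable: the two tasks, two locks, port names and the priority rule are constructed, and deadlocks are found by exhaustive exploration of the global state space rather than by BIP's compositional check.

```python
from collections import deque


class Component:
    """Behaviour layer: a finite-state transition system labelled by ports."""

    def __init__(self, name, initial, transitions):
        self.name = name
        self.initial = initial
        self.transitions = transitions  # {(state, port): next_state}


def interaction(*ports):
    """Interaction layer: a set of 'Component.port' names that fire together."""
    return frozenset(tuple(p.split(".")) for p in ports)


class System:
    def __init__(self, components, interactions, priorities=()):
        self.components = {c.name: c for c in components}
        self.order = [c.name for c in components]
        self.interactions = list(interactions)
        self.priorities = set(priorities)  # priority layer: pairs (low, high)

    def enabled(self, state):
        """Interactions whose every participant can take its port right now."""
        local = dict(zip(self.order, state))
        return [i for i in self.interactions
                if all((local[c], p) in self.components[c].transitions for c, p in i)]

    def allowed(self, state):
        """Enabled interactions that no enabled higher-priority one suppresses."""
        en = self.enabled(state)
        return [i for i in en if not any((i, hi) in self.priorities for hi in en)]

    def fire(self, state, inter):
        """All participants of the interaction move in one atomic step."""
        local = dict(zip(self.order, state))
        for c, p in inter:
            local[c] = self.components[c].transitions[(local[c], p)]
        return tuple(local[n] for n in self.order)

    def analyse(self):
        """Breadth-first search over reachable global states."""
        start = tuple(self.components[n].initial for n in self.order)
        seen, queue = {start}, deque([start])
        deadlocks, choice_points = [], []
        while queue:
            state = queue.popleft()
            moves = self.allowed(state)
            if not moves:
                deadlocks.append(state)       # nothing can fire: global deadlock
            if len(moves) > 1:
                choice_points.append(state)   # nondeterministic choice remains
            for m in moves:
                nxt = self.fire(state, m)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return {"states": len(seen), "deadlocks": deadlocks,
                "choice_points": choice_points}


def task(name):
    return Component(name, "idle", {("idle", "first"): "one",
                                    ("one", "second"): "both",
                                    ("both", "release"): "idle"})


def lock(name):
    return Component(name, "free", {("free", "acq"): "held", ("held", "rel"): "free"})


def build(t2_order, prioritise_t1=False):
    """T1 takes lock A then B; T2 takes the locks in t2_order (constructed scenario)."""
    x, y = t2_order
    t1 = [interaction("T1.first", "A.acq"), interaction("T1.second", "B.acq"),
          interaction("T1.release", "A.rel", "B.rel")]
    t2 = [interaction("T2.first", f"{x}.acq"), interaction("T2.second", f"{y}.acq"),
          interaction("T2.release", "A.rel", "B.rel")]
    prio = [(t2[0], t1[0])] if prioritise_t1 else []  # T1's first step wins a tie
    return System([task("T1"), task("T2"), lock("A"), lock("B")], t1 + t2, prio)


if __name__ == "__main__":
    print(build(("B", "A")).analyse())                      # opposite lock order
    print(build(("A", "B")).analyse())                      # same lock order
    print(build(("A", "B"), prioritise_t1=True).analyse())  # priority removes the choice
```

Changing only the connectors (the lock order of T2) removes the deadlock without touching any component, and the single priority rule then removes the remaining choice, at the price of T2 never running in this small model.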


3.4.2 Model-based design

At the heart of many methodologies for system level integration lies the exploitation of mathematical and executable models, in what is known as model-based design. We have discussed several aspects of this approach already in deliverable D4.1 (see [CyP14a]). Here we summarize the relevant related work.

Model-based design (MBD) is today generally accepted as a key enabler to cope with complex system design due to its capabilities to support early requirement validation and virtual system integration. MBD-inspired design languages and tools such as SysML¹⁸ [Obj08] and/or AADL [PF06] for system level modelling, Catia and Modelica [Fri03] for physical system modelling, Matlab-Simulink [Kar06] for control-law design, and UML¹⁹ [BRJ05, Obj], Scade [Ber03] and TargetLink for detailed software design, depend on design layer and application class. The state-of-the-art in MBD includes automatic code-generation, simulation coupled with requirement monitoring, co-simulation of heterogeneous models such as UML and Matlab-Simulink, model-based analysis including verification of compliance of requirements and specification models, model-based test-generation, rapid prototyping, and virtual integration testing.

In MBD today non-functional aspects such as performance, timing, power or safety analysis are typically addressed in dedicated specialized tools using tool-specific models, with the entailed risk of incoherency between the corresponding models, which generally interact. To counteract these risks, meta-models encompassing multiple views of design entities, enabling co-modelling and co-analysis of typically heterogeneous viewpoint specific models have been developed. Examples include the MARTE UML [Obj07] profile for real-time system analysis, the SPEEDS HRC metamodel [PHG+09] and the Metropolis semantic meta-model [BPPSV05, BDD+09, SVSS+09, DDG+13]. In Metropolis multiple views are accommodated via the concept of “quantities” that annotate the functional view of a design and can be composed along with subsystems using a suitable algebra. The SPEEDS meta-model building on and extending SysML has been demonstrated to support co-simulation and co-analysis of system models for transportation applications allowing co-assessment of functional, real-time and safety requirements. It forms an integral part of the meta-model-based inter-operability concepts of the CESAR reference technology platform.²⁰

Rather than “physically” integrating a system from subsystems at integration stages, model-based design allows systems to be virtually integrated based on the models of their subsystem and the architecture specification of the system. Such virtual integration thus allows detecting potential integration problems up front, in the early design phases. Virtual system integration is often a source of heterogeneous system models, such as when realizing an aircraft function through the combination of mechanical, hydraulic, and electronic systems. Heterogeneous composition of models with different semantics was originally addressed in Ptolemy [EJL+03], Metropolis [BDD+09, BPSV01], and in the SPEEDS meta-model of heterogeneous rich components [DVM+05, BCF+08, BFM+08], albeit with different approaches.

¹⁸ http://www.omg.org/spec/SysML/
¹⁹ http://www.omg.org/spec/UML/
²⁰ www.cesarproject.eu

3.4.3 Heterogeneous systems

We have already discussed this aspect in the previous sections; here we focus on the more theoretical developments.

Heterogeneity theory has been evolving in parallel with system level methodologies, to assist designers in dealing with heterogeneous composition of components with various Models of Computation and Communication (MoCC). The idea behind these theories and frameworks is to be able to combine well-established specification formalisms to enable analysis and simulation across heterogeneous boundaries. This is usually accomplished by providing some sort of common mechanism in the form of an underlying rich semantic model or coordination protocol. One such approach is the cited framework of Ptolemy II [BLL+05], where models, called domains, are combined hierarchically: each level of the hierarchy is homogeneous, while different interaction mechanisms are specified at different levels in the hierarchy. This approach, which has clear advantages for simulation, has two fundamental limitations. First, it does not provide access to the components themselves but only to their schedulers, limiting the ability to establish relations to only the models of computation, and not to the heterogeneous specifications of the components. More importantly, the relationship between different models is implicit in the way the execution protocol schedules the activation of the directors and the transfer of information through the receivers. This makes it hard to predict the outcome of a hierarchical heterogeneous composition or to study its properties. In addition, the execution protocol is hard-wired in the framework, and therefore it cannot be changed without altering the core of the tools. As a result, the relationship between different models (i.e., abstraction and refinement) is fixed, unless boundary components are used to explicitly translate between different domains. For example, this technique is used in Ptolemy II to translate from the discrete to the continuous domain, and vice versa, through special transducers. This, however, appears to relax the requirement for strict hierarchical heterogeneity. The metroII framework [DDG+13] relaxes this limitation, and allows designers to build model adapters directly. However, metroII treats components mostly as black boxes using a wrapping mechanism to guarantee flexibility in the system integration, making the development of an underlying theory complex. These and other similar frameworks are mainly focused on handling heterogeneity at the level of simulation.

Another body of work is instead oriented towards the formal representation, verification and analysis of these systems. The already cited BIP framework uses the notion of connector, on top of a state based model, to implement both synchronous and asynchronous interaction patterns [BS08a]. Their relationship, however, cannot be easily altered. Recently, the BIP framework has been extended with a notion of real time to encompass hybrid models [TA10, AT13]. Benveniste et al. [BCC+08] propose a heterogeneous denotational semantics inspired by the Lee and Sangiovanni-Vincentelli formalism of tag signal models [LSV98], which has been long advocated as a unified modelling framework capable of capturing heterogeneous MoCC. In both models, tags play an important role in capturing various notions of time, where each tag system has its own tag structure expressing an MoCC. Composing such systems is thus done by applying mappings between different tag structures. Tag Machines [BCCSV05] are subsequently introduced as finite representations of homogeneous tag systems. They are quite expressive, and ways to map traditional interaction paradigms have been reported in the literature [BCCSV05].

One approach to dealing with both the discrete evolution typical of computational systems and the continuous evolution of physical systems is to use a hybrid model or timed automata. These models come in a variety of forms, and generally consist of a state machine whose states represent dynamics in the form of differential equations. Several tools have been developed to analyze these systems, including the cited Modelica [Fri03] and Simulink [Kar06], UPPAAL [BDL+06] and many others. Carloni et al. provide a comprehensive survey [CPPSV06].

3.4.4 Contract-based design

It is difficult to write a comprehensive bibliography on the general aspects of contract-based design. The topic is multifaceted and has been addressed by several communities: software engineering, language design, system engineering, and formal methods in a broad sense. We report here a partial and limited overview of how this paradigm has been tackled in these different communities.

Part of this material was inspired by a report by Payne [Ric10]. Design by Contract is a software engineering technique popularized by Bertrand Meyer [Mey92, Mey09] following earlier ideas from Floyd-Hoare logic [Rob67, Hoa69]. Floyd-Hoare logic assigns meaning to sequential imperative programs in the form of triples of assertions {P,C,Q} consisting of a precondition on program states and inputs, a command, and a postcondition on program states and outputs. Meyer’s contracts were developed for Object-Oriented programming. They expose the relationships between systems in terms of preconditions and postconditions on operations and invariants on states. A contract on an operation asserts that, given a state and inputs which satisfy the precondition, the operation will terminate in a state and will return a result that satisfy the postcondition and respect any required invariant properties. Contracts contribute to system substitutability. Systems may be replaced by alternative systems or assemblies that offer the same or substitutable functionality with weaker or equivalent preconditions and stronger/equivalent postconditions. With the aim of addressing service oriented architectures, a multiple layering of Meyer’s contracts was proposed by Beugnard et al. [BJP99]. The basic layer specifies operations, their inputs, outputs and possible exceptions. The behaviour layer describes the abstract behaviour of operations in terms of their preconditions and postconditions. The third layer, synchronization, corresponds to real-time scheduling of component interaction and message passing. The fourth, quality of service (QoS) level, details non-functional aspects of operations. The contracts proposed by Beugnard et al. are subscribed to prior to service invocation and may also be altered at runtime, thus extending the use of contracts to Systems of Systems [M.W98]. The contracts discussed so far, consisting of pre/postconditions, naturally fit imperative sequential programming. In situations where programs may operate concurrently, interference on shared variables can occur. Rely/Guarantee rules [Jon83] were thus added to interface contracts. Rely conditions state assumptions about any interference on shared variables during the execution of operations by the system’s environment. Guarantee conditions state obligations of the operation regarding shared variables.
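
The substitutability rule stated above (weaker or equivalent preconditions, stronger or equivalent postconditions), together with run-time enforcement of a contract, as an added example that is not part of the deliverable. The valve contracts, the integer domain and all function names are constructed for illustration.

```python
"""Added example: pre/postcondition contracts and the substitutability rule."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


class PreconditionError(Exception):
    """The caller supplied an input outside the precondition."""


class PostconditionError(Exception):
    """The component returned a result outside the postcondition."""


@dataclass(frozen=True)
class Contract:
    name: str
    pre: Callable[[int], bool]         # predicate on the input
    post: Callable[[int, int], bool]   # predicate on (input, output)


def enforce(contract: Contract, impl: Callable[[int], int]) -> Callable[[int], int]:
    """Wrap impl so that every call is checked against the contract."""
    def checked(x: int) -> int:
        if not contract.pre(x):
            raise PreconditionError(f"{contract.name}: input {x}")
        y = impl(x)
        if not contract.post(x, y):
            raise PostconditionError(f"{contract.name}: input {x} gave {y}")
        return y
    return checked


def outcome(component: Callable[[int], int], x: int) -> str:
    """Run one call and say which side, if any, broke the contract."""
    try:
        return f"ok:{component(x)}"
    except PreconditionError:
        return "caller-fault"
    except PostconditionError:
        return "component-fault"


def substitution_counterexample(new: Contract, old: Contract,
                                inputs: Iterable[int],
                                outputs: Iterable[int]) -> Optional[str]:
    """Return None if `new` may replace `old`, else the first violation found.

    Checked exhaustively over the finite sets given: `new` must accept every
    input `old` accepts, and on those inputs must allow no output `old` forbids.
    """
    outputs = list(outputs)
    for x in inputs:
        if not old.pre(x):
            continue  # clients of `old` never send x, so it cannot break them
        if not new.pre(x):
            return f"precondition strengthened: {new.name} rejects input {x}"
        for y in outputs:
            if new.post(x, y) and not old.post(x, y):
                return (f"postcondition weakened: {new.name} allows "
                        f"output {y} for input {x}")
    return None


# Constructed sample: a valve-opening command in percent.
DOMAIN = range(-50, 201)


def clamp(x: int) -> int:
    return min(max(x, 0), 100)


VALVE_V1 = Contract("valve_v1", lambda x: 0 <= x <= 100,
                    lambda x, y: 0 <= y <= 100)
VALVE_V2 = Contract("valve_v2", lambda x: -50 <= x <= 200,       # weaker pre
                    lambda x, y: y == clamp(x))                   # stronger post
VALVE_NARROW = Contract("valve_narrow", lambda x: 0 <= x <= 80,  # stronger pre
                        lambda x, y: 0 <= y <= 100)
VALVE_LOOSE = Contract("valve_loose", lambda x: 0 <= x <= 100,
                       lambda x, y: 0 <= y <= 120)                # weaker post

if __name__ == "__main__":
    for candidate in (VALVE_V2, VALVE_NARROW, VALVE_LOOSE):
        verdict = substitution_counterexample(candidate, VALVE_V1, DOMAIN, DOMAIN)
        print(candidate.name, "->", verdict or "substitutable for valve_v1")
    print(outcome(enforce(VALVE_V1, clamp), 150))             # caller-fault
    print(outcome(enforce(VALVE_V1, lambda x: x + 30), 90))   # component-fault
```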

The frameworks of contracts developed in the area of Software Engineering have proved useful paradigms for component-based software system development. For the wider area of CPS, model-based development (MBD) is generally accepted as a key enabler due to its capabilities to support early validation and virtual system integration. MBD-inspired design languages and tools include SysML [Obj08] or AADL [PF06] for system level modelling, Modelica [Fri03] for physical system modelling, Matlab-Simulink [Kar06] for control-law design, and Scade [Nic91, Ber03] and TargetLink for detailed software design. UML-related standardization efforts in this area also include the MARTE UML profile (www.omgmarte.org) for real-time systems. Contract theories for model-based development were considered in the community of formal verification. They were initially developed as specification formalisms able to refuse certain inputs from the environment. Dill proposed asynchronous trace structures with failure behaviours [Dil89]. A trace structure is a representation of a component or interface with two sets of behaviours. The set of successes are those behaviours which are acceptable and guaranteed by the component. Conversely, the set of failures are behaviours which drive the component into unacceptable states, and are therefore refused. This work focuses primarily on the problem of checking refinement, and does not explore further the potentials of the formalism from a methodological point of view. The work by Dill was later extended by Wolf in the direction of synchronous systems. Negulescu later generalizes the algebra to Process Spaces which abstract away the specifics of the behaviours, and derives new composition operators [Neg98]. This particular abstraction technique was earlier introduced by Burch with Trace Algebras to construct conservative approximations [Bur92], and later generalized by Passerone and Burch [PBSV07] to study generic trace structures with failure behaviours and to formalize the problem of computing the quotient (there called mirror) [Pas04].

Contracts often appear in the form of an Interface Theory. Interfaces have been the subject of considerable literature, see [Nym08] for an in-depth bibliographical study. In 2001, de Alfaro and Henzinger [dAH01] introduced Interface Automata, where interfaces are seen as games between the component and its environment. Since then, Interface Automata have often been considered as the theory of reference regarding interfaces. Refinement is by alternating simulation [AHKV98], which amounts to getting more permissive regarding the environment and more constrained regarding the considered component. Parallel composition is monotonic with respect to refinement and ensures substitutability and deadlock freeness. This framework was adapted in [CdAHM02] to synchronous symbolic transition systems and was subsequently extended to handling shared refinement [DHJP08].

Building on [dAH01] in combination with background work on modal automata [Lar89], Larsen et al. [LNW07a] have shown that the framework of Interface Automata is naturally embedded into that of Modal I/O Automata, a slight variation of modal automata. According to this embedding, alternating simulation appears as a particular case of modal refinement. In [LNW06], the same group of authors adapts modal I/O automata to support Assume/Guarantee reasoning. Regarding the variations around the generic concept of modality, an extensive bibliographical study is again found in [Nym08]. This is a fundamental step as it allows replacing the sophisticated, game oriented, refinement by alternating simulation, by the much simpler notion of modal refinement.

In his thesis [Rac07], Raclet provided an interesting language-oriented variation of modal automata, called modal specifications. Modal specifications are the language version of modal automata. They correspond to the conjunctive fragment of the mu-calculus [FP07, Feu05]. They are slightly more restrictive than modal automata, because, by not handling states explicitly, they cannot capture nondeterminism. On the other hand, they are more elegant in that modal refinement is sound and complete for modal specifications (see [LNW07b] regarding the non-completeness of modal refinement for modal automata).

An extensive trace-based theory of Assume/Guarantee reasoning in the form of A/G-contracts has been proposed in the SPEEDS project [BCF+08] with explicit handling of multiple-viewpoint contracts. By explicitly relying on the notions of Assumptions and Guarantees, A/G-contracts are intuitive, which makes them appealing for the engineer. In A/G-contracts, Assumptions and Guarantees are just properties. The typical case is when these properties are languages or sets of traces, which includes the class of safety properties [Lam77, CMP92, MP95, BJ08, CGP99]. A/G-contracts were further experimented with in the framework of the CESAR project [DTS+11], with the additional consideration of weak and strong assumptions. In [BCF+08], a theory was developed that turns out to be closest to this presentation; still, exceptions were not handled there.
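
The A/G-contract operations named in this section (satisfaction, refinement, parallel composition, and conjunction of viewpoints) in their usual set-based form over a finite universe of behaviours, as an added example rather than code or formulas taken from the deliverable or the SPEEDS project. The three observations x, y, z, the gateway and controller contracts, and all function names are constructed for illustration.

```python
"""Added example: set-based assume/guarantee contracts on a finite model."""
from dataclasses import dataclass
from itertools import product

# A behaviour is one valuation of three constructed boolean observations:
#   x  the command reaching the gateway is well-formed
#   y  the command the gateway hands to the controller is in range
#   z  the actuator stays inside its safe envelope
UNIVERSE = frozenset(product((False, True), repeat=3))


def where(pred) -> frozenset:
    """The set of behaviours (x, y, z) for which pred holds."""
    return frozenset(b for b in UNIVERSE if pred(*b))


@dataclass(frozen=True)
class Contract:
    A: frozenset  # assumptions: behaviours the environment is trusted to stay in
    G: frozenset  # guarantees: behaviours the component promises under A

    def saturated(self) -> "Contract":
        """Canonical form: the guarantee is widened to G ∪ ¬A."""
        return Contract(self.A, self.G | (UNIVERSE - self.A))


def implements(M: frozenset, c: Contract) -> bool:
    """M satisfies c if every behaviour of M that meets A is in G."""
    return (M & c.A) <= c.G


def refines(new: Contract, old: Contract) -> bool:
    """new refines old: it assumes no more and guarantees no less."""
    n, o = new.saturated(), old.saturated()
    return n.A >= o.A and n.G <= o.G


def compose(c1: Contract, c2: Contract) -> Contract:
    """Parallel composition: both guarantees hold, and each component may
    discharge part of the other's assumption."""
    s1, s2 = c1.saturated(), c2.saturated()
    G = s1.G & s2.G
    return Contract((s1.A & s2.A) | (UNIVERSE - G), G)


def conjoin(c1: Contract, c2: Contract) -> Contract:
    """Conjunction of two viewpoints on the same component."""
    s1, s2 = c1.saturated(), c2.saturated()
    return Contract(s1.A | s2.A, s1.G & s2.G)


# Constructed contracts for a gateway feeding an actuator controller.
GATEWAY = Contract(where(lambda x, y, z: x), where(lambda x, y, z: y))
CONTROLLER = Contract(where(lambda x, y, z: y), where(lambda x, y, z: z))
SYSTEM = Contract(where(lambda x, y, z: x), where(lambda x, y, z: z))
GATEWAY_NO_PROMISE = Contract(where(lambda x, y, z: x), UNIVERSE)
# Second viewpoint on the controller: stay safe even on out-of-range commands.
FAILSAFE = Contract(where(lambda x, y, z: not y), where(lambda x, y, z: z))

# Constructed implementations, given as the behaviours they can exhibit.
FORWARDING = where(lambda x, y, z: y == x)     # output valid iff input valid
DROPPING = where(lambda x, y, z: not y)        # never emits an in-range command
SAFE_CTRL = where(lambda x, y, z: z or not y)  # safe whenever the command is in range

if __name__ == "__main__":
    print("gateway x controller refines system:",
          refines(compose(GATEWAY, CONTROLLER), SYSTEM))
    print("with a gateway that promises nothing:",
          refines(compose(GATEWAY_NO_PROMISE, CONTROLLER), SYSTEM))
    print("forwarding gateway implements GATEWAY:", implements(FORWARDING, GATEWAY))
    print("dropping gateway implements GATEWAY:", implements(DROPPING, GATEWAY))
    # Behaviours outside A are never held against the component.
    print("malformed-input-only runs implement GATEWAY:",
          implements(where(lambda x, y, z: not x), GATEWAY))
    print("viewpoints combined give unconditional safety:",
          conjoin(CONTROLLER, FAILSAFE).G == where(lambda x, y, z: z))
```

Because `implements` holds vacuously for behaviours outside the assumption, a contract of this form makes no promise about inputs that violate A; the `FAILSAFE` viewpoint is what covers them here.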

Inspired by [LNW06], another form of A/G-contract was proposed by [GPQ14, GQ07, HGQ10] when designs are expressed using the BIP programming language [BS08b, Sif09]. To achieve separate development of components, and to overcome the problems that certain models have with the effective computation of the operators, the authors avoid using parallel composition $\otimes$ of contracts, and replace it with the concept of circular reasoning.

Regarding extensions, a notion of contract for real-time interfaces is proposed in [BS10]. Sets of tasks are associated to components which are individually schedulable on a processor. In [NSVSP12], a platform-based design methodology that uses A/G analog contracts is proposed to develop reliable abstractions and design-independent interfaces for analog and mixed-signal integrated circuit design. Horizontal and vertical contracts are formulated to produce implementations by composition and refinement that are correct by construction. A/G-contracts have also been extended to a stochastic setting by Delahaye et al. [Del10, DCL10, DCL11]. In this work, the implementation relation becomes quantitative. More precisely, implementation is measured in two ways: reliability and availability. Availability is a measure of the time during which a system satisfies a given property, for all possible runs of the system. In contrast, reliability is a measure of the set of runs of a system that satisfy a given property. Following the lines of the contract theories presented earlier, satisfaction is assumption-dependent in the sense that runs that do not satisfy the assumptions are considered to be “correct”; the theory supports refinement, structural composition and logical conjunction of contracts; and compositional reasoning methods have been proposed, where the stochastic or non-stochastic satisfaction levels can be budgeted across the architecture. For instance, assume that implementation $M_i$ satisfies contract $C_i$ with probability $\alpha_i$, for $i = 1, 2$; then the composition of the two implementations $M_1 \times M_2$ satisfies the composition of the two contracts $C_1 \otimes C_2$ with probability at least $\alpha_1 + \alpha_2 - 1$.

Methodological aspects of contract-based design of Cyber-Physical Systems are extensively discussed in [SVDP12].
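
Where the bound $\alpha_1 + \alpha_2 - 1$ quoted above comes from, as an added derivation that is not part of the deliverable. The event $E_i$ (the runs of the composed system on which $M_i$ satisfies $C_i$, so that $\Pr[E_i] \ge \alpha_i$) and the assumption that the composed contract holds on every run in $E_1 \cap E_2$ are introduced here for illustration:

$$
\Pr[E_1 \cap E_2] \;=\; 1 - \Pr[\overline{E_1} \cup \overline{E_2}] \;\ge\; 1 - (1 - \alpha_1) - (1 - \alpha_2) \;=\; \alpha_1 + \alpha_2 - 1 .
$$

The step uses only the union bound, so no independence between the two components is required, and the result is informative only when $\alpha_1 + \alpha_2 > 1$. Repeating it over $n$ components gives $1 - \sum_{i=1}^{n} (1 - \alpha_i)$, so a system-level target $\alpha$ is met when each component is budgeted $\alpha_i \ge 1 - (1 - \alpha)/n$.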

4 Current societal context

Typically a treatment of the “state of the art” is viewed as a technical assessment of some domain or technology. However the exploitation of technology depends on the wider social context. Thus, in order to form a realistic roadmap, CyPhERS needs to enrich this state of the art assessment by considering the wider societal context.

It would be possible to undertake a very broad assessment of the social context; however we have chosen to focus on four major areas, which we believe will be particularly influential regarding CPS adoption:

• Market aspects, including economic eco-systems and business models;

• Political and legislative perspectives;

• Public perception and adoption;

• Education encompassing the general competence level of citizens as well as engineering and management education, and lifelong learning.

The discussion covers opportunities for, and impediments to, CPS adoption as this enables us to identify challenges that need to be addressed in the roadmap as well as factors that will enhance the process of adopting CPS. The treatment of education mainly considers educational “initiatives” as CyPhERS believes that this will be a significant factor in enabling the future adoption of CPS.

Where appropriate, this section draws on earlier deliverables, particularly [CyP14b], but seeks to go beyond those deliverables in considering the impact of the societal factors on (adoption of) the state of the art.

4.1 Market aspects

In the Structured CPS Market Model (D3.1, see [CyP14b]) there was an extensive treatment of market models, including an analysis using classical “business school” models, e.g., Porter’s Five Forces. However [CyP14b] recognized that these classical models do not reflect the “new” business models enabled by IT (and the Internet) in general, and which can be exploited in (facilitating) the adoption of CPS. Four key areas were identified in [CyP14b]:

• Collaboration in innovation;

• End users as active members of the ecosystem;

• Virtual enterprises;

• Horizontal and vertical integration of enterprises.

We expand on each of these in turn before considering social enterprises. It should be noted that these categories are not entirely disjoint, but by considering each separately we can emphasize different aspects of (new) market mechanisms. We view these as “positives” for CPS; we then contrast this optimistic perspective by considering potential impediments to the adoption of such market models.

Collaboration in innovation is, in essence, the breaking down of traditional barriers, e.g., organizational boundaries, in innovation. This includes several models such as “open innovation” and “collaboration to compete”. We return to “open innovation” under the consideration of virtual enterprises, and consider collaboration first.

The concept of “collaboration to compete” is where competitors work together to create new markets, or to expand existing markets in a way that none of the competitors could do on their own. One example is developing new standards to create a new market in which companies can compete. Whilst the mobile phone industry is perhaps the paradigm example of this there are other examples, e.g., in formats for audio and video files. In CPS it is likely that such developments would be at the technology or information level, and might be domain specific. For example there might be agreements on data standards (ontologies) and communications protocols for medical CPS (the Continua Health Alliance referenced in [CyP14b] is an indication that exactly this form of collaboration is emerging). This sort of development could be purely market driven, or could be influenced by EU policy, e.g., facilitating or funding the collaborative activities.

End users may be active members of the ecosystem and, as such, would alter the dynamics of the market. For example, users developing apps that extend the capability of CPS make them more attractive. This gives leverage for the CPS manufacturer. Whilst they do not obtain direct revenue from the additional apps they obtain greater market share if the user-developed apps make their product more attractive. Thus it is in the manufacturer’s interests to open up interfaces (again largely at the information and technology layers). The concept of “crowd sourcing” might be viewed as a particular case of user-generated apps where users work together to create new capability. Capabilities such as 3D printing might allow the expansion of the capability of a CPS in the physical domain, e.g., adding to an actuator (perhaps a good analogy is a Swiss Army knife where owners could add new tools). Whilst such possibilities would fit into the CPS roadmap it is largely an opportunity for vendors, not something which can be influenced by EU policy.

Virtual enterprises or “open innovation” is where a network of organizations work together to innovate or to develop new technologies. Some companies already work this way, e.g., IBM both set up semi-stable collaborative structures and organize “jams” mediated over the Internet over a short period, perhaps a few weeks. They have used “jams” to look for innovations under their “Smarter Planet” initiative. This model is “natural” for IT systems and may include end users (see above) as well as researchers. It is also practical for CPS where the communications aspects enable the dynamic creation (and termination) of extended virtual enterprises. With the right infrastructure such mechanisms can also be used for social good, as well as market creation, e.g., to deal with a natural disaster, or for some other short-lived event. Whilst not in the CPS space, there are several examples of this in the recent past, e.g., producing accurate and informative mapping (or geographical information systems (GIS)) following events such as the Haiti earthquake. The opportunity with CPS is to have physical effect, as well as provide information, or to provide much more accurate information – perhaps of disruption of critical infrastructure, e.g., power or water, in the case of an earthquake, then providing an overlay on the GIS from CPS elements which monitor and control the infrastructure. Again, opening up of interfaces is crucial to making such a model work.

All of these market mechanisms can be used to enable both horizontal and vertical integration of enterprises. A vertical enterprise is from low-level component manufacturers to end users, perhaps through several intermediaries. In technological terms this might mean, say, a CPS component (hardware) manufacturer providing interfaces that are preserved “up” through layers of systems to enable the use of the interface to provide services at the “end user” level. In a car this might mean, for example, being able to access brake pad wear (from the maximum travel of the brake actuators) through the car’s telematics systems, either in a garage or by the car owner, perhaps through an app on a mobile phone. This example could be extended to, say, pre-ordering components for servicing, or focusing the attention of the technicians to make servicing more efficient, and hence creating market value.

Horizontal integration is more a “network” or “system of systems” model where peer systems interact to provide added value services or capabilities. Some of the example scenarios in [CyP14b] fall into this class. In general the value is generated through the sale of services that are not possible using one of the CPS “components” on its own. The most obvious analogy is with location-dependent services that are now available with smart phones – such services could be extended to CPS, e.g., to provide an automated parking service in an unfamiliar city, perhaps even an automated car “dropping off” the occupants at a restaurant, and coming to collect them again once it was informed that they had paid their bill. In this case there is convenience for the car owner, value for the car park owner if they get more custom (the park has higher average occupancy), and it may increase sales for both the automotive manufacturer and for the restaurant.

There are also not-for-profit enterprises which do not really map well to the classical models of competition; in general such enterprises are much more collaborative, and are concerned with creating social benefits, and are not driven by the profit motive. The example of providing a GIS to help in managing natural disasters outlined above is but one example of such an activity. However, from a technological perspective, similar mechanisms to those used in for-profit situations may support the not-for-profit activities. An interesting issue might be whether or not these mechanisms could be used for commercial services by some organizations, but the CPS vendors would also enable not-for-profit uses; if this were done, how would the CPS vendors avoid being exploited?

Obstacles can occur when a dominant “player” in a market refuses to collaborate (believing that their market position will enable them to retain substantial market share). More subtly, an organization may make “interpretations” of standards that lead to “lock in” to their technology and solutions. It is probably impossible to prevent such actions, but sufficiently anti-competitive behaviour can be addressed through existing EU mechanisms (strictly speaking this should be viewed as a political or legislative issue, but it fits more naturally here).

Considering these market issues in the context of a “state of the art” survey suggests two things. First, a critical aspect of the technology is openness of interfaces, but also providing “controlled openness” so that, for example, charging models can be agreed (perhaps dynamically) to enable the market to function economically, as well as at a technical level. Second, where it is of value to the EU consideration should be given to supporting “collaborate to compete” activities and these are likely to be around interfaces, data and information standards, means of managing data quality, etc. In CyPhERS it is really only possible to identify such things generically, as the details will inevitably be domain specific.

4.2 Political and legislative aspects

[CyP14b] referred to legal and standards issues, noting how these can shape the market. The intent here is to take a slightly broader view of such issues hence we have used the title “political and legislative aspects”. These are linked as we wish to consider how the jurisdictional and legislative issues may vary from state-to-state limiting action across borders. This is most simply illustrated by a non-CPS example.

Until recently, Liechtenstein required that bank account records were held (on computer systems) within the country. This had a number of effects, including limiting the use of computer services such as the cloud. Liechtenstein decided that this was disadvantageous and changed its legislative framework to allow the use of such technology.

What we need to understand is whether or not such issues can impact the adoption of CPS and thus need to be considered in the road map. It is beyond the scope of this document (indeed the CyPhERS project) to do a review of all potentially applicable legislation in the EU, but it is possible to shed light on the issue by considering both generic and domain-specific issues.

The term jurisdiction means “the geographic area over which authority extends”, in the context of legal authority. Historically jurisdiction has rested with Nation States, or parts of Nation States, e.g., Germany has the authority to deal with certain issues, e.g., traffic law violations, within its borders. Whilst the establishment and evolution of the EU has meant more homogeneity at the European level, the jurisdiction for many issues still remains with Nation States; even where the legislation is pan-European the Nation States would still take legal action. There are already issues due to Internet connectivity that can be seen to challenge this concept, and there is a question of whether or not the use of CPS is adequately addressed.

For example, if a CPS element (an actuator of some sort) was used to cause some damage in one State, by commands issued from another, what is the jurisdiction for this “action at a distance”? Is it the State where the damage happened, or the other one where it was “caused”? Further, has a crime been committed at all (under the criminal law)? If a crime has been committed, can a perpetrator be extradited? Alternatively, might the owner of the asset damaged by this remote action (only) have recourse under the civil law? If so, and an individual is found to have been at fault, what right of recourse does the “victim” have across State boundaries?

CyPhERS does not intend to investigate such issues further (indeed the team is not competent to do so) but wishes to emphasize that the political and legislative framework, both civil and criminal, surrounding “action at a distance” needs to be understood. Whilst this does not affect the state of the art technically, it does influence the take-up of CPS and the road map.

More specifically there is the legislation and standards that relate to CPS, whether intentionally or not, in specific domains. Whilst there may be different aspects of particular domains which are relevant to understanding the state of the art and influencing the road map, we focus on safety and security/privacy as these seem to be issues for many domains, e.g., automotive, healthcare, and ambient living. We illustrate the issues in the automotive domain and then generalize the discussion.

ISO 26262 is the automotive standard that addresses, amongst other things, the integrity requirements for software and complex hardware in road vehicles (more specifically small vehicles such as passenger cars). Risk is determined based on three factors, one of which is controllability. Controllability is a measure of how well a driver will be able to cope if a vehicle malfunctions; controllability and hence risk should be assessed in relationship to particular hazards.

For autonomous driving it is not clear whether or not the model in ISO 26262 “works” as it is not obvious that controllability can always be determined. Some malfunctions, e.g., the loss of an augmentation function such as lane deviation, can be assessed from this point of view (the driver should be paying attention anyway). However, what is possible with full automation? Will a driver be capable of “taking over” from the automation if it fails? In some cases, e.g., if the car over-speeds on a twisting road will the driver be able to regain control? Even if they can disengage the automatic systems will they be able to drive in those circumstances? Similar questions can be asked about road trains. Further, if the autonomy is used as a way of supporting the infirm (see [CyP14b]) or even the blind (the Google car has been used with blind occupants), is the notion of controllability valid at all?

Relating the analysis above more directly to CPS, the integrity of the software and programmable or complex hardware is “controlled” using the concept of ASIL (Automotive SIL) ranging from D (the highest) to A (the lowest). The ASILs define or constrain the acceptable approaches to developing software and complex hardware. ASIL D applies where the severity and likelihood of an accident (associated with a hazard) is high enough and the driver cannot be expected to control the situation. With autonomy many more systems will need to be developed to ASIL D but, more importantly, the ASIL concept may not adequately control the risks if, say, the same software is in multiple cars in a road train and it exhibits a common mode failure. Certainly the notion of “controllability” for a single driver is not really meaningful in such a situation.

More generally, we can think of standards as being on a “spectrum” of utility in the CPS context; we can identify at least three points on the spectrum, viz.:

• Helps – explicitly addresses CPS issues or those aspects of development and assurance which are pertinent to CPS;

• Neutral – do not explicitly help with control of the key properties of CPS, but do not prevent project or situation specific approaches being adopted;

• Hinders – either does not address key CPS issues, includes mandatory “rules” which are inapplicable to or meaningless for CPS, or they actively inhibit the use of CPS.

ISO 26262 should probably be viewed as being in the neutral-hinders range, but it is interesting to note that the engineers at Google doing a (retrospective) safety analysis have gone back to first principles, rather than using ISO 26262 (personal communication with Jon Derickson, Google, August 2013).

Security is also a concern for CPS. In the political and legislative context similar issues arise as for safety and it is reasonable to analyse standards using a similar “spectrum” as for safety. However it should also be noted that standards can be in conflict and that a spectrum of the relationship between standards can also be defined, such as:

• Harmonious – the standards ask for the same thing, or ask for sufficiently similar things,that there is no additional cost complying with both standards over complying with one;

• Reconcilable – the standards contain different requirements, but none of them activelyconflict so they can be met “simultaneously” albeit at a potentially unnecessary cost;

• Conflicting – the standards have requirements which cannot both be met at the same time,and a resolution/trade-off needs to be made which is likely to prioritize one standard overthe other if an impasse is to be avoided.

Whilst expressed in terms of pairs of standards the above concepts generalize to multiplicities of standards and can be applied to both product and process standards.

Standards are often domain specific, although some are technology specific, e.g., IEC 61508 is a pan-domain standard for programmable electronics. Thus analysis of the legislative context needs to be done on a domain-specific basis, but considering also standards applicable to CPS technologies.

Although expressed in terms of standards the above analysis generalizes to other forms of legislation.

In terms of the state of the art, these political and legislative issues have two types of impact. First, some things that are technologically possible may not be permissible given the political and legislative framework. Second, the road map may need to contain work on standards and legislation in order to remove or modify barriers to successful exploitation of technology, e.g., modifying standards so they help not hinder, and to remove conflicts.

4.3 Public perception and adoption

The matter of public perception of the emerging technologies presents many aspects that do not always seem reconcilable with each other. These aspects influence the acceptance and, in consequence, the adoption of the technical innovations.

The big advantage ascribed to CPS is, besides the comfort they provide (e.g., in the domain of mobile telephony), their support for the intelligent use of limited resources and the reduction of environmental impact. Sustainability is one of the big challenges of the 21st century, and public opinion also attaches great importance to the reduction of risks posed by, for instance, nuclear power plants. Regarding these issues, the combination of sensing/actuating and computational abilities, on the one hand, and their interconnection (be it via Internet or any other means), on the other hand, opens seemingly infinite possibilities of far-reaching repercussion. The capabilities opened up in this way by CPS constitute the systems’ biggest perceived asset. Beyond that, CPS offer a wide range of social benefits:

• greater independence and autonomy, e.g., for the elderly, thanks to comprehensive provision of information and assistance,

• greater comfort,

• close integration into social contexts through comprehensive networking,

• engagement in social processes,

• flexible involvement in the design of the technology and its usage through variable concepts of use.

Consumer behaviour is moreover subject to trends in design and appearance; so much so that end users feel compensated, i.e., they are ready and even willing to honour aesthetics, function and usability combined; see, e.g., [IH11]. This work argues how user-driven design can create new products and services in the energy field.

Furthermore, large-scale first- and second-order infrastructure systems, networked smart sensors enabling physical awareness, and needs-based control offer great potential for innovation. Interactive socio-technical application systems and processes in working and living environments (including virtual ones), smart interactive situation and context awareness and human-computer cooperation tailored to users’ needs are the key characteristics in this context.²

Acceptance factors derived from empirical studies and expert surveys addressing trends and developments in the fields of smart embedded systems, smart automation, mobility applications, ambient assisted living and online services, can be summarized as follows:³

• Usability and usefulness (services that are integrated into their context of use, intuitive human-computer interactions, flexibility regarding when they are used, efficient performance of the service, permanent service accessibility and availability).

• The ability for users to configure the systems in accordance with their own needs.

• Clarity regarding shared control requirements.

• User flexibility and the ability for them to act and take their own decisions independently.

• Safe, secure systems that do not pose a risk to human health.

• Availability of help if the system makes an error or fails, including help provided by human beings (e.g., service personnel).

• Guaranteed anonymity, i.e., protection of users’ personal data and privacy.

• Ensuring an enjoyable user experience (“you wouldn’t believe all the things it can do!”).

• In the AAL context, maintaining contact with other people.

² First-order systems are open-ended and therefore functionally non-specific infrastructure systems such as traffic, transport and communications infrastructures. The term second-order systems, by contrast, refers to superimposed inter-systemic structures in which parts of the first-order systems are combined in order to perform a specific task. These are social domains in which, increasingly, elements of ‘autonomous’ technological network structures for transport, communications and data exchange, goods supply and waste disposal are recombined for the purposes of the system in question and are given their own institutional identity. Examples are cross-border disposal of toxic materials in the waste management sector, organized mass tourism structures in the leisure industry or the creation of a supraregional technological system for transplant medicine in the healthcare sector; see [Deg02].

³ Recent surveys on trends and developments in the field of self-service machines [BBB+11], the BMBF/VDE Innovation Partnership “Ambient Assisted Living” (of the Federal Ministry of Education and Research and the Association for Electrical, Electronic & Information Technologies) [Eic10, MM10], of assistance systems [BMG13], relating to the evolution from Internet to the Outernet [JS10], studies on networked services [BMW09, BMW10, GGL10, HW11], the Foresight Process of the Federal Ministry of Education and Research [CGW09] and the BITKOM studies on Smart Cities [BIT11a] and automobiles [BIT11b].

The concerns that are recurrently expressed have to do with the protection of data privacy; this fear is sometimes expressed as the “gläserner Bürger”, or totally transparent citizen. Even for the legislature this matter is anything but trivial: it is not uncommon for regulations to be stipulated only after some incident has become known, and for those regulations to be more an expression of wish than a factually controllable restriction. For instance, the German commissioner for data protection imposes the privacy protection goal of unlinkability of data. This requirement aims at preventing accumulation of data, which would permit the inference of further information not explicitly disclosed by the private person in question; that is, data from separate contexts should be kept separate and not processed as a single data chain. There are plenty of measures that can be taken to deliver unlinkability: for instance, databases are to be separately stored and must use different keys for data access (i.e., the use of unique data set identifiers such as phone number must be avoided). Moreover, there should be a guarantee that data will only be used for its intended purpose and deleted once no longer necessary. These measures, however, seem limited in their effectiveness. A further privacy protection goal is termed intervenability and means that actors must have the ability to intervene in the information collected about them, on their own initiative as and when they deem it necessary. Moreover, the actors must be able to remove their data. Unfortunately, in Germany intervenability is far from obvious: by way of example, Green Party politician Malte Spitz claimed the return of six months of his data that had been stored by Deutsche Telekom, for which he had to sue the company. Subsequently, he made the data available to the ZEIT ONLINE newspaper, which used the data in order to trace all his movements during the period in question, showing the ease with which unlinkability, too, is challenged.⁴ Similar examples can be found all over Europe. Satnav manufacturer TomTom, for example, provided the police with (anonymized) speed data from its Dutch customers, in this way enabling the authorities to choose the optimum location for their speed traps. Especially in the healthcare sector, there are several concerns regarding the handling of collectively acquired patient data, of which the ownership is not clearly stated. The question is whether or not a health insurance provider is entitled to use data collected via a remote monitoring system (for instance, the insulin readings of a diabetes patient) for any other purpose not necessarily identical with the one understood by the patient. The data could be used to check treatment observance; this question becomes particularly relevant in view of the fact that health insurers are already considering introducing premium reductions for patients with good treatment compliance.

⁴ The GPS data was further correlated with information about the MP’s life that was freely available online (via Twitter, blog entries and web sites). See http://www.zeit.de/datenschutz/malte-spitz-data-retention .

Other dependability issues that gain the attention of the wider public relate to the safety/security as well as liability aspects of systems in general and of CPS in particular. While availability might cause annoyance, and thus attract not too much notice from the media, the safety of any system, be this a building, a means of transport, a nuclear power plant or a CPS, or rather any unsafe behaviour or accident, most likely makes headlines. This fact negatively influences the public perception of those systems. Regarding security, breaches are usually brought to the attention of the general public when they impact on the safety and/or the liability of the system. And liability of modern (or smart) systems⁵ is treated by the media as a matter that badly needs modernization. The sad consequence is a general and overall mistrust towards innovation.

Closely related to the issue of dependability is the one of governance. The term governance refers to the action or manner of governing a state, organization, etc. It is the way in which a city, company, etc., is controlled by the people who run it. In particular, given their nature as socio-technical entities, CPS pose an enormous challenge with regard to governance. Indeed, the large-scale infrastructure systems of networked smart sensors (enabling physical awareness) in combination with interactive socio-technical applications and processes in working and living environments, as mentioned above, imply complex “hybrid” systems. These are the result of combining, on the one hand, centrally coordinated and controlled (sub-)systems, which offer decentralized self-coordination of highly disciplined actors (typical of closed systems) and, on the other, open (sub-)systems like road traffic whose actors are less disciplined. In the presence of real-time communication, both the centralized and the decentralized, self-organising coordination modes would exist. This, in turn, implies the coexistence of the following governance approaches:

1. central coordination and control, characterized by global optimization, hierarchical control and loss of autonomy; the risks involved include total control and loss of human users’ ability to learn and adapt;

2. decentralized self-coordination with local optimization.

⁵ The term CPS is not necessarily employed in the media.

Examples of the second mode are the individual use of a navigation system with dynamic route planning and decentralized negotiation, and also the so-called “green wave” apps; see [KPM11, Gri14]. Centrality norms, conversely, assist the arbitration procedure of conflicts arising between peers; see [Sin12]. Simulation experiments have been carried out in order to test the dichotomy between centralized and decentralized control as well as between soft and hard control; see, e.g., [AWF14]. There seems to be a need for research on how to support transforming the governance of the complete life cycle of cyber-physical systems into a science-based engineering discipline that is moreover backed up by meaningful and widely (in particular, cross-border) agreed upon regulations. This would help counteract the perceived vulnerability and lack of protection felt by some as well as the obstruction and even anarchy felt (and occasionally taken advantage of) by others.

The social tensions, fears and concerns about fairness that have already been discussed in the context of the rapid development of the Internet, networks and ubiquitous digital services are raised again with regard to CPS. The relevant factors include (see [GBC+12]), among others, the following:

• drifting apart of social strata and heightened tensions between “literates” and “illiterates”, “natives” and “non-natives”, “haves” and “have-nots”, “drop-outs” and “refuseniks”;⁶

• individuals or social groups losing their ability to solve problems and take action, possibly as a result of increased use of technologies that provide support and operate autonomously and a concomitant increase in passivity and conformity;

• social groups and basic government functions becoming increasingly dependent on CPS and their coordinating services (which touches on the issue of governance);

• basic questions and analyses relating to the impact and power of technology in shaping society, in other words in bringing about socio-economic and institutional change (see [DW07]).

The first factor, in particular, refers to what is also termed “digital divide”. As reproduced in [Kan89], the digital divide consists of ‘differences due to geography, race, economic status, gender and physical ability in access to information through the Internet, and other information technologies and services, as well as in the skills, knowledge and abilities to use information, the Internet and other technologies’. A major European case study highlights the problem, and arrives at the alarming conclusion that the digital dividend, as opposed to the digital divide, will not close the latter; see [GPJE11]. This is especially alarming if one takes into account that there are books, for instance, that are only electronically available.

⁶ A “refusenik” is a person who refuses to do something, especially by way of protest.

The increase in quality of life that the materialization of the vision implies should be accompanied by a higher level of qualifications and avoidance of unemployment. The advantages of, for instance, ebooks, which include improved sustainability because of less use of paper and emission reduction because of downscaled transit, can be downplayed if the focus is laid on the possible downsizing of publishing companies, delivery departments, and bookshops. As pointed out in [SM12], emerging technologies create new winners and losers. As this applies to almost every area of an economy, opposition from those who unfortunately belong to the second category cannot come as a surprise.

4.4 Education

The science and engineering of CPS are cross-disciplinary in nature, requiring expertise in computer science, mathematics, statistics, engineering, and the full spectrum of physical sciences, even extending into the arts such as ethics and psychology. Working across disciplines can be challenging, as it requires experts with highly diverse backgrounds to communicate on a common basis. In academia, there is a lack of concentrated, multi-disciplinary CPS education and research, as efforts have focused on the cyber or physical domains rather than a combination of the two. Significant challenges exist in creating multi-disciplinary CPS programs within the existing university structure, which has historically been divided into conventional disciplines (e.g., computer science, engineering, chemistry).

Education is extremely important in terms of creating a workforce capable of dealing with the CPS that we propose building. Education in its current state is poorly prepared to train the next generation of CPS engineers and scientists. An EU-sponsored initiative should have substantial impact at all levels of the EU educational system, ranging from secondary school to graduate level instruction.

Building and sustaining a workforce capable of developing, innovating, and operating future CPS will require significant enhancements in engineering curricula, renewed emphasis on systems sciences and engineering, and an increased emphasis on multidisciplinary research. Dynamic training programs for engineers, operators, and users of these systems will create pathways for keeping the workforce on top of new developments as they emerge. Academia has previously confronted and successfully addressed similar challenges, resulting in the creation of new, vibrant industries such as bio-engineering.

Revision of undergraduate and graduate curricula should be encouraged to prepare students to meet the demands of the CPS research priorities and roadmaps for such revisions should be established. Forums to exchange ideas and approaches to curriculum changes should be created and wide dissemination of the results should be encouraged. At the graduate level, we expect research projects in CPS to directly result in new graduate courses whose materials can be used at other universities. These curriculum efforts could be aided by the creation of consortia that develop and share material, providing an early audience and motivation for improving material.

What is needed? A key visionary element of the future of education for CPS is the availability of recognized educational programs that offer the fundamentals of CPS through a multi-disciplinary curriculum. Similarly, future workforce training and technology transition of CPS require the availability of professional certification and other practice-oriented programs. The future vision for this area can be summarized as the following:

• A cross-disciplinary CPS curriculum is part of the university system to teach the foundations of CPS, is recognized as an undergraduate and post-graduate field of study, and offers opportunities for transition into the workplace.

• An academic CPS environment is available that is interdisciplinary and dynamic, provides laboratory experience, and covers human behaviour as well as the business side of CPS.

• Technology transfer takes place seamlessly, reliably, and painlessly. Potential opportunities include the availability of internships with industry, professional certifications, and other practice-oriented programs.

What do we have to do? A number of transformative ideas that could improve or revolutionize CPS education and technology transition were identified. For example, CPS is a field that is continuously evolving both in terms of technology and information so it may be necessary to develop continuous education programs in addition to a structured degree. The transformative ideas proposed for this area can be summarized as the following:

1. Create an industry-recognized certification for CPS professionals

2. Develop education programs that are continuous

3. Develop a virtual CPS computer world that allows for experiments and exercises

4. Attract engineers at an early stage in their education and get them involved to instill a passion for lifelong learning and commitment

5. Develop a global standard for CPS education

6. Create an environment where individuals can develop collaborative applications for smart sectors, such as smart grid and smart buildings

What are the challenges? A number of challenges were identified that impede advancements in CPS education, workforce training, and technology transition. These are described below:

1. Education:

• CPS degree that cuts across multiple disciplines

• Define what aspects should be included in the CPS curriculum

• Mechanisms for continuous retraining, incentives, and funds to facilitate radical CPS innovations in universities, schools and industry

• Define the educational outcomes and objectives for a CPS-based curriculum

• Project-based activities that are sufficiently adequate in terms of reinforcing CPS

2. Workforce training:

• Training future CPS engineers

• Need for rigorous tools that can effectively train workforce using a flexible delivery method while maintaining quality

• Funding and programs to train students in CPS

3. Technology transition:

• Difficult to understand the substance of research, evidence for investment, target audience, and time to market, due to overly theoretical research descriptions

• Business models needed to motivate development, which creates liabilities

• Need of communications among CPS collaborators with different conceptual frameworks

• Making CPS an open source to capture CPS technology, methods, and tools in shared modelling and simulation systems

• Open standards should be included in undergraduate training

5 International outlook

As part of the international outlook we have gathered information about developments and the state of the art from several countries in the world including Europe, US, Brazil, India, China, Korea and Japan. We realize that there are other countries that may well be of interest and will in future work also attempt to include Russia, Australia and South Africa. Initially, we planned to cover these countries too, but gathering information has been problematic for several reasons. First, since CPS is still a rather new term, there are several interpretations and related fields such as the internet of things, sensor networks, networked embedded systems, ubiquitous computing, including also various application domains such as smart cities and transportation. The information is thus highly fragmented. This makes it difficult to gather the information in a sensible way, and further motivates the need for a proper structuring of the area. We have also not been able to find many other surveys in this direction, motivating further work.

Secondly, finding relevant information has also been difficult, especially for Russia and China (similar difficulties were reported by the German agendaCPS; see [GBC+12]). Whilst these countries are undoubtedly active in the field of Cyber-Physical Systems, there is little information publicly available, or available in English.

Our survey complements the previous international outlook carried out in the context of the German agendaCPS (see [GBC+12]) and the one carried out by ITEA and ARTEMIS (see [IA13a, IA13b]).

Each section is structured as follows:

• Industry and research profile;

• Major initiatives;

• Summary: overall awareness and thrusts.

5.1 Europe

There are several initiatives in Europe covering the area of Cyber-Physical Systems, both in research and in an industrial context.

• From a research point of view, the European Commission has devoted a full topic to Smart Cyber-Physical Systems in the Horizon2020 call for proposals. The program includes “next generation embedded ICT systems that are interconnected and collaborating including through the Internet of things, and providing citizens and businesses with a wide range of innovative applications and services”. In particular, the call for actions is structured along two themes:

– Modelling and integration frameworks: targets integrated tool chains for the holistic modelling of the system behavioural, computational, physical and/or human aspects of CPS.

– Smart, cooperative and open CPS: targets methods for engineering CPS that are able to respond in real-time to dynamic and complex situations. This theme also covers open and heterogeneous CPS and Systems of Systems.

The drive of the call is towards the establishment of reference architectures and platforms for open and co-operative CPS.

• The Artemis Industry Association is one of the leading actors in Embedded Systems in Europe, and comprises more than 200 members from academia and industry. Artemis develops the Strategic Research Agenda (SRA), which sets forth the priorities and the challenges and research and development (see [IA13a]). In addition, under the Artemis Joint Undertaking, the association promotes and funds projects, typically led by industrial partners.

The objective of Artemis is to strengthen the European position in Embedded Intelligence and Systems. Part of the SRA is devoted to analyzing the Embedded/Cyber-Physical Systems Major Challenges. The following priority targets will guide the program:

– Exploiting the ubiquity of the Embedded Systems/Cyber-Physical Systems

– Exploiting the connectivity of the networked Embedded Systems/Cyber-Physical Systems

– Optimizing the factor Technology Time to Market/Technology Time on Market

– Mastering the complexity

– Reducing and managing the energy and power consumption cost.

The strategy to achieve the objectives rests on building on the leading positions where Europe is strong, especially in automotive, aeronautics, space, health and the production sector; on creating new opportunities in new or emerging markets with high potential growth rates, such as smart cities, energy generation and distribution, the environment, food and agriculture; and on making a tentative comeback on smart devices, to challenge the leading US and Asian actors.

• The EIT ICT Labs is a Knowledge and Innovation Community (KIC)¹, set up by the European Institute of Innovation and Technology (EIT), which is an initiative of the European Union. The mission of the ICT Labs is to drive European leadership in ICT innovation for economic growth and quality of life. One interesting aspect of this initiative is that it links education, research and business under a concerted effort.

The ICT Labs are structured into Innovation Areas or Action Lines, one of which is dedicated to Cyber-Physical Systems. The activities, and the projects funded by the ICT Labs, include:

– CPS-specific extension of sensornet test-beds for the development, testing and evaluation of cyber-physical applications

– Demonstrator for water-cycle management

– Methods and tools addressing the engineering of complex CPS

– Reference architecture for medical applications

In addition, the Action Line organizes a summer school for Master and PhD students.

The Universities that are part of the ICT Labs also organize a co-operative Master and Doctoral School that includes a technical programme on Embedded Systems.

¹ http://www.eitictlabs.eu/

5.2 USA

The definition of the research field described by the term Cyber-Physical Systems (CPS) originated in the United States in the early 2000s from a series of discussions of Berkeley faculty (Henzinger, Lee, Sangiovanni-Vincentelli, Sastry and Tomlin) who were the PIs for the Center of Hybrid and Embedded Software Systems (CHESS) funded for five years by NSF. A steering group was formed in 2006 to provide CPS strategic directions for funding agencies of the United States and to the White House. The initiative yielded an Executive Summary sent to the President’s Council of Advisors on Science and Technology (PCAST). This action resulted in the introduction of CPS in the agenda of PCAST (see the 2007 PCAST report [Fed07] submitted to the National Coordination Office that highlights CPS as the “number one” Priority for Federal Investments in Networking and Information Technology) and of NSF. The group included (in alphabetical order): Helen Gill, National Science Foundation (NSF), Bruce H. Krogh, Carnegie Mellon University, Edward Lee, UC Berkeley, Insup Lee, University of Pennsylvania, Scott Midkiff, NSF, Al Mok, UT Austin, George Pappas, University of Pennsylvania, Raj Rajkumar, Carnegie Mellon University, Alberto Sangiovanni Vincentelli, UC Berkeley, Lui Raymond Sha, UIUC, Kang Shin, University of Michigan, Jack Stankovic, University of Virginia, Janos Sztipanovits, Vanderbilt University, Wayne Wolf, Georgia Institute of Technology, Taieb B. Znati, NSF. The group had participants coming from a rather diverse background: from real-time systems to control, from design methodology and tools to computer architecture and networking. In 2008 a letter was sent to The Honorable Bart Gordon, Chairman, Committee on Science and Technology (enclosed), outlining the relevance of the field for the interest of the United States. The definition used in the report was simple to make sure the message could be delivered to the policy makers with great strength: “The integration of physical systems and processes with networked computing has led to the emergence of a new generation of engineered systems: Cyber-Physical Systems (CPS). Such systems use computations and communication deeply embedded in and interacting with physical processes to add new capabilities to physical systems. These CPS range from minuscule (pace makers) to large-scale (the national power-grid).”

Since then, CPS has occupied a central role in research funding by NSF.

In 2014, NSF is working closely with multiple agencies of the federal government, including the U.S. Department of Homeland (DHS) Security Science and Technology Directorate (S&T), U.S. Department of Transportation (DOT) Federal Highway Administration (FHWA) and, through FHWA, U.S. DOT Intelligent Transportation Systems (ITS) Joint Program Office (JPO), to identify basic research needs in CPS common across multiple application domains, along with opportunities for accelerated transition to practice.

Three types of research and education projects – differing in scope and goals – will be considered through this solicitation:

• Breakthrough projects must offer a significant advance in fundamental CPS science, engineering and/or technology that has the potential to change the field. This category focuses on new approaches to bridge computing, communication, and control. Funding for Breakthrough projects may be requested for a total of up to $500,000 for a period of up to 3 years.

• Synergy projects must demonstrate innovation at the intersection of multiple disciplines, to accomplish a clear goal that requires an integrated perspective spanning the disciplines. Funding for Synergy projects may be requested for a total of $500,001 to $1,000,000 for a period of 3 to 4 years.

• Frontier projects must address clearly identified critical CPS challenges that cannot be achieved by a set of smaller projects. Funding may be requested for a total of $1,000,001 to $7,000,000 for a period of 4 to 5 years.

from NSF web page.²

Industry has followed up with some delay, but CPS are indeed at the heart of the R&D activity of the US system industry. Recently, large corporations such as IBM, Cisco and Google have declared their interest in the Internet of Things aspects of CPS. Google has been a precursor of autonomous driving vehicles and has recently acquired two companies (a thermostat manufacturer and a robotics company (General Robotics)), demonstrating its commitment to CPS. The interest of Apple in Tesla demonstrates that another US giant is targeting CPS as a major technology thrust.

5.3 Brazil

We report on research, education and the societal context.³

• Regarding funding for research projects, for the last 12 years the Brazilian government has been sponsoring several research areas (both in universities and in industry) in the form of grants. Each year, a number of areas (around 5) are selected by the government, to which universities and industry can submit project proposals. The total government investment each year is usually from R$ 100 million to R$ 1 billion (approximately 30 to 300 million euros). In recent years, the selected areas most relevant to CPS have been Defense, Telemedicine, Energy and Transportation.

Among the current projects, the German agendaCPS (see [GBC+12]) reports that several are underway to investigate the opportunities provided by Cyber-Physical Systems. For instance, Ciberfloresta is used to monitor fires and rain, Biodigestor Inteligente controls a biogas plant that produces biogas and biofertilizers, and the LOGBOT project has designed a prototype mobile robot for the development of the Amazon rainforest. Today, home and building automation is standard practice in the Brazilian construction industry. Finally, Brazil has launched a project to make the city of Búzios on the Atlantic coast a flagship for smart energy consumption management.

The most relevant Brazilian conference in this area is SBESC (Brazilian Symposium on Engineering of Computational Systems). For the last three years, its proceedings have been published by IEEE and are available on IEEE Xplore.

• With respect to education, the courses that are most closely related to CPS are Computer Engineering, Electronic Engineering, Mechatronics and Computer Science. All these are available at undergraduate and graduate (M.Sc. and Doctorate) levels. All engineering courses have a strong background in Physics and Mathematics. On the other hand, research groups in the area of CPS tend to be multidisciplinary groups, so as to provide competence across the diversity required in the CPS area.

² See https://www.nsf.gov/funding/pgm_summ.jsp?pims_id=503286

³ Part of the information due to Prof. Douglas Renaux, UTFPR

• From a societal context point of view, the cultural profile in Brazil favours the adoption of new technologies, with a low level of concern about privacy issues. There has been a long history (over 25 years) of using technology in sensitive areas such as Banking, Tax Reports, Election and Medical Records, which succeeded both in providing adequate functionality and in guaranteeing security. As new technological advances are made available to the public in Brazil, it is likely they will be rapidly adopted.

There is no specific legislation for CPS. The legislation that applies is the same as for products in all areas and involves: Safety, Security, Health, Privacy, Consumer Protection, and so on.

5.4 India

When searching for CPS in India, the top hit is the Robert Bosch centre for research in CPS. The centre was founded in 2011 in collaboration between the Bosch company and the Indian Institute of Science (IISc); the centre is an entity of IISc. The centre has a base grant of approx. 2M Euros from the Robert Bosch Foundation. The centre is moreover involved in sponsored research projects with external organizations. See http://cps.iisc.ernet.in/ for more details.

India is also active in the closely related field of IoT, as is apparent from a number of sources, exemplified in the following.

According to the “Global Internet of Things (IoT) Index” by the IDC, India has been ranked at the 16th position in IoT, “with countries such as the US and South Korea topping the chart”. The article is positive about prospects in India, given that while Indian enterprises are still in their early stages of IoT implementation, many businesses are aware of IoT and planning to adopt it in the next few years.⁴

News reports give indications of a strategic India and South Korea collaboration on IoT.⁵ The idea is to combine the strengths in hardware (Korea) and software (India).

As an industrially driven effort, the Global ICT standardization forum for India (GISFI)⁶ has started to address standardization for IoT. A number of domains are in focus, such as “smart city”, mobile (read “remote”) healthcare, and food Supply Chain Management. The activities appear to be in a pre-standardization phase, where use-cases and requirements are being elicited. Large international companies are part of the work including, e.g., Cisco, IBM, and Ericsson.

IoT also appears to be an active area in research.⁷

⁴ See, e.g., http://www.cxotoday.com/story/indian-firms-yet-to-explore-iot-potential/ (retrieved March 24th, 2014). The IDC (non-free) survey is available at http://www.idc.com/getdoc.jsp?containerId=243705

⁵ Indo-Asian News Service, January 21, 2014; see http://gadgets.ndtv.com/internet/news/india-and-south-korea-to-collaborate-on-internet-of-things-technologies-473812

⁶ See http://www.gisfi.org/workinggroups.php?wg=IoT

5.5 China

CPS and IoT are being addressed in China. Following a cursory survey, we here highlight and give examples of larger scale efforts in China.

In China, there is a government supported initiative, called “Intelligent Manufacturing”, which is comparable to Germany’s “Industrie 4.0”. The Intelligent Manufacturing Initiative supports research and development as well as applications of advanced manufacturing technology, targeting seven strategic emerging industries. The development plans are initiated by China’s Ministry of Science and Technology (MOST). Intelligent Manufacturing has the following features, which are similar to Cyber Physical Systems (CPS) in concept:

• Information-based manufacturing in a pervasive sensing environment, targeting the whole product lifecycle

• Deep fusion and integration (note: compare to CPS) of information technology and intelligent technology (cyber) with equipment and manufacturing process technology (physical)

• Based on the advanced technologies of sensing, networking, automation, and humanoid intelligence; to achieve intelligence in the design process, manufacturing process, and manufacturing equipment, through intelligent technologies of sensing, human machine interface, decision-making, and execution

Each year, about 70 projects are supported, with government financial support in the range of 2 million Euro each.

IoT is also receiving a lot of attention, driven by top-down initiatives that encompass large scale pilots and “all parties” in the industry chain such as research institutes, operators, equipment providers, industry users and application developers. Standardization efforts have also been initiated. The National Agriculture IoT Pilot Project provides an interesting example of IoT efforts in China, being a part of the Chinese IoT Action Plan. According to Prof Li-Rong Zheng of Fudan University, the total investment for the pilot project is 13 M USD over 3 years. The objectives include ensuring food safety and quality management using IoT and developing a scalable and open platform (relating to national/international standards). The project is conducted as a pilot project in Shandong and Shanxi provinces and includes 20 universities, institutes, and companies (375 researchers), coordinated by Fudan University (FDU). The project apparently takes end to end considerations, ranging from sensing, communication, standards, service platforms/engines and tools, applications, and large scale pilot tests.

⁷ See for example the following overview presentation: “IoT R&D Activity Related to Internet of Things at Indian Institutions” available at http://www.ttc.or.jp/files/6613/3213/8996/P-5_Prof_R_V_Raja_Kumar_IOT_RandD.pdf

China is becoming visible in the research community regarding CPS, and for example hosted the CPS Week 2012 in Beijing.⁸ CPS is further being addressed in research, with examples including research at the laboratory for embedded and network computing at Hunan University and by the Emerging Technologies Institute at the University of Hong Kong.

It should be noted that an internet search for CPS and IoT produces a lot of hits, but that most information is in Chinese.

5.6 Korea

Korea is very active both in research and in industrial activities. For example, a new Asian CPS conference was initiated in 2011 (http://www.cpsna.org/) with several Korean universities involved (e.g., KAIST, Seoul National University and National Taiwan University). Indications of activities are seen, for example, with CPS labs (http://cpslab.skku.edu/).

As another example, Korean companies were present at the Consumer Electronics Show in Las Vegas⁹ displaying systems and home appliances for IoT, including LG’s smart fridge (which can send you an SMS if you are out of milk) and a Samsung speaker system that will stream audio wirelessly from the cloud (no separate ordinary computer or phone required).

The “Global Internet of Things (IoT) Index” by the IDC ranks the US and South Korea at the top.¹⁰

5.7 Japan

The National Institute of Informatics (NII), together with the universities of Hokkaido, Osaka and Kyushu, has investigated CPS with a focus on optimization of societal systems and, in particular, on Human-Centric CPS (HCPS). For instance, the HumanS simulator works with a geographic information system and models the movements of pedestrians by generating pedestrian agent flows on a map with the help of sensors distributed throughout the area of interest. HumanS is used to evaluate location sensing systems under various conditions; see [KHYH12].¹¹ Further experience in wider areas has been gained with smartphone navigation in urban areas and shopping malls, which besides smartphones is based on cameras and laser sensors. The goal is a safe and secure urban life, including pedestrian flow control and energy reduction; see [UKU+13, WHYH13]. The insights thus gained were combined with efforts towards reduction of energy consumption; see [MYS+12, HKYH12]. There is also a Global Research Center for Cyber-Physical Systems at NII,¹² but the available information about it is unfortunately very sparse.

⁸ See http://triton.towson.edu/~cpsweek/default.htm

⁹ In January 2014, see http://ces.cnet.com/

¹⁰ See http://www.cxotoday.com/story/indian-firms-yet-to-explore-iot-potential/ (retrieved March 24th, 2014), which refers to the IDC (non-free) survey available at http://www.idc.com/getdoc.jsp?containerId=243705

The FIRST Program (Funding Program for World-leading Innovative R&D on Science and Technology) was brought into being in 2009 and is designed to rigorously promote world-leading, innovative research and enhance Japan’s mid- to long-term international competitiveness and overall strength in wide-ranging fields. Among other so-called sub-themes, in the one titled “Large Scale Cyber Physical Application Verification Testing”, social applications of database engines and of big data handling are investigated in fields such as medicine, agriculture and machine learning; see [Tai13]. Especially in the last field, in particular with regard to personalized activity recognition, some interesting results are shown in [SKU13].

Japan’s National Institute of Information and Communications Technology (NICT) is developing a prototype cloud platform for collecting, archiving, organizing, manipulating and sharing very large cyber, physical and social data. This cyber-physical data cloud is designed to, among other things, explore the role that massive-scale data recording and aggregation, together with efficient access and interpretation, can play in supporting the critical infrastructure, and was triggered by the Great East Japan Earthquake of 2011. The cyber-physical architecture will address the convergence of the cloud, big data and social data; the associated challenges include security and standards; see [Yas13].¹³

¹¹ See also http://www-higashi.ist.osaka-u.ac.jp/research/humans/

¹² See http://www.nii.ac.jp/en/research/centers/

¹³ See also http://www.nict.go.jp/en/univ-com/isp/publications.html


6 Europe’s position

The European countries and the European Commission have, for some years now, been mindful of the opportunities offered as well as the difficulties and risks involved. On the one hand, technological progress unfolds new and not yet fully known possibilities (push perspective). On the other hand, demographic change and the evolution of public awareness demand judicious use of novel possibilities and moreover require further innovations that meet today’s challenges (pull perspective). The nature of the issues is manifold, ranging from political and societal through academic and educational to industrial and standard-related. A number of efforts were initiated, mostly in the form of projects, devoted to investigating the matter. A summary of them is presented in Section 6.1 below.

In the subsequent Section 6.2, a popular planning method, namely the SWOT analysis, is briefly presented. Furthermore, an initial attempt at such an analysis is undertaken there in order to, in a first step, evaluate the prospects of CPS in Europe. In a second step, further analysis needs to be performed in order to develop strategies minimizing risks and maximizing benefits of CPS in Europe.

6.1 European surveys and roadmaps

The term “cyber-physical system” seems to be the melting pot of diverse branches of science and technology, including systems of systems, ubiquitous (pervasive/context-aware) computing, internet of things, and multi-agent systems, to name a few (see, e.g., [KA12]). There are, moreover, some further terms that could be considered synonyms for CPS as, for instance, networked embedded systems and federated embedded systems. The foci and approaches attempted by the different communities to tackle the challenges posed by the respective envisioned use and exploitation of the possibilities thus offered are accordingly dissimilar. This diversity shows that, up to now, no real consensus has been reached on the name and nature of the emergent innovation(s). There are, however, many commonalities regarding vision, topics, and strategies.

The European Commission has initiated a cluster of projects, whose character may be purely technical and within the above mentioned realms (so-called STRePs, i.e., “specific targeted research projects”), or else aimed at research and development (R&D) management and/or policy making; see Figure 6.1. The national agencies, in turn, have likewise launched projects with similar goals.

Figure 6.1: EC projects (source: [Roa13])

In this section we summarize the visions, identified topics, and strategies that have already been made public by those projects. In particular, this summary heavily relies on

• the Strategic Research Agenda of the European Technology Platform on Smart Systems Integration (EPoSS, see [EPo09]),

• the High Level Strategic Research and Innovation Agenda of the ICT Components and Systems Industries as represented by ARTEMIS, ENIAC and EPoSS (see [AEE12]),

• the Trans-Atlantic Research and Education Agenda in Systems of Systems (T-AREA-SoS, see [TAR13]), and

• the ARTEMIS-IA Vision 2030 (see [IA13b]).

In the following subsections, an attempt is made at organizing the collected information.


6.1.1 Vision

The visions (and missions) posited by the different communities, always expressions of “good intentions”, can be divided into benefits for the individual members of the society, and benefits for the society and the region as a whole. Belonging to the first category, for instance, is that of “mankind benefiting from a major evolution in intelligent systems, a world in which all systems, machines and objects are smart, have a presence in cyber space, exploit the information and services around them, communicate with each other, with the environment and with people, and manage their resources autonomously”; see [AEE12, IA13b]. This vision, in [AEE12], goes on as “a concerted approach with the controlled access for creating the indispensable technology basis for new products, systems and services and their applications essential for a smart, sustainable and inclusive European 2020 society”. Moreover, according to [IA13b], this will “change the way we live as citizens and the way we do business in the new digital economy. It is a trend that is accelerating and its impact on our society will become deeper than ever”.

Within the second category, we can place the statement that the “mission of the European ICT Components and Systems industries is to progress and remain at the forefront of state-of-the-art innovation in the development of highly reliable complex systems and their further miniaturization and integration, while dramatically increasing functionalities and thus enabling solutions for societal needs” (these last words explaining one impact corresponding to the previous category); see [AEE12]. In the opposite direction, i.e., from a future for the individual to a future for the society, goes the argument in [IA13b], whose vision “nurtures the ambition to strengthen the European position in Embedded Intelligence and [CPS] and to ensure its achievement of world-class leadership in this area by establishing an environment that supports innovation, stimulates the implementation of the latest achievements of CPS and Embedded Systems on European scale, and avoids the fragmentation of investments in R&D&I” (research, development and innovation).

6.1.2 Issues

The topics and issues identified by the different surveys and roadmaps can also be classified according to their nature. They can be technical themes, such as the twelve listed in [TAR13] (which comprise more than 80 problem areas):

• Characterization and Description

• Theoretical Foundations

• Emergence

• Multi-level Modelling


• Measurement and Metrics

• Evaluation

• Definition & Evolution of Architecture

• Prototyping

• Trade-off

• Security

• Human Aspects

• Energy Efficiency

Other issues, equally important, are expressed in terms of return on investment, of revenues and jobs. For instance in [IA13b], we read that “the global market of Digital Technology¹ is estimated at USD 3,300 billion, corresponding to around 50 million jobs. The share of Europe in digital technologies is about 9.1 million jobs. Europe’s position is characterized by a strong presence in vertical markets. In Europe we have 0.2 million jobs in hardware, including semiconductors, and 8.9 million jobs in software and services. [It can be stated] that: Software innovation thus addresses a global market of around USD 2,600 billion, corresponding to 44 million jobs. [...] Bottom-up data collected from relevant industries indicate the strong significance of the embedded digital systems part. Today already more than 50% of the key selling features of our technical products are determined by Digital Technologies, with a firm increase to more than 70% expected within the next 5 to 10 years.” And the report goes on with a striking evaluation: “As a very conservative estimate, the European applications industry spends only 20% of its R&D effort in the domain of Embedded Digital Technologies, resulting in a cumulative total R&D&I investment of EUR 150 billion in the period 2013-2020, EUR 15 billion of which is expected to be allocated to collaborative R&D&I projects in Embedded Digital Technologies. Based on [indications] that about 60% of all product features will depend on Embedded Digital Technologies, we also estimate growth of about 800k jobs in the application industries, directly resulting from the impact of Embedded Digital Technologies.”

¹ “Digital Technology” encompasses the following notions:

• Hardware (semiconductors, PCs, tablets, servers, storage, peripherals)

• Software (including packaged embedded software)

• IT Services

• Internal IT

• Embedded software in products of “vertical markets” like automotive, healthcare, etc.


The human aspects seem to be insufficiently addressed in the literature consulted. Although mentioned in the above list of themes of [TAR13], they in general cannot be confined to a mere research and education topic. To the best of our knowledge, only the German agendaCPS (see [GBC+12]) emphasized the need for a participative debate, inclusive discussion, and widespread information and instruction. Otherwise, due to a legitimate fear of change, particularly of unemployment, and nourished by media reports prone to sensationalism, as discussed in Section 4.3 above, vast areas of public opinion could oppose and moreover compromise any good intentions and “abstract” (because perceived as unrealistic) decisions taken geographically and socially far away. The human aspects range from standards, which need to be agreed beyond national boundaries, and training and (re-)education, to laboratory and field experiments in order to safeguard individual and collective interests.

6.1.3 Strategies

The issues above are the variables to be leveraged in order to achieve the vision. In [AEE12], for instance, the proposed strategy “is based upon exploitation of European strengths and opportunities:

• Exploiting strengths implies building on the leading positions in specific technology and application domains by increasing industry effectiveness, and reducing fragmentation,

• Creating opportunities implies for Europe to be positioned at the forefront of new emerging markets with high potential growth rates and to become a world leader in these domains.”

It is moreover argued there that innovation, as a key point for the strategy, “is propelled by efficient transnational eco-systems of industry, institutes, universities and public authorities”.

The strategy proposed in [IA13b] is that the ARTEMIS European Technology Platforms (ETP) “continue to nurture activities supporting innovation such as education, standards and SME development [...] to boost the competitiveness of Europe’s industry”. Furthermore, it is suggested there that the innovation eco-systems of companies and research organizations, built by ARTEMIS and ITEA, allow these to closely interact and are therefore “essential to enable European organizations, including SMEs, to keep up with the fast changing reality in Digital Technology, its increasing complexity and to remain at the forefront of innovation”.

In [EPo09] strategies are listed together with the vision towards which they are tailored: “Europe has to turn its outstanding R&D potential, its infrastructure, as well as its technological environment, into successful product development in order to maintain its competitive edge [and] bring together a wide spectrum of stakeholders, primarily key industrial players, researchers, universities, non-governmental organizations, intermediaries and civil society” in order to “strengthen its competitiveness whilst satisfying the core objectives of the Lisbon Growth and Job Strategy”. The fragmented landscape of European public support is also addressed there, which can be counteracted by the creation of “a single, Europe-wide and industrially-driven R&D programme” for which a Joint Technology Initiative (JTI) is proposed that “will combine a critical mass of national, EU and private resources within one coherent, flexible and efficient legal framework”.

6.2 Simple SWOT analysis

A SWOT analysis is a method for assessing the degree to which a company aiming at a new project or business venture matches the surrounding environment; this is also termed “strategic fit”. Although this method was conceived for companies, it can also be carried out for products, industries, persons, etc. In particular, the method helps to organize information for the purpose of gaining insight into barriers and drivers associated with the planned endeavour. The information to be gathered refers to positive and negative factors of internal or external nature; see Figure 6.2. The method can moreover be used for the identification of strategies that help decide the direction that will be most effective; see Figure 6.3.

Figure 6.2: Simple SWOT analysis

Given that the subject of this document will be re-addressed in a second iteration, here we restrict ourselves to a first attempt at listing the factors depicted in Figure 6.2. The strengths and weaknesses refer to the internal capabilities of research and industry in Europe. The opportunities and threats comprise the external influences on the analysis connected with the specific characteristics of CPS.

Figure 6.3: SWOT analysis (including the strategies’ matrix)

The factors presented in the subsections below can concern Europe as a whole or else some regions of the continent. The observations below were chiefly already made in previous surveys; see [GBC+12, EIT14] and also [ABB+09, EIT13]. The internal factors refer to the capabilities of research and industry in Europe, and are employed to pinpoint strengths and weaknesses; see [CyP13]. The external influences used to detect opportunities and threats are connected with the specific characteristics of CPS.

6.2.1 Strengths

Position and framework

• innovative networks in the field of embedded systems that include SMEs

• high software and services share in B2B and industrial ICT market

• government push to introduce ICT in classical industries (e.g., via the Fraunhofer Society)

• education level, math and science programs

• embedded systems:

– embedded software, systems engineering, sensor technology, mechatronics, robotics


– architectures, protocols

– development and manufacturing processes

• key industries that use embedded systems:

– automation, manufacturing, automotive, energy technology, logistics, aviation, healthcare

– strong client industries with high demand for innovation

• comprehensive local value chain coverage

• high-quality and comprehensive communications infrastructure

• awareness, of both public and policymakers, of demographic change and sustainability as well as of data and privacy protection

Engineering, research and training

• research and engineering in the field of embedded systems:

– close cooperation between research and industry in certain disciplines and fields of application, for example automotive, medical technology, automation technology

– architecture frameworks

– model-based development, quality assurance, verification

– safety and security technology, certification

– modelling, model-based development, validation and verification

• leadership in basic research on individual CPS technology themes

• high standard of training in embedded systems and conventional engineering

6.2.2 Weaknesses

Position and framework

• inadequate market share in fast moving B2C business

• venture capital availability and VC risk taking low

• government and firms slow in ICT adoption

• losing ground in intellectual property protection and standards setting potential

• R&D investment in non-Telecom related ICT sectors is only 10% of the global investment

• few elite institutions and programs for ICT

• lack of market competence in consumer products, and correspondingly weak position with regard to end devices and innovative user interfaces

• failure to adequately take users, user processes and application problems into account, for example in terms of human factors and living spaces, which is characterized by

– a weak services industry

– a strong focus on technology per se, without considering the consequences of its use

– industry’s obsession with industry-specific Business-to-Business processes and their optimization

• a lack of market-leading Internet companies and software platforms:

– inadequate competencies with regard to Internet and cloud technology

– inadequate software know-how among established SMEs and CPS component suppliers

– inadequate technology and software know-how among trades and service providers

– shortage of skilled labour

• in places, inadequate communication infrastructure, in particular a lack of broadband coverage in rural areas

• a suspicious attitude towards technology among the public

• unattractiveness of certain locations for people and also (particularly small) businesses:

– setting up new organizations and companies involves a lot of red tape

– inadequate social infrastructure; for example, a lack of support for the integration of foreigners into European society

– inflexible or non-existent regulatory frameworks

– a general reluctance to experiment and take risks

– insufficient venture capital, reluctance to invest

Engineering, research and training

• highly fragmented research in individual disciplines, isolated research topics

• no sustainable development of interdisciplinary research fields

• weaknesses in individual key research areas:

– requirements management, non-functional requirements and quality models

– human-technology interaction, usability

– inadequate integration of sociology and psychology with IT and technology

• weaknesses in terms of the consistent translation of research findings into innovations

• rigid and hierarchical development stages and supply structures. There is little communication with potential users and customers. As a result, their requirements are not adequately taken into account in the design of systems and subsystems.

• a lack of interdisciplinary training

6.2.3 Opportunities

Potential (for society, industry and the market)

• leverage traditional European industrial and social system strengths by augmenting solutions with ICT, e.g., Smart Grids, transportation, CPS, eHealth, better aging, inclusion, ...

• push open source, open data, open innovation for European style business ecosystem innovation

• pan-European advanced education programs

• living spaces and growing needs, contribution to meeting social challenges

– smart cities, transport, mobility services, people’s everyday private lives, smart homes, smart buildings, green IT, assistance

– AAL, e-health, integrated remote healthcare, enabling the elderly and infirm to live independent lives and play an active part in society

• infrastructure and utility systems, integrated service delivery, organization, supply and monitoring

– energy, water

– governance, needs-based, integrated control of energy and water supply and of traffic in towns and cities

– healthcare, integrated (remote) medical care

• integrated security surveillance and safety monitoring and the associated strategies, e.g., for panic or fire prevention, as well as for general technological processes at events in public buildings or towns and cities

• integrated services for all of the above, delivered using CPS technology

Technology and engineering

• requirements and domain models, enhanced quality models, architecture and composition concepts

– integrable requirements, environment and domain models

– models of human-computer interactions and shared control

– integrated interaction and behaviour concepts

– hybrid models for systems and networks, as well as integrated architecture and composition concepts

– models for cooperative and strategic behaviour

– integrated technologies and methods for delivering the required CPS capabilities

– intuitive, dependable and transparent concepts for operation, interaction and control and for usability, multimodal interfaces and communication

– human models, situation and intention recognition

– techniques and processes for learning and adaptation

– sensor and actuator technologies and networks

– Internet technology, especially semantic technology

– efficient processors and communication

– Self-X and safety and security technologies, enhanced safety and security methods

– CPS platforms and middleware, including quality assurance models

• interdisciplinary engineering

– requirements engineering, participatory requirements analysis and design

– model-based exploration, simulation, validation and verification

– enhanced quality and risk engineering

– ensuring that non-functional requirements are met in design and composition

– domain engineering, creation of CPS application architectures and platforms

– self-organization and controlled autonomy

• concepts for technologies, engineering, architectures and guarantees geared towards privacy protection, for Privacy by Design (i.e., the incorporation of personal data protection considerations right from the very beginning of a product’s or service’s development) and for privacy protection goals

• Green IT, energy and resource efficiency

Industry

• evolution towards and breakthrough into a new generation of technology

– potential for a whole host of innovative products, systems and services

– sustainable innovation diversity through creation of networks and ecosystems

• the opportunity to carry out all aspects of the research, development, manufacture and integration of CPS in Germany, thereby ensuring Germany’s market and technology leadership

• development of the relevant cross-sectoral standards and of models, architectures and modelling languages that facilitate new innovations

6.2.4 Threats

Technology

• European ICT industry being marginalized because of

– low footprint in global market

– slow growth in home market

• R&D expenditures in Asian countries are rising rapidly and focusing on ICT business creation

• declining number of students entering science and engineering programs

• the complexity and resulting internal and external emergence (the spontaneous coming about of new behaviours as a result of system components interacting with other system components or with the social environment) of CPS and their applications

– lack of predictability and controllability

– increased risks as a result of inadequate safety and security

• higher risk of tampering and attacks owing to the open and ubiquitous nature of the systems

• inadequate security and protection of embedded systems and critical CPS infrastructures

Society and industry

• surveillance society

• digital divide

• individual and social dependence on correct operation of CPS

• restriction of individual flexibility and freedom

• disruption of business models in key industries

• non-transparent control of the Internet and communication by state and private actors, e.g., Google, Facebook or the secret services

• threats to know-how advances, e.g., from espionage

• threats arising from an inadequate legal framework, e.g., inconsistent, inflexible or non-existent IP and patent regulations

• inadequate networking between manufacturers of individual components, resulting in pronounced technological heterogeneity and solutions that have been developed in isolation from each other

• fragmented technology, failure to standardize, preventing system interoperability

6.3 Full SWOT analysis

The above analysis will be subject to improvement and completion. Firstly, a consolidated vision on CPS for Europe, indispensable for a full SWOT analysis, will be devised in the upcoming Deliverable D2.2. Secondly, the simple SWOT should be validated and, ideally, each pair (factor, region) should be quantified. Thirdly, strategies filling the quadrants of the SWOT matrix should be devised that take into account the factors (as is customary for SWOT analyses), the consolidated vision, the strategies proposed in the literature, most notably [EPo09, AEE12, TAR13, IA13b, GBC+12, EIT14, ABB+09, EIT13], and the recommendations for action in [BGC+11]. Optimally, these tasks combined can give rise to nuanced strategies. The full SWOT analysis, however, is outside the scope of this document.

7 Discussion

In this deliverable we have provided a state of the art survey that we hope will be useful for the intended gap analysis between the vision of a “possible future” and the current state in science and technology. To perform the gap analysis, a “framework” is needed that helps make the analysis useful. What are the desiderata for such a framework? First of all, it should help us to identify relevant gaps (challenges) in order to be able to discuss measures to deal with them and potential risks in doing so. Moreover, it would be useful to be able to quantify the gaps in some way. In order to form the gap analysis we thus need the following:

• an understanding of the concerns of interest (this has been the topic of previous deliverables, see [CyP13, CyP14b, CyP14a]) and most probably also a prioritization and delimitation;

• a suitable structuring of these concerns;

• a description of the current situation (covered by Chapters 3 and 4 – as attempted in this deliverable);

• a description of an envisioned future situation (the topic of forthcoming deliverable D2.2);

• metrics with which different aspects can, at least qualitatively, be compared with each other;

• a validation as far as possible of all of the above.

As part of the hypothesized structure (recall Chapter 2), the currently achievable capabilities of CPS could for example be compared with those envisioned for the future. With suitable metrics, such a comparison will be facilitated. Likewise, for societal perspectives, the current public perception and educational state can be compared with a future state.

In the following we further discuss the proposed structure, possible metrics, validation and challenges in performing the gap analysis.

• Validation of included concerns. An important question is whether all relevant aspects are covered. Validation can and will be performed by interactions with a broader network of experts and by a refined assessment with respect to state of the art frameworks/models (refinement with respect to the initial analysis in Section 2.1). For example, we noted already in the initial analysis that an explicit inclusion of the information aspect would be relevant. Other tentatively relevant considerations include domain perspectives and studies (e.g., smart mobility, smart health etc.).

• Metrics. The incorporated aspects should be useful for forming a “delta”, implying that the various aspects need to be comparable and thus somehow measurable. For this purpose some form of metrics needs to be identified and selected, for example TRL levels, capability models such as CMMi, and available capability models for properties such as autonomy (such as the NHTSA definitions¹). Even for a qualitative discussion, the various aspects of the perspectives have to be relevant and sufficiently detailed for a comparative analysis.

• Drivers for dealing with the gap. Related to the gap analysis it would clearly be useful to identify drivers for closing the gaps and risks in closing the gaps. Deliverable D2.1 (see [CyP13]) discussed application pull and technology push, and risks as well as benefits in adopting CPS technology. Such an analysis is helpful for selecting and establishing the visions and also helps to pinpoint technological aspects and application domains that may be of relevance for the state of the art and the gap analysis.

• Challenges. There are clearly several challenges involved in performing the gap analysis. Apart from validating the included concerns, validation is also required with respect to the selected metrics, the visions, and for the conclusions drawn from the gap analysis. Different concerns for comparison are likely to require different types of metrics and comparison methods (e.g., technological aspects vs. public perception). As mentioned earlier, validation will be performed by a dialogue with experts. When it comes to the visions, they are clearly, and inherently, difficult to validate but can be used to indicate desired and undesired directions, to enable appropriate actions to be recommended. Finally, time and resource-wise this type of exercise is demanding, and given the limited resources of the project, delimitations will be necessary.

Given this overall discussion focusing on the framework for the gap analysis, we turn to a brief discussion regarding the technological and societal perspectives in the following subsections.

¹ See http://www.nhtsa.gov/About+NHTSA/Press+Releases/U.S.+Department+of+Transportation+Releases+Policy+on+Automated+Vehicle+Development

7.1 About the state of the art in engineering

Many emerging applications now share networks and components in configurations whose conceptual structure no longer readily maps to their physical structure. In parallel, open networks of systems couple applications from multiple domains: everything can, in principle, be connected to everything else. Networked systems are becoming the neural system of our cyber-society. The future applications of CPS are more transformative than the IT revolution of the past three decades. Real-time networked information and pervasive sensing, actuating, and computation are creating powerful opportunities for systems integration. Today, it is hard to imagine the different tasks that the next generation of CPS will be able to execute. These new capabilities will require high-confidence computing systems that can interact appropriately with humans and the physical world in dynamic environments and under unforeseen conditions. Achieving these capabilities presents a complex and multi-disciplinary engineering challenge.

The underlying technical challenges also have a great deal of commonality reflecting a range of fundamental scientific and engineering issues. Barriers arise throughout all stages of technology development. Systems and computer science has provided a solid foundation for spectacular progress in engineering and information technology; a new systems science is now needed to address the unique scientific and technical challenges of CPS. Addressing these challenges will help ensure that in the future CPS are reliable, safe, producible, and secure. The following paragraphs present the main directions of research needed (some of them are described in detail in the literature) in the CPS domain, which is still at an early stage:

Design principles for integrating complex, heterogeneous large-scale systems. Future CPS will contain large numbers of heterogeneous distributed components and systems that must work together effectively to deliver expected performance. Components may have different notions of time, across different scales. In heterogeneous, physically aware CPS, feedback can occur through both the cyber and physical environments. Composability that cuts across the heterogeneous cyber and physical aspects of CPS is a major scientific challenge. Basic research in composability leads to reduced challenges in system integration of both subsystems and systems-of-systems.

Many tools and approaches exist for creating components and composing them. Different models, languages and notations exist; however, they are appropriate only for particular problems or areas. No complete solution exists for CPS. There are several challenges to achieving this today. A fundamental issue is the lack of common terminology, modelling languages, and rigorous semantics for describing interactions, physical and computational, across heterogeneous systems. Achieving the interoperability and composability of various components constructed in different engineering domains and sectors, without the benefit of unifying theories and standards, presents a major challenge.

Issues of predictability. CPSs must provide services meeting given requirements in interaction with uncertain environments. Uncertainty directly affects predictability, that is to say the degree to which qualitative or quantitative system properties can be asserted. Lack of predictability is further aggravated, as exact analysis techniques are impossible owing to non-computability of all essential system properties. For instance, timing analysis techniques allow upper approximations of WCET, which may be many orders of magnitude larger. Uncertainty and the resulting non-predictability limit our ability to design complex critical systems for which it is impossible to anticipate at design time by a case-by-case analysis all the potentially critical situations. Current methods for characterization and quantification of uncertainty are limited and inadequate. This is exacerbated by the limits of reliability and accuracy of physical components, the validity of models characterizing them, network connections, and potential design errors in software.

Verification and validation. Verification techniques have definitely found important applications. After the first two decades of intensive research and development, recent years have been characterized by a shift in focus and intensity. Today we have fairly efficient verification algorithms. However, all suffer from well-known inherent complexity limitations when applied to large systems, and their capabilities for verification and validation (V&V) of CPS are limited, time consuming, and costly, particularly when compared to development time. We need to develop new theories of correctness for CPS that allow new “correct-by-construction” approaches: property preserving transformation of existing and new systems. We also need methods for reasoning about the co-stability of cyber and physical domain features. The major challenges are the creation of methodologies to further the capabilities of V&V of complex systems, and the development of test beds and datasets to support a principled approach to the validation of complex CPS. If the design phase is more reliable, testing can become more informed and require less time. The evaluation challenges will become increasingly difficult at the larger scales and higher complexity expected for future CPS, which will have massive and interconnected sensor, actuator, and component networks.

System design. The design of CPS is hampered by the limited ability to design at a systems level. There are many factors impeding system-level design, such as the lack of formalized high-fidelity models for large systems, insufficient ways of measuring performance, and inadequate scientific foundations.

A key factor is correct-by-construction design. There is great merit in this approach, and a key aim for the science and engineering of CPS is to see how to extend these principles to cover the full range of properties of concern for CPS. The principles of correct-by-construction approaches are at the root of any mature engineering discipline. They allow reasoning about the properties of the designed system incrementally and compositionally along the design process. They are scalable and do not suffer limitations of correctness-by-checking. Testing may be still necessary, but its role is to validate the correct-by-construction process rather than to find bugs.

System developers extensively use algorithms, protocols and architectures that have been proven correct. They also use compilers to get across abstraction levels and translate high-level languages into (semantically equivalent) object code. All these results and techniques largely account for our ability to master complexity and develop systems cost-effectively. Nonetheless, we still lack theory and methods for combining them in principled and disciplined fully correct-by-construction flows.

For designing CPS we need a methodology to ensure correctness-by-construction gradually throughout the design process by acting in two different directions:

• Horizontally, within a design step, by providing rules for enforcing global properties of composite components (horizontal correctness) while preserving essential properties of atomic components;

• Vertically, between design steps, to guarantee that if some property is established at some step then it will be preserved at all subsequent steps (vertical correctness).

Scientific and technical challenges to achieving this approach include a lack of mathematical and system science foundations, formalized metrics, evaluation techniques, and methods for dealing with cross-cutting properties in the design space. Furthering the mathematical methodology for design space exploration is critical for allowing a principled approach to designing complex architectures that are modular.

Privacy, trust and security. Assuring that systems are trustworthy, secure, and protect the privacy of information creates both technical and policy challenges. Cyber-security is a critical aspect of CPS on many levels, including the protection of national infrastructure, privacy of individuals, system integrity, and intellectual property.

Security is a basic requirement for Cyber-Physical Systems. The technologies used will need to employ measures that provide protection against attacks. It will be particularly important to guarantee secure communication, since this will often occur via wireless communication interfaces. This will require technologies for ensuring that communication only takes place with authenticated and authorized partners. In addition, it will be necessary to guarantee the integrity and confidentiality of the data being transmitted. In other words, these data will need to be protected against tampering and eavesdropping.

In addition to ensuring secure communication, it is also necessary to provide protection for the various systems, devices and components that form part of the system, since these are often deployed in public places and are therefore highly susceptible to attacks involving physical tampering. Consequently, the data stored on these systems need to be protected against tampering, unauthorized access and destruction. This applies both to system data such as the operating system and to stored data such as measurements or the cryptographic keys used to enable secure communication. Cyber-Physical Systems often involve interactions between unknown communication partners, some of whom may harbor malicious intentions. As a result, technologies will be needed for assessing communication partners’ trustworthiness.

Security needs to be addressed not only during the development stage of Cyber-Physical Systems but also once they are up and running. This will require engineering capabilities that enable implementation of security concepts for ensuring that the systems are both Secure by Design and Secure during Operation.

In CPS, physical and cyber elements motivate different models of trust so that erroneous behaviour is detected and human operators maintain appropriate skepticism during system operation. New science and theory is needed to define cyber-physical inter-confidence and trust maps, CPS context dependent trust models, and ground truth detection capabilities (based, e.g., on real-world physical limits).
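
The receiver-side checks named in the security paragraphs above (authenticated and authorized partners, integrity of transmitted data, and ground truth detection based on physical limits), as an added example that is not part of the deliverable. The device name, key, channel names and limit values are constructed, and confidentiality (encryption) is left out so that the block needs only the Python standard library.

```python
import hashlib
import hmac
import json
import math

# Constructed provisioning data (assumptions, not taken from the deliverable).
DEVICE_KEYS = {"pump-7": b"constructed-demo-key-0001"}      # per-device MAC keys
AUTHORIZED = {"pump-7": {"pressure_bar"}}                   # channels a device may report
LIMITS = {"pressure_bar": {"min": 0.0, "max": 16.0, "max_rate": 2.0}}  # bar, bar/s


def sign(dev, ctr, ts, ch, val, key):
    """Sender side: serialize a reading and attach an HMAC-SHA256 tag."""
    body = json.dumps({"dev": dev, "ctr": ctr, "ts": ts, "ch": ch, "val": val},
                      sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


class Receiver:
    """Accepts a reading only if it is authentic, authorized, fresh and plausible."""

    def __init__(self):
        self.last_ctr = {}     # dev -> highest counter seen on an authentic message
        self.last_sample = {}  # (dev, ch) -> (ts, val) of the last accepted reading

    def accept(self, msg):
        # Parse only to learn which key to use; nothing is trusted before the tag check.
        try:
            body = msg["body"]
            f = json.loads(body)
            dev, ctr, ts, ch, val = f["dev"], f["ctr"], f["ts"], f["ch"], f["val"]
            well_formed = (isinstance(body, bytes) and isinstance(dev, str)
                           and isinstance(ch, str) and isinstance(ctr, int)
                           and math.isfinite(ts) and math.isfinite(val))
        except (KeyError, TypeError, ValueError, OverflowError):
            well_formed = False
        if not well_formed:
            return False, "malformed"

        key = DEVICE_KEYS.get(dev)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        tag = msg.get("tag")
        if not isinstance(tag, bytes) or not hmac.compare_digest(expected, tag):
            return False, "bad tag"                      # integrity / authentication
        if ch not in AUTHORIZED.get(dev, set()):
            return False, "unauthorized channel"         # authorization
        if ctr <= self.last_ctr.get(dev, -1):
            return False, "replay"                       # freshness
        self.last_ctr[dev] = ctr  # authentic and fresh: never accept this counter again

        # Trust in the content: compare against what the physical process can do.
        lim = LIMITS.get(ch)
        if lim is None or not (lim["min"] <= val <= lim["max"]):
            return False, "out of physical range"
        prev = self.last_sample.get((dev, ch))
        if prev is not None:
            dt = ts - prev[0]
            if dt <= 0 or not (abs(val - prev[1]) / dt <= lim["max_rate"]):
                return False, "implausible rate"
        self.last_sample[(dev, ch)] = (ts, val)
        return True, "ok"


def demo():
    """Run constructed messages through one receiver and return the verdicts."""
    key = DEVICE_KEYS["pump-7"]
    rx = Receiver()
    m1 = sign("pump-7", 1, 100.0, "pressure_bar", 4.0, key)
    m2 = sign("pump-7", 2, 101.0, "pressure_bar", 4.5, key)
    tampered = dict(m2, body=m2["body"].replace(b"4.5", b"9.5"))
    msgs = [
        m1,                                                    # genuine
        m1,                                                    # same message again
        tampered,                                              # value altered in transit
        m2,                                                    # genuine
        sign("pump-7", 3, 102.0, "pressure_bar", 12.0, key),   # +7.5 bar within 1 s
        sign("pump-7", 4, 103.0, "pressure_bar", 40.0, key),   # beyond the sensor range
        sign("pump-7", 5, 104.0, "valve_cmd", 1.0, key),       # channel not authorized
        sign("rogue-1", 1, 104.0, "pressure_bar", 4.0, b"x"),  # unprovisioned sender
    ]
    return [rx.accept(m)[1] for m in msgs]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The last three cryptographically valid messages are still rejected, which is the point of a content-level trust check: a correctly keyed but faulty or compromised device passes authentication and is caught only by the physical limits.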

Mixed-critical systems. For CPS, a key issue for integration is mastering interaction of critical and non-critical features and error containment. Preventing failures of non-critical components from affecting the behaviour of critical components raises difficult problems. Management of criticality is a key point and it is important that critical parts of a system do not interfere with non-critical parts such as maintenance functions, or added value services provided to users such as navigation or weather information. Note that preventing failures of non-critical components from affecting the behaviour of critical components raises difficult problems; see, e.g., [FGS06]. However, the theory with which to tackle them is lacking.

The challenge in implementing mixed-critical systems is to obtain implementations that are able to provide functional and timing guarantees at very high levels of assurance to the safety-critical functionalities, while simultaneously not reserving such an excessive amount of the resources that it becomes impossible to provide any guarantees, even at far lower levels of assurance, to the non-critical functionalities. Research is needed to determine strategies that would accomplish this goal.

7.2 About the societal context

This section has highlighted a number of non-technical issues which provide a context in which to assess the “state of the art” in CPS and which will also inform the roadmap for CPS. We highlight five issues which need further consideration within CyPhERS and where support from the EU may be needed if the full capabilities of CPS are to be realized and/or the EU is to benefit from the opportunities:

• CyPhERS should consider and define more clearly where “openness” is likely to be a key to success and the EU should consider where standards, legislation or directives are required to give “weight” to the desire to ensure “openness”;

• CyPhERS should consider and identify domains where support to innovation through a “collaborate to compete” model is likely to be important, and make recommendations to the EU where funding (perhaps specific support actions) would be beneficial to realize such collaboration;

• CyPhERS should consider standards, especially for safety and security and/or privacy in a number of key domains, and identify where development is needed to remove obstacles to CPS adoption and consider whether or not there is a role for directives;

• CyPhERS should consider and identify more clearly a means to develop both curricula and materials to support education and training in CPS, and consider whether or not an EU-wide initiative to develop and promulgate the materials would be worthwhile;

• CyPhERS should consider how to characterize more fully the “digital divide” so as to be able to identify means of reducing the divide, where practicable, and to suggest mechanisms which should be adopted at the EU level to prevent serious social exclusion.

To an extent, all these issues should be reflected in the final CyPhERS roadmap.

Finally, CyPhERS suggests that a competent group should consider jurisdictional issues in relationship to CPS to determine whether or not there are serious concerns at the EU level. As indicated above, CyPhERS is not competent to address such issues although it could provide a technical briefing on the issues to support such an activity.

8 Conclusions

In this “state of the art” deliverable we have aimed to provide a baseline for the forthcominggap analysis to be performed between the vision of a “possible future” and the current state inscience and technology.

We have surveyed various technological and societal aspects of CPS, provided an initialinternational outlook, discussed Europes positioning, and also discussed how to perform thesubsequent gap analysis.

CPS is still an evolving area, with fragmented information and viewpoints (including amongacademic disciplines and industrial domains). Further work will be required in the followingareas:

• refining the proposed structuring of the area in terms of engineering and societal aspects. Such a refinement may also further our understanding of core aspects of CPS, thus providing helpful delimitations.

• prioritizing among the aspects to be covered. The sheer number of aspects makes prioritization necessary. Moreover, some areas, such as legislation, are beyond the competence of the CyPhERS team; in such cases the CyPhERS project can provide recommendations for further separate studies.

• developing a framework for performing the gap analysis (D5.2).

• gathering and developing visions for the future (D2.2).

• investigating further the international perspective, with priority in eliciting information from regions considered of most interest (D5.2).

• performing an assessment of economic significance of CPS for Europe, as far as possible reusing the recent study by ITEA/ARTEMIS (D5.2).

The deliverable also pointed to the need to evolve CPS education. While initial efforts in this direction can be noted in the US (CPS education workshops) and as part of the EIT ICT Labs CPS education, there is clearly a need for further work in this direction, going beyond the scope of CyPhERS. This is an area where an EU-wide initiative to develop and promulgate the materials would be worthwhile.

Deliverable D5.1 – Methods and Techniques 99

Page 104: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

Bibliography

[ABB+09] Reinhold Achatz, Klaus Beetz, Manfred Broy, Heinrich Dämbkes, Werner Damm,Klaus Grimm, and Peter Liggesmeyer. Nationale Roadmap Embedded Sys-tems. ZVEI (Zentralverband Elektrotechnik und Elektronikindustrie e. V.),Kompetenzzentrum Embedded Software & Systems, Frankfurt/Main, Decem-ber 2009. URL: https://www.zvei.org/fileadmin/user_upload/Forschung_Bildung/NRMES.pdf.

[AD90] Rajeev Alur and David L. Dill. Automata For Modeling Real-Time Systems. InMike Paterson, editor, ICALP’90, LNCS 443, pages 322–335. Springer, 1990.

[AEE12] High Level Strategic Research and Innovation Agenda of the ICT Com-ponents and Systems Industries as represented by ARTEMIS, ENIACand EPoSS, April 2012. URL: http://www.smart-systems-

integration.org/public/documents/publications/sria_

ict_components_systems_industry_april2012.pdf.

[Agr03] Aditya Agrawal. Graph rewriting and transformation (GReAT): A solution for themodel integrated computing (MIC) bottleneck. In Proceedings of the 18th IEEEInternational Conference on Automated Software Engineering (ASE03), 2003.

[AHKV98] Rajeev Alur, Thomas A. Henzinger, Orna Kupferman, and Moshe Y. Vardi. Alter-nating refinement relations. In Davide Sangiorgi and Robert de Simone, editors,9th International Conference Concurrency Theory (CONCUR’98, Proceedings),volume 1466 of Lecture Notes in Computer Science, pages 163–178. Springer,1998.

[Ale06] Perry Alexander. System Level Design with Rosetta. Elsevier, 2006.

[AT13] Jacques Combaz Ahlem Triki. Model-based implementation of parallel real-timesystems. Technical Report TR-2013-11, Verimag Research Report, 2013.

[AWF14] Fabian Adelt, Johannes Weyer, and Robin Fink. Governance of complex sys-tems: results of a sociological simulation experiment. Ergonomics, 2014. To

Deliverable D5.1 – Methods and Techniques 100

Page 105: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

appear. URL: http://www.tandfonline.com/doi/full/10.1080/00140139.2013.877598.

[BBB+11] Wolfgang Beinhauer, Janina Bierkandt, Micha Block, Elisabeth Bülles-feld, and Jasmin Link. Trendstudie – Auszug der Studie “Trends undEntwicklungen im Umfeld von Automaten”. Technical report, Fraunhofer-Institut für Arbeitswirtschaft und Organisation (IAO), April 2011. URL:http://www.erlebnis-automat.de/cms/images/documents/

auszug_trendstudie.pdf.

[BBS06a] Ananda Basu, Marius Bozga, and Joseph Sifakis. Modeling Heterogeneous Real-time Components in BIP. In Proc. of the Fourth IEEE Intl. Conference on SoftwareEngineering and Formal Methods, pages 3–12, Washington, DC, USA, 2006.IEEE Computer Society.

[BBS06b] Ananda Basu, Marius Bozga, and Joseph Sifakis. Modeling heterogeneous real-time components in BIP. In Proceedings of the Fourth IEEE International Con-ference on Software Engineering and Formal Methods (SEFM06), pages 3–12,Washington, DC, USA, 2006.

[BCC+08] Albert Benveniste, Benoît Caillaud, Luca P. Carloni, Paul Caspi, and Alberto L.Sangiovanni-Vincentelli. Composing heterogeneous reactive systems. ACMTrans. Embed. Comput. Syst., 7:43:1–43:36, 2008.

[BCCSV05] Albert Benveniste, Benoît Caillaud, Luca P. Carloni, and Alberto Sangiovanni-Vincentelli. Tag machines. In EMSOFT, pages 255–263, 2005.

[BCF+08] Albert Benveniste, Benoît Caillaud, Alberto Ferrari, Leonardo Mangeruca,Roberto Passerone, and Christos Sofronis. Multiple viewpoint contract-basedspecification and design. In Proceedings of the Software Technology Concerta-tion on Formal Methods for Components and Objects, FMCO’07, volume 5382of Lecture Notes in Computer Science, pages 200–225. Springer, October 2008.

[BDD+09] Felice Balarin, Abhijit Davare, Massimiliano D’Angelo, Douglas Densmore,Trevor Meyerowitz, Roberto Passerone, Alessandro Pinto, Alberto Sangiovanni-Vincentelli, Alena Simalatsar, Yoshinori Watanabe, Guang Yang, and Qi Zhu.Platform-based design and frameworks: METROPOLIS and METRO II. In GabrielaNicolescu and Pieter J. Mosterman, editors, Model-Based Design for EmbeddedSystems, chapter 10, page 259. CRC Press, Taylor and Francis Group, Boca Raton,London, New York, November 2009.

Deliverable D5.1 – Methods and Techniques 101

Page 106: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

[BDL+06] G. Behrmann, A. David, K.G. Larsen, J. Hakansson, P. Petterson, Wang Yi, andM. Hendriks. Uppaal 4.0. In Quantitative Evaluation of Systems, 2006. QEST2006. Third International Conference on, pages 125–126, Sept 2006.

[Ber03] Gerard Berry. The effectiveness of synchronous languages for the development ofsafety-critical systems. White paper, Esterel Technologies, 2003. URL: http://www.esterel-technologies.com.

[BFM+08] Luca Benvenuti, Alberto Ferrari, Leonardo Mangeruca, Emanuele Mazzi, RobertoPasserone, and Christos Sofronis. A contract-based formalism for the specifica-tion of heterogeneous systems. In Proceedings of the Forum on Specification,Verification and Design Languages (FDL08), pages 142–147, Stuttgart, Germany,September 23–25, 2008.

[BGC+11] Manfred Broy, Eva Geisberger, María Victoria Cengarle, Patrick Keil, JürgenNiehaus, Christian Thiel, and Hans-Jürgen Thönnißen-Fries. Cyber-Physical Sys-tems: Driving force for innovation in mobility, health, energy and production.Number 8 in acatech POSITION PAPER. Springer, Berlin, 2011. URL: http://www.springer.com/computer/book/978-3-642-29089-3.

[BHGZ09] Leif Brand, Tim Hülser, Vera Grimm, and Axel Zweck. Inter-net der Dinge: Übersichtsstudie. Technical report, Zukünftige Tech-nologien Consulting der VDI Technologiezentrum GmbH, March 2009.URL: http://www.vdi.de/fileadmin/vdi_de/redakteur/dps_

bilder/TZ/2009/Band%2080_IdD_komplett.pdf.

[Bis07] Christopher Bishop. Pattern Recognition and Machine Learning. Springer, NewYork, 2007. Corr. 2nd printing.

[BIT11a] “Smart Cities” – Gr"une ITK zur Zukunftssicherung moderner St"adte. Technicalreport, Bundesverband Informationswirtschaft, Telekommunikation und neue Me-dien e.V. (BITKOM), May 2011. URL: http://www.bitkom.org/files/documents/Smart_Cities_Studie_Mai_2011.pdf.

[BIT11b] Studie Automobil – ITK im Auto und Elektromobilit"at. Technical report,Bundesverband Informationswirtschaft, Telekommunikation und neue Me-dien e.V. (BITKOM), 2011. URL: http://www.bitkom.org/files/documents/BITKOM_Studie_Automobil_-_ITK_im_Auto_und_

Elektromobilitaet.pdf.

Deliverable D5.1 – Methods and Techniques 102

Page 107: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

[BJ08] Christel Baier and Joost-Pieter Katoen. Principles of Model Checking. MIT Press,Cambridge, 2008.

[BJP99] Antoine Beugnard, Jean-Marc Jézéquel, and Noël Plouzeau. Making componentscontract aware. IEEE Computer, 32(7):38–45, 1999.

[BKS11] Christian Brecher, Stefan Kozielski, and Lutz Schapp. Integrative Pro-duktionstechnik f"ur Hochlohnl"ander. pages 47–70. Springer, Berlin,April 2011. URL: http://www.acatech.de/fileadmin/user_

upload/Baumstruktur_nach_Website/Acatech/root/de/

Publikationen/acatech_diskutiert/acatech_diskutiert_

Wertschoepfung_WEB.pdf.

[BLL+05] C. Brooks, E.A. Lee, X. Liu, S. Neuendorffer, Y. Zhao, and H. Zheng (eds.).Heterogeneous concurrent modeling and design in Java (Volume 1: Introductionto Ptolemy II). Technical Report UCB/ERL M05/21, University of California,Berkeley, July 2005.

[BMG13] Unterstützung Pflegebedürftiger durch technische Assistenzsysteme – Abschluss-bericht. Technical report, Bundesministerium für Gesundheit, November 2013.URL: http://www.vdivde-it.de/publikationen/studien/

unterstuetzung-pflegebeduerftiger-durch-technische-

assistenzsysteme/at_download/pdf.

[BMS09] Matthias Büker, Alexander Metzner, and Ingo Stierand. Testing real-time tasknetworks with functional extensions using model-checking. In Proc. of the 14thIEEE int. conference on Emerging technologies & factory automation, ETFA’09,pages 564–573, Piscataway, NJ, USA, 2009. IEEE Press.

[BMW09] Internet der Dinge: Leitfaden zu technischen, organisatorischen, rechtlichenund sicherheitsrelevanten Aspekten bei der Realisierung neuer RFID-gest"utzterProzesse in Wirtschaft und Verwaltung. Dokumentation 581, Bundesministeriumf"ur Wirtschaft und Technologie, May 2009. URL: http://www.internet-of-things.eu/resources/documents/internet-der-dinge.

[BMW10] Das Internet der Dienste. Innovationspolitik, informationsgesellschaft,telekommunikation, Bundesministerium f"ur Wirtschaft und Technologie,September 2010. URL: http://bmwi.de/BMWi/Redaktion/PDF/

Publikationen/Technologie-und-Innovation/internet-

Deliverable D5.1 – Methods and Techniques 103

Page 108: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

der-dienste,property=pdf,bereich=bmwi,sprache=de,rwb=

true.pdf.

[BPL+01] A. Bakshi, V. K. Prasanna, A. Ledeczi, V. Mathur, S. Mohanty, C. S. Raghaven-dra, M. Singh, A. Agrawal, J. Davis, B. Eames, S. Neema, and G. Nordstrom.MILAN: A model based integrated simulation framework for design of embed-ded systems. In Proceedings of the Workshop on Languages, Compilers and Toolsfor Embedded Systems (LCTES 2001), Snowbird, UT, June 2001.

[BPPSV05] Felice Balarin, Roberto Passerone, Alessandro Pinto, and Alberto L. Sangiovanni-Vincentelli. A formal approach to system level design: Metamodels and unifieddesign environments. In Proceedings of the Third ACM and IEEE InternationalConference on Formal Methods and Models for Co-Design (MEMOCODE05),pages 155–163, Verona, Italy, July 11–14, 2005. IEEE Computer Society, LosAlamitos, CA, USA.

[BPSV01] Jerry R. Burch, Roberto Passerone, and Alberto L. Sangiovanni-Vincentelli. Over-coming heterophobia: Modeling concurrency in heterogeneous systems. In Pro-ceedings of the 2nd International Conference on Application of Concurrency toSystem Design (ACSD01), pages 13–32, Newcastle upon Tyne, UK, June 25–29,2001. IEEE Computer Society, Los Alamitos, CA, USA.

[BRJ05] Grady Booch, James Rumbaugh, and Ivar Jacobson. Unified Modeling Lan-guage User Guide, The (2nd Edition) (Addison-Wesley Object Technology Series).Addison-Wesley Professional, 2005.

[BS00] Stefan Bussmann and Klaus Schild. Self-Organizing Manufacturing Control: AnIndustrial Application of Agent Technology. In Fourth International Conferenceon MultiAgent Systems (Proceedings), pages 87–94, 2000.

[BS08a] Simon Bliudze and Joseph Sifakis. The algebra of connectors: Structuring inter-action in BIP. IEEE Transactions on Computers, 57(10):1315–1330, 2008.

[BS08b] Simon Bliudze and Joseph Sifakis. The Algebra of Connectors - Structuring In-teraction in BIP. IEEE Trans. Computers, 57(10):1315–1330, 2008.

[BS10] Purandar Bhaduri and Ingo Stierand. A proposal for real-time interfaces in speeds.In Design, Automation and Test in Europe (DATE’10), pages 441–446. IEEE,2010.

Deliverable D5.1 – Methods and Techniques 104

Page 109: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

[Bur92] Jerry R. Burch. Trace Algebra for Automatic Verification of Real-Time ConcurrentSystems. PhD thesis, School of Computer Science, Carnegie Mellon University,August 1992.

[CdAHM02] Arindam Chakrabarti, Luca de Alfaro, Thomas A. Henzinger, and Freddy Y. C.Mang. Synchronous and bidirectional component interfaces. In Proceedings of the14th International Conference on Computer Aided Verification, CAV’02, volume2404 of Lecture Notes in Computer Science, pages 414–427, 2002.

[Cen13] María Victoria Cengarle. Engineering of cyber-physical systems. In First OpenEIT ICT Labs Workshop on Cyber-Physical Systems Engineering, Trento, Italy,May 24 2013.

[CGP99] E. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999.

[CGW09] Kerstin Cuhls, Walter Ganz, and Philine Warnke, editors. Foresight-Prozess im Auftrag des Bundesministeriums f"ur Bildung und Forschung(BMBF) – Zukunftsfelder neuen Zuschnitts. Fraunhofer Verlag, Karlsruhe,2009. URL: http://www.bmbf.de/pubRD/Foresight-Prozess_

BMBF_Zukunftsfelder_neuen_Zuschnitts.pdf.

[CMP92] Edward Y. Chang, Zohar Manna, and Amir Pnueli. Characterization of temporalproperty classes. In Werner Kuich, editor, ICALP, volume 623 of Lecture Notesin Computer Science, pages 474–486. Springer, 1992.

[CPPSV06] Luca P. Carloni, Roberto Passerone, Alessandro Pinto, and Alberto L.Sangiovanni-Vincentelli. Languages and tools for hybrid systems design. Foun-dations and Trends in Electronic Design Automation, 1(1/2):1–193, January 2006.

[CPR08] Alessandro Cimatti, Luigi Palopoli, and Yusi Ramadian. Symbolic Computationof Schedulability Regions Using Parametric Timed Automata. RTSS’08, 0:80–89,2008.

[CPS08] Cyber-Physical Systems Summit “Holistic Approaches to Cyber-Physical Inte-gration”. Report, CPS Week, April 2008. URL: http://iccps2012.cse.wustl.edu/_doc/CPS_Summit_Report.pdf.

[CPVP10] Daniela Cancila, Roberto Passerone, Tullio Vardanega, and Marco Panunzio. To-ward correctness in the specification and handling of non-functional attributes ofhigh-integrity real-time embedded systems. IEEE Transactions on Industrial In-formatics, 6(2):181–194, May 2010.

Deliverable D5.1 – Methods and Techniques 105

Page 110: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

[CyP13] Characteristics, capabilities, potential applications of Cyber-Physical Systems: apreliminary analysis. Technical Report CyPhERS Deliverable D2.1, CyPhERSFP7 project, November 2013. URL: http://www.cyphers.eu/sites/default/files/D2.1.pdf.

[CyP14a] CPS methods and techniques. Technical Report CyPhERS Deliverable D4.1,CyPhERS FP7 project, February 2014. URL: http://www.cyphers.eu/sites/default/files/D4.1.pdf.

[CyP14b] Structured CPS market model. Technical Report CyPhERS Deliverable D3.1,CyPhERS FP7 project, January 2014. URL: http://www.cyphers.eu/sites/default/files/D3.1.pdf.

[dAH01] Luca de Alfaro and Thomas A. Henzinger. Interface automata. In Proceedingsof the Ninth Annual Symposium on Foundations of Software Engineering, pages109–120. ACM Press, 2001.

[Dam05] Werner Damm. Controlling speculative design processes using rich componentmodels. In Proceedings of 5th International Conference on Application of Con-currency to System Design (ACSD), 2005.

[DCL10] Benoît Delahaye, Benoît Caillaud, and Axel Legay. Probabilistic Contracts : ACompositional Reasoning Methodology for the Design of Stochastic Systems. InProc. 10th International Conference on Application of Concurrency to SystemDesign (ACSD), Braga, Portugal. IEEE, 2010.

[DCL11] Benoît Delahaye, Benoît Caillaud, and Axel Legay. Probabilistic contracts : Acompositional reasoning methodology for the design of systems with stochasticand/or non-deterministic aspects. Formal Methods in System Design, 2011. Toappear.

[DDG+13] Abhijit Davare, Douglas Densmore, Liangpeng Guo, Roberto Passerone, Al-berto L. Sangiovanni-Vincentelli, Alena Simalatsar, and Qi Zhu. METROII:A design environment for cyber-physical systems. ACM Transactions on Em-bedded Computing Systems, 12(1s):49:1–49:31, March 2013. URL: http://doi.acm.org/10.1145/2435227.2435245.

[Deg02] Nina Degele. Einführung in die Techniksoziologie. UTB, Stuttgart, 2002.

[Del10] Benoît Delahaye. Modular Specification and Compositional Analysis of Stochas-tic Systems. PhD thesis, Université de Rennes 1, 2010.

Deliverable D5.1 – Methods and Techniques 106

Page 111: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

[DHJP08] Laurent Doyen, Thomas A. Henzinger, Barbara Jobstmann, and Tatjana Petrov.Interface theories with component reuse. In Proceedings of the 8th ACM &IEEE International conference on Embedded software, EMSOFT’08, pages 79–88, 2008.

[DHLN10] Laurent Doyen, Thomas A. Henzinger, Axel Legay, and Dejan Nickovic. Robust-ness of Sequential Circuits. In ACSD’10, pages 77–84, 2010.

[Dil89] David L. Dill. Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. ACM Distinguished Dissertations. MIT Press, 1989.

[DLV12] P. Derler, E.A. Lee, and A.-S. Vincentelli. Modeling cyber-;physical systems.Proceedings of the IEEE, 100(1):13–28, Jan 2012.

[Dmi04] Sergey Dmitriev. Language Oriented Programming: The Next ProgrammingParadigm. onBoard, 1, November 2004. URL: http://www.jetbrains.com/mps/docs/Language_Oriented_Programming.pdf.

[DPSV06] Douglas Densmore, Roberto Passerone, and Alberto L. Sangiovanni-Vincentelli.A platform-based taxonomy for ESL design. IEEE Design and Test of Computers,23(5):359–374, May 2006.

[DTS+11] W. Damm, E. Thaden, I. Stierand, T. Peikenkamp, and H. Hungar. Using Contract-Based Component Specifications for Virtual Integration and Architecture Design.In Proceedings of the 2011 Design, Automation and Test in Europe (DATE’11),March 2011. To appear.

[DVM+05] Werner Damm, Angelika Votintseva, Alexander Metzner, Bernhard Josko,Thomas Peikenkamp, and Eckard Böde. Boosting reuse of embedded automotiveapplications through rich components. In Proceedings of FIT 2005 - Foundationsof Interface Technologies, 2005.

[DW07] Ulrich Dolata and Raymund Werle, editors. Gesellschaft und die Macht derTechnik: Sozio"okonomischer und institutioneller Wandel durch Technisierung.Number 58 in Schriften aus dem Max-Planck-Institut f"ur GesellschaftsforschungK"oln. Campus Verlag, Frankfurt/New York, May 2007.

[EI12] Cyber-Physical Systems: Situation Analysis of Current Trends, Tech-nologies and Challenges. In Foundations for Innovation in Cyber-Physical Systems (NIST CPS-Workshop), March 2012. Prepared by En-ergetics incorporated for the National Institute of Standards and Tech-

Deliverable D5.1 – Methods and Techniques 107

Page 112: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

nology (NIST). URL: http://events.energetics.com/NIST-

CPSWorkshop/pdfs/CPS_Situation_Analysis.pdf.

[Eic10] Marco Eichelberg. Interoperabilität von AAL-Systemkomponenten Teil 1: Standder Technik. VDE-Verlag, January 2010.

[EIT13] Strategic Innovation Agenda 2013. Technical report, EIT ICT Labs, April 2013.URL: http://www.eitictlabs.eu.

[EIT14] Blended Life In A Connected World – Strategic Innovation Agenda 2014-2016. Technical report, EIT ICT Labs, March 2014. URL: http://www.eitictlabs.eu.

[EJL+03] Johan Eker, Jörn W. Janneck, Edward A. Lee, Jie Liu, Xiaojun Liu, J. Ludvig,Stephen Neuendorffer, S. Sachs, and Yuhong Xiong. Taming heterogeneity - theptolemy approach. Proc. of the IEEE, 91(1):127–144, 2003.

[EkAB+13] Jad El-khoury, Fredrik Asplund, Matthias Biehl, Frederic Loiret, and Martin Törn-gren. A roadmap towards integrated CPS development environments. In FirstOpen EIT ICT Labs Workshop on Cyber-Physical Systems Engineering, Trento,Italy, May 24 2013.

[EPo09] Strategic Research Agenda of The European Technology Platform on SmartSystems Integration (Version 2), March 2009. URL: http://www.smart-systems-integration.org/documents/publications/EPoSS%

20Strategic%20Research%20Agenda%202009.pdf.

[ES01] Salminen V. Eppinger S. Patterns of product development interactions. In Pro-ceedings International Conference on Engineering Design, ICED01, Glasgow,August 21-23 2001.

[Fed07] Federal Networking and Information Technology – R&D Program. Lead-ership Under Challenge: Information Technology R&D in a CompetitiveWorld. Technical report, Council of Advisors on Science and Technol-ogy, 2007. URL: http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-07-nitrd-review.pdf.

[Feu05] G. Feuillade. Modal specifications are a syntactic fragment of the mu-calculus.Research Report RR-5612, INRIA, June 2005.

[FGS06] Alessandro Fantechi, Stefania Gnesi, and Laura Semini. Achieving Fault Toler-ance by a Formally Validated Interaction Policy. In Michael Butler, Cliff Jones,

Deliverable D5.1 – Methods and Techniques 108

Page 113: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

Alexander Romanovsky, and Elena Troubitsyna, editors, Rigorous Developmentof Complex Fault-Tolerant Systems [FP6 IST-511599 RODIN project], volume4157 of Lecture Notes in Computer Science, pages 133–152. Springer, 2006.

[FP07] G. Feuillade and S. Pinchinat. Modal specifications for the control theory ofdiscrete-event systems. Discrete Event Dynamic Systems, 17(2):211–232, 2007.

[Fri03] Peter Fritzson. Principles of Object-Oriented Modeling and Simulation with Mod-elica 2.1. Wiley, 2003.

[GBC+12] Eva Geisberger, Manfred Broy, María Victoria Cengarle, Patrick Keil, JürgenNiehaus, Christian Thiel, and Hans-Jürgen Thönnißen-Fries. agendaCPS: Inte-grierte Forschungsagenda Cyber-Physical Systems. Springer, Berlin, 2012.

[GGL10] Peter Gabriel, Katrin Gas̈sner, and Sebastian Lange. Das Internet derDinge: Basis für IKT-Infrastruktur von morgen – Anwendungen, Akteureund politische Handlungsfelder. Technical report, Institut für Innovationund Technik, VDI/VDE-IT, April 2010. URL: http://www.internet-of-things.eu/resources/documents/das-internet-der-

dinge-2013-basis-fur-die-ikt-infrastruktur-von-

morgen/at_download/file.

[GLMS02] Thorsten Grötker, Stan Liao, Grant Martin, and Stuart Swan. System Design withSystemC. Kluwer Academic Publishers, Norwell, MA, 2002.

[GMA09] Automation 2020: Bedeutung und Entwicklung der Automation bis zumJahr 2020 – Thesen und Handlungsfelder. Technical report, VDI/VDE-Gesellschaft Mess- und Automatisierungstechnik (GMA), June 2009. URL:http://www.vdi.de/fileadmin/vdi_de/redakteur_dateien/

gma_dateien/AT_2020_INTERNET.pdf.

[GPJE11] Nico Grove, Arnold Picot, Friedrich Jondral, and Jens Elsner. Why the Dig-ital Dividend will not close the Digital Divide. intermedia, 39(2):32–37,May 2011. URL: https://www.cel.kit.edu/download/IM_Vol_39_No_2_Digital_Dividend.pdf.

[GPQ14] Susanne Graf, Roberto Passerone, and Sophie Quinton. Contract-based reason-ing for component systems with rich interactions. In Alberto L. Sangiovanni-Vincentelli, Haibo Zeng, Marco Di Natale, and Peter Marwedel, editors, Em-bedded Systems Development: From Functional Models to Implementations, vol-

Deliverable D5.1 – Methods and Techniques 109

Page 114: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

ume 20 of Embedded Systems, chapter 8, pages 139–154. Springer New York,2014. URL: http://dx.doi.org/10.1007/978-1-4614-3879-3_8.

[GQ07] Susanne Graf and Sophie Quinton. Contracts for BIP: Hierarchical InteractionModels for Compositional Verification. In John Derrick and Jüri Vain, edi-tors, FORTE, volume 4574 of Lecture Notes in Computer Science, pages 1–18.Springer, 2007.

[Gri14] Ben Griffin. Audi traffic light recognition system needs to be green-lighted.Recombu, March 2014. URL: http://recombu.com/cars/articles/news/audi-traffic-light-recognition-system-needs-to-

be-green-lighted.

[HGQ10] Imene Ben Hafaiedh, Susanne Graf, and Sophie Quinton. Reasoning about Safetyand Progress Using Contracts. In Proc. of ICFEM’10, volume 6447 of LNCS,pages 436–451. Springer, 2010.

[HHJ+05] R. Henia, A. Hamann, M. Jersak, R. Racu, K. Richter, and R. Ernst. SystemLevel Performance Analysis-The SymTA/S Approach. IEEE Proc.-Computersand Digital Techniques, 152(2):148–166, 2005.

[HKMP02] David Harel, Hillel Kugler, Rami Marelly, and Amir Pnueli. Smart play-out ofbehavioral requirements. In FMCAD, pages 378–398, 2002.

[HKYH12] Akihito Hiromori, Takumi Kanaya, Hirozumi Yamaguchi, and Teruo Hi-gashino. Performance Evaluation of Mobility-Based Energy-Saving to ControlAir-conditioning and Lighting Equipments. In Sustainable Internet and ICT forSustainability (SustainIT’12, Proceedings), pages 1–6, 2012.

[HM03] David Harel and Rami Marelly. Come, Let’s Play: Scenario-Based Program-ming Using LSCs and the Play-Engine. Springer-Verlag, 2003. http://www.wisdom.weizmann.ac.il/~harel/ComeLetsPlay.pdf.

[Hoa69] C. A. R. Hoare. An axiomatic basis for computer programming. Commun. ACM,12(10):576–580, 1969.

[HS07] David Harel and Itai Segall. Planned and traversable play-out: A flexible methodfor executing scenario-based programs, . In TACAS, pages 485–499, 2007.

[HSMS07] Juhani Hirvonen, Mikko Sallinen, Hannu Maula, and Marko Suojanen. SensorNetworks Roadmap. Research notes 2381, VTT Tiedotteita, 2007. URL: http://www.vtt.fi/inf/pdf/tiedotteet/2007/T2381.pdf.

Deliverable D5.1 – Methods and Techniques 110

Page 115: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

[HW11] Lutz Heuser and Wolfgang Wahlster, editors. Internet der Dienste. acatechDISKUTIERT. Springer, Berlin, June 2011. URL: http://www.acatech.de/fileadmin/user_upload/Baumstruktur_nach_Website/

Acatech/root/de/Publikationen/acatech_diskutiert/

acatech_Diskutiert_Internet-der-Dienste_WEB_02.pdf.

[IA13a] Embedded / Cyber-Physical Systems ARTEMIS Major Challenges: 2014-2020– 2013 DRAFT Addendum to the ARTEMIS-SRA 2011, December 2013.URL: http://www.artemis-ia.eu/publication/download/

publication/910/file/ARTEMISIA_SRA_Addendum.pdf.

[IA13b] ITEA ARTEMIS-IA High-Level Vision 2030: Opportunities for Eu-rope, Autumn 2013. URL: https://itea3.org/publication/

download/publication/961/file/ITEA_ARTEMIS_IA_high_

level_vision_2030_v2013.pdf.

[IEC10] Functional safety of electrical/electronic/programmable electronic safety-relatedsystems. Technical Report Standard 61508, International Electrotechnical Com-mission (IEC), May 2010.

[IH11] Sara Ilstedt Hjelm. Design, energi och håbar utveckling. Technical report, Kung-liga Tekniska Högskolan, May 2011. URL: http://www.greenleap.kth.se/polopoly_fs/1.296114!/Menu/general/column-

content/attachment/Design%2C%20energi%20och%20h%C3%

A5llbar%20utveckling.pdf.

[ISO11] Road vehicles – functional safety. Technical Report Standard 26262, InternationalOrganization for Standardization (ISO), 2011.

[Jan03] Axel Jantsch. Modeling Embedded Systems and SOC’s: Concurrency and Timein Models of Computation. Morgan Kaufmann Publishers, 2003.

[Jon83] Cliff B. Jones. Specification and design of (parallel) programs. In IFIP Congress,pages 321–332, 1983.

[JS10] Sven Gábor Jánszky and Thomas Schildhauer. Vom Internet zum Outernet:Strategieempfehlungen und Geschäftsmodelle der Zukunft in einer Welt derAugmented Realities. Technical report, 2b AHEAD ThinkTanks und Instituteof Electronic Business an der Universität der Künste Berlin, November 2010.URL: https://www.2bahead.com/fileadmin/content/2bahead/PDFs/Whitepaper_Ansicht_NEU.pdf.

Deliverable D5.1 – Methods and Techniques 111

Page 116: CyPhERScyphers.eu/sites/default/files/D5.1.pdf · 2014. 3. 31. · CyPhERS Cyber-Physical European Roadmap & Strategy DELIVERABLE D5.1 CPS: State of the Art Document Version: 1.0

CyPhERS – Cyber-Physical European Roadmap & Strategy

[KA03] Cindy Kong and Perry Alexander. The Rosetta meta-model framework. In Pro-ceedings of the IEEE Engineering of Computer-Based Systems Symposium andWorkshop, Huntsville, AL, April 7-11 2003.

[KA12] Avenir Kobetski and Jakob Axelsson. Federated Embedded Systems: a review ofthe literature in related fields. Technical Report T2012:01, Swedish Institute ofComputer Science, January 2012. URL: http://soda.swedish-ict.se/5138/1/FES_literature_review-1.pdf.

[Kah74] Gilles Kahn. The semantics of a simple language for parallel programming. InJ. L. Rosenfeld, editor, Proceedings of the IFIP Congress 74, Information Pro-cessing 74, pages 471–475, Amsterdam, The Netherlands, 1974.

[Kan89] Asha Kanwar. Digital divide or digital dividend? Commonwealth EducationPartnerships, pages 79–83, 2008/9. URL: http://www.cedol.org/wp-content/uploads/2012/02/79-83-2008.pdf.

[Kar06] S. Karris. Introduction to Simulink with Engineering Applications. Orchard Pub-lications, 2006.

[KHYH12] Takumi Kanaya, Akihito Hiromori, Hirozumi Yamaguchi, and Teruo Higashino.HumanS: A Human Mobility Sensing Simulator. In Albert Levi, MohamadBadra, Matteo Cesana, Mona Ghassemian, Özgür Gürbüz, Nafaâ Jabeur, MarekKlonowski, Antonio Maña, Susana Sargento, and Sherali Zeadally, editors, 5th In-ternational Conference on New Technologies, Mobility and Security (NTMS 2012,Proceedings), pages 1–4. IEEE, 2012. URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=06208740.

[KMN+00] K. Keutzer, S. Malik, A. R. Newton, J. Rabaey, and A. Sangiovanni-Vincentelli.System Level Design: Orthogonolization of Concerns and Platform-Based De-sign. IEEE Transactions on Computer-Aided Design of Integrated Circuits andSystems, 19(12), December 2000.

[KNR+11] Wolfram Krewitt, Kristina Nienhaus, Nils Roloff, Rudolf Weeber, Matthias Reeg, Wolfgang Weimer-Jehle, Sandra Wassermann, Gerhard Fuchs, Thomas Kast, Bernd Schmidt, Uwe Leprich, and Eva Hauser. Analyse von Rahmenbedingungen für die Integration erneuerbarer Energien in die Strommärkte auf der Basis agentenbasierter Simulation (Abschlussbericht). Technical report, Deutsches Zentrum für Luft- und Raumfahrt e.V. (DLR), Interdisziplinärer Forschungsschwerpunkt Risiko und nachhaltige Technikentwicklung (ZIRN), Thomas Kast Simulation Solutions, Institut für ZukunftsEnergieSysteme (IZES), gefördert mit Mitteln des Bundesministeriums für Umwelt, Naturschutz und Reaktorsicherheit unter dem Förderkennzeichen 0325015, February 2011. URL: http://www.dlr.de/Portaldata/41/Resources/dokumente/st/AMIRIS-Pilotvorhaben.pdf.

[KPM11] Emmanouil Koukoumidis, Li-Shiuan Peh, and Margaret Martonosi. SignalGuru: leveraging mobile phones for collaborative traffic signal schedule advisory. pages 127–140. ACM, 2011. URL: http://projects.csail.mit.edu/wiki/pub/LSPgroup/PublicationList/Koukoumidis_SignalGuru_MobiSys_2011.pdf.

[KS03] Yannis Kalfoglou and Marco Schorlemmer. Ontology mapping: The state of the art. The Knowledge Engineering Review, 18(1):1–31, 2003.

[KSLB03] Gabor Karsai, Janos Sztipanovits, Akos Ledeczi, and Ted Bapty. Model-integrated development of embedded software. Proceedings of the IEEE, 91(1), January 2003.

[Lam77] Leslie Lamport. Proving the correctness of multiprocess programs. IEEE Trans. Software Eng., 3(2):125–143, 1977.

[Lar89] Kim Guldstrand Larsen. Modal specifications. In Automatic Verification Methods for Finite State Systems, volume 407 of Lecture Notes in Computer Science, pages 232–246. Springer, 1989.

[LDNA03] Akos Ledeczi, James Davis, Sandeep Neema, and Aditya Agrawal. Modeling methodology for integrated simulation of embedded systems. ACM Transactions on Modeling and Computer Simulation, 13(1):82–103, 2003.

[Len97] Douglas Lenat. From 2001 to 2001: Common Sense and the Mind of HAL. pages 305–332. MIT Press, Cambridge, MA, 1997.

[LNW06] K. G. Larsen, U. Nyman, and A. Wasowski. Interface input/output automata. In 14th International Symposium on Formal Methods, FM’06, volume 4085 of Lecture Notes in Computer Science, pages 82–97. Springer, 2006.

[LNW07a] Kim Guldstrand Larsen, Ulrik Nyman, and Andrzej Wasowski. Modal I/O automata for interface and product line theories. In Programming Languages and Systems, 16th European Symposium on Programming, ESOP’07, volume 4421 of Lecture Notes in Computer Science, pages 64–79. Springer, 2007.

[LNW07b] Kim Guldstrand Larsen, Ulrik Nyman, and Andrzej Wasowski. On modal refinement and consistency. In CONCUR, pages 105–119, 2007.

[LPT09] Kai Lampka, Simon Perathoner, and Lothar Thiele. Analytic Real-Time Analysis and Timed Automata: A Hybrid Method for Analyzing Embedded Real-Time Systems. In EMSOFT’09: Proc. of the 7th ACM int. conference on Embedded software, pages 107–116, New York, NY, USA, 2009. ACM.

[LPT10] Kai Lampka, Simon Perathoner, and Lothar Thiele. Analytic Real-Time Analysis and Timed Automata: A Hybrid Methodology for the Performance Analysis of Embedded Real-Time Systems. Design Automation for Embedded Systems, 14(3):193–227, 2010.

[LSV98] E.A. Lee and A. Sangiovanni-Vincentelli. A framework for comparing models of computation. IEEE Trans. CAD of Integ. Circ. and Systems, 17:1217–1229, 1998.

[Mah03] R.P.S. Mahler. Multitarget bayes filtering via first-order multitarget moments. Aerospace and Electronic Systems, IEEE Transactions on, 39(4):1152–1178, Oct 2003.

[MDA03] MDA guide version 1.0.1. Technical Report omg/2003-06-01, OMG, 2003.

[Mey92] B. Meyer. Applying “design by contract”. IEEE Computer, 25(10):40–51, October 1992.

[Mey09] Bertrand Meyer. Touch of Class: Learning to Program Well Using Object Technology and Design by Contract. Springer, Software Engineering, 2009.

[MM06] Pedro José Marrón and Daniel Minder, editors. Embedded WiSeNts Research Roadmap. Logos Verlag, Berlin, November 2006. URL: ftp://ftp.informatik.uni-stuttgart.de/pub/library/ncstrl.ustuttgart_fi/BOOK-2006-03/BOOK-2006-03.pdf.

[MM10] Sibylle Meyer and Heidrun Mollenkopf. AAL in der alternden Gesellschaft: Anforderungen, Akzeptanz und Perspektiven – Analyse und Planungshilfe. VDE-Verlag, May 2010.

[MP95] Zohar Manna and Amir Pnueli. Temporal verification of reactive systems: Safety. Springer, 1995.

[MPS04a] Deepak Mathaikutty, Hiren Patel, and Sandeep Shukla. EWD: A metamodeling driven customizable multi-MoC system modeling environment. FERMAT Technical Report 2004-20, Virginia Tech, 2004.

[MPS04b] Deepak A. Mathaikutty, H. Patel, and S. Shukla. A functional programming framework of heterogeneous model of computation for system design. In Forum on Specification and Design Languages (FDL’04), Lille, France, September 13–17 2004.

[MPSJ06] Deepak A. Mathaikutty, Hiren D. Patel, Sandeep K. Shukla, and Axel Jantsch. UMoC++: A C++-based multi-MoC modeling environment. In A. Vachoux, editor, Application of Specification and Design Languages for SoCs - Selected paper from FDL 2005, chapter 7, pages 115–130. Springer, 2006.

[MVK06] László Monostori, József Váncza, and Soundar R. T. Kumara. Agent-Based Systems for Manufacturing. CIRP Annals - Manufacturing Technology, 55(2):697–720, 2006.

[M.W98] M.W. Maier. Architecting Principles for Systems of Systems. Systems Engineering, 1(4):267–284, 1998.

[MYS+12] Ayaka Murai, Yohei Yamaguchi, Yoshiyuki Shimoda, Takumi Kanaya, Akihito Hiromori, Hirozumi Yamaguchi, and Teruo Higashino. Evaluation of energy-saving performance of office building task/ambient systems considering dynamic worker’s behaviour. In 1st Asia Conference of International Building Performance Simulation Association (ASim’12, Proceedings), 2012.

[Neg98] Radu Negulescu. Process Spaces and the Formal Verification of Asynchronous Circuits. PhD thesis, University of Waterloo, Canada, 1998.

[Nic91] Nicolas Halbwachs and Paul Caspi and Pascal Raymond and Daniel Pilaud. The synchronous data flow programming language Lustre. Proceedings of the IEEE, 79(9):1305–1320, 1991.

[Nor96] Donald A. Norman. Dinge des Alltags. Gutes Design und Psychologie für Gebrauchsgegenstände. Campus Verlag, 1996.

[NSK03] Sandeep Neema, Janos Sztipanovits, and Gabor Karsai. Constraint-based design-space exploration and model synthesis. In Proceedings of the Third International Conference on Embedded Software (EMSOFT03), Philadelphia, PA, October 13–15 2003.

[NSVSP12] P. Nuzzo, A. Sangiovanni-Vincentelli, X. Sun, and A. Puggelli. Methodology for the design of analog integrated interfaces using contracts. IEEE Sensors Journal, 12(12):3329–3345, Dec. 2012.

[Nym08] Ulrik Nyman. Modal Transition Systems as the Basis for Interface Theories and Product Lines. PhD thesis, Aalborg University, Department of Computer Science, September 2008.

[Obj] Object Management Group (OMG). Unified Modeling Language (UML) specification. [online], http://www.omg.org/spec/UML/.

[Obj07] Object Management Group (OMG). A UML profile for MARTE, beta 1. OMG Adopted Specification ptc/07-08-04, OMG, August 2007. URL: http://www.omg.org/omgmarte/.

[Obj08] Object Management Group (OMG). System modeling language specification v1.1. Technical report, OMG, 2008. URL: http://www.sysmlforum.com.

[OCL06] Object constraint language, version 2.0. OMG Available Specification formal/06-05-01, Object Management Group, May 2006.

[OKKJ96] D.W. Oliver, T.P. Kelliher, and J.G. Keegan Jr. Engineering Complex Systems with Models and Objects. McGraw-Hill, New York, 1996.

[otICS10] The Design Automation Standards Committee of the IEEE Computer Society, editor. 1850-2010 - IEEE Standard for Property Specification Language (PSL). IEEE Computer Society, 2010.

[Pas04] Roberto Passerone. Semantic Foundations for Heterogeneous Systems. PhD thesis, Department of Electrical Engineering and Computer Sciences, University of California, Berkeley, Berkeley, CA 94720, May 2004.

[PBSV07] Roberto Passerone, Jerry R. Burch, and Alberto L. Sangiovanni-Vincentelli. Refinement preserving approximations for the design and verification of heterogeneous systems. Formal Methods in System Design, 31(1):1–33, August 2007.

[PF06] J. Hudak P. Feiler, D. Gluch. The Architecture Analysis and Design Language (AADL): An Introduction. Software Engineering Institute (SEI) Technical Note, CMU/SEI-2006-TN-011, February 2006.

[PHG+09] Roberto Passerone, Imene Ben Hafaiedh, Susanne Graf, Albert Benveniste, Daniela Cancila, Arnaud Cuccuru, Sébastien Gérard, Francois Terrier, Werner Damm, Alberto Ferrari, Leonardo Mangeruca, Bernhard Josko, Thomas Peikenkamp, and Alberto Sangiovanni-Vincentelli. Metamodels in Europe: Languages, tools, and applications. IEEE Design and Test of Computers, 26(3):38–53, May/June 2009.

[PSB07] Hiren D. Patel, Sandeep K. Shukla, and Reinaldo A. Bergamaschi. Heterogeneous behavioral hierarchy extensions for SystemC. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 26(4):765–780, 2007.

[R. 05] R. Sudarsan and S.J. Fenves and R.D. Sriram and F. Wang. A product information modeling framework for product lifecycle management. Computer-Aided Design, 37:1399–1411, 2005.

[Rab08] Jan M. Rabaey. A brand new wireless day. In ASP-DAC, page 1. IEEE, 2008.

[Rac07] Jean-Baptiste Raclet. Quotient de spécifications pour la réutilisation de composants. PhD thesis, Ecole doctorale Matisse, université de Rennes 1, November 2007.

[Ric10] Richard Payne and John Fitzgerald. Evaluation of Architectural Frameworks Supporting Contract-Based Specification. Technical Report CS-TR-1233, Computing Science, Newcastle University, UK, Dec 2010. Available from http://www.cs.ncl.ac.uk/publications/trs/papers/1233.pdf.

[RLM+06] Daniel Rubin, Suzanna Lewis, Chris Mungall, Sima Misra, Monte Westerfield, Michael Ashburner, Ida Sim, Christopher Chute, Harold Solbrig, Margaret-Anne Storey, Barry Smith, John Day-Richter, Natalya Noy, and Mark Musen. National Center for Biomedical Ontology: Advancing Biomedicine through Structured Organization of Scientific Knowledge. OMICS: A Journal of Integrative Biology, 10(2):185–198, June 2006. URL: http://www.liebertonline.com/doi/pdf/10.1089/omi.2006.10.185.

[Roa13] Workshop on Systems of Systems Engineering and Control (Report), November 2013. URL: http://road2sos-project.eu/cms/upload/documents/Report_Systems_of_Systems_and_Control_final.pdf.

[Rob67] Robert W. Floyd. Assigning meaning to programs. In J.T. Schwartz, editor, Proceedings of Symposium on Applied Mathematics, volume 19, pages 19–32, 1967.

[SAL+03] J.A. Stankovic, T.F. Abdelzaher, Chenyang Lu, Lui Sha, and J.C. Hou. Real-time communication and coordination in embedded sensor networks. Proceedings of the IEEE, 91(7):1002–1022, July 2003.

[SB01] Kurt Sundermeyer and Stefan Bussmann. Einführung der Agententechnologie in einem produzierenden Unternehmen – Ein Erfahrungsbericht. Wirtschaftsinformatik, 43(2):135–142, 2001.

[Sif09] Joseph Sifakis. Component-Based Construction of Heterogeneous Real-Time Systems in Bip. In Giuliana Franceschinis and Karsten Wolf, editors, Petri Nets, volume 5606 of Lecture Notes in Computer Science, page 1. Springer, 2009.

[Sin12] Munindar Singh. Norms as a Basis for Governing Sociotechnical Systems. ACM Transactions on Intelligent Systems and Technology, V(N), June 2012. Article A.

[SJ04] Ingo Sander and Axel Jantsch. System modeling and transformational design refinement in ForSyDe. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 23(1):17–32, January 2004.

[SKR11] Carlo Sansone, Josef Kittler, and Fabio Roli, editors. Multiple Classifier Systems - 10th International Workshop, MCS 2011, Naples, Italy, June 15-17, 2011. Proceedings, volume 6713 of Lecture Notes in Computer Science. Springer, 2011.

[SKU13] Xu Sun, Hisashi Kashima, and Naonori Ueda. Large-Scale Personalized Human Activity Recognition Using Online Multitask Learning. IEEE Transactions on Knowledge and Data Engineering, 25(11):2551–2563, November 2013.

[SM12] Kevin Sullivan and Ram Muthukrishnan. Technology Strategies for Manufacturers: Disrupt or Be Disrupted. Technical report, Cisco Internet Business Solutions Group, June 2012. URL: http://www.cisco.com/web/about/ac79/docs/mfg/Technology-Strategies-for-Mfg.pdf.

[SV07] A. L. Sangiovanni-Vincentelli. Quo Vadis, SLD? Reasoning About the Trends and Challenges of System Level Design. Proc. of the IEEE, 95(3):467–506, March 2007.

[SVA04] Koushik Sen, Mahesh Viswanathan, and Gul Agha. Statistical Model Checking of Black-Box Probabilistic Systems. In CAV’04, LNCS 3114, pages 202–215. Springer, 2004.

[SVDP12] Alberto L. Sangiovanni-Vincentelli, Werner Damm, and Roberto Passerone. Taming Dr. Frankenstein: Contract-based design for cyber-physical systems. Eur. J. Control, 18(3):217–238, 2012.

[SVSS+09] A. Sangiovanni-Vincentelli, S. Shukla, J. Sztipanovits, G. Yang, and D. Mathaikutty. Metamodeling: An emerging representation paradigm for system-level design. Special Section on Meta-Modeling, IEEE Design and Test, 26(3):54–69, 2009.

[Sys] SystemC. http://www.systemc.org.

[TA10] Joseph Sifakis Tesnim Abdellatif, Jacques Combaz. Model-based implementation of real-time applications. Technical Report TR-2010-14, Verimag Research Report, 2010.

[Tai13] Madoka Tainaka. Cyber Physical Systems, Creating New Value from Sensor Network Information. NII Today, (45):6–7, April 2013. URL: http://www.nii.ac.jp/userdata/results/pr_data/NII_Today/59_en/all.pdf.

[TAR13] The Systems of Systems Engineering Strategic Research Agenda, on Smart Systems Integration (Version 2), August 2013. URL: https://www.tareasos.eu/docs/pb/SRA_Issue2.pdf.

[TCN00] Lothar Thiele, Samarjit Chakraborty, and Martin Naedele. Real-time calculus for scheduling hard real-time systems. In Proc. Intl. Symposium on Circuits and Systems, volume 4, pages 101–104, 2000.

[Thi10] Christian Thiel. Multiple Classifier Systems Incorporating Uncertainty. PhD thesis, University of Ulm, 2010.

[UKU+13] Akira Uchiyama, Etsuko Katsuda, Yuki Uejima, Hirozumi Yamaguchi, and Teruo Higashino. GPS Line-Of-Sight Fingerprinting for Enhancing Location Accuracy in Urban Areas. In 4th International Conference on Indoor Positioning and Indoor Navigation (IPIN 2013, Proceedings), pages 827–830, 2013.

[Web03] Andrew R. Webb. Statistical Pattern Recognition. John Wiley & Sons, Ltd, second edition, 2003.

[Wei00] Gerhard Weiss. Multiagent systems: a modern approach to distributed artificial intelligence. MIT press, 2000.

[WHYH13] Yusuke Wada, Takamasa Higuchi, Hirozumi Yamaguchi, and Teruo Higashino. Accurate Positioning of Mobile Phones in a Crowd using Laser Range Scanners. In IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob 2013, Proceedings), pages 430–435, 2013.

[Woo09] Michael Wooldridge. An introduction to multiagent systems. John Wiley & Sons, 2009.

[WS08] Anthony D. Wood and John A. Stankovic. Security of Distributed, Ubiquitous, and Embedded Computing Platforms. John Wiley & Sons, Inc., 2008.

[WTVL06] E. Wandeler, L. Thiele, M. Verhoef, and P. Lieverse. System Architecture Evaluation Using Modular Performance Analysis: A Case Study. STTT, 8(6):649–667, 2006.

[Yas13] Rutrell Yasin. In wake of earthquake, researchers envision a cyber-physical cloud. GCN, January 2013. URL: http://gcn.com/Articles/2013/01/16/Japan-earthquake-cyber-physical-cloud.aspx.
