Cyber-Virtual Systems: Simulation, Validation & Visualization

Jan Olaf Blech, Maria Spichkova, Ian Peake, Heinz SchmidtRMIT University

{janolaf.blech, maria.spichkova, ian.peake, heinz.schmidt}@rmit.edu.au

Keywords: Cyber-Physical Systems, Virtual Interoperability Testing, Simulation, System Modeling, Formal Specifica-tion, Visualization

Abstract: We describe our ongoing work and view on simulation, validation and visualization of cyber-physical systemsin industrial automation during development, operation and maintenance. System models may represent anexisting physical part – for example an existing robot installation – and a software simulated part – for examplea possible future extension. We call such systems cyber-virtual systems. In this paper, we present the existingVITELab infrastructure for visualization tasks in industrial automation. The new methodology for simulationand validation motivated in this paper integrates this infrastructure. We are targeting scenarios, where indus-trial sites which may be in remote locations are modeled and visualized from different sites anywhere in theworld. Complementing the visualization work, here, we are also concentrating on software modeling chal-lenges related to cyber-virtual systems and simulation, testing, validation and verification techniques for them.Software models of industrial sites require behavioural models of the components of the industrial sites suchas models for tools, robots, workpieces and other machinery as well as communication and sensor facilities.Furthermore, collaboration between sites is an important goal of our work.

1 INTRODUCTION

Operation, development, maintenance (includingmodifications and extensions) of industrial automa-tion facilities like factories or mining sites profit fromsoftware support such as software based monitoring,controlling and collaboration tools. This requiresvisualization capacities as well as software modelsof the physical entities involved and ways to rea-son about them. Industrial automation facilities typi-cally comprise machinery like robots and their com-ponents. Components may serve as actuators: tools,conveyor belts, work pieces or pipes, valves andpumps in cases were fluids or gases are processed.Sensors can be found throughout industrial automa-tion sites. The data gathered from the sensors may bestored in a central facility.

Hardware-in-the-loop (HIL) approaches(Schlager, 2008) are now standard in the devel-opment of system components in domains such asautomative systems, e.g., (Isermann et al., 1999),avionics and also in industrial automation. In HIL,parts of a system are simulated in software to testa distinct system component. In this paper, we aregoing one step further and aim at simulating differentparts of an industrial site. We do not restrict our ap-

proach to the development, but also aim at supportingoperation and maintenance of industrial automationfacilities. Furthermore, we aim at visualizing remotefacilities or parts of them. This is especially crucialwhen developing, operating or maintaining industrialsites located in areas that are difficult to access suchas mines and oil rigs and for collaboration betweendifferent sites and sharing knowledge between them.

In the case where components of a system aremanufactured at different places, transport from com-ponent development and production locations to in-tegration and deployment sites can significantly in-crease the whole development costs as well as time.Integration can reveal additional work tasks and fur-ther transportation of the system’s parts may be nec-essary. If a system’s components are bulky or heavy,this may also delay optimization and correction.

For this reason, we present an existing visualiza-tion infrastructure - the Virtual Interoperability TestLab (VITELab)1 a global laboratory connecting in-dustry and university sites and providing a collabo-

1VITELab is an eResearch facility of the Australia-India Research Centre for Automation Software Engineer-ing (AICAUSE), a partnership between RMIT Universityand the ABB Group (Australia and India), http://rmit.edu.au/research/aicause.

arX

iv:1

410.

1258

v1 [

cs.S

E]

6 O

ct 2

014

ration platform for experimental design and testing ofcyber-physical systems. Among its aims are to reducedevelopment costs by simulating and virtually testingpossible deployments before the system is actuallyphysically set up. We also present the correspondingnew and ongoing research directions towards combin-ing visualization and software support for reasoningabout industrial automation facilities. The ideas fea-tured in this paper comprise the following ingredients:

• The use of VITELab, in particular the Global Op-erations Visualization (GOV) Lab, a high resolu-tion multi-screen visualization facility.

• Software models for system components thatcomprise spatio-temporal information about acomponent’s behavior and ways to reason aboutthem, testing and simulation.

• The combination and integration of these for in-dustrial automation.

Our work is a step towards software solutions facili-tating global collaboration between developers, oper-ators and maintenance of industrial sites.

2 RELATED WORK

Modelling aspects Different languages exist forthe modeling of embedded and automation systems.Standards like IEC 61131-3 and IEC 61499 tar-get the software part of control systems and thusspecify the behavior of machinery. In the scien-tific community different modeling languages suchas the Petri-Net semantics based BIP (Basu et al.,2006) for distributed asynchronous systems and Mod-elica, providing means for modeling and simula-tion of systems have been established, cf. (Do-nath et al., 2008), (Fritzson, 2004), (Anderson andFritzson, 2013). Modelica is object-oriented andits latest extensions allow modelling of system re-quirements (Tundis et al., 2013) as well as simu-lation of technical and physical systems (Fritzson,2011). Modeling theories for distributed hybrid sys-tem such as SHIFT (Deshpande et al., 1997) and R-Charon (Kratz et al., 2006) guarantee a complete sim-ulation and compilation of the models, but do not sup-port verification or analysis of the system on the mod-eling level. Same limitations also apply to the inputlanguage of the model checkers UPPAAL (Behrmannet al., 2004) and PHAVer (Beek et al., 2006): the ver-ification capabilities do not match the whole expres-siveness of the modeling languages.

Assigning semantics to logical entities for catego-rizing and reasoning about them is a one goal of our

models for industrial automation facilities. The con-cept has been made popular in the context of the se-mantic web (Berners-Lee et al., 2001) and ontologies(Staab et al., 2001).

Spatial aspects The modeling of industrial au-tomation sites involves spatial aspects. For example,robots must ensure a behavior that guarantees col-lision avoidance and the correct handling of work-pieces. Systems that comprising thermal aspects likeheat exchangers need adequate models to cover theirbehavior. SpaceEx (Frehse et al., 2011) allows themodeling of continuos hybrid systems based on hy-brid automata. It can be used for computing over-approximations of the space occupied by objects. Aprocess algebra for 3D objects is provided in (Cardelliand Gardner, 2010). Results on spatial interpreta-tions are explained in (Hirschkoff et al., 2003). Aquantifier-free rational fragment of logic suitable fordescribing spatial scenarios has been shown to bedecidable in (Dal Zilio et al., 2004). Logics forspatio-temporal reasoning go back to the seventies.The Region Connection Calculus (RCC) (Bennettet al., 2002) includes spatial predicates of separation.RCC features predicates indicating that regions do notshare points at all, points on the boundary of regionsare shared, internal contact where one region is in-cluded and touches on the boundary of another fromthe inside, overlap of regions, and inclusion.

Cyber-physical aspects Many approaches onmechatronic/cyber-physical systems omit an abstractlogical level of the system representation and losethe advantages of the abstract representation. Thework presented in (Vogel-Heuser et al., 2011) de-fines an extensive support to the components com-munication and time requirements, while the modeldiscussed in (Hadlich et al., 2011) proposes a com-plete model of the processes with communication.In traditional development of embedded systems e.g.,(Berger, 2002), the system is usually separated intosoftware and hardware parts as soon as possible, atan early stage of the development process. This doesnot always benefit the development process, becausewhen using an abstract level of modeling the differ-ence in the nature of components does not necessar-ily play an important role. (Sapienza et al., 2012)and (Spichkova and Campetelli, 2012) independentlysuggest to use a platform-independent design in theearly stages of system development. The approachpresented in (Sapienza et al., 2012) introduces theidea of pushing hardware- and software-dependentdesign as late as possible, however, the question of thecurrent practical and fundamental limitations of log-ical modeling in comparison to cyber-physical test-ing, is not completely answered. In comparison to

(Sapienza et al., 2012), the focus of (Spichkova andCampetelli, 2012) is on reutilisation and generalisa-tion of two existing software systems developmentmethodologies (both elaborated according to the re-sults of the case studies motivated and supported byDENSO Corporation and Robert Bosch GmbH) forapplication within the cyber-physical domain to bene-fit from the advantages these techniques have shown.The question, how deep we can go on the modelingof cyber-physical systems on the logical level is stillopen in both approaches. The goals presented hereare also related to hybrid commissioning (Dominkaet al., 2007).

Early analysis aspects The idea of early analy-sis of critical system faults has the goal to identifyfaults which mutate the safety critical behaviour ofthe system, and to identify test scenarios which canexpose such faults from an abstract modeling level,i.e. by generation of tests (both for real system and itsmodel) from formal specifications or from the CASEtool models (cf., e.g., (Hazra et al., 2013; Broy et al.,2005; Pretschner and Philipps, 2005)). The approachhas certain limitations due the abstract nature of theformal model serving as a base for the test generationas well as an underlying assumption of existence of aprecise formal model of the system being developed.Even when taking into account these limitations andassumptions, these approaches allow automatizationof test case design and make the design process morestringent. VITELab and the described research com-plements commercially available visualization soft-ware for collaboration purposes in industrial automa-tion such as DELMIA2. The approach described here,is building on (semi-)formal models which carry se-mantic meaning and are suitable for automatic inter-pretation and processing, whereas the DELMIA focusis even more on visualization.

3 FROM CYBER-PHYSICAL TOCYBER-VIRTUAL SYSTEMS

Let us discuss an example scenario based on theideas of the virtual interoperation testing. In an indus-trial plant we require the integration/interoperabilityof n+1 bulky/heavy robots (cf. Figure 1): a robot ofthe type AType (lets call it robot A) is assembled inlocation LA, the n other robots are of a different typeBType and are assembled in a different location lo-cation LB. The robots are in different locations andmaking them work together in a different shared de-

2http://www.3ds.com/products-services/delmia/products/all-delmia-products/

so#ware  simula-on  real  world  loca-on  1  

real  world  loca-on  2  

...  

robot  A   robot  B  

model  B1  

model  Bn  

replica-on  of  actuator  informa-on  

composi-on  of  simulated  sensor  informa-on  

cyber-­‐virtual  interac-on  

Figure 1: Cyber-virtual communication

ployment location requires extensive simulation, test-ing and collaboration.

Assuming in addition that the n robots of typeBType perform simultaneously similar movementsand actions (e.g., they stamp similar details on work-pieces on a conveyor belt and are doing the samemovements, even in the case their stamps are differ-ent), we can simulate their behaviour using a singlerobot B: its actuator information will be replicatedto obtain n virtual models B1, . . . ,Bn, and its sensorinformation will be extended by the composition ofthe modeled sensor information from B1, . . . ,Bn. Thesensor information of the robot A will be a composi-tion of the real sensor data and the sensor data mod-eled according to the actions of B1, . . . ,Bn.

Thus, to check the interoperability of the robot Aand n robots of the type BType on the level of virtualinteroperability testing, we need only two real robots:a robot A and a robot B. Moreover, they could be lo-cated in LA and LB respectively, because the simulatorand visualization facility may take the role of a physi-cal medium between them, allowing to ignore the realdistance between robots and also allowing to have avisualisation of the test and simulation not only at LAand LB, but also on the third place LC, where the cor-responding laboratory is located.

General ideas for using the virtual interoperabil-ity test lab (VITELab) for the use of remote cyber-physical integration/interoperability testing in a vir-tual environment as a middle step between an ab-stract modelling and real testing were presented in(Spichkova et al., 2013a). Figure 2 shows the VITE-Lab facility in operation, viewed from the GOV Lab.VITELab gives a platform for a new level of simula-tion and integration: interoperability simulation andtesting is performed early and remotely, for exam-ple while cyber-physical components are in the pro-

Figure 2: VITElab in operation

totyping stage i.e. on the workbench: individual com-ponents (e.g., robots, manufacturing cells), are con-nected in a suitable virtual environment, without be-ing deployed at the same place physically. Successfultesting and simulation could significantly reduce thewell-documented costs arising from discovery of de-sign faults after implementation.

Research connected to VITElab is influenced bylarger cooperations in the industrial automation do-main. Remote integration and testing allows for anintegration and testing phase of a real system assum-ing a certain level of abstraction where the network,the virtual environment and the remote embodimentsmay be abstractions themselves. This level of abstrac-tion includes real physical components of the system(in the case of the VITElab project, e.g., real robotsand production plants) and more characteristics of thenetwork, environment and embodiments. Our modelsand their visualization can give us the possibility toidentify (i) a number of problems and inconsistencieson the early stage of system development and verifyespecially important system’s properties before thereal system is build and integrated, and (ii) possibleweak points in the system (such as some timing prop-erties, feature interactions, component dependancies)which we should focus on, during the testing phase.

4 RESEARCH CHALLENGESAND CORRESPONDINGPROJECTS

This section presents research challenges con-nected to cyber-virtual systems, VITELab, simulationand validation in more detail.

Main directions for research We have identifiedthe following research challenges in our scenario:

• Simulation and the visualization of simulationruns.

• Testing, verification and validation of cyber-virtual scenarios.

• Gaining expertise and knowledge from joint workusing visualization and simulation.

• Sharing and making expertise and knowledgeavailable for similar development projects and forrelated operation and maintenance tasks in relatedfacilities.

Software Models for Industrial Plants In ourwork, we propose two ingredients related to softwaremodels for addressing these challenges:

• (Semi-)formal descriptions based on humanfactors approaches to achieve better readabil-ity/usability and understandability.

• Spatial behavioral models that capture the charac-teristics of entities and components in industrialautomation. We are interested in establishing atype system for these components.

Existing VITELab projects The research chal-lenges identified in the context of VITELab fall intothe network, cloud and distributed computing areas,and are covered by the following ongoing projects:

• Network connectivity between sites with special-ist equipment is supported by dedicated links andresearch software stacks.

• The Cyber-physical Simulation Rack (CSRack),is a multi-node cloud server rack with attachedRAID storage provides parallel cloud computingcapability to support modeling and simulation andthe capability to act as a ’cloudlet’ gateway to ma-jor national and international cloud facilities suchas NeCTAR3.

• The Global Operations Visualization (GOV) Labproject, provides videoconference and streamingcapability to remote sites combined with a largehigh resolution tiled display wall.

• The Advanced Manufacturing Robot Interopera-tion Test (AMRIT) lab provides industrial robotsconnected to the GOV lab. The robots com-prise arms, sensors and cameras as “eyes on therobots”.

Further research challenges exist in the connectionof software based development tools for industrialautomation systems to the described infrastructure.

3National eResearch Collaboration Tools and ResourcesProject, https://www.nectar.org.au

R1

sensors

actuators

R2

sensors

actuators

physicalworld

+

software simulation

Figure 3: Robot in the loop

Such tools may need to undergo a redesign of thesoftware architecture to enable this, cf. (Peake et al.,2013).

5 From (Semi-)Formal Methods toVisualization & Validation

A starting point for our work is a HIL approachand is depicted in Figure 3. Here, the interplay ofa physical robot with a virtual simulated robot isshown. The actions of the physical robot to the en-vironment are observed passed to the robot simula-tion and reacting actions are calculated. These actionsare (by)passed to the sensors of the physical robot tosimulate the interplay. The interplay can be analyzedboth by software tools as well as human inspection.The human based analysis profits from visualisationcapabilities for the display of the simulated robot andthe monitoring of the physical counterpart.

Human Factors and Formal Models To enablesimulations we need (semi-)formal descriptions ofrobot behavior, which should not only fit for thesimulation purposes but also be readable for sys-tem/verification engineers. In our approach we followthe ideas based on human factor analysis within for-mal methods (Spichkova, 2013a; Spichkova, 2012).This allows to have short and readable specificationsof component behavior. It is appropriate for switchingbetween different modeling, specification and pro-gramming languages and is suitable for the applica-tion of specification, reasoning and proof methodol-ogy (Spichkova et al., 2013b; Spichkova, 2007).

Formal Proofs and Verification In the case of for-mal proofs, one of the main points of this method-ology is an alignment of the future proofs duringthe specification phase to make the proofs simplerand appropriate for application in practice. One di-

rection for reasoning about a system represented ina formal specification framework, is the verificationof its properties by translating the specification to aHigher-Order Logic and subsequently using the theo-rem prover following (Spichkova, 2013b).

Spatial Behavioral Types Our (semi-)formal mod-els comprise spatial behavioural. This can be assignedto both physical and virtual simulated robots, theircomponents and other entities interacting with themas shown in Figure 4. Following the ideas presentedin (Blech et al., 2012) these spatial behavioural mod-els can serve as a type system similar to types systemsin higher programming languages like C and Javawhich come with basic types like integers, Stringsand floating point values as well as composed typeslike records or classes. Here, we regard (spatial) Be-havioural Types (BT). BT act as types for virtual orphysical entities in our automation scenarios. Theyare characterised by the following core concepts:

• Abstraction. BT represent aspects of robots, robotcomponents and other entities in industrial au-tomation. BT abstract from details concerning in-teractions and internal structure.

• Conformance. Type conformance of BT is used torelate entities in industrial automation correctly toa BT.

• Refinement. BT should comprise a notion ofspatio-behavioral refinement that allows replac-ing a component by a refined one. For example,the concept of refinement shall allow replacing arobot by a newer version that essentially providesthe same functionality plus some new features.

• Compatibility. Compatibility checking of BT isused to decide whether a component does indeedmatch required needs based on provided and ex-pected BT. It should be decidable and automatic.

• Inference. A BT framework should allow to infercomposed BT. For example, the BT of a robot maybe inferred from the BT of its components.

Spatial Behavioural Types for Simulation and Val-idation BT can serve as a specification basis forthe components of robots and the robots composedof them. BT can be used to build models of industrialautomation facilities. Using BT based specifications,we can perform:

• Simulation and visualization for human inspec-tion and collaboration between developers, opera-tors and maintenance personnel.

• Automatic spatio-temporal reasoning for collisiondetection of robots and other entities.

R1 R2 R3 R4 R5

existing robot existing robot existing robotsimulated robot simulated robot

BT BT BT BT BT

BT

compositionanalysis

simulationverificationvalidation

conveyor belt

visualization

visualization

Figure 4: Combining virtual and physical robots with BT

• Checking automatically the required sensorranges and regions affected by physical entities.

• Guaranteeing correct interplay of tools and work-pieces in time and space.

• Simulating the replacement of an entity such as arobot arm by another (refined) version.

• Documenting behavior of system installations andsharing this for collaboration.

The BT concept is following the idea of interface au-tomata (de Alfaro and Henzinger, 2001). It has beenproposed as a type system for OSGi systems in thepast (Blech et al., 2012). Theorem prover exportand interactive verification of properties were stud-ied in (Blech and Schatz, 2012) and may be an issuefor future work together with human-factor analysis.Checking compatibility and means to make behav-ioral system descriptions compatible were examinedin (Blech, 2013). For checking the spatio-temporalproperties in our scenarios we incorporate the Be-SpaceD (Blech and Schmidt, 2013) tool. Checksin BeSpaceD are done by converting spatio-temporalmodels or BT and required properties into SMT andSAT problems and applying suitable solving tech-niques such as the z3 SMT solver (De Moura andBjørner, 2008).

6 CONCLUSIONS

The presented research is ongoing work and partof larger cooperations with an industrial automationcompany. In this paper, we presented an overviewon the existing VITELab infrastructure facilitating re-mote collaboration by large screen/multi screen vi-sualization. The aim of this infrastructure is to re-duce the development costs by simulating and virtu-

ally testing possible deployments before the system isactually physically set up. We have highlighted con-nected research questions, as well as explained theVITELab applications in operating, developing andmaintaining industrial automation facilities. The con-nection to spatial behavioral models and a related typesystem for the simulation of industrial automation fa-cilities and the connection to visualization capacitieswas presented in more detail.

Acknowledgements We would like to thank stafffrom RMIT ITS, PropertyServices, eResearch and theVITELab team, in particular Lasith Fernando, RaviSreenivasamurthy and Garry Keltie.

REFERENCES

Anderson, A. and Fritzson, P. (2013). Models forDistributed Real-Time Simulation in a Vehicle Co-Simulator Setup. In Nilsson, H., editor, Proceed-ings of the 5th International Workshop on Equation-Based Object-Oriented Modeling Languages andTools. Linkoping University Electronic Press.

Basu, A., Bozga, M., and Sifakis, J. (2006). Modelingheterogeneous real-time components in bip. In 4thIEEE International Conference on Software Engineer-ing and Formal Methods (SEFM), pages 3–12. IEEE.

Beek, D. A. V., Man, K. L., Reniers, M. A., Rooda, J. E.,and Schiffelers, R. R. H. (2006). Syntax and consis-tent equation semantics of hybrid Chi. In Journal ofLogic and Algebraic Programming, pages 129–210.

Behrmann, G., David, A., and Larsen, K. (2004). A Tutorialon Uppaal. In Bernardo, M. and Corradini, F., editors,Formal Methods for the Design of Real-Time Systems,volume 3185 of LNCS, pages 200–236. Springer.

Bennett, B., Cohn, A. G., Wolter, F., and Zakharyaschev, M.(2002). Multi-dimensional modal logic as a frame-work for spatio-temporal reasoning. Applied Intelli-gence, 17(3):239–251.

Berger, A. (2002). Embedded Systems Design: An Intro-duction to Processes, Tools, and Techniques. CMPBooks.

Berners-Lee, T., Hendler, J., Lassila, O., et al. (2001). Thesemantic web. Scientific american, 284(5):28–37.

Blech, J. O. (2013). Towards a framework for behavioralspecifications of osgi components. In 11th Interna-tional Workshop on Formal Engineering approachesto Software Components and Architectures (FESCA),pages 79–93.

Blech, J. O., Falcone, Y., Rueß, H., and Schatz, B. (2012).Behavioral specification based runtime monitors forosgi services. In Leveraging Applications of For-mal Methods, Verification and Validation. Technolo-gies for Mastering Change, pages 405–419. SpringerBerlin Heidelberg.

Blech, J. O. and Schatz, B. (2012). Towards a formal foun-dation of behavioral types for uml state-machines.

ACM SIGSOFT Software Engineering Notes, 37(4):1–8.

Blech, J. O. and Schmidt, H. (2013). Towards modelingand checking the spatial and interaction behavior ofwidely distributed systems. In Improving Systems andSoftware Engineering Conference.

Broy, M., Jonsson, B., Katoen, J.-P., Leucker, M., andPretschner, A. (2005). Model-Based Testing of Re-active Systems: Advanced Lectures (LNCS). Springer.

Cardelli, L. and Gardner, P. (2010). Processes in space. InPrograms, Proofs, Processes, pages 78–87. Springer.

Dal Zilio, S., Lugiez, D., and Meyssonnier, C. (2004). Alogic you can count on. In ACM SIGPLAN Notices,volume 39, pages 135–146. ACM.

de Alfaro, L. and Henzinger, T. A. (2001). Interface au-tomata. SIGSOFT Softw. Eng. Notes, 26(5):109–120.

De Moura, L. and Bjørner, N. (2008). Z3: An efficient smtsolver. In Tools and Algorithms for the Constructionand Analysis of Systems, pages 337–340. Springer.

Deshpande, A., Gll, A., Gollu, A., and Varaiya, P. (1997).Shift: A Formalism and a Programming Language forDynamic Networks of Hybrid Automata.

Dominka, S., Schiller, F., and Kain, S. (2007). Hybridcommissioningfrom hardware-in-the-loop simulationto real production plants. In Proceedings of the 18thIASTED International Conference on Modeling andSimulation (MS’07), pages 544–549.

Donath, U., Haufe, J., Blochwitz, T., and Neidhold, T.(2008). A new Approach for Modeling and Verifica-tion of Discrete Control Components within a Model-ica Environment.

Frehse, G., Le Guernic, C., Donze, A., Cotton, S., Ray,R., Lebeltel, O., Ripado, R., Girard, A., Dang, T.,and Maler, O. (2011). Spaceex: Scalable verificationof hybrid systems. In Computer Aided Verification,pages 379–395. Springer.

Fritzson, P. (2004). Principles of Object-Oriented Model-ing and Simulation with Modelica 2.1. Wiley-IEEEComputer Society Press.

Fritzson, P. (2011). Introduction to Modeling and Simula-tion of Technical and Physical Systems with Modelica.Wiley-IEEE Computer Society Press.

Hadlich, T., Diedrich, C., Eckert, K., Frank, T., Fay, A.,and Vogel-Heuser, B. (2011). Common communi-cation model for distributed automation systems. In9th IEEE International Conference on Industrial In-formatics, IEEE INDIN.

Hazra, A., Ghosh, P., Vadlamudi, S. G., Chakrabarti, P. P.,and Dasgupta, P. (2013). Formal methods for earlyanalysis of functional reliability in component-basedembedded applications. Embedded Systems Letters,5(1):8–11.

Hirschkoff, D., Lozes, E., and Sangiorgi, D. (2003). Mini-mality results for the spatial logics. In FST TCS 2003:Foundations of Software Technology and TheoreticalComputer Science, pages 252–264. Springer.

Isermann, R., Schaffnit, J., and Sinsel, S. (1999). Hardware-in-the-loop simulation for the design and testing ofengine-control systems. Control Engineering Prac-tice, 7(5):643–653.

Kratz, F., Sokolsky, O., Pappas, G. J., and Lee, I. (2006).R-Charon, a Modeling Language for ReconfigurableHybrid Systems. In Hybrid Systems: Computationand Control (HSCC), pages 392–406.

Peake, I., Blech, J. O., and Fernando, L. (2013). Towards re-constructing architectural models of software tools byruntime analysis. In 3rd International Workshop onExperiences and Empirical Studies in Software Mod-elling.

Pretschner, A. and Philipps, J. (2005). Methodological Is-sues in Model-Based Testing. Model-Based Testing ofReactive Systems, pages 181–291.

Sapienza, G., Crnkovic, I., and Seceleanu, T. (2012). To-wards a methodology for hardware and software de-sign separation in embedded systems. In Proc. of theSeventh International Conference on Software Engi-neering Advances (ICSEA), pages 557–562. IARIA.

Schlager, M. (2008). Hardware-in-the-loop simulation.Spichkova, M. (2007). Specification and Seamless Verifica-

tion of Embedded Real-Time Systems: FOCUS on Is-abelle. PhD thesis, Technische Universitat Munchen.

Spichkova, M. (2012). Human Factors of Formal Methods.In Proc. of IADIS Interfaces and Human ComputerInteraction. IHCI 2012.

Spichkova, M. (2013a). Design of formal languages andinterfaces: “formal” does not mean “unreadable”. InBlashki, K. and Isaias, P., editors, Emerging Researchand Trends in Interactivity and the Human-ComputerInterface. IGI Global.

Spichkova, M. (2013b). Stream Processing Compo-nents: Isabelle/HOL Formalisation and Case Studies.Archive of Formal Proofs.

Spichkova, M. and Campetelli, A. (2012). Towards sys-tem development methodologies: From software tocyber-physical domain. In First International Work-shop on Formal Techniques for Safety-Critical Sys-tems (FTSCS’12).

Spichkova, M., Schmidt, H., and Peake, I. (2013a). Fromabstract modelling to remote cyber-physical integra-tion/interoperability testing. In Improving Systemsand Software Engineering Conference.

Spichkova, M., Zhu, X., and Mou, D. (2013b). Do we reallyneed to write documentation for a system? In Interna-tional Conference on Model-Driven Engineering andSoftware Development (MODELSWARD’13).

Staab, S., Studer, R., Schnurr, H.-P., and Sure, Y. (2001).Knowledge processes and ontologies. Intelligent Sys-tems, IEEE, 16(1):26–34.

Tundis, A., Rogovchenko-Buffoni, L., Fritzson, P., andGarro, A. (2013). Modeling System Requirementsin Modelica: Definition and Comparison of Candi-date Approaches. In Nilsson, H., editor, Proceed-ings of the 5th International Workshop on Equation-Based Object-Oriented Modeling Languages andTools. Linkoping University Electronic Press.

Vogel-Heuser, B., S., F., Werner, T., and Diedrich, C.(2011). Modeling network architecture and timebehavior of distributed control systems in industrialplant. In 37th Annual Conference of the IEEE Indus-trial Electronics Society, IECON.