oatao.univ-toulouse.fr · keywords fmi, aadl, cyber-physical systems, co-simulation , virtual...
TRANSCRIPT
�
�������������������������� �������������������������������������������������������
�������������������������������������
���������������������������������������������
������ �� ��� ���� ����� ��������� ����� �������� ���� ��� � ��� ���� ��������
���������������� �������������������������������������������������
�������������������������������������������������
����������������� ��
�
�
�
�
������������ ���
an author's https://oatao.univ-toulouse.fr/20730
https://www.erts2018.org/authors_detail_inverted_Gauthier%20Jean-Marie.html
Gauthier, Jean-Marie and Hugues, Jérôme and Faudou, Raphaël Integrating AADL and FMI to Extend Virtual
Integration Capability. (2018) In: 9th European Congress Embedded Real Time Software and Systems (ERTSS), 31
January 2018 - 2 February 2018 (Toulouse, France
IntegratingAADLandFMItoExtendVirtualIntegrationCapability
JérômeHugues1,Jean-MarieGauthier2,RaphaëlFaudou2
(1ISAE-Supaero,2Samares-Engineering)
Keywords FMI,AADL,Cyber-PhysicalSystems,Co-Simulation,Virtualcomponents
Abstract VirtualIntegrationCapabilityisparamounttoperformearlyvalidationofCyberPhysicalSystems.Theobjectiveistoguidethesystemsengineersoastoensurethatthesystemunderdesignmeetsmultiple criteria throughhigh-fidelity simulation. In thispaper,wepresent an integration scheme that leverages the FMI (Functional Mock-Up interface)standardandtheAADLarchitecturedescriptionlanguage.Theircombinationallowsforvalidation of systems combining embedded platform captured by the AADL, and FMIcomponents that represent physical elements, either mechanical parts, or theenvironment.Wepresentoneapproach,anddemonstratorcasestudies.
1. Introduction
Virtualintegrationcapability`isparamounttoperformearlyvalidationofCyberPhysicalSystems.Theobjective is toguide thesystemsengineer soas toensure that thesystemunderdesignmeetsmultiplecriteriathroughhigh-fidelitysimulation.Thegeneralapproachistoleveragemodelsasprimaryartefactstocaptureallfacetsofasystem,andtoolsupportstoanalyzeandsimulatethesystem.
Earlystudy[23]demonstratedtheimportanceofArchitectureDescriptionLanguagetocapturemanyfacets of a system, for the embedded perspective, supportingmultiple kind of analysis such as timingperformance,orsafetyanalysis.OtherstandardslikeFMI[1]didthesameforthemechanicalandcontrolsphere, supporting co-simulation of high-level mechanical models (e.g. built on Modelica) or controlcommandmodelsbuiltaroundSimulinkorSCADE.FMIhasbeendefinedwithprimaryobjectivetosupportsystem-levelsimulations,withastrongemphasisonearlyvalidationofsystemsmadeofseparatedmodels.
A remaining challenge is to combine both spheres. As a matter of fact, architecture descriptionlanguages capture the organizational structure of the system to be designed, and the exchange ofinformation,physicsisabstractedthroughdevices(sensorsandcaptors)thatinteractwiththeenvironmentandmechanicalparts.Thesemodelscapturetheirbehaviorasasetofmodelelementsthatultimatelyleadto equations. FMI allows one to build reusable components from thesemodels, but do not address theconstructionofsimulationitself.Thisruptureinabstractionmakesitdifficulttobuildintegratedsimulation,andmotivatesourcontribution.
Consideringanarchitecturaldescriptionmodelofanembeddedsystemasaprimaryartifact,wewanttostreamlinetheconstructionofavirtualintegrationtestbenchthatwouldintegrateexternalmodelsasenvironment stimulus, hence allowing through tests of the embedded (or cyber)part.Our contributionbuildsontheAADLarchitecturedescriptionlanguage,andtheFMIstandard.Ourmaincontributioninthispaperconcernsamodel-basedapproachtointegrateFMIblocksandAADLsoastoleverageexistingcodegenerationstrategyandbuildeithermodel-in-the-looporhardware-in-the-loopsimulations.
Thepaperisorganizedasfollows:insection2,wereviewthemaintechnologicalelementsused:AADLandFMI.Insection3,wereportonexistingFMI-basedintegrationworkflows.Insection4weproposeanAADL-basedworkflowthatleadstothegenerationofsimulations.Section5isacasestudythatillustratestheapproach.Section6proposesfutureworkdirections.
2. Standardsinusea. AADL,ArchitectureAnalysisandDesignLanguage
The “Architecture Analysis and Design Language” (AADL) (Feiler & Gluch, 2012) is both a textual andgraphical languageformodel-basedengineeringofembeddedreal-timesystems.AADLisusedtodesignandanalyzesoftwareandhardwarearchitecturesofembeddedreal-timesystems.
TheAADLpurposeistomodelhardwarecomponents(memory,bus,processor,device,virtualprocessor,virtualbus)andtheirassociatedembeddedsoftware(data,thread,threadgroup,subprogram,process).Itfocusesonthedefinitionofclearblockinterfaces,andseparatestheimplementationsfromtheseinterfaces.Fromtheseparatedescriptionoftheseblocks,onecanbuildanassemblyofblocksthatrepresentthefullsystem. The AADL defines the notion of properties. Theymodel non-functional properties that can beattached to model elements (components, connections, features, instances, etc.). Properties are typedattributesthatspecifyconstraintsorcharacteristicsthatapplytotheelementsofthearchitecturesuchasclock frequencyof a processor, execution timeof a thread, bandwidth of a bus.As defined,AADL is anArchitecture Description Language. Without loss of generality, similar notation such as EAST-ADL orUML/MARTEwouldprovidethesamepowerofexpression.
AADLhasarichecosystemtomodel,analyzeandgeneratecodefrommodels,suchasOcarina(Hugues,Zalila,Pautet,&Kordon,2008).ThelateraspectisinterestingtoeasethetransitionofAADLmodels’tasks,andcommunicationsemanticstoanimplementationontopofaregularReal-TimeOperatingSystems.Wedetailthispartinthenextsection.
Letusnotethatinsuchmodels,thetimeintervalisgivenbytheCPUclockrate(orsimulatedbyascheduler):AADLmodelsarediscretebynatureandfitinthecyberpartofcyber-physicalsystems.
b. FMI,theFunctionalMock-UpInterface
FMI [1], the Functional Mock-Up Interface, is a standard for the simulation of systems, combiningheterogeneousmodels.The initial revisionofFMImostly focusedonmodels relevant formulti-physicalaspectsofautomotivesystems.Sincethen,ithasbeenwidelyadoptedinseveralsettings,especiallyforthemodellingandsimulationofCyber-PhysicalSystems,e.g.aspartofthePtolemyprojectatUCBerkeley[2].FMIisalreadysupportedbyanincreasingnumberoftoolsusedinseveraldomains,e.g.Modelica1tools,Simulink2 or SCADE Suite3. Through this standard, system designers may mix and co-simulateheterogeneousmodelsbuiltbyexpertstobetterunderstandhowasystemmaybeintegrated.
FMI,definesaninterfacetobeimplementedasacomponentcalledFMU(FunctionalMock-upUnit).TheFMIfunctionsareused(called)byasimulationenvironmenttocreateoneormoreinstancesoftheFMUandtosimulatethem,typicallytogetherwithothermodels.AnFMUmayeitherembedsitsownsolver(FMIforCo-Simulation)orrequiresthesimulationenvironmenttoperformnumericalintegration(FMIforModelExchange).Forbothapproaches,eachmodelisexportedinazipfile,calledFMU,whichcontainsabinaryfile of the model and an XML file (namedmodeldescription.xml) which describes the model contents,properties,andinterfaces(itsassociatedmodelvariables).
Inthispaper,weonlyfocusonFMI2.0forCo-Simulation,asweareinterestedincombiningself-containedsimulableblocksandtheirintegrationinasystemlevelsimulation.
c. FMIforCo-Simulation
TheFMIStandardforCo-simulationisintendedtoprovideaninterfacestandardforcouplingtwoormoresimulationtoolsinaco-simulationenvironment.Co-simulationisatechniqueusedforthesimulationofcoupledmodels.
1https://www.modelica.org/[lastvisited30/05/2017]2https://fr.mathworks.com/products/simulink.html[lastvisited31/05/2017]3http://www.esterel-technologies.com/products/scade-suite/[lastvisited31/05/2017]
Acoupledmodel,isamodelthatdescribesasystemasanetworkof(logicallyorphysically)coupled(orconnected)components[5,6].Inthecoupledmodelformalism,theconnectionsbetweensubsystemsarerepresentedwithconnectors,ormathematicalequalities.Formally,acoupledmodelmayberepresentedasagraphstructure.Fornon-causalandcontinuousmodels,thegraphisundirected.Forcausalmodels,thegraph is directed. A coupledmodel is valid if connected ports are compatible regarding their type andcausalities[7].Thedataexchangebetweensubsystemsisdoneatdiscretecommunicationpoints(calledtci).Intheintervalbetweentwocommunicationpoints,thesubsystemsaresolvedindependentlybytheirrespective solvers. Master algorithms control exchanges of data between the subsystems and thesynchronizationbetweenslaves.
TheFigure1depictsanFMUrepresentedbyablock,withinternalstatevariablesx(t),connectedtoothersubsystemsofthecoupledproblembyinputsu(t)andoutputsy(t)[8].
Figure1:DataflowbetweentheenvironmentandanFMUforCS[1]
Therearetwopossibilitiesforprovidingslavesubsystemsforco-simulation:
• subsystemswiththeirspecificsolver,theycanbesimulatedinstand-alonemode(see• •
• Figure2),• subsystemswiththesimulationtoolsinwhichtheyhavebeendeveloped(seeFigure2).
Figure2:FMU(CS)integrationinstand-alone,andwithtoolcoupling[1]
TheFMI2.0specificationdefinesthelifecycle(differentnoticeablestates)ofanFMUasbelow.Amasteralgorithmservesseveralpurposes:toinstantiate,toinitialize,toexecuteandtosynchronizeFMUs[9].AninstantiatedFMUsiscalledaslave.MasteralgorithmssynchronizeFMUsbycontrollingthedatathatareexchanged between FMUs at specific synchronization points called communication steps. Thecommunicationstepsizesaredefinedashci=tci+1–tci,wheretciarecommunicationpoints.
Forco-simulationtwobasicgroupsoffunctionsshouldberealized:
1. functionsforthedataexchangebetweensubsystems,2. functionsforalgorithmicissuestosynchronizethesimulationofallsubsystemsandtoproceedin
communicationstepstci→tci+1frominitialtimetc0=tstarttoendtimetcN=tstop.
Figure3:State-machineofFMICo-Simulation[1]
d. CombiningADLandFMI–benefitsandchallenges
AnADLmodelcapturestheorganizationalstructureofthesystem,alongwithexecutableblocksthatrepresentsitsinnerstructure.Itsisfullyconfiguredsoastofaithfullyrepresentitsbehaviorintermsoftimingandcommunication.Severalstudiesexploredthecapabilitytoperformmodelcheckingoranalysisofsuchmodel.Yet,ausuallimitisthedifficultytocaptureamodeloftheenvironmentthatwouldactasastimulusfortheverificationpart.
FMIhasbeendesigntosupportsystemsimulation.Weclaimitcanalsobeusedalsoforverificationofreal-timeembeddedsystems,bycombiningamockoftheenvironmentasaFMUandthesystemundertest.Inthispaper,weillustrateourapproachtoaddressthispartusingAADL.
CombiningAADLandFMIwouldequipsystemarchitectswithatooltoprepareinadvanceintegrationphasesthroughavirtualtestbench.Indeed,thiswouldmakeeasiertheearlyvalidationofAADLmodels:thestimulusprovidedbyFMUs(thatrepresentthephysicalenvironment)couldbeconsideredastestcasesforAADLmodels.UsingFMUwouldalsogiveaccesstomodelswithhigh-leveloffidelity,withconnectionstootherengineeringmodelsbeyondanaïvemodelofaplant.
However,thiscombinationofdiscrete-timeexecutionsemanticsforthecyberpart(AADL)withsystemsdynamics (FMI,multi-physics simulation) isnot aneasy task. Suchhybridmodels raise issues regarding timemanagement in co-simulation, typical issues concern the time step used to synchronize elements, or
intermediateextrapolationsperformedbyeachmodelwhennoinputsareexchanged.[24]providesathroughreviewofthesetopicsinthegeneralcase.
Inthefollowing,wereviewexistingworkpriortoproposeanintegratedworkflowinsection4.
3. RelatedWork
FMIwasfirstdesignedtoco-simulatephysicalandhybridsystems(continuousanddiscrete)specifiedusingDAEs(DifferentialandAlgebraicEquations)anddiscreteevents.Inthispaper,wefocusontheuseofFMIinthecontextofcriticalembeddedsoftwaredesignwithAADL.WeplanalsoonleveragingexistingcodegenerationfromAADLthattargetsReal-TimeOperatingSystems(RTOS).
In the following, we present related work that a) integrate FMI with modelling language, b) thatcombineFMIwithRTOScode,andc)thatuseFMIforhybridsystemsco-simulation.
a. IntegratingFMIwithhigh-levelmodellinglanguage
TheintegrationofFMIwithmodellinglanguagesuchasUMLorSysMLisanaddressedchallenge.In[10],the authors proposed a co-simulation environment that combines the execution of UMLmodels (withfUML4) andFMIwithin theMokaPapyrusplugin. Thiswork the co-simulationof hybrid systems, e.g. acontrollermodelledasanactivitydiagram(discrete),anditsenvironmentasphysicalandcontinuousFMUs.Feldmanetal.[11]proposedtoexportRhapsodySysMLblocksintoFMUs,withalimitationonflowportsandattributes(thebehaviorofSysMLblock,e.g.state-machinesoractivities,isnotsupportedfornow).
Combining EAST-ADL and FMI has also been investigated during theMAENADproject [12]. Theworkresulted in FMI 1.0 import capability within EAST-ADLmodel usingmodel transformation technology.However,thisworkfocusedonthesemanticmappingbetweenEAST-ADLandFMI,thanonco-simulationissuesandexecution.LetusnotecurrentFMItechnologylacksmeanstobuildsimulationassemblies.ThestandardSystemStructureandParameterization(SSP)[13]willcomplementFMIonthisparticulartopic.
AsourworkconcentratesatalowerlevelofCPSdesign,i.e.embeddedsoftwaremodellingandsimulationusingAADL,weproposetocompletetheserelatedworksatthelowerleft-sideoftheV-cyclewithRTOSvalidationcapabilitiesusingFMI.
b. CombiningFMIwithRTOScode
In[14],theauthorsproposetoadaptembeddedsoftwaretocomplywithFMIforco-simulation.Moreprecisely,theauthorsproposetoadvancetheclockoftheRTOS,byoverwritingtheidlethreadandwaitingfor a signal to start execution. Pohlmann et al. [15], proposed to generate FMUs from UML softwarespecification,wheretheclockisspecifiedinaDSLnamedMechatronicUML.ThisclockisusedtomeasureexecutiontimeandtospecifyReal-Timepropertieswithintimedstate-machines.
Onthecontrary,weaimatvalidatingasystemfromitsADLmodel.Hence,weproposetosimulatethebehavioroftheembeddedprocessor,whichexecutesthetargetcode.Hence,onecanperformco-simulationofCPS,closesttotheactualimplementationwithouttheneedofspecifichardware(betweenSoftware-IntheLoopandHardwareintheLoop),oronthefinaltarget.Thisisleftasalate-bindingdescision.
c. FMIforhybridco-simulation
Co-simulating discrete (software) and continuous models (physical), raises several issues that weencounteredduringourstudyandexperiments.Indeed,mixingcontinuousanddiscretebehaviorinaco-simulationframeworkisnotwellhandledbyFMI.TherepresentationoftimeanditsmanagementarethekeyissuesofFMIbasedco-simulationapproaches.InCremonaetal.[16],theauthorsidentifiedextensions
4http://www.omg.org/spec/FUML/1.2.1/[lastvisited02/06/2017]
toFMIforsupportinghybridco-simulation:useintegertimeinsteadoffloatingpointtimerepresentation,automaticchoiceoftimeresolution,useof“super-dense”time,andtheuseofabsentsignal.Theproposedsolution of [16] satisfies all the requirements for hybrid co-simulation stated in [17]. Unfortunately, itimposesstrongconstraintsontheusability:theseextensionsarenotbackward-compatiblewithexistingFMI2.0FMUs..
Finally,usingthedependencygraphasanassettogetmoreprecisehybridco-simulationresultsisanissueinvestigatedinseveralworks,especiallyin[18],whoseauthorsproposetogeneratemasteralgorithmbasedon thedependencygraph (withandwithout loop)andon thestep-sizeofeachFMU(multi-clockmanagement).Wearealso interested in therecentresultsofDACCOSIM[4],whichproposetogeneratemasteralgorithmsforparallelanddistributedco-simulationusinghierarchicalFMUs.
4. IntegratingFMUsasAADLblocks
InthisSection,wepresenttheintegrationworkflowofFMUcomponentswithinAADLmodels.
We view the integration of FMU as an integration process. Starting from an AADLmodel, one aims atintegratingFMUasanexecutableblock,similartotheinclusionofotherfunctionalmodelsinAADL,suchasC,Ada,Scade,SimulinkthatarealreadysupportedbyourAADLtoolchainOcarina.Eachblockisactuallyintegratedasasubprogramblock,thatistriggeredbyitsenclosingcomponentsuchasathreadoradevice.
Ocarina5[19]isamodelprocessorfortheAADL.ItsupportscodegenerationtargetingawidevarietyofRTOS(RTEMS,RT-POSIX,FreeRTOS,ARINC653).ItmapsAADLconstructsontothePolyORB-HIruntimethatabstractRTOSconstructs.ItpreservestheinitialsemanticsoftheAADLmodel.
a. IntegrationofFMUinAADLworkflow
First,letussaythatonereceivesanFMUthatmodelsandsimulatesthemechanicalpart(physical)ofalargersystem.ThisFMUshouldbeintegratedwithacontroller(cyberpart),designedwithAADL.Thegoalistoverifythatthecontrollerbehavesasexpected.TheintegrationworkflowispresentedFigure45.ThefirststepconsistsinanautomatedtranslationoftheFMUasAADLmodelusinganalgorithm,which1)unzipstheFMUfile,2)parsesthemodeldescription.xmlfiletocreateAADLelementsrespectingthemappingofTable1,and3)createstheFMIwrapperassetofAADLconstructs:subprogramthatcapturetheexecutionentrypoint of the simulator) and and corresponding C implementation, thread and device abstractions.Then,onecouldconnecttheFMUwiththelargerAADLmodeltobuildacoupledmodel.
Figure4:IntegratinganFMUasanAADLcomponent–Workflow
b. IntegrationofFMUexecutionsemantics
5http://openaadl.org
FMU-based simulations relyon the conceptof aMasterAlgorithm thatorchestrates theoverallsimulation at each time step. Then, the FMUs perform a calculation step, and the resulting values arepropagatedtothescheduler,whichlaunchestasksdependingontheoverallsimulationtime.TheMasterAlgorithm can be built based on the dependency graph of the coupledmodel. However, in the case ofalgebraicloopdetection,thecalculationofthedependencygraphisabortedandagenericMasterAlgorithmisprovided.Inparallel,thetargetRTOScodeisgeneratedfromtheAADLmodel,usingOcarina.Finally,thewholecodeiscompiledandlinkedtobeexecuted.
Table1:MappingBetweenFMIandAADL
Concepts FMI AADLComponent FMU Subprogram/DeviceInput/Outputport CausalityIn/Out Inport/OutportDiscreteport/Continuousport VariabilityDiscrete/Continuous Eventport/DataportTypes Real,Integer,Boolean Base_Types::Float,
Base_Types::Integer,Base_Types::Boolean
AsstatedbyTable1,FMUblocksaremappedtoAADLdevice, that isanabstractionofadeviceinteractingwith thephysicalworld capturedby the FMUmodel.Hence, FMU interactions are explicitlydiscretizedbytheactivationofthedevicebyotherpartofthemodel,e.g.readingfromasensorwilltriggerthecorrespondingFMUat thecorrespondingsamplingtime.Hence,onecan integrateeithercontinuoustimeordiscretetimeinthesimulation.
Inourapproach,FMUsareembeddedinsideanAADLmodelthatalreadyhaveanexecutionsemantics,andascheduler.Asaresult,theMasterAlgorithmisimplicitlydefinedbythecombinationoftheschedulingparameters of all blocks: signals are captured in AADL event port communications; data propagationasAADLdataportcommunications;schedulingiscontrolledbytheschedulerofthesystem,e.g.priority-driven scheduler. Thus, the cyber part of the system interacts with the environment through polling(periodicread),interrupts(receptionofeventsfromtheenvironment)oractuation.ThesearecapturedbycorrespondingportdirectionsintheAADLmodel.
As a consequence, the co-simulation time is linked to scheduler time..We used signals to start thescheduleruntil thecommunication timestep isreached.The implementationof themasteralgorithmisautomatically generated using the Ocarina AADL code generator by translating AADL tasks andcommunicationports to the correspondingC artefacts. Thanks to the versatility of the code generationprocess,wecaneitherreallyontrue(wallclock)time,orsimulatedtimeusingasimulatorofaRTOS.Hence,thisapproachallowsseamlessintegrationofFMUasfunctionalmodels.
5. CaseStudyandExperimentResults
Inthissection,welisttwocasestudiesbuiltonthepreviousintegrationworkflow6.
a. Moonlander
AMoonLandermodel[20]wasusedtoinvestigateco-simulation’stimeandscheduler’stimeissues.WebuiltaModelicamodelofthephysicalmodelandexporteditintoanFMU2.0forCo-Simulation.Thecontrollerimplementsabasicstrategytocontrolthedescentofthevehicle,andtriggersthethrusters.AfirstversionhasbeenimplementedinModelicatocheckthecorrectnessofthecontroller.,andsimulatedintheOpenModelicaframework.
Then, theFMUof thephysicalmodelwas importedasanAADLcomponent followingthesemanticsmappingoftheTable1,andconnectedtoareimplementationofthecontrollerinC.Thiscontrollerandthe6Othercasestudiesareavailablethroughhttp://www.openaadl.org
plant,asseenasanAADLdevicethatsamplestheenvironment,havebeenconnectedinanAADLmodel(see Figure 6). This model indicates the data types exchanges and the scheduling parameters of thecontroller. From the system designer perspective, the AADL model captures the configuration of thecontroller,andadevicethatinteractswiththeenvironmentasaregulardevicedriver.Here,FMIplaysitsroleof“mock-up”,insteadofconnectingthismodeltotheimplementationofadriver,weconnectittothemodelthatsimulatedtheenvironmentitinteractswith.
Tosimulatetheoverallsystem,wegeneratedtheCcodeoftheAADLcontrollerwithOcarina,alongwith code archetype for the various tasks and communication channels.We linked it to the FMUas anexternallibrary.WerelyontheFMUSDK2fromModelon(adaptedbyUniversityofCalifornia–Berkeley7)tobuildagenericentrypointtoloadFMUsandtocomputesimulationstepstriggeredbythehostprocess.Forthisexperiment,wereliedontheGNU/LinuxOS,combinedwithRT-POSIXAPIcalltoimplementareal-timebehaviorforthecontroller.
Throughanalysisoftheexecutionlogs,wecouldassessthesimulationhasthesamebehaviorforboththeFMI-coupledmodelandtheModelicamodel.
Figure5AADLmodelofthelunarlander
b. ROSACEcasestudy
TheROSACEcasestudy(Pagetti,Saussié,Gratia,Noulard,&Siron,2014)wasusedtoinvestigateco-simulation graph issues, but also scalability. ROSACE has multiple implementations in C/POSIX,C/ARINC653,SimulinkGiottoorPtolemy.ItisareferencebenchmarkforCPSsimulation.
TheenvironmentofthecontrolleriscomposedofthreeFMUs:anengine,anelevator,andtheaircraftdynamics.TheseFMUsareconnectedtoexchangephysicalquantities,andtothecontrollerthatismodeledin AADL. This controller ismade of 11 periodic tasks interconnected. Thismodel has a higher level ofcomplexitycomparedtotheMoonLandercasestudy,withmoreFMUsandtasks.
TobuildtheseFMUs,wemodelledtheenvironmentusingtheModelicalanguageandwegeneratedtheFMUswithJModelica.ThecontrollerhasbeenimplementedinSimulink,andlatertranslatedinC.Erreur!Nousn’avonspastrouvélasourcedurenvoi.7showstheresultingAADLmodelthatintegratestheFMUswiththeAADLcontroller.Then,basedon(VanAcker,Denil,Vangheluwe,&DeMeulenaere,2015;Galtier,et al., 2017) we have investigated the construction of the overall dependency graph to generateautomatically the Master Algorithm. This algorithm has been translated as a set of AADL schedulingconfigurationparameters.Themodelsaresimpleenoughtobefulldiscretized,thusacausalgraphcanbededucedtocapturethewholesimulationbehavior.
WecouldleveragetheROSACEvalidationscripttoensurethatoursimulationwasalsoconsistentwithothersimulationsdoneeitherinSimulink,Ptolemy/HLAorGiotto.
7https://github.com/cxbrooks/fmusdk2[lastvisited03/06/2017]
c. Lessonslearnt
Throughthesetwocasestudies,wecouldgeneratevirtualintegrationtestbenchforcyberphysicalsystems.Wedemonstratedthecapabilitytoconnectarchitecturaldescriptiontomodelsimulatingtheenvironmentusing the FMI framework. This is a first step towards full generation of simulation environment. ThearchitecturaldescriptionofthesystemhasbeendemonstratedtobeenoughtointeractwiththeFMU-basedenvironmentblocks.Thisisaconsequenceofusingcausalsystems:onecasesimulatetheenvironmentuptotheinstantrequiredbythecyberpart.
6. ConclusionandFurtherWork
Inthispaper,weaddressedtheearlyvalidationofembeddedsystems.Weproposedageneralapproachtobindarchitecturaldescription,amenabletocodegeneration,toFMUblocks.Thisenablestheconstructionofvirtual integrationtestbench.First,wepresentedthevariouselementsofcontextsandrelatedwork.Then,weillustratedhowFMIblockscanbeboundtoAADLmodeslsotoserveasamockoftheenvironmentasseenthroughadevice.Hence,onecantestanAADLmodelconsideringarepresentativemodeloftheenvironment, leading. Leveraging high-fidelity model turned into FMU, one can test more preciseinteractionscenario.Futureworkactivitieswillincreasethenumberofcasestudies,tostresstimelinessissues, e.g. multi-clock scenarios. Another aspect will consider integrating multiple simulators likeInstructionSetSimulators forprecisesimulationofhardwareblocks,and interoperabilitywithdomain-specificsimulatorstosimulatetheoccurrenceoffaultsanddefects.
Bibliography
[1] "MODELISARConsortiumandModelicaAssociationProject"FMI"-FunctionalMock-upInterfaceforModel-ExchangeandCo-Simulation,"2014.
[2] F.Cremona,M.Lohstroh,S.Tripakis,C.BrooksandE.A.Lee,"FIDE:AnFMIIntegratedDevelopmentEnvironment,"inProceedingsofthe31stAnnualACMSymposiumonAppliedComputing(SAC'16),Pisa,Italy,2016.
[3] P. H. Feiler and D. P. Gluch, Model-Based Engineering with AADL: An Introduction to the SAEArchitectureAnalysis&DesignLanguage,Addison-WesleyProfessional,2012.
[4] V.Galtier,M.Ianotto,M.Caujolle,R.Corniglion,J.-P.Tavella,J.E.Gomez,J.J.H.Cabrera,V.ReinboldandE.Kremers,"ExperimentingwithMatryoshkaCo-Simulation:BuildingParallelandHierarchicalFMUs,"inProceedingsofthe12thInternationalModelicaConference,2017.
[5] P.B.Zeigler,TheoryofModellingandSimulation,Malabar,Florida:RobertE.Krieger,1984.
[6] H.Vangheluwe,"Thediscreteeventsystemspecification(DEVS)Formalism.CourseNotes,Course:Modeling and Simulation (COMP522A), McGill University, Montreal Canada.," 2001. [Online].Available:http://www.cs.mcgill.ca/~hv/classes/MS.01.Fall/DEVS.pdf.[Accessed12122016].
[7] H.Vangheluwe, J.DeLaraandP. J.Mosterman,"An introductiontomulti-paradigmmodellingandsimulation," inProceedingsof theArtificial Intelligence, SimulationandPlanning inHighAutonomySystems.(AIS'02),Lisboa,Potugal,2002.
[8] D. Broman, C. Brooks, L. Greenberg, E. A. Lee,M.Masin, S. Tripakis andM.Wetter, "DeterminateCompositionofFMUsforCo-simulation,"inProceedingsofthe11thACMInternationalConferenceonEmbeddedSoftware,Montreal,Quebec,Canada,2013.
[9] J.Bastian,C.Clauß,S.WolfandP.Schneider,"MasterforCo-SimulationUsingFMI,"inProceedingsofthe8thInternationalModelicaConference,Dresden,Germany,2011.
[10]S.Guermazi,S.Dhouib,A.Cuccuru,C.LetavernierandS.Gérard,"IntegrationofUMLModelsinFMI-basedCo-simulation,"inProceedingsoftheSymposiumonTheoryofModeling&Simulation(TMS-DEVS'16),Pasadena,California,2016.
[11]Y.A.Feldman,L.GreenbergandE.Palachi,"SimulatingRhapsodySysMLBlocksinHybridModelswithFMI,"inProceedingsofthe10thInternationalModelicaConference,Lund,Sweden,2014.
[12]S. Cavdar, "Supporting Embedded Systems Development - Tool Support for EAST-ADL import ofModelicaFMU,"Chalmers,Gothenburg,Sweden,2011.
[13]J.Köhler,H.-M.Heinkel,P.Mai,J.Krasser,M.DeppeandM.Nagasawa,"Modelica-Association-Project“SystemStructureandParameterization”--EarlyInsights,"inTheFirstJapaneseModelicaConferences,Tokyo,Japan,2016.
[14]P.Nicolai,B.Tom,M.JanandV.-L.Morten,"FMIforCo-SimulationofEmbeddedControlSoftware,"inTheFirstJapaneseModelicaConferences,Tokyo,Japan,May23-24,2016.
[15]U.Pohlmann,W.Schäfer,H.Reddehase,J.RockemannandR.Wagner,"GeneratingFunctionalMockupUnits fromSoftwareSpecifications," inProceedingsof the9th InternationalMODELICAConference,Munich,Germany,2012.
[16]F.Cremona,M.Lohstroh,D.Broman,S.TripakisandE.A.Lee,"HybridCo-Simulation:It'sAboutTime,"UniversityofCalifornia,Berkeley,2017.
[17]D. a. G. L. Broman, E. A. Lee, M. Masin, S. Tripakis and M. Wetter, "Requirements for HybridCosimulation Standards," in Proceedings of the 18th International Conference on Hybrid Systems:ComputationandControl,Seattle,Washington,2015.
[18]B. VanAcker, J. Denil, H. Vangheluwe andP.DeMeulenaere, "Generation of anOptimisedMasterAlgorithm for FMI Co-simulation," in Proceedings of the Symposium on Theory of Modeling &Simulation:DEVSIntegrativeM&SSymposium(DEVS'15),Alexandria,Virginia,2015.
[19]J.Hugues,B.Zalila,L.PautetandF.Kordon,"FromtheprototypetothefinalembeddedsystemusingtheOcarinaAADLtoolsuite,"ACMTransactionsonEmbeddedComputingSystems(TECS),vol.7,no.4,2008.
[20]P.Fritzson,IntroductiontomodelingandsimulationoftechnicalandphysicalsystemswithModelica,JohnWiley&Sons,2011.
[21]C. Pagetti,D. Saussié,R.Gratia, E.Noulard andP. Siron, "TheROSACECase Study: FromSimulinkSpecificationtoMulti/Many-CoreExecution,"inIEEE19thReal-TimeandEmbeddedTechnologyandApplicationsSymposium(RTAS),Berlin,Germany,2014.
[22]E.Durling,E.PalmkvistandM.Henningsson,"FMIandIPProtectionofModels:ASurveyofUseCasesandSupportintheStandard,"inModelicaconference,Prague,2017.
[23]P.H.Feiler,J.Hansson,D.deNiz,L.Wrage,"SystemArchitectureVirtualIntegration:AnIndustrialCaseStudy"TechnicalReportCMU/SEI-2009-TR-017
[24]M.Hoepfer,"Towardsacomprehensiveframeworkforco-simulationofdynamicmodelswithanemphasisontimestepping",PhDthesis,GeorgiaTech,http://hdl.handle.net/1853/41219