Abstract
This chapter provides an overview of the formal operational semantics for a co-simulation framework to support the multidisciplinary modelling of embedded systems. Following a master/slave architecture, discrete-event and continuous-time simulations proceed in their own engines, but under the control of a coordinating co-simulation layer. The semantics are extended to accommodate a scripting language that permits co-simulation over predefined scenarios.
Access provided by Autonomous University of Puebla. Download chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
1 Introduction
This chapter provides an overview of the semantics for the whole co-simulation framework, covering the co-simulation engine and the scripting language. It is presented in a combination of styles, including graphical representations and Structural Operational semantics (SOS), see [77, 78]. This chapter assumes a background in formal semantics and is intended primarily for readers seeking a full understanding of the semantics underlying the Crescendo technology.
The mathematical foundations for bond graphs and the VDM-RT notation are substantially different. In this chapter, we present the formal foundations that enable coupling of these diverse formalisms to permit co-simulation. The Crescendo tool implements the semantics presented here following a traditional master/slave architecture. The master is the co-simulation engine that manages all communication between the DE and CT simulators which act as slaves and progress the simulation according to the directives coming from the master co-simulation engine.
The overall structure of the co-simulation engine, a basic explanation of the synchronisation of the two “slave” simulators, and the semantic constraints for the simulators are presented in Sect. 13.2. Section 13.3 provides the actual co-simulation semantics. Then, Sects. 13.4 and 13.5 explain how the co-simulation can be extended using the semantics for a small language Crescendo Scripting Language (CSL) that enables scenarios to be exercised by a co-simulation. Section 13.6 ends the chapter with a short summary.
2 Structure of Co-simulation
Figure 13.1 illustrates the synchronisation scheme underlying co-simulation between a DE simulation of a controller (top) and a CT simulation of the plant (bottom). It is an expanded diagram of Fig 2.3. The DE and CT simulators are coupled through a co-simulation engine that explicitly synchronises the shared variables, events and the simulation time in both linked simulators (the co-simulation engine is not shown explicitly in Fig. 13.1).
Each simulation maintains its own local state and time at which the state is valid. Thus, let σ de be the internal state of the DE simulation at simulation time t de, and let σ ct be the internal state of the CT simulation at simulation time t ct. The controlled variables defined in the co-simulation contract (whose values are defined in σ c) are set by the DE controller and read by the plant; the monitored variables (σ m) are set by the plant model and read by the controller.
Consider a synchronisation cycle which starts with the two simulators having a common simulation time (t ct = t de). On each cycle, the DE controller simulation sets the controlled variables and proposes a duration δ t by which the CT simulation should, if possible, advance. As the CT simulation of the environment advances, it may encounter a state in which one of the event predicates defined in the contract becomes true. The state of the monitored variables σ m 1 and the actual time that it reached δ t a are communicated back to the DE side. If no events occur in the CT simulation during this interval, δ t a = δ t. While the CT simulation has been progressing, the DE simulation remains unchanged, so its local simulation time remains at t de and state σ de. The DE simulation then advances by δ t a so that both DE and CT are again synchronised at the same simulation time, and the controlled variables are updated (σ c 1) and the next time step is proposed to CT. The performance of the DE state change takes place in two stages, with the calculations being performed first, separately from advancing the DE simulation time. The granularity of the synchronisation time step is always determined by the DE simulator. The scheme does not require resource-intensive roll-back of the simulation state in either of the simulators, though roll-back may occur inside the CT simulator in order to catch the precise time requested. The CT simulator typically performs a binary search technique to determine zero crossings for event signalling. This process is called microstepping, which is even performed when fixed time step solvers are used.
The overall structure of the co-simulation semantics presented in the remainder of this chapter consists of a central semantic model of the co-simulation engine. It consists of the necessary semantic models for the individual pieces of a co-model. This means that we have three semantic models instantiated for a typical co-model: the co-simulation engine; the Discrete-Event (DE) semantic model of the formalism (VDM) used to describe an embedded digital controller; and the Continuous-Time (CT) semantic model of the formalism (bond graphs) that is used to describe the environment that the embedded controller interacts with. The semantic model of the co-simulation engine is necessarily generic: it needs to be able to support the opaque embedding of other heterogeneous semantic models. In addition, the semantic models of the two simulators are only characterised in this chapter, and we rely on opaque embeddings of them in the semantics of the co-simulation engine.
The semantics of the co-simulation engine can only embed semantic models that conform to certain constraints. Some of these constraints are common to both DE and CT models and these are described in Sect. 13.2.1. The constraints of the CT and DE simulator semantic models are explained in Sects. 13.2.2 and 13.2.3, respectively.
This structure consisting of a central engine coordinating the simulated time and shared state of the overall co-model provides a clear modular division between the generic co-simulation properties and the formalism-specific subject model needs. As a part of this, the actual subject model simulations are delegated to separate semantic models, allowing them to be fit for the needs of those subject models. This, in turn, enables an implementation of the co-simulation engine that allows the use of a variety of different specific simulation engines, as has been done in the Crescendo tool.
2.1 Common Semantic Constraints
There are a few common constraints on the semantics of the simulators involved in co-simulation that must be respected. The constraints common to both simulator semantics are as follows:
- C1: :
-
It must be possible to have the semantics “step” from a given state at a given time to a successor state at some future time, and it must be able to do so in relatively small time increments.
- C2: :
-
It must calculate the next state of the subject model in a given simulator semantics, taking into account the values from the shared state that have been changed by other simulator semantics.
The first constraint, C1, is required to ensure that it is possible to interleave the simulation of the subject models. The ambiguity that it is able to do so in relatively small increments relates to the subject models (in the Crescendo tool the scale is nanoseconds).
For CT simulator semantics, this effectively means that it must be possible to determine the observable state of a model for any arbitrary (future) point in time, given the granularity defined by the “small time increments” noted above.
Constraint C2 is required to support a shared state between the various subject models in the co-simulation engine. Without this, one may as well just run the individual subject models independently.
2.2 Continuous-Time Simulation Semantics
The first type of semantic description that may be used as a simulator semantics in the co-simulation framework is labelled “continuous-time”. Semantic descriptions of this type are characterised by a model that is based on a single model state with no hidden or transactional variables. As such, simulators with this sort of semantic model are typically used to model physical systems.
Given the basic assumption that any semantics model in the overall co-simulation framework must make finite steps, there are four primary requirements on a CT semantic model:
- CT1: :
-
It must be possible to observe the complete state of the semantics for a given point in time.
- CT2: :
-
It must be possible to set bounds on the maximum duration of each simulation step of a subject model in the semantics.
- CT3: :
-
It must always produce the actual duration of the simulation step that was taken.
- CT4: :
-
It must be able to produce “events” as part of a simulation step of a subject model.
The first constraint, CT1, means that there must be no hidden state: the successor state of a CT semantics must be dependent only on the observable state and the time. This lack of pre-determination, in turn, in principle allows changes to shared state variables to have immediate effect on the simulated model.
The second constraint, CT2, is necessary to support the interleaving of CT and DE semantic models. Because it is possible for a DE model to determine that its observable state will change at some given point in the future, we then know that we will need to synchronise the simulator semantic models at that point. Thus, it must be possible to ensure that a step of the semantic model will be no later than that known synchronisation point.
The third constraint, CT3, is required as it may be possible for the step to have taken less time than the maximum allowed by the bound. It may happen that the subject model’s successor state in a step is earlier than that bound; this can represent something occurring in that subject model, altering shared state, that requires synchronisation with the other simulation semantics.
Constraint CT4 allows for a mechanism to indicate that something of interest has happened in the simulation of the subject model—an event—without the need to record the event directly in the shared state. This is a sort of side-band signalling mechanism enabling both time-triggered as well as event-triggered behaviour.
2.3 Discrete-Event Simulation Semantics
The second type of semantic model for simulation is called the “discrete-event” model. Semantic descriptions of this type are characterised by a model that allows portions of the overall subject model state to be hidden. These hidden portions of the overall model state may be the result of determining the future value of state elements, but not allowing them to be observed until the appropriate point in time. Not surprisingly, this sort of model is typically used to model computational systems, such as embedded controllers.
The requirements on a DE semantic model are concerned with managing the subject model’s state and the bounds on the duration of steps of other simulators.
- DE1: :
-
Every step must indicate the time at which hidden state will next be revealed.
- DE2: :
-
It must be possible to have the semantics perform a synchronisation step that only exposes hidden state that is ready to be revealed up to a given point in time and updates the internal subject model state with the shared state from the co-simulation engine.
- DE3: :
-
It must be able to update to a point in time prior to the next point at which hidden state will be revealed.
- DE4: :
-
It should accept the notification of events that occurred in other simulators.
The first constraint, DE1, on DE semantic models is necessary to indicate to the co-simulation engine the point at which there will next be a change to the shared state due to this subject model. It allows the co-simulation engine to set a bound on the maximum duration of the next step of CT simulation semantics and is necessary to keep the various simulator semantics in the co-simulation engine in step with respect to time.
The second constraint, DE2, anticipates the addition of a fault injection framework and is not strictly necessary for the co-simulation engine itself. In a CT semantic model, as it has no hidden elements, the control and value state of the subject model are always synchronised with the time reported to the co-simulation engine. The DE model, in contrast, may allow hidden elements in its internal state to contain values which are not valid until future points in time. This means that for the subject model to be affected by changes to the shared state from other subject models, it must have a mechanism to update the present internal state before the next internal state is calculated. The initial semantic rules presented in Sect. 13.3.3 do not entirely conform to constraint DE2; however, Sect. 13.4 depends upon the constraint and alters the semantic rules in the required manner.
The third constraint, DE3, allows for this simulation semantics to gracefully handle the other simulation semantics taking steps shorter than expected. The expectation is that a DE model would not normally change any state on such a step. Connected to this is constraint DE4, which requires that the simulation semantics accept the notification of events from the CT model; these events give the subject model an opportunity to react to their presence.
3 Co-simulation Semantics
We use the SOS format [77, 78] to present the semantic definitions in this chapter. An SOS description consists of two major elements: a set of type definitions that describe the static structure of the system; and the definitions of the transition relations that describe the behaviour of the system.
The semantics is described using a collection of transition rules. Each of these has a number of hypotheses (typically one per line) over a horizontal line. Below the line the conclusion can be reached if all the hypotheses above the line can be reached. It is also possible that such transition rules have side conditions that also need to be satisfied to ensure the validity of applying a specific transition rule. Many of the hypotheses and the conclusion are typically described as transitions which are indicated as something that matches a configuration followed by a line (from left to right with a name above it) and followed again by the new configuration that a system is transformed into.
3.1 Structural Operational Semantics
The logical notation used for the assertions in the semantic descriptions is the basic VDM-SL type system and expressions [20, 27].Footnote 1 This notation is used to define the static structure of the co-simulation engine and give its behaviour.
In an SOS definition, the static state of a system is modelled as a configuration that contains all of the information needed to capture the complete state of a system at any given point. This includes, for the co-simulation semantics we present, information about which simulator semantics was used for the previous step, the shared variable state, the current simulated time and the complete internal states of both simulators’ semantics (treated opaquely). Configurations are typically given as tuples.
The behaviour of a system is defined through the use of transition relations, at least one of which must involve the complete static state configuration. In a fine-grained SOS definition, the overall system behaviour is typically defined using a transition relation from configuration to configuration, though this is not strictly necessary.
The transition relations are defined through the use of inference rule schemata, where each rule’s conclusion defines a subset of the entire transition relation. The least relation that satisfies all of the inference rules is taken to be the relation defined.
Consider the following rule:
The Example rule here would be a (partial) definition of the \(\stackrel{s}{\longrightarrow }\) transition relation. The conclusion below the line has four free variables—a, b, a′ and b′—into which values may be substituted. For this rule to be true of a given pair of pairs—(a, b) and (a′, b′) in this case—then the three hypotheses above the line must be satisfied.
In general, the rule applies for any set of values that may be substituted into the free variables so long as all of the hypotheses of the rule are satisfied. This substitution is similar to the pattern matching as done in VDM models and, where a free variable is equated to some other structure, the resolution of the possible values for the free variable is done in a way that allows the constraints in the other structure (concrete values, restrictions to certain types and so on) to hold of the value in the substitution. In practice, however, the rules are often used to determine a successor configuration, that is, the configuration on the right of the transition relation, based on some given predecessor configuration.
For the Example rule, that means that we would start with known values of a and b and then proceed to determine values for a′ and b′ that satisfy P(a, b, a′, b′) and R(b′). However, we would first check that this rule applies to the given a and b by checking any hypotheses that apply only to a and b; here we check Q(a, b).
The task of finding values for the successor configuration, a′ and b′ in this case, may be one of simply calculation, or a more complex constraint satisfaction problem. It may also involve choosing between equally valid alternatives for some values—these cases can introduce non-determinism into the semantic model,Footnote 2 which can be useful but must be resolved during implementation. Finally, it may not be possible to find values for a successor configuration: this may indicate that the predecessor configuration is not a part of the system modelled; that the wrong rule is being applied; that there’s an error or missing rule in the semantic model; or that the semantic model has deliberately chosen that the predecessor configuration has no successor.
3.2 Co-simulation Static State
Given a co-simulation system that has a CT-type simulator and a DE-type simulator, the overall co-simulation system configuration is given as
where
-
DE is the type of representations of the DE-type simulator, covering all of the possible states that it may reach;
-
CT is the type of representations of the CT-type simulator, also covering all of the states that it may reach;
-
Σ is the representation of the variables shared between the two simulator semantic models and is defined below;
-
the first Time component of the tuple represents the current simulated time of the overall co-simulation system;
-
the second Time component represents a time bound that must be respected by CT simulator semantics;
-
Event-set is the set of Events generated by CT semantic models for the DE models to react to; and
-
Tag is a token that records which of the two semantic models took the last step.
The definitions of the DE and CT representations are left undefined here; it suffices that they conform to the constraints given in Sect. 13.2. These representations are the overall configurations from their respective semantic models.
The type of the shared variables is a map from an identifier (represented by the inexhaustible set Id v ) to a pair of a value and a tag indicating which simulator semantics controls the value of that variable.
Note that a shared variable ownership is immutable over the course of a co-simulation run. Changing the ownership of a shared variable would imply some significant change to the structure of the subject models in the co-simulation.
The tag is simply a structure-less token, either \(\langle DE\rangle\) or \(\langle CT\rangle\).
3.3 Co-simulation Behaviour
With the static state defined, we can now define the transition relation for the co-simulation semantics, \({\buildrel \mathit{cs} \over \longrightarrow}\).
Note that the colon, above, is a type assertion; \({\buildrel cs \over \longrightarrow}\) is a relation over the type of configurations, Config.
We give two inference rules to define the high-level behaviour of the co-simulation semantics in Fig. 13.2. The first rule, DE Step, describes the behaviour that is dependent on the semantics of the discrete-event simulator; the second rule, CT Step, handles the corresponding case when the behaviour is dependent on the semantics of the continuous-time simulator.
Starting with the DE Step rule, consider first the Config tuple on the left of the \({\buildrel cs \over \longrightarrow}\) relation. This tuple is given in terms of its components to allow us to name the components for use in the rule.
Moving our focus to the first hypothesis of the rule, we see some of the components of the Config tuple being used in a new transition relation, \({\buildrel \mathit{de} \over \longrightarrow}\). This transition relation is defined as
and it represents a single step in the discrete-event semantics. Informally, the left side of the \({\buildrel de \over \longrightarrow}\) transition is a tuple of a DE simulator state, shared variable state, a new simulated time for the DE to update to and a set of events that happened between the last point at which the DE semantics took a step and the new simulated time; the right side is a tuple of the new DE simulator state, the new values of shared variables and a new time bound.
The second hypothesis merges the new values in the shared variable mapping what were produced by the DE semantics into the overall co-simulation shared state. The details of the merge are encapsulated into the mergeStates function, defined in Fig. 13.3. This hypothesis is separate from the DE semantics to emphasise that this synchronisation is, properly, the responsibility of the overall co-simulation semantics and not the individual simulator semantics. One important property that is maintained by this separation is that each simulation semantics may only affect the values that it “owns”, as marked by the control tag in the state.
So, the DE Step rule defines the behaviour of the co-simulation semantics when executing a DE step directly in terms of the behaviour of the DE semantics, with a bit of extra mechanism to ensure that the overall shared state is updated.
The second rule in Fig. 13.2, CT Step, is structured in a similar manner to the first, but uses the \({\buildrel ct \over \longrightarrow}\) transition relation to model the behaviour of the CT semantics as it performs a single step. This transition relation is defined as
where, informally, the left side of the transition relation is the CT simulator state, the shared variable state and a time bound; and the right side of the transition relation is the new CT simulator state, the modified shared variables, the time up to which the CT semantics actually reached and a (possibly empty) set of events generated during that step.
The primary advantage of this semantic description of co-simulation is that it isolates the semantics of the two simulators as much as possible, allowing the semantics for each simulator to be defined independently.
3.4 Simulator Properties and Their Transition Relations
For the common constraints, C1 and C2, it is clear that both the \({\buildrel \mathit{de} \over \longrightarrow}\) and \({\buildrel \mathit{ct} \over \longrightarrow}\) transition relations are satisfactory. The ability of the semantic models to step from state to state is inherent in SOS descriptions, thus satisfying C1. Satisfaction of C2 is actually handled internally within the individual definitions of \({\buildrel \mathit{de} \over \longrightarrow}\) and \({\buildrel \mathit{ct} \over \longrightarrow}\) that we must be satisfied with the simple structural compliance present. Specifically, the shared co-simulation state is in the signature of the transition relation, allowing a definition of the transition to use and update it.
Focusing on \({\buildrel \mathit{ct} \over \longrightarrow}\) transition, it must satisfy the four CT constraints, CT1–CT4. Two, CT1 and CT3, are dependent on the internal definition of the \({\buildrel \mathit{ct} \over \longrightarrow}\) transition, and the external structure cannot speak to this. However, CT2 requires that the internal definition of \({\buildrel \mathit{ct} \over \longrightarrow}\) be aware of a maximum duration and this appears structurally in the left-hand configuration. Finally, CT4 requires that the semantic description be allowed to produce events, and this appears directly in the structure of the right-hand configuration.
For the \({\buildrel \mathit{de} \over \longrightarrow}\) transition, the four DE constraints, DE1–DE4, must be satisfied. Constraints DE1, DE3 and DE4 are satisfied as far as possible by the structure of the signature of \({\buildrel \mathit{de} \over \longrightarrow}\); what remains is the responsibility of the internal definition of \({\buildrel \mathit{de} \over \longrightarrow}\) to handle. For constraint DE2, the signature of \({\buildrel \mathit{de} \over \longrightarrow}\) can support this, as it is possible to indicate that a synchronisation-only step is required by defining an event with such a special meaning. Beyond the structure, again, the rest is handled by the internal definition of \({\buildrel \mathit{de} \over \longrightarrow}\).
Possible internal definitions for the \({\buildrel \mathit{de} \over \longrightarrow}\) transition may be found in [61], and a description for the \({\buildrel \mathit{ct} \over \longrightarrow}\) may be found in [24]. In this book, the \({\buildrel \mathit{de} \over \longrightarrow}\) transition corresponds to the semantics of the executable subset of VDM-RT while the \({\buildrel \mathit{ct} \over \longrightarrow}\) transition corresponds to the simulation of the bond graphs.
4 Adding Fault Injection Semantics to the Co-simulation
The co-simulation engine used in the Crescendo tool presents an opportunity to create a fault injection framework that is independent of any of the constituent simulators. This framework only has access to variables that have been explicitly shared between the simulation engines, but this is sufficient for the creation of fault injection and external event scripting.
The CSL is introduced in the Crescendo user documentation and is a minimal language intended to allow for changes to the shared state of the simulators when certain conditions are met. The basic structure of a script—a series of commands in CSL—is just a sequence of triggers, each with a firing condition, body and optional reversions.
The CSL is essentially a reactive language, and a script is a sequence of triggers. A trigger consists of a test expression and a set of assignments to the shared state and may also optionally have a list of variables to revert to their values prior to the trigger. A trigger may be set to react every time its test expression is true, or it may react only once during the entire co-simulation run.
In the basic co-simulation cycle, the DE simulator runs first, followed by the CT simulator, and execution continues, alternating between the two simulators. To add CSL into this cycle, we need to split the DE step and add a new CSL step. We must also extend the configuration, Config, with a representation of the CSL script, and the Tag type of tokens with \(\langle CSL\rangle\) and \(\langle SY NC\rangle\) to include tags for the CSL.
When splitting the DE Step rule from Fig. 13.2, we replace it with the version in Fig. 13.4. The difference between the two rules is that the extended version requires that the Tag in the left-hand configuration be \(\langle CSL\rangle\) instead of \(\langle CT\rangle\) and that the new time bound, τ b ″, must be the least between that generated by the DE semantics, in τ b ′, and last execution of the CSL script, in τ b .
We also add a new rule, DE Sync, that does a \({\buildrel \mathit{de} \over \longrightarrow}\) transition with a Sync event marked; the intent is to signal to the internal definition of the \({\buildrel \mathit{de} \over \longrightarrow}\) transition that it should perform synchronisation of hidden state, and not perform any new computation, as per Constraint DE2. This rule also takes the least available time bound for τ b ″.
For completeness, Fig. 13.4 also shows the updated CT Step rule and definition of the updated Config.
The transition, \({\buildrel \mathit{csl} \over \longrightarrow}\), for the CSL can be defined as
where CSL is the type representing CSL scripts. The two Time values correspond, respectively, to the simulated time in the subject model at which the CSL script is evaluated and a time bound indicating the next simulated time at which the CSL may be triggered.
The necessary semantic rule to use the \({\buildrel csl \over \longrightarrow}\) transition for the CSL is the last rule given in Fig. 13.4. This rule follows the pattern of the rest of the rules in Fig. 13.4, except that it does not need to merge states as it operates on the shared state directly. Further, given that the CSL is intended to allow changes to the shared state of both simulators, there is no need to handle ownership of variables.
Taking the rules in Fig. 13.4 as a whole, we can see that the round-robin cycle is preserved; in order, the rules proceed from the DE Step rule to CT Step to DE Sync to CSL Step and then back around.
5 Semantics of the CSL
The intended execution of a CSL script is straightforward: for a setpoint in time, each trigger is sequentially processed, modifying the shared state as necessary. The semantic model given below reflects this as the transition relation recursively processes the sequence of triggers, producing a new shared state when given an empty sequence.
5.1 Top-Level CSL Structures
The active structure of the CSL in the co-simulation semantics is the CSL construct.
\(\begin{array}{lll} CSL::&ts &:Script\\ &ms &: Marker{\ast} \end{array}\)
The CSL construct contains the script of CSL triggers and a sequence of the same length to hold a minimal amount of state for each trigger.
Script = Trigger∗
Each trigger state—a Marker—is either nil, a constant Done or a pair of a time value and a state.
\(\begin{array}{l} Marker = [DONE \vert Time\times \varSigma ] \end{array}\)
The initialisation of the CSL construct is handled by the \(\mathop{\longrightarrow }\limits _{}^{cslinit}\) transition,
with its definition given in Fig. 13.5. The initialisation rule simply transforms a fault injection script into the CSL object used by the main CSL rules. The top-level rule is given in Fig. 13.6
The Trigger construct is defined as
\(\begin{array}{l} Trigger\::\ once\:\ \mathbb{B} \\ \qquad \qquad \quad test\:\ Expr \\ \qquad \qquad \quad dur\:\ \big[Time\big] \\ \qquad \qquad \quad body\:\ Stmt{\ast} \\ \qquad \qquad \quad rev\:\ Id_{v}-\mathbf{set} \end{array}\)
A Trigger has a flag, once, indicating whether or not it may occur only once or many times; a condition, test, which is evaluated to determine if the trigger should fire; an optional duration field, dur, which if present requires that the condition hold over the given duration; a body field, body, that holds assignment and print statements to be executed when the trigger fires; and a field, rev, that stores a set of variable names to be reverted to their values prior to the trigger firing.
The basic execution of a CSL script is modelled by the \({\buildrel \mathit{csl} \over \longrightarrow}\) relation,
\(\begin{array}{l} { \buildrel csl \over \longrightarrow:(CSL\times \varSigma _{o}\times Time)\times (\mathit{CSL}\times \varSigma _{o}\times Time)} \end{array}\)
and that rule delegates most of the actual work of executing the triggers to the \({\buildrel trig \over \longrightarrow}\) transition relation. Of the rest of the rule, the first and third hypotheses deal with the flattening and rebuilding of the shared state, and the final hypothesis calculates a time bound for the co-simulation based on the triggers that are actively testing a condition over a duration.
The \({\buildrel trig \over \longrightarrow}\) transition relation,
\(\begin{array}{l} { \buildrel trig \over \longrightarrow:(Trigger{\ast}\times Marker{\ast}\times Time\times \varSigma )\times (Marker{\ast}\times \varSigma )} \end{array}\)
only alters the sequence of Markers and the shared state; the actual triggers are never altered. The three basic rules for a trigger with a simple test (no duration) are shown in Figs. 13.7, 13.8 and 13.9.
Reading the Exec rule in Fig. 13.7, we see that the configuration is structured to pattern match the heads of the sequences of triggers and markers, ensuring that we only execute a trigger that is not already active. Then, the first hypothesis pattern matches the first trigger on the sequence to ensure that it is one without a duration. The second hypothesis ensures that the trigger’s condition has been met; evaluation of the expression test is done using the semantic evaluation function [[⋅ ]], and the result is, in turn, given a τ and a σ to evaluate the expression in the time and state context down to its value. The third hypothesis delegates the execution of the body of the trigger to the \({\buildrel tstmt \over \longrightarrow}\) transition relation, producing a potentially altered shared state. The last hypothesis executes the rest of the sequence of triggers.Footnote 3 The conclusion of this rule places a pair containing the present time—that is, when the trigger fired—and the initial state at the head of the sequence of markers in the resulting configuration. This indicates to future evaluations of this trigger that the trigger has fired and is waiting for the condition to become false.
The Skip rule in Fig. 13.8 just skips over triggers that have a pair as their marker and a true condition; for triggers with durations, the rule only applies when the duration has been exceeded (third hypothesis). When the marker is a pair, this indicates that the trigger has been active; furthermore, that the condition is still true means that it is not yet time to revert any variables.
The After rule in Fig. 13.9 handles the case where the trigger’s condition has become false and there are shared variables to revert. This rule applies to all repeating triggers, regardless of whether or not they have a duration. The first two hypotheses pattern match the trigger at the head of the sequence and that the condition is false. The third hypothesis is a guard for triggers with a duration, to ensure that we do not revert shared variables when we should instead be cancelling a trigger with a duration that was still waiting for the necessary time to pass. The fourth hypothesis does the necessary reversion of the state, pulling the values of the variables to be reverted from the state at the start of the trigger, σ 0; note that if the trigger did not have any reverts specified, then the set rev will be empty and σ′ = σ. The fifth hypothesis is the usual recursive step of executing the rest of the triggers.
Those are the three basic rules for executing triggers in the CSL semantics. There are ten semantic rules in total and they have been constructed so that there is no situation where multiple rules apply.
Of the remaining semantic rules, some of the base cases are given in Fig. 13.10. The first, Base, is only necessary to handle the base case of processing a sequence: that is, when the sequence is empty. Two rules, Done and Once after, deal with the non-repeating triggers: the former skips non-repeating triggers that have already triggered; and the latter places a Done constant in the marker after the trigger completes.
The last four remaining rules in Fig. 13.11, Duration init, Duration pending, Duration cancel and Duration exec, handle the specific cases where a trigger with a duration on its conditional must, respectively, start monitoring the duration in which the conditional has been true; do nothing between the condition becoming true but before the duration has passed; stop monitoring the duration if the condition goes false before the duration passes; and to execute the trigger body when the duration is met.
5.2 CSL Statement and Expression Semantics
The rules for statements and expressions are included only to give a complete semantic model of the CSL. There are only three statements—assignment, output and quit—and the expression evaluation is essentially a subset VDM’s expressions (with the singular addition of a special identifier to obtain the current time value).
5.2.1 Structure
Statements in CSL are represented by the Stmt type and consist of assignment statements, output statements to print message to the log and the quit statement.
Stmt = Assign | Output | Quit
Assignment statements have the state variable that will be modified and an expression that is evaluated to a value assigned.
\(\begin{array}{l} Assign\::\ id\:\ Id_{v} \\ \qquad \qquad \quad e\:\ Expr \end{array}\)
Output statements may print a message to one of three logs: the regular message log, Print, the warnings log, Warn, or the error log, Error.
\(\begin{array}{l} Output\::\ target\:\ PRINT \vert WARN \vert ERROR\\ \qquad \qquad message: String \end{array}\)
Expressions in CSL are represented by the Expr type and consist of the special variable Time, time values, Time, Boolean values, real number values, identifiers, unary expressions and binary expressions.
\(Expr\mbox{ Time} \vert Time \vert \mathbb{B} \vert \mathbb{R} \vert Id_{v} \vert UnaryExpr \vert BinaryExpr\)
Unary expressions in CSL include the arithmetic operators for negation and absolute value, the rounding functions floor and ceiling and the boolean negation operator.
\(\begin{array}{l} UnaryExpr\::\ op\:- \vert ABS \vert FLOOR \vert CEIL \vert NOT\\ \qquad \qquad \qquad \quad e\:\ Expr \end{array}\)
Binary expressions in CSL include the usual logical operators for conjunction, disjunction, implication and bi-implication; the basic arithmetic comparison operators; the usual arithmetic addition, subtraction, multiplication and division; and the integer modulo and division operators.
\(\begin{array}{l} BinaryExpr\::\ op\:\wedge \vert \vee \vert \Rightarrow \vert \Leftrightarrow \vert <\vert \leq \vert \geq \vert >\vert =\vert \neq \vert + \vert - \vert \times \vert \div \vert MOD \vert DIV \\ \qquad \qquad \qquad \qquad a\:\ Expr \\ \qquad \qquad \qquad \qquad b\:\ Expr \end{array}\)
Finally, the transition relation for statement execution in CSL is defined as \({\buildrel tstmt \over \longrightarrow}\), which relates a tuple containing a sequence of statements, a current time value and an initial state, Σ, to a final state. \(\begin{array}{l} { \buildrel tstmt \over \longrightarrow:(Stmt{\ast}\times Time\times \varSigma )\times \varSigma } \end{array}\)
5.2.2 Statement Rules
There are four rules to define \({\buildrel tstmt \over \longrightarrow}\), giving the behaviour of statements in CSL.
The first rule defines the base case behaviour for sequences of statements, just giving the state on the left of the transition relation as the final state.
The rule for assignment statements evaluates the expression given the current time and state, and then executes the remaining statements in an appropriately modified state.
The function output() in the Stmt Print rule is left undefined; the intent is that it maps to some implementation-dependent logging facility.
The third type of statement, Quit, does not have a semantic rule defined here. The quit statement is implementation-dependent as it is intended to stop simulation of the entire co-model.
5.2.3 Expression Evaluation
Expression evaluation in the CSL is defined in the usual way, though we include access to the current time value using the special identifier Time. Note, also, that the set of time values, Time, is a subset of the real numbers.
The semantics of expression evaluation is given as a function, [[⋅ ]], over three parameters that results in either a Boolean value or a real number. The first parameter is the expression to be evaluated, the second is the time at which the expression is evaluated and the third is the state in which it is evaluated.
\(\begin{array}{l} [[\cdot ]]:\mathit{Expr} \times \mathit{Time} \times \Sigma \rightarrow (\mathbb{B} \vert \mathbb{R}) \end{array}\)
The specific cases in the definition of [[⋅ ]] are given below.
\(\begin{array}{rcll} [[\mathbf{true}]]\tau \sigma & =&\mathbf{true} \\ {}[[\mathbf{false}]]\tau \sigma & =&\mathbf{false} \\ {}[[TIME]]\tau \sigma & =&\tau \\ {}[[r]]\tau \sigma & =&r & \Leftrightarrow r \in \mathbb{R} \\ {}[[id]]\tau \sigma & =&\sigma (id) & \Leftrightarrow id \in \mathbf{dom} \sigma \\ {}[[mk-UnaryExpr(op,e)]]\tau \sigma & =&op([[e]]\tau \sigma ) \\ {} [[mk-BinaryExpr(op,e_{1},e_{2})]]\tau \sigma & =&([[e_{1}]]\tau \sigma )\ op\ ([[e_{2}]]\tau \sigma ) \end{array}\)
The first four cases deal with constant values: the Boolean and real values evaluate to themselves (the first, second and fourth lines), and the special constant Time evaluates the given time value, τ. The fifth case deals with variable identifiers by returning their corresponding value from the state. The last two cases deal with operators by applying the operation to the result(s) of evaluating their operand(s).
6 Conclusion
In order to be able to trust the outcomes of model-based analyses, we need languages and tools that have a formal semantics, and the semantics must form the basis of the tooling. For co-simulation, the semantic basis is perhaps more intricate than that of monodisciplinary modelling because of the need to be precise about the management of communication and the time in the collaborating simulations. The overall manner in which the Crescendo co-simulation works was presented at the start of this chapter, and that was used as a starting point to give the general semantic constraints under which a co-simulation framework must operate. With those constraints in mind, we described a modular operational semantic model that gives the behaviour of co-simulation while leaving the behaviour of the individual simulators abstract. We then presented an extension to the co-simulation semantic model that includes support for fault injection. This was presented as an extension to the whole co-simulation semantics to allow the fault injection to be abstract with respect to the simulators. We then gave the operational semantics of CSL, as that was the fault injection language implemented for the Crescendo tool. Readers interested in a detailed presentation of the VDM-RT simulator are invited to review the execution semantics [24].
Notes
- 1.
The mathematical syntax will be used for these definitions in order to clearly distinguish it from the use of VDM-RT in the models used in this book.
- 2.
Or under-definedness, rather than non-determinism, depending on the perspective and interpretation of the semantic model.
- 3.
The base case—an empty sequence of triggers—is handled by the rule Base in Fig. 13.10.
References
Alexander C, Ishikawa S, Silverstein M (1977) A pattern language: towns, buildings, construction. Oxford University Press, New York
Alur R, Courcoubetis C, Halbwachs N, Henzinger TA, Ho PH, Nicollin X, Olivero A, Sifakis J, Yovine S (1995) The algorithmic analysis of hybrid systems. Theor Comput Sci 138:3–34
Ambrosius F (2007) Modelling and distributed controller design of the BodeRC paper-path setup. Master’s thesis, Department of Electrical Engineering, Mathematics and Computer Science, University of Twente, appeared as Technical Report 003CE2007
van Amerongen J (2010) Dynamical systems for creative technology. Controllab Products, Enschede
Ashenden PJ (2001) The designer’s guide to VHDL, 2nd edn. Morgan Kaufmann Publishers, San Francisco
Avizienis A, Laprie JC, Randell B, Landwehr C (2004) Basic concepts and taxonomy of dependable and secure computing. IEEE Trans Dependable Secure Comput 1:11–33
Bae K, Ölveczky PC, Feng TH, Tripakis S (2009) Verifying ptolemy ii discrete-event models using real-time maude. In: Proceedings of the 11th international conference on formal engineering methods: formal methods and software engineering, ICFEM ’09. Springer, Berlin, pp 717–736
Baheti R, Gill H (2011) Cyber-physical systems. In: Samad T, Annaswamy A (eds) The impact of control technology. IEEE Control Society, pp 161–166. Available at www.ieeecss.org
Baker RE (2005) An approach for dealing with dynamic multi-attribute decision problems. Ph.D. thesis, Department of Computer Science, University of York, UK
Banerjee A, Venkatasubramanian KK, Mukherjee T, Gupta SKS (2012) Ensuring safety, security, and sustainability of mission-critical cyber-physical systems. Proc IEEE 100(1):283–299. doi:10.1109/JPROC.2011.2165689
Banks J, Carson J, Nelson BL, Nicol D (2004) Discrete-event system simulation, 4th edn. Prentice Hall, Upper Saddle River
Berkenkötter K, Bisanz S, Hannemann U, Peleska J (2004) Executable hybriduml and its application to train control systems. In: Ehrig H, Damm W, Desel J, Grosse-Rhode M, Reif W, Schnieder E, Westkämper E (eds) SoftSpez Final Report. Lecture notes in computer science, vol 3147. Springer, Berlin, pp 145–173
Blochwitz T, Otter M, Akesson J, Arnold M, Clauss C, Elmqvist H, Friedrich M, Junghanns A, Mauss J, Neumerkel D, Olsson H, Viel A (2012) The functional mockup interface 2.0: the standard for tool independent exchange of simulation models. In: Proceedings of the 9th international Modelica conference, Munich
Bonabeau E (2002) Agent-based modeling: methods and techniques for simulating human systems. Proc Natl Acad Sci USA 99(Suppl 3):7280–7287. doi:10.1073/pnas.082080899
Booch G, Jacobson I, Rumbaugh J (1999) The unified modelling language user guide. Addison-Wesley, Reading
Broenink JF (1997) Modelling, simulation and analysis with 20-Sim. J A Spec Issue CACSD 38(3):22–25
Broenink JF, Ni Y, Groothuis MA (2010) On model-driven design of robot software using co-simulation. In: Menegatti E (ed) Proceedings of SIMPAR 2010 workshops international conference on simulation, modeling, and programming for autonomous robots. TU Darmstadt, Darmstadt, pp 659–668
Broman D, Derler P, Eidson J (2013) Temporal issues in cyber-physical systems. J Indian Inst Sci 93(3):389–402
Broy M, Cengarle MV, Geisberger E (2012) Cyber-physical systems: imminent challenges. In: Calinescu R, Garlan D (eds) Large-scale complex IT systems. Development, operation and management. Lecture notes in computer science, vol 7539. Springer, Berlin, pp 1–28. doi:10.1007/978-3-642-34059-8
Bruun H, Damm F, Hansen BS (1991) An approach to the static semantics of VDM-SL. In: VDM ’91: formal software development methods, VDM Europe. Springer, Berlin, pp 220–253
Cervin A, Henriksson D, Lincoln B, Eker J, Arzen K (2003) How does control timing affect performance? Analysis and simulation of timing using jitterbug and truetime. IEEE Control Syst 23(3):16–30. doi:10.1109/MCS.2003.1200240
Chiodo M, Giusto P, Jurecska A, Hsieh HC, Sangiovanni-Vincentelli A, Lavagno L (1994) Hardware-software codesign of embedded systems. IEEE Micro 14:26–36
Christiansen MP, Larsen M, Jørgensen RN (2013) Collaborative model based development of adaptive controller settings for a load-carrying vehicle with changing loads. In: Bochtis DD, Sørensen CAG (eds) CIOSTA XXXV conference
Coleman JW, Lausdahl KG, Larsen PG (2012) D3.4b—co-simulation semantics. Tech. Rep., The DESTECS Project (CNECT-ICT-248134)
Corporaal H (2006) Embedded system design. In: Karelse F (ed) Progress White Papers 2006. STW, Utrecht, pp 7–27
Coverity (2012) Coverity Scan: 2012 Open Source Report. Tech. Rep., Coverity
Dawes J (1991) The VDM-SL reference guide. Pitman, London. ISBN 0-273-03151-1
DESTECS09 (2009) DESTECS (Design support and tooling for embedded control software). European Research Project
Eidson J, Lee E, Matic S, Seshia S, Zou J (2012) Distributed real-time software for cyber-physical systems. Proc IEEE 100(1):45–59. doi:10.1109/JPROC.2011.2161237
Eker J, Janneck J, Lee E, Liu J, Liu X, Ludvig J, Neuendorffer S, Sachs S, Xiong Y (2003) Taming heterogeneity—the ptolemy approach. Proc IEEE 91(1):127–144
European Cooperation for Space Standardization (ECSS) (2009) ECSS Std ECSS-E-ST-40C Space engineering—software
European Cooperation for Space Standardization (ECSS) (2009) ECSS Std ECSS-Q-ST-80C Space product assurance—software product assurance
Eveleens JL, Verhoef C (2010) The rise and fall of the chaos report figures. IEEE Software, pp 30–36
Fitzgerald J, Larsen PG (1998) Modelling systems—practical tools and techniques in software development. Cambridge University Press, Cambridge. ISBN 0-521-62348-0
Fitzgerald J, Larsen PG (2009) Modelling systems—practical tools and techniques in software development, 2nd edn. Cambridge University Press, Cambridge. ISBN 0-521-62348-0
Fitzgerald J, Larsen PG, Mukherjee P, Plat N, Verhoef M (2005) Validated designs for object-oriented systems. Springer, New York
Fitzgerald JS, Larsen PG, Verhoef M (2008) Vienna development method. In: Wah B (ed) Wiley encyclopedia of computer science and engineering. Wiley, Chichester
Fritzson P, Engelson V (1998) Modelica—a unified object-oriented language for system modelling and simulation. In: ECCOP ’98: proceedings of the 12th European conference on object-oriented programming. Springer, Berlin, pp 67–90
Gamma E, Helm R, Johnson R, Vlissides J (1995) Design patterns. Elements of reusable object-oriented software. Addison-Wesley professional computing series. Addison-Wesley, Reading
Gupta SK, Mukherjee T, Varsamopoulos G, Banerjee A (2011) Research directions in energy-sustainable cyber-physical systems. Sustain Comput Inform Syst 1(1):57–74
Hardebolle C, Boulanger F (2009) Exploring multi-paradigm modeling techniques. SIMULATION Trans Soc Model Simul Int 85(11/12):688–708
Heemels M, Muller G (2007) Boderc: model-based design of high-tech systems, 2nd edn. Embedded Systems Institute, Eindhoven
IEEE (2000) IEEE 100 the authoritative dictionary of IEEE standards terms, 7th edn. IEEE Std 100-2000. doi:10.1109/IEEESTD.2000.322230
IEEE (2008) International Standard ISO/IEC 12207:2008(E), IEEE Std 12207-2008 (Revision of IEEE/EIA 12207.0-1996) Systems and software engineering—software life cycle processes. ISO/IEC and IEEE Computer Society
IEEE (2008) International Standard ISO/IEC 15288:2008(E), IEEE Std 15288-2008 (Revision of IEEE Std 15288-2004) Systems and software engineering—system life cycle processes. ISO/IEC and IEEE Computer Society
Jackson D (2009) A direct path to dependable software. Commun ACM 52(4):78–88. doi:10.1145/1498765.1498787
Jensen J, Chang D, Lee E (2011) A model-based design methodology for cyber-physical systems. In: 2011 7th international wireless communications and mobile computing conference (IWCMC), pp 1666–1671. doi:10.1109/IWCMC.2011.5982785
Johnson CW (2005) The natural history of bugs: using formal methods to analyse software related failures in space missions. In: Fitzgerald J, Hayes IJ, Tarlecki A (eds) FM 2005: formal methods. Lecture notes in computer science, vol 3582. Springer, Berlin, pp 9–25
Johnson J (2006) My life is failure. Standish Group International, co-author of the original 1994 CHAOS report
Jones CB (1990) Systematic software development using VDM, 2nd edn. Prentice-Hall International, Englewood Cliffs. ISBN 0-13-880733-7
JPL Special Review Board (2000) Report on the loss of the Mars Polar Lander and Deep Space 2 missions. Tech. Rep. JPL D-18709. Jet Propulsion Laboratory
Karnopp D, Rosenberg R (1968) Analysis and simulation of multiport systems: the bond graph approach to physical system dynamic. MIT Press, Cambridge
Kleijn C (2009) 20-sim 4.1 reference manual, 1st edn. Controllab Products B.V., Enschede. ISBN 978-90-79499-05-2
Kleijn C, Visser P, Groen F (2012) D3.5—extension to Matlab/Simulink. Tech. Rep., The DESTECS Project (CNECT-ICT-248134)
Kopetz H, Bauer G (2003) The time-triggered architecture. Proc IEEE 91(1):112–126
Larsen PG, Battle N, Ferreira M, Fitzgerald J, Lausdahl K, Verhoef M (2010) The overture initiative—integrating tools for VDM. SIGSOFT Softw Eng Notes 35(1):1–6
Larsen PG, Lausdahl K, Battle N (2010) Combinatorial testing for VDM. In: Proceedings of the 2010 8th IEEE international conference on software engineering and formal methods, SEFM ’10. IEEE Computer Society, Washington, pp 278–285. ISBN 978-0-7695-4153-2
Larsen PG, Wolff S, Battle N, Fitzgerald J, Pierce K (2010) Development process of distributed embedded systems using vdm. Tech. Rep. TR-2010-02, The Overture Open Source Initiative
Larsen PG, Lausdahl K, Battle N, Fitzgerald J, Wolff S, Sahara S (2013) VDM-10 language manual. Tech. Rep. TR-001, The Overture Initiative
Larsen PG, Lausdahl K, Coleman J, Wolff S, Kleijn C, Groen F (2013) Crescendo tool support: user manual. Tech. Rep. TR-001, The Crescendo Initiative
Lausdahl K, Coleman JW, Larsen PG (2013) Semantics of the VDM real-time dialect. ECE-TR-13, Aarhus University, Aarhus, April 2013
Lee E, Seshia S (2011) Introduction to embedded systems, a cyber-physical systems approach. University of Berkeley, Berkeley. ISBN 978-0-557-70857-4
Lee EA (2008) Cyber physical systems: design challenges. Tech. Rep. UCB/EECS-2008-8, EECS Department, University of California, Berkeley
Lee EA (2009) Computing needs time. Commun ACM 52(5):70–79
Lee EA (2010) CPS foundations. In: Proceedings of the 47th design automation conference, DAC ’10. ACM, New York, pp 737–742. doi:10.1145/1837274.1837462
Lee I, Sokolsky O, Chen S, Hatcliff J, Jee E, Kim B, King A, Mullen-Fortino M, Park S, Roederer A, Venkatasubramanian K (2012) Challenges and research directions in medical cyber-physical systems. Proc IEEE 100(1):75–90. doi:10.1109/JPROC.2011.2165270
Lions JL, Lübeck L, Fauquembergue JL, Kahn G, Kubbat W, Levedag S, Mazzini L, Merle D, O’Halloran C (1996) ARIANE 5—flight 501 failure—report by the inquiry board. Tech. Rep., European Space Agency
Liu J (1998) Continuous time and mixed-signal simulation in ptolemy ii. Tech. Rep. UCB/ERL M98/74, EECS Department, University of California, Berkeley
Magureanu G, Gavrilescu M, Pescaru D (2013) Validation of static properties in unified modeling language models for cyber physical systems. J Zhejiang Univ Sci C 14(5):332–346. doi:10.1631/jzus.C1200263
Maier MW (1996) Architecting principles for systems-of-systems. In: Sixth international symposium of the international council on systems engineering, INCOSE
Margaria T, Schätz B, Verhoef M (2006) Formal methods going mainstream: costs, benefits, experiences. BCS-FACS FACTS 2006(2):34–38, report on the ForTIA Industry Day at FM’05
Marwedel P (2010) Embedded system design—embedded systems foundations of cyber-physical systems. Springer, Berlin
Mazzara M, Bhattacharyya A (2010) On modelling and analysis of dynamic reconfiguration of dependable real-time systems. In: 2010 third international conference on dependability (DEPEND), pp 173–181. doi:10.1109/DEPEND.2010.33
Miclea L, Sanislav T (2011) About dependability in cyber-physical systems. In: Design test symposium (EWDTS), 2011 9th East-West, pp 17–21. doi:10.1109/EWDTS.2011.6116428
Moore GE (1965) Cramming more components onto integrated circuits. Electronics 38(8):114–117
Nielsen CB (2010) Dynamic reconfiguration of distributed systems in VDM-RT. Master’s thesis, Aarhus University
Plotkin GD (1981) A structural approach to operational semantics. Tech. Rep. DAIMI FN-19, Aarhus University
Plotkin GD (2004) A structural approach to operational semantics. J Logic Algebraic Program 60–61:17–139
Ptolemaeus C (ed) (2014) System design, modeling, and simulation using ptolemy II. Ptolemy.org
Pumfrey D (1999) The principled design of computer system safety analyses. Ph.D. thesis, Department of Computer Science, University of York
Rajkumar R, Lee I, Sha L, Stankovic J (2010) Cyber-physical systems: the next computing revolution. In: Design automation conference (DAC), 2010 47th ACM/IEEE, pp 731–736
Rational Software Corporation (1998) Rational unified process—best practices for software development teams
Robinson S (2004) Simulation: the practice of model development and use. Wiley, New York
Romanovsky A, Thomas M (eds) (2013) Industrial deployment of system engineering methods providing high dependability and productivity. Springer, Berlin. ISBN 978-3-642-33169-5
Rushby J (1989) Kernels for safety? In: Safe and secure computing systems, Blackwell Scientific Publications, Oxford, pp 210–220
Safety and Health Council of the Chemical Industries Association Ltd (1977) A guide to hazard and operability studies
Friedenthal S, Moore A, Steiner R (2011) A practical guide to SysML, 2nd edn. Morgan Kaufmann OMG Press, Waltham. ISBN: 978-0-12-385206-9
Sangiovanni-Vincentelli A (2006) Successive refinements of communication functions and architectures in system design. In: Design automation and test in Europe, hot topic session—network the next “Big Idea” in design?
Sanwal M, Hasan O (2013) Formal verification of cyber-physical systems: coping with continuous elements. In: Murgante B, Misra S, Carlini M, Torre C, Nguyen HQ, Taniar D, Apduhan B, Gervasi O (eds) Computational science and its applications—ICCSA 2013. Lecture notes in computer science, vol 7971. Springer, Berlin, pp 358–371. doi:10.1007/978-3-642-39637-39
Schirner G, Erdogmus D, Chowdhury K, Padir T (2013) The future of human-in-the-loop cyber-physical systems. Computer 46(1):36–45
Sztipanovits J, Koutsoukos X, Karsai G, Kottenstette N, Antsaklis P, Gupta V, Goodwine B, Baras J, Wang S (2012) Toward a science of cyber-physical system integration. Proc IEEE 100(1):29–44. doi:10.1109/JPROC.2011.2161529
Taguchi G (1987) System of experimental design, vols 1 and 2. UNIPUB/Krass International Publications, New York
Thomas D, Moorby P (2008) The Verilog hardware description language, 5th edn. Springer, Berlin
Trapp M, Schneider D, Liggesmeyer P (2013) A safety roadmap to cyber-physical systems. In: Münch J, Schmid K (eds) Perspectives on the future of software engineering. Springer, Berlin, pp 81–94. doi:10. 1007∕978-3-642-37395-46
Vangheluwe HL, de Lara J, Mosterman PJ (2002) An introduction to multi-paradigm modelling and simulation. In: Barros F, Giambiasi N (eds) Proceedings of the AIS’2002 conference (AI, Simulation and Planning in High Autonomy Systems), Lisboa, Portugal, pp 9–20
Verhoef M (2009) Modeling and validating distributed embedded real-time control systems. Ph.D. thesis, Radboud University Nijmegen
Verhoef M, Bos B, van Eijk P, Remijnse J, Visser E, De Paepe M, De Witte Y, Rombaut K, Van Lembergen R (2012) Industrial case studies—final report. DESTECS Deliverable D4.3, The DESTECS Project (CNECT-ICT-248134)
Wan K, Hughes D, Man KL, Krilavicius T (2010) Composition challenges and approaches for cyber physical systems. In: 2010 IEEE international conference on networked embedded systems for enterprise applications (NESEA), pp 1–7. doi:10.1109/NESEA.2010.5678065
Wang G, Liu Q, Wu J (2010) Hierarchical attribute-based encryption for fine-grained access control in cloud storage services. In: Proceedings of the 17th ACM conference on computer and communications security. ACM, New York, pp 735–737
Woodcock J, Larsen PG, Bicarregui J, Fitzgerald J (2009) Formal methods: practice and experience. ACM Comput Surv 41(4):1–36
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Coleman, J.W., Lausdahl, K., Larsen, P.G. (2014). Semantics of Co-simulation. In: Fitzgerald, J., Larsen, P., Verhoef, M. (eds) Collaborative Design for Embedded Systems. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54118-6_13
Download citation
DOI: https://doi.org/10.1007/978-3-642-54118-6_13
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54117-9
Online ISBN: 978-3-642-54118-6
eBook Packages: Computer ScienceComputer Science (R0)