An Architectural Approach to Managing Heterogeneous Models for Automotive Control System Design

Position submitted to Auto-CPS 2010

1. The Challenge: Heterogeneous Models

Automotive systems and other cyber-physical systems are designed and analyzed using a variety of modeling formalisms and tools. Each representation highlights certain features and occludes others to make analysis tractable and to focus on particular performance attributes. Typically a particular formalism represents either the cyber or the physical elements well, but not both. For example, differential equation models typically represent physical processes well, but do not naturally represent the details of computation, data communication, or digital control. On the other hand, discrete modeling formalisms such as Petri nets and automata are well suited to representing discrete behavior and control flow, but are not particularly useful for modeling continuous phenomena in the physical world. These different perspectives also reflect the wide range of engineering domains and technical expertise required to design and implement a system rich in both cyber and physical components. Thus, the heterogeneity of cyber-physical systems in many dimensions requires multiple heterogeneous models and formalisms to explore the complete design space. Although the diversity of models and formalisms supports a component-based "divide and conquer" approach to cyber-physical system development, it presents a serious problem for verifying the correctness and safety of designs at the system level. Model-based design and verification of particular component properties, and even of global system properties, are always done in the context of assumptions about system features that cannot be represented in the particular formalism being used. Each design and verification activity also leads to constraints and conditions that impinge on assumptions made in other models.
The exchange of information, implications, and assumptions among the many groups of engineers performing design and verification in the development of a complex cyber-physical system is typically informal at best, and it is particularly difficult when the structure and semantics of the modeling formalisms differ significantly, as they do across the gap between cyber and physical formalisms. Consequently, correctness of the design is inferred from a combination of engineering judgment and extensive testing of the final system. Achieving system-level verification in an explicit and principled way requires a framework that encompasses the complete system and is not prejudiced toward particular formalisms that capture well only cyber or only physical features.