by John Fitzgerald, Peter Gorm Larsen and Marcel Verhoef

A new generation of innovative products is emerging that link computing elements – hardware and software – with physical processes. They surround us in our daily life and we are becoming dependent upon their embedded intelligence, as well as their interconnections. Successful design of these “Cyber-Physical Systems” (CPSs) requires close collaboration between all engineering disciplines involved, and rapid innovation is often required in order to meet short windows of opportunity under economically volatile circumstances. The DESTECS consortium has developed co-modelling technology to support cooperative working, and has delivered methods validated in industry case studies. These results are embodied in a new tool set that reduces the effort required to perform design iterations, and improves their impact, right from the outset of design.

Cyber-Physical Systems (CPSs) are challenging to develop because the cyber and physical parts have different kinds of semantic foundation, so a communication hurdle exists between the engineering disciplines [1]. CPS methods and tools must bridge this gap in order to create a common basis for design and analysis. Various approaches have been suggested to overcome this challenge [2]. In the DESTECS project, we demonstrated how model-based techniques could support multidisciplinary design by bringing together Continuous Time (CT) models of physical systems with Discrete Event (DE) models of the embedded controller behaviour. Instead of requiring control and software engineers to adopt a new common design notation, we focused on harnessing models of physics and software within a common framework with a sound formal semantics, enabling the resulting co-model to be simulated as a whole. The project resulted in the development of the Crescendo technology [3], which enables stakeholders from different engineering backgrounds to continue using the methods that are familiar to them, while jointly engaging in holistic analysis and tradeoff across the disciplinary divide. This enables cross-discipline dialogue in the early stages of design, often exposing hidden (domain-specific) assumptions that would otherwise be found during integration and test. This not only reduces cost and improves time-to-market and product quality, but it also promotes the impact analysis of design alternatives, providing a better basis for decision making during product development.

In Crescendo, the coupling between discrete and continuous models is formalized in a “contract” that describes the state variables and events that are exchanged between the connected models, as well as the shared design parameters and model variables. All these artifacts are described and managed in a single place and automatically shared among models, which improves consistency. Model variables are set from a script, enabling engineers to undertake sensitivity analysis on the model by performing a parameter sweep or to perform fault resilience analysis by enabling or disabling parts of the model that represent error behaviours. Provided the co-simulation contract is maintained, the participating models can be modified at will, so that engineers can explore the design space, for example by examining different controller strategies on the same physical system model, or by subjecting a single controller to a set of physical system models with different fidelity.
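The contract idea described above can be illustrated with a small co-simulation loop; this is an added example, not Crescendo's contract format or API. The water-tank plant, the hysteresis controller and every name and value in it are constructed assumptions.

```python
# Constructed contract: names and values are illustrative, not Crescendo syntax.
CONTRACT = {
    "monitored": {"level"},            # CT -> DE state variable
    "controlled": {"valve"},           # DE -> CT state variable
    "shared": {"q_in": 3.0, "q_out": 1.0, "low": 1.0, "high": 2.0},
}

class Tank:
    """CT side: dh/dt = q_in*valve - q_out, integrated with forward Euler."""
    def __init__(self, shared):
        self.p, self.level, self.valve = shared, 1.0, 0.0
    def advance(self, duration, dt=0.01):
        for _ in range(round(duration / dt)):
            self.level += (self.p["q_in"] * self.valve - self.p["q_out"]) * dt
        return {"level": self.level}

class Controller:
    """DE side: hysteresis controller sampled once per period."""
    def __init__(self, shared):
        self.p, self.valve = shared, 0.0
    def step(self, monitored):
        if monitored["level"] >= self.p["high"]:
            self.valve = 0.0
        elif monitored["level"] <= self.p["low"]:
            self.valve = 1.0
        return {"valve": self.valve}

def check(names, declared):
    """Reject any exchanged variable the contract does not declare."""
    extra = set(names) - declared
    if extra:
        raise ValueError(f"not in contract: {sorted(extra)}")

def cosimulate(overrides=None, sensor_stuck_at=None, t_end=10.0, period=0.1):
    """Run one co-simulation; return the peak tank level."""
    shared = {**CONTRACT["shared"], **(overrides or {})}
    check(shared, set(CONTRACT["shared"]))
    ct, de, peak = Tank(shared), Controller(shared), 0.0
    monitored = {"level": ct.level}
    for _ in range(round(t_end / period)):
        if sensor_stuck_at is not None:      # error behaviour enabled by the script
            monitored = {"level": sensor_stuck_at}
        check(monitored, CONTRACT["monitored"])
        controlled = de.step(monitored)
        check(controlled, CONTRACT["controlled"])
        ct.valve = controlled["valve"]
        monitored = ct.advance(period)
        peak = max(peak, ct.level)
    return peak

def sweep(values):
    """Parameter sweep over the shared design parameter q_in."""
    return {q: cosimulate({"q_in": q}) for q in values}
```

Either model can be replaced without touching the loop as long as it exchanges only the declared variables; calling `cosimulate(sensor_stuck_at=1.0)` enables the stuck-sensor error behaviour and shows the level running away instead of staying near the `high` threshold.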

Our collaborative modelling and simulation approach has been implemented in the Crescendo tool, which currently uses 20-sim, a commercially available tool, for the CT models of the physical system, coupled with DE controller models expressed using the VDM notation. 20-sim supports several textual and graphical methods to describe CT models which are automatically converted into sets of differential equations that are numerically solved. A library of domain-specific sub-models describes mechanical, pneumatic, hydraulic and electrical components. A 3-D mechanics editor allows a virtual mock-up to be created to support visualization. On the DE side, VDM is an object-oriented formal modelling technique that supports abstract data types, constants, functions, operations and additional integrity constraints such as invariants and pre- and post-conditions. The language enables the specification of distributed and embedded systems, with asynchronous operations, time and an explicit notion of the computation and communication architecture onto which the software is deployed. The cyber-side engineer can thus specify which software runs where, and assess the impact of that chosen deployment on overall performance and timing.

Figure 1: The ChessWay Prototype

Several companies have applied and evaluated the technology. During the project, CHESS (NL) developed a personal transporter akin to the famous Segway, with a distributed safety monitor (Figure 1). Verhaert (B) developed a novel controller for a dredging excavator, enabling even novice operators to dig perfectly straight trenches (Figure 2). Neopost (NL) modelled a new system design for automatically folding stacks of documents and placing them in envelopes at high speed (Figure 3). Other smaller-scale applications based on industry-specified challenges included a tilting conveyor belt system, an aircraft flare dispensing unit and movement control for an interplanetary rover. The industrial case studies have shown that co-simulation is a valuable tool to support the multi-disciplinary design dialogue from the initial (conceptual) stages of product development. We used 20-sim and VDM-RT in DESTECS, but the Crescendo tool has an open architecture and is built upon a well-defined semantics that is essentially technology-agnostic.

Figure 2: Co-simulation of the Verhaert Excavator model

Figure 3: The Neopost document insertion system

Of course, simulation is not a “silver bullet”, but our industry case studies showed that it is possible – and indeed very cost-effective – to create abstract and competent co-models of CPSs in early development phases. These models remain lightweight and compact, allowing developers to play “what-if” scenarios at relatively low cost. The insight gained by these simple experiments raises the confidence in the models quickly, because design decisions are continuously validated. Implicit choices and hidden assumptions are immediately exposed, replacing “gut feeling” by credible, objective and quantitative information that now can be assessed by all the designers involved, regardless of their “home” discipline. This typically gives direction, depth and momentum to the design effort because the potential of certain designs and the likelihood and impact of potential risks can be determined very rapidly, without large upfront investments. Because co-models can be subjected to advanced verification or form the basis of implementations, they have a utility far beyond initial multidisciplinary design.


[1] T.A. Henzinger, J. Sifakis: “The Embedded Systems Design Challenge”, FM 2006: Formal Methods, pp. 1-15, 2006
[2] E.A. Lee: “Cyber Physical Systems: Design Challenges” in proc. of ISORC 2008, pp. 363-369, 2008
[3] J. Fitzgerald, P. Gorm Larsen, M. Verhoef (eds): “Collaborative Design for Embedded Systems - Co-modelling and Co-simulation”, Springer, April 2014, ISBN 978-3-642-54117-9

Please contact:
John Fitzgerald
Newcastle University, UK

Peter Gorm Larsen
Aarhus University, Denmark

Marcel Verhoef
Chess, the Netherlands
