SPECIAL FEATURE

Comprehensive Model-based Engineering for Systems of Systems

OCTOBER 2016, VOLUME 19 / ISSUE 3
John Fitzgerald, John.Fitzgerald@ncl.ac.uk

ABSTRACT
Systems of systems (SoS) place particular demands on model-based engineering, arising from the uncertainty inherent in dealing with independent constituent systems, the need to obtain confidence in the end-to-end capabilities of the SoS, and the challenges of integrating diverse domain-specific terminologies, models, and tools. This paper describes the approach taken by the COMPASS project in developing and validating model-based methods for SoS engineering (SoSE). Architectural frameworks, profiles and modelling patterns implement a contractual approach that deals with uncertainty by allowing abstract specification of the assumptions and guarantees between SoS constituents. These are underpinned by a formal semantic framework that permits the verification of SoS-level properties arising from the composition of diverse constituent system contracts. The whole approach has been realized in an open tools framework and validated through applications in home audio/video networks and in emergency response service reengineering. The paper outlines and exemplifies the technologies developed within COMPASS and looks forward to the emerging challenges of cyber-physical SoS.

INTRODUCTION
Systems engineering in the 21st Century is already being characterized by the reliance placed on Systems of systems (SoS). Indeed, INCOSE’s vision for 2025 (INCOSE 2014) anticipates collaborative model-based engineering methods supporting cross-disciplinary analyses as means of managing risks and maximizing benefits in SoS. It is therefore timely to ask how we can equip practitioners to realize this vision. In 2011, researchers and companies in Europe and Brazil formed the COMPASS¹ consortium with the aim of answering that question. This article reflects on their achievements and findings.

CHALLENGES OF MODEL-BASED SOS ENGINEERING: UNCERTAINTY, DEPENDABILITY, HETEROGENEITY
SoS place major demands on systems engineering (Dahmann 2014). First, engineers must work with the uncertainty that arises from dealing with independently owned and managed constituent systems about which only incomplete information is available. Second, it is difficult to gain confidence in a SoS’ ability to deliver end-to-end capabilities by composing the capabilities of the constituent systems (Sanders and Smith 2012). Third, SoS are often heterogeneous, making it difficult to engage with the requirements and goals of diverse stakeholders (Hallerstede et al. 2012), each of which may use their own established domain-specific terminologies, models, and tools.

Model-based techniques have attracted interest and investment as means of addressing the challenges of SoS engineering (Nielsen et al. 2015). Models of SoS architecture, constituent systems, infrastructure, and environment let engineers explore alternative designs before commitments are made in detailed design and prototyping. They also enable validation of global dependability properties such as resilience and security. Further, if models have formal semantics, it becomes possible to leverage machine-assisted analysis to identify defects early.

Applying model-based methods to SoS engineering is not trivial. The uncertainty inherent in a SoS limits the precision with which each constituent system’s behavior can be specified. Reasoning about the dependability of systems built from such weakly specified constituents requires a semantics of system composition that allows us to analyze end-to-end effects. Formal semantic models have done this for software (Woodcock et al. 2009), but do not deliver the range of views required by systems engineers. Finally, both semantics and tools must be extensible to meet new needs as constituent systems and goals evolve.

The COMPASS group’s goal was to develop tools expressive enough to let practitioners model the architecture and behavior of SoS, yet rigorous enough to permit machine-assisted analysis of global dependability properties.

FOUNDATIONS, METHODS, TOOLS
Our approach promotes modelling of constituent system behavior and SoS architecture in any language, but we focused initially on SysML. To address the challenge of uncertainty in SoS, we support abstract description of behavior in a contractual style, recording each constituent’s assumptions and guarantees with respect to those around it. To address the validation of global dependability properties, we would

¹ COMPASS (comprehensive modelling for advanced systems of systems) was an integrated project funded by the European Union. The COMPASS research community continues well after the end of the formal project, and can be reached, along with all the project outputs, at http://thecompassclub.org/.

[Figure 1 graphics: a SysML «Fault Activation View» of an emergency response SoS (Call Centre, Radio System and ERU swimlanes; fault of interest: Complete Failure of the Radio System; «Fault Activation», «Error Detection», «Failure Event», «Start Recovery» and «End Recovery» steps from Initiate Rescue through Divert ERU and Target not attended), beside the CML fragment it maps to:]
  process CallCentreProc = begin
    actions
      MERGE1(r) = (dcl e : set of ERUId @ e := findIdleERUs();
        (do e = {} –> DECISION2(r)
          | e <> {} –> (dcl e1 : ERUId @ e1 := allocateIdleERU(e, r); MERGE2(e1, r))
         end)) …
  end
  process InitiateRescue = CallCentreProc [| SEND_CHANNELS |] RadioSystemProc [| RCV_CHANNELS |] ERUsProc

Modelling
• Frameworks, such as requirements engineering, fault modelling
• Patterns to promote knowledge sharing
• Supports contractual style
• Language neutral, but implemented in SysML

Formal Foundations: CML
• Promote trusted tools
• Supports contract specification
• Covers functionality, object-orientation, concurrency, real-time, mobility
• Can be extended to new paradigms
• A supermarket of theories

Tool-supported Analysis
• Open tools framework
• Model-checking
• Automated proof
• Static fault analysis
• Test generation
• Simulation
• Model-in-loop test

Figure 1. Features of COMPASS technology

link these abstract models to formal models expressed in a lingua franca called the COMPASS Modelling Language (CML) (Woodcock et al., 2012) on which we would build tools for analyzing global properties by composing the contractual descriptions. Figure 1 summarizes the approach.

We developed two types of engineering assets: modelling assets including frameworks and patterns for requirements and architectures, and formal assets including tool-supported semantics for dependability validation. These were combined into an integrated approach incorporating requirements engineering, architectural modelling, transition to CML, validation, and design verification. We highlight some of these assets below.

SOS REQUIREMENTS AND ARCHITECTURAL MODELLING
A priority in COMPASS was to produce practical frameworks to manage the complexity of model construction and analysis in SoS. For example, we developed a requirements engineering process SoS-ACRE to help manage the conflicting requirements and varying perspectives inherent in SoS engineering; this extends context-based requirements engineering with views that accommodate both SoS-level goals and the requirements on individual constituent systems (Holt et al. 2015). Our fault modelling architectural framework (FMAF) defines viewpoints that help engineers to model systematically the progression of faults, errors, failures, and recovery in a SoS (Andrews et al. 2014). We were developing so many SoS frameworks in COMPASS that we proposed an approach to help engineers “grow their own.” Taking our own medicine, we defined this as a framework in its own right: the COMPASS architectural framework framework (CAFF) outlines the steps and views needed to generate a useable and internally consistent architectural framework.

Work in several application domains led to our identifying patterns that describe common SoS structures and provide a basis for sharing experience. We observed structural patterns such as supply chains, and enabling patterns which, when applied, confer benefits. For example, the Contracts Pattern identifies viewpoints that help define contract conformance relationships, functionality, and behavior. Figure 2 shows an example of the use of this pattern to define invariant properties between constituent systems in a road traffic management SoS.

[Figure 2: bdd [Contract Definition View] Country TMS Invariants. The «Contract» block Country TMS has attributes id, nld, nationalSpeedLimit and acts, and operations determineSpeedCorridor, createSpeedCorridor, disableSpeedCorridor, calcNeighbourTarget, calcDistance and isNeighborNeeded. Three «Invariant» blocks constrain it:]
  different countries:      id <> nld
  legal difference:         forall a1, a2 in set inds acts @ (a1 + 1 = a2 => acts(a1).disp – acts(a2).disp < maxDiff)
  no greater than limit:    forall a in set elems acts @ a.disp <= nationalSpeedLimit

Figure 2. Example contract definition view in SysML (Ingram, Payne, Fitzgerald and Couto 2015)

FORMAL FOUNDATIONS AND ANALYTIC TOOLS
CML incorporates several paradigms: modelling of data and functionality, state-based description, concurrency and communication, object orientation, and time. Models represented using SysML
could be translated to CML and augmented if desired before being subjected to tool-supported analysis. Figure 3 shows a fragment of the CML representation of a SoS contractual description given in SysML using the Contracts Pattern on our road traffic SoS.

[Figure 3 graphics: the SysML contract behaviour for Country TMS (inIncident.myId?1?t –> d : nat := calcDistance(t, nationalSpeedLimit) … c : Corridor := d; …) beside its CML translation:]
  process CountryTMS = begin
    actions
      BEHAVIOUR = NEW_INCIDENT [] NEIGHBOR_REQ
      NEW_INCIDENT = inIncident.myId?1?t –>
        (dcl d : nat := calcDistance(t, nationalSpeedLimit) @ NEW_CORRIDOR(1, t, d))
      NEW_CORRIDOR = 1 : int, t : nat, d : nat @ ACT_STATUS; c : Corridor := …; … @ BEHAVIOUR
      RE_CHECK …
      NEIGHBOUR_REQ …
  end
  process CountryA = CountryTMS (Aid, BId, limitA, actCorrA)
  process CountryB = CountryTMS (BId, Aid, limitB, actCorrB)
  process BorderTrafficSoS = CountryA [| interface |] CountryB

Figure 3. Example SysML to CML translation (Ingram, Payne, Fitzgerald and Couto 2015)

In order to promote extensibility we defined a modular semantics for CML. The modules are theories describing phenomena such as concurrency, object-orientation, and contracts, sufficient to reason over architectural models. For example, SysML state machines use communication, parallelism, and data operations in specific patterns, and we could use specific theories to describe these features. The formal semantics also defines refinement, which enables the verification of global SoS properties from the composition of the contractual descriptions of constituent systems.

The COMPASS tool suite integrates tools for CML model construction and simulation, exploration of individual CML models of SoS, and linking real implementations into co-simulation with models of other constituent systems. Fault analysis and verification tools have been demonstrated for SysML models using the architectural frameworks, so that failure events can be analyzed to identify violations of global dependability requirements such as safety. Strategies were developed for testing global SoS properties, testing constituent systems for correctness of inputs and outputs (conformance with contractual specifications), reducing the number of SoS test cases in a justifiable way, and testing dynamic SoS configurations.

EXPERIENCE
Two companies validated COMPASS technology in depth: Bang and Olufsen, a Danish consumer electronics firm; and INSIEL, an Italian Information Technology company.

Bang and Olufsen’s study focused on home audio/video networks (Bryans et al. 2013). The goal was to ensure consistency of the user’s experience interacting with content rendered through diverse networked devices and protocols, and as new devices from different providers are integrated. The SoS was regarded as virtual, with no central authority or agreed purpose, but with the capacity to transit to a collaborative mode where a leader is elected and constituent systems recognize global objectives. Such mode transitions are known to be tricky, especially in a SoS! Layers of the architecture exhibited patterns: the application layer has a service-oriented architecture, and the transport layer a pipe-and-filter pattern.

Bang and Olufsen applied the CAFF to develop a domain-specific framework for content streaming, subsequently adopted into the company’s design processes. Verification using CML refinement and model-checking tools led to the discovery of hitherto unidentified design assumptions that ensure dependable leader election and transition to the collaborative mode (Antonino et al. 2015).

INSIEL’s study focused on a unified emergency response center, coordinating independent services (fire, police, and ambulance) in an acknowledged SoS. The aim was to permit exploration of SoS performance by simulation, managing constituent system introduction, and evolution. INSIEL applied SoS-ACRE, the contract pattern, CML modelling, simulation and model checking. In particular, the fault modelling framework was applied successfully (Andrews et al. 2014).

Both companies evaluated the readiness for deployment of the COMPASS technology. The architectural modelling assets were rated as highly mature, while the CML-based formal assets (with the exception of test generation) require further work to make them accessible to the majority of potential users. However, the formal models were valued as a clear basis against which to validate real implementations. The use of ontologies in the modelling frameworks was seen as enabling consistent communication and reasoning at the SoS level, even where constituent system stakeholders have distinct subdomain terminologies.

Final proof of the utility of our research came when COMPASS associate company Verified Systems International beat off competition from over 1000 innovations to come as runners-up in the European 2015 Innovation Radar Awards for their test automation products developed from work done in COMPASS.

LOOKING FORWARD: INTEGRATING THE CYBER AND THE PHYSICAL
To what extent did COMPASS address the challenges of model-based SoS engineering? In tackling uncertainty, we showed that contractual modelling allowed us to record the assumptions and guarantees that bind constituent systems into an SoS. This was reflected in the abstractions, frameworks, and patterns implemented in SysML and CML and applied in practice. The validation of SoS dependability required a semantic framework that allowed us to start building the future tools needed to verify key properties. The potential was vividly demonstrated by the discovery of features of mode transitions in the content streaming SoS. Finally, delivering a semantic framework that could cope with diverse models and stakeholders was a highly technical challenge. We delivered such a framework based on modular theories, and future work will increase the range of models to match the range of phenomena seen in SoS.

Next generation SoS, enabled by technologies such as the Internet-of-things, will make even greater demands on model-based engineering techniques through closer integration of the networked digital, physical, and human domains. Our recent work applies COMPASS principles to SoS that have both discrete-event computational and continuous-time physical elements. We are working in areas such as rail, automotive, robotics, and building management that demand co-modelling of computational and physical systems that have traditionally been developed separately.

COMPASS provided one of the most thorough explorations of model-based SoS engineering undertaken to date, demonstrably advancing the state of the art. Reusable frameworks and patterns have lowered the barrier to applying systems thinking to complex SoS problems. Built on firm semantic foundations, they have enabled new tools, which show the potential of model-based methods in engineering SoS that we can trust.
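The Country TMS contract of Figure 2 and the two-country composition of Figure 3, turned into an executable contract check. This is an added example, not COMPASS or CML tooling: the three invariant predicates follow the figure's expressions, while the segment data, the maxDiff and speed-limit values, and the SoS-level check that the two processes name each other as neighbours are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed example of the Figure 2 contract as runnable predicates. Names
# follow the figure (id, nld, nationalSpeedLimit, acts, disp, maxDiff); the
# data values and the neighbour-consistency check are assumptions, not CML.


@dataclass
class Act:
    """One active speed-corridor segment; disp is the displayed speed limit."""
    disp: int


@dataclass
class CountryTMS:
    id: str                  # this country's traffic management system
    nld: str                 # identifier of the neighbouring country's TMS
    nationalSpeedLimit: int
    maxDiff: int             # largest legal drop between adjacent segments
    acts: List[Act] = field(default_factory=list)

    # «Invariant» different countries: id <> nld
    def inv_different_countries(self) -> bool:
        return self.id != self.nld

    # «Invariant» legal difference:
    # forall a1, a2 in set inds acts @
    #   (a1 + 1 = a2 => acts(a1).disp - acts(a2).disp < maxDiff)
    def inv_legal_difference(self) -> bool:
        return all(self.acts[i].disp - self.acts[i + 1].disp < self.maxDiff
                   for i in range(len(self.acts) - 1))

    # «Invariant» no greater than limit:
    # forall a in set elems acts @ a.disp <= nationalSpeedLimit
    def inv_no_greater_than_limit(self) -> bool:
        return all(a.disp <= self.nationalSpeedLimit for a in self.acts)

    def violated(self) -> List[str]:
        """Names of the contract invariants this constituent currently breaks."""
        checks = {
            "different countries": self.inv_different_countries,
            "legal difference": self.inv_legal_difference,
            "no greater than limit": self.inv_no_greater_than_limit,
        }
        return [name for name, check in checks.items() if not check()]


def check_border_sos(a: CountryTMS, b: CountryTMS) -> List[str]:
    """SoS-level check for BorderTrafficSoS = CountryA [| interface |] CountryB:
    each constituent honours its own contract and (assumption) the neighbour
    identifiers passed to the two processes refer to each other."""
    problems = [f"{c.id}: {name}" for c in (a, b) for name in c.violated()]
    if a.nld != b.id or b.nld != a.id:
        problems.append("SoS: neighbour identifiers are not mutually consistent")
    return problems


if __name__ == "__main__":
    # Constructed data: A steps 120 -> 100 -> 80 within maxDiff 30 and limit 120;
    # B drops 130 -> 80 in one step and displays 130 above its limit of 120.
    country_a = CountryTMS("A", "B", 120, 30, [Act(120), Act(100), Act(80)])
    country_b = CountryTMS("B", "A", 120, 30, [Act(130), Act(80)])
    for line in check_border_sos(country_a, country_b):
        print(line)
```

Run stand-alone it reports the two invariants country B breaks; a constituent that satisfies its contract in isolation can still fail the SoS-level neighbour check, which is the kind of composition defect the article's refinement-based verification targets.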

REFERENCES
■ Andrews, Z., C. Ingram, R. Payne, A. Romanovsky, S. Perry, and J. Holt. 2014. “Traceable engineering of fault tolerant SoS.” In Proceedings INCOSE International Symposium, Henderson, US-NV, 30 June – 3 July.
■ Antonino, P. R. G, M. V. M. Sampaio, A. C. A. Oliveria, K. E. Kristensen, and J. W. Bryans. 2014. “Leadership Election: an Industrial SoS Application of Compositional Deadlock Verification.” In Julia M. Badger and Kristin Yvonne Rozier, eds., NASA Formal Methods, Proceedings 6th International Symposium, NFM 2014, Houston, US-TX, 29 April – 1 May, Lecture Notes in Computer Science 8430:31-45. Springer International Publishing.
■ Bryans, J., J. S. Fitzgerald, R. Payne, and K. Kristensen. 2014. “Maintaining Emergence in Systems of Systems Integration: a Contractual Approach using SysML.” In Proceedings INCOSE International Symposium, Las Vegas, US-NV, 30 June – 3 July.
■ Dahmann, J. 2014. “Systems of Systems Pain Points.” In Proceedings of the 24th INCOSE International Symposium, Henderson, US-NV, 30 June – 3 July.
■ INCOSE. 2014. “A World in Motion: Systems Engineering Vision 2025.” International Council on Systems Engineering, San Diego, US-CA.
■ Hallerstede, S., F. O. Hansen, J. Holt, R. Lauritsen, L. Lorenzen, and J. Peleska. 2012. “Technical Challenges of SoS Requirements Engineering.” Proceedings of the 7th International Conference on System of System Engineering, IEEE, Genova, IT, 16-19 July.
■ Holt, J., S. Perry, R. Payne, J. Bryans, S. Hallerstede and F. O. Hansen. 2015. “A Model-Based Approach for Requirements Engineering for Systems of Systems,” IEEE Systems Journal 9 (1): 252-262, March.
■ Ingram, C., R. Payne, J. S. Fitzgerald, and L. D. Couto. 2015. “Model-based Engineering of Emergence in a Collaborative SoS: Exploiting SysML & Formalism.” In Proceedings of the 25th INCOSE International Symposium, Seattle, US-WA, 13-16 July.
■ Nielsen, C. B., P. G. Larsen, J. S. Fitzgerald, J. Woodcock, and J. Peleska. 2015. “Systems of Systems Engineering: Basic Concepts, Model-Based Techniques, and Research Directions,” ACM Computing Surveys 48 (2), September.
■ Sanders, J. W. and G. Smith. 2012. “Emergence and Refinement,” Formal Aspects of Computing, 24 (1): 45–65.
■ Woodcock, J., P. G. Larsen, J. Bicarregui, and J. Fitzgerald. 2009. “Formal Methods: Practice and Experience,” ACM Computing Surveys, 41 (4): 1-40.
■ Woodcock, J., A. Cavalcanti, J. Fitzgerald, P. G. Larsen, A. Miyazawa and S. Perry. 2012. “Features of CML: a Formal Modelling Language for Systems of Systems.” In Proceedings of the 7th International Conference on System of System Engineering, IEEE, Genova, IT, 16-19 July.

ABOUT THE AUTHOR

Dr John Fitzgerald is a full professor in the School of Computing Science at Newcastle University, where he heads the research group on advanced model-based engineering. With a background in formal validation and verification, he has been working as a researcher and industry practitioner in model-based design since the early 1990s, and has been active in SoS engineering research since 2000. He led the European Union’s COMPASS program on model-based engineering of SoS, which fostered methods, patterns, and award-winning tools for contractual modelling and analysis of SoS. His team at Newcastle works in multiple research and innovation projects in cyber-physical systems engineering. He also plays a leading role in the $80 million Urban Sciences project, creating a campus and laboratory for research, innovation, and teaching in computing and urban systems at scale in the heart of the city of Newcastle upon Tyne. John is an active member of the INCOSE Systems of Systems Working Group.

Lochow (continued)

SoS highlighted that there is a high potential and benefit in the proposed methods to support future SoS architects and operators to significantly reduce the risk imposed by such large systems during the creation but also potentially during the operation phase of the SoS. Finally, all industrial partners in the consortium highlighted a lot of further potential to exploit the same techniques in other industrial domains such as air traffic management, water management and supply, autonomous systems, production systems and many more.

ABOUT THE AUTHOR
Mr. Tim Lochow received his engineering degree (MSc) in aeronautics from the Technical University of Munich, Germany. He joined the Airbus Group (formerly known as EADS) in 2003. Working for more than ten years in the systems engineering domain, the main focus of his work has been the research and development of processes, methods, and tools for systems engineering. During his career he has gained experience in various technical systems engineering processes such as requirements engineering, systems architecting and systems engineering management contributing to operational (commercial aircraft and space programs) as well as large research programs such as DANSE with a focus on SoS architecting. In his current position he is leading major research projects at Airbus Group Innovations on digital engineering processes and platforms. He is an active member of INCOSE since 2004 and received CSEP accreditation in January 2011.
