Modelling Foundations and Applications

Modeling problem domains independently of technology domains is the basis for software that is adaptable to both changing business requirements and advancing technical platforms. Moreover, implementa- tion-independent executable models allow problem-domain validation to be built right into agile conversations with customers. These validated models can then be compiled to a target implementation platform of choice.

But, unlike traditional programming, executable modeling abstracts behavior from the problem domain, rather than abstracting from hardware computational paradigms. In particular, executable models naturally embrace concurrency, because problem domain behavior is concurrent. And, as we move into an era of multiple cores, dealing with concurrency is rapidly moving from a peripheral to a central issue in mainstream programming.

Our programming languages today, on the other hand, are too platform specific, still based too much on, and abstracting too little from, traditional sequential, von Neumann hardware architectures. What we need is a way to model problem domains that can then be compiled to the highly concurrent multi-core platforms around the corner as easily as the traditional platforms of yesterday. This is exactly what executable modeling offers.

Work over the last few years has now provided new standards for precise execution semantics for a subset of UML and an associated action language. Taking advantage of these new standards, executable UML holds out the promise of addressing some fundamental issues for the next generation of programming - from multi-domain to multi-core.

Automotive systems are increasingly complex and critical. Their development accounts for a considerable share of the budget, both in terms of cost and time. The development process is complex, involving multiple development teams in varying disciplines, roles, departments, companies and locations, each using their own tools and notations.

One contribution to meeting these challenges is to use a common ontology that integrates information according to recognized patterns, an Architecture Description Language. The purpose of EAST-ADL is to capture engineering information related to automotive electrical/electronic (E/E) system development, from early phase to final implementation. The system implementation is represented using AUTOSAR, i.e. EAST-ADL is complementary to AUTOSAR, adding information beyond the software architecture to serve engineering work already in early phases.

The EAST-ADL model has a core part representing the E/E system, which interfaces to an Environment model for near and far environment. Extensions for cross-cutting concerns or evolving modelling concepts annotate the core elements with these additional aspects. One of the Extensions concerns dependability and captures information related to safety. Another extension captures system timing using events, event chains and timing constraints.

The EAST-ADL system model is organized in 4 abstraction levels, see Figure 1, from the

Vehicle Levels

abstract and solution-independent feature models over the

Analysis Levels

hardware independent functional models and the

Design Levels

hardware-allocated functional architecture to the

Implementation Level

AUTOSAR software and hardware architecture.

Based on an agreed modelling approach such as AUTOSAR and EAST-ADL, research and development on modelling technology, tools and methodology for automotive EE system development can continue more efficiently. Such results will allow the multitude of company specific approaches to be leveraged and gradually replaced by off-the shelf solutions.

The

adaptive software

paradigm supports the definition of software systems that are continuously adapted at run-time. An adaptation activates multiple features in the system, according to the current execution context (

e

.

g

., CPU consumption, available bandwidth). However, the underlying approaches used to implement adaptation are ordered,

e

.

g

. the order in which a set of features are turned on or off matters. Assuming feature definition as etched in stone, the identification of the

right

sequence is a difficult and time–consuming problem. We propose here a composition operator that intrinsically supports the commutativity of adaptations. Using this operator, one can minimize the number of ordered compositions in a system. It relies on an action–based approach, as this representation can support preexisting composition operators as well as our contribution in an uniform way. This approach is validated on the Service–Oriented Architecture domain, and is implemented using first–order logic.

A typical approach for the development of multi-domain systems often carries the risk of high non-conformance costs and time-consuming re-engineering due to the lack of interoperability between different domains. In its research project “Mechatronic Design”, the Siemens AG develops an integrated, model-based and simulation-focused process to perform a frontloading engineering approach for multi-domain systems.

The paper presents two use cases from this project as two implementation approaches to system modeling and simulation being synchronized at early design phases. Both use cases utilize the standardized system modeling language SysML and the multi-domain simulation language Modelica. One use case evaluates the standardized OMG SysML4Modelica profile for transformation between SysML and Modelica. The other use case uses a Modelica independent and proprietary profile aiming at more flexible usage. For both approaches, advantages and disadvantages are identified and compared. Depending on the project objectives, the general suitability of the approaches is also judged.

Collections, i.,e., sets, bags, ordered sets and sequences, play a central role in UML and OCL models. Essential OCL operations like role navigation, object selection by stating properties and the first order logic universal and existential quantifiers base upon or result in collections. In this paper, we show a uniform representation of flat and nested, but typed OCL collections as well as strings in form of flat, untyped relations, i.,e., sets of tuples, respecting the OCL particularities for nesting, undefinedness and emptiness. Transforming collections and strings into relations is particularly needed in the context of automatic model validation on the basis of a UML and OCL model transformation into relational logic.

Modeling standards by the Object Management Group (OMG) enable the interchange of models between tools. In practice, the success of such interchange has been severely limited due to ambiguities and inconsistencies in the standards and lack of rigorous testing of tools’ interchange capabilities. This motivated a number of OMG members, including tool vendors and users, to form a Model Interchange Working Group (MIWG) to test and improve model interchange between tools. In this paper, we report on the activities of the MIWG, presenting its testing process and highlighting its design decisions and challenges. We also report on a case study where the MIWG has used its process to test the interchange of UML and SysML models. We make observations, present statistics and discuss lessons learned. We conclude that the MIWG has indeed defined a rigorous, effective and semi-automated process for model interchange testing, which has resulted in more reliable interchange of models between participating tools.

The OPC Unified Architecture (OPC UA) is becoming more and more important for industrial automation products. The development of OPC UA components is currently supported by the use of SDKs for OPC UA. However, these SDKs provide only low level support for creating OPC UA based applications. This leads to higher development efforts. The domain-specific metamodel defined by OPC UA defines serves as a good basis for creating domain-specific languages on a higher abstraction level. This has the potential of reducing development efforts. In this paper, we focus on the event filter and query part of OPC UA. Current SDKs only provide interfaces for constructing an object tree for these queries and event filters programmatically. Creating and maintaining these object structures is tedious and error prone. Therefore, we introduce an internal DSL approach for constructing OPC UA queries and event filters based on the OPC UA information model and the Language Integrated Queries (LINQ) feature available in .Net.

UML interaction diagrams are used during integration testing. However, this will typically not find all integration faults as some incorrect behaviors are only exhibited in certain states of the collaborating classes during interactions. State machine diagrams are typically used to model the behavior of state-dependent objects. This paper presents a technique to enhance interaction testing by accounting for state-based behavior as well as data-flow information. UML sequence and state machine diagrams are combined into a control-flow graph to then generate integration test cases, adapting well-known coupling-based, data-flow testing criteria. In order to assess our technique, we developed a prototype tool and applied it on a small case study. The results suggest that the proposed technique is more cost-effective than the most closely related approach reported in the literature, which only relies on control flow analysis.

Many companies in the automotive industry have adopted MDD in their vehicle control software development. As a major automotive company, General Motors has been using a custom-built, domain-specific modeling language, implemented as an internal proprietary metamodel, to meet the modeling needs in its control software development. As AUTOSAR (AUTomotive Open System ARchitecture) is being developed as a standard to ease the process of integrating components provided by different suppliers and manufacturers, there is a growing demand to migrate these GM-specific, legacy models to AUTOSAR models. Given that AUTOSAR defines its own metamodel for various system artifacts in automotive software development, we explore using model transformations to address the challenges in migrating GM legacy models to their AUTOSAR equivalents. As a case study, we have built a model transformation using the MDWorkbench tool and the Atlas Transformation Language (ATL). This paper reports on the case study, makes observations based on our experience to assist in the development of similar types of transformations, and provides recommendations for further research.

When designing complex domain-specific languages, metamodels are frequently enriched with

derived features

that correspond to attribute values or references (edges) representing computed information in the model. In the popular Eclipse Modeling Framework, these are typically implemented as imperative Java code.

In the paper, we propose to integrate the

EMF-IncQuery

model query framework to the Ecore metamodeling infrastructure in order to facilitate the efficient and automated (re-)computation of derived attributes and references over EMF models. Such an integration allows to define derived features using an expressive graph-based model query language [1], and offers high performance and scalability thanks to the incremental evaluation technique of

EMF-IncQuery

[2]. In addition, our approach offers to automate two typical associated challenges of EMF tools: (1) values of derived features are immediately recalculated upon model changes and (2) notifications are sent automatically to other EMF model elements to report changes in derived features.

The majority of contemporary model management languages that support MDE tasks (such as model transformation, validation and code generation) require models to be captured using metamodelling architectures such as Ecore and MOF. In practice, a limited subset of modelling tools – with the exception of some UML tools – build atop such architectures. For many modelling languages and tools outside of the UML/Ecore/MOF family, plain XML is a widely-used model storage and exchange format. In this paper, we argue for the importance of integrating XML-based models in the MDE process. We identify the challenges involved in integrating XML-based models into MDE processes, and we present a technical solution that addresses these challenges, which enables developers to perform a wide range of model management tasks on models captured in XML.

Requirements are often structured and documented as use cases while UML state machine diagrams often describe the behavior of a system. State machines capture rich and detailed behavior of a system, which can serve as a basis for many automated activities such as automated test case and code generation. The former is of interest in this paper. Non-functional behavior can be modeled using standard UML state machines, but usually results in complex state machines. To cope with such complexity, Aspect-Oriented Modeling (AOM) is often recommended. AspectSM is a UML profile defined to model crosscutting behavior on UML state machines called as aspect state machines with the focus of supporting model-based test case generation for non-functional behavior. Hence, an automatic transition from use cases to aspect state machines would provide significant, practical help for testing system requirements. In this paper, we propose an approach to automatically generate aspect state machines from use cases for the purpose of non-functional testing. Our approach is implemented in a tool, which we used for two industrial case studies. Results show that high quality aspect state machines can be generated, which can be manually refined at a reasonable cost to support testing.

One of the main challenges in model-driven software engineering is to deal with design model inconsistencies. Automated techniques to detect and resolve these inconsistencies are essential. We propose to use the artificial intelligence technique of automated planning for the purpose of resolving software model inconsistencies. We implemented a regression planner in Prolog and validated it on the resolution of different types of structural inconsistencies for generated models of varying sizes. We discuss the scalability results of the approach obtained through several stress-tests and discuss the limitations of our approach.

Mutual exclusion is a very common requirement in parallel systems. Yet its modeling is a tedious task in UML state machines, one of the most popular languages for behavior modeling. We present

HiLA

, an aspect-oriented extension of UML state machines, to address this problem. In

HiLA

, mutual exclusion can be modeled in a highly modular and declarative way. That is, the logic of mutual exclusion is modeled at a dedicated place rather than by model elements scattered all over the state machine, and the modeler only needs to specify which states to mutually exclude rather than how to exclude them.

Contemporary software systems contain a large number of artifacts expressed in multiple languages, ranging from domain-specific languages to general purpose languages. These artifacts are interrelated to form software systems. Existing development environments insufficiently support handling relations between artifacts in multiple languages.

This paper presents a taxonomy for multi-language development environments, organized according to language representation, representation of relations between languages, and types of these relations. Additionally, we present TexMo, a prototype of a multi-language development environment, which uses an explicit relation model and implements visualization, static checking, navigation, and refactoring of cross-language relations. We evaluate TexMo by applying it to development of a web-application, JTrac, and provide preliminary evidence of its feasibility by running user tests and interviews.

One of the main advantages of multi-level modeling environments over traditional modeling environments is that all ontological classification levels are treated in a uniform way and are all equally available for immediate, on-the-fly modification. However, such flexibility is a two-edged sword, since a minor change in a (meta-) ontological level can have a dramatic impact on other parts of the ontology (i.e. collection of ontological levels) - requiring a large number of “knock-on” changes to keep the overall ontology correct. To effectively exploit the modeling flexibility offered by multi-level modeling environments therefore, modelers need semi-automated support for emending ontologies to keep them consistent in the face of changes. In this paper we describe a model emendation architecture and illustrate how it can help modelers maintain the correctness of an ontology.

In typical model-driven development processes, models on different abstraction levels are used to describe different aspects. When developing a mechatronic system, an abstract system model is used to describe everything that is relevant to more than one of the disciplines involved in the development. The discipline-specific implementation is then carried out using different concrete discipline-specific models.

During the development, changes in these discipline-specific models may affect the abstract system model and other disciplines’ models. Thus, these changes must be propagated to ensure the overall consistency. Bidirectional model transformation and synchronization techniques aim at automatically resolving such inconsistencies.

However, most changes are discipline-specific refinements that do not affect other disciplines. Therefore, vertical model transformations also have to take into account that these refinements must not be propagated. Current model transformation techniques, however, do not provide sufficient means to specify and detect whether a change is just a refinement.

In this paper, we propose a way to formally define such refinements. These definitions are then used by the model transformation engine to automatically synchronize models of different abstraction levels.

Configuring Integrated Control Systems (ICSs) is largely manual, time-consuming and error-prone. In this paper, we propose a model-based configuration approach that interactively guides engineers to configure software embedded in ICSs. Our approach verifies engineers’ decisions at each configuration iteration, and further, automates some of the decisions. We use a constraint solver, SICStus Prolog, to automatically infer configuration decisions and to ensure the consistency of configuration data. We evaluated our approach by applying it to a real subsea oil production system. Specifically, we rebuilt a number of existing verified product configurations of our industry partner. Our experience shows that our approach successfully enforces consistency of configurations, can automatically infer up to 50% of the configuration decisions, and reduces the complexity of making configuration decisions.

Models play a key role in assuring software quality in the model-driven approach. Precise models usually require the definition of OCL expressions to specify model constraints that cannot be expressed graphically. Techniques that check the satisfiability of such models and find corresponding instances of them are important in various activities, such as model-based testing and validation. Several tools to check model satisfiability have been developed but to our knowledge, none of them yet supports the analysis of OCL expressions including operations on Strings in general terms. As, in contrast, many industrial models do contain such operations, there is evidently a gap.

There has been much research on formal reasoning on strings in general, but so far the results could not be included into model finding approaches. For model finding, string reasoning only contributes a sub-problem, therefore, a string reasoning approach for model finding should not add up front too much computational complexity to the global model finding problem. We present such a lightweight approach based on constraint satisfaction problems and constraint rewriting. Our approach efficiently solves several common kinds of string constraints and it is integrated into the EMFtoCSP model finder.

Domain-specific modelling languages are normally defined through general-purpose meta-modelling languages like the MOF. While this is satisfactory for many Model-Driven Engineering (MDE) projects, several researchers have identified the need for

domain-specific meta-modelling

(DSMM) languages providing customised meta-modelling primitives aimed at the definition of modelling languages in a specific domain, as well as the construction of meta-model families.

In this paper, we discuss the potential of

multi-level meta-modelling

for the systematic engineering of DSMM architectures. For this purpose, we present: (i) several primitives and techniques to control the meta-modelling facilities offered to the users of the DSMM languages, (ii) a flexible approach to define textual concrete syntaxes for DSMM languages, (iii) extensions to model management languages enabling the practical use of DSMM in MDE, and (iv) an implementation of these ideas in the

metaDepth

tool.

MBE solutions, including their corresponding MDA frameworks, cover many parts of industrial application development processes. Although model based development methodologies are in abundance, fully integrated, domain specific methodologies still find their niche in specialized application scenarios. In this paper, such an alternative methodology will be presented that targets reconfigurable networked systems executing on top of interconnected heterogeneous hardware nodes. The methodology covers the whole development cycle; it even utilizes a configuration model for component reconfigurability, and also involves a first-order logic based structural modeling language, Alloy, in the analysis of component deployment and reconfiguration. The methodology is supported by both a metamodel based tooling environment within GME and a robust distributed middleware platform over Erlang/OTP. Due to its special applicability, the methodology is limited in scope and scaling, though core parts have been successfully showcased in a sensor network demonstrator of the IST project RUNES.

Triple Graph Grammars (TGGs) are a rule-based technique with a formal background for specifying bidirectional model transformation. In practical scenarios, the unidirectional rules needed for the forward and backward transformations are automatically derived from the TGG rules in the specification, and the overall transformation process is governed by a control algorithm. Current implementations either have a worst case exponential runtime complexity, based on the number of elements to be processed, or pose such strong restrictions on the class of supported TGGs that practical real-world applications become infeasible. This paper, therefore, introduces a new class of TGGs together with a control algorithm that drops a number of practice-relevant restrictions on TGG rules and still has a polynomial runtime complexity.

The increasing development complexity of automotive embedded systems has led to industrial needs of improved information management, early verification and validation of a system etc. EAST-ADL; an automotive-specific architectural description language provides a structured model-based approach for information management throughout the development process. A method to formally analyze consistency of EAST-ADL based timing constraint specifications using timed-automata is presented. A mapping scheme providing a basis for automated model-transformations between EAST-ADL and timed-automata is the main contribution. The method is demonstrated with a case study of a brake-by-wire system. Guidelines for extending the mapping framework are also provided.

Life is fun and prospect of reincarnations is thus very attractive. People enjoy various ways how models may be transformed to executable code, how information may be derived, enriched, superimposed. It could take a number of complex transformations to reach the state of nirvana of a finally running application. Each such model transformation is like a reincarnation, new existence in a different body, the spirit mostly staying the same. We have been for years fascinated with this and tried different ways and approaches and we are experiencing a progress. We have extensively applied code generation in areas of enterprise systems integration and enterprise frontends. During time we have done code generation different ways into different target languages and we have also done a lot of direct model interpretation. More and more we value nirvana over many reincarnations, nevertheless there is still place left for code generation. In this paper we share our model-driven experience.

Model simulation is a credible approach for model validation, complementary to others such as formal verification and testing. For UML 2.x, model simulations are available for state machines and communication diagrams; alternative finer-grained simulations, e.g., as are supported for Executable UML, are not available without significant effort (e.g., via profiles or model transformations). We present a flexible, plug-in based approach to enhance UML model simulation. We show how an existing simulation tool applicable to UML behavioural models can be extended to support external action language processors. The presented approach paves the way to enrich existing UML-based simulation tools with the ability to simulate external action languages.

The benefits of Model Driven Development may be achieved through exploitation of its potential for automation. Automated model verification is one of the most important examples of this. The usage of automated model verification in everyday software engineering practice is far from widespread. One of the reasons for this is that model designers do not have the necessary background in mathematical methods. An approach where model designers can remain working in their domain while the verification is performed on demand, automatically and transparently, is desirable. We present one such approach using a tool chain built atop mature, popular and widespread technologies. Our approach was verified on industrial experiments from the embedded systems domain in the fields of avionics and surveillance.

Time properties are key requirements for the reliability of Safety Critical Real-Time Systems (RTS). UML and MARTE are standardized modelling languages widely accepted by industrial designers for the design of RTS using Model-Driven Engineering (MDE). However, formal verification at early phases of the system lifecycle for UML-MARTE models remains mainly an open issue.

In this paper, we present a time properties verification framework for UML-MARTE safety critical RTS. This framework relies on a property-driven transformation from UML architecture and behaviour models to executable and verifiable models expressed with Time Petri Nets (TPN). Meanwhile, it translates the time properties into a set of property patterns, corresponding to TPN observers. The observer-based model checking approach is then performed on the produced TPN. This verification framework can assess time properties like upper bound for loops and buffers, Best/Worst-Case Response Time, Best/Worst-Case Execution Time, Best/Worst-Case Traversal Time, schedulability, and synchronization-related properties (synchronization, coincidence, exclusion, precedence, sub-occurrence, causality). In addition, it can verify some behavioural properties like absence of deadlock or dead branches. This framework is illustrated with a representative case study. This paper also provides experimental results and evaluates the method’s performance.

In this paper, we propose a graph pattern matching framework that produces both a standalone compiled and an interpreter-based engine as a result of a uniform development process. This process uses the same pattern specification and shares all internal data structures, and nearly all internal modules. Additionally, runtime performance measurements have been carried out on both engines with exactly the same parameter settings to assess and reveal the overhead of our interpreter-based solution.

This paper presents an approach that enables users to monitor and verify the behavior of an application running on a virtual machine (like the Java virtual machine) at an abstract model level. Models for object-oriented implementations are often used as a foundation for formal verification approaches. Our work allows the developer to verify whether a model corresponds to a concrete implementation by validating assumptions about model structure and behavior. In previous work, we focused on (a) the validation of static model properties by monitoring invariants and (b) basic dynamic properties by specifying pre- and postconditions of an operation. In this paper, we extend our work in order to verify and validate advanced dynamic properties, i.,e., properties of sequences of operation calls. This is achieved by integrating support for monitoring UML protocol state machines into our basic validation engine.

Various approaches have recently been proposed to ease the manipulation of models for specific purposes (

e.g.,

automatic model adaptation or reuse of model transformations). Such approaches raise the need for a unified theory that would ease their combination, but would also outline the scope of what can be expected in terms of engineering to put model manipulation into action. In this work, we address this problem from the model substitutability point of view, through model typing. We introduce four mechanisms to achieve model substitutability, each formally defined by a subtyping relation. We then discuss how to declare and check these subtyping relations. This work provides a formal reference specification establishing a family of model-oriented type systems. These type systems enable many facilities that are well known at the programming language level. Such facilities range from abstraction, reuse and safety to impact analyses and auto-completion.

Petri-Nets are a very expressive modelling concept. However, modelling industrial problems using Petri-Nets is not a trivial task as Petri-Nets do not provide support for constructing large models. Modelling a complete business process, for example, with several activities and associated resources using Petri-Nets becomes a complex task. Model transformations are a promising technology to address this problem. In this paper we present an extended Petri-Net model that supports modelling industrial problems via model transformations. We also introduce a transformation framework that allows to graphically define model transformations by templates.

An acquisition problem involves the identification, procurement and management of resources that allow an organisation to achieve goals. Examples include through-life capability management (in the defense domain), and planning for the

next release

of a software system. The latter is representative of the challenges of acquisition, as solving the problem involves the assessment of the very many ways in which the different requirements of multiple heterogeneous customers may be satisfied. We present a novel approach to modelling acquisition problems, based on the use of Model-Driven Engineering principles and practices. The approach includes domain-specific modelling languages for acquisition problems, and uses model transformation to automatically generate potential solutions to the acquisition problem. We outline a prototype tool, built using the Epsilon model management framework. We illustrate the approach and tool on an example of the next release acquisition problem.