SPES 2020 Deliverable 1.4.B-3 Concepts for an Integrated Tool ...
SPES 2020 Deliverable 1.4.B-3 Concepts for an Integrated Tool ...
SPES 2020 Deliverable 1.4.B-3 Concepts for an Integrated Tool ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
TECHNISCHE UNIVERSITÄT MÜNCHEN<br />
FAKULTÄT FÜR INFORMATIK<br />
Software & Systems Engineering<br />
Prof. Dr. Dr. h.c. M<strong>an</strong>fred Broy<br />
<strong>SPES</strong> <strong>2020</strong> <strong>Deliverable</strong> <strong>1.4.B</strong>-3<br />
<strong>Concepts</strong> <strong>for</strong> <strong>an</strong> <strong>Integrated</strong> <strong>Tool</strong> Architecture<br />
Author: Martin Feilkas<br />
Markus Herrm<strong>an</strong>nsdoerfer<br />
Flori<strong>an</strong> Hoelzl<br />
Stef<strong>an</strong>o Merenda<br />
D<strong>an</strong>iel Ratiu<br />
Wolfg<strong>an</strong>g Schwitzer<br />
Version: 1.0<br />
Date: October 29, 2009<br />
Status: Released<br />
Technische Universität München - Fakultät für In<strong>for</strong>matik - Boltzm<strong>an</strong>nstr. 3 - 85748 Garching
About this Document<br />
More th<strong>an</strong> twenty years of research have created a large body of ideas, concepts <strong>an</strong>d theories<br />
<strong>for</strong> model-based development of embedded software-intensive systems. These approaches have<br />
been implemented by several tools <strong>an</strong>d successfully applied to various development projects.<br />
However, the everyday use of model-based approaches in the industry is still limited. Most of<br />
the times, the engineers work with a pre-defined set of isolated tools, <strong>an</strong>d there<strong>for</strong>e adapt their<br />
engineering <strong>an</strong>d process to the available tools. Today, the industry achieves tool integration by<br />
dem<strong>an</strong>d-driven, pragmatic <strong>an</strong>d ad-hoc composed chains of a priori existing commercial tools.<br />
Nevertheless, these tool chains are not (<strong>an</strong>d c<strong>an</strong>not be) seamless, since the achieved integration<br />
is not deep enough. This hampers the reuse <strong>an</strong>d refinement of models, which subsequently<br />
leads to problems like redund<strong>an</strong>cy, inconsistency <strong>an</strong>d lack of automation. In the end, these<br />
deficiencies decrease both the productivity <strong>an</strong>d quality that could be provided by model-based<br />
approaches.<br />
To overcome these problems, a deep, coherent <strong>an</strong>d comprehensive integration of models <strong>an</strong>d<br />
tools is required. Such <strong>an</strong> integration c<strong>an</strong> be achieved by the following three ingredients: 1)<br />
a comprehensive modeling theory that serves as a sem<strong>an</strong>tic domain <strong>for</strong> the models, 2) <strong>an</strong><br />
integrated architectural model that holistically describes the product <strong>an</strong>d process, <strong>an</strong>d 3) a<br />
m<strong>an</strong>ner to build tools that con<strong>for</strong>m to the modeling theory, allow the authoring of the product<br />
model <strong>an</strong>d guide the engineering process. We show that from a scientific point of view all<br />
ingredients are at our h<strong>an</strong>ds to do a subst<strong>an</strong>tial step into <strong>an</strong> integrated process <strong>an</strong>d tool world.<br />
Further, we illustrate our first attempt to build such <strong>an</strong> integrated engineering environment.<br />
Outline. In Section 1, we lay out the current bottom-up approach to integrate existing tools<br />
in industry, <strong>an</strong>d contrast it with a top-down approach. Due to the current practice, a number<br />
of pressing issues arise which we outline in Section 2. To overcome these pressing issues, we<br />
introduce in Section 3 our vision of a solution by <strong>an</strong> integrated engineering environment. Section<br />
4 explains from a technical point of view how such <strong>an</strong> integrated engineering environment<br />
could become reality <strong>an</strong>d <strong>an</strong>alyzes which technical ingredients are already available. The architecture<br />
of AutoFOCUS 3 which is our prototypical implementation of such <strong>an</strong> integrated<br />
engineering environment is outlined in Section 5. Finally, Section 6 summarizes related work<br />
on integrated engineering environments be<strong>for</strong>e we conclude in Section 7.<br />
2
Contents<br />
1 Introduction 4<br />
2 Pressing Issues of current <strong>Tool</strong> Chains 7<br />
2.1 High generality <strong>an</strong>d inappropriateness of modeling l<strong>an</strong>guages . . . . . . . . . . 8<br />
2.2 No integrated architectural Model . . . . . . . . . . . . . . . . . . . . . . . . . 9<br />
2.3 Insufficiently integrated Engineering Environments . . . . . . . . . . . . . . . . 10<br />
3 Vision of Seamless Model-based Development 13<br />
3.1 Sem<strong>an</strong>tic Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14<br />
3.2 <strong>Integrated</strong> architectural Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 14<br />
3.3 <strong>Integrated</strong> Model Engineering Environment . . . . . . . . . . . . . . . . . . . . 15<br />
4 General <strong>Concepts</strong> <strong>for</strong> <strong>an</strong> <strong>Integrated</strong> <strong>Tool</strong> Architecture 16<br />
4.1 Separation of horizontal <strong>an</strong>d vertical <strong>Tool</strong>ing Aspects . . . . . . . . . . . . . . . 17<br />
4.1.1 Vertical Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
4.1.2 Horizontal Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21<br />
4.2 Building-Block Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22<br />
4.3 M<strong>an</strong>aging Ch<strong>an</strong>ge <strong>for</strong> Modeling L<strong>an</strong>guages . . . . . . . . . . . . . . . . . . . . . 24<br />
5 AutoFOCUS 3: Prototypical Implementation of <strong>an</strong> <strong>Integrated</strong> <strong>Tool</strong> Architecture 25<br />
5.1 Example: Describing heterogeneous Hardware by L<strong>an</strong>guage Modules . . . . . . 27<br />
5.2 Case Studies <strong>an</strong>d Future Work on AutoFOCUS . . . . . . . . . . . . . . . . . . 28<br />
6 Related Work 29<br />
6.1 <strong>Tool</strong> Integration Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29<br />
6.2 L<strong>an</strong>guage Workbenches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29<br />
7 Conclusion 31<br />
References 32<br />
3
1 Introduction<br />
Today, model-based development is adopted more or less consequently <strong>for</strong> practical development<br />
of systems in various domains (e. g., automotive, avionic, <strong>an</strong>d automation systems). The<br />
pervasive use of models allows the engineers to abstract from implementation details, raising<br />
the level of abstraction at which the systems are developed. As a consequence, model-based<br />
development promises to increase the productivity <strong>an</strong>d quality of software development <strong>for</strong><br />
embedded systems.<br />
However, model-based development approaches often fall short due to the lack of integration<br />
at both the conceptual <strong>an</strong>d tooling level. Even if artifacts are modeled explicitly, they are<br />
based on separate <strong>an</strong>d unrelated modeling theories (if foundations are given at all), which<br />
makes the tr<strong>an</strong>sition from one artifact to <strong>an</strong>other in the development process unclear <strong>an</strong>d<br />
error-prone. Current tools usually focus on particular development steps <strong>an</strong>d support single<br />
modeling paradigms (see Figure 1). Although m<strong>an</strong>y of these tools do a good job in their limited<br />
domain, during the development of a system from initial requirements down to a running<br />
implementation in hard- <strong>an</strong>d software m<strong>an</strong>y models have to be constructed. In practice, several<br />
isolated tools are necessary to construct these models, <strong>an</strong>d the tr<strong>an</strong>sition between them is often<br />
far from clear. Consequently, the engineers adopt ad-hoc integration solutions that are far from<br />
a disciplined Technische engineering. Universität München Both theories (whenever they are applied) <strong>an</strong>d tools do not fit to<br />
each other which hampers the reuse of models among different phases. Instead of refining <strong>an</strong>d<br />
Today’s ad-hoc composed tool chains<br />
tr<strong>an</strong>s<strong>for</strong>ming the existent models, they are often rebuilt from scratch which involves a lot of<br />
ef<strong>for</strong>t <strong>an</strong>d loss of in<strong>for</strong>mation. The overall in<strong>for</strong>mation about the developed product is available<br />
only implicitly in the engineers’ minds.<br />
no process integration<br />
Verification <strong>Tool</strong><br />
Implementation <strong>Tool</strong><br />
repositories<br />
Design <strong>Tool</strong><br />
implicit product model separated<br />
Requirements <strong>Tool</strong><br />
Ad-hoc composed tool chain<br />
Theory A<br />
Theory B<br />
Theory C<br />
Theory D<br />
Figure 1: Today’s engineering environments: ad-hoc composed tool chains.<br />
The real Garching, benefits 11.11.2008 of the models Stef<strong>an</strong>o take Merenda, effect Chair IV: Software if they <strong>an</strong>d Systems are used Engineering throughout the whole development<br />
2<br />
process in a seamless way. For inst<strong>an</strong>ce, requirements are the inputs <strong>for</strong> <strong>an</strong> initial system design<br />
<strong>an</strong>d <strong>for</strong> test case generation. This workflow requires a deep integration of the requirements,<br />
the system design, <strong>an</strong>d the tests in <strong>an</strong> integrated product model. Such integration c<strong>an</strong> only be<br />
implemented in a model engineering environment which supports the reuse of the in<strong>for</strong>mation<br />
that is captured within the models. To achieve the vision of seamless model-based development<br />
(as illustrated in Figure 2), we need the following three fundamental ingredients: 1) a comprehensive<br />
modeling theory that serves as a sem<strong>an</strong>tic domain <strong>for</strong> the <strong>for</strong>mal definition of the<br />
4<br />
no common theory
models, 2) <strong>an</strong> integrated architectural model that describes the detailed structure of the product<br />
(product model) as well as the process to develop it (process model), <strong>an</strong>d 3) <strong>an</strong> integrated<br />
model engineering environment which guar<strong>an</strong>tees a seamless tool support <strong>for</strong> authoring <strong>an</strong>d<br />
<strong>an</strong>alyzing the product model according to the process defined in the process model. Instead of<br />
working with isolated models, engineers access via dedicated views a common model repository<br />
which explicitly stores the overall product model. All required views are <strong>for</strong>mally defined <strong>an</strong>d<br />
based on one comprehensive modeling theory which enables the construction <strong>an</strong>d unambiguous<br />
sem<strong>an</strong>tic interpretation of the product architecture. The compli<strong>an</strong>ce to the process model is<br />
assured by a common workflow engine.<br />
seamless engineering<br />
Common Workflow Engine<br />
integration of methodology<br />
Design View<br />
Requirements View<br />
Verification View<br />
Implementation View<br />
integration of artifacts<br />
Common Model Repository<br />
integration of theory<br />
Common<br />
Modeling<br />
Theory<br />
Figure 2: Vision of integrated model-based engineering environment.<br />
Today one of the major impediments <strong>for</strong> the advent of seamless model-based development in<br />
the industry is the lack of tools. Ideally, based on modeling theories <strong>an</strong>d a common product<br />
model, we should be able to define the requirements <strong>for</strong> tooling (see Figure 3(a)). In reality,<br />
however, a small set of tools (most of the times off-the-shelf) has to be used in a particular<br />
project. Thereby, these tools impose the modeling aspects that are treated <strong>an</strong>d consequently<br />
the product model that is to be built (see Figure 3(b)). Due to the high costs of developing <strong>an</strong>d<br />
maintaining tools, the development of in-house tools that are specific enough <strong>an</strong>d tailored to a<br />
certain project is not <strong>an</strong> option. As a consequence, the engineers need to adapt their process<br />
to the commercially available tools <strong>an</strong>d m<strong>an</strong>y times to twist their w<strong>an</strong>ted product design in a<br />
way en<strong>for</strong>ced by the tools at h<strong>an</strong>d. The top-down dependency between the modeling theory<br />
<strong>an</strong>d their implementation in tools (as promoted by the model-based development itself) is<br />
inverted in reality by the already available tools that dictate the modeling technique that is to<br />
be followed in a project.<br />
5
Technische Universität München<br />
Dependencies between modeling techniques <strong>an</strong>d tools<br />
Ideal situation<br />
well-defined well-thought modeling theory<br />
common product model<br />
appropriate process model<br />
Situation today<br />
no no modeling theory<br />
unclear product model<br />
ad-hoc imposed process<br />
define impose<br />
<strong>Tool</strong> support Currently available tools<br />
(a) w<strong>an</strong>ted<br />
(b) unw<strong>an</strong>ted<br />
Garching, , Chair IV: IV: Software <strong>an</strong>d <strong>an</strong>d Systems Engineering 4 4<br />
Figure 3: The tyr<strong>an</strong>ny of current tools.<br />
6
2 Pressing Issues of current <strong>Tool</strong> Chains<br />
We developed a questionnaire to get <strong>an</strong> overview over the situation <strong>an</strong>d the needs of tools <strong>for</strong><br />
model-based development in industry today. We distributed this questionnaire to all <strong>SPES</strong><br />
industry partners, <strong>an</strong>d received 24 filled out questionnaires. The results [HM09] indicate the<br />
following current problems which hamper the seamless integration of tools:<br />
Heterogeneity of target plat<strong>for</strong>m. The target plat<strong>for</strong>m onto which the embedded system<br />
is deployed is affected by a considerable heterogeneity. The target plat<strong>for</strong>m varies a<br />
lot from project to project in terms of both programming l<strong>an</strong>guage, bus system, operating<br />
system, <strong>an</strong>d middleware. As a consequence, the development tools are also affected by<br />
heterogeneity, as each of them is usually specialized <strong>for</strong> a certain target plat<strong>for</strong>m. There<strong>for</strong>e,<br />
the heterogeneity of target plat<strong>for</strong>m heavily hampers the seamless integration of the<br />
tools.<br />
Heterogeneity of tools. There is also <strong>an</strong> enormous heterogeneity in the tools that are<br />
used <strong>for</strong> the model-based development of embedded systems. More specifically, the tools<br />
vary a lot <strong>for</strong> both the development phases like requirements m<strong>an</strong>agement, modeling, <strong>an</strong>d<br />
quality assur<strong>an</strong>ce, <strong>an</strong>d <strong>for</strong> the crosscutting functionality like tool plat<strong>for</strong>m, version <strong>an</strong>d<br />
ch<strong>an</strong>ge m<strong>an</strong>agement. The heterogeneity hampers the seamless integration of the tools, as<br />
the different tools are usually based on different technologies.<br />
Weakly defined models. <strong>Tool</strong>s which are based on models without a precise me<strong>an</strong>ing<br />
are still widely used in industry. For requirements m<strong>an</strong>agement, the comp<strong>an</strong>ies still rely a<br />
lot on Microsoft Word <strong>an</strong>d Excel which are not completely adequate <strong>for</strong> modeling requirements.<br />
The situation is much better <strong>for</strong> system modeling with a high usage of modeling<br />
tools such as Matlab Simulink <strong>an</strong>d Scade. For process support, a lot of tool support is<br />
based on Microsoft Project <strong>an</strong>d Excel which do not allow <strong>for</strong> the rigorous definition of<br />
a process. Models with a precise me<strong>an</strong>ing c<strong>an</strong> be better <strong>an</strong>alyzed, operationalized, <strong>an</strong>d<br />
integrated with models from different development phases or different subsystems.<br />
Sporadic usage of model-based development. The tool chains used in practice do<br />
not yet provide the full benefits of model-based development. Even though the comp<strong>an</strong>ies<br />
use a lot of adv<strong>an</strong>ced modeling tools like Matlab Simulink <strong>an</strong>d Scade, a lot of code is<br />
still h<strong>an</strong>dwritten instead of generating it from the models. For quality assur<strong>an</strong>ce, the<br />
comp<strong>an</strong>ies still use a lot of m<strong>an</strong>ual techniques like m<strong>an</strong>ual testing <strong>an</strong>d code review, <strong>an</strong>d<br />
do not rely on automatic techniques like model checking <strong>an</strong>d theorem proving. These<br />
results show that current tool chains are not yet seamless enough to realize the promises<br />
of model-based development.<br />
High rate of proprietary tools. The comp<strong>an</strong>ies make use of a lot of proprietary<br />
tools which are especially developed <strong>for</strong> them. The results show us that proprietary<br />
tools are developed <strong>for</strong> all process phases. Although a huge number of development tools<br />
are available, the market does not seem to provide solutions satisfying the requirements.<br />
This may be also due to the missing customizability of existing tools to the individual<br />
requirements. In particular, most ef<strong>for</strong>t is spent on the integration of existing tools which<br />
is very import<strong>an</strong>t <strong>for</strong> seamless model-based development.<br />
7
The results show that current tool chains are <strong>an</strong>d c<strong>an</strong>not be seamless enough to benefit from<br />
the promises of model-based development. When looking at the needs <strong>for</strong> future tools, the<br />
following features are considered the most import<strong>an</strong>t:<br />
Import<strong>an</strong>ce of tool integration. A deep integration of the development tools is seen<br />
as the major issue. Most ef<strong>for</strong>t <strong>for</strong> proprietary tool development is spent on coupling<br />
of existing tools. Moreover, the missing integration of the tools heavily restricts the<br />
developers in their daily work. Currently, only very few tool chains are fully integrated<br />
on different levels of integration. However, tool integration is considered as import<strong>an</strong>t on<br />
nearly all levels of integration.<br />
Import<strong>an</strong>ce of process support. Support of the development process is seen as <strong>an</strong><br />
import<strong>an</strong>t feature which is not fully satisfied by current tools. Currently, the comp<strong>an</strong>ies<br />
mainly use Microsoft Process <strong>an</strong>d Excel <strong>for</strong> process support which do not allow them to<br />
operationalize the process. The missing process support restricts a lot of the developers<br />
in their daily work. Today, only very few tool chains are fully integrated by me<strong>an</strong>s of<br />
process support, but however more integration is desired. This is probably due to the fact<br />
that integrated process support also requires tool integration which is also missing today.<br />
In the following, we characterize <strong>an</strong>d <strong>an</strong>alyze pressing issues concerning current tool chains,<br />
which lead to the problems mentioned above. We ground this section both on the literature,<br />
<strong>an</strong>d on our experience gathered from working with industrial partners.<br />
2.1 High generality <strong>an</strong>d inappropriateness of modeling l<strong>an</strong>guages<br />
One of the key challenges of modeling l<strong>an</strong>guages is the abstraction challenge – namely, how<br />
one c<strong>an</strong> provide support <strong>for</strong> creating <strong>an</strong>d m<strong>an</strong>ipulating problem-level abstractions as first-class<br />
modeling elements [FR07]. Engineers need several years to develop a specific product family<br />
(e. g., the A350 family of Airbus aircrafts or the Z4 family of cars at BMW) <strong>an</strong>d ideally, in order<br />
to be efficient, the modeling l<strong>an</strong>guages that they use should directly support the development of<br />
that product <strong>an</strong>d nothing more. Un<strong>for</strong>tunately, the modeling l<strong>an</strong>guages are highly general <strong>an</strong>d<br />
most of the times domain independent <strong>an</strong>d ontologically neutral [vL00]. This leads to a critical<br />
conceptual gap between the professional l<strong>an</strong>guages of engineers <strong>an</strong>d the modeling l<strong>an</strong>guages.<br />
The same modeling techniques are used <strong>for</strong> describing a wide variety of situations <strong>an</strong>d a small<br />
number of pre-defined tools <strong>an</strong>d modeling mech<strong>an</strong>isms are adapted to a wide variety of needs<br />
(e. g., these tools make no difference whether they build a model of a vehicle or <strong>an</strong> airpl<strong>an</strong>e).<br />
The domain inappropriateness <strong>an</strong>d the generality of l<strong>an</strong>guages lead to abstraction loss: clearly<br />
defined concepts in the domain are not captured by the l<strong>an</strong>guages. This subsequently leads to<br />
weakly defined modeling l<strong>an</strong>guages that are too general <strong>an</strong>d “not aware” of the specifics of a<br />
domain. For example, requirements structuring is <strong>an</strong> accepted best practice in requirements<br />
engineering. However, the structuring criteria vary among industries, comp<strong>an</strong>ies, <strong>an</strong>d even<br />
projects. In the avionics industry, the requirements of <strong>an</strong> airpl<strong>an</strong>e are ordered in a tree <strong>an</strong>d<br />
classified according to a st<strong>an</strong>dard defined by the “Air Tr<strong>an</strong>sport Association of America”<br />
(ATA). The ATA tree is only two levels deep <strong>an</strong>d different comp<strong>an</strong>ies have the freedom to define<br />
additional levels. Un<strong>for</strong>tunately, the current commercial requirements engineering tools ignore<br />
the ATA chapters way of structuring the requirements <strong>an</strong>d provide only general structuring<br />
mech<strong>an</strong>isms such as generic requirements modules <strong>an</strong>d objects (e.g. in Telelogic DOORS).<br />
8
Lacking evolvability of modeling l<strong>an</strong>guages. Although often neglected, a modeling l<strong>an</strong>guage<br />
is subject to ch<strong>an</strong>ge like <strong>an</strong>y other software artifact [Fav05]. This holds even <strong>for</strong> general-purpose<br />
modeling l<strong>an</strong>guages: e. g., UML, although relatively young, already has a rich evolution history.<br />
Domain-specific modeling l<strong>an</strong>guages are even more prone to ch<strong>an</strong>ge, as they have to<br />
be adapted whenever their domain ch<strong>an</strong>ges due to technological progress or evolving requirements.<br />
Experiences from collaborations with our partners from the automotive industry show<br />
that l<strong>an</strong>guages are often not adapted to new requirements due to missing tool support <strong>for</strong> the<br />
resulting migration of models. However, modelers often find workarounds <strong>an</strong>d encode additional<br />
in<strong>for</strong>mation in a way not intended by the original l<strong>an</strong>guage design. As the l<strong>an</strong>guage<br />
editors c<strong>an</strong>not en<strong>for</strong>ce the well-<strong>for</strong>medness of the introduced constructs, different modelers<br />
may choose different workarounds to encode the same additional in<strong>for</strong>mation. Furthermore, it<br />
is difficult <strong>for</strong> l<strong>an</strong>guage tools to process this in<strong>for</strong>mation in a homogeneous way. Consequently,<br />
lack of evolvability c<strong>an</strong> decrease the value of a modeling l<strong>an</strong>guage in the long run.<br />
2.2 No integrated architectural Model<br />
There is usually no integrated architectural model that defines how modeling starting from<br />
initial requirements down to a running system should be per<strong>for</strong>med. Complementing modeling<br />
techniques provide better support <strong>for</strong> expressing different aspects of the system. In order to<br />
obtain a complete view of the system, the model views need to be integrated into a complete<br />
product model. Most of the times, however, the sem<strong>an</strong>tic integration of modeling techniques<br />
is not clear. For example, UML 2.0 [OMG06c] defines 13 types of diagrams <strong>for</strong> different development<br />
stages (e. g., use-case diagrams, activity diagram, component diagrams, deployment<br />
diagrams). Even if these m<strong>an</strong>y views allow a better development of different aspects of the<br />
system, once different system views are constructed, it is not clear how they are to be combined<br />
<strong>an</strong>d integrated. The missing architectural model leads to the (logical) isolation of the<br />
developed models <strong>an</strong>d subsequently to the inability to per<strong>for</strong>m adv<strong>an</strong>ced model <strong>an</strong>alyses such<br />
as feature interaction, impact <strong>an</strong>alysis between different models, <strong>for</strong>mal verification, checking<br />
quality aspects that cross-cut models, etc.<br />
M<strong>an</strong>aging the intent. Due to the isolation of models, the intent <strong>an</strong>d rationale behind component<br />
designs is lost in the process [Lev00]. The loss of intent <strong>an</strong>d the impossibility to trace<br />
artifacts at different abstraction levels are effects of abstraction loss <strong>an</strong>d of the lack of comprehensive<br />
architectural model. In order to document the intent more explicitly, trace links<br />
between different model elements in different tools are required. However, the trace links are<br />
only weak associations among model elements, <strong>an</strong>d m<strong>an</strong>y times we need more adv<strong>an</strong>ced in<strong>for</strong>mation<br />
about these links <strong>an</strong>d their special me<strong>an</strong>ing (e. g., that they should express consistency<br />
conditions). A typical example <strong>for</strong> missing trace links is requirements tracing in<strong>for</strong>mation that<br />
is lost during the tr<strong>an</strong>sition from a requirements engineering to a design modeling tool.<br />
M<strong>an</strong>aging consistency. Consistency problems are twofold: vertical consistency <strong>an</strong>d horizontal<br />
consistency. In the vertical case, we need to make sure that the models at two different<br />
phases of the development process are consistent to each other (e. g., specification with tests).<br />
The horizontal consistency is between the models created in the same phase – e. g., two views<br />
showing a perspective of the design. A well known problem with the consistency of models (in<br />
9
this case belonging to two versions of CATIA) caused the cable crisis of A380 [A38]. Different<br />
parts of the airpl<strong>an</strong>e were developed with incompatible versions of the program <strong>an</strong>d thereby<br />
the models (painfully) proved to be inconsistent at the end.<br />
2.3 Insufficiently integrated Engineering Environments<br />
M<strong>an</strong>y problems arise due to tooling issues such as missing tool integration <strong>an</strong>d cumbersome<br />
h<strong>an</strong>dling of models. For example, in Figure 4 we illustrate the flow of in<strong>for</strong>mation between<br />
different tools employed in a typical development process in the automotive domain. The<br />
in<strong>for</strong>mation is passed from one tool to <strong>an</strong>other mainly by m<strong>an</strong>ual tr<strong>an</strong>s<strong>for</strong>mation. On the<br />
requirements level tools like Telelogic Doors, Caliber or even simple word processing tools are<br />
used to describe the system functionality in semi-structured natural l<strong>an</strong>guage. After that,<br />
this in<strong>for</strong>mation is used to build more structured models by design modeling tools. Beside<br />
AUTOSAR, also very special l<strong>an</strong>guages that are used to configure special hardware controllers<br />
are employed. For example, ordinary von-Neum<strong>an</strong>n processors are often not suitable to fulfill<br />
the very special requirements (e.g. timing) of engine control units, so special peripheral devices<br />
are used. These devices (e.g. Infineon’s PCP/GPTA or Freescale’s TPU) must be programmed<br />
in special (configuration) l<strong>an</strong>guages. These l<strong>an</strong>guages are then used to generate assembly code<br />
or C code to be deployed onto the ECU. Altogether the in<strong>for</strong>mation about the software-based<br />
functionality that runs within the electrical system of a vehicle is distributed in m<strong>an</strong>y different<br />
artifacts. For every artifact, there is a special tool that offers special features to edit <strong>an</strong>d<br />
<strong>an</strong>alyze it. However, the in<strong>for</strong>mation stored in these single artifacts corresponds to each other<br />
<strong>an</strong>d is to be kept consistent m<strong>an</strong>ually.<br />
Consistency<br />
M<strong>an</strong>ual tr<strong>an</strong>s<strong>for</strong>mation<br />
Generation<br />
Figure 4: An example of today’s tooling situation in automotive software development.<br />
Lack of suitable tools. Only very few model-based technologies are backed up by tools that<br />
are robust <strong>an</strong>d powerful enough <strong>for</strong> industrial use. For example, despite its shortcomings, the<br />
success of UML is (arguably) based also on the fact that it is well-supported by commercial<br />
tools. Due to the high costs of tool development, only a few comp<strong>an</strong>ies c<strong>an</strong> af<strong>for</strong>d to build<br />
10
their own solutions. There<strong>for</strong>e, there is a general tendency to work with commercial-off-theshelf<br />
(COTS) tools in industrial practice. On the one h<strong>an</strong>d, COTS tools are too powerful <strong>an</strong>d<br />
provide functionality that their users do not need in their daily work in a specific project. On<br />
the other h<strong>an</strong>d, these tools are most of the times not aware of the specifics of the system being<br />
developed <strong>an</strong>d thus do not support their users effectively. Beside “trivial” customization of<br />
layout, the adv<strong>an</strong>ced customization of the current tools is practically never done.<br />
Isolation of tools. Today m<strong>an</strong>y different kinds of tools are used to develop automotive <strong>an</strong>d<br />
avionic systems. As soon as the system is modeled in different isolated tools, m<strong>an</strong>y problems<br />
arise, since m<strong>an</strong>y tools are rather opaque <strong>an</strong>d do not allow direct access to the models that<br />
they develop. Furthermore, if the access is possible, it is based on different heterogeneous<br />
technologies. Often the tools are st<strong>an</strong>dalone solutions: <strong>Tool</strong>s are designed to be used as simple<br />
st<strong>an</strong>dalone programs that are executed by one developer on one machine. In practice modeling<br />
is usually done in a collaborative way with a number of people involved. The fact that parts<br />
of the product model are implemented in different tools leads to redund<strong>an</strong>cy. Then, in most<br />
cases, this redund<strong>an</strong>cy is not modeled in exactly the same way which makes it even more<br />
complicated to check the consistency. The integration of tools is done today in a peer-topeer<br />
m<strong>an</strong>ner using tool couplers. This approach does not scale, since the number of couplers<br />
increases exponentially in the number of tools. Moreover, the coupler based integration of<br />
tools is done in <strong>an</strong> ad-hoc m<strong>an</strong>ner in order to solve specific pragmatic problems.<br />
Weak support of collaborative work. The relation between supplier <strong>an</strong>d customer brings<br />
specific challenges such as: specification of interfaces or integration of processes of customer<br />
<strong>an</strong>d supplier. Furthermore, distributing <strong>an</strong>d synchronizing global development requires a high<br />
degree of composability in the modeling techniques. In the automotive industry, <strong>for</strong> inst<strong>an</strong>ce,<br />
the supplier usually has the so called integration responsibility. This me<strong>an</strong>s that he is responsible<br />
to deploy several applications onto <strong>an</strong> Electronic Control Unit (ECU), which is the<br />
deliverable to the OEM. The OEM is responsible <strong>for</strong> the integration of the ECUs into the<br />
bordnet. The hardware-based composition of the total system out of several ECUs is subject<br />
to interface errors due the lack of type checking. So in future automotive development, ECUs<br />
will no longer be the right concept to decompose the system <strong>an</strong>d to break it into parts to<br />
be developed independently. A more software rather th<strong>an</strong> hardware oriented decomposition<br />
<strong>an</strong>d integration will be needed. So the OEMs will gradually gain more <strong>an</strong>d more integration<br />
responsibility like it is already practiced in the avionic industry.<br />
The collaborative development is very complicated, since even application functions, that are<br />
independent from each other from a functional point of view, interact implicitly if they are<br />
deployed on the same hardware infrastructure in the car (e. g., they share the bus systems<br />
or run on the same ECUs). Because of this, not only the functional interfaces between the<br />
applications have to be precisely specified, but also m<strong>an</strong>y other interactions that must be taken<br />
into account – e. g., interactions that are mediated indirectly through shared resources such as<br />
memory, peripheral devices, processor time as well as bus load. Furthermore, the collaborating<br />
parties, e.g. <strong>an</strong> OEM <strong>an</strong>d its component suppliers have to agree on two levels be<strong>for</strong>e seamless<br />
collaboration is possible: The interface of the supplied component must be defined (modellevel)<br />
as well as the modeling technique used by the supplier should fit into the tool chain of<br />
the OEM (metamodel-level). A deep integration of tools is of import<strong>an</strong>ce because of the high<br />
11
degree of implicit <strong>an</strong>d explicit interaction between the applications. Static <strong>an</strong>alysis r<strong>an</strong>ging<br />
from simple type checking (e. g., the consistent encoding of signals into CAN messages) to<br />
highly sophisticated scheduling <strong>an</strong>alysis techniques [PEP02] becomes <strong>an</strong> import<strong>an</strong>t method <strong>for</strong><br />
verification <strong>an</strong>d quality assur<strong>an</strong>ce.<br />
Securing intellectual property rights. Distributed development especially requires a sophisticated<br />
rights m<strong>an</strong>agement. In [WA08] the difficulty of the supplier-OEM relationship is mentioned<br />
as <strong>an</strong> import<strong>an</strong>t issue in the automotive domain. OEMs need to be able to investigate<br />
<strong>an</strong>d check the quality of the delivered artifacts, to make sure that the subsystems are compatible<br />
with their environment. OEMs also w<strong>an</strong>t to make sure that the delivered systems are<br />
well-crafted. The only thing that OEMs do today is testing (dynamic <strong>an</strong>alysis) <strong>an</strong>d process<br />
assessments. The adoption of static <strong>an</strong>alysis techniques is often not applicable. Suppliers<br />
on the other side are interested in keeping their special know-how <strong>an</strong>d intellectual properties<br />
undisclosed. In m<strong>an</strong>y cases, it seems to be a good idea to agree on object files as a deliverable.<br />
This has the big adv<strong>an</strong>tage that the intellectual properties of the supplier remain undisclosed.<br />
However, the disadv<strong>an</strong>tages are that static <strong>an</strong>alysis that could ensure the correctness of the<br />
behavior of the software component in its environment (e.g. model checking) or the assessment<br />
of quality attributes is not possible.<br />
12
3 Vision of Seamless Model-based Development<br />
Seamless model-based development promises to lift software development onto higher levels<br />
of abstraction by providing integrated chains of models covering all phases from requirements<br />
to system design <strong>an</strong>d verification. In seamless model-based development, modeling is not just<br />
<strong>an</strong> implementation method, but it is a paradigm that provides support throughout the entire<br />
development <strong>an</strong>d mainten<strong>an</strong>ce life cycle. Modeling starts early in the development process<br />
with requirements engineering where in<strong>for</strong>mal requirements are turned into models step by<br />
step. At the end of the requirements engineering phase, we have a functional model capturing<br />
the requirements. In turn, the system architecture <strong>an</strong>d in sequence the software architecture<br />
is described by various models that capture different aspects of the system. Provided these<br />
models are chosen carefully <strong>an</strong>d based on a proper theory, the architecture model c<strong>an</strong> be<br />
verified to guar<strong>an</strong>tee that the functional requirements are fulfilled. Furthermore, a rigorous<br />
tracing is enabled between the functional requirements <strong>an</strong>d the architecture model. To be<br />
able to do that, a carefully structured architecture model has to be worked out – not just<br />
describing a system at the technical implementation level, but also describing carefully chosen<br />
useful abstractions such as function hierarchies <strong>an</strong>d logical architectures [Bro07].<br />
Seamless <strong>an</strong>d comprehensive model-based development is a key to a more systematic development<br />
process with higher potential <strong>for</strong> automation. To be able to work out such <strong>an</strong> approach,<br />
a number of ingredients are required as illustrated in Figure 5. These ingredients c<strong>an</strong> be divided<br />
into three levels: the sem<strong>an</strong>tic domain <strong>for</strong>ms the basis of <strong>an</strong> integrated architecture model<br />
Technische Universität München<br />
which is operationalized by a model engineering environment. In the following, we detail on<br />
these levels <strong>an</strong>d their corresponding ingredients.<br />
Main ingredients <strong>for</strong> seamless model-based development<br />
Model<br />
Engineering<br />
Environment<br />
<strong>Integrated</strong><br />
Architectural<br />
Model<br />
Sem<strong>an</strong>tic<br />
Domain<br />
Authoring<br />
Analysis / Synthesis Model Repository Workflow Engine<br />
basis <strong>for</strong><br />
Architectural<br />
Layers<br />
structures<br />
<strong>an</strong>d<br />
integrates<br />
Product<br />
Model<br />
<strong>for</strong>malized by<br />
Comprehensive<br />
Modeling Theory<br />
configures configures<br />
assigned<br />
to<br />
Process<br />
Model<br />
Garching, , Chair IV: Software <strong>an</strong>d Systems Engineering 5<br />
Figure 5: Main ingredients <strong>for</strong> seamless model-based development.<br />
13
3.1 Sem<strong>an</strong>tic Domain<br />
Seamless model-based development requires a comprehensive modeling theory as theoretical<br />
basis to ensure a thorough <strong>for</strong>malization of all artifacts produced during the development of<br />
a system. An appropriate modeling theory provides firstly the appropriate modeling concepts<br />
such as the concept of a system <strong>an</strong>d that of a user function, with<br />
1. a concept <strong>for</strong> structuring the functionality by function hierarchies,<br />
2. concepts to establish dependency relationships between these functions, <strong>an</strong>d<br />
3. techniques to model the functions with their behavior in isolation including time behavior<br />
<strong>an</strong>d to connect them – according to their dependability relations – into a comprehensive<br />
functional model <strong>for</strong> the system.<br />
<strong>an</strong>d secondly a concept of composition <strong>an</strong>d architecture to capture<br />
1. the decomposition of the system into components that cooperate <strong>an</strong>d interact to achieve<br />
the system functionalities,<br />
2. the interfaces of the components including not only the syntactic interfaces but also the<br />
behavior interfaces, <strong>an</strong>d<br />
3. a notion of modular composition which allows us to define the interface behavior of a<br />
composed system from the interface behaviors of its components.<br />
The modeling theory must be strong <strong>an</strong>d expressive enough to model all relev<strong>an</strong>t aspects of<br />
hardware <strong>an</strong>d software architectures of a system such as structuring software deployment,<br />
description of tasks <strong>an</strong>d threads, as well as modeling behavior aspects of hardware. These<br />
aspects <strong>an</strong>d properties of architecture should be represented in a very direct <strong>an</strong>d explicit way.<br />
Our approach to such a modeling theory is given by the FOCUS theory [BS01] <strong>an</strong>d its various<br />
extensions.<br />
3.2 <strong>Integrated</strong> architectural Model<br />
A comprehensive architecture model of <strong>an</strong> embedded system <strong>an</strong>d its functionality is a basis<br />
<strong>for</strong> a product model that comprises all the content needed to specify a distributed embedded<br />
system in terms of its comprehensive architecture. A first version of a integrated architectural<br />
model <strong>for</strong> the automotive domain is described in [BFG + 08].<br />
Architectural layers. An architectural model describes all model views that define a system<br />
at different abstraction levels <strong>an</strong>d the relations among them. It enables a systematic <strong>an</strong>d<br />
domain-appropriate development process <strong>an</strong>d represents the starting point <strong>for</strong> tool support.<br />
All views on a system are part of the product model.<br />
14
Product model. In order to describe all the relev<strong>an</strong>t aspects of a system, we need a domainappropriate<br />
system architecture that contains all modeling artifacts in a product model. Its<br />
structure is described by a metamodel that is the basis <strong>for</strong> a data model that allows to capture<br />
all the contents. This product model describes <strong>an</strong> embedded system inside a computer, <strong>an</strong>d<br />
c<strong>an</strong> be subsequently used as a data backbone <strong>for</strong> development. In the product model, the<br />
dependencies <strong>an</strong>d relationships between the modeling artifacts should be made explicit, since<br />
they are a key to extensive tool support. In the end, all artifacts produced throughout the<br />
development process should be part of the product model <strong>an</strong>d related in a sem<strong>an</strong>tic way such<br />
that import<strong>an</strong>t issues such as tracing, impact <strong>an</strong>alysis <strong>an</strong>d consistency checks are supported.<br />
Process model. A comprehensive process model is m<strong>an</strong>datory that relates the modeling<br />
artifacts to the activities that are needed to construct the architecture model step by step.<br />
According to the consistency <strong>an</strong>d quality notions of the product model, the process model<br />
defines the sequence of steps that need to be per<strong>for</strong>med at a certain development phase.<br />
3.3 <strong>Integrated</strong> Model Engineering Environment<br />
A central characteristic of model-based development is a high degree of automation by extensive<br />
tool support. The level of automation that c<strong>an</strong> be achieved strongly depends on the used<br />
models <strong>an</strong>d the associated theory. In fact, the support <strong>for</strong> automation has to address the<br />
capturing <strong>an</strong>d elaboration of models, the <strong>an</strong>alysis of models with respect to their consistency<br />
<strong>an</strong>d import<strong>an</strong>t properties as well as techniques <strong>for</strong> generating further development artifacts<br />
from models. <strong>Tool</strong>ing should be based exclusively on the product model. Then all tools that<br />
carry out the steps of capturing models <strong>an</strong>d creating models, <strong>an</strong>alyzing models <strong>an</strong>d generating<br />
new artifacts from existing ones basically only m<strong>an</strong>ipulate <strong>an</strong>d enh<strong>an</strong>ce the product model.<br />
The whole development should be regarded as <strong>an</strong> incremental <strong>an</strong>d iterative process with the<br />
goal to work out the contents of a comprehensive product model.<br />
In order to turn the vision of high automation into reality, we need <strong>an</strong> integrated engineering<br />
environment that offers support <strong>for</strong> creating <strong>an</strong>d m<strong>an</strong>aging models within well-defined process<br />
steps. The integrated development environment should comprise the following four blocks:<br />
1) a model repository that maintains the different artifacts including their dependencies, 2)<br />
adv<strong>an</strong>ced tools <strong>for</strong> editing models that directly support their users to build-up models, 3) tools<br />
<strong>for</strong> <strong>an</strong>alyzing the product model <strong>an</strong>d synthesizing new artifacts out of the product model, <strong>an</strong>d<br />
4) a workflow engine to guide the engineers through the steps defined by the development<br />
process.<br />
15
4 General <strong>Concepts</strong> <strong>for</strong> <strong>an</strong> <strong>Integrated</strong> <strong>Tool</strong> Architecture<br />
To all intents <strong>an</strong>d purposes, the integrated modeling l<strong>an</strong>guage should be operationalized by<br />
a tooling environment that supports the creation, tr<strong>an</strong>s<strong>for</strong>mation, <strong>an</strong>alysis <strong>an</strong>d subsequent<br />
processing of all the artifacts that are needed. Due to the fact that tool development is<br />
extremely expensive, the industry sees no alternative to existing commercial tools. These tools<br />
are m<strong>an</strong>y times of general nature <strong>an</strong>d not tailored to the specific needs of the engineers from<br />
a specific industry. M<strong>an</strong>y ef<strong>for</strong>ts trying to develop their own tailored integrated engineering<br />
environment fail because of huge development ef<strong>for</strong>ts but even more subst<strong>an</strong>tial mainten<strong>an</strong>ce<br />
costs. This is due to the fact that beside the core business functionality, tools need a lot of<br />
infrastructure <strong>for</strong> the m<strong>an</strong>agement of models. Figure 6 shows that a development tool c<strong>an</strong> be<br />
decomposed Technische into Universität the four München parts Repository, Editors, Workflow, <strong>an</strong>d Analysis <strong>an</strong>d Synthesis.<br />
Each of the four parts c<strong>an</strong> again be divided into a generic <strong>an</strong>d l<strong>an</strong>guage specific part. The<br />
generic part c<strong>an</strong> be provided by a Generic <strong>Tool</strong> Framework. The l<strong>an</strong>guage specific parts are<br />
encapsulated Decomposing in L<strong>an</strong>guage Modules. development tools<br />
Development <strong>Tool</strong><br />
Repository<br />
Editors<br />
Workflow<br />
Analysis / Synthesis<br />
Garching,<br />
< DD.<br />
MM.<br />
JJJJ><br />
Generic <strong>Tool</strong> Framework<br />
Common Model Repository<br />
- Complex constraint checking<br />
- Configuration m<strong>an</strong>agement<br />
- L<strong>an</strong>guage evolution<br />
Generic Editor Framework<br />
- Searching <strong>an</strong>d browsing<br />
- Editing <strong>an</strong>d refactoring<br />
- Comparing <strong>an</strong>d merging<br />
Workflow Engine<br />
- Task distribution <strong>an</strong>d to-do lists<br />
- Automated ch<strong>an</strong>ge m<strong>an</strong>agement<br />
- Quality gates <strong>an</strong>d access control<br />
Model Interpretation Engine<br />
- In-place M2M tr<strong>an</strong>s<strong>for</strong>mation<br />
- Out-of-place M2M <strong>an</strong>d M2T tr<strong>an</strong>sf.<br />
- Generic Simulation Framework<br />
L<strong>an</strong>guage Modules<br />
< FIRSTNAME><br />
< LASTNAME><br />
, Chair<br />
IV:<br />
Software<br />
<strong>an</strong>d<br />
Systems<br />
Engineering<br />
Figure 6: Decomposing development tools.<br />
Abstract Syntax<br />
- Structure (concepts <strong>an</strong>d properties)<br />
- Context sensitive constraints<br />
- Configurable units<br />
Concrete Syntax<br />
- Types: diagram / text / table<br />
- Based on c<strong>an</strong>onical syntaxes<br />
- Combination of syntax types<br />
Process Definition<br />
- Roles <strong>an</strong>d access rights<br />
- Artifact as constrained concept<br />
- Activity as in-place tr<strong>an</strong>s<strong>for</strong>mation<br />
Sem<strong>an</strong>tics<br />
- Refactoring tr<strong>an</strong>s<strong>for</strong>mations<br />
- Tr<strong>an</strong>slational sem<strong>an</strong>tics<br />
- Operational sem<strong>an</strong>tics<br />
To assess the ratio of the business functionality <strong>an</strong>d the m<strong>an</strong>agement infrastructure, we per<strong>for</strong>med<br />
<strong>an</strong> empirical study on the functionality provided by engineering tools. Our assumption<br />
is that by investigating the menus or toolbars of a tool <strong>an</strong>d by classifying the functionality<br />
that c<strong>an</strong> be accessed from there, we c<strong>an</strong> estimate the ratio between the functionality of tools<br />
that is related to their business domain <strong>an</strong>d the functionality that is horizontal. We per<strong>for</strong>med<br />
our empirical study based on the description of menus <strong>an</strong>d toolbars comm<strong>an</strong>d buttons as given<br />
in the user documentation of the following tools: Esterel Scade v6.0, Telelogic Rhapsody v7.4<br />
<strong>an</strong>d Telelogic Doors v9.1. In Table 1 we present <strong>an</strong> overview of the functionality of COTS<br />
as resulted from our classification. We notice in this figure that most of the functionality<br />
accessible to tool users is related to the editing of the models (e. g., creation, modification or<br />
deletion of model parts), navigation (e. g., searching) <strong>an</strong>d layout (e. g., colors, fonts, zooming).<br />
16<br />
9
In fact, the functionality that is strongly related to a specific l<strong>an</strong>guage (e. g., different <strong>an</strong>alyses<br />
of models, synthesis of other in<strong>for</strong>mation from models) is rather small. Thus, a big part of the<br />
front-end functionality of tools is unspecific, c<strong>an</strong> be seen as commodity <strong>an</strong>d most of it could<br />
be provided by a generic tools plat<strong>for</strong>m. We also c<strong>an</strong> see that none of the tools provides <strong>an</strong><br />
integrated workflow support.<br />
Scade Rhapsody Doors<br />
Repository<br />
- Persistency 7 3 2<br />
- Configuration M<strong>an</strong>agement - - 6<br />
Editors<br />
- Editing 107 95 40<br />
- Navigation 24 5 14<br />
- Layout 15 43 12<br />
Analysis/Synthesis<br />
- Analysis 29 12 1<br />
- Synthesis 14 7 -<br />
Total 196 165 75<br />
Table 1: Qu<strong>an</strong>titative overview over the functionality of COTS.<br />
However, it is in particular the heterogeneous implementation of this infrastructure in different<br />
tools which hinders their seamless integration. To countervail this situation, we propose a<br />
generic tooling plat<strong>for</strong>m which offers all the technical details which are independent of the<br />
concrete modeling l<strong>an</strong>guage. In today’s development tools, these so-called horizontal tooling<br />
aspects are interwoven with the implementation of the proper modeling l<strong>an</strong>guages, which we call<br />
vertical tooling aspects. However, <strong>an</strong> integrated modeling l<strong>an</strong>guage is rather complex <strong>an</strong>d thus<br />
difficult to develop in one step. In order to ease l<strong>an</strong>guage development, <strong>an</strong> integrated modeling<br />
l<strong>an</strong>guage should result from the composition of reusable, modular modeling l<strong>an</strong>guages which<br />
c<strong>an</strong> be customized to the specific needs of the engineers. Furthermore, appropriate tool support<br />
is required <strong>for</strong> model migration in order to be able to improve a modeling l<strong>an</strong>guage that is<br />
already under use.<br />
4.1 Separation of horizontal <strong>an</strong>d vertical <strong>Tool</strong>ing Aspects<br />
In order to reduce development costs, the tooling plat<strong>for</strong>m has to factor out the functionality<br />
that is independent of the specific product model. The tooling plat<strong>for</strong>m c<strong>an</strong> then be<br />
parametrized by a modeling l<strong>an</strong>guage which operationalizes a certain product model. By<br />
me<strong>an</strong>s of our tooling plat<strong>for</strong>m, we thus w<strong>an</strong>t to achieve a strict separation of horizontal <strong>an</strong>d<br />
vertical tooling aspects. <strong>Tool</strong>ing aspects like the central model repository which are independent<br />
of a specific modeling l<strong>an</strong>guage are termed horizontal. <strong>Tool</strong>ing aspects like the syntax<br />
of a certain modeling l<strong>an</strong>guage which are specific to a certain modeling l<strong>an</strong>guage are called<br />
vertical. In today’s development tools, these horizontal tooling aspects are interwoven with<br />
the implementation of the vertical tooling aspects. The missing separation of horizontal <strong>an</strong>d<br />
vertical tooling aspects hampers the implementation of a central model repository which is<br />
17
Technische Universität München<br />
crucial <strong>for</strong> the introduction of <strong>an</strong> integrated engineering environment. Figure 7 depicts the<br />
different tooling aspects together with their classification. In the following, we discuss the<br />
Horizontal <strong>an</strong>d vertical tooling aspects<br />
ingredients that are necessary to implement both vertical <strong>an</strong>d horizontal tooling aspects.<br />
<strong>Integrated</strong> Model Engineering<br />
Environment<br />
Horizontal tooling aspects:<br />
Generic <strong>Tool</strong> Framework<br />
Common Model Repository<br />
Generic Editor Framework<br />
Workflow Engine<br />
Model Interpretation Engine<br />
Vertical tooling aspects:<br />
L<strong>an</strong>guage Modules<br />
Figure 7: Horizontal <strong>an</strong>d vertical tooling aspects of <strong>an</strong> integrated engineering environment.<br />
4.1.1 Vertical Aspects<br />
Garching, , Chair IV: Software <strong>an</strong>d Systems Engineering 10<br />
<strong>Tool</strong>ing aspects are called vertical if they are specific to a certain modeling l<strong>an</strong>guage. The<br />
tooling plat<strong>for</strong>m must support tool builders to easily implement vertical aspects. It should be<br />
easily possible <strong>for</strong> a comp<strong>an</strong>y to adapt or develop a modeling l<strong>an</strong>guage appropriate to its needs.<br />
In order to enable the cost-effective development of such modeling l<strong>an</strong>guages, we need so-called<br />
meta l<strong>an</strong>guages to describe the different elements of a modeling l<strong>an</strong>guage. The tooling aspects<br />
related to supporting modeling l<strong>an</strong>guages are partitioned into the following elements: Abstract<br />
Syntax, Concrete Syntax, Process Definition, <strong>an</strong>d Sem<strong>an</strong>tics. In the following, we inspect the<br />
different elements of modeling l<strong>an</strong>guages <strong>an</strong>d their requirements in more detail.<br />
Abstract syntax. The abstract syntax defines the concepts of a modeling l<strong>an</strong>guage <strong>an</strong>d their<br />
relationships. When a modeling l<strong>an</strong>guage is appropriate to a domain, it enables the engineers to<br />
directly reflect the domain concepts <strong>an</strong>d relations in their models. By using domain appropriate<br />
l<strong>an</strong>guages, the engineers c<strong>an</strong> work at a higher abstraction level <strong>an</strong>d in direct <strong>an</strong>alogy to the<br />
domain knowledge.<br />
The abstract syntax determines the validity of models <strong>an</strong>d c<strong>an</strong> there<strong>for</strong>e be used to en<strong>for</strong>ce<br />
the construction of valid models. The domain sem<strong>an</strong>tics of l<strong>an</strong>guages c<strong>an</strong> be encoded in <strong>an</strong><br />
abstract syntax by restricting syntactically correct models to those that are me<strong>an</strong>ingful in the<br />
domain [EW05]. The abstract syntax usually consists of constructive <strong>an</strong>d descriptive parts:<br />
constructive parts describe how to build valid models <strong>an</strong>d descriptive parts further restrict the<br />
18<br />
Abstract Syntax<br />
Concrete Syntax<br />
Process Definition<br />
Sem<strong>an</strong>tics
number of valid models by constraints. Since <strong>an</strong> integrated modeling theory needs to describe<br />
the relationship between different models, a model is required to have a graph-like structure.<br />
We advocate to put the abstract syntax in the center of modeling l<strong>an</strong>guage definition. Other<br />
elements of a modeling l<strong>an</strong>guage definition are then specified in relation to the abstract syntax.<br />
This enables the rapid development of modeling l<strong>an</strong>guages. Furthermore, different modeling<br />
l<strong>an</strong>guages are best integrated in terms of their abstract syntax.<br />
The literature provides a large number of examples <strong>for</strong> l<strong>an</strong>guages to define the abstract syntax<br />
of a modeling l<strong>an</strong>guage. The Object M<strong>an</strong>agement Group (OMG) even st<strong>an</strong>dardized l<strong>an</strong>guages<br />
to define the abstract syntax of object-oriented modeling l<strong>an</strong>guages: the Meta Object Facility<br />
(MOF) [OMG06a] <strong>for</strong> the constructive part <strong>an</strong>d the Object Constraint L<strong>an</strong>guage (OCL)<br />
[OMG06b] <strong>for</strong> the descriptive part. However, MOF provides too m<strong>an</strong>y constructs to be completely<br />
understood <strong>an</strong>d implemented. The most widely known implementation of a subset of<br />
MOF called EMOF (Essential MOF) is the Eclipse Modeling Framework (EMF) [BSM + 03].<br />
Concrete syntax. The concrete syntax defines the representation of a model in a hum<strong>an</strong>readable<br />
m<strong>an</strong>ner. There are different <strong>for</strong>ms of concrete syntax: diagrammatic, textual <strong>an</strong>d<br />
tabular. The diagrammatic syntax shows the model in diagrams with layout in<strong>for</strong>mation, the<br />
textual syntax visualizes the model as linear texts, <strong>an</strong>d the tabular syntax visualizes the model<br />
in two-dimensional tables.<br />
As real-world models c<strong>an</strong> become quite large, the concrete representation of a whole model<br />
becomes incomprehensible. As a consequence, we have to be able to define a concrete syntax<br />
only <strong>for</strong> a view onto the model. For example, only the direct sub components of a component<br />
are visualized in a diagram. Furthermore, the representations of the different views have to<br />
be related with each other. The black-box of a component is depicted in the diagram <strong>for</strong> its<br />
parent component, whereas the white-box is shown in a different diagram.<br />
Some modelers may prefer the diagrammatic concrete syntax, while others prefer the textual<br />
one. As a consequence, there might be several representations of the same view in different<br />
variations of concrete syntax. The consistency between the different representations has to be<br />
guar<strong>an</strong>teed by me<strong>an</strong>s of the abstract syntax. Furthermore, it should be possible to combine<br />
several variations of concrete syntax <strong>for</strong> a view. A diagrammatic representation of a state<br />
machine <strong>for</strong> example may contain textual representations of the tr<strong>an</strong>sition guards.<br />
As we put the abstract syntax in the center of l<strong>an</strong>guage definition, the concrete syntax has<br />
to be defined as a function that maps <strong>an</strong> abstract representation of a model into a concrete<br />
representation. If this function is bidirectional, it c<strong>an</strong> be employed to provide authoring <strong>for</strong><br />
the model. Otherwise, it provides only a read-only representation of the model.<br />
There are already some approaches to define the concrete syntax on top of <strong>an</strong> abstract syntax.<br />
Textual Concrete Syntax (TCS) provides a template l<strong>an</strong>guage to define a bidirectional function<br />
that maps EMF models into textual representations [JBK06]. The Graphical Modeling<br />
Framework (GMF) provides a l<strong>an</strong>guage to specify a diagrammatic syntax <strong>for</strong> EMF models<br />
<strong>an</strong>d allows to generate <strong>an</strong> authoring tool from that specification [Foua]. Diagram Interch<strong>an</strong>ge<br />
Mapping L<strong>an</strong>guage (DIML) provides a l<strong>an</strong>guage to define a mapping from the abstract syntax<br />
to a diagrammatic syntax, <strong>an</strong>d a tool architecture to reconcile the diagrams based on model<br />
tr<strong>an</strong>s<strong>for</strong>mations [ALP07]. Most of the approaches towards concrete syntax definition do not<br />
19
provide a clear separation between abstract <strong>an</strong>d concrete syntax. This makes it difficult to<br />
define alternative concrete syntaxes <strong>for</strong> the same abstract syntax.<br />
Process definition. Part of the l<strong>an</strong>guage definition is also the methodical way of modeling,<br />
defining at what time which parts of the model have to be developed. For each development<br />
phase it defines both, which operations are available <strong>an</strong>d what properties have to be fulfilled<br />
at the end of the phase. The process definition is interpreted by (<strong>an</strong>d thus parametrizes) a<br />
workflow engine.<br />
A process definition consists of the activities that have to be per<strong>for</strong>med, the roles that are<br />
responsible <strong>for</strong> certain activities, <strong>an</strong>d the artifacts that are produced in the course of certain<br />
activities. The abstract syntax defines the possible structure of the artifacts, <strong>an</strong>d the concrete<br />
syntax the different views onto the model. The roles come with access rights which regulate the<br />
access to certain views onto the model. Activities may be per<strong>for</strong>med sequentially, in parallel<br />
as well as iteratively. For a better overview, activities should be structured hierarchically. A<br />
basic activity may be fully automated such as code generation <strong>an</strong>d c<strong>an</strong> then be specified by<br />
<strong>an</strong> interpreter of the modeling l<strong>an</strong>guage. On the other h<strong>an</strong>d a basic activity may have to<br />
be per<strong>for</strong>med m<strong>an</strong>ually like e.g. requirements elicitation <strong>an</strong>d c<strong>an</strong> then be supported by the<br />
operations defined by the modeling l<strong>an</strong>guage. Furthermore, the tr<strong>an</strong>sition from one activity<br />
to the next may be protected by quality gates which guar<strong>an</strong>tee the quality of the activity’s<br />
result. This c<strong>an</strong> be achieved by integrity constraints or by the execution of complex <strong>an</strong>alysis<br />
by interpreters. Integrity constraints actually not only depend on the modeling l<strong>an</strong>guage, but<br />
also on the progress of the process. For example, every requirement has to be implemented at<br />
the end of the process, but is of course not implemented after requirements elicitation.<br />
Sem<strong>an</strong>tics. Generally, there are three ways of specifying sem<strong>an</strong>tics: The first one is to describe<br />
the sem<strong>an</strong>tics of the modeling l<strong>an</strong>guage by a calculus (axiomatic sem<strong>an</strong>tics), the second<br />
one is to define the relationship to <strong>an</strong>other <strong>for</strong>malism (denotational <strong>an</strong>d tr<strong>an</strong>slational sem<strong>an</strong>tics),<br />
<strong>an</strong>d the third one is to specify a model interpreter (operational sem<strong>an</strong>tics).<br />
The first one results in syntactical tr<strong>an</strong>s<strong>for</strong>mation rules preserving the sem<strong>an</strong>tics. It is possible<br />
to provide these rules with regard to tool support in the <strong>for</strong>m of refactoring functionality<br />
which is being realized via <strong>an</strong> in-place tr<strong>an</strong>s<strong>for</strong>mation engine (the original model is thus altered<br />
directly). In general, it must be differentiated between postulated rules (axioms) <strong>an</strong>d deducible<br />
rules (theorems). In the scope of a l<strong>an</strong>guage definition, however, axioms would in principle<br />
be sufficient. As theorems are, however, generally not deducible in <strong>an</strong> automated way but<br />
are particularly relev<strong>an</strong>t in practice <strong>for</strong> the refactoring, they should nonetheless be <strong>for</strong>mulated<br />
explicitly in the l<strong>an</strong>guage definition. From a <strong>for</strong>mal point of view, the syntactic tr<strong>an</strong>s<strong>for</strong>mation<br />
rules complete the syntax definition to <strong>for</strong>m a calculus.<br />
The second way maps each model according to the syntax definition to a model of <strong>an</strong>other<br />
<strong>for</strong>malism (referred to as sem<strong>an</strong>tic domain). This may be a mathematical <strong>for</strong>malism like<br />
logic or set theory (denotational sem<strong>an</strong>tics) but also a programming l<strong>an</strong>guage like C or Java<br />
(tr<strong>an</strong>slational sem<strong>an</strong>tics). Note that this kind of sem<strong>an</strong>tical definition always depends on<br />
<strong>an</strong>other <strong>for</strong>malism which needs to be <strong>for</strong>malized itself. In total, this results in a system of<br />
modeling l<strong>an</strong>guages which are correlated to each other by the sem<strong>an</strong>tical mapping. According<br />
20
to our integrated tooling framework, the specified tr<strong>an</strong>s<strong>for</strong>mation rules are per<strong>for</strong>med by <strong>an</strong><br />
out-place tr<strong>an</strong>s<strong>for</strong>mation engine, i. e., the original model is not altered.<br />
The third way describes how a valid model is interpreted as sequences of computational steps.<br />
These sequences then make up the me<strong>an</strong>ing of the model. In the context of generic tooling<br />
environments, it is there<strong>for</strong>e possible to use operational sem<strong>an</strong>tics to parameterize a generic<br />
simulation framework. Kermeta [DFF + 08] is aiming at such a solution.<br />
4.1.2 Horizontal Aspects<br />
<strong>Tool</strong>ing aspects are called horizontal if they are independent of a certain modeling l<strong>an</strong>guage.<br />
Horizontal tooling aspects like a model repository are often reimplemented by each isolated<br />
tool. However, the use of different technologies <strong>for</strong> a model repository complicates seamless<br />
tool integration, as models have to be tr<strong>an</strong>s<strong>for</strong>med to enable data exch<strong>an</strong>ge between the tools.<br />
There<strong>for</strong>e, we propose a tooling plat<strong>for</strong>m that factors out horizontal tooling aspects. We identified<br />
the following horizontal tooling aspects that are required <strong>for</strong> seamless system development<br />
in the large: Common Model Repository, Generic Editor Framework, Workflow Engine, <strong>an</strong>d<br />
Model Interpretation Engine. In the following, we deal with the different horizontal tooling<br />
aspects <strong>an</strong>d their requirements in more detail.<br />
Common model repository. A central model repository is crucial <strong>for</strong> maintaining the dependencies<br />
between the different models produced during the development process. As the models<br />
of industrial systems become quite large, a database system is required to store all the models<br />
<strong>an</strong>d their dependencies. The central model repository is also responsible to ensure the overall<br />
consistency of the models. A model is consistent if it fulfills the constraints defined by the<br />
modeling l<strong>an</strong>guage.<br />
In order to efficiently h<strong>an</strong>dle distributed development of systems, the database system has to<br />
be distributed. The models may be partitioned according to the different comp<strong>an</strong>ies which<br />
participate in the development of a system, since each comp<strong>an</strong>y needs to have sovereignty over<br />
its own models. Furthermore, as some comp<strong>an</strong>ies may not be permitted to access or modify<br />
the models of other comp<strong>an</strong>ies, the model repository has to provide individual rights by access<br />
control.<br />
When distributed parties simult<strong>an</strong>eously work on the same models, conflicts arise that lead to<br />
inconsistencies. In order to prevent or repair conflicts, configuration m<strong>an</strong>agement is to keep<br />
track of the different versions of the model. Furthermore, configuration m<strong>an</strong>agement is to<br />
define which version of different models fit together.<br />
Object-oriented database systems are best suited <strong>for</strong> implementing common model repositories,<br />
as they c<strong>an</strong> efficiently h<strong>an</strong>dle graph-like model structures. Traditional file-based configuration<br />
m<strong>an</strong>agement systems like CVS <strong>an</strong>d SVN do not fit the needs of model-based development.<br />
Current configuration m<strong>an</strong>agement systems <strong>for</strong> models like Odyssey-VCS mainly support a<br />
certain modeling l<strong>an</strong>guage like UML [OMW05]. However, there is also research on configuration<br />
m<strong>an</strong>agement systems which c<strong>an</strong> be parametrized by a modeling l<strong>an</strong>guage (e.g. ModelCVS<br />
[Mod]).<br />
21
Generic editor framework. A front-end provides a user interface <strong>for</strong> authoring models in the<br />
repository. The front-end should constitute a generic framework that c<strong>an</strong> be parametrized<br />
by the applied modeling l<strong>an</strong>guages. The front-end provides editors to author a model in its<br />
concrete representation by using the concrete syntax of the modeling l<strong>an</strong>guage. Furthermore,<br />
the front-end offers the operations to the modeler, which are defined by the modeling l<strong>an</strong>guage<br />
(vertical) <strong>an</strong>d operations that are common to all l<strong>an</strong>guages (horizontal).<br />
These operations have to be intuitive to support the engineers in working with the models in <strong>an</strong><br />
efficient m<strong>an</strong>ner. For example, the operations that support configuration m<strong>an</strong>agement should<br />
allow the engineers to commit the ch<strong>an</strong>ges on models <strong>an</strong>d to update parts of the models. In<br />
case of a conflict, we need a merge operation that allows the visualization of the differences<br />
between models in their concrete syntax. The Eclipse plat<strong>for</strong>m is a perfect c<strong>an</strong>didate <strong>for</strong> a<br />
front-end, as its service-oriented architecture makes it highly extensible [Foub].<br />
Workflow engine. Our experiences show that a defined process is often not followed by its<br />
particip<strong>an</strong>ts, as long as it is not supported by the modeling tool. To prevent deviation from the<br />
process, the developers should be guided through the defined process by the tooling plat<strong>for</strong>m.<br />
In order to operationalize the process, the workflow engine interprets the process definition of<br />
the modeling l<strong>an</strong>guage. When interpreting a process model, the progress <strong>an</strong>d current activities<br />
that need to be per<strong>for</strong>med are always available through the workflow engine. To <strong>for</strong>ce a modeler<br />
to per<strong>for</strong>m the current activities, all operations <strong>an</strong>d interpreters not required <strong>for</strong> the activity<br />
have to be suppressed. The rights m<strong>an</strong>agement of the tooling plat<strong>for</strong>m has to ensure that<br />
certain activities are only per<strong>for</strong>med by certain roles. When modelers log on to the tooling<br />
plat<strong>for</strong>m, they c<strong>an</strong> only per<strong>for</strong>m activities which are currently available based on the process<br />
definition <strong>an</strong>d which correspond to one of the roles they own.<br />
Model interpretation engine. It provides the facilities to per<strong>for</strong>m complex tasks such as<br />
<strong>an</strong>alysis <strong>an</strong>d synthesis based on the sem<strong>an</strong>tical definition of the l<strong>an</strong>guage. To per<strong>for</strong>m complex<br />
editing <strong>an</strong>d refactoring facilities, <strong>an</strong> in-place model-to-model tr<strong>an</strong>s<strong>for</strong>mation engine is necessarily<br />
integrated in the front-end. For <strong>an</strong> automated generation of code <strong>an</strong>d other process<br />
artifacts, <strong>an</strong> out-of-place model-to-model as well as a model-to-text tr<strong>an</strong>s<strong>for</strong>mation engine is<br />
needed. Since such generation tasks might need a lot of time <strong>an</strong>d computing power they should<br />
be located at a different machine in the back-end. In order to be able to execute <strong>an</strong> operational<br />
sem<strong>an</strong>tics, a generic simulation framework is necessary which should be also located in<br />
the back-end because of resource consumption issues.<br />
4.2 Building-Block Principle<br />
To operationalize <strong>an</strong> integrated model theory <strong>for</strong> practice, a comp<strong>an</strong>y may aim at defining <strong>an</strong><br />
integrated modeling l<strong>an</strong>guage that covers the whole development process. As a consequence,<br />
such <strong>an</strong> integrated modeling l<strong>an</strong>guage is quite extensive <strong>an</strong>d thus difficult to develop. The<br />
development costs are reduced by developing <strong>an</strong> integrated modeling l<strong>an</strong>guage that is reused<br />
<strong>for</strong> several comp<strong>an</strong>ies. However, this approach is usually not feasible, as a comp<strong>an</strong>y may<br />
request a modeling l<strong>an</strong>guage tailored to its specific needs.<br />
22
Nevertheless, integrated modeling l<strong>an</strong>guages of different comp<strong>an</strong>ies will be identical in some<br />
parts or similar in others. For example, a lot of automotive comp<strong>an</strong>ies prefer to use dataflow<br />
networks to model embedded systems. Reuse of these parts c<strong>an</strong> be achieved by modularizing<br />
modeling l<strong>an</strong>guages. An integrated modeling l<strong>an</strong>guage is then built by a number of predefined<br />
modeling l<strong>an</strong>guage modules. As shown in Figure 8, <strong>an</strong> org<strong>an</strong>ization composes existing modules<br />
Technische Universität München<br />
<strong>for</strong> modeling requirements, software design <strong>an</strong>d deployment on hardware to <strong>for</strong>m their own<br />
integrated modeling l<strong>an</strong>guage.<br />
comp<strong>an</strong>y<br />
specific<br />
Dependencies between l<strong>an</strong>guage modules<br />
Tailored l<strong>an</strong>guages<br />
Upper level l<strong>an</strong>guages<br />
Feature Architecture Logical Architecture Technical Architecture<br />
Use Case Automaton Dataflow Topology Allocation<br />
Basic l<strong>an</strong>guages<br />
EADS Avionic System BMW Automotive System<br />
Domain-independent Product Model<br />
Garching, 11.11.2008 Stef<strong>an</strong>o Merenda, Chair IV: Software <strong>an</strong>d Systems Engineering 11<br />
Figure 8: Modularity in tooling: Dependencies between l<strong>an</strong>guage modules.<br />
A modeling l<strong>an</strong>guage module consists of the elements that we have already described: abstract<br />
syntax, concrete syntax, process definition <strong>an</strong>d sem<strong>an</strong>tics. Additionally, a modeling l<strong>an</strong>guage<br />
module needs to provide <strong>an</strong> interface so that it c<strong>an</strong> be connected to other modules. A module<br />
<strong>for</strong> modeling software design e.g. provides a connector <strong>for</strong> deployable units which c<strong>an</strong> be<br />
connected to <strong>an</strong> appropriate connector in a module <strong>for</strong> modeling deployment on hardware. As<br />
we put the abstract syntax in the center of l<strong>an</strong>guage development, the interface of a module is<br />
defined in terms of the abstract syntax.<br />
Furthermore, comp<strong>an</strong>ies might w<strong>an</strong>t to adapt a modeling l<strong>an</strong>guage module to fit their specific<br />
requirements. Because of associated costs, comp<strong>an</strong>ies do not w<strong>an</strong>t to rebuild the adapted<br />
modeling l<strong>an</strong>guage from scratch. For this reason, a me<strong>an</strong>s has to be provided that allows <strong>for</strong><br />
the customization of modeling l<strong>an</strong>guage modules. There are several possibilities to do so: a<br />
l<strong>an</strong>guage c<strong>an</strong> be customized by constraints (lightweight extensions), sub concepts (heavyweight<br />
extensions) or parameters of the module. Customizing a modeling l<strong>an</strong>guage results in a new<br />
module that depends on the module of the customized modeling l<strong>an</strong>guage.<br />
MOF provides basic coarse-grained operators <strong>for</strong> the composition of modeling l<strong>an</strong>guages like<br />
importing, merging or combining packages [OMG06a]. Bl<strong>an</strong>c et al. motivate the need <strong>for</strong> a new<br />
operator that allows to reuse <strong>an</strong>d generalize concepts when combining packages [BRR05]. Clark<br />
et al. provide a new composition operator that allows to equate concepts be<strong>for</strong>e merging the<br />
packages [CEK02]. Karsai et al. propose more fine-grained operators that allow <strong>for</strong> the composition<br />
of modeling l<strong>an</strong>guages like the union of two concepts or finer control over inherit<strong>an</strong>ce<br />
23
elationships between two concepts [KML + 03]. Balasubram<strong>an</strong>i<strong>an</strong> et al. show how to apply<br />
these operators to the integration of existing model-based development tools [BSML07]. Estublier<br />
et al. provide similar constructs, but allow not only <strong>for</strong> the composition of the generated<br />
editors, but also consider composition of corresponding model interpreters [EVI05]. Emerson<br />
<strong>an</strong>d Sztip<strong>an</strong>ovits envision metamodel templates that enable a more flexible generalization <strong>an</strong>d<br />
customization of modeling l<strong>an</strong>guages [ES06].<br />
4.3 M<strong>an</strong>aging Ch<strong>an</strong>ge <strong>for</strong> Modeling L<strong>an</strong>guages<br />
In order to be prepared <strong>for</strong> the inevitable evolution of modeling l<strong>an</strong>guages, appropriate tool<br />
support is required to safely ch<strong>an</strong>ge or extend a modeling l<strong>an</strong>guage when already deployed<br />
[HBJ08]. In our tool architecture, the abstract syntax is first modified to fulfill the new<br />
requirements. As the other elements of a modeling l<strong>an</strong>guage all depend on the abstract syntax,<br />
they have to be adapted to the modified abstract syntax <strong>an</strong>d maybe extended with respect to<br />
the new requirements. Most import<strong>an</strong>tly however, existing models have to be migrated so that<br />
they c<strong>an</strong> be used with the evolved modeling l<strong>an</strong>guage.<br />
Appropriate tool support is required <strong>for</strong> the migration of models in response to <strong>an</strong> evolving<br />
modeling l<strong>an</strong>guage. As there may be a large number of models, model migration has to be<br />
automated. Further automation c<strong>an</strong> be provided by reusing recurring migration scenarios.<br />
However, model migration becomes quite complex, when motived by ch<strong>an</strong>ges in the sem<strong>an</strong>tics<br />
of the modeling l<strong>an</strong>guage. For this reason, appropriate tool support also needs to account <strong>for</strong><br />
m<strong>an</strong>ual, expressive migrations.<br />
With appropriate tool support <strong>for</strong> l<strong>an</strong>guage mainten<strong>an</strong>ce, modeling l<strong>an</strong>guages c<strong>an</strong> be even<br />
developed in <strong>an</strong> evolutionary way. A version of a modeling l<strong>an</strong>guage is created <strong>an</strong>d deployed<br />
to be assessed by the modelers. The feedback of the modelers is then easily incorporated<br />
into a new version of the modeling l<strong>an</strong>guage which is again deployed <strong>for</strong> further assessment.<br />
Elements of a modeling l<strong>an</strong>guage other th<strong>an</strong> the abstract syntax do not have to be defined in<br />
a first version of the modeling l<strong>an</strong>guage, but are completed in later versions. By evolutionary<br />
development of modeling l<strong>an</strong>guages, domain appropriateness c<strong>an</strong> thus be reached iteratively.<br />
When a specification ch<strong>an</strong>ges, potentially all existing inst<strong>an</strong>ces have to be reconciled in order<br />
to con<strong>for</strong>m to the updated version of the specification. Since this problem of coupled<br />
evolution affects all specification <strong>for</strong>malisms (e. g., database or document schemata, types or<br />
grammars) alike, numerous approaches <strong>for</strong> coupled tr<strong>an</strong>s<strong>for</strong>mation [Läm04] of a specification<br />
<strong>an</strong>d its inst<strong>an</strong>ces have been proposed. The problem of schema evolution which has been a<br />
field of study <strong>for</strong> several decades has probably received the closest investigation [RB06]. Recently,<br />
the literature provides some work that tr<strong>an</strong>sfers ideas from other areas to the problem<br />
of metamodel evolution. In order to reduce the ef<strong>for</strong>t <strong>for</strong> model migration, Sprinkle proposes<br />
a visual, graph-tr<strong>an</strong>s<strong>for</strong>mation based l<strong>an</strong>guage <strong>for</strong> the specification of model migration [SK04].<br />
Gruschko et al. envision to automatically derive a model migration from the difference between<br />
two metamodel versions [BGGK07, GKP07]. Wachsmuth adopts ideas from grammar<br />
engineering <strong>an</strong>d proposes a classification of metamodel ch<strong>an</strong>ges based on inst<strong>an</strong>ce preservation<br />
properties [Wac07].<br />
24
5 AutoFOCUS 3: Prototypical Implementation of <strong>an</strong> <strong>Integrated</strong> <strong>Tool</strong><br />
Architecture<br />
History. AutoFOCUS is a CASE tool that is developed at the Technische Universität München<br />
since 1996. The tool was <strong>an</strong> implementation of tool support <strong>for</strong> the <strong>for</strong>mal method FOCUS<br />
[BS01]. AutoFOCUS demonstrated that <strong>for</strong>mal methods c<strong>an</strong> be applied to practical engineering,<br />
if they are built into <strong>an</strong> easy to use development environment. The major capability of<br />
AutoFOCUS was the graphical modeling of networks of logical components (system structure),<br />
automatons <strong>for</strong> the specification of dynamic behavior <strong>an</strong>d of course data types. As AutoFO-<br />
CUS was based on a well defined sem<strong>an</strong>tic foundation, a simulator has been implemented<br />
which made it possible to do early validation <strong>an</strong>d verification of AutoFOCUS systems. In<br />
1999, AutoFOCUS has won the <strong>Tool</strong> Competition at the Formal Methods conference. Based<br />
on the success of the first AutoFOCUS implementation, AutoFOCUS 2 was developed based on<br />
more modern technologies. This new version also offered extended functionality which mainly<br />
addressed verification activities by supporting model checking <strong>an</strong>d test-case generation. Also<br />
the generation of Java <strong>an</strong>d C code from the models was supported. We used this version to<br />
conduct the CoCoME case study [BFH + 08].<br />
AutoFOCUS 3. In 2007, AutoFOCUS 2 <strong>an</strong>d its SWING-based GUI were considered outdated<br />
<strong>an</strong>d old-fashioned, <strong>an</strong>d that it was no longer meeting the dem<strong>an</strong>ds of nowadays CASE tools.<br />
Thus, it was decided to implement the next major evolution AutoFOCUS 3 on the basis of the<br />
well-established Eclipse technologies EMF <strong>an</strong>d GEF [BSM + 03]. So, the tool AutoFOCUS 3<br />
itself is now widely developed by applying model-based software engineering techniques like<br />
meta-modeling <strong>an</strong>d code generation. Although the sem<strong>an</strong>tic foundation behind AutoFOCUS 3<br />
is still the FOCUS theory, its scope is beyond being just a demonstrator <strong>for</strong> <strong>for</strong>mal methods.<br />
AutoFOCUS 3 was designed to be <strong>an</strong> extendable plat<strong>for</strong>m that supports systems modeling <strong>for</strong><br />
different domains. As already stated in Section 2.1, a modeling l<strong>an</strong>guage (e.g. state charts)<br />
does not per<strong>for</strong>m equally well on each given domain. For some kinds of systems, a specific modeling<br />
technique is convenient <strong>for</strong> expressing the system’s functionality, <strong>for</strong> other ones it is very<br />
cumbersome [LKpT04]. The requirement of offering domain-appropriate modeling l<strong>an</strong>guages<br />
c<strong>an</strong>not be addressed by a single monolithic CASE tool that provides a fixed set of description<br />
techniques. Thus, the modeling workbench AutoFOCUS 3 should explicitly fulfill the requirement<br />
of being easily extendable <strong>for</strong> new l<strong>an</strong>guage modules as proposed in Section 4.2. This<br />
approach is in contrast to in<strong>for</strong>mal modeling techniques in which the relationships between<br />
different views often remain unclear. Even completely new description techniques should be<br />
deeply integrated into the overall l<strong>an</strong>guage supported by AutoFOCUS. This integration should<br />
not only provide consistency checks, but also simulation <strong>an</strong>d code-generation of models containing<br />
different description techniques that have been composed with each other.<br />
A building-block tool architecture. The main principle of the architecture of AutoFOCUS<br />
was the separation of horizontal <strong>an</strong>d vertical tooling aspects as described in Section 4.1. As<br />
illustrated in Figure 9, generic functionalities that are not specific to a certain modeling technique<br />
(green boxes) have been factored out from the implementation of the l<strong>an</strong>guage-specific<br />
building-blocks (blue boxes) that contain the functionality needed <strong>for</strong> only one single modeling<br />
technique. Thus, a layer providing very generic modeling functionality has been introduced<br />
25
above the Eclipse frameworks. Generic functionality has been implemented to support the<br />
easy <strong>an</strong>d quick development of l<strong>an</strong>guage modules. More specifically, libraries have been built<br />
that offer convenient support <strong>for</strong> developing new meta-models, editing functionality <strong>an</strong>d codegenerators<br />
that are deeply integrated with each other. Eclipse with its OSGi-based dynamic<br />
Figure 9: The modular architecture of AutoFOCUS 3.<br />
module system [OSG] <strong>an</strong>d its robust descriptive extension mech<strong>an</strong>isms turned out to be perfectly<br />
suited <strong>for</strong> the implementation of the vision of <strong>an</strong> extendable modeling environment.<br />
Every l<strong>an</strong>guage module is implemented as a set of Eclipse plugins. Be<strong>for</strong>e starting <strong>an</strong> engineering<br />
project, a composition of modeling l<strong>an</strong>guages that are most appropriate <strong>for</strong> a specific<br />
system c<strong>an</strong> be combined. To achieve a deep integration the modeling l<strong>an</strong>guages are dependent<br />
of each other <strong>an</strong>d use one <strong>an</strong>other’s extension points.<br />
Currently supported modeling techniques. At first, AutoFOCUS aimed at supporting the<br />
‘classical’ description techniques from the previous versions. Thus, in the initial releases,<br />
networks of hierarchical logical components could be modeled that interact by using ports<br />
to send messages through ch<strong>an</strong>nels. The correct composition of the components is ensured<br />
by the type system. The behavior of the system c<strong>an</strong> be specified using automatons in leaf<br />
components. After this stage has been achieved, new views have been introduced to support<br />
a model-based deployment of the logical components onto a distributed hardware plat<strong>for</strong>m<br />
consisting of ECUs that are connected by different bus systems <strong>an</strong>d provide different kinds<br />
of actuators <strong>an</strong>d sensors [Sch08]. To support this functionality, a new l<strong>an</strong>guage module has<br />
been developed that provides a graphical editor to model hardware topologies. Furthermore,<br />
<strong>an</strong>other l<strong>an</strong>guage was built to define the deployment mapping between the logical components<br />
to the ECUs as well as the mapping between the logical ports <strong>an</strong>d the physical actuators <strong>an</strong>d<br />
26
sensors.<br />
5.1 Example: Describing heterogeneous Hardware by L<strong>an</strong>guage Modules<br />
A l<strong>an</strong>guage <strong>for</strong> describing hardware topologies. Especially <strong>for</strong> integrating the modeling of<br />
hardware topologies containing heterogeneous ECUs, buses, sensors <strong>an</strong>d actuators the extendable<br />
architecture has proved to be <strong>an</strong> effective decision. There are a multitude of different<br />
ECUs <strong>an</strong>d bus systems on the market. Conventional tools that allow model-based deployment<br />
often rely on specific (rapid prototyping) hardware (e.g. ASCET [ETA]). Thus, the actual<br />
hardware used <strong>for</strong> production <strong>an</strong>d the hardware used during design or prototyping differ. The<br />
architecture of AutoFOCUS 3 allowed us to implement a metamodel of the hardware topology<br />
that is generic (in one plugin). This generic topology metamodel only knows about ECUs that<br />
are connected to buses, sensors <strong>an</strong>d actuators without talking about which specific ECUs are<br />
given. The implementation of specific ECUs (e.g. <strong>an</strong> MPC5554, ARM, Coldfire), buses (e.g. a<br />
CAN-bus, Flexray, Ethernet) <strong>an</strong>d peripherals (buttons, LEDs, displays etc.) is per<strong>for</strong>med by<br />
extending the metamodel classes of the generic topology plugin. These specific ECUs are provided<br />
by the metamodel of separate plugins that contain the l<strong>an</strong>guage of the concrete hardware<br />
components. The specific hardware components are represented directly in the metamodel of<br />
the l<strong>an</strong>guage. The l<strong>an</strong>guage module depends on the generic hardware topology l<strong>an</strong>guage component<br />
by inheriting from the abstract ECU, bus, actuator or sensor entities of its metamodel.<br />
These kind of l<strong>an</strong>guage modules might be provided as hardware support bundles by vendors<br />
of the specific hardware instead of providing ordinary libraries as they do today. This kind of<br />
approach allows <strong>for</strong> a deep integration of the specific hardware with the editors, constraintchecking,<br />
simulation <strong>an</strong>d code-generators of a CASE-tool like AutoFOCUS. A similar way of<br />
integrating heterogeneous hardware into <strong>an</strong> integrated development environment is currently<br />
pursued by Microsoft’s NET-Micro-Framework [Mic] by so-called Board Support Packages.<br />
Generating code. The big adv<strong>an</strong>tage of representing concrete hardware directly in the metamodel<br />
of the l<strong>an</strong>guage is that very detailed <strong>an</strong>d specific in<strong>for</strong>mation about the hardware components<br />
c<strong>an</strong> be provided. This in<strong>for</strong>mation c<strong>an</strong> be used, <strong>for</strong> example, in the code generator<br />
to be able to produce better (smaller, more efficient etc.) code. For example, the in<strong>for</strong>mation<br />
about the architecture of a processor of <strong>an</strong> ECU c<strong>an</strong> be used to generate code that directly<br />
accesses its IO modules <strong>for</strong> interacting with sensors <strong>an</strong>d actuators (instead of writing glue code)<br />
or that actively uses co-processors like DSPs <strong>an</strong>d specialized timing units to achieve better per<strong>for</strong>m<strong>an</strong>ce.<br />
Nowadays, generated code often fails short on runtime- <strong>an</strong>d memory-per<strong>for</strong>m<strong>an</strong>ce<br />
<strong>an</strong>d <strong>for</strong>ces developers to implement such code m<strong>an</strong>ually. The l<strong>an</strong>guage module that provides<br />
the model of a certain piece of hardware also comes up with <strong>an</strong> associated part of a code generator.<br />
This partial code generator implements <strong>an</strong> interface requested by the generic topology<br />
l<strong>an</strong>guage generator. Consequently, the people that know the hardware best (i. e., the vendors)<br />
would be able to provide specific generator parts in order to achieve the best per<strong>for</strong>m<strong>an</strong>ce of<br />
the hardware. The customer would be able to quickly get a running system that already comes<br />
up with high runtime- <strong>an</strong>d memory-per<strong>for</strong>m<strong>an</strong>ce without having to learn every detail of the<br />
hardware.<br />
27
Beyond hardware. The extendable architecture of AutoFOCUS 3 was not only built to allow<br />
extending the hardware topology l<strong>an</strong>guage. Also, on the logical architecture, extendability is<br />
a key issue. For example, the automata which were the only way of describing behavior in the<br />
previous AutoFOCUS versions are not always the most appropriate modeling technique. If the<br />
function that has to be computed by a logical component is just a simple mapping of its input to<br />
its output ports, a mapping table is a much more convenient way of describing the situation. To<br />
develop control applications, special l<strong>an</strong>guages that allow <strong>an</strong> efficient description of the control<br />
algorithms would be much more desirable th<strong>an</strong> automata. Even some imperative l<strong>an</strong>guage that<br />
enables the definition of variable assignments, loops (perhaps only statically bounded ones)<br />
<strong>an</strong>d if-statements might be beneficial in several situations. Having the flexibility to tune the<br />
l<strong>an</strong>guage to make it most appropriate <strong>for</strong> the specific task achieves a less cumbersome <strong>an</strong>d<br />
more efficient development. Furthermore, smaller <strong>an</strong>d more comprehensible models c<strong>an</strong> be<br />
built that due not fall short a huge encoding gap [Rat09].<br />
5.2 Case Studies <strong>an</strong>d Future Work on AutoFOCUS<br />
AutoFOCUS 3 has already been successfully applied to develop a realistic ACC/PCS system<br />
[FFH + 08] <strong>an</strong>d a Keyless Entry system [FHP + ar] based on real-world requirements. Furthermore,<br />
we also provided support <strong>for</strong> the generation of verified code [H¨09].<br />
In the future, AutoFOCUS will be further extended with l<strong>an</strong>guage components that address<br />
the early phases of a project. In addition, several behavior description techniques, such as<br />
mode diagrams, <strong>an</strong> imperative l<strong>an</strong>guage etc. are pl<strong>an</strong>ned.<br />
28
6 Related Work<br />
6.1 <strong>Tool</strong> Integration Approaches<br />
In the literature, we c<strong>an</strong> already find some approaches <strong>for</strong> tool integration. In [BHW05], the authors<br />
propose a model-based approach to integrate tools working on interdependent documents.<br />
Wrappers <strong>for</strong> each tool allow us to abstract from technical details <strong>an</strong>d provide homogenized<br />
access to documents through graph models. The different documents are kept consistent by<br />
graph tr<strong>an</strong>s<strong>for</strong>mations rules which allow us to propagate ch<strong>an</strong>ges in <strong>an</strong> incremental development<br />
process. In [BHLW07], the authors give a more detailed description of their algorithm<br />
<strong>for</strong> incremental <strong>an</strong>d interactive consistency m<strong>an</strong>agement. The authors of [KLN05] explain <strong>an</strong>d<br />
compare two architectural design patterns which allow <strong>for</strong> tool integration. The first architecture<br />
is based on <strong>an</strong> integrated model <strong>an</strong>d adapters <strong>for</strong> each tool which tr<strong>an</strong>slate the data to<br />
the integrated model. The second architecture is based on a messaging system, which routes<br />
data according to a workflow specification, <strong>an</strong>d implements a pairwise integration among tools.<br />
[Mar05] presents the extension of the ETI (Electronic <strong>Tool</strong> Integration) plat<strong>for</strong>m with web service<br />
technology. The integrated tools interact with each other by use of web services, which<br />
allow to decouple the different tools from each other <strong>an</strong>d which there<strong>for</strong>e ease integration <strong>an</strong>d<br />
mainten<strong>an</strong>ce activities. In [KS06], the authors present their rule-based approach MDI (Multi<br />
Document Integration) <strong>for</strong> data integration of multiple data repositories. Metamodels are used<br />
to provide <strong>an</strong> abstract specification of the different models, a separate model is used to specify<br />
correspondence links between the models, <strong>an</strong>d rules are used to specify consistency between<br />
the models. The declarative rules which are specified in the <strong>for</strong>m of triple graph grammars are<br />
used to derive code <strong>for</strong> creating <strong>an</strong>d consistency checking of correspondence links as well as<br />
<strong>for</strong> <strong>for</strong>ward <strong>an</strong>d backward propagation of ch<strong>an</strong>ges. TOPCASED [FGC + 06] is <strong>an</strong> open-source<br />
CASE environment <strong>for</strong> model-based development of critical applications <strong>an</strong>d systems. Their<br />
ambition is to build <strong>an</strong> extensible <strong>an</strong>d evolutive CASE tool that allows its users to access<br />
various models <strong>an</strong>d associated tools.<br />
Beside these academic approaches there are already some tool developers offering integrated<br />
tool support. For the automotive domain, Vector has developed the tool eASEE 1 which is<br />
intended to be a data backbone that stores the product data in a central repository. This tool<br />
is not designed as a generic tool integration plat<strong>for</strong>m, but focuses on supporting predefined<br />
modeling functionalities. The tool PREEVision from Aquintos 2 follows a similar direction.<br />
6.2 L<strong>an</strong>guage Workbenches<br />
There are m<strong>an</strong>y st<strong>an</strong>dards from the Object M<strong>an</strong>agement Group (OMG) like the Meta Object<br />
Facility (MOF) <strong>for</strong> the definition of metamodels, Object Constraint L<strong>an</strong>guage (OCL)<br />
[OMG06b] <strong>for</strong> defining constraints on MOF-based metamodels <strong>an</strong>d the Query/ Views/ Tr<strong>an</strong>s<strong>for</strong>mations<br />
(QVT) specification [OMG08]. Only partially based on these st<strong>an</strong>dards, m<strong>an</strong>y<br />
so-called L<strong>an</strong>guage Workbenches have been developed to enable the development of mainly<br />
diagrammatic domain-specific l<strong>an</strong>guages (DSLs). The most prominent ones are the Generic<br />
1 http://www.vector-worldwide.com/vc easee de,,1296.html<br />
2 http://www.aquintos.info<br />
29
Modeling Environment (GME) [Dav03], MetaEdit+ [Tol04], Microsoft’s Domain-Specific L<strong>an</strong>guage<br />
<strong>Tool</strong>s, <strong>an</strong>d the Eclipse Modeling Framework (EMF). All of these tools offer support <strong>for</strong><br />
building modeling l<strong>an</strong>guages. However, these l<strong>an</strong>guages are often trapped inside of these tool<br />
environments because they all implement different metamodeling techniques. The composition<br />
of l<strong>an</strong>guages to <strong>an</strong> integrated modeling chain is still only supported in a very limited way.<br />
These tools also lack of support <strong>for</strong> the development workflow. But nevertheless they represent<br />
tool architectures that separate the modeling l<strong>an</strong>guage from the tool infrastructure.<br />
Ptolemy 2 [EJL + 03] is a scientific tool based on the idea of combining heterogeneous models<br />
of computation. The basic architecture of Ptolemy 2 consists of a kernel <strong>an</strong>d several shells<br />
around it. The first shell is a general graph implementation allowing entities to be connected.<br />
The actor shell then provides the sem<strong>an</strong>tic interpretation of entities <strong>an</strong>d connections by me<strong>an</strong>s<br />
of different models of computation. These models of computation c<strong>an</strong> be plugged into the tool.<br />
Compared to Ptolemy 2, AutoFOCUS 3 follows a different goal. While AutoFOCUS 3 targets<br />
the complete development cycle from requirements m<strong>an</strong>agement to system deployment using a<br />
single model of computation (which we believe is in particular suitable to describe the software<br />
of embedded systems), Ptolemy aims at combining different models of computation at different<br />
levels of the design. AutoFOCUS 3 provides a coherent set of sem<strong>an</strong>tically founded description<br />
models that leads to a seamless, pervasive engineering process. In contrast, Ptolemy 2 aims at<br />
studying the correlation between heterogeneous models of computation defined by computer<br />
science during the last decades.<br />
30
7 Conclusion<br />
The full promises of model-based development will only be achieved by using models throughout<br />
the development process. Requirements models have to be refined to design models from which<br />
implementation models are generated. To reuse the model in<strong>for</strong>mation from one process step<br />
within other process steps, a seamless integration of the different models is required. Seamless<br />
model based development c<strong>an</strong> only be achieved with three main ingredients: 1) a comprehensive<br />
modeling theory, 2) <strong>an</strong> integrated architectural model <strong>an</strong>d 3) a seamless model engineering<br />
environment.<br />
The large body of research in the last twenty years led to a wide body of knowledge about<br />
modeling theories <strong>an</strong>d architectures. In current practice, however, model-based development<br />
finds its way into the industry with difficulties mostly because of the lack of adequate tool support.<br />
Working with models requires the tools to be aware of the sem<strong>an</strong>tics of models <strong>an</strong>d that<br />
the tools c<strong>an</strong> exch<strong>an</strong>ge the models, <strong>an</strong>d these requirements increase subst<strong>an</strong>tially the difficulty<br />
of developing tools. In order to tackle these problems <strong>an</strong>d to enable a seamless integration of<br />
methods, models, processes <strong>an</strong>d tools, we proposed a new tooling plat<strong>for</strong>m. We advocate that<br />
a tooling plat<strong>for</strong>m should separate between common functionality related to the infrastructure<br />
(horizontal aspects) from the functionality that is specific to a modeling aspect (vertical aspects).<br />
The horizontal aspects enable <strong>an</strong> common model repository with explicit dependencies<br />
between the different models. The generic tooling plat<strong>for</strong>m c<strong>an</strong> be parametrized by a modeling<br />
l<strong>an</strong>guage which defines the product model of a comp<strong>an</strong>y. The clear separation of vertical<br />
<strong>an</strong>d horizontal tooling aspects <strong>for</strong>ms the foundation to reduce costs <strong>for</strong> both development <strong>an</strong>d<br />
mainten<strong>an</strong>ce of <strong>an</strong> integrated engineering environment.<br />
31
References<br />
[A38] A380 cable problems threaten airbus. FlugRevue.<br />
[ALP07] Marcus Al<strong>an</strong>en, Torbjörn Lundkvist, <strong>an</strong>d Iv<strong>an</strong> Porres. Creating <strong>an</strong>d reconciling diagrams<br />
after executing model tr<strong>an</strong>s<strong>for</strong>mations. Sci. Comput. Program., 68(3):128–<br />
151, 2007.<br />
[BFG + 08] M<strong>an</strong>fred Broy, Martin Feilkas, Joh<strong>an</strong>nes Grünbauer, Alex<strong>an</strong>der Gruler, Alex<strong>an</strong>der<br />
Harhurin, Judith Hartm<strong>an</strong>n, Birgit Penzenstadler, Bernhard Schätz, <strong>an</strong>d Doris<br />
Wild. Umfassendes architekturmodell für das engineering eingebetteter softwareintensiver<br />
systeme. Technical report, Technische Universität München, 08 2008.<br />
[BFH + 08] M. Broy, J. Fox, F. Hölzl, D. Koss, M. Kuhrm<strong>an</strong>n, M. Meisinger, B. Penzenstadler,<br />
S. Rittm<strong>an</strong>n, B. Schätz, M. Spichkova, <strong>an</strong>d D. Wild. Service-Oriented Modeling of<br />
CoCoME with Focus <strong>an</strong>d AutoFocus. pages 177–206, 2008.<br />
[BGGK07] Steffen Becker, Thomas Goldschmidt, Boris Gruschko, <strong>an</strong>d Heiko Koziolek. A<br />
process model <strong>an</strong>d classification scheme <strong>for</strong> semi-automatic meta-model evolution.<br />
In Workshop ’MDD, SOA <strong>an</strong>d IT-M<strong>an</strong>agement 2007’, 2007.<br />
[BHLW07] Simon M. Becker, Sebasti<strong>an</strong> Herold, Sebasti<strong>an</strong> Lohm<strong>an</strong>n, <strong>an</strong>d Bernhard Westfechtel.<br />
A graph-based algorithm <strong>for</strong> consistency mainten<strong>an</strong>ce in incremental <strong>an</strong>d<br />
interactive integration tools. Software <strong>an</strong>d System Modeling, 6(3):287–315, 2007.<br />
[BHW05] Simon M. Becker, Thomas Haase, <strong>an</strong>d Bernhard Westfechtel. Model-based aposteriori<br />
integration of engineering tools <strong>for</strong> incremental development processes.<br />
Software <strong>an</strong>d System Modeling, 4(2):123–140, 2005.<br />
[Bro07] M<strong>an</strong>fred Broy. Model-driven architecture-centric engineering of (embedded) software<br />
intensive systems: modeling theories <strong>an</strong>d architectural milestones. Innovations<br />
in Systems <strong>an</strong>d Software Engineering, 3(1):75–102, 2007.<br />
[BRR05] Xavier Bl<strong>an</strong>c, Fr<strong>an</strong>klin Ramalho, <strong>an</strong>d Jacques Robin. Metamodel reuse with mof.<br />
In MoDELS, pages 661–675, 2005.<br />
[BS01] M<strong>an</strong>fred Broy <strong>an</strong>d Ketil Stolen. Specification <strong>an</strong>d development of interactive systems:<br />
focus on streams, interfaces, <strong>an</strong>d refinement. Springer-Verlag New York,<br />
Inc., Secaucus, NJ, USA, 2001.<br />
[BSM + 03] Fr<strong>an</strong>k Budinsky, David Steinberg, Ed Merks, Raymond Ellersick, <strong>an</strong>d Timothy J.<br />
Grose. Eclipse Modeling Framework. Addison-Wesley Professional, 2003.<br />
[BSML07] Krishnakumar Balasubram<strong>an</strong>i<strong>an</strong>, Douglas C. Schmidt, Zolt<strong>an</strong> Molnar, <strong>an</strong>d Akos<br />
Ledeczi. Component-based system integration via (meta)model composition. In<br />
ECBS ’07: Proceedings of the 14th Annual IEEE International Conference <strong>an</strong>d<br />
Workshops on the Engineering of Computer-Based Systems, pages 93–102, Washington,<br />
DC, USA, 2007. IEEE Computer Society.<br />
32
[CEK02] Tony Clark, Andy Ev<strong>an</strong>s, <strong>an</strong>d Stuart Kent. A metamodel <strong>for</strong> package extension<br />
with renaming. In UML ’02: Proceedings of the 5th International Conference<br />
on The Unified Modeling L<strong>an</strong>guage, pages 305–320, London, UK, 2002. Springer-<br />
Verlag.<br />
[Dav03] James Davis. Gme: the generic modeling environment. In OOPSLA ’03: Comp<strong>an</strong>ion<br />
of the 18th <strong>an</strong>nual ACM SIGPLAN conference on Object-oriented programming,<br />
systems, l<strong>an</strong>guages, <strong>an</strong>d applications, pages 82–83, New York, NY, USA,<br />
2003. ACM.<br />
[DFF + 08] Zoé Drey, Cyril Faucher, Fr<strong>an</strong>ck Fleurey, Vincent Mahé, <strong>an</strong>d Didier Vojtisek. Kermeta<br />
l<strong>an</strong>guage - Reference m<strong>an</strong>ual. IRISA Triskell Project, 1 2008.<br />
[EJL + 03] Joh<strong>an</strong> Eker, Jörn W. J<strong>an</strong>neck, Edward A. Lee, Jie Liu, Xiaojun Liu, J. Ludvig,<br />
Stephen Neuendorffer, S. Sachs, <strong>an</strong>d Yuhong Xiong. Taming heterogeneity - the<br />
Ptolemy approach. Proceedings of the IEEE, 91(1):127–144, 2003.<br />
[ES06] Matthew Emerson <strong>an</strong>d J<strong>an</strong>os Sztip<strong>an</strong>ovits. Techniques <strong>for</strong> metamodel composition.<br />
In OOPSLA - 6th Workshop on Domain Specific Modeling, pages 123–139, October<br />
2006.<br />
[ETA] ETAS. Etas ascet website.<br />
[EVI05] Jacky Estublier, Germán Vega, <strong>an</strong>d Anca D<strong>an</strong>iela Ionita. Composing domainspecific<br />
l<strong>an</strong>guages <strong>for</strong> wide-scope software engineering applications. In MoDELS,<br />
pages 69–83, 2005.<br />
[EW05] Joerg Everm<strong>an</strong>n <strong>an</strong>d Yair W<strong>an</strong>d. Toward <strong>for</strong>malizing domain modeling sem<strong>an</strong>tics<br />
in l<strong>an</strong>guage syntax. IEEE Tr<strong>an</strong>s. Softw. Eng., 31(1):21–37, 2005.<br />
[Fav05] Je<strong>an</strong>-Marie Favre. L<strong>an</strong>guages evolve too! ch<strong>an</strong>ging the software time scale. In<br />
IWPSE ’05: Proceedings of the Eighth International Workshop on Principles of<br />
Software Evolution, pages 33–44, Washington, DC, USA, 2005. IEEE Computer<br />
Society.<br />
[FFH + 08] M. Feilkas, A. Fleischm<strong>an</strong>n, F. Hölzl, C. Pfaller, K. Scheidem<strong>an</strong>n, M. Spichkova,<br />
<strong>an</strong>d D. Trachtenherz. A Top-Down Methodology <strong>for</strong> the Development of Automotive<br />
Software. Technical report, Technische Universität München, 2008.<br />
[FGC + 06] Patrick Farail, Pierre Gaufillet, Agusti C<strong>an</strong>als, Christophe Le Camus, David Sciamma,<br />
Pierre Michel, Xavier Crégut, <strong>an</strong>d Marc P<strong>an</strong>tel. The TOPCASED project:<br />
a <strong>Tool</strong>kit in Open source <strong>for</strong> Critical Aeronautic SystEms Design. In Embedded<br />
Real Time Software (ERTS), 2006.<br />
[FHP + ar] M. Feilkas, F. Hölzl, C. Pfaller, M. Spichkova, W. Schwitzer, <strong>an</strong>d D. Trachtenherz.<br />
A Refined Methodology <strong>for</strong> the Development of Automotive Software. Technical<br />
report, Technische Universität München, 2009 To Appear.<br />
[Foua] Eclipse Foundation. Eclipse GMF website.<br />
[Foub] Eclipse Foundation. Eclipse website.<br />
33
[FR07] Robert Fr<strong>an</strong>ce <strong>an</strong>d Bernhard Rumpe. Model-driven development of complex software:<br />
A research roadmap. In FOSE ’07: 2007 Future of Software Engineering,<br />
pages 37–54, Washington, DC, USA, 2007. IEEE Computer Society.<br />
[GKP07] Boris Gruschko, Dimitrios Kolovos, <strong>an</strong>d Richard Paige. Towards synchronizing<br />
models with evolving metamodels. In CSMR 2007: Software Evolution in Complex<br />
Software Intensive Systems, 2007.<br />
[H¨09] F. Hölzl. The AutoFocus 3 C0 Code Generator. Technical Report TUM-I0918,<br />
Technische Universität München, 2009.<br />
[HBJ08] Markus Herrm<strong>an</strong>nsdoerfer, Sebasti<strong>an</strong> Benz, <strong>an</strong>d Elmar Juergens. Automatability<br />
of coupled evolution of metamodels <strong>an</strong>d models in practice. In Model Driven Engineering<br />
L<strong>an</strong>guages <strong>an</strong>d Systems (MODELS 2008), Lecture Notes in Computer<br />
Science, pages 645–659. Springer Berlin / Heidelberg, October 2008.<br />
[HM09] Markus Herrm<strong>an</strong>nsdoerfer <strong>an</strong>d Stef<strong>an</strong>o Merenda. Result of the tool questionnaire.<br />
<strong>SPES</strong> <strong>2020</strong> <strong>Deliverable</strong> <strong>1.4.B</strong>-1, Technische Universität München, 2009.<br />
[JBK06] Frédéric Jouault, Je<strong>an</strong> Bézivin, <strong>an</strong>d Iv<strong>an</strong> Kurtev. Tcs:: a dsl <strong>for</strong> the specification<br />
of textual concrete syntaxes in model engineering. In GPCE ’06: Proceedings of<br />
the 5th international conference on Generative programming <strong>an</strong>d component engineering,<br />
pages 249–254, New York, NY, USA, 2006. ACM.<br />
[KLN05] Gabor Karsai, Andras L<strong>an</strong>g, <strong>an</strong>d S<strong>an</strong>deep Neema. Design patterns <strong>for</strong> open tool<br />
integration. Software <strong>an</strong>d System Modeling, 4(2):157–170, 2005.<br />
[KML + 03] Gabor Karsai, Miklos Maroti, Akos Ledeczi, Jeff Gray, <strong>an</strong>d J<strong>an</strong>os Sztip<strong>an</strong>ovits.<br />
Composition <strong>an</strong>d cloning in modeling <strong>an</strong>d meta-modeling. IEEE Tr<strong>an</strong>sactions on<br />
Control System Technology, 2003.<br />
[KS06] Alex<strong>an</strong>der Königs <strong>an</strong>d Andy Schürr. Mdi: A rule-based multi-document <strong>an</strong>d tool<br />
integration approach. Software <strong>an</strong>d System Modeling, 5(4):349–368, 2006.<br />
[Läm04] Ralf Lämmel. Coupled Software Tr<strong>an</strong>s<strong>for</strong>mations (Extended Abstract). In First<br />
International Workshop on Software Evolution Tr<strong>an</strong>s<strong>for</strong>mations, November 2004.<br />
[Lev00] N<strong>an</strong>cy G. Leveson. Intent specifications: An approach to building hum<strong>an</strong>-centered<br />
specifications. IEEE Tr<strong>an</strong>s. Software Eng., 26(1):15–35, 2000.<br />
[LKpT04] J<strong>an</strong>ne Luoma, Steven Kelly, <strong>an</strong>d Juha pekka Tolv<strong>an</strong>en. Defining domain-specific<br />
modeling l<strong>an</strong>guages: Collected experiences. In In Proceedings of the 4th OOPSLA<br />
Workshop on Domain-Specific Modeling (DSM04, 2004.<br />
[Mar05] Tizi<strong>an</strong>a Margaria. Web services-based tool-integration in the eti plat<strong>for</strong>m. Software<br />
<strong>an</strong>d System Modeling, 4(2):141–156, 2005.<br />
[Mic] Microsoft. .net micro framework website.<br />
[Mod] Model cvs webpage.<br />
[OMG06a] OMG. Meta Object Facility (MOF) Specification 2.0, 2006.<br />
[OMG06b] OMG. Object Constraint L<strong>an</strong>guage (OCL) Specification 2.0, 2006.<br />
34
[OMG06c] OMG. Unified Modeling L<strong>an</strong>guage (UML) Specification 2.1.2, 2006.<br />
[OMG08] OMG. Query/View/Tr<strong>an</strong>s<strong>for</strong>mation (QVT) Specification 1.0, 2008.<br />
[OMW05] Hamilton Oliveira, Leonardo Murta, <strong>an</strong>d Cláudia Werner. Odyssey-vcs: a flexible<br />
version control system <strong>for</strong> uml model elements. In SCM ’05: Proceedings of the<br />
12th international workshop on Software configuration m<strong>an</strong>agement, pages 1–16,<br />
New York, NY, USA, 2005. ACM.<br />
[OSG] OSGi. Osgi alli<strong>an</strong>ce website.<br />
[PEP02] Trai<strong>an</strong> Pop, Petru Eles, <strong>an</strong>d Zebo Peng. Holistic scheduling <strong>an</strong>d <strong>an</strong>alysis of mixed<br />
time/event-triggered distributed embedded systems. In CODES ’02: Proceedings of<br />
the tenth international symposium on Hardware/software codesign, pages 187–192,<br />
New York, NY, USA, 2002. ACM.<br />
[Rat09] D<strong>an</strong>iel Ratiu. Intensional Me<strong>an</strong>ing of Programs. PhD thesis, Technische Universität<br />
München, 2009.<br />
[RB06] Erhard Rahm <strong>an</strong>d Philip A. Bernstein. An online bibliography on schema evolution.<br />
Sigmod Record, 35, 2006.<br />
[Sch08] Wolfg<strong>an</strong>g Schwitzer. Konzeption und Implementierung eines Deployment-Konzepts<br />
für AutoFocus 3. Master’s thesis, Technische Universität München, Fakultät für<br />
In<strong>for</strong>matik, 2008.<br />
[SK04] Jonath<strong>an</strong> Sprinkle <strong>an</strong>d Gabor Karsai. A domain-specific visual l<strong>an</strong>guage <strong>for</strong> domain<br />
model evolution. J. Vis. L<strong>an</strong>g. Comput., 15(3-4):291–307, 2004.<br />
[Tol04] Juha-Pekka Tolv<strong>an</strong>en. Metaedit+: domain-specific modeling <strong>for</strong> full code generation<br />
demonstrated [gpce]. In OOPSLA ’04: Comp<strong>an</strong>ion to the 19th <strong>an</strong>nual ACM<br />
SIGPLAN conference on Object-oriented programming systems, l<strong>an</strong>guages, <strong>an</strong>d applications,<br />
pages 39–40, New York, NY, USA, 2004. ACM.<br />
[vL00] Axel v<strong>an</strong> Lamsweerde. Formal specification: a roadmap. In ICSE ’00: Proceedings<br />
of the Conference on The Future of Software Engineering, pages 147–159, New<br />
York, NY, USA, 2000. ACM Press.<br />
[WA08] Peter Wallin <strong>an</strong>d Jakob Axelsson. A case study of issues related to automotive e/e<br />
system architecture development. Engineering of Computer Based Systems, 2008.<br />
ECBS 2008. 15th Annual IEEE International Conference <strong>an</strong>d Workshop on the,<br />
pages 87–95, 31 2008-April 4 2008.<br />
[Wac07] Guido Wachsmuth. Metamodel adaptation <strong>an</strong>d model co-adaptation. In Erik Ernst,<br />
editor, Proceedings of the 21st Europe<strong>an</strong> Conference on Object-Oriented Programming<br />
(ECOOP’07), volume 4609 of Lecture Notes in Computer Science. Springer-<br />
Verlag, July 2007.<br />
35