Ph.D. - go to the homepage of Computer Science, Department 3 ...
Chapter 12. Conclusion and Outlook

static semantics can have an erroneous impact on all lower instances. Accordingly, the concrete syntax – especially the graph bindings – and the static semantics were extensively documented. Furthermore, mathematical models were developed and introduced to also formalise the dynamic semantics of the openETCS meta model.

All static source code that does not have to be generated from a concrete model was designed and implemented as a domain framework for the openETCS meta model. An object-oriented design was chosen because it could be aligned with the object-oriented meta model syntax, which simplified the later generator development. Hence, the openETCS domain framework provides classes that only have to be instantiated from the concrete openETCS model by the generator. All implementations of the dynamic semantics were transferred accordingly to the domain framework libraries. Additionally, functional tests were provided to verify the correctness of the openETCS domain framework implementation.

The openETCS generator, as the link between the concrete openETCS model as formal specification and the source code, was developed and its software design was discussed. Additionally, the strategies developed for verifying the model transformation used to generate the openETCS source code for the EVC were described: Assert statements are generated from the GOPRR instance, which can be executed on the transformed GOPPRR model to ensure that all model elements for the model-to-model transformation from GOPRR to GOPPRR model are correctly converted. The final model-to-text transformation from the GOPPRR model to the instantiation of the openETCS domain framework is verified by tests for the existence of certain domain framework objects in the generated source code. Furthermore, the openETCS generator provides the possibility to generate the build configuration needed for creating the EVC binary from the generated source code and the configuration for executing the PIM and PSM of the openETCS model in separate virtual machines under a Xen hypervisor.

The ETCS SRS, or rather Subset-026 [83], was partly¹ modelled and discussed by means of exemplary diagrams of the corresponding openETCS model for all developed graph types. Additionally, the possibility of tracing the modification of safety properties due to model extensions was illuminated.

A simulation for the model, or rather the generated openETCS EVC binary, was developed under the MDA principle to validate the complete openETCS case study. Hence, a special simulative PSM had to be realised to provide the interconnection between EVC binary and simulation. The successful execution of the simulation shows that the proposed and developed concepts for developing safety-critical software for train control applications as open model software can be seen as a proof-of-concept. The reduction of model size and complexity is no limitation to this statement because the influence of further model extensions was also illuminated and the case study is a valid sub-subset of the ETCS SRS.

The concepts for dependability were only realised exemplarily by generating configurations for VMs, which was also applied in the simulation execution. The certification of the developed openETCS case study software for the EN 50128 and SWSIL 4 is obviously out of the scope of this work because this always has to be done by an external party. Since neither a concrete hardware target platform was available during this work nor the proposed minimal host operating system, all tests (including the simulation) are pure software tests and no system

¹ according to the scope of the openETCS case study