Leveraging formal verification tools for DSML users: a process modeling case study

15 pagesIn the last decade, Model Driven Engineering (MDE) has been used to improve the development of safety critical systems by providing early Validation and Verification (V&V) tools for Domain Specific Modeling Languages (DSML). Verification of behavioral models is mainly addressed by translating domain specific models to formal verification dedicated languages in order to use the sophisticated associated tools such as model-checkers. This approach has been successfully applied in many different contexts, but it has a major draw- back: the user has to interact with the formal tools. In this paper, we present an illustrated approach that allows the designer to formally express the expected behavioral properties using a user oriented language -- a temporal extension of OCL --, that is automatically translated into the formal language; and then to get feedback from the assessment of these properties using its domain language without having to deal with the formal verification language nor with the under- lying translational semantics. This work is based on the metamodeling pattern for executable DSML that extends the DSML metamodel to integrate concerns related to execution and behavior

Intégration de la modélisation comportementale dans la conception par points de vue

View-based modeling is the main subject of this thesis. It is a variant of the object oriented modeling approach for the analysis and design of complex systems, focusing on the actors that use the system and decomposing the specification according to their needs. With this prospect, our team developed a UML profile named VUML (View based UML), which allows the elaboration of a unique and sharable model accessible according to the view of each of the system's actors. However the achieved work on the VUML profile does not tackle the behavior aspects of the modeling process. The VUML approach address the structural aspects related to the composition of views and to the sharing of data without dealing with the way these views will react, or how to be able to synchronize them in order to obtain the behavior of multiple-view objects (instances of a multi-view class). The achieved work in this thesis aims to fill this gap by providing new mechanism to the VUML profile that allows expressing the behavioral needs of a system. We will focus on describing the individual behavior of multi-view objects by state-machines that require adjustments of UML modeling concepts. To achieve this objective we introduced the concept of event probes, which allow to specify implicit communication between the view-objects via event observation. This allows decoupling the view specifications that are a priori strongly interconnected, and therefore allows them to be designed separately, in agreement with the VUML method recommendations, and then to be integrated without the need of making modifications. We first define the concept of event monitoring and identified the different types of probes and the appropriate parameters that characterize them. We also define a set of concepts that can extend and manipulate probes. Then we propose a UML-compatible representation of the introduced concepts in form of a profile named VxUML (extension of VUML). In addition to defining the profile elements (stereotypes, tagged value, predefined library classes), we have developed rules for proper formation of the static semantics using OCL to reduce ambiguity in the specification of such concepts. Afterwards, to demonstrate the usefulness of the concepts introduced, we developed a case study through which we sought to provide a full view-based model, addressing both structural and behavioral aspects. At the end, to concretely validate our approach in a model driven engineering setting, we developed a code generator that takes as input a specification developed in VxUML profile. This generator uses the techniques of model transformation related to the code generation, including transformation of platform independent models (PIM) to platform specific models (PSM), and transformation of PSMs to code; the current target language is Java. Finally, another contribution of this thesis is a process associated with VxUML. It is an approach that complements the approach associated with VUML (which deal only with structural aspects) to be able to use in methodical manner the new mechanisms dedicated to behavioral treatment. Now, the VxUML development process offers a complete view based modeling, that is, dealing with both structural and behavioral aspects. Keywords: View based modeling, VUML profile, VxUML profile, event observation, multi-view states machine, behavior composition.La modélisation par points de vue constitue la thématique générale de notre travail de thèse. C'est une approche de modélisation orientée objet, visant l'analyse et la conception des systèmes complexes avec une démarche centrée autour des acteurs interagissant avec le système. Notre équipe a ainsi développé un profil UML appelé VUML (View based UML), qui permet l'élaboration d'un modèle unique partageable à partir de vues associées aux points de vue des acteurs. Cependant, les travaux réalisés sur le profil VUML [Nassar, 05 ; Anwar, 09] ne couvrent pas les aspects comportementaux de la modélisation. En effet, – en proposant la notion de classe multivue – VUML traite les aspects structuraux liés à la composition des vues et au partage des données statiques sans prendre en compte la manière dont ces vues vont réagir, ni comment les synchroniser afin de représenter le comportement des objets multivue (instances d'une classe multivue). Les travaux effectués dans le cadre de cette thèse cherchent à combler ce manque en dotant le profil VUML de nouveaux mécanismes permettant d'exprimer le comportement d'un système. Nous nous sommes concentrés pour cela sur le comportement des objets multivue décrit par des machines à états qui nécessitent des adaptations des concepts de modélisation UML. Pour réaliser cet objectif nous avons introduit la notion de sonde d'événements, qui permet de spécifier des communications implicites entre les vues par observation d'événements. Ceci permet de découpler des spécifications qui sont a priori fortement interconnectées, de les concevoir séparément par points de vue, selon les préconisations de la méthode VUML, puis de les intégrer sans avoir à les modifier. Nous avons tout d'abord défini le concept de sonde d'événements, identifié les différents types de sondes avec les paramètres associés, puis défini un ensemble de concepts permettant d'enrichir et de manipuler les sondes. Nous avons ensuite proposé une représentation compatible avec VUML des concepts introduits sous forme d'un profil nommé VxUML (extension de VUML). En plus de la définition des éléments du profil (stéréotypes, valeurs marquées, classes de librairie prédéfinies), nous avons développé en OCL des règles de bonne formation (sémantique statique). Pour illustrer l'intérêt des concepts introduits, nous avons développé une étude de cas en proposant une modélisation par points de vue complète traitant à la fois les aspects structurel et comportemental. Pour valider concrètement notre approche, nous avons développé, selon une approche IDM, un générateur de code qui prend en entrée une spécification de système en VxUML. Ce générateur utilise les techniques de transformation de modèles liées à la génération de code, et notamment les transformations de modèles indépendants de plate-forme (PIM) vers des modèles spécifiques à une plate-forme (PSM), et des modèles PSM vers le code ; il a été développé dans un premier temps avec le langage cible Java. Sur le plan méthodologique, nous avons défini une démarche associée à VxUML, qui complète celle de VUML, en permettant d'utiliser d'une manière méthodique les mécanismes dédiés au traitement du comportement. Désormais, le processus de développement VxUML permet une modélisation par points de vue complète, traitant à la fois les aspects structurel et comportemental. Mots clés : Conception par points de vue, profil VUML, profil VxUML, sonde d'événements, machine à états multivue, composition du comportement

Software architectures: multi-scale refinement

We propose a multi-scale modeling approach for complex software system architecture description. The multi-scale description may help to obtain meaningful granularities of these systems and to understand and master their complexity. This vision enables an architect designer to express constraints concerning different description levels, oriented to facilitate adaptability management. We define a correct-by-design approach that allows a given abstract architectural description to be refined into architecture models. We follow a progressive refinement process based on model transformations; it begins with a coarse-grain description and ends with a fine-grain description that specifies design details. The adaptability property management is performed through model transformation operations. The model transformation ensures the correctness of UML description, and the correctness of the modeled system. We experimented our approach with a use case that models a smart home system for the monitoring of elderly and disabled persons at home

A graph based approach to trace models composition

International audienceA model driven engineering process involves different and heterogeneous models that represent various perspectives of the system under development. The model composition operation allows combining those sub-models into an integrated view, but remains a tedious activity. For that, traceability information must be maintained to comprehend the composition effects and better manage the operation itself. Against this context, the current paper describes a framework for model composition traceability. We consider the traces generation concern as a crosscutting concern where the weaving mechanism is performed using graph transformations. A composition specification case study is presented to illustrate our contribution

Systemic classification of concern-based design methods in the context of enterprise architecture

Enterprise Architecture (EA) is a relatively new domain that is rapidly developing. "The primary reason for developing EA is to support business by providing the fundamental technology and process structure for an IT strategy” [TOGAF]. EA models have to model enterprises facets that span from marketing to IT. As a result, EA models tend to become large. Large EA models create a problem for model management. Concern-based design methods (CBDMs) aim to solve this problem by considering EA models as a composition of smaller, manageable parts—concerns. There are dozens of different CBDMs that can be used in the context of EA: from very generic methods to specific methods for business modeling or IT implementations. This variety of methods can cause two problems for those who develop and use innovative CBDMs in the field of Enterprise Architecture (EA). The first problem is to choose specific CBDMs that can be used in a given EA methodology: this is a problem for researchers who develop their own EA methodology. The second problem is to find similar methods (with the same problem domain or with similar frameworks) in order to make a comparative analysis with these methods: this is a problem of researchers who develop their own CBDMs related to a specific problem domain in EA (such as business process modeling or aspect oriented programming). We aim to address both of these problems by means of a definition of generic Requirements for CBDMs based on the system inquiry. We use these requirements to classify twenty CBDMs in the context of EA. We conclude with a short discussion about trends that we have observed in the field of concern-based design and modelin

Putting Teeth into Open Architectures: Infrastructure for Reducing the Need for Retesting

Proceedings Paper (for Acquisition Research Program)The Navy is currently implementing the open-architecture framework for developing joint interoperable systems that adapt and exploit open-system design principles and architectures. This raises concerns about how to practically achieve dependability in software-intensive systems with many possible configurations when: 1) the actual configuration of the system is subject to frequent and possibly rapid change, and 2) the environment of typical reusable subsystems is variable and unpredictable. Our preliminary investigations indicate that current methods for achieving dependability in open architectures are insufficient. Conventional methods for testing are suited for stovepipe systems and depend strongly on the assumptions that the environment of a typical system is fixed and known in detail to the quality-assurance team at test and evaluation time. This paper outlines new approaches to quality assurance and testing that are better suited for providing affordable reliability in open architectures, and explains some of the additional technical features that an Open Architecture must have in order to become a Dependable Open Architecture.Naval Postgraduate School Acquisition Research ProgramApproved for public release; distribution is unlimited

Mise en correspondance et gestion de la cohérence de modèles hétérogènes évolutifs

To understand and manipulate a complex system, it is necessary to apply the separation of concerns and produce separate parts. In Model Driven Engineering (MDE), these parts are represented by models qualified as partial models. In this context of multi-modeling, these models are called heterogeneous when they are described in separate modeling languages dedicated to different business domains: DSML (Domain Specific Modeling Language). Global model creation requires identifying existing correspondences between the elements of the partial models. However, in practice these correspondences are either incompletely identified or not sufficiently formalized to be maintained when the partial models evolve. This restricts their use and does not allow to fully exploit them for building the global model or for treating partial models evolution. The contribution of this thesis is twofold. The first contribution deals with a process for creating a global view of the system by means of a composition based on partial models matching. Identified correspondences between models elements are based on types of relationship instantiated from a metamodel of correspondences. This latter is extensible, depending on the considered application domain, and allows supporting the concepts related to this domain. Correspondences are firstly identified between meta-elements belonging to metamodels of the respective partial models. Correspondences between model elements are then obtained by a refinement mechanism, supported by an ad hoc Semantic Expression language: SED (Semantic Expression DSL). The composition is called “virtual” since elements represented in a correspondence are only references to elements belonging to partial models. Therefore, models interconnected by this correspondences form a virtual global model. The second contribution relates the consistency of the global model. Indeed, as models evolve over time, changing one or several elements involved in a correspondence, may cause the inconsistency of the global model. To maintain its consistency, we propose a second process enabling to automatically identify the changes, classify them and treat their impacts on the involved model elements. Management of repercussions is performed semi-automatically by the expert by means of strategies and weights. This work has been implemented through a support tool named HMCS (Heterogeneous Matching and Consistency management Suite) based on the Eclipse Platform. The approach has been validated and illustrated through a case study related to the management of a Hospital Emergency Service. This work was led in collaboration with the “CHU of Montpellier”.Pour permettre la compréhension et la manipulation d’un système complexe, le découpage en parties séparées est nécessaire. En Ingénierie Dirigée par les Modèles (ou Model Driven Engineering), ces parties sont représentées par des modèles, que nous qualifions de modèles partiels, dans la mesure où ils sont focalisés sur des domaines métiers distincts. Dans ce contexte de multi-modélisation, ces modèles sont dits hétérogènes quand ils sont décrits dans des langages de modélisation distincts dédiés à différents domaines métiers : DSML (Domain Specific Modeling language). La compréhension et l’exploitation efficace des connaissances relatives à un tel système supposent la construction d’un modèle global représentant son fonctionnement. La création du modèle global requiert l’identification des correspondances existant entre les éléments des différents modèles partiels. Dans la pratique, ces correspondances sont soit incomplètement identifiées, soit insuffisamment formalisées pour être maintenues lorsque les modèles partiels évoluent. Ceci limite leur utilisation et ne permet pas de les exploiter pleinement lors de la construction du modèle global ou du traitement de l’évolution des modèles partiels. L’apport de cette thèse est double. La première contribution est celle d’un processus permettant la création d’une vue globale du système par l’intermédiaire d’une composition fondée sur la mise en correspondance des modèles partiels. Les correspondances identifiées entres les éléments des modèles se basent sur des types de relations instanciées à partir d’un métamodèle de correspondance. Ce dernier est extensible (selon les spécificités du domaine d’application considéré) et permet de supporter les concepts relatifs à ce domaine. Les correspondances sont d’abord identifiées entre les méta-éléments des métamodèles respectifs des modèles partiels. Les correspondances entre les éléments de modèles sont ensuite obtenues par un mécanisme de raffinement, supporté par un langage d’expression sémantique ad hoc : SED (Semantic Expression DSL). La composition est dite « virtuelle » dans la mesure où les éléments figurant dans une correspondance ne sont que des références aux éléments appartenant aux modèles partiels. De ce fait, les modèles interconnectés par ces correspondances forment un modèle global virtuel. La seconde contribution est relative au maintien de la cohérence des modèles partiels et du modèle global. En effet, les modèles évoluant dans le temps, le changement d’un élément ou de plusieurs éléments participant à l’expression des correspondances, peut entrainer l’incohérence du modèle global. Pour maintenir la cohérence du modèle global, nous proposons un second processus permettant tout d’abord d’identifier automatiquement les changements réalisés ainsi que leurs classifications et leurs répercussions sur les éléments de modèles concernés. Par la suite, les différents cycles sont gérés à l’aide de l’expert puis une liste de changements est générée en fonction de la stratégie choisie et des coefficients de pondération. Enfin, le traitement des changements est réalisé de façon semi-automatique. Ce travail a été concrétisé par le développement d’un outil support nommé HMCS (Heterogeneous Matching and Consistency management Suite), basé sur la plateforme Eclipse. L’approche a été validée et illustrée à travers un cas d’étude portant sur la gestion du Service d'Urgence d'un hôpital. Ce travail a été mené en collaboration avec le CHU de Montpellier

Language Support for Megamodel Renarration

Megamodels may be difficult to understand because they reside at a high level of abstraction and they are graph-like structures that do not immediately provide means of order and decomposition as needed for successive examination and comprehension. To improve megamodel comprehension, we introduce modeling features for the recreation, in fact, renarration of megamodels. Our approach relies on certain operators for extending, instantiating, and otherwise modifying megamodels. We illustrate the approach in the context of megamodeling for Object/XML mapping (also known as XML data binding)