@inproceedings{blaschke2024automated, author = {Blaschke, Konstantin Rupert}, title = {Automated Model Quality Estimation and Change Impact Analysis on Model Histories}, booktitle = {IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion ’24)}, note = {To appear}, pages = {3}, year = {2024}, month = apr, owner = {Konstantin Rupert Blaschke}, abstract = {The development of Cyber-Physical Systems combines hardware with software in complex applications. To mitigate the complexity, collaborating system engineers rely on model-based approaches in systems engineering. Updates and function enhancements lead to frequent changing constraints and objectives. These changes increase the need to rework and extend model artifacts of the system. This can cause quality degradation over time due to errors, knowledge disparities or a lack of guidelines. To enable efficient collaboration and reduce maintenance costs in model-based systems engineering, industry needs a cost-efficient, scalable approach to monitor, and control model quality. The work outlines a doctoral thesis investigating the potential of automated data-driven quality assessment strategies using model artifact history and model changes. We will extract metrics and model changes to establish a quality feedback loop for system engineers. We aim to leverage the results of manual model quality assessments to incorporate domain-specific expert knowledge into the automated strategy. 
The main goal is to lower the effort of model quality assessments and provide practitioners with foresight on quality development and estimate task effort to improve model artifact quality.}, isbn = {979-8-4007-0502-1/24/04}, doi = {10.1145/3639478.3639809}, keywords = {Model-based Systems Engineering, Model Quality, Model Metrics, Quality Assessment, Model Review, Change-Impact Analysis, MbSE, AutoFOCUS3}, } @article{dantas2023toolchain, author = {Dantas, Yuri Gil and Munaro, Tiziano and C{\^{a}}rlan, Carmen and Nigam, Vivek and Barner, Simon and Fan, Shiqing and Pretschner, Alexander and Sch{\"{o}}pp, Ulrich and Tverdyshev, Sergey}, title = {A Toolchain for Synthesizing and Validating Safety Architectures}, publisher = {Springer}, journal = {SN Computer Science}, volume = {4}, number = {4}, pages = {335}, year = {2023}, month = apr, timestamp = {2023.04.15}, abstract = {Autonomous vehicles handle complicated tasks that may lead to harm when performed incorrectly. These harms, in particular when caused by system faults, may be avoided by the deployment of safety architectural patterns, such as the Heterogeneous Duplex pattern. Our goal is to provide safety engineers with computer-aided support for synthesizing architectures with safety architecture patterns. To this end, we build on our previous work in which we proposed a model-based system engineering plugin to enable the model-driven approach using safety architecture patterns. This article proposes a toolchain for synthesizing the structure and switching logic of safety architectures, as well as for validating them through simulation-based fault-injection. 
We validate our toolchain using an industrial use-case for autonomous driving systems, namely, a Highway Pilot system.}, issn = {2661-8907}, doi = {10.1007/s42979-023-01712-5}, keywords = {Model-based systems engineering, Toolchain, Safety architecture patterns, Reconfiguration, Simulation, MbSE, AutoFOCUS3, DSE}, } @misc{hoelzl2023webapp, author = {H{\"{o}}lzl, Florian and Barner, Simon}, title = {Implementing a Model-based Engineering Tool as Web Application}, year = {2023}, month = mar, timestamp = {2023.03.01}, abstract = {This paper reports on a study of transferring a desktop-based model-based engineering tool to a web application. The study has been conducted in the WEBMODEL project where the well-established technology stack around the Eclipse platform and the Eclipse Modeling Framework was lifted into a cloud-based environment. As results, a modeling language independent tooling kernel for web-based modeling tools and a minimal prototypical web-based implementation of the AutoFOCUS 3 model-based engineering tool are presented. Furthermore, the report documents experiences and implementation advice gained during the implementation.}, howpublished = {arXiv:2302.14091 [cs.SE]}, doi = {10.48550/arXiv.2302.14091}, keywords = {Model-based Systems Engineering, MbSE, Tooling, Web Technology, AutoFOCUS3, AF3}, } @inproceedings{terzimehic2023safetyaware, author = {Terzimehi{\'{c}}, Tarik and Barner, Simon and Dantas, Yuri Gil and Sch{\"{o}}pp, Ulrich and Nigam, Vivek and Ke, Pei}, title = {Safety-Aware Deployment Synthesis and Trade-Off Analysis of Apollo Autonomous Driving Platform}, booktitle = {9th International Workshop on Automotive System/Software Architectures ({WASA}) co-located with {ICSA} 2023}, publisher = {IEEE}, year = {2023}, month = mar, abstract = {The adoption of autonomous cars requires operational critical functions even in the event of HW faults and/or SW defects, and protection of safety-critical functions against security threats. 
Defining appropriate safe and secure architectures is challenging and costly. In previous work, we have proposed tools to automate the recommendation of safety and security patterns for safety-critical systems. However, safety and security measures may (negatively) influence system performance, besides introducing additional development effort. We present a design space exploration approach, a model-based engineering workflow and tool prototype for automated guidance on trade-off decisions when applying safety and security patterns on a given (unsafe) baseline architecture. Based on models that abstract the vehicle’s functionality and its software and hardware components, as well as an engine for the automated pattern recommendation, we investigate the optimization of HW/SW deployments, and provide a trade-off analysis for different architecture candidates. We implemented our approach in an open-source tool and evaluate it with a model of the Apollo autonomous driving platform.}, doi = {10.1109/ICSA-C57050.2023.00070}, keywords = {Autonomous vehicles, Apollo, model-driven development, system architecture, safety, model-based systems engineering, MbSE, design-space exploration, DSE, AutoFOCUS3, AF3}, } @inproceedings{icissp23_1, author = {Dantas, Yuri Gil and Nigam, Vivek and Sch{\"{o}}pp, Ulrich and Barner, Simon and Ke, Pei}, title = {Automating Vehicle {SOA} Threat Analysis using a Model-Based Methodology}, booktitle = {Proceedings of the 9th International Conference on Information Systems Security and Privacy (ICISSP)}, publisher = {SciTePress}, pages = {180--191}, year = {2023}, month = feb, abstract = {This article proposes automated methods for threat analysis using a model-based engineering methodology that provides precise guarantees with respect to safety goals. 
This is accomplished by proposing an intruder model for automotive SOA which together with the system architecture and the loss scenarios identified by safety analysis are used as input for computing assets, impact rating, damage/threat scenarios, and attack paths. To validate the proposed methodology, we developed a faithful model of the autonomous driving functions of the Apollo framework, a widely used open source autonomous driving stack. The proposed machinery automatically enumerates several attack paths on Apollo, including attack paths not reported in the literature.}, isbn = {978-989-758-624-8}, issn = {2184-4356}, doi = {10.5220/0011786400003405}, keywords = {automotive, threat analysis, service-oriented architectures, Apollo, automation, safe and secure-by-design, MbSE, Model-based Systems Engineering, AutoFOCUS3, AF3}, } @inproceedings{VNC2020, author = {Dantas, Yuri Gil and Nigam, Vivek and Talcott, Carolyn}, title = {A Formal Security Assessment Framework for Cooperative Adaptive Cruise Control}, booktitle = {IEEE Vehicular Networking Conference (VNC)}, publisher = {IEEE}, pages = {1--8}, year = {2020}, month = dec, abstract = {For increased safety and fuel-efficiency, vehicle platoons use Cooperative Adaptive Cruise Control (CACC) where vehicles adapt their state, incl. speed and position, based on information exchanged between vehicles. Intruders, however, may carry out attacks against CACC platoons by exploiting the communication channels used to cause harm, e.g., a vehicle crash. Therefore, during design-phase, engineers should provide evidence supporting platoon security. This paper proposes a formal framework for the security verification of CACC platoons to provide such evidence based on precise mathematical models. Our vehicle platoon models support the specification of both cyber, e.g., communication protocols, and physical, e.g., speeds, position, vehicle behaviors. 
Moreover, we propose intruder models that are parametric on his capabilities of manipulating communication channels, i.e., message injection and blocking. Our model is implemented enabling the automated formal verification involving both platoon and intruder models. We validate our machinery with a number of attacks taken from the literature and novel attacks discovered by using our formal machinery.}, doi = {10.1109/VNC51378.2020.9318334}, keywords = {attacks, formal verification, platoon, security, AutoFOCUS3, AF3}, } @article{eder2020hardware, author = {Eder, Johannes and Voss, Sebastian and Bayha, Andreas and Ipatiov, Alexandru and Khalil, Maged}, title = {Hardware architecture exploration: automatic exploration of distributed automotive hardware architectures}, journal = {Software and Systems Modeling}, volume = {19}, pages = {911--934}, year = {2020}, month = jul, abstract = {As the engineering of distributed embedded systems is getting more and more complex, due to increasingly sophisticated functionalities demanding more and more powerful hardware, model-based development of software-intensive embedded systems has become a de facto standard in recent years. Among other advantages, it enables design space exploration methods allowing for frontloading techniques which support a system architect already at early stages of development. In this paper, we want to present an approach which is capable of automatically generating automotive E/E architectures (electric/electronic architecture; in-car network of processing units and buses). Based on the concept of viewpoints, we will introduce dedicated technical meta-models, a language to formally describe a hardware architecture exploration problem and an automatic exploration approach using satisfiability modulo theories. We will furthermore introduce a dedicated methodology and show how an exploration integrates into a system development process. 
In the end, we will evaluate our approach by applying it to an industrial use case provided by Continental.}, doi = {10.1007/s10270-020-00786-6}, keywords = {AutoFOCUS3, design-space exploration, DSE, architecture synthesis, deployment synthesis, HW/SW co-design, model-based systems engineering, MbSE, case study}, } @inproceedings{Diewald2019, author = {Diewald, Alexander and Barner, Simon and Saidi, Selma}, title = {Combined Data Transfer Response Time and Mapping Exploration in MPSoCs}, booktitle = {10th International Workshop on Analysis Tools and Methodologies for Embedded and Real-time Systems ({WATERS}) co-located with {ECRTS}}, year = {2019}, month = jul, abstract = {Recent embedded applications such as Autonomous Driver Assistance Systems (ADAS) require large computational resources that increase the need for HW accelerators, e.g., in system-on-chip-based platforms. Synthesising optimal task/data mappings and schedules for such platforms becomes increasingly challenging, even more in safety-critical contexts. For designing real-time heterogeneous systems, response time computation and the resolution of task mapping problems are required as demanded in the WATERS 2019 challenge. Our contribution to address the challenge is to extend a design space exploration (DSE) formulation of mapping applications on MPSoCs architectures to consider DMA-based data (pre)-fetching. The approach is performed in two steps. First, we determine task mappings to a heterogeneous MPSoC platform using a multi-objective evolutionary algorithm (MOEA)-based DSE. In order to check the feasibility of an allocation, and to rate its quality, we use a SMT solver to construct schedules whose latency is close to the achievable minimum. Our task response time analysis considers the effects of memory access times and DMAs to supply the SMT scheduler with data fetching latencies. 
The MOEA-DSE, the SMT scheduler, and the response time calculation are integrated into the AutoFOCUS 3 tool that has been extended with an importer for the AMALTHEA model that specifies the challenge use case.}, howpublished = {10th International Workshop on Analysis Tools and Methodologies for Embedded and Real-time Systems ({WATERS}) co-located with {ECRTS}}, keywords = {AutoFOCUS3, design-space exploration, DSE, deployment synthesis, mapping, model-based systems engineering, MbSE}, url = {https://archives.ecrts.org/fileadmin/WebsitesArchiv/ecrts2019/waters/waters-program/}, } @inproceedings{binabid2019learnability, author = {bin Abid, Saad and Mahajan, Vishal and L{\'{u}}cio, Levi}, title = {Towards Machine Learning for Learnability of MDD Tools}, booktitle = {Software Engineering and Knowledge Engineering (SEKE) Conference, Lisbon, Portugal}, pages = {1--6}, year = {2019}, month = jul, location = {Lisbon, Portugal}, abstract = {Learning how to build software systems using new tools can be a daunting task to anyone new to the job. This is especially true of tools that provide a large number of functionalities and views on the system under development, such as IDEs for Model-Driven Development (MDD). Applying Machine Learning (ML) techniques can help in this state of affairs by pointing out to appropriate next actions to rookie or even intermediate developers. AutoFOCUS3 (AF3) is a mature MDD tool we are building in-house and for which we provide regular tutorials to new users. These users come from both the academia (e.g., students/professors) and the industry (e.g., managers/software engineers). Nonetheless, AF3 remains a complex tool and we have found there is a need to speed up the learning curve of the tool for students that attend our tutorials -- or alternatively and more importantly for others that simply download the tool and attempt using it without human supervision. 
In this paper, we describe a machine learning-based recommendation system named MAGNET for aiding beginner and intermediate users of AF3 in learning the tool. We describe how we have gathered data and trained an ML model to suggest new commands, how a recommender system was integrated in the AF3, experiments we have run thus far, and the future directions of our work.}, doi = {10.18293/SEKE2019-050}, keywords = {Model-Driven Development, MDD, AutoFOCUS3, Machine Learning, Intelligent Recommendation Systems, IRS, Eclipse IDE, Domain-Specific Languages, DSLs, development interaction data, methodology, tooling, model-based systems engineering, MbSE}, } @inproceedings{zverlov2019space, author = {Zverlov, Sergey and Voss, Sebastian and B{\"{o}}hm, Thomas and Herpel, Hans-J{\"{u}}rgen and Kerep, Mladen}, title = {Model-based methodology for space vehicles}, booktitle = {Proceedings of the Eurospace Annual Conference on Data Systems in Aerospace (DASIA)}, year = {2019}, month = jun, abstract = {The technological challenges that companies in the space domain are facing today are becoming more and more complex. On the one hand complexity of the tasks that need to be performed by the new generation of spacecrafts is increasing. On the other hand, the development needs to be cost and time efficient to be able to compete against new players in this domain, such as SpaceX. To deal with these challenges new development tools and methods are needed. In scope of this work we propose a model-based approach for future spacecrafts. 
We integrated this approach into a state-of-the-art model-based tool and applied it onto an industrial case-study to show proof-of-concept.}, keywords = {AutoFOCUS3, case study, model-based systems engineering, MbSE}, } @inproceedings{carlan19wosocer, author = {Nigam, Vivek and Tsalidis, Alexandros and Voss, Sebastian and C{\^{a}}rlan, Carmen}, title = {ExplicitCase: Tool-support for Creating and Maintaining Assurance Arguments Integrated with System Models}, booktitle = {2019 IEEE International Symposium on Software Reliability Engineering Workshops ({ISSREW})}, year = {2019}, abstract = {Assurance cases are collections of standard-mandated documents that entail the specification of system's objectives and a collection of processes, development or verification evidence regarding the satisfaction of the respective objectives. A considerable amount of work has been done in the direction of modelling assurance cases, to support communication and reasoning regarding the system's safety. In this work, we present a set of features of ExplicitCase - a tool for modeling assurance cases. While there is a plethora of tools for creating and managing model-based assurance cases, the uniqueness of our tool is that it integrates assurance case models with system models created in AutoFOCUS3 (AF3) - an open-source model-based development tool for embedded software systems. While trying to keep up with state-of-the-art assurance case editors, the newly implemented features support assurance case creation using typed patterns, change impact analysis for assurance cases, assessment of the confidence in the created assurance arguments, export of the argumentation diagrams generated in ExplicitCase and integration of assurance case models with system models created in AutoFOCUS3. 
In particular, based on the integration with AF3 system models, we propose automatic support for detecting the impact of a change within system models on the assurance case model, thus enabling the integrated development of system and assurance case models.}, doi = {10.1109/ISSREW.2019.00093}, keywords = {AutoFOCUS3, model-based safety cases, ExplicitCase, Model-based systems engineering, MbSE}, } @misc{lucio2018tutorial, author = {L{\'{u}}cio, Levi and Voss, Sebastian and Chuprina, Tatiana and Bayha, Andreas and Eder, Johannes and Kanav, Sudeep}, title = {[T3] Develop your Own Car}, booktitle = {MODELS Conference Tutorials}, series = {MODELS 2018 Conference Tutorials, Copenhagen, Denmark}, year = {2018}, month = oct, address = {Copenhagen, Denmark}, abstract = {AutoFOCUS3 (AF3) is a mature model-driven engineering environment to develop software for embedded systems. For the past 20 years, several versions of AF3 have served as a platform for experimenting with cutting-edge research ideas in Model-Driven Development. AF3 is a tool that fully encompasses the software life cycle, from requirements, to architecture, simulation, deployment, code generation and verification. The attendees of this tutorial will be given the unique opportunity to model and deploy software on a real remote-controlled vehicle, using only AF3. Attendees will start by modeling the software controller for a blinker, which will be integrated with the model of the vehicle’s software. The generated code will then be flashed onto a Raspberry Pi contained in the physical remote-controlled model vehicle which can then be driven in the real world. Attendees who finish early will be able to model more advanced driving assistance functionalities. 
The last part of the tutorial will be dedicated to deepening the attendees’ understanding of the modeling capabilities of AF3 in areas such as requirements engineering, design-space exploration, building safety cases, formal verification, modeling processes, testing or variability modeling.}, keywords = {AutoFOCUS3, case study, fortissimo, rover, model-based systems engineering, MbSE}, url = {https://modelsconf2018.github.io/program/tutorials/#t3-develop-your-own-car}, } @inproceedings{kanav2018modular, author = {Kanav, Sudeep}, title = {A modular approach to integrate verification tools in model based development}, booktitle = {Proceedings of the 21st ACM/IEEE International Conference on Model Driven Engineering Languages and Systems: Companion Proceedings}, publisher = {ACM}, pages = {150--155}, year = {2018}, month = oct, abstract = {The problem of integrating an existing formal verification tool in a given software specification tool arises repeatedly both in industry and academia. At present this task is executed in an ad-hoc manner and is time consuming. Moreover, interpreting the results of the verification to locate and fix the bug (by the human user) is implicitly complicated, hence, time consuming. In this work we draft a solution for reducing the complexity of these tasks and aim at reducing the time required to complete them. We sketch a framework formalizing the concepts required to execute these tasks in a modular fashion and implement a solution based on domain specific languages (DSLs) and parameterizable model transformations. We expect that the modularity of our framework will raise its potential to be reused. 
We plan on evaluating this work on a set of modeling environments and a set of verification tools.}, doi = {10.1145/3270112.3275334}, keywords = {AutoFOCUS3, simulation, case study, model-based systems engineering, MbSE}, } @inproceedings{lucio2018rover, author = {L{\'{u}}cio, Levi and Kanav, Sudeep and Bayha, Andreas and Eder, Johannes}, title = {Controlling a virtual rover using {AutoFOCUS3}}, booktitle = {Proceedings of the {MDETools} Workshop co-located with {MODELS} 2018}, series = {{CEUR} Workshop Proceedings}, volume = {2245}, pages = {356--365}, year = {2018}, month = oct, abstract = {AUTOFOCUS3 (AF3) is a mature model-driven engineering environment for developing software for embedded systems. For the past 20 years, several versions of AF3 have served as a platform for experimenting with cutting edge research ideas in Model-Driven Development. AF3 is a tool that fully encompasses the software lifecycle, from requirements, to architecture, simulation, deployment, code generation and verification. In this article, we describe how we used an existing model of a complex controller for a real-life miniature vehicle and have downsized and adapted it to control a rover in a virtual environment. The model we present here automates the maneuvering of a rover to follow another leader rover in a virtual environment, while keeping a safe distance to it. The controller operates by adapting the rover’s speed and steering according to the position and movements of the leader. 
The results we present in this article illustrate the whole development cycle of an embedded system using AF3, from the development of the model down to deployment to a specific platform as well as code generation and connecting to the hardware.}, keywords = {AutoFOCUS3, case study, fortissimo, rover, model-based systems engineering, MbSE}, url = {http://ceur-ws.org/Vol-2245/mdetools_paper_6.pdf}, } @inproceedings{eder2018exploration, author = {Eder, Johannes}, title = {Exploration of hardware topologies based on functions, variability and timing}, booktitle = {Proceedings of the 21st ACM/IEEE International Conference on Model Driven Engineering Languages and Systems: Companion Proceedings}, publisher = {ACM}, pages = {145--149}, year = {2018}, month = oct, abstract = {This paper gives an overview of a dissertation project in the area of design space exploration for distributed, embedded systems. As the engineering of distributed embedded systems is getting more and more complex due to increasingly sophisticated functionalities demanding more and more powerful hardware, automation is required in order to cope with this rising complexity. Using a model based systems engineering approach enables design space exploration methods which provide such automations, given a formalization of the problem in order to be solvable e.g. by SMT solvers. In this thesis we want to provide an automated synthesis of hardware topologies (E/E architectures) based on the functions which are deployed onto this topology and constraints and optimization objectives which are derived from the requirements of the system. The synthesis shall consider variability aspects (possible variants) of the hardware elements. Additionally, timing aspects of the deployed shall be regarded such that the solution of the synthesis is a hardware topology, a deployment of functions onto this topology and a schedule of these functions. 
The thesis shall be evaluated by using an automotive industrial use case of realistic size.}, doi = {10.1145/3270112.3275333}, keywords = {AutoFOCUS3, design-space exploration, DSE, architecture synthesis, HW/SW co-design, model-based systems engineering, MbSE}, } @inproceedings{eder2018deployment, author = {Eder, Johannes and Bayha, Andreas and Voss, Sebastian and Ipatiov, Alexandru and Khalil, Maged}, title = {From deployment to platform exploration: automatic synthesis of distributed automotive hardware architectures}, booktitle = {Proceedings of the 21st ACM/IEEE International Conference on Model Driven Engineering Languages and Systems}, pages = {438--446}, year = {2018}, month = oct, organization = {ACM}, abstract = {In order to cope with the rising complexity of today's systems, model-based development of software-intensive embedded systems has become a de-facto standard in recent years. In a previous work, we demonstrated how such a model-based approach can enable automatization of certain development steps, namely the deployment of logical (platform-independent) system models to technical (platform-specific) system models. Together with Continental, we especially focused on industrial applicability. In this work, we demonstrate how we extended, again in cooperation with Continental, the previous approach in order to enable a synthesis of the topology of technical platforms (E/E architectures) together with a deployment. We furthermore introduced variability concepts in order to model variants of technical platforms which is an industrial required need. 
Our approach is thus capable of calculating a platform architecture and its topology which is optimized in terms of the deployment of logical system models, constraints, optimization objectives and chooses the optimal variant for all technical models.}, doi = {10.1145/3239372.3239385}, keywords = {AutoFOCUS3, design-space exploration, DSE, architecture synthesis, HW/SW co-design, model-based systems engineering, MbSE, case study}, } @incollection{migge2018algorithms, author = {Migge, J{\"{o}}rn and Balbastre, Patricia and Barner, Simon and Chauvel, Franck and Craciunas, Silviu S. and Diewald, Alexander and Durrieu, Guy and Haugen, Oystein and Syed, Ali Abbas Jaffari and Pagetti, Claire and Oliver, Ramon Serna and Vasilevskiy, Anatoly}, editor = {Ahmadian, Hamidreza and Obermaisser, Roman and P{\'{e}}rez, Jon}, title = {Algorithms and Tools}, booktitle = {Distributed Real-Time Architecture for Mixed-Criticality Systems}, publisher = {{CRC} Press}, pages = {98}, year = {2018}, month = aug, timestamp = {2018.08.21}, abstract = {This chapter introduces the algorithms and tools to support the design and verification activities of the model driven development process. In addition, the scheduling and configuration algorithms are described to support different scheduling domains of the DREAMS architecture. This chapter begins with Section 5.1.2, which describes variability and design space exploration in the design of mixed-criticality systems. In Section 5.2, scheduling algorithms at different levels, e.g., partition level, task level, on-chip and off-chip communication are elaborated. Adaptation strategies are another topic which is covered in Section 5.3. Recovery strategies, transition modes for faster switching and algorithms for online admission of tasks in offline scheduling tables are described in this section. Timing analysis is described in Section 5.4 at different levels and Section 5.5 describes the tools. 
In Section 5.6 three toolchain use cases are presented that help to apply the toolchain.}, isbn = {978-0-8153-6064-3}, doi = {10.1201/9781351117821-5}, keywords = {AutoFOCUS3, design-space exploration, DSE, architecture synthesis, HW/SW co-design, model-based systems engineering, MbSE}, } @incollection{barner2018modeling, author = {Barner, Simon and Chauvel, Franck and Diewald, Alexander and Eizaguirre, Fernando and Haugen, Oystein and Migge, J{\"{o}}rn and Vasilevskiy, Anatoly}, editor = {Ahmadian, Hamidreza and Obermaisser, Roman and P{\'{e}}rez, Jon}, title = {Modeling and Development Process}, booktitle = {Distributed Real-Time Architecture for Mixed-Criticality Systems}, publisher = {{CRC} Press}, pages = {76}, year = {2018}, month = aug, timestamp = {2018.08.21}, abstract = {This chapter introduces the DREAMS metamodel and a model-driven development process ranging from variability exploration to configuration synthesis. The metamodel is described in Section 4.1 and is organized into a set of viewpoints, each of which represents one system aspect. The logical viewpoint is introduced in Section 4.2 and allows for the platform-independent description of applications. The technical viewpoint enables the hierarchical description of the architecture and services of the platform. The timing viewpoint is introduced in Section 4.3 to model timing requirements that must be satisfied in order to guarantee a correct and safe operation of the system. Safety management is another topic that is covered in Section 4.4 and is supported by a safety modeling viewpoint. The deployment and resource allocation viewpoints are addressed in Section 4.5 and link the application model with the platform model. Section 4.6 describes a configuration viewpoint and defines a model-driven process to generate deployable configuration artifacts for HW/SW target platform. 
Lastly, in Section 4.7 a variability viewpoint constitutes the basis of a product-line exploration process.}, isbn = {978-0-8153-6064-3}, doi = {10.1201/9781351117821-4}, keywords = {AutoFOCUS3, methodology, tooling, model-based systems engineering, MbSE}, } @inproceedings{voss2018handling, author = {Voss, Sebastian and Eder, Johannes}, title = {Handling system complexity in sCPS: usable design space exploration}, booktitle = {2018 IEEE/ACM 4th International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS)}, pages = {2--5}, year = {2018}, month = may, organization = {IEEE}, abstract = {With a growing demand for complex features in smart cyber physical systems, the design of such system is getting increasingly complex. These features demand sound and scalable approaches to deal with the increasing design space. Consequently, standards (e.g. like ISO26262) propose methods and techniques for the systematic development of (in this case: automotive) systems. The growing amount of functionality correspondingly require more powerful electronic platforms and thus methods to deal with the integration. In this paper, we describe drivers for complexity and illustrate how formal methods, namely design space exploration techniques, can be applied to deal with this complexity. 
This approach is based on requirements defined by the given standards and supports the system designer by a (semi-) automatic approach to handle the complexity in system design - already in early design phases.}, doi = {10.1145/3196478.3196489}, keywords = {AutoFOCUS3, design-space exploration, DSE, deployment synthesis, mapping, model-based systems engineering, MbSE}, } @inproceedings{Diewald2018, author = {Diewald, Alexander and Barner, Simon and Voss, Sebastian}, title = {Architecture Exploration for Safety-Critical Systems}, booktitle = {Proceedings of the DATE Workshop on New Platforms for Future Cars: Current and Emerging Trends (NPCAR)}, year = {2018}, month = mar, abstract = {Future cars will host massively more functionality that comes along with the introduction of new technologies such as neural networks and data fusion, which are enablers for autonomous driving, but which require massive processing capabilities. Hence, new architectures are required that can handle the contradicting requirements for efficiency and safety compliance. The increased complexity and size of upcoming target architectures raise the need for advanced design methodologies and tool support. In this work, we present an approach that combines model-driven development (MDD) with design space exploration (DSE) that can explore suitable architectures of safety functions and platforms also in early design phases and enables trade-off decisions. 
The DSE uses optimization decomposition for complexity reduction and reusability while respecting the dependencies implied by development processes.}, keywords = {AutoFOCUS3, design-space exploration, DSE, architecture synthesis, HW/SW co-design, model-based systems engineering, MbSE}, } @inproceedings{eder2017bringing, author = {Eder, Johannes and Zverlov, Sergey and Voss, Sebastian and Khalil, Maged and Ipatiov, Alexandru}, title = {Bringing DSE to life: exploring the design space of an industrial automotive use case}, booktitle = {2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS)}, pages = {270--280}, year = {2017}, month = sep, organization = {IEEE}, abstract = {In order to cope with the rising complexity of today's systems, model-based development of software-intensive embedded systems has become a de-facto standard in recent years. Such a development approach enables a variety of frontloading methods. Design space exploration is one of those techniques. However, in order to properly perform a valid exploration, a system model has to have a certain quality. This requires dedicated, meaningful models as an input according to well-known design principles, which entails the structuring of models according to different viewpoints and usage of dedicated models for each of these viewpoints. In this work, we demonstrate how, based on an industrial application model represented in SysML, design space exploration methods can be efficiently applied to enable the synthesis of deployments from logical (platform-independent) system models to technical (platform-specific) system models. 
Moreover, we will demonstrate the applicability of this approach by a project conducted with Continental.}, doi = {10.1109/MODELS.2017.36}, keywords = {AutoFOCUS3, design-space exploration, DSE, deployment synthesis, mapping, model-based systems engineering, MbSE, case study}, } @inproceedings{, author = {Barner, Simon and Diewald, Alexander and Migge, J{\"{o}}rn and Syed, Ali Abbas Jaffari and Fohler, Gerhard and Faug{\`{e}}re, Madeleine and Gracia P{\'{e}}rez, Daniel}, title = {DREAMS Toolchain: Model-Driven Engineering of Mixed-Criticality Systems}, booktitle = {Proceedings of the ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS '17)}, publisher = {IEEE}, pages = {259--269}, year = {2017}, month = sep, abstract = {Mixed-criticality systems (MCS) aim at boosting the integration density in safety-critical systems, resulting into efficient systems, while simultaneously providing increased performance. The DREAMS project provides a cross-domain architectural style for MCS based on networked, virtualized multi-cores controlled by hierarchical resource managers. However, the availability of a platform is only one side of the coin: deploying mixed-critical applications to shared resources typically requires design-time configurations (e.g., to ensure real-time constraints or separation constraints mandated by safety regulations). These configurations are the outcome of complex optimization problems which are intractable in a manual process that also hardly can guarantee the consistency of all deployable artefacts nor their traceability to the requirements. However, existing toolchains lack support for MCS integration, and particularly DREAMS' advanced platform capabilities. We present an integrated model-driven toolchain and the underlying metamodels covering all relevant aspects of MCS including applications, timing, platforms, deployments, configurations and annotations for extra-functional properties such as safety. 
The approach focuses on the left branch of the V-cycle, and ranges from product-line and design space exploration to resource allocation and configuration generation. We report on the integration of exploration tools and a reconfiguration graph synthesizer, and evaluate the resulting toolchains in two use cases consisting of a product-line of wind power control applications and an avionic subsystem respectively.}, doi = {10.1109/MODELS.2017.28}, keywords = {Multicore processing, Resource management, Safety, Tools, Mixed-Criticality Systems, Product-Lines, AutoFOCUS3, design-space exploration, DSE, architecture synthesis, HW/SW co-design, model-based systems engineering, MbSE}, } @inproceedings{, author = {C{\^{a}}rlan, Carmen and Barner, Simon and Diewald, Alexander and Tsalidis, Alexandros and Voss, Sebastian}, title = {ExplicitCase: Integrated Model-based Development of System and Safety Cases}, booktitle = {Proceedings of the SAFECOMP 2017 Workshops ASSURE, DECSoS, SASSUR, TELERISE, and TIPS}, publisher = {Springer}, series = {LNCS}, volume = {10489}, pages = {52--63}, year = {2017}, month = sep, timestamp = {2017.09.12}, abstract = {Tools for creating safety cases currently on the market target safety experts, whose main concern is the management of safety cases. However, for safety assurance, safety experts should collaborate with technical experts, who have better understanding of technical and operational hazards. Thus, there should be a closer collaboration between the management of safety cases and technical expertise. Technical expertise may be retrieved, among others, from model-based system artifacts and processes. In order to close the gap between safety and technical expertise, we present ExplicitCase, an open-source tool for semi-automatic modeling, maintenance, and verification of safety cases integrated with system models. The advantage of this tool is two-fold. 
First, it enables its users to capture safety relevant information from model-based artifacts into safety cases. Second, it makes the safety cases rationale available to engineers in order to help them reason about design choices, while minding safety concerns. We evaluate the approach and the implemented tool based on the experiences obtained in a project use case.}, isbn = {978-3-319-66284-8}, doi = {10.1007/978-3-319-66284-8_5}, keywords = {Safety Cases, Goal Structuring Notation, System Models, AutoFOCUS3, model-based safety cases, ExplicitCase, model-based systems engineering, MbSE}, } @phdthesis{, author = {Teufl, Sabine}, title = {Seamless Model-based Requirements Engineering: Models, Guidelines, Tools}, year = {2017}, month = may, school = {Technische Universit{\"{a}}t M{\"{u}}nchen}, abstract = {A practical model-based approach for requirements engineering (RE) should address all of the following challenges: Textual documentation; analysis, validation and verification of requirements; the integration of RE into a comprehensive development approach; guidance and tool support. These challenges have previously been studied in isolation. 
This work examines these challenges holistically, selects models, guidelines and tool support, and integrates them into a seamless model-based RE approach.}, type = {Dissertation}, keywords = {AutoFOCUS3, MIRA, model-based requirements engineering, model-based systems engineering, MbSE}, url = {http://nbn-resolving.de/urn/resolver.pl?urn:nbn:de:bvb:91-diss-20171006-1360281-1-5}, } @inproceedings{DBLP:conf/models/KanavA17, author = {Kanav, Sudeep and Aravantinos, Vincent}, title = {Modular Transformation from {AF3} to nuXmv}, booktitle = {Proceedings of {MODELS} 2017 Satellite Event: Workshops (ModComp, ME, EXE, COMMitMDE, MRT, MULTI, GEMOC, MoDeVVa, MDETools, FlexMDE, MDEbug), Posters, Doctoral Symposium, Educator Symposium, {ACM} Student Research Competition, and Tools and Demonstrations}, pages = {300--306}, year = {2017}, abstract = {{AutoFOCUS3 (AF3)} supports formal verification of its models using the {nuXmv} model checker. This requires a model transformation from {AF3} to {nuXmv} models. In this paper we present this behavior transformation. It is a two way transformation between a high-level and a low-level model involving intricate cases typical of behavior transformations whose solutions can therefore be beneficial to the community.}, keywords = {AutoFOCUS3, formal verification, model-based systems engineering, MbSE}, url = {http://ceur-ws.org/Vol-2019/modevva_1.pdf}, crossref = {DBLP:conf/models/2017s}, } @inproceedings{8101258, author = {Aravantinos, Vincent and Kanav, Sudeep}, title = {Tool Support for Live Formal Verification}, booktitle = {2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS)}, pages = {145--155}, year = {2017}, abstract = {Despite an increasing interest from industry (e.g., DO333 standard [1]), formal verification is still not widely used in production for safety critical systems. 
This has been recognized for a while and various causes have been identified, one of them being the lack of scalable and cost effective tools. Many such tools exist for formal verification, but few of them are user-friendly: using formal verification generally still requires such an effort that the time spent on the tool prevents the integration of the method in an industrial setting. This paper presents a tool prototype aiming at supporting non-experts in using formal verification. The tooling approach is meant to be cost effective and change-supportive: user-friendliness is designed not only for the non-expert, but also to require minimum effort so that formal verification is triggered even for the non-enthusiast who is not willing to push a button. To do so, we trigger, in a background task, pre-defined formal verification checks at (almost) every change of the model. We only display error messages in case of problem: the user is not disturbed if no problem is detected. To prevent checks from being triggered all the time, we decide to consider only local analyses (i.e., only checks which do not require knowledge of elements in a remote position in the model). 
This restricts the sort of formal verification that we support, but this is a conscious choice: our motto is ``Let us first make basic techniques very user-friendly; more powerful ones will be considered only when at least the basic techniques have proven to be accepted''.}, doi = {10.1109/MODELS.2017.6}, keywords = {program verification, software tools, formal verification, safety critical systems, automata, component architectures, AutoFOCUS3, formal verification, model-based systems engineering, MbSE}, } @inproceedings{, author = {Eder, Johannes and Voss, Sebastian}, title = {Usable Design Space Exploration in {AutoFOCUS3}}, booktitle = {Joint Proceedings of the 12th Educators Symposium (EduSymp 2016) and 3rd International Workshop on Open Source Software for Model Driven Engineering (OSS4MDE 2016) co-located with MODELS 2016}, publisher = {CEUR-WS}, pages = {51--58}, year = {2016}, month = oct, abstract = {Software-intensive embedded systems are characterized by an increasing number of features that implement complex functionalities. To effectively manage this complexity, development processes in general, and model-based approaches in particular, support the development of such systems as model-based approaches have been considered a central design approach to deal with increasing complexity in software and hardware development. A valid system design and configuration, especially a safety-critical system design, has to fulfill a corresponding set of requirements describing all desired system constraints and objectives. In general, these constraints may be contradicting and correspond to different dimensions (e.g. timing, safety, energy, cost, etc.). Thus, considering all system constraints during system design is a manually unsolvable task. To support the system designer, usable Design Space Exploration methods are needed. Therefore, a proper tool implementation is needed that supports the usability. 
In this paper, we describe a Design Space Exploration process which aims to explore the architectural design space during system design. This process has been implemented in the open source CASE tool AutoFOCUS3 with the focus on usability.}, keywords = {AutoFOCUS3, design-space exploration, DSE, model-based systems engineering, MbSE}, url = {http://ceur-ws.org/Vol-1835/paper08.pdf}, } @inproceedings{Barner2016, author = {Barner, Simon and Diewald, Alexander and Eizaguirre, Fernando and Vasilevskiy, Anatoly and Chauvel, Franck}, title = {Building Product-lines of Mixed-Criticality Systems}, booktitle = {Proceedings of the Forum on Specification and Design Languages (FDL 2016)}, publisher = {IEEE}, year = {2016}, month = sep, address = {Bremen, Germany}, abstract = {Mixed-Criticality Systems (MCS) reconcile safety-critical requirements with multi-core architectures, by offering spatial and temporal isolation while preserving other extra-functional properties such as optimised energy consumption or minimised latencies. MCS designers struggle to manually balance the offered functionalities with pertinent implementation choices in order to ensure that the system eventually meets all constraints. Existing attempts to further automate this process focus on specific concerns, and fail to account for variation in system functionalities. Our contribution is to integrate product-lines that capture functional variations with evolutionary optimisation to explore possible implementations and their impact on extra-functional properties. Our solution is a model-driven process (and a tool prototype) to automatically select functionally different products that balance well the various concerns of interest. 
We illustrate how this process applies to the construction of wind turbines.}, doi = {10.1109/FDL.2016.7880378}, keywords = {Product-lines, cyber-physical systems, MCS, evolutionary optimisation, mixed-criticality systems, multicore architectures, wind turbines, Energy consumption, AutoFOCUS3, design-space exploration, DSE, architecture synthesis, HW/SW co-design, model-based systems engineering, MbSE}, } @inproceedings{voss2016schedule, author = {Voss, Sebastian and Eder, Johannes and Sch{\"{a}}tz, Bernhard}, title = {Schedule synthesis for multi-period SW components}, booktitle = {SAE 2016 World Congress and Exhibition}, publisher = {SAE International}, year = {2016}, month = apr, institution = {SAE Technical Paper}, abstract = {The growing complexity of functionalities in automotive vehicles and their safety-criticality, including timing requirements, demands sound and scalable approaches to deal with the increasing design space. Most often, such complex automotive systems are composed of a set of functions that are characterized by multi-period timing behaviors, e.g., due to environment constraints limiting sensing/acting frequencies, or various worst case execution times of software components. As safety-critical systems must perform the desired behavior within guaranteed time bounds, a valid system configuration is needed including a time-correct schedule that fulfills all timing requirements. This contribution proposes a systematic and correct schedule synthesis of complex multi-rate automotive software systems that ensures precise timing behavior of software components. The proposed synthesis approach - guaranteeing given timing requirements, based on preemptive, time-triggered scheduling - optimizes non-harmonic task sets by minimizing context switches between these tasks. 
This approach is integrated into the AUTOFOCUS 3 tool-chain, using its models of a software component architecture as well as of a hardware platform, combined with precalculated interrupt sets and a symbolic encoding scheme to synthesize schedules meeting the given multi-rate timing requirements. The approach is demonstrated using an Adaptive Cruise Control System.}, issn = {2688-3627}, doi = {10.4271/2016-01-0012}, keywords = {AutoFOCUS3, design-space exploration, DSE, scheduling, model-based systems engineering, MbSE}, } @inproceedings{Diewald2016, author = {Diewald, Alexander and Voss, Sebastian and Barner, Simon}, title = {A Lightweight Design Space Exploration and Optimization Language}, booktitle = {Proceedings of the 19th International Workshop on Software and Compilers for Embedded Systems (SCOPES '16)}, publisher = {ACM}, pages = {190--193}, year = {2016}, address = {New York, NY, USA}, location = {Sankt Goar, Germany}, abstract = {The solution of many engineering and scientific problems requires the exploration of a huge n-dimensional design space. Typical approaches rely on an abstract problem model consisting of a system model (description of the problem's variable couplings) and an optimization specification defining the objectives as well as the constraints bounding the design space. Advances in solver technologies enabled to efficiently search the solution space, however the diversity of the approaches led to problem descriptions that are difficult to reuse, as well as to solutions that are hard to compare. Our Exploration Meta-Model (EMM) addresses this issue by providing a unified language for optimization specifications that is a well-defined basis for model-based implementations of solver-independent design-space exploration (DSE) tool-chains. 
The EMM is a light-weight framework that allows to a) describe optimization specifications independent of particular optimization methods and solvers, b) relate solutions and optimization specifications, and c) define domain profiles that provide high-level optimization specifications that ease the adoption of automated DSE by domain experts. The applicability of our framework to different optimization methods is demonstrated by applying it to the generic vector optimization problem and to single-objective linear programs. The EMM's support to relate optimization results to input specifications is exercised for the Opt4J framework. Finally, a profile for real-time embedded systems demonstrates how the EMM can be tailored to specific domains.}, isbn = {978-1-4503-4320-6}, doi = {10.1145/2906363.2906367}, keywords = {AutoFOCUS3, design-space exploration, DSE, model-based systems engineering, MbSE}, } @incollection{, author = {Aravantinos, Vincent and Voss, Sebastian and Teufl, Sabine and H{\"{o}}lzl, Florian and Sch{\"{a}}tz, Bernhard}, title = {AutoFOCUS 3: Tooling Concepts for Seamless, Model-based Development of Embedded Systems}, booktitle = {ACES-MB\&WUCOR@MoDELS 2015}, publisher = {CEUR-WS.org}, series = {CEUR Workshop Proceedings}, pages = {19--26}, year = {2015}, abstract = {This paper presents tooling concepts in AutoFOCUS 3 supporting the development of software-intensive embedded system design. AutoFOCUS 3 is a highly integrated model-based tool covering the complete development process from requirements elicitation, deployment, the modelling of the hardware platform to code generation. This is achieved thanks to precise static and dynamic semantics based on the FOCUS theory. Models are used for requirements, for the software architecture (SA), for the hardware platform and for relations between those different viewpoints: traces from requirements to the SA, refinements between SAs, and deployments of the SA to the platform. 
This holistic usage of models allows the provision of a wide range of analysis and synthesis techniques such as testing, model checking and deployment and scheduling generation. In this paper, we demonstrate how tooling concepts on different steps in the development process look like, based on these integrated models and implemented in AutoFOCUS 3.}, keywords = {AutoFOCUS3, Seamless MBD, Model-Based Development, Embedded Systems, Tooling Concept, Tooling, model-based systems engineering, MbSE}, url = {http://ceur-ws.org/Vol-1508/paper4.pdf}, } @inproceedings{schaetz2015, author = {Sch{\"{a}}tz, Bernhard and Zverlov, Sergey and Voss, Sebastian}, title = {Automating Design-Space Exploration: Optimal Deployment of Automotive SW-Components in an ISO26262 Context}, booktitle = {Design Automation Conference (DAC), 2015 52st ACM/EDAC/IEEE}, year = {2015}, abstract = {With a growing demand for complex, safety-critical features in automotive vehicles, functional safety is a key issue of automotive software development. Consequently, standards like ISO26262 propose methods and techniques for the systematic development of automotive software. Furthermore, the growing amount of functionality - including active safety systems or automated driver assistance functions - on the control of the vehicle dynamics and the correspondingly used more powerful electronic platforms requires methods supporting the development of systems in an increasingly complex design space. 
In this contribution, an approach is presented that supports the allocation of software functions to hardware elements in an automated fashion, respecting the separation constraints concerning assurances levels.}, doi = {10.1145/2744769.2747912}, keywords = {AutoFOCUS3, design-space exploration, DSE, deployment synthesis, mapping, model-based systems engineering, MbSE}, } @inproceedings{voss2014design, author = {Voss, Sebastian and Eder, Johannes and H{\"{o}}lzl, Florian}, title = {Design Space Exploration and its Visualization in AutoFOCUS3}, booktitle = {Software Engineering (Workshops)}, pages = {57--66}, year = {2014}, month = feb, abstract = {Software-intensive embedded systems are characterized by an increasing number of features that implement complex safety-critical functionalities. These systems are more and more developed in a model-based fashion that has been considered as a central design approach to deal with the increase in software complexity. These kinds of embedded systems always require multiple constraints both functional and non-functional ones. AutoFOCUS3 is a model-based development framework using tightly integrated models that enable to perform design space exploration for multi-criteria problems. Finding suitable deployments, meaning the (efficient) assignment of software components to hardware components, is one of these problems. This paper illustrates how such a Design Space Exploration approach in a model-based framework can support the system designer in a (semi-) automatic way, enabling to compare different valid design solutions, w.r.t. a set of given system requirements. We propose a visualization technique to efficiently guide the system designer through such a calculated solution space. 
The presented approach has been implemented in the AutoFOCUS3 framework.}, keywords = {AutoFOCUS3, design-space exploration, DSE, model-based systems engineering, MbSE}, url = {http://ceur-ws.org/Vol-1129/paper33.pdf}, } @inproceedings{, author = {Zverlov, Sergey and Voss, Sebastian}, title = {Synthesis of Pareto Efficient Technical Architectures for Multi-core Systems}, booktitle = {Computer Software and Applications Conference Workshops (COMPSACW), 2014 IEEE 38th International}, year = {2014}, abstract = {In the area of embedded systems there exists a continuous need for more computing power while still fulfilling a large set of constraints in - for instance - timing, safety, cost and energy consumption. Since single-core technologies seem to reach their limits, multi-core systems became the trend in this area. This paper describes a synthesis approach of application-specific homogeneous multi-core architectures, which are optimized towards timing, number of cores and energy consumption. Our method finds the optimal number of cores of the multi-processor system, along with the mapping of tasks onto these cores with the corresponding schedules and the frequency for each core. Since the optimization criteria are concurrent, the results are presented as a Pareto front. The approach is integrated in the model-based tooling framework, called Auto FOCUS3. As input our approach uses the information from the logical architecture of AF3, which represents a component based structure view of the system under development. 
The approach is based on the Branch \& Bound algorithm, which was adapted for our three-dimensional optimization problem.}, doi = {10.1109/COMPSACW.2014.63}, keywords = {AutoFOCUS3, design-space exploration, DSE, architecture synthesis, HW/SW co-design, model-based systems engineering, MbSE}, } @inproceedings{, author = {Kelly, Tim and C{\^{a}}rlan, Carmen and Voss, Sebastian}, title = {Model-Based Safety Cases in AutoFOCUS3 (Tool Demonstration)}, booktitle = {Proceedings of the 1st International Workshop on Assurance Cases for Software-intensive Systems ({ASSURE} 2013)}, year = {2013}, month = may, keywords = {AutoFOCUS3, model-based safety cases, ExplicitCase, model-based systems engineering, MbSE}, url = {https://www.cs.york.ac.uk/assure2013/Program.html}, } @inproceedings{, author = {Voss, Sebastian and Sch{\"{a}}tz, Bernhard}, title = {Deployment and Scheduling Synthesis for Mixed-Critical Shared Memory Applications}, booktitle = {Proceedings of the Engineering Computer-Based Systems Conference ({ECBS} '13)}, publisher = {IEEE}, pages = {100--109}, year = {2013}, month = apr, address = {Phoenix, AZ, USA}, abstract = {This paper presents an efficient approach for generating suitable system architectures for embedded systems efficiently. Thereby, we focus on a joint generation of schedules and deployment for mixed-criticality multicore architectures using shared memory. The presented approach computes task and message schedules that are optimized with respect to a global discrete time base. As part of the solution, our approach generates an optimized assignment of tasks to computation resources (cores) concerning local memory constraints of cores and criticality constraints of tasks. This approach is integrated into the Auto FOCUS3 tool-chain, using a formally defined model of computation with explicit data-flow and discrete-time semantics to develop multi-criticality embedded systems. 
Our approach relies on a symbolic encoding scheme, based on a system model that is derived from the system architecture. This paper provides a formalization describing the scheduling problem as a satisfiability problem using boolean formulas and linear arithmetic constraints. A state-of-the-art satisfiability modulo theory (SMT) solver is used to compute the joint schedule and deployment for such architectures. This paper demonstrates that state-of-the art satisfiability modulo theory solvers can be used to efficiently compute (safety-oriented) deployments including real-time task and communication schedules for mixed-criticality applications.}, doi = {10.1109/ECBS.2013.23}, keywords = {deployment synthesis, mapping, scheduling, shared-memory applications, SMT, AutoFOCUS3, design-space exploration, DSE, model-based systems engineering, MbSE}, } @inproceedings{, author = {Voss, Sebastian and Kondeva, Antoaneta and Ratiu, Daniel and Sch{\"{a}}tz, Bernhard}, title = {Seamless Model-based Development of Embedded Systems with {AF3} Phoenix}, booktitle = {Tool demonstration on the 20th Annual {IEEE} International Conference and Workshops on the Engineering of Computer Based Systems ({ECBS})}, pages = {212}, year = {2013}, month = apr, abstract = {To effectively and efficiently use a model-based development process, tools must offer integrated system views on several levels of abstraction, and provide useable sophisticated analysis and synthesis techniques. 
We demonstrate how these features are implemented for the development of embedded systems in AF3 Phoenix.}, doi = {10.1109/ECBS.2013.20}, keywords = {AutoFOCUS3, methodology, tooling, model-based systems engineering, MbSE}, } @inproceedings{, author = {Hattendorf, Anton and Voss, Sebastian}, title = {Emergency Shutdown System Demonstrator using {AutoFOCUS3}}, booktitle = {Proceedings of the {W8} Workshop on Industry-Driven Approaches for Cost-effective Certification of Safety-Critical, Mixed-Criticality Systems ({WICERT}) (co-located with {DATE})}, year = {2013}, abstract = {For safety critical applications, separation is needed in hardware and software. The model based development tool AutoFocus 3 supports design, simulation and verification of safety critical applications. It uses a hierarchical component based model and provides a complete tool chain from application design to running code. Our separation platform provides spatial and temporal separation in a shared memory architecture. Temporal separation is achieved through a special DDR2 arbiter, while spatial separation is enforced through a MPU that guards the shared memory. The Emergency Shutdown System Demonstrator - jointly implemented by Danfoss Drives and fortiss GmbH - implements a software controlled emergency shutdown system. It uses a dual core architecture. All inputs are forwarded to both cores. When the emergency switch is hit, both cores independently shut down the system. The application logic is designed and verified using AF3. The application components are deployed to the cores. 
Finally the automated code generation of the AF3 tool chain is used to bring the application to the hardware.}, keywords = {AutoFOCUS3, Danfoss, Emergency Shutdown, Demonstrator, Model-based Systems Engineering, MbSE}, } @inproceedings{TMR2013, author = {Teufl, Sabine and Mou, Dongyue and Ratiu, Daniel}, title = {MIRA: A Tooling-Framework to Experiment with Model-Based Requirements Engineering}, booktitle = {Proceedings of the 21st IEEE International Requirements Engineering Conference (RE)}, year = {2013}, timestamp = {2013.05.31}, owner = {teufl}, abstract = {Model-based requirements engineering supports eliciting, specifying and analyzing the work products elaborated during the requirements engineering process by providing adequate models. However, especially the inclusion of formal models needs to be investigated further. These models represent requirements and have to be integrated with reference models that define and structure the work results and their relations. We have developed the research tool MIRA to provide an infrastructure for the tool-based evaluation of the usage of models in the field of requirements engineering. In this paper we present the research questions addressed by MIRA concerning the reference model and the formal models. We explain how MIRA supports answering these research questions.}, doi = {10.1109/RE.2013.6636740}, keywords = {AutoFOCUS3, MIRA, model-based requirements engineering, model-based systems engineering, MbSE}, } @inproceedings{, author = {Voss, Sebastian and Sch{\"{a}}tz, Bernhard and Khalil, Maged and C{\^{a}}rlan, Carmen}, title = {Towards Modular Certification using Integrated Model-Based Safety Cases}, booktitle = {Proceedings of the International Workshop on Verification and Assurance ({VeriSure} 2013) (co-located with {CAV})}, publisher = {Springer}, year = {2013}, abstract = {Software-intensive systems are characterized by an increasing number of features implementing complex functionalities. 
In many domains, these new functionalities perform more and more safety-critical tasks. To argue about the safety of such systems, Safety Cases are a proven technique that allows a systematic argumentation. Safety Cases may contain complex arguments that can be decomposed corresponding to modular system artifacts. This paper illustrates how a model-based system design can be tightly integrated with safety case arguments, to demonstrate both how safety cases link safety-specific analysis techniques like FMEA or FTA to architectural elements to provide evidence for safety argumentation, as well as how safety cases can be directly applied to efficiently guide the construction of the system architecture w.r.t. the claims given in the safety case. We demonstrate how existing information about the system and tool assisted techniques (e.g. formal verification, statistical testing) can be integrated into a safety case for a convincing argument in a seamless model-based development environment.}, keywords = {Modular Certification, Safety Cases, Model-based Development, AutoFOCUS3, model-based safety cases, ExplicitCase, model-based systems engineering, MbSE}, url = {http://fm.csl.sri.com/VeriSure2013/}, } @inproceedings{, author = {Mou, Dongyue and Ratiu, Daniel}, title = {Binding requirements and component architecture by using model-based test-driven development}, booktitle = {2012 First IEEE International Workshop on the Twin Peaks of Requirements and Architecture (TwinPeaks)}, pages = {27--30}, year = {2012}, month = sep, abstract = {Model-based testing is a well known technique to generate automatically highly qualitative tests for a given system based on a simplified testing model. Test-driven development is an established development practice in agile development projects, which implies firstly the partial specification of a system by using tests, and after this, the development of the system. 
In test driven development the system implementation is continuously checked against the tests in order to assess its correctness with respect to the specification. In this paper we investigate how these two methods can be combined such that the advantages of these two approaches can be leveraged: highly qualitative test-cases used as specification of requirements and support of a continuous checking of architecture. We propose to formalize sub-sets of requirements into models that are amenable to generate tests by using automatic techniques well-known from model based testing. These tests can then be used to check the system architecture specification against the requirements in a continuous manner.}, doi = {10.1109/TwinPeaks.2012.6344557}, keywords = {automatic programming, formal specification, object-oriented programming, program testing, program verification, software architecture, software prototyping, AutoFOCUS3, MIRA, model-based requirements engineering, model-based systems engineering, MbSE}, } @inproceedings{blech2012, author = {Blech, Jan Olaf and Mou, Dongyue and Ratiu, Daniel}, title = {Reusing Test-Cases on Different Levels of Abstraction in a Model Based Development Tool}, booktitle = {Proceedings 7th Workshop on Model-Based Testing ({MBT})}, series = {{EPTCS}}, pages = {13--27}, year = {2012}, month = mar, timestamp = {2012.03.25}, address = {Tallinn, Estonia}, abstract = {Seamless model based development aims to use models during all phases of the development process of a system. During the development process in a component-based approach, components of a system are described at qualitatively differing abstraction levels: during requirements engineering component models are rather abstract high-level and underspecified, while during implementation the component models are rather concrete and fully specified in order to enable code generation. An important issue that arises is assuring that the concrete models correspond to abstract models. 
In this paper, we propose a method to assure that concrete models for system components refine more abstract models for the same components. In particular we advocate a framework for reusing test cases at different abstraction levels. Our approach, even if it cannot completely prove the refinement, can be used to ensure confidence in the development process. In particular we are targeting the refinement of requirements which are represented as very abstract models. Besides a formal model of our approach, we discuss our experiences with the development of an Adaptive Cruise Control (ACC) system in a model driven development process. This uses extensions which we implemented for our model-based development tool and which are briefly presented in this paper.}, doi = {10.4204/EPTCS.80.2}, keywords = {AutoFOCUS3, model-based testing, model-based systems engineering, MbSE}, } @inproceedings{voss2012, author = {Voss, Sebastian and Sch{\"{a}}tz, Bernhard}, title = {Scheduling shared memory multicore architectures in {AutoFOCUS3} using Satisfiability Modulo Theories}, booktitle = {{Tagungsband - Dagstuhl-Workshop MBEES: Modellbasierte Entwicklung eingebetteter Systeme VIII, MBEES 2012}}, year = {2012}, month = feb, abstract = {This paper presents an approach to task and message scheduling for multicore architectures using a shared memory. A shared memory architecture is used in most of the current multicore systems. The presented approach is integrated in the AUTOFOCUS 3 toolchain that allows to automatically compute schedules for this architecture to fulfill certain system requirements. AUTOFOCUS 3 models are based on a formally defined system model using explicit data-flow and discrete-time semantics. Our approach relies on a symbolic encoding scheme, based on a scheduling model, that we generate out of AUTOFOCUS 3 system architectures. 
This encoding scheme relies on the AUTOFOCUS 3 semantics of strong- and weak-causal components and enables generating schedules that fulfill certain system properties. In this paper we focus on finding optimized schedules with respect to the global discrete time base. This paper provides a formalization that describes the scheduling problem as a satisfiability problem using boolean formulas and linear arithmetical constraints. A state-of-the-art satisfiability modulo theories (SMT) solver is then used to compute these schedules. This paper demonstrates that state-of-the-art satisfiability modulo theories solvers can be used to compute a schedule that fulfills certain system requirements and meet the challenges of providing both a convenient modeling language and the performance to solve industrialized-sized design problems.}, keywords = {AutoFOCUS3, design-space exploration, DSE, scheduling, model-based systems engineering, MbSE}, url = {http://www.in.tu-clausthal.de/fileadmin/homes/GI/Documents/MBEES12Proceedings.pdf}, } @techreport{feilkas2011, author = {Feilkas, Martin and H{\"{o}}lzl, Florian and Pfaller, Christian and Rittmann, Sabine and Sch{\"{a}}tz, Bernhard and Schwitzer, Wolfgang and Sitou, Wassiou and Spichkova, Maria and Trachtenherz, David}, title = {A Refined Top-Down Methodology for the Development of Automotive Software Systems - The Keyless Entry-System Case Study}, year = {2011}, month = feb, timestamp = {2011.02.11}, institution = {Technische Universit{\"{a}}t M{\"{u}}nchen}, abstract = {This technical report advances the methodology for the model-based development of automotive systems that was already defined in [FFH+09], which was evaluated by developing an Adaptive Cruise Control (ACC) system with Pre-Crash Safety (PCS) functionality.}, keywords = {AutoFOCUS3, model-based testing, case study, model-based systems engineering, MbSE}, url = {https://mediatum.ub.tum.de/1094230}, } @inproceedings{campetelli2011, author = {Campetelli, Alarico and H{\"{o}}lzl, Florian and 
Neubeck, Florian}, title = {User-friendly Model Checking Integration in Model-based Development}, booktitle = {Proceedings of the 24th International Conference on Computer Applications in Industry and Engineering}, year = {2011}, abstract = {We present our approach to a user-friendly model checking integration in model-based development. The modeling tool used is AutoFocus 3, developed at our research group and specialized for reactive and embedded systems. For this integration, we approach usability at four points: tight coupling of verification properties with model elements, different specification languages for the formulation of properties, visualization of counterexamples as well as evaluation of different model checkers for adequate performance. Dealing with these issues leads to one of the first model-based development environments incorporating property specification, model checking and debugging.}, keywords = {verification, model checking, model-based development, tool support, embedded systems, AutoFOCUS3, formal verification, model-based systems engineering, MbSE}, } @techreport{hoelzl2010a, author = {H{\"{o}}lzl, Florian and Spichkova, Maria and Trachtenherz, David}, title = {AutoFocus Tool Chain}, number = {TUM-I1021}, year = {2010}, month = nov, institution = {Technische Universit{\"{a}}t M{\"{u}}nchen}, abstract = {This work presents the tool support for a model-based development methodology for verified software systems. We focus in this discussion on the design, implementation and the verification phase of the overall methodology developed for safety-critical embedded systems. In particular, we show how design models are transformed into C code and Isabelle/HOL theories by code generators. 
We discuss the applied AutoFocus tool chain and its basic principles emphasizing the verification of the system under development as well as the check mechanisms we applied to raise the level of confidence in the correctness of the implementation of the automatic generators.}, keywords = {AutoFOCUS3, methodology, tooling, model-based systems engineering, MbSE, architecture, verification}, url = {https://mediatum.ub.tum.de/1094431}, } @incollection{hoelzl2010b, author = {H{\"{o}}lzl, Florian and Feilkas, Martin}, title = {{AutoFOCUS}3 - A Scientific Tool Prototype for Model-Based Development of Component-Based, Reactive, Distributed Systems}, booktitle = {Model-Based Engineering of Embedded Real-Time Systems}, publisher = {Springer}, series = {LNCS}, volume = {6100}, year = {2010}, address = {Berlin Heidelberg}, abstract = {We give an introduction of the AutoFOCUS3 tool, which allows component-based modeling of reactive, distributed systems and provides validation and verification mechanisms for these models. Furthermore, AutoFOCUS3 includes descriptions of specific technical platforms and deployments. The modeling language is based on precise semantics including the notion of time and allows for a refinement-based methodology for the development of reactive systems, typically found in user-accessible embedded real-time systems.}, doi = {10.1007/978-3-642-16277-0_13}, keywords = {AutoFOCUS3, methodology, tooling, model-based systems engineering, MbSE}, } @article{Broy2010, author = {Broy, Manfred and Feilkas, Martin and Herrmannsd{\"{o}}rfer, Markus and Merenda, Stefano and Ratiu, Daniel}, editor = {Balsamo, Maria Simonetta and Knottenbelt, William J. 
and Marin, Andrea}, title = {Seamless Model-Based Development: From Isolated Tools to Integrated Model Engineering Environments}, journal = {Proceedings of the IEEE}, volume = {98}, pages = {526--545}, year = {2010}, timestamp = {2013.08.20}, owner = {jeraj}, abstract = {More than 20 years of research has created a large body of ideas, concepts, and theories for model-based development of embedded software-intensive systems. These approaches have been implemented by several tools and successfully applied to various development projects. However, the everyday use of model-based approaches in the automotive and avionic industries is still limited. Most of the time, the engineers work with a predefined set of isolated tools, and therefore adapt their engineering methods and process to the available tools. Today, the industry achieves tool integration by demand-driven, pragmatic, and ad-hoc composed chains of a priori existent commercial tools. Nevertheless, these tool chains are not (and cannot be) seamless, since the integration that can be achieved is not deep enough. This hampers the reuse and refinement of models, which subsequently leads to problems like redundancy, inconsistency, and lack of automation. In the end, these deficiencies decrease both the productivity and quality that could be provided by model-based approaches. To overcome these problems, a deep, coherent, and comprehensive integration of models and tools is required. Such an integration can be achieved by the following three ingredients: 1) a comprehensive modeling theory that serves as a semantic domain for the models, 2) an integrated architectural model that holistically describes the product and process, and 3) a manner to build tools that conform to the modeling theory and allow the authoring of the product model. We show that from a scientific point of view, all ingredients are at our hands to do a substantial step into an integrated process and tool world. 
Further, we illustrate why such a solution has not been achieved so far, and discuss what is to be done to get a step closer to seamless model-based engineering.}, doi = {10.1109/JPROC.2009.2037771}, keywords = {AutoFOCUS3, methodology, tooling, model-based systems engineering, MbSE}, }