Bernhard Rumpe

Jörg Christian Kirchhof, Evgeny Kusmenko, Jonas Ritz et al.

In this paper, we propose to adopt the MDE paradigm for the development of Machine Learning (ML)-enabled software systems with a focus on the Internet of Things (IoT) domain. We illustrate how two state-of-the-art open-source modeling tools, namely MontiAnna and ML-Quadrat can be used for this purpose as demonstrated through a case study. The case study illustrates using ML, in particular deep Artificial Neural Networks (ANNs), for automated image recognition of handwritten digits using the MNIST reference dataset, and integrating the machine learning components into an IoT system. Subsequently, we conduct a functional comparison of the two frameworks, setting out an analysis base to include a broad range of design considerations, such as the problem domain, methods for the ML integration into larger systems, and supported ML methods, as well as topics of recent intense interest to the ML community, such as AutoML and MLOps. Accordingly, this paper is focused on elucidating the potential of the MDE approach in the ML domain. This supports the ML engineer in developing the (ML/software) model rather than implementing the code, and additionally enforces reusability and modularity of the design through enabling the out-of-the-box integration of ML functionality as a component of the IoT or cyber-physical systems.

Vincent Bertram, Miriam Boß, Evgeny Kusmenko et al.

Systems engineering, in particular in the automotive domain, needs to cope with the massively increasing numbers of requirements that arise during the development process. To guarantee a high product quality and make sure that functional safety standards such as ISO26262 are fulfilled, the exploitation of potentials of model-driven systems engineering in the form of automatic analyses, consistency checks, and tracing mechanisms is indispensable. However, the language in which requirements are written, and the tools needed to operate on them, are highly individual and require domain-specific tailoring. This hinders automated processing of requirements as well as the linking of requirements to models. Introducing formal requirement notations in existing projects leads to the challenge of translating masses of requirements and process changes on the one hand and to the necessity of the corresponding training for the requirements engineers. In this paper, based on the analysis of an open-source set of automotive requirements, we derive domain-specific language constructs helping us to avoid ambiguities in requirements and increase the level of formality. The main contribution is the adoption and evaluation of few-shot learning with large pretrained language models for the automated translation of informal requirements to structured languages such as a requirement DSL. We show that support sets of less than ten translation examples can suffice to few-shot train a language model to incorporate keywords and implement syntactic rules into informal natural language requirements.

Lukas Netz, Jan Reimer, Bernhard Rumpe

We present and evaluate a method called grammar masking, which is used to guide large language models (LLMs) toward producing syntactically correct models for a given context-free grammar. Prompt engineering methods such as few-shot learning or priming can be used to improve the chances of an LLM producing correct syntax, but the more complex the grammar, the more time-consuming and less promising these methods become. Previous work is focused primarily on the usage of either language model training or prompt engineering. In this work, a method is presented that restricts the output to a given grammar using constrained decoding to ensure the output adheres to a valid syntax. We use several DSLs built with MontiCore and task multiple LLMs to produce models with and without constrained decoding. A corresponding parser is used to confirm the syntactic correctness of each model. We show that grammar masking can dramatically improve the modeling capabilities of several LLMs, reducing the need for well-refined prompting while increasing the chance of producing correct models.

Carsten Kolassa, Bernhard Rumpe

Open sourcing modelling tools and generators becomes more and more important as open source software as a whole becomes more important. We evaluate the impact open source licenses of code generators have on the intellectual property (IP) of generated artifacts comparing the most common open source licenses by categories found in literature. Restrictively licensed generators do have effects on the IP and therefore on the usability of the artifacts they produce. We then how how this effects can be shaped to the needs of the licensor and the licensee.

Rohit Gupta, Sieglinde Kranz, Nikolaus Regnat et al.

Domain-Specific Languages (DSLs) help practitioners in contributing solutions to challenges of specific domains. The efficient development of user-friendly DSLs suitable for industrial practitioners with little expertise in modelling still is challenging. For such practitioners, who often do not model on a daily basis, there is a need to foster reduction of repetitive modelling tasks and providing simplified visual representations of DSL parts. For industrial language engineers, there is no methodical support for providing such guidelines or documentation as part of reusable language modules. Previous research either addresses the reuse of languages or guidelines for modelling. For the efficient industrial deployment of DSLs, their combination is essential: the efficient engineering of DSLs from reusable modules that feature integrated documentation and guidelines for industrial practitioners. To solve these challenges, we propose a systematic approach for the industrial engineering of DSLs based on the concept of reusable DSL Building Blocks, which rests on several years of experience in the industrial engineering of DSLs and their deployment to various organizations. We investigated our approach via focus group methods consisting of five participants from industry and research qualitatively. Ultimately, DSL Building Blocks support industrial language engineers in developing better usable DSLs and industrial practitioners in more efficiently achieving their modelling.

Michael Felderer, Ralf Reussner, Bernhard Rumpe

Digitization not only affects society, it also requires a redefinition of the location of computer science and computer scientists, as the science journalist Yogeshwar suggests. Since all official aspects of digitalization are based on software, this article is intended to attempt to redefine the role of software engineering and its research. Software-based products, systems or services are influencing all areas of life and are a critical component and central innovation driver of digitization in all areas of life. Scientifically, there are new opportunities and challenges for software engineering as a driving discipline in the development of any technical innovation. However, the chances must not be sacrificed to the competition for bibliometric numbers as an end in themselves.

Timo Greifenberg, Markus Look, Sebastian Roidl et al.

To keep a DSL clean, readable and reusable in different contexts, it is useful to define a separate tagging language. A tag model logically adds information to the tagged DSL model while technically keeping the artifacts separated. Using a generic tagging language leads to promiscuous tag models, whereas defining a target DSL-specific tag language has a high initial overhead. This paper presents a systematic approach to define a DSL-specific tag language and a corresponding schema language, combining the advantages of both worlds: (a) the tag language specifically fits to the DSL, (b) the artifacts are kept separated and enabling reuse with different tag decorations, (c) the tag language follows a defined type schema, and (d) systematic derivation considerably reduces the effort necessary to implement the tag language. An example shows that it can at least partially be realized by a generator and applied for any kind of DSL. Index Terms Software Engineering, Modeling, MDE, GSE

Katrin Hölldobler, Pedram Mir Seyed Nazari, Bernhard Rumpe

Many textual software languages share common concepts such as defining and referencing elements, hierarchical structures constraining the visibility of names, and allowing for identical names for different element kinds. Symbol tables are useful to handle those reference and visibility concepts. However, developing a symbol table can be a tedious task that leads to an additional effort for the language engineer. This paper presents a symbol table meta model usable to define languagespecific symbol tables. Furthermore, we integrate this symbol table meta model with a meta model of a grammar-based language definition. This enables the language engineer to switch between the model structure and the symbol table as needed. Finally, based on a grammarannotation mechanism, our approach is able to generate a symbol table infrastructure that can be used as is or serve as a basis for custom symbol tables.

Carsten Kolassa, Markus Look, Klaus Müller et al.

Template-based code generator development as part of model-drivendevelopment (MDD) demands for strong mechanisms and tools that support developers to improve robustness, i.e., the desired code is generated for the specified inputs. Although different testing methods have been proposed,a method for testing only parts of template-based code generators that can be employed in the early stage of development is lacking. Thus, in this paper we present an approach and an implementation based on JUnit to test template-based code generators. Rather than testing a complete code generator,it facilitates partial testing by supporting the execution of templates with a mocked environment. This eases testing of code generators in early stages of development as well as testing new orchanged parts of a code generator. To test the source code generated by the templates under test, different methods are presented including string comparisons, API-based assertions, and abstract syntax tree based assertions.

Timo Greifenberg, Klaus Müller, Alexander Roth et al.

Generating software from abstract models is a prime activity in model-drivenengineering. Adaptable and extendable code generators are important to address changing technologies as well as user needs. However, theyare less established, as variability is often designed as configuration options of monolithic systems. Thus, code generation is often tied to a fixed set of features, hardly reusable in different contexts, and without means for configuration of variants. In this paper,we present an approach for developing product lines of template-based code generators. This approach applies concepts from feature-oriented programming to make variability explicit and manageable. Moreover, it relies on explicit variability regions (VR) in a code generators templates, refinements of VRs, and the aggregation of templates and refinements into reusable layers. Aconcrete product is defined by selecting one or multiple layers. If necessary, additional layers required due to VR refinements are automatically selected.

Dimitri Plotnikov, Bernhard Rumpe, Inga Blundell et al.

Biological nervous systems exhibit astonishing complexity .Neuroscientists aim to capture this com- plexity by modeling and simulation of biological processes. Often very comple xm odels are nec- essary to depict the processes, which makes it dif fi cult to create these models. Powerful tools are thus necessary ,which enable neuroscientists to express models in acomprehensi ve and concise way and generate ef fi cient code for digital simulations. Se veral modeling languages for computational neuroscience ha ve been proposed [Gl10, Ra11]. Howe ver, as these languages seek simulator inde- pendence the ytypically only support asubset of the features desired by the modeler .Int his article, we present the modular and extensible domain speci fi cl anguage NESTML, which provides neuro- science domain concepts as fi rst-class language constructs and supports domain experts in creating neuron models for the neural simulation tool NEST .N ESTML and aset of example models are publically available on GitHub.

Pedram Mir Seyed Nazari, Alexander Roth, Bernhard Rumpe

Code generation is regarded as an essential part of model-driven development (MDD) to systematically transform the abstract models to concrete code. One current challenges of templatebased code generation is that output-specific information, i.e., information about the generated source code, is not explicitly modeled and, thus, not accessible during code generation. Existing approaches try to either parse the generated output or store it in a data structure before writing into a file. In this paper, we propose a first approach to explicitly model parts of the generated output. These modeled parts are stored in a symbol for efficient management. During code generation this information can be accessed to ensure that the composition of the overall generated source code is valid. We achieve this goal by creating a domain model of relevant generator output information, extending the symbol table to store this information, and adapt the overall code generation process.

Arvid Butting, Bernhard Rumpe, Christoph Schulze et al.

Smart factories that allow flexible production of highly individualized goods require flexible robots, usable in efficient assembly lines. Compliant robots can work safely in shared environments with domain experts, who have to program such robots easily for arbitrary tasks. We propose a new domain-specific language and toolchain for robot assembly tasks for compliant manipulators. With the LightRocks toolchain, assembly tasks are modeled on different levels of abstraction, allowing a separation of concerns between domain experts and robotics experts: externally provided, platform-independent assembly plans are instantiated by the domain experts using models of processes and tasks. Tasks are comprised of skills, which combine platform-specific action models provided by robotics experts. Thereby it supports a flexible production and re-use of modeling artifacts for various assembly processes.

Jan O. Ringert, Bernhard Rumpe, Andreas Wortmann

Combining component & connector architecture descriptionlanguageswithcomponentbehaviormodelinglanguages enables modeling great parts of software architectures platformindependently. Nontrivial systems typically contain components with programming language behavior descriptions to interface with APIs. These components tie the complete software architecture to a specific platform and thus hamper reuse. Previous work on software architecture reuse with multiple platforms either requires platform-specific handcrafting or the effort of explicit platform models. We present an automated approach to transform platform-independent, logical software architectures into architectures with platform-specific components. This approach introduces abstract components to the platform-independent architecture and refines the se with components specific to the target platform prior to code generation. Consequently, a single logical software architecture model can be reused with multiple target platforms, which increases architecture maturity and reduces the maintenance effort of multiple similar software architectures.

Jan O. Ringert, Bernhard Rumpe, Andreas Wortmann

Component&connector (C&C) architecture description languages (ADLs) combine component-based software engineering and model-driven engineering to increase reuse and to abstract from implementation details. Applied to robotics application development, current C&C ADLs often require domain experts to provide component behavior descriptions as programming language artifacts or as models of a-priori mixed behavior modeling languages. They are limited to specific target platforms or require extensive handcrafting to transform platform-independent software architecture models into platform-specific implementations. We have developed the MontiArcAutomaton framework that combines structural extension of C&C concepts with integration of application-specific component behavior modeling languages, seamless transformation from logical into platform-specific software architectures, and a-posteriori black-box composition of code generators for different robotics platforms. This paper describes the roles and activities for tailoring MontiArcAutomaton to application-specific demands.

Bernhard Rumpe, Christoph Schulze, Michael von Wenckstern et al.

Embedded software systems, e.g. automotive, robotic or automation systems are highly configurable and consist of many software components being available in different variants and versions. To identify the degree of reusability between these different occurrences of a component, it is necessary to determine the functional backward and forward compatibility between them. Based on this information it is possible to identify in which system context a component can be replaced safely by another version, e.g. exchanging an older component, or variant, e.g. introducing new features, to achieve the same functionality. This paper presents a model checking approach to determine behavioral compatibility of Simulink models, obtained from different component variants or during evolution. A prototype for automated compatibility checking demonstrates its feasibility. In addition implemented optimizations make the analysis more efficient, when the compared variants or versions are structurally similar. A case study on a driver assistance system provided by Daimler AG shows the effectiveness of the approach to automatically compare Simulink components.

Lars Hermerschmidt, Katrin Hölldobler, Bernhard Rumpe et al.

Component-based software engineering (CBSE) decomposes complex systems into reusable components. Model-driven engineering (MDE) aims to abstract from complexities by lifting abstract models to primary development artifacts. Component and connector architecture description languages (ADLs) combine CBSE and MDE to describe software systems as hierarchies of component models. Using models as development artifacts is accompanied with the need to evolve, maintain and refactor those models, which can be achieved by model transformations. Domain-specific transformation languages (DSTLs) are tailored to a specific modeling language as the modeling language's concrete syntax is used to describe transformations. To automate the development of DSTLs for ADLs, we present a framework to systematically derive such languages from domain-specific C&C language grammars. These DSTLs enable to describe such model transformations concisely in vocabulary of the underlying ADL. These domain-specific transformations are better comprehensible to ADL experts than generic transformations.

Lars Hermerschmidt, Stephan Kugelmann, Bernhard Rumpe

To exchange complex data structures in distributed systems, documents written in context-free languages are exchanged among communicating parties. Unparsing these documents correctly is as important as parsing them correctly because errors during unparsing result in injection vulnerabilities such as cross-site scripting (XSS) and SQL injection. Injection attacks are not limited to the web world. Every program that uses input to produce documents in a context-free language may be vulnerable to this class of attack. Even for widely used languages such as HTML and JavaScript, there are few approaches that prevent injection attacks by context-sensitive encoding, and those approaches are tied to the language. Therefore, the aim of this paper is to derive context-sensitive encoder from context-free grammars to provide correct unparsing of maliciously crafted input data for all context-free languages. The presented solution integrates encoder definition into context-free grammars and provides a generator for context-sensitive encoders and decoders that are used during (un)parsing. This unparsing process results in documents where the input data does neither influence the structure of the document nor change their intended semantics. By defining encoding during language definition, developers who use the language are provided with a clean interface for writing and reading documents written in that language, without the need to care about security-relevant encoding.

Timo Greifenberg, Klaus Müller, Bernhard Rumpe

Manually ensuring that the implementation of a software system is consistent with the software architecture is a laborious and error-prone task. Thus, a variety of approaches towards automated consistency checking have been developed to counteract architecture erosion. However, these approaches lack means to define and check architectural restrictions concerning plugin dependencies, which is required for plugin-based software systems. In this paper, we propose a domain-specific language called Dependency Constraint Language (DepCoL) to facilitate the definition of constraints concerning plugin dependencies. Using DepCoL, it is possible to define constraints affecting groups of plugins, reducing the required specification effort, to formulate constraints for specific plugins only and to refine constraints. Moreover, we provide an Eclipse plugin, which checks whether the software system under development is consistent with the modeled constraints. This enables a seamless integration into the development process to effortless check consistency during development of the software system. In this way, developers are informed about dependency violations immediately and this supports developers in counteracting architecture erosion.

Jan Oliver Ringert, Bernhard Rumpe, Andreas Wortmann

This book presents MontiArcAutomaton, a modeling language for architecture and be- havior modeling of Cyber-Physical Systems as interactive Component & Connector mod- els. MontiArcAutomaton extends the Architecture Description Language MontiArc with automata to describe component behavior. The modeling language MontiArcAutomaton provides syntactical elements for defin- ing automata with states, variables, and transitions inside MontiArc components. These syntactical elements and a basic set of well-formedness rules provide the syntax for a fam- ily of modeling languages for state-based behavior modeling in Component & Connector architectures. We present two concrete language profiles with additional well-formedness rules to model time-synchronous component behavior and untimed, event-driven behav- ior of components. This book gives an overview of the MontiArcAutomaton language including examples, a language reference, and a context-free grammar for MontiArcAutomaton models. It also provides syntax definition, well-formedness rules, and semantics for two language profiles. We summarize projects and case studies applying MontiArcAutomaton. MontiArcAutomaton is implemented using the DSL framework MontiCore. Available tools include a textual editor with syntax highlighting and code completion as well as a graphical editor and a powerful and extensible code generation framework for target languages including EMF, Java, Mona, and Python.

Arne Haber, Markus Look, Antonio Navarro Perez et al.

Effective model-driven engineering of complex systems requires to appropriately describe different specific system aspects. To this end, efficient integration of different heterogeneous modeling languages is essential. Modeling language integaration is onerous and requires in-depth conceptual and technical knowledge and ef- fort. Traditional modeling lanugage integration approches require language engineers to compose monolithic language aggregates for a specific task or project. Adapting these aggregates cannot be to different contexts requires vast effort and makes these hardly reusable. This contribution presents a method for the engineering of grammar-based language components that can be independently developed, are syntactically composable, and ultimately reusable. To this end, it introduces the concepts of language aggregation, language embed- ding, and language inheritance, as well as their realization in the language workbench MontiCore. The result is a generalizable, systematic, and efficient syntax-oriented composition of languages that allows the agile employment of modeling languages efficiently tailored for individual software projects.

Timo Greifenberg, Katrin Hölldobler, Carsten Kolassa et al.

Code generation from models is a core activity in model-driven development (MDD). For complex systems it is usually impossible to generate the entire software system from models alone. Thus, MDD requires mechanisms for integrating generated and handwritten code. Applying such mechanisms without considering their effects can cause issues in projects with many model and code artifacts, where a sound integration for generated and handwritten code is necessary. We provide an overview of mechanisms for integrating generated and handwritten code for object-oriented languages. In addition to that, we define and apply criteria to compare these mechanisms. The results are intended to help MDD tool developers in choosing an appropriate integration mechanism.

Christian Berger, Delf Block, Sönke Heeren et al.

Context: Since 2014 several modern cars were rated regarding the performances of their active safety systems at the European New Car Assessment Programme (EuroNCAP). Nowadays, consumer tests play a significant role for the OEM's series development with worldwide perspective, because a top rating is needed to underline the worthiness of active safety features from the customers' point of view. Furthermore, EuroNCAP already published their roadmap 2020 in which they outline further extensions in today's testing and rating procedures that will aggravate the current requirements addressed to those systems. Especially Autonomous Emergency Braking/Forward Collision Warning systems (AEB/FCW) are going to face a broader field of application as pedestrian detection or two-way traffic scenarios. Objective: This work focuses on the systematic generation of test scenarios concentrating on specific parameters that can vary within certain tolerance ranges like the lateral position of the vehicle-under-test (VUT) and its test velocity for example. It is of high interest to examine the effect of the tolerance ranges on the braking points in different test cases representing different trajectories and velocities because they will influence significantly a later scoring during the assessments and thus the safety abilities of the regarding car. Method: We present a formal model using a graph to represent the allowed variances based on the relevant points in time. Now, varying velocities of the VUT will be added to the model while the vehicle is approaching a target vehicle. The derived trajectories were used as test cases for a simulation environment. Selecting interesting test cases and processing them with the simulation environment, the influence on the system's performance of different test parameters will be investigated.

Pedram Mir Seyed Nazari, Bernhard Rumpe

In model-driven development (MDD) software emerges by systematically transforming abstract models to concrete source code. Ideally, performing those transformations is to a large extent the task of code generators. One approach for developing a new code generator is to write a reference implementation and separate it into handwritten and generatable code. Typically, the generator developer manually performs this separation a process that is often time-consuming, labor-intensive, difficult to maintain and may produce more code than necessary. Software categories provide a way for separating code into designated parts with defined dependencies, for example, "Business Logic" code that may not directly use "Technical" code. This paper presents an approach that uses the concept of software categories to semi-automatically determine candidates for generated code. The main idea is to iteratively derive the categories for uncategorized code from the dependencies of categorized code. The candidates for generated or handwritten code finally are code parts belonging to specific (previously defined) categories. This approach helps the generator developer in finding candidates for generated code more easily and systematically than searching by hand and is a step towards tool-supported development of generative software.

Alexander Roth, Bernhard Rumpe

A code generator systematically transforms compact models to detailed code. Today, code generation is regarded as an integral part of model-driven development (MDD). Despite its relevance, the development of code generators is an inherently complex task and common methodologies and architectures are lacking. Additionally, reuse and extension of existing code generators only exist on individual parts. A systematic development and reuse based on a code generator product line is still in its infancy. Thus, the aim of this paper is to identify the mechanism necessary for a code generator product line by (a) analyzing the common product line development approach and (b) mapping those to a code generator specific infrastructure. As a first step towards realizing a code generator product line infrastructure, we present a component-based implementation approach based on ideas of variability-aware module systems and point out further research challenges.

Carsten Kolassa, Holger Rendel, Bernhard Rumpe

Modeling variability in Matlab/Simulink becomes more and more important. We took the two variability modeling concepts already included in Matlab/Simulink and our own one and evaluated them to find out which one is suited best for modeling variability in the automotive domain. We conducted a controlled experiment with developers at Volkswagen AG to decide which concept is preferred by developers and if their preference aligns with measurable performance factors. We found out that all existing concepts are viable approaches and that the delta approach is both the preferred concept as well as the objectively most efficient one, which makes Delta-Simulink a good solution to model variability in the automotive domain.

Jan Oliver Ringert, Alexander Roth, Bernhard Rumpe et al.

Engineering software for robotics applications requires multidomain and application-specific solutions. Model-driven engineering and modeling language integration provide means for developing specialized, yet reusable models of robotics software architectures. Code generators transform these platform independent models into executable code specific to robotic platforms. Generative software engineering for multidomain applications requires not only the integration of modeling languages but also the integration of validation mechanisms and code generators. In this paper we sketch a conceptual model for code generator composition and show an instantiation of this model in the MontiArc- Automaton framework. MontiArcAutomaton allows modeling software architectures as component and connector models with different component behavior modeling languages. Effective means for code generator integration are a necessity for the post hoc integration of applicationspecific languages in model-based robotics software engineering.

Betty Cheng, Kerstin Eder, Martin Gogolla et al.

A self-adaptive software system modifies its behavior at runtime in response to changes within the system or in its execution environment. The fulfillment of the system requirements needs to be guaranteed even in the presence of adverse conditions and adaptations. Thus, a key challenge for self-adaptive software systems is assurance. Traditionally, confidence in the correctness of a system is gained through a variety of activities and processes performed at development time, such as design analysis and testing. In the presence of selfadaptation, however, some of the assurance tasks may need to be performed at runtime. This need calls for the development of techniques that enable continuous assurance throughout the software life cycle. Fundamental to the development of runtime assurance techniques is research into the use of models at runtime (M@RT). This chapter explores the state of the art for usingM@RT to address the assurance of self-adaptive software systems. It defines what information can be captured by M@RT, specifically for the purpose of assurance, and puts this definition into the context of existing work. We then outline key research challenges for assurance at runtime and characterize assurance methods. The chapter concludes with an exploration of selected application areas where M@RT could provide significant benefits beyond existing assurance techniques for adaptive systems.

Jan Oliver Ringert, Bernhard Rumpe, Andreas Wortmann

Component-based software engineering aims to reduce software development effort by reusing established components as building blocks of complex systems. Defining components in general-purpose programming languages restricts their reuse to platforms supporting these languages and complicates component composition with implementation details. The vision of model-driven engineering is to reduce the gap between developer intention and implementation details by lifting abstract models to primary development artifacts and systematically transforming these into executable systems. For sufficiently complex systems the transformation from abstract models to platform-specific implementations requires augmentation with platform-specific components. We propose a model-driven mechanism to transform platform-independent logical component & connector architectures into platform-specific implementations combining model and code libraries. This mechanism allows to postpone commitment to a specific platform and thus increases reuse of software architectures and components.

Timo Greifenberg, Markus Look, Bernhard Rumpe

Integrating existing heterogeneous data models for buildings, neighbourhoods and periphery devices into a common data model that can be used by all participants, such as users, services or sensors is a cumbersome task. Usually new extended standards emerge or ontologies are used to define mappings between concrete data models. Within the COOPERaTE project a neighbourhood information model (NIM) has been developed to address interoperability and allow for various kinds of data to be stored and exchanged. The implementation of the NIM follows a meta model based approach, allowing for runtime extension and for easily integrating heterogeneous data models via a mapping DSL and code generation of adaptation components.

Martin Henze, Lars Hermerschmidt, Daniel Kerpen et al.

Internet of Things devices are envisioned to penetrate essentially all aspects of life, including homes and urbanspaces, in use cases such as health care, assisted living, and smart cities. One often proposed solution for dealing with the massive amount of data collected by these devices and offering services on top of them is the federation of the Internet of Things and cloud computing. However, user acceptance of such systems is a critical factor that hinders the adoption of this promising approach due to severe privacy concerns. We present UPECSI, an approach for user-driven privacy enforcement for cloud-based services in the Internet of Things to address this critical factor. UPECSI enables enforcement of all privacy requirements of the user once her sensitive data leaves the border of her network, provides a novel approach for the integration of privacy functionality into the development process of cloud-based services, and offers the user an adaptable and transparent configuration of her privacy requirements. Hence, UPECSI demonstrates an approach for realizing user-accepted cloud services in the Internet of Things.

Radu Grosu, Cornel Klein, Bernhard Rumpe

In this report, the SYSLAB model is complemented in different ways: State-box models are provided through timed port automata, for which an operational and a corresponding denotational semantics are given. Composition is defined for components modeled in the state-box view as well as for components modeled in the black-box view. This composition is well-defined for networks of infinitely many components. To show the applicability of the model, several examples are given.

Ruth Breu, Radu Grosu, Franz Huber et al.

In this paper we show by using the example of UML, how a software engineering method can benefit from an integrative mathematical foundation. The mathematical foundation is given by a mathematical system model. This model provides the basis both for integrating the various description techniques of UML and for implementing methodical support. After describing the basic concepts of the system model, we give a short overview of the UML description techniques. Then we show how they fit into the system model framework and sketch an approach to structure the UML development process such that it provides methodological guidance for developers.

Jan Philipps, Bernhard Rumpe

Software and hardware architectures are prone to modifications. We demonstrate how a mathematically founded powerful refinement calculus for a class of architectures, namely pipe and filter architectures, can be used to modify a system in a provably correct way. The calculus consists of basic rules to add and to remove filters (components) and pipes (channels) to a system. A networking example demonstrates some of the features of our calculus. The calculus is simple, flexible and compositional. Thus it allows us to build more complex and specific rules that e.g. embed models of existing architectures or define design patterns as transformation rules.

Manfred Broy, Franz Huber, Barbara Paech et al.

Modeling and documentation are two essential ingredients for the engineering discipline of software development. During the last twenty years a wide variety of description and modeling techniques as well as document formats has been proposed. However, often these are not integrated into a coherent methodology with well-defined dependencies between the models and documentations. This hampers focused software development as well as the provision of powerful tool-support. In this paper we present the main issues and outline solutions in the direction of a unified, formal basis for software and system modeling.

Bernhard Rumpe, Cornel Klein

Relating formal re nement techniques with commercial object oriented software development methods is important to achieve enhancement of the power and exibility of these software development methods and tools. We will present an automata model together with a denotational and an operational semantics to describe the behavior of objects. Based on the given semantics we de ne a set of powerful re nement rules and discuss their applicability in software engineering practice especially with the use of inheritance.

Borislav Gajanovic, Bernhard Rumpe

This paper presents an overview of the verification framework ALICE in its current version 0.7. It is based on the generic theorem prover Isabelle [Pau03a]. Within ALICE a software or hardware component is specified as a state-full black-box with directed communication channels. Components send and receive asynchronous messages via these channels. The behavior of a component is generally described as a relation on the observations in form of streams of messages flowing over its input and output channels. Untimed and timed as well as state-based, recursive, relational, equational, assumption/guarantee, and functional styles of specification are supported. Hence, ALICE is well suited for the formalization and verification of distributed systems modeled with this stream-processing paradigm.

Barbara Paech, Bernhard Rumpe

This paper aims at integrating heterogeneous documents used in pragmatic software develpoment methods to describe views with a formal refinement based software development process. Therefore we propose an integrated semantics of heterogeneous documents based on a common system model and a set of syntactic development steps with a well-defined semantics for document evolution. The use of the development steps is demonstrated in a small example.

Wolfgang Pree, Marcus Fontoura, Bernhard Rumpe

The Unified Modeling Language (UML) community has started to define so-called profiles in order to better suit the needs of specific domains or settings. Product lines1 represent a special breed of systems they are extensible semi-finished pieces of software. Completing the semi-finished software leads to various software pieces, typically specific applications, which share the same core. Though product lines have been developed for a wide range of domains, they apply common construction principles. The intention of the UML-F profile (for framework architectures) is the definition of a UML subset, enriched with a few UML-compliant extensions, which allows the annotation of such artifacts. This paper presents aspects of the profile with a focus on patterns and exemplifies the profile's usage.

Bernhard Rumpe, Christian Berger, Holger Krahn

"This article describes software engineering techniques to be used in order to ensure the necessary quality of intelligent and therefore massive software-based systems in vehicles. Quality assurance for intelligent software is achieved through a bundle of modern software engineering methods. Architecture and design patterns for securing the software components are supplemented by test concepts and frameworks for validation and checks of robustness of the implementation. These patterns describe established and therefore consolidated solutions for certain problems as for instance reliability or efficient execution. -- Dieser Artikel skizziert, welche Software-Entwurfstechniken heute zum Einsatz kommen können, um intelligente, Software-lastige Systeme im Fahrzeug abzusichern. Dabei spielt zunächst das Qualitätsmanagement durch Software-technische Maßnahmen eine zentrale Rolle. Architektur- und Entwurfmuster für die Software-technische Absicherung von Komponenten werden ergänzt um Test-Konzepte zur Validierung von Spezifikationen und der Robustheit der Implementierung. Architekturen und Entwurfs-Muster beschreiben erprobte und damit konsolidierte Lösungen für bestimmte Problemklassen wie etwa Zuverlässigkeit oder effiziente Ausführung.

Klaus Bergner, Bernhard Rumpe

In this report we investigate the suitability of algebraic specication techniques for the modular speci cation of complex object oriented systems As an example part of the event handling mechanism of the application framework ET is speci ed using a variant of the algebraic specication language Spectrum.

Jan Philipps, Bernhard Rumpe

This paper aims at integrating heterogeneous documents used in pragmatic software develpoment methods to describe views with a formal refinement based software development process. Therefore we propose an integrated semantics of heterogeneous documents based on a common system model and a set of syntactic development steps with a welldefined semantics for document evolution. The use of the development steps is demonstrated in a small example.

Bernhard Rumpe, V. Thurner

In this paper we present a calculus for re nement of business process models based on a precisede nition of business processes and process nets Business process models are a vital concept for communicating with experts of the application domain Depending on the roles and responsibilities of the application domain experts involved process models are discussed on different levels of abstraction These may range from detailed regulations for process execution to the interrelation of basic core processes on a strategic level To ensure consistency and to allow for a exible integration of process information on di erent levels of abstraction we introduce re nement rules that allow the incremental addition to and re nement of the information in a process model while maintaining the validity of more abstract high level processes In particular we allow the decomposition of single processes and logical data channels as well as the extension of the interface and channel structure to information that is newly gained or increased in relevance during the modeling process.

Cornel Klein, Bernhard Rumpe, Manfred Broy

In the SysLab project we develop a software engineering method based on a mathematical foundation. The SysLab system model serves as an abstract mathematical model for information systems and their components. It is used to formalize the semantics of all used description techniques such as object diagrams state automata sequence charts or data-flow diagrams. Based on the requirements for such a reference model, we define the system model including its different views and their relationships.

Ruth Breu, Ursula Hinkel, Christoph Hofmann et al.

The Unified Modeling Language UML is a language for specifying visualizing and documenting object oriented systems UML combines the concepts of OOA OODOMT and OOSE and is intended as a standard in the domain of object oriented analysis and design Due to the missing formal mathematical foundation of UML the syntax and the semantics of a number of UML constructs are not precisely defined.This paper outlines a proposal for the formal foundation of UML that is based on a mathematical system model

Barbara Paech, Bernhard Rumpe

In this paper we propose I/O state transition diagrams for service description In contrast to other techniques like for example Statecharts we allow to model non atomic services by sequences of transitions This is especially important in a distributed system where concurrent service invocation cannot be prohibited We give a mathematical model of object behaviour based on concurrent and sequential messages Then we give a precise semantics of the service descriptions in terms of the mathematical model.

Cornel Klein, Christian Prehofer, Bernhard Rumpe

In this paper, we introduce a graphic specification technique, called state transition diagrams (STD), and show the application to the feature interaction problem. Using a stream-based formal semantics, we provide refinement rules for STDs. Refinements define an implementation relation on STD specifications. We view features as particular refinements which add previously unspecified behavior to a given STD specification. The refinement relation is then used to add features, and to define the notion of conflicting features. Our techniques are demonstrated by a systematic development of an example given in [25].

Ruth Breu, Radu Grosu, Christoph Hofmann et al.

In this paper we present a variant of message sequence diagrams called EETs Extended Event Traces We provide the graphical notation discuss the methodological use of EETs to describe behavior of object oriented business information systems and sketch their semantics Special emphasis is put on the different implications of using EETs for exemplary and complete interaction descriptions. The possibility to describe interactions between single objects as well as composite objects with EETs makes them particularly suitable to describe the behavior of large systems.

Jan Philipps, Bernhard Rumpe

A calculus is presented for the stepwise refinement of abstract information flow architectures. We give a mathematical model for information flow components based on relations between input and output communication histories, and describe system architectures using two views: the glass box view is a network of basic components, while the black box view regards the network itself as a component. This allows us to hierarchically compose systems. The calculus consists of basic rules to add or remove components and channels, and to replace components by subnetworks and vice versa. The correctness of the rules is justified by the refinement relation on the black box view of architectures.

Max Fuchs, Dieter Nazareth, Dirk Daniel et al.

This paper presents an object-oriented method customized for a tool-assisted development of car software components. Tough market conditions motivate smart software development. ASCET SD is a tool to generate target code from graphic specifications, avoiding costly programming in C. But ASCET lacks guidelines on what to do, how to do it, in what order, like a fully equipped kitchen without a cooking book. Plans to employ the tool for BMW vehicle software sparked off demand for an adequate, object-oriented real-time methodology. We show how to scan the methodology market in order to adopt an already existing method for this purpose. The result of the adaptation of a chosen method to ASCET SD is a pragmatic version of ROOM, which we call BROOM. We present a modeling guidebook that includes process recommendations not only for the automotive sector, but for real-time software development in general. The method suggests to produce early prototypes that are validated and refined to completion. BROOM offers phase-independent, harmonic guidelines. Product requirements, in form of scenarios, are transformed through several activities into operational models. BROOM takes advantage of ASCET's rich experimentation- and code generation features. These allow to validate emerging models on button press. The factual development of a simplified heating/cooling system at BMW serves as a running example throughout the paper.