LG, Nov 29, 2021
Is the Rush to Machine Learning Jeopardizing Safety? Results of a Survey
Mehrnoosh Askarpour, Alan Wassyng, Mark Lawford et al.
Machine learning (ML) is finding its way into safety-critical systems (SCS). Current safety standards and practice were not designed to cope with ML techniques, and it is difficult to be confident that SCSs that contain ML components are safe. Our hypothesis was that there has been a rush to deploy ML techniques at the expense of a thorough examination as to whether the use of ML techniques introduces safety problems that we are not yet adequately able to detect and mitigate against. We thus conducted a targeted literature survey to determine the research effort that has been expended in applying ML to SCS compared with that spent on evaluating the safety of SCSs that deploy ML components. This paper presents the (surprising) results of the survey.
SE, Dec 20, 2019
Assurance via workflow+ modelling and conformance
Zinovy Diskin, Nicholas Annable, Alan Wassyng et al.
We propose considering assurance as a model management enterprise: saying that a system is safe amounts to specifying three workflows modelling how the safety engineering process is defined and executed, and checking their conformance. These workflows are based on precise data modelling as in functional block diagrams, but their distinctive feature is the presence of relationships between the output data of a process and its input data; hence the name "WorkflowPlus", WF+. A typical WF+ model comprises three layers: (i) process and control flow, (ii) dataflow (with input-output relationships), and (iii) argument flow or constraint derivation. Precise dataflow modelling marks a crucial distinction between WF+-based and GSN-based assurance, in which the data layer is mainly implicit. We provide a detailed comparative analysis of the two formalisms and conclude that GSN does not fulfil its promises.
LO, Nov 26, 2019
Multiple Model Synchronization with Multiary Delta Lenses with Amendment and K-Putput
Zinovy Diskin, Harald König, Mark Lawford
Multiple (more than 2) model synchronization is ubiquitous and important for model-driven engineering, but its theoretical underpinning has received much less attention than the binary case. Specifically, the latter was extensively studied by the bx community in the framework of algebraic models for update propagation called lenses. We now take a step to restore the balance and propose a notion of multiary delta lens. Besides multiarity, our lenses feature reflective updates, in which consistency restoration requires some amendment of the update that violated consistency. We emphasize the importance of various ways of lens composition for practical applications of the framework, and prove several composition results.
SE, Sep 7, 2012
Category Theory and Model-Driven Engineering: From Formal Semantics to Design Patterns and Beyond
Zinovy Diskin, Tom Maibaum
There is a hidden intrigue in the title. CT is one of the most abstract mathematical disciplines, sometimes nicknamed "abstract nonsense". MDE is a recent trend in software development, industrially supported by standards, tools, and the status of a new "silver bullet". Surprisingly, categorical patterns turn out to be directly applicable to mathematical modeling of structures appearing in everyday MDE practice. Model merging, transformation, synchronization, and other important model management scenarios can be seen as executions of categorical specifications. Moreover, the paper aims to elucidate a claim that relationships between CT and MDE are more complex and richer than is normally assumed for "applied mathematics". CT provides a toolbox of design patterns and structural principles of real practical value for MDE. We will present examples of how an elementary categorical arrangement of a model management scenario reveals deficiencies in the architecture of modern tools automating the scenario.