This report describes the use of Model-driven Engineering (MDE) to develop critical software applications. A systematic literature review after  has been performed for this report. This literature review has shown, that many different approaches and frameworks exist, that support MDE. Many of these frameworks cover specific properties of critical software (explained in chapter 2) (see [1, 2, 3, 4, 7, 8, 10, 15]). Other frameworks focus on the support of non-functional requirements (NFRs) in general, which are related to the properties of critical software (explained in chapter 2) (see [5, 9, 16]). Together with these different approaches, tools have been developed to support integrating the properties of critical systems and NFRs in general into MDE (see [6, 11, 12, 13, 14, 15, 22, 23]). However the literature has shown that no standard exists to develop critical software with MDE. Much more has the review shown that a differentiated analysis is necessary to answer the question, if MDE is a promising approach for developing critical software applications? This report will try to do that.
In section 2 will be explained what critical systems are, what properties are important and how critical systems are usually developed. Section 3 will explain MDE in general, especially how the framework from the Object Management Group (OMG) looks like, what the general goals of MDE are, together with the advantages and disadvantages of MDE. The last section will relate the properties of critical software applications to the advantages and disadvantages of MDE and provides a detailed discussion to answer the question above.
2. Critical software applications
To describe the properties of critical software applications the term critical software application has to be defined. After Sommerville a critical software application is a ‘technical or socio technical system that people or businesses depend on’ [18, p. 44]. Sommerville defines further, that a system failure can result in serious problems and significant losses. Depending on the type of critical software application (safety-critical, mission-critical or business-critical) the loss can be the loss of life, environmental damage, failure of goal-directed activity or high costs for a business .
The most important property of critical software applications is dependability . Dependability covers a range of properties which will be explained in the following paragraph. The first property is availability, which describes the probability of a system to be up and running and to deliver the requested services [18, 19]. The second property is reliability, which describes the probability of a system to function correctly and deliver the services as expected [18, 20]. Reliability includes correctness (ensure the system services cover the functional and non-functional requirements), precision (ensure information in detail as necessary is delivered) and timeliness (ensure that information is delivered when needed) [18, 20]. The third property, safety, describes the probability of a system to cause damage to people or its environment [18, 21]. Security, fourth property, judges on how likely it is, that a system is assassinated to accidental or deliberate intrusions . Security includes integrity (ensure that the software and data it contains are not damaged) and confidentiality (ensure that information is only delivered to authorised users) [18, 19]. The fifth property is repairability, which considers how fast a system can be repaired after a failure has been discovered [18, 23]. Maintainability, which is the sixth property, describes how fast and easy software can be adopted to satisfy new requirements . Another property, number seventh, is survivability and describes the ability of a system to deliver services while under attack . All these properties are NFRs and are important to prevent system failure and information loss . Usually critical systems are developed using well-tried techniques rather than newer techniques . In the following paragraph one process will be explained to develop critical software applications.
Critical software applications are usually developed using dependable processes . Dependable processes consist of five characteristics: documentable, standardised, auditable, diverse, robust . These characteristics have to be considered within the process activities. The process of developing critical software applications consists of seven activities :
- Requirements inspection: discover problems with the system specification
- Requirements management: keeping track of changes and trace these
- Model checking: automatically analysing system models to ensure consistency
- Design and code inspections: based on checklist of common faults
- Static analysis: program is analysed in detail to find erroneous conditions
- Test planning and management: ensure complete test coverage and traceability
- Configuration management: keep track of versions of software and its components
With these activities the majority of mistakes that occur during software development (e. g. misunderstanding of specification, over-complex programs and use of error prone constructs) can be avoided .
However the use of MDE changes the way software is developed and is needs to be checked if the properties and activities explained above are existent in MDE.
3. Model-driven Engineering
Similar to the concept of critical software applications, the term Mode-driven Engineering has to be defined. The literature review (explained in section 1) has revealed that a lot of different definitions and terms exist. Most common are the use of the terms Model-driven Engineering and Model-driven Development (MDD). Within MDE models are used to specify, simulate, verify, test and generate the system that has to be built . This definition is consistent with the one from the OMG, which is an organisation who sets standards . However MDE is only a general definition of the topic. To use MDE for developing software a more concrete view has to be chosen. As well, a lot of different views and approaches exist . This report will concentrate on the Model-driven approach (MDA) because it is the most prevalent . MDA separates the development of software into three different stages, therefore it uses different models . First of all a Platform Independent Model (PIM) has to be developed [25, 26]. This kind of model concentrates on the functionality based on the business-level. It is independent from the underlying technology . After that, the PIM is transformed into a Platform Specific Model (PSM) through a Model-to-Model transformation . Multiple PSM can share on PIM . After that the PSM is transformed into executable code through Model-to-Text transformation . Thereafter a complete MDA application consists of one PIM, one or more PSMs and one concrete implementation for each platform the developer supports .
The major goal of the use of models for developing software is to raise the level of abstraction [26, 27]. Thereafter the model aims to improve the communication between different participants (no matter if customer or developer) and makes the whole developing process more understandable [26, 29]. In general it makes software development more systematic and formal and aims to achieve adaptability (because models are less bound to the underlying technology), portability and reuseability (because models are less sensitive to the chosen technology and are closer to the problem domain) [27, 28, 29]. In addition it simplifies the development process, reduces the amount of developer effort (because it is an automated process) and the complexity of software [26, 29]. As explained above, the use of MDE aims to construct systems automatically. This helps to prevent failures made by developers (e.g. typos) and makes it possible to run simulations easily before the software deployment .
However MDE has not only advantages but also disadvantages. First of all it creates redundancy because in MDE multiple representations of artefacts are used . As explained above, different models are used for different stages with a different level of abstraction. This means, if one model changes, all the other models have to be changed as well. This can create a huge developer effort . The next problem is closely connected to the previous one. Between different models and abstractions for a software application exist relationships and many of these relationships are interrelated . The round-trip problem occur when an interrelated attribute changes and that change affects some or all of its related attributes . Above, the reduction of complexity was stated as an advantage for MDE; however not all the researchers agree.  has the opinion that models move the complexity elsewhere and not always reduce it. Thereafter spurious complexity can be created which is difficult to solve . For MDE different models are used (see above) with eventually different model technologies. Especially for bigger development teams this can become a problem. The different development teams have to be an expert in all the different model technologies used and not only in the one they used . Thereafter more expertise is required at each construction site . In addition they have to know the different transformation notations (see above) . A last disadvantage is that with a higher abstraction more choices exist on how the executable code will be realised . However this doesn’t have to be a disadvantage in call cases, as we will see in the next chapter, where the theory of MDE will be applied in terms of developing critical software applications.
The second section of this report stated, that for critical software applications especially non-functional requirements are important. This means for a connection between MDE and critical software applications the support of MDE for NFRs has to be analysed. Furthermore the transformations of the different models are important because the priority of NFRs have to be chosen . To justify if MDE is a promising approach for developing critical software applications, the advantages and disadvantages (section 3) have to be connected to the properties of critical systems (section 2) and related to NFRs. Table 1 and 2 show the result of this connection. The following paragraph will explain how this connection was achieved.
The first column shows the properties of critical systems (Table 1) respectively the characteristics of dependable processes (Table 2). The facts from this column are based on the research explained in section 2. The second column shows the advantages from section 3 assigned to the rows in column 1. The third column shows tools and frameworks (from the area of MDE) that help to satisfy the needs of the rows in column 1. The fourth column shows the disadvantages from section 3 assigned to the rows in column 1. The sources at the end of every cell reveal the academic paper where the advantages and disadvantages were assigned to the properties of critical software applications.
Table 1 – Properties of critical software applications
|availability||simplifying , abstract||Generalized Stochastic Petri Nets||round-trip problem |
|reliability||automatic construction of system model ||Markov models ||moving complexity , depending on the approach very high till low |
|correctness||development more systematic ||probabilistic models |
|precision||and formal , accurate , predictive ||LTSA |
|timeliness||reuseability , amount of developer effort ||depending on the approach very high or low |
|safety||simulation ||UML Profile [23, 24]||round-trip problem |
|integrity||separation between NFRs and FRs ||UML Profile [23, 24]||redundancy |
|confidentiality||separation between NFRs and FRs ||more expertise required |
|repairability||round-trip problem |
|maintainability||less sensitive to technology , separation between NFRs and FRs ||round-trip problem , depending on the approach very high till low |
|survivability||less sensitive to technology |
Table 2 – Characteristics of dependable processes
|documentable||simplifying ||round-trip problem |
|standardised||more systematic and formal ||the higher the abstraction, the more choices for code |
|auditable||understandable ||more expertise required |
|diverse||the higher the abstraction, the more choices for code ||more expertise required |
|robust||simulation ||the higher the abstraction, the more choices for code |
Table 1 and 2 show that for nearly every advantage a disadvantage exists, as well. In the majority the advantages and disadvantages are connected to the underlying MDE approach (including the transformations and modelling software) (e.g. cells C-2, C-5, C-11, E-14). In some cases it is not even clear if the advantages of MDE can be clearly assigned to the properties of critical software applications because researchers do not always agree (e.g. cells A-1 (for abstraction), A-8, A-9, C-1, D-16, E14). In one case a disadvantage of MDE can be seen as an advantage in another circumstance (cells E-14, D-16). Based on the results shown in these tables it is not possible to give a clear answer to the proposed question in section 1. Based on the argumentation in this report the use of MDE within the context of critical software application development is connected to the following key factors:
- The use of MDE approach, because different models have different properties and therefore different advantages and disadvantages (Table 1 shows the advantages and disadvantages for a wide range of approaches)
- The use of MDE framework (especially transformations), because it depends on the framework if it is possible to choose the priority of NFRs
- The use of software tools that support MDE, because the available tools don’t support all properties equally
- The priority of properties of critical software applications, because not all properties are well supported by MDE (e.g. safety and repairability)
Thereafter I come to the conclusion that MDE can be considered for the development of critical software applications but a human being should always check the transformations between the different models and the executable code. Last but not least a human being should perform the last tests and validations because the life of other human beings depends on the software. This means that the process activities outlined in section 2 should persist and be performed by human beings.
This report has related the properties and processes of critical software application development to the advantages and disadvantages of different MDE approaches, including frameworks and tools. The results of this report show that the question formulated in section can’t be answered with yes or no. It highly depends on the four factors outlined at the end of section 4.
 G. N. Rodrigues, D. S. Rosenblum, and S. Uchitel, “Reliability prediction in model driven development,” Model Driven Engineering Languages and Systems, vol. 3713, pp. 339-354, 2005.
 G. Rodrigues, G. Roberts, and W. Emmerich, “Reliability support for the Model Driven Architecture,” in Work, Springer Verlag, 2004, pp. 0-5.
 J. Skene and W. Emmerich, “Model driven performance analysis of enterprise information systems,” Electronic Notes in Theoretical Computer Science, vol. 82, no. 6, pp. 147-157, 2003.
 A. Sabetta, D. Petriu, V. Grassi, and R. Mirandola, “Abstraction-Raising Transformation for Generating Analysis Models,” in Satellite Events at the MoDELS 2005 Conference, 2006, vol. 3844, pp. 217-226.
 S. Röttger and S. Zschaler, “Model-Driven Development for Non-functional Properties: Refinement Through Model Transformation,” 2004 The Unified Modelling Language, vol. 3273, pp. 275-289, 2004.
 G. Rodrigues, D. Rosenblum, and S. Uchitel, “Reliability Prediction in Model-Driven Development,” Model Driven Engineering Languages and Systems, pp. 339–354, 2005.
 I. Majzik, A. Pataricza, and A. Bondavalli, “Stochastic Dependability Analysis of System Architecture Based on UML Models,” Architecting dependable systems, vol. 2677, pp. 219-244, 2003.
 G. P. Gu and D. C. Petriu, “Early evaluation of software performance based on the UML performance profile,” pp. 66-79, Oct. 2003.
 J. Skene and W. Emmerich, “A model-driven approach to non-functional analysis of software architectures,” 18th IEEE International Conference on Automated Software Engineering 2003 Proceedings, vol. 0, pp. 236-239, 2003.
 V. Cortellessa and A. Pompei, “Towards a UML profile for QoS: a contribution in the reliability domain,” ACM SIGSOFT Software Engineering Notes, vol. 29, no. 1, pp. 197-206, 2004.
 J. A. Stankovic et al., “VEST: an aspect-based composition tool for real-time systems,” RealTime and Embedded Technology and Applications Symposium 2003 Proceedings The 9th IEEE, pp. 58-69, 2003.
 D. C. Schmidt et al., “CoSMIC : An MDA Generative Tool for Distributed Real-time and Embedded Component Middleware and Applications,” Information Sciences, pp. 300-306, 1829.
 A. Sassen et al., “QCCS: A Methodology for the Development of Contract-Aware Components Based on Aspect-Oriented Design,” in Workshop on Early Aspects AspectOriented Requirements Engineering and Architecture Design AOSD2002, 2002.
 S. Burmester, H. Giese, M. Hirsch, D. Schilling, and M. Tichy, “The fujaba real-time tool suite,” in Proceedings of the 27th international conference on Software engineering – ICSE ’05, 2005, p. 670.
 S. Gallotti, C. Ghezzi, R. Mirandola, and G. Tamburrelli, “Quality Prediction of Service Compositions through Probabilistic Model Checking,” Quality of Software Architectures Models and Architectures, vol. 5281, pp. 119-134, 2008.
 V. Cortellessa, A. D. Marco, and P. Inverardi, “Non-Functional Modeling and Validation in Model-Driven Architecture,” 2007 Working IEEEIFIP Conference on Software Architecture WICSA07, pp. 25-25, 2007.
 B. Kitchenham, “Procedures for Performing Systematic Reviews,” Keele UK Keele University, vol. 33, no. 401, p. 28, 2004.
 I. Sommerville, Software Engineering 8. Addison Wesley; Auflage: 8th ed., 2006.
 A. Avizienis, J. C. Laprie, B. Randell, and C. Landwehr, “Basic concepts and taxonomy of dependable and secure computing,” Ieee Transactions On Dependable And Secure Computing, vol. 1, no. 1, pp. 11-33, 2004.
 F. Tolerance, Dependability: Basic Concepts and Terminology, vol. 5, no. August. Springer-Verlag New York, Inc., 1992.
 B. Littlewood and L. Strigini, “Software reliability and dependability: a roadmap,” in Proceedings of the Conference on the Future of Software Engineering, 2000, pp. 175-188.
 D. Ardagna, C. Ghezzi, and R. Mirandola, “Rethinking the Use of Models in Software Architecture,” in Quality of Software Architectures Models and Architectures, 2008, vol. 5281, pp. 1-27.
 H. Wada, J. Suzuki, and K. Oba, “A Model-Driven Development Framework for Non-Functional Aspects in Service Oriented Grids,” International Conference on Autonomic and Autonomous Systems ICAS06, vol. 5, no. 4, pp. 30-30, 2008.
 R. France and B. Rumpe, “Model-driven Development of Complex Software: A Research Roadmap,” in Future of Software Engineering FOSE 07, 2007, no. May, pp. 37-54.
 D. Ameller, X. Franch, and J. Cabot, “Dealing with Non-Functional Requirements in Model-Driven Development,” 2010 18th IEEE International Requirements Engineering Conference, vol. 0, pp. 189-198, 2010.
 B. Hailpern and P. Tarr, “Model-driven development: The good, the bad, and the ugly,” IBM Systems Journal, vol. 45, no. 3, pp. 451-461, 2006.
 L. Zhu and Y. Liu, “Model Driven Development with Non-Functional Aspects,” Challenge, pp. 49-54, 2009.
 B. Selic, “The pragmatics of model-driven development,” IEEE Software, vol. 20, no. 5, pp. 19-25, 2003.
 S. J. Mellor, A. N. Clark, and T. Futagami, “Model-driven development – Guest editor’s introduction,” IEEE Software, vol. 20, no. 5, pp. 14-18, Sep. 2003.
 G. R. Nisha, “A model driven approach for design and development of a safety critical system,” in 2011 3rd International Conference on Electronics Computer Technology, 2011, pp. 15-18.
 Object Management Group, The, Model Driven Architecture resources page (2011), Internet: http://www.omg.org/mda/index.htm.